ML20209A027

Rev. OL-24 to Final Safety Analysis Report, Chapter 7.0, Instrumentation and Controls
Site: Callaway
Issue date: 11/13/2019
From: Ameren Missouri, Union Electric Co
To: Office of Nuclear Reactor Regulation
Shared Package: ML20209A098
References: ULNRC-06547

CHAPTER 7.0 INSTRUMENTATION AND CONTROLS

Section

7.1 INTRODUCTION
7.1.1 IDENTIFICATION OF SAFETY-RELATED SYSTEMS
7.1.1.1 Reactor Trip System
7.1.1.2 Engineered Safety Feature Actuation Systems
7.1.1.3 Systems Required for Safe Shutdown
7.1.1.4 Safety-Related Display Instrumentation
7.1.1.5 All Other Instrumentation Systems Required for Safety
7.1.1.6 Control Systems Not Required for Safety
7.1.2 IDENTIFICATION OF SAFETY CRITERIA
7.1.2.1 Design Bases
7.1.2.2 Independence of Redundant Safety-Related Systems
7.1.2.3 Physical Identification of Safety-Related Equipment
7.1.2.4 Conformance to Criteria
7.1.2.5 Conformance to NRC Regulatory Guides
7.1.2.6 Conformance to IEEE Standards
7.1.3 REFERENCES

7.2 REACTOR TRIP SYSTEM
7.2.1 DESCRIPTION
7.2.1.1 System Description
7.2.1.2 Design Bases Information
7.2.1.3 Final Systems Drawings
7.2.2 ANALYSES
7.2.2.1 Failure Mode and Effects Analyses
7.2.2.2 Evaluation of Design Limits
7.2.2.3 Specific Control and Protection Interactions
7.2.2.4 Additional Postulated Accidents
7.2.3 TESTS AND INSPECTIONS
7.2.4 REFERENCES

7.3 ENGINEERED SAFETY FEATURE SYSTEMS
7.3.1 CONTAINMENT COMBUSTIBLE GAS CONTROL SYSTEM
7.3.1.1 Description
7.3.1.2 Analysis
7.3.2 CONTAINMENT PURGE ISOLATION SYSTEM
7.3.2.1 Description
7.3.2.2 Analysis
7.3.3 FUEL BUILDING VENTILATION ISOLATION
7.3.3.1 Description
7.3.3.2 Analysis
7.3.4 CONTROL ROOM VENTILATION ISOLATION
7.3.4.1 Description
7.3.4.2 Analysis
7.3.5 DEVICE LEVEL MANUAL OVERRIDE
7.3.5.1 Description
7.3.5.2 Analysis
7.3.6 AUXILIARY FEEDWATER SUPPLY
7.3.6.1 Description
7.3.6.2 Analysis
7.3.7 MAIN STEAM AND FEEDWATER ISOLATION
7.3.7.1 Description
7.3.7.2 Analysis
7.3.8 NSSS ENGINEERED SAFETY FEATURE ACTUATION SYSTEM
7.3.8.1 Description
7.3.8.2 Analysis
7.3.8.3 Summary
7.3.9 REFERENCES

7.4 SYSTEMS REQUIRED FOR SAFE SHUTDOWN
7.4.1 HOT STANDBY
7.4.1.1 Auxiliary Feedwater Control
7.4.1.2 Atmospheric Steam Relief
7.4.1.3 Other Systems and Controls Required for Hot Standby
7.4.2 COLD SHUTDOWN
7.4.2.1 Description
7.4.2.2 Analysis
7.4.3 SAFE SHUTDOWN FROM OUTSIDE THE CONTROL ROOM
7.4.3.1 Description
7.4.3.2 Analysis

7.5 SAFETY-RELATED DISPLAY INSTRUMENTATION
7.5.1 REACTOR TRIP SYSTEM
7.5.2 ENGINEERED SAFETY FEATURE SYSTEM
7.5.2.1 System Actuation Parameters
7.5.2.2 System Bypasses
7.5.2.3 System Status
7.5.2.4 System Performance
7.5.3 SAFE SHUTDOWN
7.5.3.1 Hot Shutdown Control
7.5.3.2 Cold Shutdown Control
7.5.3.3 System Bypasses
7.5.3.4 System Status
7.5.3.5 System Performance

7.6 ALL OTHER INSTRUMENTATION SYSTEMS REQUIRED FOR SAFETY
7.6.1 INSTRUMENTATION AND CONTROL POWER SUPPLY SYSTEM
7.6.2 RESIDUAL HEAT REMOVAL SYSTEM ISOLATION VALVES
7.6.2.1 Description
7.6.2.2 Analysis
7.6.3 REFUELING INTERLOCKS
7.6.4 ACCUMULATOR MOTOR-OPERATED VALVES
7.6.5 SWITCHOVER FROM INJECTION TO RECIRCULATION
7.6.6 INTERLOCKS FOR RCS PRESSURE CONTROL DURING LOW TEMPERATURE OPERATION
7.6.6.1 Analysis of Interlocks
7.6.7 ISOLATION OF ESSENTIAL SERVICE WATER (ESW) TO THE AIR COMPRESSORS
7.6.7.1 Description
7.6.7.2 Analysis
7.6.8 ISOLATION OF THE NONSAFETY-RELATED PORTION OF THE COMPONENT COOLING WATER (CCW) SYSTEM
7.6.8.1 Description
7.6.8.2 Analysis
7.6.9 FIRE PROTECTION AND DETECTION
7.6.10 INTERLOCKS FOR PRESSURIZER PRESSURE RELIEF SYSTEM
7.6.10.1 Description of Pressurizer Pressure Relief System
7.6.10.2 Description of Pressurizer Pressure Relief System Interlocks
7.6.11 SWITCHOVER ECCS OF CHARGING PUMP SUCTION TO RWST ON LOW-LOW VCT LEVEL
7.6.11.1 Description
7.6.11.2 Evaluation of Switchover of ECCS Charging Pump Suction
7.6.12 INSTRUMENTATION FOR MITIGATING CONSEQUENCES OF INADVERTENT BORON DILUTION
7.6.12.1 Description
7.6.12.2 Analysis
7.6.12.3 Qualification
7.6.13 ECCS CHARGING PUMP MINIFLOW INTERLOCK
7.6.13.1 Description
7.6.14 NEUTRON FLUX MONITORING SYSTEM
7.6.14.1 Description
7.6.14.2 Qualification

7.7 CONTROL SYSTEMS NOT REQUIRED FOR SAFETY
7.7.1 DESCRIPTION
7.7.1.1 Reactor Control System
7.7.1.2 Rod Control System
7.7.1.3 Plant Control Signals for Monitoring and Indicating
7.7.1.4 Plant Control System Interlocks
7.7.1.5 Pressurizer Pressure Control
7.7.1.6 Pressurizer Water Level Control
7.7.1.7 Steam Generator Water Level Control
7.7.1.8 Steam Dump Control
7.7.1.9 Incore Instrumentation
7.7.1.10 Boron Concentration Monitoring System
7.7.1.11 ATWS Mitigation System Actuation Circuitry
7.7.2 ANALYSIS
7.7.2.1 Separation of Protection and Control System
7.7.2.2 Response Considerations of Reactivity
7.7.2.3 Step Load Changes Without Steam Dump
7.7.2.4 Loading and Unloading
7.7.2.5 Load Rejection Furnished By Steam Dump System
7.7.2.6 Turbine-Generator Trip With Reactor Trip
7.7.3 REFERENCES

App. 7.A COMPARISON TO REGULATORY GUIDE 1.97, REVISION 2
1 INTRODUCTION
2 ORGANIZATION
3 CALLAWAY DESIGN BASIS COMPARISON TO REGULATORY GUIDE 1.97
3.1 TYPE A VARIABLES
3.2 REDUNDANCY AND DIVERSITY FOR CATEGORY 1 VARIABLES
3.3 RECORDERS
3.4 INSTRUMENT RANGES
3.5 UNNECESSARY VARIABLES
3.6 QUALIFICATION FOR CATEGORY 1 PARAMETERS
3.7 QUALIFICATION FOR CATEGORY 2 PARAMETERS
3.8 QUALIFICATION FOR CATEGORY 3 ITEMS

Number Title

-1 Instrumentation Systems Identification

-2 Identification of Safety Criteria

-3 Conformance to Regulatory Guide 1.22

-4 Conformance to Regulatory Guide 1.53

-5 Conformance to Regulatory Guide 1.62

-6 Conformance to Regulatory Guide 1.105

-7 Conformance to Regulatory Guide 1.118

-1 List of Reactor Trips

-2 Protection System Interlocks

-3 Reactor Trip System Instrumentation

-4 Reactor Trip Correlation

-1 Containment Combustible Gas Control System Actuated Equipment List

-2 Containment Combustible Gas Control System Failure Modes and Effects Analysis

-3 Containment Purge Isolation System Actuated Equipment List

-4 Containment Purge Isolation System Failure Modes and Effects Analysis

-5 Fuel Building Ventilation Isolation System Actuated Equipment List

-6 Fuel Building Ventilation Isolation System Failure Modes and Effects Analysis

-7 Control Room Ventilation Isolation Control System Monitor Sensitivities and Response Times

-8 Control Room Ventilation Isolation Control System

7.0-vii Rev. OL-14 12/04

-9 Control Room Ventilation Isolation System Failure Modes and Effects Analysis

-10 Device Level Manual Override Failure Modes and Effects Analysis

-11 Auxiliary Feedwater System Failure Modes and Effects Analysis

-12 Auxiliary Supporting Engineered Safety Feature Systems

-13 NSSS Instrumentation Operating Condition for Engineered Safety Features

-14 NSSS Instrument Operating Conditions for Isolation Functions

-15 NSSS Interlocks for Engineered Safety Feature System

-1 Auxiliary Shutdown Panel Equipment List

-1 Engineered Safety Features - Displays

-2 Safe Shutdown Display Information

-3 Callaway Plant Design Comparison with Regulatory Guide 1.47 Dated May 1973, Titled Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems

-4 Safety-Related Display Instrumentation Located on the Control Board - (NSSS Scope of Supply)

-5 Safety-Related Display Instrumentation Located on the Control Board - (BOP Scope of Supply)

-1 Plant Control System Interlocks

-2 Boron Concentration Measurement System Specifications

1 Regulatory Guide 1.97 Variable List

2 Summary Comparison to Regulatory Guide 1.97

3 Data Sheets

Number Title

-1 Protection System Block Diagram

-1 (Sheet 1) Functional Diagrams (Index and Symbols)

-1 (Sheet 2) Functional Diagrams (Reactor Trip Signals)

-1 (Sheet 3) Functional Diagrams (Nuclear Instrumentation and Manual Trip Signals)

-1 (Sheet 4) Functional Diagrams (Nuclear Instrumentation Permissives and Blocks)

-1 (Sheets 5 and 5A) Functional Diagrams (Primary Coolant System Trip Signals)

-1 (Sheet 6) Functional Diagrams (Pressurizer Trip Signals)

-1 (Sheets 7 and 19) Functional Diagrams (Steam Generator Trip Signals)

-1 (Sheet 8) Functional Diagrams (Safeguards Actuation Signals)

-1 (Sheet 9) Functional Diagrams (Rod Controls and Rod Blocks)

-1 (Sheet 10) Functional Diagrams (Steam Dump Control)

-1 (Sheet 11) Functional Diagrams (Pressurizer Pressure and Level Control)

-1 (Sheet 12) Functional Diagrams (Pressurizer Heater Control)

-1 (Sheets 13 & 14) Functional Diagrams (Feedwater Control and Isolation)

-1 (Sheet 15) Functional Diagrams (Auxiliary Feedwater Pumps Startup)

-1 (Sheet 16) Functional Diagrams (Turbine Trips, Runbacks and Other Signals)

-1 (Sheet 17) Functional Diagram Pressurizer Pressure Relief System - Train A

-1 (Sheet 18) Functional Diagram Pressurizer Pressure Relief System - Train B

7.0-ix Rev. OL-19 5/12

-2 Setpoint Reduction Function for Overpower and Overtemperature ΔT Trips

-3 Reactor Trip/Engineered Safety Features Actuation Mechanical Linkage

-1 (Sheet 1) Engineered Safety Features Actuation System (BOP)

-1 (Sheets 2 & 3) Logic Diagram Engineered Safety Features Actuation System (BOP)

-2 Typical Engineered Safety Features Test Circuits

-3 Engineered Safeguards Test Cabinet (Index, Notes and Legend)

-1 (Sheet 1) Logic Diagram for Outer RHRS Isolation Valve

-1 (Sheet 2) Logic Diagram for Inner RHRS Isolation Valve

-2 Functional Block Diagram of Accumulator Isolation Valve

-3 Safety Injection System Recirculation Sump and RHR Suction Isolation Valves

-4 (Sheet 1) Train B Functional Diagram Showing Logic Requirements for Pressurizer Pressure Relief System

-4 (Sheet 2) Train A Functional Diagram Showing Logic Requirements for Pressurizer Pressure Relief System

-4 (Sheet 3) Deleted

-5 (Sheet 1) Logic Diagram for VCT Outlet Isolation Valve Interlocks on Switchover to RWST

-5 (Sheet 2) Logic Diagram for RWST Valves Interlocks on Switchover to RWST

-6 Instrumentation for Protection Against Inadvertent Boron Dilution

-1 Simplified Block Diagram of Reactor Control System

-2 Control Bank Rod Insertion Monitor

-3 Rod Deviation Comparator

-4 Block Diagram of Pressurizer Pressure Control System

-5 Block Diagram of Pressurizer Level Control System

-6 Block Diagram of Steam Generator Water Level Control System

-7 Block Diagram of Main Feedwater Pump Speed Control System

-8 Block Diagram of Steam Dump Control System

-9 Basic Flux-Mapping System

-10 Sampler Assembly

-11 Sampler Subassembly

-12 Process Assembly Block Diagram

-13 Deleted

-14 Simplified Block Diagram of Rod Control System

-15 Control Bank D Partial Simplified Schematic Diagram of Power Cabinets 1BD and 2BD

-16 AMSAC Logic Diagram

CHAPTER 7.0 INSTRUMENTATION AND CONTROLS

7.1 INTRODUCTION

This section describes the various plant instrumentation and control systems and the functional performance requirements, design bases, system descriptions, design evaluations, and tests and inspections for each. The information provided in this chapter emphasizes those instruments and associated equipment which constitute the protection system, as defined in IEEE Standard 279-1971, "IEEE Standard: Criteria for Protection Systems for Nuclear Power Generating Stations."

The instrumentation and control systems provide automatic protection and exercise proper control against unsafe and improper reactor operation during steady state and transient power operations (Conditions I and II) and provide initiating signals to mitigate the consequences of emergency and faulted conditions (Conditions III and IV).

ANS conditions are discussed in Chapter 15.0.

Applicable criteria and codes are listed in Table 7.1-2.

7.1.1 IDENTIFICATION OF SAFETY-RELATED SYSTEMS

Safety-related instrumentation and control systems and their supporting systems are those systems required to ensure:

a. The integrity of the reactor coolant pressure boundary.
b. The capability to shut down the reactor and maintain it in a safe shutdown condition.
c. The capability to prevent or mitigate the consequences of accidents which could result in potential offsite exposures comparable to the guideline exposures of 10 CFR 100.

The definitions provided below are used to classify the instrumentation systems into the categories defined for Chapter 7.0 by Regulatory Guide 1.70.

A listing of these systems, by categories, that are comparable to those of nuclear power plants of similar design is given in Table 7.1-1. Table 7.1-1 also identifies the systems that are different with references to discussions of those differences.

The plant's control and instrumentation systems are grouped into the following categories:

a. Reactor trip system (RTS)

7.1-1 Rev. OL-24 11/19

c. Systems required for safe shutdown
d. Safety-related display instrumentation
e. Other instrumentation systems required for safety
f. Systems not required for safety

Descriptions of the above are given in Sections 7.1.1.1 through 7.1.1.6. Table 7.1-2 identifies which instrumentation systems are safety related.

7.1.1.1 Reactor Trip System

The RTS is described in Section 7.2. Figure 7.1-1 is a single-line diagram of this system.

7.1.1.2 Engineered Safety Feature Actuation Systems

The ESFAS are those instrumentation systems which are needed to actuate the equipment and systems required to mitigate the consequences of postulated design basis accidents. The engineered safety features requiring actuation are:

a. Main steam and feedwater isolation (Sections 6.2.4 and 7.3.7)
b. Containment combustible gas control (Sections 6.2.5 and 7.3.1)
c. Containment purge isolation (Sections 6.2.4 and 7.3.2)
d. Fuel building ventilation isolation (Sections 7.3.3 and 9.4.2)
e. Control room ventilation isolation (Sections 7.3.4 and 9.4.1)
f. Auxiliary feedwater supply (Sections 7.3.6 and 10.4.9)
g. Nuclear steam system supply (NSSS) ESFAS (Section 7.3.8)

The equipment which provides the engineered safety feature actuation functions for the systems listed above is identified and discussed in Section 7.3. Design bases for these engineered safety feature actuation systems are also given in Section 7.3. For auxiliary supporting systems, see Section 7.3.8.1.11 and Table 7.3-12.

7.1.1.3 Systems Required for Safe Shutdown

Systems required for safe shutdown are defined as those essential for pressure and reactivity control, coolant inventory makeup, and removal of residual heat once the

cifications.

Identification of the equipment and systems required for safe shutdown is provided in Section 7.4. Additional information regarding hot standby provisions for shutdown from outside the control room is also provided in Section 7.4.

7.1.1.4 Safety-Related Display Instrumentation

Safety-related display instrumentation is instrumentation which provides information for the operator to manually perform reactor trip, engineered safety feature actuation, post-accident monitoring or safe shutdown functions.

Identification of the equipment and systems in safety-related display instrumentation is provided in Section 7.5. Description of other indicating systems which provide information for monitoring equipment and processes is also provided in Section 7.5.

Section 7.5 and Table 7.5-1 summarize procedures required to maintain the plant in a hot standby condition, or to proceed to cold shutdown.

7.1.1.5 All Other Instrumentation Systems Required for Safety

All other instrumentation systems required for safety - other than the RTS, the ESFAS, safety-related display and the safe shutdown systems - are discussed in Section 7.6.

They are those systems and components which have a preventive role in reducing the effects of accidents. Single failures in these systems will not inhibit reactor trip, engineered safety feature actuation, or functions required for safe shutdown. The other instrumentation systems required for safety consist of the following:

a. Instrumentation and control power supply system
b. Residual heat removal system isolation valve interlocks
c. Refueling interlocks
d. Accumulator motor-operated isolation valve interlocks
e. Emergency core cooling system switchover from injection mode to recirculation mode
f. Interlocks for RCS pressure control during low temperature operation
g. Isolation of nonseismic Category I piping from seismic Category I cooling systems
i. Switchover of charging pump suction to refueling water storage tank (RWST) on low-low volume control tank level
j. Instrumentation for mitigating consequences of inadvertent boron dilution
k. Charging pump miniflow interlock
l. Neutron flux monitoring

Item a above is described in Section 8.3.1.1.5. Item c is described in Section 9.1.4. The remaining items are described in Section 7.6.

7.1.1.6 Control Systems Not Required for Safety

Control systems not required for safety are those automatic and manual systems designed for the primary purpose of normal load control, startup, and shutdown of the main power generating system. As shown in Section 7.7, malfunctions in these systems do not result in unsafe conditions.

7.1.2 IDENTIFICATION OF SAFETY CRITERIA

Considerations for instrument errors are included in the accident analyses presented in Chapter 15.0. Functional requirements, developed on the basis of the results of the accident analyses, that have utilized conservative assumptions and parameters are used in designing these systems. A preoperational testing program verifies the adequacy of the design. Accuracies are given in Sections 7.2, 7.3, and 7.5.

The criteria listed in Table 7.1-2 were considered in the design of the systems given in Section 7.1.1. A discussion of compliance with each criterion for systems in its scope is provided in the referenced sections given in Table 7.1-2. Because some criteria were established after design and testing had been completed, the equipment documentation may not meet the format requirements of some standards. Justification for any exceptions taken to each document for systems in its scope is provided in the referenced sections.

7.1.2.1 Design Bases

The design bases for the safety-related systems are provided in the respective sections of Chapter 7.0.

7.1.2.2 Independence of Redundant Safety-Related Systems

The safety-related systems are designed to meet the independence and separation requirements of GDC-22 and Section 4.6 of IEEE Standard 279-1971.


nsure that no single credible event will prevent operation of the associated function.

ical circuits and functions include power, control, and analog instrumentation associated with the operation of the safety-related systems. Events considered credible considered in the design include the effects of short circuits, pipe rupture, missiles,

, and earthquake.

7.1.2.2.1 General

The physical separation criteria for redundant safety-related system sensors, sensing lines, wireways, cables, and components on racks meet the recommendations contained in Regulatory Guide 1.75 with the following comments:

a. The protection systems use redundant instrumentation channels and actuation trains and incorporate physical and electrical separation to prevent faults in one channel from degrading any other protection channel.
b. Where no redundant circuits share a single compartment of a safety-related instrumentation rack and these redundant safety-related instrumentation racks are physically separated, the recommendations of Position C.16 of Regulatory Guide 1.75 do not apply.
c. Redundant, isolated control signal cables leaving the protection racks are brought into close proximity elsewhere in the plant, such as the control board. It could be postulated that electrical faults, or interference, at these locations might be propagated into all redundant racks and degrade protection circuits because of the close proximity of protection and control wiring within each rack. Regulatory Guide 1.75 (Regulatory Position C.4) and IEEE Standard 384-1974 (Section 4.5(3)) provide the option to demonstrate by tests that the absence of physical separation could not significantly reduce the availability of Class 1E circuits.

Westinghouse test programs have demonstrated that Class 1E protection systems (nuclear instrumentation system, solid state protection system, and 7300 process protection system) are not degraded by non-Class 1E circuits sharing the same enclosure. Conformance to the requirements of IEEE Standard 279-1971 and Regulatory Guide 1.75 has been established and accepted by the NRC, based on the following which is applicable to these systems at the Callaway Plant.

Tests conducted on the as-built designs of the nuclear instrumentation system and solid state protection system were reported and accepted by the NRC in support of the Diablo Canyon application (Docket Nos. 50-275 and 50-323). Westinghouse considers these programs as applicable to all plants, including Callaway. Westinghouse tests on the 7300 process

letter dated April 20, 1977 (Ref. 2), the NRC accepted the report in which the applicability to the Callaway Plant is established.

Replacement solid state protection system circuit boards were additionally analyzed and tested to ensure regulatory compliance was maintained as described in References 6, 7, and 8 for the three circuit boards associated with active safety functions.

The Westinghouse 7300 process protection system NCT (channel test) cards used in the four containment pressure High-3 channels for containment spray initiation also provide contacts to non-safety related annunciators to inform the operators when a channel is bypassed for test. These NCT cards have been analyzed to demonstrate that the non-safety annunciator circuits do not degrade the Class 1E circuits below an acceptable level.

The NCT card is a channel test card typically used in channels that interface only with the SSPS, and, therefore would not normally require isolation. However, for the containment spray circuits, which are energized to actuate, contacts from the NCT card to an annunciator were provided to indicate when a channel was bypassed for test. A qualified isolation device should be used to provide separation by preventing the propagation of electrical faults from non-safety systems. This separation is typically provided by NAI (annunciator interface) cards which have been proven by the testing documented in Reference 1 to be a qualified isolation device. The NCT cards have not been qualified by testing as isolation devices. The following analysis supports the use of the NCT cards without NAI cards, or other isolation devices, for this application.

The worst conceivable faults are generalized into three main categories.

One category occurs in the annunciator input and associated circuitry including any short circuit faults. The second category occurs in the cable tray where the maximum possible voltage (120 VAC or 125 VDC) could be applied to the cable conductors and then directly to NCT card contacts.

Lastly, a fault could occur where the contact degrades, increasing the power across the contact.

The maximum power seen by the NCT relay contact due to the contact resistance feeding the annunciator system was calculated to be one (1) watt, well below its ten (10) watt rating. The maximum induced voltage is considered to be of a low enough magnitude and short time duration to not degrade the safety-related circuits.


closed. For these containment pressure High-3 channels, the contacts are closed only if the card is in test. During normal operation, the contacts are open. Therefore, any type of fault (up to impressing the rated contact voltage or voltage rating of the NCT circuit card traces) could occur and no fault current would flow through the NCT card circuit due to a non-1E circuit fault during normal operation.

Potential damage to the NCT card and its Class 1E circuit would only occur when the card was placed in test. Any damage would occur only in the channel which was placed in test. The other three channels would remain operable. Since the card that potentially fails would have already been authorized to be removed from service, the level of protection would not be reduced. Since the fault would be detected due to an annunciator malfunction when it occurs, the root cause of the failure would be determined and corrected prior to returning the channel to service.

Troubleshooting would identify that potential NCT card degradation had occurred and the affected NCT card would either be replaced or determined to be undamaged and returned to service.

d. The physical separation criteria for instrument cabinets within the NSSS scope meet the recommendations contained in Section 5.7 of IEEE Standard 384-1974. Compliance with specific positions of Regulatory Guide 1.75 is given in Sections 8.1.4.3 and 8.3.1.4.

7.1.2.2.2 Specific Systems

Independence is maintained throughout each system, extending from the sensor through the devices actuating the protective function. Physical separation is used to achieve separation of redundant transmitters. Separation of field wiring is achieved using separate wireways, cable trays, conduit runs, and containment penetrations for each redundant protection channel set. Redundant analog equipment is separated by locating modules in different protection rack sets. Each redundant channel set is energized from a separate ac power feed.

There are four separate protection sets. Each protection set contains several channels, each channel sensing a different variable. Separation of redundant analog channels begins at the process sensors and is maintained in the field wiring, containment penetrations, and process protection cabinets. Protection sets are formed at the process protection cabinets and transmit the required signals to the redundant trains in the solid state protection system logic racks (Figure 7.1-1). Redundant analog channels are separated by locating modules in different cabinets. Since all equipment within any cabinet is associated with a single protection set, there is no requirement for separation of wiring and components within the cabinet. See Section 7.1.2.3 for additional information.

cable penetrations which would permit a fire resulting from electrical failure in one channel to propagate into redundant channels.

Two reactor trip breakers are actuated by two separate logic matrices to interrupt power to the control rod drive mechanisms. The breaker main contacts are connected in series with the power supply so that opening either breaker interrupts power to all control rod drive mechanisms, permitting the rods to free fall into the core.

a. Reactor trip system
1. Separate routing is maintained for the four basic reactor trip system channel sets, analog sensor signals, bistable output signals, and power supplies for these systems. The separation of these four channel sets is maintained from sensors to instrument cabinets to logic system input cabinets.
2. Separate routing of the redundant reactor trip signals from the redundant logic system cabinets is maintained, and, in addition, the cables carrying these signals are separated (by spatial separation or by provision of barriers or by separate cable trays or wireways) from the four analog channel sets.
b. Engineered safety feature actuation system
1. Separate routing is maintained for the four basic sets of engineered safety feature actuation system analog sensing signals, bistable output signals, and power supplies for these systems. The separation of these four channel sets is maintained from sensors to instrument cabinets to logic system input cabinets.
2. Separate routing of the engineered safety feature actuation signals from the redundant logic system cabinets is maintained. In addition, they are separated by spatial separation or by provisions of barriers or by separate cable trays or wireways from the four analog channel sets.
3. Separate routing of control and power circuits associated with the operation of engineered safety feature equipment is required to retain redundancies provided in the system design and power supplies.
c. Instrumentation and control power supply system

to the control of these power supplies.

Reactor trip system, engineered safety feature actuation system, and other safety-related system analog circuits may be routed in the same wireways provided the circuits have the same power supply and channel set identified (I, II, III, or IV).
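The wireway-sharing rule above, together with the statement in Section 7.1.2.2.2 that each redundant channel set is energized from a separate ac power feed, can be checked mechanically against a cable schedule. The following is an added example, not part of the FSAR or any plant tool; the cable tags, wireway ids, power feed labels and the schedule layout are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

CHANNEL_SETS = ("I", "II", "III", "IV")   # channel set labels used on the page


@dataclass(frozen=True)
class Circuit:
    cable_id: str      # hypothetical cable tag
    system: str        # e.g. "RTS" or "ESFAS" (safety-related analog circuit)
    channel_set: str   # expected to be one of CHANNEL_SETS
    power_feed: str    # hypothetical label of the ac feed for the channel set
    route: tuple       # wireway ids the cable passes through


def check_wireway_sharing(circuits):
    """Flag wireways whose circuits differ in channel set or power supply.

    Returns a sorted list of (wireway, problem, cable_ids) tuples.
    Circuits with an unrecognised channel set are reported under wireway "-"
    and left out of the per-wireway comparison.
    """
    findings = []
    by_wireway = defaultdict(list)
    for c in circuits:
        if c.channel_set not in CHANNEL_SETS:
            findings.append(
                ("-", "unknown channel set " + repr(c.channel_set), (c.cable_id,))
            )
            continue
        for wireway in c.route:
            by_wireway[wireway].append(c)

    for wireway, members in by_wireway.items():
        sets = sorted({c.channel_set for c in members}, key=CHANNEL_SETS.index)
        feeds = sorted({c.power_feed for c in members})
        ids = tuple(sorted(c.cable_id for c in members))
        if len(sets) > 1:
            findings.append((wireway, "mixed channel sets " + "/".join(sets), ids))
        elif len(feeds) > 1:
            findings.append((wireway, "mixed power feeds " + "/".join(feeds), ids))
    return sorted(findings)


def feeds_shared_between_sets(circuits):
    """Return {feed: [channel sets]} for feeds that energize more than one set."""
    sets_by_feed = defaultdict(set)
    for c in circuits:
        if c.channel_set in CHANNEL_SETS:
            sets_by_feed[c.power_feed].add(c.channel_set)
    return {
        feed: sorted(sets, key=CHANNEL_SETS.index)
        for feed, sets in sorted(sets_by_feed.items())
        if len(sets) > 1
    }


# Constructed cable schedule (not plant data).
SAMPLE = [
    Circuit("C-101", "RTS", "I", "PF-1", ("WW-10", "WW-11")),
    Circuit("C-102", "ESFAS", "I", "PF-1", ("WW-10",)),         # same set and feed: allowed
    Circuit("C-201", "RTS", "II", "PF-2", ("WW-20", "WW-11")),  # meets set I in WW-11
    Circuit("C-301", "ESFAS", "III", "PF-3", ("WW-30",)),
    Circuit("C-302", "RTS", "III", "PF-4", ("WW-30",)),         # same set, different feed
    Circuit("C-401", "RTS", "IV", "PF-2", ("WW-40",)),          # feed PF-2 also serves set II
    Circuit("C-900", "RTS", "V", "PF-1", ("WW-10",)),           # label outside I..IV
]

if __name__ == "__main__":
    for finding in check_wireway_sharing(SAMPLE):
        print(finding)
    print(feeds_shared_between_sets(SAMPLE))
```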

7.1.2.2.3 Fire Protection

For electrical equipment, noncombustible or fire retardant material is specified.

Braided sheathed material used in the cables is noncombustible. For in-field wiring, cables in the power trays are sized using derating factors listed in IPCEA Publication P-46-426.

For early warning protection against propagation of electrical fires, high sensitivity detectors are provided for fire detection and alarm in remote wireways or other unattended areas where large concentrations of cables are installed.

Details of the plant's fire protection system are provided in Section 9.5.1.

Electrical power supply, instrumentation, and control wiring for redundant circuits have physical separation to preserve redundancy and ensure that no single credible event will prevent operation of the associated function. Critical circuits include power, control, and analog instrumentation associated with the operation of the reactor trip system or engineered safety feature actuation systems. Credible events include the effects of short circuits, pipe rupture, pipe whip, high-pressure jets, missiles, fire, and earthquake. These events are considered in the basic plant design.

Physical space or barriers are provided between separation groups performing the same protective function.

In locations where a specific hazard exists (missile, jet, etc.) which could produce damage to safety-related controls and instrumentation required as an active functional part of a nuclear safety-related system, the physical separation, structural protection, or armor provided will be adequate to ensure that no multiple failures can result from a single event.

The minimum protection or spacing maintained between redundant safety-related control and instrumentation components will be:

a. In open space See the discussion of compliance with Regulatory Guide 1.75 (Appendix 3A).


1. Six inches of free space, or
2. If a barrier is present, one inch plus the barrier. See also Section 8.3.1.4.1.2.

Criteria and bases for the independence of electrical cable, including routing, marking, and cable derating, are covered in Section 8.3. Fire detection and protection in areas where wiring is installed is covered in Section 9.5.1.

7.1.2.3 Physical Identification of Safety-Related Equipment

Components required as part of the safety-related control and instrumentation systems are identified as safety-related components requiring formal quality assurance supporting documentation. Specific requirements for each type of component are covered in its procurement specification. The quality assurance program is described in Chapter 17.0.

Panels and cabinets which contain one or more safety-related devices are subject to the requirements for safety-related systems.

Instrument racks and trays containing tubing or wiring connected to safety-related instrumentation devices are subject to the requirements for safety-related systems.

Safety-related systems and their component devices are identified as to their separation group. Each protection set described in Section 7.1.2.2.2 is included in its respective separation group.

There are four separation groups identifiable with process equipment associated with the RTS and ESFAS. A separation group may be comprised of more than a single process equipment cabinet. The color coding of each process equipment rack nameplate coincides with the color code established for the separation group of which it is a part.

Redundant BOP channels are separated by locating them in different equipment cabinets. Separation of redundant channels begins at the process sensors and is maintained in the field wiring, containment penetrations, and equipment cabinets to the redundant trains in the logic racks. The NSSS solid state protection system input cabinets and the NSSS engineered safety feature actuation systems are divided into isolated compartments, each serving one of the redundant input channels. Horizontal 1/…-inch-thick solid steel barriers, coated with fire retardant paint, separate the compartments. One-eighth-inch-thick solid steel wireways coated with fire retardant paint enter the input cabinets vertically. The wireway for a particular compartment is open only into that compartment so that flame could not propagate to affect other channels. At the logic racks, the separation group color coding for redundant channels is clearly maintained until the channel loses its identity in the redundant logic trains. The

Protection Set I Separation Group 1: red with white lettering
Protection Set II Separation Group 2: white with black lettering
Protection Set III Separation Group 3: blue with white lettering
Protection Set IV Separation Group 4: yellow with black lettering
Nonsafety-related: black with white lettering

Within the control panels, where more than one separation group is present, wiring is identified by separation group or if the wiring is enclosed by conduit the separation group identification is located on the conduit.

Within a cabinet or panel associated and identified with a single safety-related separation group, no identification of the safety-related wiring is required. The separation group of the panel or cabinet, however, is clearly identified.

Within a panel or cabinet otherwise associated and identified with a single safety-related separation group, nonsafety-related wiring is clearly identified. However, provided such nonsafety-related wiring is maintained at a small quantity, identification of the safety-related wiring is not required.

Noncabinet-mounted protective equipment and components are provided with an identification tag or nameplate. Small electrical components, such as relays, have nameplates on the enclosure which houses them. All cables are numbered with identification tags. In congested areas, such as under or over the control boards, instrument racks, etc., cable trays and conduits containing redundant circuits shall be identified, using permanent markings. The purpose of such markings is to facilitate cable routing identification for future modifications or additions. Positive permanent identification of cables and/or conductors shall be made at all terminal points. There are also identification nameplates on the input panels of the solid state protection system.

7.1.2.4 Conformance to Criteria

A listing of applicable criteria and the sections where conformance is discussed is given in Table 7.1-2.

7.1.2.5 Conformance to NRC Regulatory Guides

7.1.2.5.1 General

Conformance of BOP equipment to Regulatory Guides 1.22, 1.53, 1.62, 1.105, and 1.118 is addressed in Tables 7.1-3, 4, 5, 6, and 7, respectively.


References to discussions of these regulatory guides are provided in Appendix 3A.

An additional discussion of the NSSS conformance to Regulatory Guide 1.22 and IEEE-338 and 379 is given in the following sections.

7.1.2.5.2 Conformance to Regulatory Guide 1.22

Periodic testing of the reactor trip and engineered safety feature actuation systems, as described in Sections 7.2.2 and 7.3, complies with Regulatory Guide 1.22, "Periodic Testing of Protection System Actuation Functions."

Where the ability of a system to respond to a bona fide accident signal is intentionally bypassed for the purpose of performing a test during reactor operation, each bypass condition is automatically indicated to the reactor operator in the main control room by a separate annunciator for the channel in test. Test circuitry does not allow two channels to be tested at the same time so that extension of the bypass condition to the redundant system is prevented.

The actuation logic for the RTS and ESFAS is tested as described in Sections 7.2 and 7.3. As recommended by Regulatory Guide 1.22, where actuated equipment is not tested during reactor operation, it has been determined that:

a. There is no practicable system design that would permit operation of the actuated equipment without adversely affecting the safety or operability of the plant;
b. The probability that the protection system will fail to initiate the operation of the actuated equipment is, and can be maintained, acceptably low without testing the actuated equipment during reactor operation; and
c. The actuated equipment can be routinely tested when the reactor is shut down.

The list of equipment that is not tested at full power so as not to damage equipment or upset plant operation is:

a. Manual actuation switches (RTS and ESFAS)
b. Main turbine trip system (actual trip)
c. Main steam isolation valves (actual full closure)
d. Main feedwater isolation valves (actual full closure)
f. Main feedwater pump trip solenoids
g. Reactor coolant pump seal water return valves (actual full closure)
h. Seven selected slave relays

Justifications for not testing the above items at full power are discussed below.

a. Manual actuation switches for RTS and ESFAS
   These would cause initiation of their protection system function at power, causing plant upset and/or reactor trip. It should be noted that the reactor trip function that is derived from the automatic safety injection signal is tested at power in the same manner as the other analog signals and as described in Section 7.2.2.2.3. The processing of these signals in the solid state protection system wherein their channel orientation converts to a logic train orientation is tested at power by the built-in semiautomatic test provisions of the solid state protection system. The reactor trip breakers are tested at power, as discussed in Section 7.2.2.2.3.
b. Main turbine trip system
   Testing of the main turbine trip function under power operation is discussed in Section 10.2.3.6.
c. Closing the main steam isolation valves
   See Table 7.1-3.
d. Closing the main feedwater isolation valves
   See Table 7.1-3.
e. Closing the feedwater control valves
   The actuation function for these valves and their associated solenoids are routinely tested during refueling outages. To close the valves at power would adversely affect the operation of the plant. The operability of the slave relays which actuate the solenoids is verified at power. The closing of these control valves is blocked when the slave relay is tested. It is noted that the solenoids work on the de-energize-to-actuate principle. The feedwater control valves will fail closed on the loss of electrical power to both of the solenoids.


Regulatory Guide 1.22.

f. Main feedwater pump trip solenoids
   No credit is taken for the automatic tripping of the feedwater pumps, and, therefore, this function does not require periodic testing.
g. Reactor coolant pump seal water return valves
   Seal water return line isolation valves are routinely tested during refueling outages. Closure of these valves during operation would cause the seal water system relief valve to lift, with the possibility of valve chatter. Valve chatter could damage this relief valve. Testing of these valves at power could cause equipment damage. Therefore, these valves will be tested during scheduled refueling outages. Thus, the guidelines of Regulatory Position D.4 of Regulatory Guide 1.22 are met.
h. Eight selected slave relays
   Slave relays K602, K620 (turbine trip circuitry only; main feedwater pump trip solenoid circuitry is excluded as discussed in f above), K622, K624, K630, K740, K741, and K750 and their actuated equipment will be tested at least once per 18 months during refueling and during each cold shutdown exceeding 24 hours unless they have been tested within the previous 92 days. Justification for the extended test interval is based on plant operational concerns and was presented in detail in References 3 and 5.

7.1.2.6 Conformance to IEEE Standards

7.1.2.6.1 Conformance to IEEE Standard 379-1972

The principles described in IEEE Standard 379-1972 were used in the design of the solid state protection system. The system complies with the intent of this standard and the additional guidance of Regulatory Guide 1.53, although the formal analyses have not been documented exactly as outlined. Westinghouse has gone beyond the required analyses and has performed a fault tree analysis (Ref. 4).

The referenced report provides details of the analyses of the solid state protection system previously made to show conformance with the single failure criterion set forth in Section 4.2 of IEEE Standard 279-1971. The interpretation of the single failure criterion provided by IEEE Standard 379-1972 is not substantially different than the Westinghouse interpretation of the criterion, except in the methods used to confirm design reliability.

Replacement solid state protection system circuit boards were additionally analyzed and

RTS and ESFAS safety-related systems featuring redundant design provisions. The required periodic testing of these systems will disclose any failures or loss of redundancy which could have occurred in the interval between tests, thus ensuring the availability of these systems.

7.1.2.6.2 Conformance to IEEE Standard 338-1971

The periodic testing of the RTS and ESFAS conforms to the requirements of IEEE Standard 338-1971 with the following comments:

a. The surveillance requirements in the Callaway Technical Specifications for the solid state protection system ensure that the system functional operability is maintained comparable to the original design standards.

Periodic tests at the established intervals demonstrate this capability for the system.

b. Callaway's administrative program for the response time testing of the RTS and ESFAS instrumentation meets the requirements of Section 6.3.4 of IEEE Standard 338-1977, as clarified below:

For sensors, Callaway performs periodic response time testing or makes use of allocated response times. The methods of testing, when required, fall into two categories as follows:

PRIMARY - For resistance temperature detectors (RTDs), a loop current step response methodology is used as endorsed in NUREG-0809 and described in detail in EPRI report NP-834 (Vol. 1).

- For newly installed pressure sensors or refurbished pressure sensors whose response time may have been adversely affected, the EPRI developed method described in report NP-267 shall be used. This pressure ramp testing is also discussed in ISA dS-67.06. See the Technical Specifications Bases for SR 3.3.1.16 and SR 3.3.2.10.


noise analysis method which will function on the principle that, in the protection system, sensors are sensitive to process noise created by natural perturbations in variables, including temperature, pressure, and flow. The noise analysis method testing system is designed to measure sensor response time and/or assess degradation by measurement of the sensors' efficiency to detect high-frequency noise.

Nuclear instrumentation detectors are excluded since delays attributable to them are negligible in the overall channel response time required for safety.

The verification of response time at the specified time intervals provides assurance that the protective and engineered safety feature function associated with each channel is completed within the time limit assumed in the accident analyses.

The time response of discrete portions of the system can be measured or allocated, and overall response times can be determined by summing the response times of those discrete components. The wires that connect the discrete components do not necessarily require time response testing since wiring delays are typically insignificant compared with the response times of the individual components.

c. The reliability goals specified in Section 4.2 of IEEE Standard 338-1971 are consistent with the test frequency in the Callaway Technical Specifications.
d. The periodic time interval discussed in Section 4.3 of IEEE Standard 338-1971, and specified in the Callaway Technical Specifications, is selected to ensure that equipment associated with protection functions has not drifted beyond its minimum performance requirements. The adequacy of the interval will be verified by results of testing or the interval will be reevaluated on the basis of actual experience.
e. The test interval discussed in Section 5.2 of IEEE Standard 338-1971 is developed primarily on past operating experience and modified, if necessary, to ensure that system and subsystem protection is reliably provided.

7.1.3 REFERENCES

1. Marasco, F.W. and Siroky, R.M., "Westinghouse 7300 Series Process Control System Noise Tests," WCAP-8892-A, June, 1977.

3. Letter dated February 27, 1984, N.A. Petrick (SNUPPS) to Mr. Harold R. Denton (NRC), SLNRC 84-0038.

4. Gangloff, W.C. and Loftus, W.D., "An Evaluation of Solid State Logic Reactor Protection in Anticipated Transients," WCAP-7706-L (Proprietary) and WCAP-7706 (Non-Proprietary), July, 1971.

5. Operating License Amendment 137 dated September 25, 2000.

6. Gruber, T. J. and Harbaugh, T. D., "Westinghouse SSPS Universal Logic Board Replacement Summary Report 6D30225G01/G02/G03/G04," WCAP-16769-P, Revision 2, February, 2011.

7. Harbaugh, T. D. and Hines, E. F., "Westinghouse SSPS Safeguards Driver Board Replacement Summary Report 6D30252G01/G02," WCAP-16770-P, Revision 0, August, 2008.

8. Gruber, T. J. and Harbaugh, T. D., "Westinghouse SSPS Undervoltage Driver Board Replacement Summary Report 6D30350G01/G02," WCAP-16771-P, Revision 1, April, 2011.


Similar Designer To Plant y-Related Systems Comanche W. B. McGuire and tegories Westinghouse Bechtel Peak Watts Bar Other Remarks eactor trip system X X X ngineered safety feature actuation systems

. Main steam and feedwater isolation X X New (see 7.3.7)

. Containment combustible gas control X Millstone Unit 2

. Containment purge isolation X New (see 7.3.2)

. Fuel building ventilation isolation X ----- New (see 7.3.3)

. Control room ventilation isolation X ----- New (see 7.3.4)

Auxiliary feedwater supply X X X X ----- New supply configuration (see 7.3.6)

. NSSS ESFAS X X ystems required for safe shutdown

. Hot standby X X X X

. Cold shutdown X X X X

. Safe shutdown from outside control room X X X ----- New (see 7.4.3) afety-related display instrumentation

. Reactor trip system X X X

. Engineering safety feature actuation X X X X systems

. Systems required for safe shutdown X X X X ther instrumentation systems required for afety

. Instrumentation and control power supply X Trojan system

. Residual heat removal system isolation X X valve interlocks

. Refueling interlocks X X Rev. OL-14 12/04


. Accumulator motor-operated isolation X X valve interlocks

. ECCS switchover from injection mode to X X recirculation mode Interlocks for RCS pressure control X X

  • during low temperature operation

. Isolation of nonseismic Category I piping X New (See 7.6.7 and from seismic Category I cooling systems 7.6.8)

. Interlocks for pressurizer pressure relief X X system Switchover of charging pump suction to **

RWST on low-low VCT level X X Instrumentation for mitigating X X consequences of inadvertent boron dilution

. Charging pump miniflow interlock X Seabrook Neutron flux monitoring X X New (See 7.6.14)

Callaway arms circuit manually
Callaway has a third VCT level instrument channel

CALLAWAY - SP CALLAWAY PLANT TABLE 7.1-2 IDENTIFICATION OF SAFETY CRITERIA SHEET 1 Rev. OL-24 11/19


This table demonstrates the conformance of the design of BOP equipment to Regulatory Guide 1.22.

Regulatory Guide 1.22 Position Union Electric Position The protection system should 1. The protection system is designated to designed to permit periodic testing permit periodic testing to extend to and xtend to and include the actuation include the actuation devices and actuated ices and actuated equipment. equipment.

e actuated equipment is included he periodic tests to provide urance that the protection system initiate its operation, as required General Design criterion 21. This ety guide does not address the ctional performance testing of uated equipment required by other neral Design Criteria; neither does eclude a design that fulfills more n one testing requirement with a gle test.)

a. The periodic tests 1.a. and b. The periodic tests do uld duplicate, as closely as duplicate, as closely as practicable, the cticable, the performance that is performance that is required of the actuation uired of the actuation devices in the devices in the event of an accident. The only nt of an accident. actuation devices for which the tests do not completely duplicate the performance that is required in the event of an accident are:
b. The protection system i. The manual actuation switches the systems whose operation it for RTS and ESFAS--See Section 7.1.2.5.2.

ates should be designed to permit ing of the actuation devices during ctor operation.

Rev. OL-16 10/07

Regulatory Guide 1.22 Position Union Electric Position ii. The main turbine trip function--a trip of the main turbine under power-generating conditions would result in a trip of the reactor. The turbine trip function can be fully tested whenever the turbine is not in operation. Testing of the main turbine trip function is further discussed in Section 10.2.3.6.

iii. The main steam and feed-water isolation valve actuators--full performance testing of these actuators would result in full closure of the main steam and feedwater isolation valves. The transients that would result under power-generating conditions in the plant would include steam generator water level oscillations, or low-low steam generator water level, and would probably result in reactor trip. The valve actuators can be fully tested, including full closure, whenever the plant is not in operation.

iv. The feedwater control valves--See Section 7.1.2.5.2.

v. The main feedwater pump trip solenoids--See Section 7.1.2.5.2.

vi. The reactor coolant pump seal water return valves--See Section 7.1.2.5.2.

vii. Eight selected slave relays--See Section 7.1.2.5.2.


Regulatory Guide 1.22 Position Union Electric Position Acceptable methods of 2.a. through d. In general, the protection uding the actuation devices in the systems can be tested in accordance with iodic tests of the protection system method a. The only protection systems that

cannot be tested in accordance with method
a. are the main steam and feedwater
a. Testing simultaneously isolation systems and the auxiliary feedwater actuation devices and actuated system. The systems not tested in ipment associated with each accordance with method a. can all be tested undant protection system output in accordance with method b. Methods c.

nal; and d. need not be used. See Section 10.2.3.6 regarding the main turbine trip

b. Testing all actuation system.

ices and actuated equipment vidually or in judiciously selected ups;

c. Preventing the operation ertain actuated equipment during a of their actuation devices;
d. Providing the actuated ipment with more than one uation device and testing vidually each actuation device.

thod a. set forth above is the ferable method of including the uation devices in the periodic tests he protection system. It shall be ed that the acceptability of each of four above methods is conditioned he provisions of Regulatory itions 3. and 4. below.

Where the ability of a system to 3.a. and b. System bypasses are pond to a bona fide accident signal generally not required for testing; in most tentionally bypassed for the cases, the actuated equipment actually pose of performing a test during responds to the test signals. The only ctor operation: exceptions to these criteria are:


Regulatory Guide 1.22 Position Union Electric Position

a. Positive means should i. Bistables--test signals are provided to prevent expansion of substituted for the actual plant inputs during bypass condition to redundant or bistable tests, and provisions are included for erse systems, and bypassing bistable outputs. The bistables not under test, all digital inputs, and all other
b. Each bypass condition portions of the protection system are not uld be individually and affected.

omatically indicated to the reactor rator in the main control room. ii. Main steam and feedwater isolation valves--the signals to these valves are held in a condition that prevents valve motion during a portion of the test.

iii. Auxiliary feedwater system--the auxiliary feedwater system configuration is altered during test to prevent accidental injection or auxiliary feedwater into the steam generators and to prevent the introduction of essential service water, which is not chemically controlled, into the chemically controlled portions of the system.

Test signal injection into a bistable is effected by means of a momentary test switch so that the normal input signal cannot continue to be overridden after the operator releases the switch. Bistable bypass can be effected only by means of key-lock switches. The keying and access to the keys and to the equipment cabinets is controlled to avoid the possibility of testing or bypassing more than one bistable at any one time. Bistable bypass is indicated by a light and by key position at the location of the bistables and by means of the plant annunciation system in the main control room.

Bypass of any portion of the auxiliary feedwater system or of the main steam and feedwater isolation valves is indicated in the main control room.


Regulatory Guide 1.22 Position: Where actuated equipment is not tested during reactor operation, it should be shown that:

a. There is no practicable system design that would permit operation of the actuated equipment without adversely affecting the safety or operability of the plant;
b. The probability that the protection system will fail to initiate the operation of the actuated equipment is, and can be maintained, acceptably low without testing the actuated equipment during reactor operation,
c. The actuated equipment can be routinely tested when the reactor is shut down.

Union Electric Position: 4. Actuated equipment is tested during reactor operation, except for the equipment addressed in Section 7.1.2.5.2.


PLANT PROTECTION SYSTEMS"

This table demonstrates the conformance of the design of BOP equipment to Regulatory Guide 1.53.

Regulatory Guide 1.53 Position: The guidance in trial-use IEEE Std 379-1972 for applying the single-failure criterion to the design and analysis of nuclear power plant protection systems is generally acceptable and provides an adequate interim basis for complying with Section 4.2 of IEEE Std 279-1971, subject to the following:

Regulatory Guide 1.53 Position: Because of the trial-use status of IEEE Std 379-1972, it may be necessary in specific instances to depart from one or more of its provisions.

Union Electric Position: 1. Complies with IEEE 379-1972 in its entirety.

Regulatory Guide 1.53 Position: Section 5.2 of IEEE Std 379-1972 should be supplemented as follows:

"The detectability of a single failure is predicated on the assumption that the test results in the presence of a failure are different from the results that would be obtained if no failure is present. Thus, inconclusive testing procedures such as "continuity checks" of relay circuit coils in lieu of relay operations should not be considered as adequate bases to classify as detectable all potential failures which could negate the functional capability of the tested device."

Union Electric Position: 2. Complies. The testability of the systems is designed to positively identify failures.

Rev. OL-13 5/03

Regulatory Guide 1.53 Position: Section 6.2 of IEEE Std 379-1972 should be supplemented as follows:

"Where a single mode switch supplies signals to redundant channels, it should be considered that the single-failure criterion will not be satisfied if either (a) individual switch sections supply signals to redundant channels, or (b) redundant circuits controlled by the switch are separated by less than six inches without suitable barriers."

Union Electric Position: 3. Complies. Switches are either for single trains, or there are two switches, either of which can actuate both trains. For the latter type switch, proper separation is included in the design.

Regulatory Guide 1.53 Position: Section 6.3 and 6.4 of IEEE Std 379-1972 should be interpreted as not permitting separate failure mode analyses for the protection system logic and the actuator system. The collective protection system logic-actuator system should be analyzed for single-failure modes which, though not negating the functional capability of either portion, act to disable the complete protective function. [An example of such a potential failure mode is a misapplication of Regulatory Guide 1.6 (Safety Guide 6) wherein a single d-c source supplies control power for one channel of protection system logic and for the redundant actuator circuit.]

Union Electric Position: 4. Complies. The FMEA is performed on the basis of a system defined as starting with the sensors and continuing through the actuated devices.


This table demonstrates the conformance of the design of BOP equipment to Regulatory Guide 1.62.

Regulatory Guide 1.62 Position: Means should be provided for manual initiation of each protective action (e.g., reactor trip, containment isolation) at the system level, regardless of whether means are also provided to initiate the protective action at the component or channel level (e.g., individual control rod, individual isolation valve).

Union Electric Position: 1. Complies. Manual switches are provided for system actuation.

Regulatory Guide 1.62 Position: Manual initiation of a protective action at the system level should perform all actions performed by automatic initiation such as starting auxiliary or supporting systems, sending signals to appropriate valve-actuating mechanisms to assure correct valve position, and providing the required action-sequencing functions and interlocks.

Union Electric Position: 2. Complies. Manual actuation of the protective systems will have the same result as automatic actuation.

Regulatory Guide 1.62 Position: The switches for manual initiation of protective actions at the system level should be located in the control room and be easily accessible to the operator so that action can be taken in an expeditious manner.

Union Electric Position: 3. Complies. Manual switches for protective systems are provided in the control room.

Regulatory Guide 1.62 Position: The amount of equipment common to both manual and automatic initiation should be kept to a minimum. It is preferable to limit such common equipment to the final actuation devices and the actuated equipment. However, action-sequencing functions and interlocks (of Position 2) associated with the final actuation devices and actuated equipment may be common if individual manual initiation at the component or channel level is provided in the control room. No single failure within the manual, automatic, or common portions of the protection system should prevent initiation of protective action by manual or automatic means.

Union Electric Position: 4. Complies. The manual and automatic initiation of protective functions are separate.

Regulatory Guide 1.62 Position: Manual initiation of protective actions should depend on the operation of a minimum of equipment, consistent with 1, 2, 3, and 4 above.

Union Electric Position: 5. Complies. In some cases, one switch will actuate both trains. In all other cases, one switch will actuate one train.

Regulatory Guide 1.62 Position: Manual initiation of protective action at the system level should be so designed that once initiated, it will go to completion as required in Section 4.16 of IEEE Std 279-1971.

Union Electric Position: 6. Complies. Once manual initiation occurs, the protective action will go to completion.

This table demonstrates the conformance of the design of BOP equipment to Regulatory Guide 1.105. The NSSS response to this Regulatory Guide is given in Appendix 3A.

Note that the implementation date for this Regulatory Guide (plants with construction permits docketed after December 15, 1976), is after the construction permit docketing date for the Callaway plant (1974).

Regulatory Guide 1.105 Position: The following are applicable to instruments in systems important to safety:

Regulatory Guide 1.105 Position: The setpoints should be established with sufficient margin between the technical specification limits for the process variable and the nominal setpoints to allow for (a) the inaccuracy of the instrument, (b) uncertainties in the calibration, and (c) the instrument drift that could occur during the interval between calibrations.

Union Electric Position: 1. Complies. The setpoints have been established with sufficient margin to allow for instrument inaccuracies, calibration uncertainties, and potential instrument drift between calibration checks.

Regulatory Guide 1.105 Position: All setpoints should be established in that portion of the instrument span which ensures that the accuracy, as required by regulatory position 4 below, is maintained. Instruments should be calibrated so as to ensure the required accuracy at the setpoint.

Union Electric Position: 2. Complies. The instrument spans have been established to ensure that the accuracy at setpoint is sufficient.

Regulatory Guide 1.105 Position: The range selected for the instrumentation should encompass the expected operating range of the process variable being monitored to the extent that saturation does not negate the required action of the instrument.

Union Electric Position: 3. Complies. The instrument ranges have been established to ensure that saturation does not negate the required instrument operation.

Regulatory Guide 1.105 Position: The accuracy of all setpoints should be equal to or better than the accuracy assumed in the safety analysis, which considers the ambient temperature changes, vibration, and other environmental conditions. The instruments should not anneal, stress relieve, or work harden under design conditions to the extent that they will not maintain the required accuracy. Design verification of these instruments should be demonstrated as part of the instrument qualification program recommended in Regulatory Guide 1.89, "Qualification of Class 1E Equipment for Nuclear Power Plants."

Union Electric Position: 4. Complies. The instrument accuracies are adequate to ensure actuation within the limits assumed in the safety analyses, and will not be unacceptably degraded by annealing, stress relieving or work hardening under design conditions. Compliance with Regulatory Guide 1.89 is discussed in Sections 3.11(B), 3.11(N), and Appendix 3A.

Note that the accident analyses generally assume absolute values for the various parameters, rather than assuming nominal values with specified accuracies.

Regulatory Guide 1.105 Position: Instruments should have a securing device on the setpoint adjustment mechanism unless it can be demonstrated by analysis or test that such devices will not aid in maintaining the required setpoint accuracy and minimizing setpoint changes. The securing device should be designed so that it can be secured or released without altering the setpoint and should be under administrative control.

Union Electric Position: 5. Complies. The bistable setpoint adjustments are not accessible when the cabinet doors are closed. Locks are provided on the cabinet doors, and access to the cabinet area is under administrative control. There is sufficient friction in the setpoint adjustment mechanism to ensure that the adjustment will not slip during normal operation or under seismic excitation.

Regulatory Guide 1.105 Position: The assumptions used in selecting the setpoint values in regulatory position 1 and the minimum margin with respect to the limiting safety system settings, setpoint rate of deviation (drift rate), and the relationship of drift rate to testing interval (if any) should be documented.

Union Electric Position: 6. The derivation of the setpoint values from the limiting safety system settings has been thoroughly documented.

This table demonstrates the conformance of the design of BOP equipment to Regulatory Guide 1.118. The NSSS response to this Regulatory Guide is given in Appendix 3A.

Regulatory Guide 1.118 Position: The requirements and recommendations contained in IEEE Std 338-1977 are considered acceptable methods for the periodic testing of electric power and protection systems, subject to the following:

Regulatory Guide 1.118 Position: The term "safety system" is used in IEEE Std 338-1977 in many places. For the purposes of this guide, "safety system" should be understood to mean, collectively, the electric, instrumentation, and controls portions of the protection system; the protective action system; and auxiliary or supporting features that must be operable for the protection system and protective action system to perform their safety-related functions.

Union Electric Position: 1. Complies. All of the systems listed in position 1 are considered and designed as safety-related systems.

Regulatory Guide 1.118 Position: Item (6) of Section 5 of IEEE Std 338-1977 lists alternative means of including actuated equipment in the periodic testing of protection system equipment. The method in which actuated equipment is simultaneously tested with the associated protection system equipment is preferred by the NRC staff; however, overlap testing is acceptable. In addition to the requirements of item (2) in Section 6.1, complete systems tests should be performed at suitable intervals.

Union Electric Position: 2. Complies. Protection systems are tested during operation under conditions specified in Item (6)(a) or (b). Full tests that would interfere with operation are performed with the plant shutdown.

Regulatory Guide 1.118 Position: Item (11) of Section 5 of IEEE Std 338-1977 should be supplemented by the following:

"Where perturbing the monitored variable is not practical, the proposed substitute tests shall be shown to be adequate."

Union Electric Position: 3. Complies. The testing is performed by perturbing the monitored variable wherever practical. Where perturbing the monitored variable is not practical, substitute inputs will be introduced into the sensor.

Regulatory Guide 1.118 Position: Section 5 of IEEE Std 338-1977 should be supplemented by the following:

"(13) Means shall be included in the design to prevent the expansion of any bypass condition to redundant channels or load groups during testing operations. Where simulated signals are used to test protective channels or load groups or in other cases where such equipment can be effectively bypassed during a test, care shall be exercised to ensure that more channels are not bypassed than are necessary to perform the test. The remaining channels (those not bypassed) shall provide that safety function consistent with the provisions of item (4) in Section 5 of IEEE Std 338-1977."

"(14) Where redundant components are used within a single channel or load group, the design shall permit each to be tested independently."

Union Electric Position: 4. Complies. Bypass of a system does not bypass any other system on the same train or on redundant trains. Redundant components are tested independently.

Regulatory Guide 1.118 Position: Section 6.3.4 of IEEE Std 338-1977 should be supplemented by the following:

"For neutron detectors (1) tests of detector-cable assemblies for increased capacitance, (2) monitoring of noise characteristics of neutron detector signals, or some other test that does not require removal of detectors from their installed location should be used to confirm neutron detector response time characteristics to avoid undue radiation exposure of plant personnel unless such tests are not capable of detecting response time changes beyond acceptable limits."

Union Electric Position: 5. Not applicable. Neutron flux monitors supplied with the BOP do not have response time testing requirements since they are not credited in any Chapter 15 accident analyses and are for post-accident monitoring only. Refer to Table 16.3-1 and to FSAR Appendix 3A (RG 1.118 position), Section 7.1.2.6.2, and the response to NRC Question 640.1 for the justification for excluding the NSSS NIS detectors from the response time testing requirements of IEEE Std 338.

Regulatory Guide 1.118 Position: Section 6.4(5) of IEEE Std 338-1977 should be supplemented by the following:

". . . makeshift test setups except as follows:

a. Temporary jumper wires may be used with portable test equipment where the safety system equipment to be tested is provided with facilities specifically designed for connection of this test equipment. These facilities shall meet all the requirements of this standard, whether the portable test equipment is disconnected or remains connected to these facilities.

b. Removal of fuses or opening a breaker is permitted only if such action causes (1) the trip of the associated protection system channel, or (2) the actuation (startup and operation) of the associated Class 1E load group."

Union Electric Position: 6.a. Complies. Facilities for connection of test equipment include screw terminal blocks at the back of the cabinet.

Union Electric Position: 6.b. Complies. Removal of fuses or opening of input circuit breakers is done only if it causes the trip of the associated channel or actuation of the associated load group.

Regulatory Guide 1.118 Position: In addition to items (1) through (7) of Section 6.5.1 of IEEE Std 338-1977, the ability to detect significant changes in failure rates should be considered in the selection of initial intervals.

Union Electric Position: 7. Complies. Changes in failure rates are considered in testing intervals.

Regulatory Guide 1.118 Position: The following provisions of IEEE Std 338-1977 have been added in the 1977 revision of this standard. These provisions will be considered by the NRC staff and endorsed or supplemented in a future revision of this regulatory guide.

a. Section 4, eighth paragraph, excludes the process to sensor coupling and the actuated equipment to process coupling from response time testing required by the standard.

Union Electric Position: 8.a. Complies with IEEE 338-1977. Process to sensor coupling and actuated equipment to process coupling are not considered in response times.

b. Section 5, first paragraph, items and (3) now allow tripping of the channel being tested, or bypass of the equipment consistent with availability requirements, during test of redundant channels or load groups.

Union Electric Position: 8.b. Complies with IEEE 338-1977. Tripping or bypass of channels being tested is done only for the short period of the test.

c. Section 6.6.2, item (8) now only requires listing of anticipated responses in test procedures "when required as a precautionary measure."

Union Electric Position: 8.c. Complies with IEEE 338-1977. The written procedures do provide the anticipated response, when required, as a precautionary measure immediately before the step which will produce the response. The means by which the response is to be observed is included in the acceptance criteria.

Rev. OL-14 12/04

7.2.1 DESCRIPTION

7.2.1.1 System Description

The reactor trip system (RTS) automatically keeps the reactor operating within a safe region by shutting down the reactor whenever the limits of the region are approached.

The safe operating region is defined by several considerations, such as mechanical/hydraulic limitations on equipment and heat transfer phenomena. Therefore, the reactor trip system keeps surveillance on process variables which are directly related to equipment mechanical limitations, such as pressure, and pressurizer water level (to prevent water discharge through safety valves and uncovering heaters), and also on variables which directly affect the heat transfer capability of the reactor (e.g., flow and reactor coolant temperatures). Still other parameters utilized in the reactor trip system are calculated from various process variables. Whenever a direct process or calculated variable exceeds a setpoint and any applicable trip time delays have expired, the reactor will be shut down in order to protect against either damage to fuel cladding or loss of system integrity, which could lead to the release of radioactive fission products into the containment.

The following systems make up the reactor trip system (see Ref. 1, 2, and 3 for additional background information).

a. Process instrumentation and control system
b. Nuclear instrumentation system
c. Solid state logic protection system
d. Reactor trip switchgear
e. Manual actuation circuit

The reactor trip system consists of sensors that monitor various plant parameters and are connected with analog circuitry, consisting of two to four redundant channels, and digital circuitry, consisting of two redundant logic trains, that receives inputs from the analog channels to complete the logic necessary to automatically open the reactor trip breakers.

Each of two logic trains, A and B, is capable of opening a separate and independent reactor trip breaker, RTA and RTB, respectively. The two trip breakers in series connect three-phase ac power from the rod drive motor generator sets to the rod drive power cabinets, as shown in Figure 7.2-1 (Sheet 2). During plant power operation, a dc undervoltage coil on each reactor trip breaker holds a trip plunger out against its spring, allowing the power to be available at the rod control power supply cabinets. For reactor

7.2-1 Rev. OL-20 11/13

breakers opens, power is interrupted to the rod drive power supply, and the control rods fall, by gravity, into the core. The rods cannot be withdrawn until the trip breakers are manually reset. The trip breakers cannot be reset until the abnormal condition which initiated the trip is corrected. Bypass breakers BYA and BYB are provided to permit testing of the trip breakers, as discussed in Section 7.2.2.2.3.

An auto shunt trip design modification has been implemented which monitors the reactor protection system outputs to the reactor trip breakers' undervoltage coils and provides signals to the shunt trip coils upon receipt of an automatic trip signal to the undervoltage coils. This was accomplished by providing a rotary type interposing relay between the trip breaker undervoltage coil circuit and the shunt trip coil circuit. This auto shunt trip relay is energized from the reactor protection system voltage which is provided to the undervoltage coil. When the voltage is removed by an automatic reactor trip signal, the auto shunt trip relay will de-energize, closing a contact to energize the shunt coil. Thus, the breaker trip shaft will be actuated by both the undervoltage and shunt attachments. This design modification applies only to the reactor trip breakers; the bypass breaker shunt trip coils will not receive an automatic trip signal.

The added hardware consists of qualified shunt trip coils and panels which include the relays and test hardware. The shunt trip attachments and auto shunt trip panels are qualified in accordance with IEEE Standards 323-1974 and 344-1975. The panels are mounted at the reactor trip switchgear.

The auto shunt trip panels are provided with two push-button switches for use during periodic on-line testing to independently confirm the operability of the undervoltage and shunt trip attachments. The auto shunt trip block push-button switch is used to prevent the shunt trip coil from energizing when the undervoltage trip is being tested. The auto shunt trip test push-button switch is used to de-energize the auto shunt trip relay, energizing the shunt trip coil while the undervoltage coil remains energized.

The auto shunt trip panels are also equipped with test jacks to facilitate breaker response time testing. These jacks are wired directly to an auxiliary switch contact (closed when the breaker is closed) to provide indication that the breaker has tripped. Another set of jacks is connected across the auto shunt trip relay coil through resistors to provide indication of trip initiation. The resistors are provided to ensure that accidental shorts or grounds applied through the test points do not result in an inadvertent reactor trip or an overload on the reactor protection system output.

7.2.1.1.1 Functional Performance Requirements

The reactor trip system automatically initiates reactor trip:

a. Whenever necessary to prevent fuel damage for an anticipated operational transient (Condition II)
c. So that the energy generated in the core is compatible with the design provisions to protect the reactor coolant pressure boundary for limiting fault conditions (Condition IV).

The reactor trip system initiates a turbine trip signal whenever reactor trip is initiated to prevent the reactivity insertion that would otherwise result from excessive reactor system cooldown. This eliminates unnecessary actuation of the engineered safety feature actuation system.

The reactor trip system provides for manual initiation of reactor trip by operator action.

7.2.1.1.2 Reactor Trips

The reactor trip circuits automatically open the reactor trip breakers whenever a condition monitored by the reactor trip system reaches a preset level. To ensure a reliable system, high quality design, components, manufacturing, quality control, and testing are used. In addition to redundant channels and trains, the design approach provides a reactor trip system that monitors numerous system variables, therefore providing protection system functional diversity. The extent of this diversity has been evaluated for a wide variety of postulated accidents.

Table 7.2-1 provides a list of reactor trips that are described below. Table 7.2-2 provides a listing of all protection system interlocks which are designated P-(number).

a. Nuclear overpower trips

The specific trip functions generated are as follows:

1. Power range high neutron flux trip

The power range high neutron flux trip circuit trips the reactor when two out of the four power range channels exceed the trip setpoint.

There are two bistables, each with its own trip setting used for a high- and a low-range trip setting. The high trip setting provides protection during normal power operation and is always active. The low trip setting, which provides protection during startup, can be manually bypassed when two out of the four power range channels read above approximately 10-percent power (P-10). Three out of the four channels below 10 percent automatically reinstate the trip function.

2. Intermediate range high neutron flux trip

trip setpoint. This trip, which provides protection during reactor startup, can be manually blocked if two out of the four power range channels are above P-10. Three out of the four power range channels below this value automatically reinstate the intermediate range high neutron flux trip. The intermediate range channels (including detectors) are separate from the power range channels.

The intermediate range channels can be individually bypassed at the nuclear instrumentation racks to permit channel testing during plant shutdown or prior to startup. This bypass action is annunciated on the control board.

3. Source range high neutron flux trip

The source range high neutron flux trip circuit trips the reactor when one out of the two source range channels exceeds the trip setpoint.

This trip, which provides protection during reactor startup and plant shutdown, can be manually bypassed when one out of the two intermediate range channels reads above the P-6 setpoint value and is automatically reinstated when both intermediate range channels decrease below the P-6 setpoint value. This trip is also automatically bypassed by two-out-of-four logic from the power range protection interlock (P-10). This trip function can also be reinstated below P-10 by an administrative action requiring manual actuation of two control board mounted switches. Each switch will reinstate the trip function in one out of the two protection logic trains.

The source range trip point is set between the P-6 setpoint (source range cutoff power level) and the maximum source range power level. The channels can be individually bypassed at the nuclear instrumentation racks to permit channel testing during plant shutdown or prior to startup. This bypass action is annunciated on the control board.

4. Power range high positive neutron flux rate trip

This circuit trips the reactor when a sudden abnormal increase in nuclear power occurs in two out of the four power range channels.

This trip provides DNB protection against certain rod withdrawal at power events and certain partial power, low rod worth, rod ejection accidents (see Sections 15.4.2 and 15.4.8).

Figure 7.2-1 (Sheet 3) shows the logic for all of the nuclear overpower and rate trips.
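The blocking and reinstatement rules described above for the power range low setting and the source range trip can be exercised with a small model. The following Python is an added illustration, not part of the FSAR or of any plant software; the class and function names, and every setpoint other than the approximately 10-percent P-10 level, are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Only the ~10 % P-10 level comes from the text. All other setpoints are
# constructed for this example and are not plant values.
P10_PERCENT = 10.0     # power range permissive, percent power
PR_LOW_TRIP = 25.0     # constructed: power range low setting, percent
PR_HIGH_TRIP = 109.0   # constructed: power range high setting, percent
P6_AMPS = 1e-10        # constructed: intermediate range permissive
SR_TRIP_CPS = 1e5      # constructed: source range trip, counts/s


def at_least(bistables, required):
    """Coincidence gate: True when `required` or more inputs are True."""
    return sum(bool(b) for b in bistables) >= required


@dataclass
class StartupTripLogic:
    """One logic train's view of the startup trips and their manual blocks."""
    pr_low_blocked: bool = False   # manual block of power range low setting
    sr_blocked: bool = False       # manual block of source range trip

    @staticmethod
    def p10(power_range):
        # P-10 present: two out of four power range channels above ~10 %.
        return at_least([p > P10_PERCENT for p in power_range], 2)

    @staticmethod
    def p6(intermediate_range):
        # P-6 present: one out of two intermediate range channels above it.
        return at_least([i > P6_AMPS for i in intermediate_range], 1)

    def block_pr_low(self, power_range):
        """Operator request; accepted only while P-10 is present."""
        if self.p10(power_range):
            self.pr_low_blocked = True
        return self.pr_low_blocked

    def block_source_range(self, intermediate_range):
        """Operator request; accepted only while P-6 is present."""
        if self.p6(intermediate_range):
            self.sr_blocked = True
        return self.sr_blocked

    def evaluate(self, source_range, intermediate_range, power_range):
        """Run one pass and return the trip functions demanding a trip."""
        sizes = (len(source_range), len(intermediate_range), len(power_range))
        if sizes != (2, 2, 4):
            raise ValueError("expected 2 SR, 2 IR and 4 PR channels")
        # Automatic reinstatement: three of four PR channels below P-10
        # removes the low-setting block; both IR channels below P-6 removes
        # the source range block.
        if at_least([p < P10_PERCENT for p in power_range], 3):
            self.pr_low_blocked = False
        if at_least([i < P6_AMPS for i in intermediate_range], 2):
            self.sr_blocked = False
        trips = []
        if at_least([p > PR_HIGH_TRIP for p in power_range], 2):
            trips.append("PR high setting")          # always active
        if not self.pr_low_blocked and at_least(
                [p > PR_LOW_TRIP for p in power_range], 2):
            trips.append("PR low setting")
        # Source range: one-out-of-two logic, bypassed by the manual block
        # or automatically by P-10.
        sr_bypassed = self.sr_blocked or self.p10(power_range)
        if not sr_bypassed and at_least(
                [c > SR_TRIP_CPS for c in source_range], 1):
            trips.append("source range")
        return trips


if __name__ == "__main__":
    logic = StartupTripLogic()
    print(logic.block_pr_low([12, 9, 9, 9]))       # refused: only 1 of 4
    print(logic.block_pr_low([12, 12, 9, 9]))      # accepted: 2 of 4
    print(logic.evaluate([1e3, 1e3], [2e-10, 1e-11], [30, 30, 12, 12]))
    print(logic.evaluate([1e3, 1e3], [2e-10, 1e-11], [12, 9, 9, 9]))
    print(logic.pr_low_blocked)                    # reinstated automatically
```

With four channels, "two of four above" and "three of four below" are complementary conditions, so a manual block can exist only while the permissive that allowed it is still present.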

b. Core thermal overpower trips

1. Overtemperature ΔT trip

This trip protects the core against DNB and trips the reactor on coincidence, as listed in Table 7.2-1, with one set of temperature measurements per loop. The setpoint for this trip is continuously calculated by analog circuitry for each loop by solving the following equation (See Technical Specification Table 3.3.1-1 Note 1 for further details):

$$\Delta T\,\frac{(1+\tau_1 s)}{(1+\tau_2 s)}\left(\frac{1}{1+\tau_3 s}\right) \le \Delta T_o\left\{K_1 - K_2\,\frac{(1+\tau_4 s)}{(1+\tau_5 s)}\left[T_{avg}\left(\frac{1}{1+\tau_6 s}\right) - T^{o}_{avg}\right] + K_3\,(P - 2235) - f_1(\Delta I)\right\}$$

Where:

ΔT = measured RCS ΔT, °F
ΔTo = indicated ΔT at rated thermal power, °F
Tavg = measured RCS average temperature, °F
T°avg = referenced Tavg at rated thermal power, 585.3°F
P = measured pressurizer pressure, psig
K1 = preset bias reflecting upper limit (see analysis limit in Table 15.0-4)
K2 = preset gain which compensates for the effects of temperature on the DNB limits
K3 = preset gain which compensates for the effect of pressure on the DNB limits
τ1 through τ6 = preset time constants which compensate for piping, instrument, and signal conditioning time delays, seconds
s = Laplace transform operator, seconds⁻¹
f1(ΔI) = a function of the neutron flux difference between the upper and lower long ion chambers (refer to Figure 7.2-2).

A separate long ion chamber unit supplies the flux signal for each overtemperature ΔT trip channel.

The required one pressurizer pressure parameter per loop is obtained from separate sensors connected to three pressure taps at the top of the pressurizer. Four pressurizer pressure signals are obtained from the three taps by connecting one of the taps to two pressure transmitters. Refer to Section 7.2.2.3.3 for an analysis of this arrangement.

Figure 7.2-1 (Sheet 5) shows the logic for overtemperature ΔT trip function.
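The effect of the lead/lag terms in the overtemperature ΔT equation is easiest to see in a time-domain simulation. The following Python is an added illustration, not part of the FSAR or of the plant's analog circuitry; apart from the 585.3°F reference temperature and the 2235 psig reference pressure, every constant (ΔTo, K1 through K3, the time constants) and every name is an assumption constructed for the example.

```python
# Only TAVG0 (585.3 °F) and the 2235 psig reference come from the page; all
# other constants are constructed for this example and are not plant values.
DT0 = 60.0                      # ΔTo, °F (constructed)
TAVG0 = 585.3                   # T°avg, °F
P_REF = 2235.0                  # psig
K1, K2, K3 = 1.2, 0.02, 0.001   # constructed bias and gains
TAU = {1: 8.0, 2: 3.0, 3: 2.0, 4: 20.0, 5: 4.0, 6: 2.0}  # seconds, constructed


class Lag:
    """1/(1 + tau*s), discretised with backward Euler."""

    def __init__(self, tau, initial):
        self.tau, self.y = tau, initial

    def step(self, x, dt):
        self.y += dt / (self.tau + dt) * (x - self.y)
        return self.y


class LeadLag:
    """(1 + a*s)/(1 + b*s), written as r + (1 - r)/(1 + b*s) with r = a/b."""

    def __init__(self, lead, lag, initial):
        self.r = lead / lag
        self.lag = Lag(lag, initial)

    def step(self, x, dt):
        return self.r * x + (1.0 - self.r) * self.lag.step(x, dt)


def simulate(delta_t, tavg, pressure, f1, dt):
    """Return (compensated ΔT, setpoint) lists for equally spaced samples."""
    dt_comp = LeadLag(TAU[1], TAU[2], delta_t[0])
    dt_lag = Lag(TAU[3], delta_t[0])
    tavg_lag = Lag(TAU[6], tavg[0])
    tavg_comp = LeadLag(TAU[4], TAU[5], tavg[0] - TAVG0)
    lhs, rhs = [], []
    for d, t, p, f in zip(delta_t, tavg, pressure, f1):
        # Left side: measured ΔT through lead/lag (τ1, τ2) and lag (τ3).
        lhs.append(dt_lag.step(dt_comp.step(d, dt), dt))
        # Right side: lagged Tavg deviation through lead/lag (τ4, τ5).
        dev = tavg_comp.step(tavg_lag.step(t, dt) - TAVG0, dt)
        rhs.append(DT0 * (K1 - K2 * dev + K3 * (p - P_REF) - f))
    return lhs, rhs


def static_setpoint(tavg, pressure, f1=0.0):
    """Steady-state setpoint: with s -> 0 every transfer function equals 1."""
    return DT0 * (K1 - K2 * (tavg - TAVG0) + K3 * (pressure - P_REF) - f1)


def first_trip_time(lhs, rhs, dt):
    """Time of the first sample where compensated ΔT exceeds the setpoint."""
    for k, (left, right) in enumerate(zip(lhs, rhs)):
        if left > right:
            return k * dt
    return None


def step_scenario(dt=0.1, t_end=65.0, t_step=5.0):
    """Constructed transient: Tavg steps up 5 °F at t_step, ΔT held at 64 °F."""
    n = int(round(t_end / dt)) + 1
    tavg = [TAVG0 + (5.0 if k * dt >= t_step else 0.0) for k in range(n)]
    lhs, rhs = simulate([64.0] * n, tavg, [P_REF] * n, [0.0] * n, dt)
    return lhs, rhs, first_trip_time(lhs, rhs, dt)


if __name__ == "__main__":
    lhs, rhs, t_trip = step_scenario()
    print("static setpoint after step:", static_setpoint(TAVG0 + 5.0, P_REF))
    print("lowest dynamic setpoint:   ", min(rhs))
    print("trip demanded at t =", t_trip, "s")
```

In this constructed transient the measured ΔT never exceeds either steady-state setpoint, yet the lead term drives the dynamic setpoint below it shortly after the temperature step, which is the anticipatory behaviour the time constants are there to provide.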

2. Overpower ΔT trip

This trip protects against excessive power (fuel rod rating protection) and trips the reactor on coincidence, as listed in Table 7.2-1, with one set of temperature measurements per loop.

The setpoint for each channel is continuously calculated, using the following equation (See Technical Specification Table 3.3.1-1 Note 2 for further details):

$$\Delta T\,\frac{(1+\tau_1 s)}{(1+\tau_2 s)}\left(\frac{1}{1+\tau_3 s}\right) \le \Delta T_o\left\{K_4 - K_5\,\frac{\tau_7 s}{1+\tau_7 s}\left(\frac{1}{1+\tau_6 s}\right)T_{avg} - K_6\left[T_{avg}\left(\frac{1}{1+\tau_6 s}\right) - T^{o'}_{avg}\right] - f_2(\Delta I)\right\}$$

Where:

ΔT = measured RCS ΔT, °F
ΔTo = indicated ΔT at rated thermal power, °F
f2(ΔI) = a function of the neutron flux difference between upper and lower long ion chambers (zero for OPDT for all input values)
K4 = a preset bias reflecting upper limit (see analysis limit in Table 15.0-4)
K5 = a constant which compensates for piping and instrument time delay
K6 = a constant which compensates for the change in density flow and heat capacity of the water with temperature
T°'avg = indicated Tavg at rated thermal power, 585.3
Tavg = measured RCS average temperature, °F

conditioning time delays, seconds
s = Laplace transform operator, seconds⁻¹

The source of temperature and flux information is identical to that of the overtemperature ΔT trip, and the resultant ΔT setpoint is compared to the same ΔT. Figure 7.2-1 (Sheet 5) shows the logic for this trip function.

c. Reactor coolant system pressurizer pressure and water level trips

The specific trip functions generated are as follows:

1. Pressurizer low pressure trip

The purpose of this trip is to protect against low pressure which could lead to DNB. The parameter being sensed is reactor coolant pressure as measured in the pressurizer. Above P-7, the reactor is tripped when the pressurizer pressure measurements (compensated for rate of change) fall below preset limits. This trip is blocked below P-7 to permit startup. The trip logic and interlocks are given in Table 7.2-1.

The trip logic is shown on Figure 7.2-1 (Sheet 6).

2. Pressurizer high pressure trip

The purpose of this trip is to protect the reactor coolant system against system overpressure.

The same sensors and transmitters used for the pressurizer low pressure trip are used for the high pressure trip, except that separate bistables are used for trip. These bistables trip when uncompensated pressurizer pressure signals exceed preset limits on coincidence as listed in Table 7.2-1. There are no interlocks or permissives associated with this trip function.

The logic for this trip is shown on Figure 7.2-1 (Sheet 6).

3. Pressurizer high water level trip

This trip is provided as a backup to the high pressurizer pressure trip and serves to prevent water relief through the pressurizer safety valves. This trip is blocked below P-7 to permit startup. The coincidence logic and interlocks of pressurizer high water level signals are given in Table 7.2-1.

d. Reactor coolant system low flow trips

These trips protect the core from DNB in the event of a loss-of-coolant flow situation. Figure 7.2-1 (Sheet 5) shows the logic for these trips. The means of sensing the loss-of-coolant flow are as follows:

1. Low reactor coolant flow

The parameter sensed is reactor coolant flow. Four elbow taps in each coolant loop are used as a flow device that indicates the status of reactor coolant flow. The basic function of this device is to provide information as to whether or not a reduction in flow has occurred. An output signal from two out of the three bistables in a loop would indicate a low flow in that loop.

The coincidence logic and interlocks are given in Table 7.2-1.

2. Reactor coolant pump undervoltage trip

This trip protects against low flow which can result from loss of voltage to the reactor coolant pump motors (e.g., from loss of offsite power or reactor coolant pump breakers opening).

There is one undervoltage sensing relay connected to each pump at the motor side of each reactor coolant pump breaker. These relays provide an output signal when the pump voltage goes below 76.7 percent of rated bus voltage. Signals from these relays are time delayed to prevent spurious trips caused by short-term voltage perturbations.

3. Reactor coolant pump underfrequency trip

This trip protects against low flow resulting from pump underfrequency, for example a major power grid frequency disturbance. The function of this trip is to trip the reactor for an underfrequency condition greater than approximately 2.4 Hz/second. The setpoint of the underfrequency relays is adjustable between 54 and 60 Hz, typically.

There is one underfrequency sensing relay for each reactor coolant pump motor. Signals from one or both relays from both busses of the pump motors (time delayed to prevent spurious trips caused by short-term frequency perturbations) will trip the reactor if the power

e. Steam generator low-low water level trip The specific trip function generated is low-low steam generator water level trip.

This trip protects the reactor from loss of heat sink. This trip is actuated on two out of four low-low water level signals occurring in any steam generator. The Environmental Allowance Modifier (EAM) circuitry in the low-low level channel provides for two level setpoints corresponding to an adverse and a normal containment environment. A detailed description of the EAM design basis and functional implementation is provided in Reference 5, including a discussion of surveillance testing clarifications.

The logic is shown on Figure 7.2-1 (Sheets 7 and 19).

f. Reactor trip on a turbine trip (anticipatory)

The reactor trip on a turbine trip is actuated by two-out-of-three logic from emergency trip fluid pressure signals or by all closed signals from the turbine steam stop valves. A turbine trip causes a direct reactor trip above P-9. The reactor trip on turbine trip provides additional protection and conservatism beyond that required for the health and safety of the public.

This trip is included as part of good engineering practice and prudent design.

The turbine provides anticipatory trips to the reactor protection system from contacts which change position when the turbine stop valves close or when the turbine emergency trip fluid pressure goes below its setpoint.

Components specified for use as sensors for input signals to the reactor protection system for "emergency trip oil pressure low" and "turbine stop valves close" will conform to the requirements of IEEE 279-1971 and be environmentally qualified. However, seismic criteria are not included in qualification regarding mounting and location for that portion of the trip system located within nonseismic Category I structures.

Evaluations indicate that the functional performance of the protection system would not be degraded by credible electrical faults such as opens and shorts in the circuits associated with reactor trip or the generation of the P-7 interlock. The solid state protection system cabinets are provided with fuse protection for the turbine stop valve reactor trip cabling in the Turbine Building to preclude degradation of required solid state protection system functions. Faults on the Turbine Building cables going to the oil

(Foxboro) cabinets in the main control room. Loss of signal caused by open circuits would produce either a partial or full reactor trip. Faults on the first stage turbine pressure circuits would result in upscale, conservative output for open circuits and a sustained current, limited by circuit resistance, for short circuits. Multiple failures imposed on these redundant circuits could potentially disable the P-13 interlock. In this event, the nuclear instrumentation power range signals would provide the P-7 safety interlock. Refer to functional diagram, Sheet 4 of Figure 7.2-1. The sensors for the P-13 interlock are seismically qualified.

Evaluations provided in Section 7.6.1 for the trip fluid pressure transmitter loops indicate that credible electrical faults would not degrade the functional performance of the safety-related BOP instrumentation.

In addition, the following measures will be taken to ensure the integrity of the cabling to the reactor protection system (RPS):

1. Inputs from the turbine steam stop valves will originate from four separate limit switches (one per valve), each of which is dedicated to providing an input to one channel of the RPS. Cables carrying these signals will be routed in individual conduits. The four circuits will be separated from one another, from non-Class 1E circuits, and identified according to the criteria imposed on Class 1E circuits from their source up to their terminations with the RPS cabinets.
2. Inputs from the emergency trip oil pressure and P-13 interlock instrumentation will be routed in a similar manner as are the turbine stop valve inputs.

The logic for this trip is shown on Figure 7.2-1 (Sheet 16).

g. Safety injection signal actuation trip A reactor trip occurs when the safety injection system is actuated. The means of actuating the safety injection system are described in Section 7.3. This trip protects the core following a loss of reactor coolant or a steam line rupture.

Figure 7.2-1 (Sheet 8) shows the logic for this trip.

h. Manual trip The manual trip consists of two switches with two outputs on each switch.

One output is used to actuate the train A reactor trip breaker; the other

the shunt trip coil of each breaker.

There are no interlocks which can block this trip. Figure 7.2-1 (Sheet 3) shows the manual trip logic. The design conforms to Regulatory Guide 1.62, as shown in Figure 7.2-3.

7.2.1.1.3 Reactor Trip System Interlocks

See Table 7.2-2 for the list of protection system interlocks.

a. Power escalation permissives The overpower protection provided by the out-of-core nuclear instrumentation consists of three discrete, but overlapping, ranges.

Continuation of startup operation or power increase requires a permissive signal from the higher range instrumentation channels before the lower range level trips can be manually blocked by the operator.

A one out of two intermediate range permissive signal (P-6) is required prior to source range trip blocking and detector high voltage cutoff. Source range trips are automatically reactivated and high voltage restored when both intermediate range channels are below the permissive (P-6) setpoint.

There are two manual reset switches for administratively reactivating the source range level trip and detector high voltage when between the permissive P-6 and P-10 setpoints, if required. Source range level trip block and high voltage cutoff are always maintained when above the permissive P-10 setpoint.

The intermediate range level trip and power range (low setpoint) trip can only be blocked after satisfactory operation and permissive information are obtained from two out of four power range channels. Four individual blocking switches are provided so that the low range power range trip and intermediate range trip can be independently blocked (one switch for each train). These trips are automatically reactivated when any three out of the four power range channels are below the permissive (P-10) setpoint, thus ensuring automatic activation to more restrictive trip protection. The development of permissives P-6 and P-10 is shown on Figure 7.2-1 (Sheet 4). All of the permissives are digital; they are derived from analog signals in the nuclear power range and intermediate range channels.

b. Blocks of reactor trips at low power Interlock P-7 blocks a reactor trip at low power (below 10 percent of full power) on a low reactor coolant flow in more than one loop, reactor coolant
6) for permissive applications. The P-7 interlock is derived from three out of four power range neutron flux signals below the setpoint in coincidence with two out of two turbine impulse chamber pressure signals below the setpoint (low plant load). See Figure 7.2-1 (Sheets 4 and 16) for the derivation of P-7.

The P-8 interlock blocks a reactor trip when the plant is below 48 percent of full power, on a low reactor coolant flow in any one loop.

The block action occurs when three out of four neutron flux power range signals are below the setpoint. Thus, below the P-8 setpoint, the reactor has the capability to operate with one inactive loop and trip will not occur until two loops are indicating low flow. See Figure 7.2-1 (Sheet 4) for derivation of P-8 and Sheet 5 for applicable logic.

Interlock P-9 blocks a reactor trip following a turbine trip below 50 percent power. See Figure 7.2-1 (Sheet 16) for the implementation of the P-9 interlock and Sheet 4 for the derivation of P-9.

7.2.1.1.4 Coolant Temperature Sensor Arrangement

One hot leg and one cold leg temperature reading are provided from each coolant loop to for protection. Narrow range, thermowell-mounted Resistance Temperature Detectors (RTDs) are provided for each coolant loop. In the hot legs, sampling scoops are used because the flow is stratified. That is, the fluid temperature is not uniform over a cross section of the hot leg. One dual element RTD is mounted in a thermowell in each of the three sampling scoops associated with each hot leg. The scoops extend into the flow stream at locations 120° apart in the cross sectional plane. Each scoop has five orifices which sample the hot leg flow along the leading edge of the scoop. Outlet ports are provided in the scoops to direct the sampled fluid past the sensing element of the RTDs. One of each of the RTD's dual elements is used while the other is an installed spare. Three readings from each hot leg are averaged to provide a hot leg reading for that loop.

One dual element RTD is mounted in a thermowell associated with each cold leg. No sampling is needed because coolant flow is well mixed by the reactor coolant pumps. As is the case with the hot leg, one element is used while the other is an installed spare.

Certain control signals are derived from individual protection channels through isolation cards. The isolation cards are classified as a part of the protection system. The rod control system uses the auctioneered (high) value of four isolated T-AVG signals.


7.2.1.1.5 Pressurizer Water Level Reference Leg Arrangement

The design of the pressurizer water level instrumentation employs the usual tank level arrangement, using differential pressure between an upper and a lower tap on a column of water. A reference leg connected to the upper tap is kept full of water by condensation of steam at the top of the leg.

7.2.1.1.6 Analog System

The analog system consists of two instrumentation systems - the process instrumentation system and the nuclear instrumentation system.

Process instrumentation includes those devices (and their interconnection into systems) which measure temperature, pressure, fluid flow, fluid level as in tanks or vessels, and occasionally physiochemical parameters, such as fluid conductivity or chemical concentration. Process instrumentation specifically excludes nuclear and radiation measurements. The process instrumentation includes the process measuring devices, power supplies, indicators, recorders, alarm actuating devices, timers, controllers, signal conditioning devices, etc., which are necessary for day-to-day operation of the NSSS, as well as for monitoring the plant and providing initiation of plant protective functions.

The primary function of nuclear instrumentation is to protect the reactor by monitoring the neutron flux and generating appropriate trips and alarms for various phases of reactor operating and shutdown conditions. The instrumentation also provides a secondary control function and indicates reactor status during startup and power operation. The nuclear instrumentation system uses information from three separate types of instrumentation channels to provide three discrete protection levels. Each range of instrumentation (source, intermediate, and power) provides the necessary overpower reactor trip protection required during operation in that range. The overlap of instrument ranges provides reliable continuous protection beginning with source level through the intermediate and low power level. As the reactor power increases, the overpower protection level is increased by administrative procedures after satisfactory higher range instrumentation operation is obtained. Automatic reset to more restrictive trip protection is provided when reducing power.

Various types of neutron detectors, with appropriate solid state electronic circuitry, are used to monitor the leakage neutron flux from subcritical conditions to 120 percent of full power. The neutron flux covers a wide range between these extremes. Therefore, monitoring with several ranges of instrumentation is necessary.

The lowest range ("source" range) covers six decades of leakage neutron flux. The lowest observed count rate depends on the strength of the neutron sources in the core and the core multiplication associated with the shutdown reactivity. This is generally

higher portion of the source range and the lower portion of the intermediate range. The highest range of instrumentation ("power" range) covers approximately two decades of the total instrumentation range. This is a linear range that overlaps with the higher portion of the intermediate range.

The system described above provides control room indication and recording of signals proportional to reactor neutron flux during core loading, shutdown, startup, and power operation, as well as during subsequent refueling. Startup rate indication for the source and intermediate range channels is provided at the control board. Reactor trip, control stop, and control and alarm signals are transmitted to the reactor control and protection systems. Equipment failures and test status information are annunciated in the control room.

A separate neutron flux monitoring system is discussed in Section 7.6.14 and Table 7A-3, Data Sheet 1.1 (SE-NE-60,61).

See References 1 and 2 for additional background information on the process and nuclear instrumentation.

7.2.1.1.7 Solid State Logic Protection System

The solid state logic protection system takes binary inputs (voltage/no voltage) from the process and nuclear instrument channels corresponding to conditions (normal/abnormal) of plant parameters. The system combines these signals in the required logic combination and generates a trip signal (no voltage) to the undervoltage coils of the reactor trip circuit breakers when the necessary combination of signals occur. This trip signal also de-energizes the auto shunt trip relay which, in turn, closes a contact that energizes the shunt trip coil. The system also provides annunciator, status light, and computer input signals which indicate the condition of bistable input signals, partial trip and full trip functions, and the status of the various blocking, permissive, and actuation functions. In addition, the system includes means for semiautomatic testing of the logic circuits. See References 3, 8, 9, and 10 for additional background information.

7.2.1.1.8 Isolation Amplifiers

In certain applications, control signals are derived from individual protection channels through isolation amplifiers contained in the protection channel, as permitted by IEEE Standard 279-1971.

In all of these cases, analog signals derived from protection channels for nonprotective functions are obtained through isolation amplifiers located in the analog protection racks.


electrical separation of control and protection functions.

7.2.1.1.9 Energy Supply and Environmental Variations

The energy supply for the reactor trip system, including the voltage and frequency variations, is described in Section 7.6 and Chapter 8.0. The environmental variations, throughout which the system will perform, are given in Sections 3.11(B), 3.11(N) and Chapter 8.0.

7.2.1.1.10 Setpoints

The setpoints that require trip action are given in the Technical Specifications. A detailed discussion on setpoints is found in Section 7.3.8.1.2.7.

7.2.1.1.11 Seismic Design

The seismic design considerations for the reactor trip system are given in Section 3.10(N). This design meets the requirements of GDC-2 (refer to Section 3.1).

7.2.1.2 Design Bases Information

The information given below presents the design bases information requested by Section 3 of IEEE Standard 279-1971. Functional diagrams are presented in Figure 7.2-1.

7.2.1.2.1 Generating Station Conditions

The following are the generating station conditions requiring reactor trip.

a. DNBR approaching the applicable DNBR limit value (see Chapter 4).
b. Linear power density (kilowatts per foot) approaching rated value for Condition II events (see Chapter 4.0 for fuel design limits).
c. Reactor coolant system overpressure creating stresses approaching the limits specified in Chapter 5.0.

7.2.1.2.2 Generating Station Variables

The following are the variables required to be monitored in order to provide reactor trips (see Table 7.2-1).

a. Neutron flux
c. Reactor coolant system pressure (pressurizer pressure)
d. Pressurizer water level
e. Reactor coolant flow
f. Reactor coolant pump operational status (voltage and frequency)
g. Steam generator water level (See Reference 5)
h. Turbine-generator operational status (trip fluid pressure and stop valve position)

7.2.1.2.3 Spatially Dependent Variables

The only spatially dependent variable is the reactor coolant temperature. See Section 7.3.8.1.2 for a discussion of this spatial dependence.

7.2.1.2.4 Limits, Margins, and Setpoints

The parameter values that will require reactor trip are given in Chapter 15.0 and the Callaway Technical Specifications. The accident analyses in Chapter 15.0 demonstrate that the setpoints used in the Callaway Technical Specifications are conservative.

The setpoints for the various functions in the reactor trip system have been analytically determined so that the operational limits so prescribed will prevent fuel rod clad damage or loss of integrity of the reactor coolant system as a result of any Condition II event (anticipated malfunction). As such, during any Condition II event, the reactor trip system limits the following parameters to:

a. Minimum DNBR = applicable DNBR limit value (see Chapter 4).
b. Maximum system pressure = 2,750 psia
c. Fuel rod maximum linear power for determination of protection setpoints = 18.0 kW/ft

The accident analyses described in Section 15.4 demonstrate that the functional requirements specified for the reactor trip system are adequate to meet the above considerations, even assuming the conservative, adverse combinations of instrument errors (refer to Table 15.0-4). A discussion of the safety limits associated with the reactor core and reactor coolant system, plus the limiting safety system setpoints, are presented in the Callaway Technical Specifications.


The malfunctions, accidents, or other unusual events which could physically damage reactor trip system components or could cause environmental changes are as follows:

a. Earthquakes (see Chapters 2.0 and 3.0)
b. Fire (see Section 9.5.1)
c. Explosion - hydrogen buildup inside containment (see Section 6.2)
d. Missiles (see Section 3.5)
e. Flood (see Chapters 2.0 and 3.0)
f. Wind and tornadoes (see Section 3.3)

The reactor trip system fulfills the requirements of IEEE Standard 279-1971 to provide automatic protection and to provide initiating signals to mitigate the consequences of faulted conditions. The reactor trip system is protected from fires, explosions, floods, winds, and tornadoes (see each item above).

7.2.1.2.6 Minimum Performance Requirements

a. Reactor trip system response times Typical time delays in generating the reactor trip signal are tabulated in Table 7.2-3. See Section 7.1.2.6.2 for a discussion of periodic response time verification capabilities.
b. Reactor trip accuracies Typical reactor trip accuracies are tabulated in Table 7.2-3. An additional discussion on accuracy is found in Section 7.3.8.1.2.7.
c. Protection system ranges Typical protection system ranges are tabulated in Table 7.2-3. Range selection for the instrumentation covers the expected range of the process variable being monitored during power operation. Limiting setpoints are at least 5 percent from the end of the instrument span.


Functional block diagrams, electrical elementaries, and other drawings required to ensure electrical separation and perform a safety review are provided in the Safety-Related Drawing Package (refer to Section 1.7).

7.2.2 ANALYSES

7.2.2.1 Failure Mode and Effects Analyses

An analysis of the reactor trip system has been performed. Results of this study and a fault tree analysis are presented in Reference 4. Replacement solid state protection system circuit boards were analyzed and tested to determine impact to the Failure Modes and Effects Analyses. The replacement circuit boards will continue to perform as described in Reference 4, but additional board level redundancies will prevent certain -component failures from resulting in overall board failure as described in References 8, 9, and 10 for the three circuit boards associated with active safety functions.

7.2.2.2 Evaluation of Design Limits

While most setpoints used in the reactor protection system are fixed, there are variable setpoints, most notably the overtemperature ΔT and overpower ΔT setpoints.

Additionally, for steam generator low-low level reactor trip, the Environmental Allowance Modifier (EAM) circuitry allows for two setpoints, one for a normal containment environment and another enabled when an adverse environment is detected. All setpoints in the reactor trip system have been selected on the basis of engineering design or safety studies. The capability of the reactor trip system to prevent loss of integrity of the fuel cladding and/or reactor coolant system pressure boundary during Condition II and III transients is demonstrated in Chapter 15.0. Accident analyses are carried out using those setpoints determined from results of the engineering design studies. Setpoint limits are presented in the Callaway Technical Specifications. A discussion of the intent for each of the various reactor trips and the accident analyses (where appropriate) which utilize this trip are presented below. It should be noted that the selected trip setpoints provide for a margin to allow for uncertainties and instrument errors. The design meets the requirements of GDC-10 and 20 (refer to Section 3.1).

7.2.2.2.1 Trip Setpoint Discussion

The DNBR existing at any point in the core for a given core design can be determined as a function of the core inlet temperature, power output, operating pressure, and flow.

e safety limits in terms of the applicable DNBR limit for the hot channel can be developed as a function of core ΔT, Tavg and pressure for the thermal design flow, as illustrated by the solid lines in Figure 15.0-1. The dashed lines indicate the maximum permissible setpoint (ΔT) as a function of Tavg and pressure for the overtemperature and overpower reactor trip. Actual setpoint constants in the equation representing the dashed lines are as given in the Callaway Technical Specifications. These values are

DNBR is not a directly measurable quantity; however, the process variables that determine DNBR are sensed and evaluated. Small isolated changes in various process variables may not individually result in violation of a core safety limit, whereas the combined variations, over sufficient time, may cause the overpower or overtemperature safety limit to be exceeded. The reactor trip system provides reactor trips associated with individual process variables in addition to the overpower/overtemperature safety limit trips. Process variable trips prevent reactor operation whenever a change in the monitored value is such that a core or system safety limit is in danger of being exceeded should operation continue. Basically, the high pressure, low pressure, and overpower/overtemperature ΔT trips provide sufficient protection for slow transients as opposed to such trips as low flow or high flux which will trip the reactor for rapid changes in flow or neutron flux, respectively, that would result in fuel damage before actuation of the slower responding ΔT trips could be effected.

Therefore, the reactor trip system has been designed to provide protection for fuel cladding and reactor coolant system pressure boundary integrity where: 1) a rapid change in a single variable or factor will quickly result in exceeding a core or a system safety limit and 2) a slow change in one or more variables will have an integrated effect which will cause safety limits to be exceeded. Overall, the reactor trip system offers diverse and comprehensive protection against fuel cladding failure and/or loss of reactor coolant system integrity for Condition II and III accidents. This is demonstrated by Table 7.2-4, which lists the various trips of the reactor trip system, the corresponding Callaway Technical Specifications, and the applicable accidents discussed in the safety analyses in which the trip could be credited.

The design meets the requirements of GDC-21 (refer to Section 3.1).

Preoperational testing is performed on reactor trip system components and systems to determine equipment readiness for startup. This testing serves as a further evaluation of the system design.

Analyses of the results of Condition I, II, III, and IV events, including considerations of instrumentation installed to mitigate their consequences, are presented in Chapter 15.0.

The instrumentation installed to mitigate the consequences of load rejection and turbine trip is given in Section 7.4.

7.2.2.2.2 Reactor Coolant Flow Measurement

The elbow taps used on each loop in the primary coolant system are instrument devices that indicate the status of the reactor coolant flow. The basic function of this device is to

$$\frac{\Delta P}{\Delta P_o} = \left(\frac{W}{W_o}\right)^2$$

where $\Delta P_o$ is the pressure differential at the reference flow $W_o$ and $\Delta P$ is the pressure differential at the corresponding flow, $W$. The full flow reference point is established during initial plant startup. The low flow trip point is then established at 90% of full flow.

The expected absolute accuracy of the channel is within +/- 10 percent of full flow, and field results have shown the repeatability of the trip point to be within +/- 1 percent.
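The following Python sketch is an added example, not part of the FSAR or of any plant software: it combines the elbow-tap relation above (pressure differential proportional to flow squared, low flow trip at 90% of full flow) with the two-out-of-three loop coincidence and the P-7 and P-8 blocks of the low flow trip. The four-loop count, the reference differential of 100 units, all function names, and the choice to treat a lost power range or turbine signal as not satisfying a permissive are assumptions made for the illustration.

```python
import math
from typing import Optional, Sequence

LOW_FLOW_TRIP = 0.90  # low flow trip point as a fraction of full flow (from the text)
P7_SETPOINT = 10.0    # percent of full power (from the text)
P8_SETPOINT = 48.0    # percent of full power (from the text)


def flow_fraction(dp: float, dp_ref: float) -> float:
    """Invert dP/dPo = (W/Wo)^2 to get W/Wo from an elbow-tap differential."""
    return math.sqrt(max(dp, 0.0) / dp_ref)


def flow_bistable(dp: Optional[float], dp_ref: float, in_test: bool = False) -> bool:
    """Return True when this channel calls for a trip.

    A lost signal (None) or a channel placed in test is counted as tripped,
    which is the partial-trip behaviour the text describes.
    """
    if dp is None or in_test:
        return True
    return flow_fraction(dp, dp_ref) < LOW_FLOW_TRIP


def coincidence(votes: Sequence[bool], required: int) -> bool:
    """Generic m-out-of-n vote."""
    return sum(1 for v in votes if v) >= required


def loop_low_flow(dps: Sequence[Optional[float]], dp_ref: float,
                  in_test: Sequence[bool] = (False, False, False)) -> bool:
    """Two out of three bistables in a loop indicate low flow in that loop."""
    votes = [flow_bistable(dp, dp_ref, t) for dp, t in zip(dps, in_test)]
    return coincidence(votes, 2)


def power_below(power_channels: Sequence[Optional[float]], setpoint: float) -> bool:
    """Three out of four power range channels below the setpoint.

    Assumption: a lost channel (None) never counts as 'below', so a failed
    input can remove a block but cannot grant one.
    """
    votes = [p is not None and p < setpoint for p in power_channels]
    return coincidence(votes, 3)


def p7_block(power_channels: Sequence[Optional[float]],
             turbine_low_load: Sequence[Optional[bool]]) -> bool:
    """P-7: 3/4 power range below setpoint AND 2/2 turbine impulse pressure low."""
    low_load = coincidence([t is True for t in turbine_low_load], 2)
    return low_load and power_below(power_channels, P7_SETPOINT)


def low_flow_reactor_trip(loops_low: Sequence[bool],
                          power_channels: Sequence[Optional[float]],
                          turbine_low_load: Sequence[Optional[bool]]) -> bool:
    """Low reactor coolant flow trip with the P-7 and P-8 blocks applied."""
    n_low = sum(1 for low in loops_low if low)
    if p7_block(power_channels, turbine_low_load):
        return False              # below P-7 the low flow trip is blocked
    if power_below(power_channels, P8_SETPOINT):
        return n_low >= 2         # below P-8 a single-loop loss does not trip
    return n_low >= 1             # above P-8 any one loop trips the reactor


if __name__ == "__main__":
    REF = 100.0  # constructed reference differential at full flow
    # Constructed case: loop 1 has two channels reading 80% of reference dP.
    loops = [loop_low_flow((80.0, 80.0, 100.0), REF)] + [False] * 3
    for power in (100.0, 40.0):
        trip = low_flow_reactor_trip(loops, [power] * 4, [False, False])
        print(f"power {power:5.1f}%  loops low {sum(loops)}  trip {trip}")
```

A single lost flow channel produces only a partial trip, while a lost permissive input removes a block rather than granting one.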

7.2.2.2.3 Evaluation of Compliance to Applicable Codes and Standards

The reactor trip system meets the criteria of the GDC, as indicated. The reactor trip system meets the requirements of Section 4 of IEEE Standard 279-1971, as indicated below.

a. General functional requirement The protection system automatically initiates appropriate protective action whenever a condition monitored by the system reaches a preset level.

Functional performance requirements are given in Section 7.2.1.1.1.

Section 7.2.1.2.4 presents a discussion of limits, margins, and levels; Section 7.2.1.2.5 discusses unusual (abnormal) events; and Section 7.2.1.2.6 presents minimum performance requirements.

b. Single failure criterion The protection system is designed to provide two, three, or four instrumentation channels for each protective function and two logic train circuits. These redundant channels and trains are electrically isolated and physically separated. Thus, any single failure within a channel or train will not prevent protective action at the system level when required. Loss of input power to a channel or logic train, the most likely mode of failure, will result in a signal calling for a trip. This design meets the requirements of GDC-23 (refer to Section 3.1).

To prevent the occurrence of common mode failures, such additional measures as functional diversity, physical separation, and testing, as well as administrative control during design, production, installation, and operation, are employed, as discussed in References 4, 8, 9, and 10. The design meets the requirements of GDC-21 and 22 (refer to Section 3.1).


For a discussion on the quality of the components and modules used in the reactor trip system, refer to Chapter 17.0. The quality assurance applied conforms to GDC-1 (refer to Section 3.1).

d. Equipment qualification For a discussion of the type tests made to verify the performance requirements, refer to Section 3.11(N). The test results demonstrate that the design meets the requirements of GDC-4 (refer to Section 3.1).
e. Channel integrity Protection system channels required to operate in accident conditions maintain necessary functional capability under extremes of conditions relating to environment, energy supply, malfunctions, and accidents. The energy supply for the reactor trip system is described in Section 7.6 and Chapter 8.0. The environmental variations throughout which the system will perform are given in Section 3.11(N).
f. Independence Channel independence is carried throughout the system, extending from the sensor through to the devices actuating the protective function.

Physical separation is used to achieve separation of redundant transmitters. Separation of wiring is achieved using separate wireways, cable trays, conduit runs, and containment penetrations for each redundant channel. Redundant analog equipment is separated by locating modules in different protection cabinets. Each redundant protection channel set is energized from a separate ac power feed. This design meets the requirements of GDC-21 (refer to Section 3.1).

Two reactor trip breakers, which are actuated by two separate logic matrices, interrupt power to the control rod drive mechanisms. The breaker main contacts are connected in series with the power supply so that opening either breaker interrupts power to all control rod drive mechanisms, permitting the rods to free fall into the core (see Figure 7.1-1).

The design philosophy is to make maximum use of a wide variety of measurements. The protection system continuously monitors numerous diverse system variables. Generally, two or more diverse protection functions would terminate an accident before limits are exceeded. This design meets the requirement of GDC-22 (refer to Section 3.1).


The protection system is designed to be independent of the control system.

In certain applications, the control signals and other nonprotective functions are derived from individual protection channels through isolation amplifiers, as described in Section 7.2.1.1.8. The isolation amplifiers are classified as part of the protection system and are located in the analog protection racks. Nonprotective functions include those signals used for control, remote process indication, and computer monitoring. The isolation amplifiers are designed such that a short circuit, open circuit, or the application of credible fault voltages from within the cabinets on the isolated output portion of the circuit (i.e., the nonprotective side of the circuit) will not affect the input (protective) side of the circuit. The signals obtained through the isolation amplifiers are never returned to the protective racks. This design meets the requirements of GDC-24 and Section 4.7 of IEEE Standard 279-1971 (refer to Section 3.1).

The results of applying various malfunction conditions on the output portion of the isolation amplifiers show that no significant disturbance to the isolation amplifier input signal occurred.

h. Derivation of system inputs To the extent feasible and practical, protection system inputs are derived from signals which are direct measures of the desired variables. Variables monitored for the various reactor trips are listed in Section 7.2.1.2.2.
i. Capability for sensor checks The operational availability of each system input sensor during reactor operation is accomplished by cross checking between channels that bear a known relationship to each other and that have readouts available.

Channel checks are discussed in the Technical Specifications.

j. Capability for testing The reactor trip system is capable of being tested during power operation.

Where only parts of the system are tested at any one time, the testing sequence provides the necessary overlap between the parts to ensure complete system operation. The testing capabilities are in conformance with Regulatory Guide 1.22, as discussed in Section 7.1.2.5.2.

The protection system is designed to permit periodic testing of the analog channel portion of the reactor trip system during reactor power operation without initiating a protective action, unless a trip condition actually exists.

This is because of the coincidence logic required for reactor trip. These

redundant reactor trip channels associated with the function to be tested must be in the normal (untripped) mode in order to avoid spurious trips.

Setpoints are administratively controlled.

Analog Channel Tests Analog channel testing is performed at the analog instrumentation rack set by individually introducing dummy input signals into the instrumentation channels and observing the tripping of the appropriate output bistables.

Process analog output to the logic circuitry is interrupted during individual channel tests by test switches which, when thrown, place the Environmental Allowance Modifier (EAM) function into a conservative state, deenergize the associated logic inputs and insert a proving lamp in the bistable outputs. Interruption of a bistable output to the logic circuitry for any cause (test, maintenance purposes, or removed from service) will cause that portion of the logic to be actuated (partial trip), accompanied by a partial trip alarm and channel status light actuation in the control room.

Each channel contains those switches, test points, etc. necessary to test the channel. See References 1, 2, and 5 (as clarified) for additional background information.

The following periodic tests of the analog channels of the protection circuits are performed:

1. Tavg and ΔT protection channel testing
2. Pressurizer pressure protection channel testing
3. Pressurizer water level protection channel testing
4. Steam generator water level protection channel testing
5. Reactor coolant low flow, underfrequency, and undervoltage protection channels
6. Steam line pressure protection channels
7. Containment pressure

Nuclear Instrumentation Channel Tests

The power range channels of the nuclear instrumentation system are tested by superimposing a test signal on the actual detector signal being received by the channel at the time of testing. The output of the bistable is

not required.

To test a power range channel, a "TEST-OPERATE" switch is provided to require deliberate operator action. Operation of this switch will initiate the "CHANNEL TEST" annunciator in the control room. Bistable operation is tested by increasing the test signal to its trip setpoint and verifying bistable relay operation by control board annunciator and trip status lights. It should be noted that a valid trip signal would cause the channel under test to trip at a lower actual reactor power level.

A reactor trip would occur when a second bistable trips. No provisions have been made in the channel test circuit for reducing the channel signal level below that signal being received from the nuclear instrumentation system detector.

A nuclear instrumentation system channel which can cause a reactor trip through one-of-two protection logic (source or intermediate range) is provided with a bypass function which prevents the initiation of a reactor trip from that particular channel during the short period that it is undergoing test. These bypasses are annunciated in the control room.

Periodic tests of all three ranges of the nuclear instrumentation system are performed while at plant shutdown or while the reactor is at power.

Any deviations noted during the performance of these tests are investigated and corrected in accordance with the established calibration and troubleshooting procedures provided in the plant technical manual for the nuclear instrumentation system. Control and protection trip settings are administratively controlled.

In addition to the above tests, incore/excore calibrations of the power range channels are conducted while the reactor is at power. Also, 18-month calibrations of the source range, intermediate range, and power range channels are permitted to be conducted at power. During the incore/excore calibration adjustments and during the 18-month calibrations at power, it is permitted to disconnect the detector and high voltage power supply cables for testing.

For additional background information on the nuclear instrumentation system, see Reference 2.


The reactor logic trains of the reactor trip system are designed to be capable of complete testing at power. After the individual channel analog testing is complete, the logic matrices are tested from the train A and train B logic rack test panels. This step provides overlap between the analog and logic portions of the test program. During this test, all of the logic inputs are actuated automatically in all combinations of trip and nontrip logic. Trip logic is not maintained long enough to permit opening of the reactor trip breakers. The reactor trip undervoltage coils and auto shunt trip relays are "pulsed" in order to check continuity. During logic testing of one train, the other train can initiate any required protective functions. Annunciation is provided in the control room to indicate when a train is in test (train output bypassed) and when a reactor trip breaker is bypassed. Logic testing can be performed in less than 30 minutes.

A direct reactor trip resulting from undervoltage or underfrequency on the reactor coolant pump busses is provided, as discussed in Section 7.2.1.1.2 and shown on Figure 7.2-1 (Sheet 5). The logic for these trips is capable of being tested during power operation. When parts of the trip are being tested, the sequence is such that an overlap is provided between parts so that a complete logic test is provided. Thus complete testing of the RTS is possible.

This design complies with the testing requirements of IEEE Standard 279-1971 and IEEE Standard 338-1971 discussed in Section 7.1.2.6.2. For additional details, see References 3, 8, 9, and 10.

The permissive and block interlocks associated with the reactor trip system and engineered safety feature actuation system are given on Tables 7.2-2 and 7.3-15 and designated protection or "P" interlocks. As a part of the protection system, these interlocks are designed to meet the testing requirements of IEEE Standard 279-1971 and IEEE Standard 338-1971.

Testing of all protection system interlocks is provided by the logic testing and semiautomatic testing capabilities of the solid state protection system.

In the solid state protection system, the undervoltage coils and auto shunt trip relays (reactor trip) and master relays (engineered safeguards actuation) are pulsed for all combinations of trip or actuation logic with and without the interlock signals. For example, reactor trip on low flow (two out of four loops showing two out of three low flow) is tested to verify operability of the trip above P-7 and nontrip below P-7 (see Figure 7.2-1, Sheet 5).

Interlock testing may be performed at power.


test the system:

1. Check of input relays

During testing of the process instrumentation system and nuclear instrumentation system channels, each channel bistable is placed in a trip mode, causing one input relay in train A and one in train B to deenergize. A contact of each relay is connected to a universal logic printed circuit card. This card performs both the reactor trip and monitoring functions. Each reactor trip input relay contact causes a status lamp and an annunciator on the control board to operate. Either the train A or train B input relay operation will light the status lamp and annunciator.

Each train contains a multiplexing test switch. At the start of a process or nuclear instrumentation system test, this switch (in either train) is placed in the A + B position.

The A + B position alternately allows information to be transmitted from the two trains to the control board. A steady status lamp and annunciator indicates that input relays in both trains have been deenergized. A flashing lamp means that the input relays in the two trains did not both deenergize. Contact inputs to the logic protection system, such as reactor coolant pump bus underfrequency relays, operate input relays which are tested by operating the remote contacts as described above and using the same type of indications as those provided for bistable input relays.

Actuation of the input relays provides the overlap between the testing of the logic protection system and the testing of those systems supplying the inputs to the logic protection system. Test indications are status lamps and annunciators on the control board.

Inputs to the logic protection system are checked one channel at a time, leaving the other channels in service. For example, a function that trips the reactor when two out of four channels trip becomes a one out of three trip when one channel is placed in the trip mode.

Both trains of the logic protection system remain in service during this portion of the test.

2. Check of logic matrices

Logic matrices are checked, one train at a time. Input relays are not operated during this portion of the test. Reactor trips from the train being tested are inhibited with the use of the input error inhibit switch

instrumentation or nuclear instrumentation is tripped to check closure of the input error inhibit switch contacts.

The logic test scheme uses pulse techniques to check the coincidence logic. All possible trip and nontrip combinations are checked. Pulses from the tester are applied to the inputs of the universal logic card at the same terminals that connect to the input relay contacts. Thus there is an overlap between the input relay check and the logic matrix check. Pulses are fed back from the reactor trip breaker undervoltage coil and auto shunt trip relay to the tester. The pulses are of such short duration that the reactor trip breaker undervoltage trip attachment (UVTA) trip lever and shunt trip attachment (STA) armature cannot respond mechanically.

The test indications provided are an annunciator in the control room, indicating that reactor trips from the train have been blocked and that the train is being tested, and green and red lamps on the semiautomatic tester, which indicate a good or bad logic matrix test.

Protection capability provided during this portion of the test is from the train not being tested.

3. General warning alarm reactor trip

Each of the two trains of the solid state protection system is continuously monitored by the general warning alarm reactor trip subsystem. The warning circuits are actuated if undesirable train conditions are set up by improper alignment of testing systems, circuit malfunction or failure, etc., as listed below. A trouble condition in a logic train is indicated in the control room.

However, if any of the conditions exist in both trains at the same time, the general warning alarm circuits will automatically trip the reactor.

a. Loss of either of two 48 volt dc or either of two 15 volt dc power supplies.
b. Printed circuit card improperly inserted.
c. Input error inhibit switch in the INHIBIT position.
d. Slave relay tester mode selector in TEST position.
e. Multiplexing selector switch in INHIBIT position.


g. Opposite train bypass breaker racked in and closed.
h. Permissive or memory test switch not in OFF position.
i. Logic function test switch not in OFF position.

The testing capability meets the requirements of GDC-21 (refer to Section 3.1).
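The coincidence behaviour described in the test sequence above (a two-out-of-four function acting as one out of three while a channel is in the trip mode, one train covering for the train under test, and the automatic trip on a general warning in both trains) can be modelled in a few lines. This is an added Python illustration, not part of the FSAR or of the plant's logic; all function and class names are hypothetical, and the model ignores relays, pulse timing, and breakers.

```python
"""Added illustration: two-train coincidence logic with a general warning trip.
Simplified model; names and structure are assumptions, not the plant's design."""
from itertools import combinations, product

INHIBIT = "input error inhibit switch in INHIBIT"  # general warning condition c


def coincidence(tripped, m):
    """Specification: demand a trip when at least m channels are tripped."""
    return sum(tripped) >= m


def logic_matrix(tripped, m):
    """Matrix form: OR over the AND of every m-channel combination."""
    return any(all(tripped[i] for i in combo)
               for combo in combinations(range(len(tripped)), m))


def matrix_test(n, m):
    """Apply every trip/nontrip input combination, as the logic tester does,
    and return the combinations where the matrix disagrees with the spec."""
    return [c for c in product((False, True), repeat=n)
            if logic_matrix(c, m) != coincidence(c, m)]


def effective_logic(n, m, in_trip_mode):
    """Remaining (required, available) channels once some are in trip mode."""
    return max(m - in_trip_mode, 0), n - in_trip_mode


class Train:
    """One logic train together with its general warning conditions."""

    def __init__(self, name):
        self.name = name
        self.trouble = set()

    @property
    def general_warning(self):
        return bool(self.trouble)

    def demands_trip(self, tripped, m, interlock_block=False):
        if INHIBIT in self.trouble:      # train in test: its trips are inhibited
            return False
        return not interlock_block and logic_matrix(tripped, m)


def reactor_trip(train_a, train_b, tripped, m, interlock_block=False):
    """Return (trip, reason) for one protective function seen by both trains."""
    if train_a.general_warning and train_b.general_warning:
        return True, "general warning in both trains"
    for train in (train_a, train_b):
        if train.demands_trip(tripped, m, interlock_block):
            return True, f"coincidence in train {train.name}"
    return False, "no trip"


def scenarios():
    """Constructed cases for a 2/4 function; returns {label: (trip, reason)}."""
    a, b = Train("A"), Train("B")
    out = {}
    # Channel 1 placed in trip mode for its analog test: partial trip only.
    out["one channel in test"] = reactor_trip(a, b, (True, False, False, False), 2)
    # A second, genuine bistable trip completes the coincidence (1/3 remaining).
    out["second channel trips"] = reactor_trip(a, b, (True, False, True, False), 2)
    # Same inputs while an interlock blocks the function (below a permissive).
    out["interlock block"] = reactor_trip(a, b, (True, False, True, False), 2, True)
    # Train A in logic test: train B still provides the protective action.
    a.trouble.add(INHIBIT)
    out["train A in test"] = reactor_trip(a, b, (True, False, True, False), 2)
    out["train A in test, no demand"] = reactor_trip(a, b, (False,) * 4, 2)
    # A trouble condition in train B as well: automatic trip with no demand.
    b.trouble.add("printed circuit card improperly inserted")
    out["both trains in trouble"] = reactor_trip(a, b, (False,) * 4, 2)
    return out


if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label:28s} -> {result}")
```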

Testing of Reactor Trip Breakers

Normally, reactor trip breakers 52/RTA and 52/RTB are in service, and bypass breakers 52/BYA and 52/BYB are withdrawn (out of service). In testing the protection logic, pulse techniques are used to avoid tripping the reactor trip breakers, thereby eliminating the need to bypass them during this testing. The following procedure describes the method used for testing the trip breakers:

1. With bypass breaker 52/BYA racked out, manually close and trip it to verify its operation.
2. Rack in and close 52/BYA.
3. Manually trip 52/RTA through a protection system logic matrix while at the same time depressing the auto shunt trip block push-button switch on the auto shunt trip panel. This verifies the operation of the UVTA when the breaker trips.
4. Release the auto shunt trip block push-button switch. After reclosing 52/RTA, trip it again by depressing the auto shunt trip test push-button switch on the auto shunt trip panel. This verifies the operation of the STA when the breaker trips.
5. Reclose 52/RTA.
6. Open and rack out 52/BYA.
7. Repeat above steps to test trip breaker 52/RTB, using bypass breaker 52/BYB.

Auxiliary contacts of the bypass breakers are connected into the alarm system of their respective trains so that if either train is placed in test while the bypass breaker of the other train is closed both reactor trip breakers and both bypass breakers will automatically trip.


bypass breaker of the other train is already closed both bypass breakers will automatically trip.

The train A and train B alarm systems operate separate annunciators in the control room. The two bypass breakers also operate an annunciator in the control room. Bypassing of a protection train with either the bypass breaker or with the test switches will result in audible and visual indicators.

Auxiliary switch contacts (P-4) of the reactor trip breakers which initiate protective functions can be tested on-line to verify proper operation.

Testing is accomplished using selector switches and voltmeters mounted on the front panels of the reactor trip switchgear cabinets.

The complete reactor trip system is normally required to be in service.

However, to permit on-line testing of the various protection channels or to permit continued operation in the event of a subsystem instrumentation channel failure, the Callaway Technical Specifications define the required number of operable channels. The Callaway Technical Specifications also define the required actions in the event that the channel operability requirements cannot be met.

k. Channel bypass or removal from operation

The protection system is designed to permit periodic testing of the analog channel portion of the reactor trip system during reactor power operation without initiating a protective action, unless a trip condition actually exists.

This is because of the coincidence logic required for reactor trip. Additional information is given in Section 7.2.1.1.2.

l. Operating bypasses

Where operating requirements necessitate automatic or manual bypass of a protective function, the design is such that the bypass is removed automatically whenever permissive conditions are not met. Devices used to achieve automatic removal of the bypass of a protective function are considered part of the protection system and are designed in accordance with the criteria of this section. Indication is provided in the control room if some part of the system has been administratively bypassed or taken out of service.

m. Indication of bypasses

Bypass indication is addressed in Table 7.5-3.


The design provides for administrative control of access to the means for manually bypassing channels or protective functions.

o. Multiple setpoints

For monitoring neutron flux and steam generator low-low level, multiple setpoints are used. When a more restrictive trip setting becomes necessary to provide adequate protection for a particular mode of operation or set of operating conditions, the protection system circuits are designed to provide positive means or administrative control to ensure that the more restrictive trip setpoint is used. The devices used to prevent improper use of less restrictive trip settings are considered part of the protection system and are designed in accordance with the criteria of this section.

p. Completion of protective action

The protection system is so designed that, once initiated, a protective action goes to completion. Return to normal operation requires action by the operator.

q. Manual initiation

Switches are provided on the control board for manual initiation of protective action. Failure in the automatic system does not prevent the manual actuation of the protective functions. Manual actuation relies on the operation of a minimum of equipment.

r. Access

The design provides for administrative control of access to all setpoint adjustments, module calibration adjustments, and test points.

s. Identification of protective actions

Protective channel identification is discussed in Section 7.1.2.3. Indication is discussed in item t below.

t. Information readout

The protection system provides the operator with complete information pertinent to system status and safety. All transmitted signals (flow, pressure, temperature, etc.) which can cause a reactor trip will be either indicated or recorded for every channel, including all neutron flux power

Any reactor trip will actuate an alarm and an annunciator. Such protective actions are indicated and identified down to the channel level.

Alarms and annunciators are also used to alert the operator of deviations from normal operating conditions so that he may take appropriate corrective action to avoid a reactor trip. Actuation of any rod stop or trip of any reactor trip channel will actuate an alarm.

u. System repair

The system is designed to facilitate the recognition, location, replacement, and repair of malfunctioning components or modules. Refer to the discussion in item j above.

7.2.2.3 Specific Control and Protection Interactions

7.2.2.3.1 Neutron Flux

Four power range neutron flux channels are provided for overpower protection. An isolated auctioneered high signal is derived by auctioneering the four channels for automatic rod control (automatic rod insertion only - automatic rod withdrawal no longer available). If any channel fails in such a way as to produce a low output, that channel is incapable of proper overpower protection but will not cause control rod movement because of the auctioneer. Two-out-of-four overpower trip logic will ensure an overpower trip if needed, even with an independent failure in another channel.

In addition, channel deviation signals in the nuclear instrumentation system (NIS), as discussed in Section 7.7.1.3.1, will give an alarm if any neutron flux channel deviates significantly from the average of the flux signals. Also, the protection system will respond only to rapid changes in indicated neutron flux; slow changes or drifts are compensated by the reactor control system (See Section 7.7.1.1). Finally, an overpower signal (See Section 7.7.1.4) from any neutron flux intermediate or power range channel will block rod withdrawal. The setpoints for these rod stops are below the reactor trip points. The intermediate range rod stop (C-1) is blocked as a part of a controlled startup.

7.2.2.3.2 Coolant Temperature

The accuracy of the narrow range resistance temperature detector (RTD) temperature measurements is demonstrated during plant startup tests by comparing temperature measurements from these RTDs with one another as well as with the temperature measurements obtained from the wide range RTDs. The comparisons are done with the reactor coolant system in an isothermal condition. The linearity of the ΔT measurements

during plant startup tests. The absolute value of ΔT versus plant power is not important, per se, as far as reactor protection is concerned. Reactor trip system setpoints are based upon percentages of the indicated ΔT at nominal full power rather than on absolute values of ΔT. This is done to account for loop differences which are inherent.

The percent ΔT scheme is relative, not absolute, and therefore provides better protective action without the requirement of absolute accuracy. For this reason, the linearity of the ΔT signals as a function of power is of importance rather than the absolute values of the ΔT. As part of the plant startup tests, the RTD signals will be compared with the core exit thermocouple signals.

Reactor control is based upon signals derived from protection system channels after isolation by isolation amplifiers such that no feedback effect can perturb the protection channels. Since control is based on the average temperature of the loop with the highest temperature, the control rods are always moved based upon the most pessimistic temperature measurement with respect to margins to DNB. A spurious low average temperature measurement from any loop temperature control channel will cause no control action. A spurious high average temperature measurement will cause rod insertion (safe direction) when operating in the automatic rod control mode.

Tavg and ΔT channel deviation signals in the control system will give an alarm if any temperature channel deviates significantly from the auctioneered (highest) value. Rod withdrawal blocks and turbine runbacks (power demand reduction) will also occur if any two out of the four overtemperature or overpower ΔT channels indicate an adverse condition.

7.2.2.3.3 Pressurizer Pressure

The pressurizer pressure protection channel signals are used for high and low pressure protection and as inputs to the overtemperature ΔT trip protection function. Isolated output signals from these channels are used for pressure control. These are used to control pressurizer spray and heaters. Safety-related automatic actuation signals are also used to actuate the power-operated relief valves. Pressurizer pressure is sensed by fast response pressure transmitters.

A spurious high pressure signal from one channel can cause decreasing pressure by actuation of either spray or relief valves. Additional redundancy is provided in the low pressurizer pressure reactor trip and in the logic for safety injection to ensure low pressure protection.

Overpressure protection is based upon the positive surge of the reactor coolant produced as a result of turbine trip under full load, assuming that the core continues to produce full power. The self-actuated safety valves, with a nominal set pressure of 2460 psig, are sized on the basis of steam flow from the pressurizer to accommodate this surge at a pressure of 2,500 psia and an accumulation of 3 percent. No credit is taken for the relief capability provided by the power-operated relief valves during this surge.

achievable with heaters is slow, and ample time and pressure alarms are available to alert the operator of the need for appropriate action.

Redundancy is not compromised by having a shared tap (see Section 7.2.1.1.2) since the logic for this trip is two out of four. If the shared tap is plugged, the affected channels remain static. If the impulse line bursts, the indicated pressure will drop to zero. In either case, the fault is easily detectable, and the protective function remains operable.

7.2.2.3.4 Pressurizer Water Level

Three pressurizer water level channels are used for reactor trip. Isolated signals from these channels are used for pressurizer water level control. A failure in the level control system could fill or empty the pressurizer at a slow rate (on the order of half an hour or more).

The high water level trip setpoint provides sufficient margin so that the undesirable condition of discharging liquid coolant through the safety valves is avoided. Even at full power conditions, which would produce the worst thermal expansion rates, a failure of the water level control would not lead to any liquid discharge through the safety valves.

This is due to the automatic high pressurizer pressure reactor trip actuating at a pressure sufficiently below the safety valve setpoint.

For control failures which tend to empty the pressurizer, two-out-of-four logic for safety injection action on low pressure ensures that the protection system can withstand an independent failure in another channel. In addition, ample time and alarms exist to alert the operator of the need for appropriate action.

7.2.2.3.5 Steam Generator Water Level

The basic function of the reactor protection circuits associated with low-low steam generator water level is to preserve the steam generator heat sink for removal of long term residual heat. Should a complete loss of feedwater occur, the reactor would be tripped on low-low steam generator water level. In addition, redundant auxiliary feedwater pumps are provided to supply feedwater to maintain residual heat removal capability after trip. This reactor trip acts before the steam generators are dry. This reduces the required capacity, increases the time interval before auxiliary feedwater pumps are required, and minimizes the thermal transient on the reactor coolant system and steam generators.

Therefore, a low-low steam generator water level reactor trip circuit is provided for each steam generator to ensure that sufficient initial thermal capacity is available in the steam generator at the start of the transient. Of the two available low-low level setpoints, one corresponding to an adverse and one, a normal containment environment, the Environmental Allowance Modifier (EAM) enables the appropriate setpoint. This trip is

generator water level trip logic ensures a reactor trip, if needed, even with an independent failure in another channel used for control and when degraded by an additional second postulated random failure.

A spurious low flow signal from the two feedwater flow channels, which are averaged, would cause an increase in feedwater flow. A spurious low feedwater flow signal would indicate a steam flow/feed flow mismatch and create an error signal causing the feedwater control system to compensate for what is perceived to be insufficient feedwater flow. In addition, a spurious high steam flow signal from the two steam flow channels, which are averaged, would also indicate a steam flow/feed flow mismatch and create an error signal causing the feedwater control system to increase feedwater flow to match the perceived high steam flow demand. The mismatch between steam flow and feedwater flow produced by the spurious signal would actuate alarms to alert the operator of the situation in time for manual correction (see Figure 7.2-1, sheets 13, 14).

If the condition continues, a two-out-of-four high-high steam generator water level signal in any loop, independent of the indicated feedwater flow, will cause feedwater isolation and trip the turbine. The turbine trip will result in a subsequent reactor trip if power is above the P-9 setpoint. The high-high steam generator water level trip is an equipment protective trip preventing excessive moisture carryover which could damage the turbine blading.

In addition, the three-element feedwater controller incorporates reset action on the level error signal, such that with expected controller settings a rapid increase or decrease in the flow signal would cause only a small change in level before the controller would compensate for the level error. A slow change in the feedwater signal would have no effect at all. A spurious low or high steam flow signal would have the same effect as high or low feedwater signal, discussed above. A spurious high steam generator water level signal from the average of two level channels will tend to close the feedwater control valve. A spurious low steam generator water level signal from the average of two level channels will tend to open the feedwater control valve. Before a reactor trip would occur, two out of four channels in a loop would have to indicate a low-low water level. Any slow drift in the water level signal will permit the operator to respond to the level alarms and take corrective action.

Automatic protection is provided in case the spurious high level reduces feedwater flow sufficiently to cause low-low level in the steam generator. Automatic protection is also provided in case the spurious low level signal increases feedwater flow sufficiently to cause high level in the steam generator. A turbine trip and feedwater isolation would occur on two-out-of-four high-high steam generator water level in any loop.

Loss of plant instrument air or loss of component cooling water is discussed in Section 7.3.8.2. Load rejection and turbine trip are discussed in further detail in Section 7.7.

The control interlocks, called rod stops, that are provided to prevent abnormal power conditions which could result from excessive control rod withdrawal are discussed in Section 7.7.1.4 and listed in Table 7.7-1. Excessively high power operation (which is prevented by blocking of manual rod withdrawal), if allowed to continue, might lead to a safety limit (as given in the Callaway Technical Specifications) being reached. Before such a limit is reached, protection will be available from the reactor trip system. At the power levels of the rod block setpoints, safety limits have not been reached; and, therefore, these rod withdrawal stops do not come under the scope of safety-related systems, and are considered as control systems.

7.2.3 TESTS AND INSPECTIONS

The reactor trip system meets the testing requirements of IEEE Standard 338-1971, as discussed in Section 7.1.2.6.2. The testability of the system is discussed in Section 7.2.2.2.3. The initial test intervals are specified in the Callaway Technical Specifications. Written test procedures and documentation, conforming to the requirement of IEEE Standard 338-1971, are available for audit by responsible personnel. Periodic testing complies with Regulatory Guide 1.22, as discussed in Sections 7.1.2.5.2 and 7.2.2.2.3.

The following exceptions are taken to the surveillance test methodology defined in Section 3.6.2 of WCAP 11883 (Reference 5) regarding the SG water level low-low trip:

1. Each level channel is tested one-at-a-time during the level channel testing with zero time delay as described in the WCAP.
2. The TTD function and timers discussed in Reference 5 are no longer applicable to Callaway.
3. Section 3.6.2.2. is titled OUTAGE TESTING. The PROM logic modules and the EAM testing described under this section may be performed on-line and not restricted to performance during outages.

7.2.4 REFERENCES

1. Reid, J. B., "Process Instrumentation for Westinghouse Nuclear Steam Supply Systems (4 Loop Plant Using WCID 7300 Series Process Instrumentation)," WCAP-7913, January 1973. (Additional background information only.)

3. Katz, D. N., "Solid State Logic Protection System Description," WCAP-7488-L (Proprietary), January, 1971 and WCAP-7672 (Non-Proprietary), June 1971. (Additional background information only.)

4. Gangloff, W. C. and Loftus, W. D., "An Evaluation of Solid State Logic Reactor Protection in Anticipated Transients," WCAP-7706-L (Proprietary) and WCAP-7706 (Non-Proprietary), July 1971.

5. Leach, C. E., Gongaware, B. L., Turley, C. R., Erin, L. E., Miranda, S., "Implementation of the Steam Generator Low-Low Level Reactor Trip Time Delay and Environmental Allowance Modifier in the Callaway Plant", WCAP-11883 (Proprietary) and WCAP-11884 (Non-Proprietary), August, 1988 submitted via ULNRC-1822 dated 8-30-88 and approved via Amendment 43 to Facility Operating License NPF-30 dated 4-14-89.

The following exceptions are taken to the surveillance test methodology defined in Section 3.6.2 of WCAP 11883:

1. Each level channel is tested one-at-a-time during the level channel testing with zero time delay as described in the WCAP.
2. The TTD function and timers discussed in Reference 5 are no longer applicable to Callaway.
3. Section 3.6.2.2 is titled OUTAGE TESTING. The PROM logic modules and the EAM testing described under this section may be performed on-line and not restricted to performance during outages.

6. Union Electric letters ULNRC-1863 dated 11-18-88, ULNRC-1884 dated 12-28-88, ULNRC-1905 dated 2-7-89, and ULNRC-1913 dated 2-15-89.

7. Callaway Replacement Steam Generator Program NSSS Engineering Report, WCAP-16140 (Proprietary), July 2004.

8. Gruber, T. J. and Harbaugh, T. D., Westinghouse SSPS Universal Logic Board Replacement Summary Report 6D30225G01/G02/G03/G04, WCAP-16769-P, Revision 2, February, 2011.

9. Harbaugh, T. D. and Hines, E. F., Westinghouse SSPS Safeguards Driver Board Replacement Summary Report 6D30252G01/G02, WCAP-16770-P, Revision 0, August, 2008.

Revision 1, April, 2011.


| Reactor Trip | Coincidence Logic | Protection Interlocks | Comments |
|---|---|---|---|
| Power range high neutron flux | 2/4 | Manual block of low setting permitted by P-10 | High and low setting; manual block and automatic reset of low setting by P-10 |
| Intermediate range high neutron flux | 1/2 | Manual block permitted by P-10 | Manual block and automatic reset by P-10 |
| Source range high neutron flux | 1/2 | Manual block permitted by P-6; interlocked with P-10 | Manual block and automatic reset by P-6; automatic block above P-10 |
| Power range high positive neutron flux rate | 2/4 | No interlocks | - |
| Deleted | - | - | |
| Overtemperature ΔT | 2/4 | No interlocks | - |
| Overpower ΔT | 2/4 | No interlocks | - |
| Pressurizer low pressure | 2/4 | Interlocked with P-7 | Automatic block below P-7 |
| Pressurizer high pressure | 2/4 | No interlocks | - |
| Pressurizer high water level | 2/3 | Interlocked with P-7 | Automatic block below P-7 |
| Low reactor coolant flow | 2/3 low flow in any loop | Interlocked with P-7 and P-8 | Low flow in one loop will cause a reactor trip when above P-8, and a low flow in two loops will cause a reactor trip when above P-7 and below P-8; automatic block below P-7 |
| | 1/4 loops | Interlocked with P-8 | Automatic block below P-8 |
| | 2/4 loops | Interlocked with P-7 | Automatic block below P-7 |
| Reactor coolant pump undervoltage | 1/2 in both busses | Interlocked with P-7 | Low voltage on all busses permitted below P-7 (automatic block below P-7) |
| Reactor coolant pump underfrequency | 1/2 in both busses | Interlocked with P-7 | Underfrequency on one motor in both busses will trip all reactor coolant pump breakers and cause reactor trip; reactor trip automatically blocked below P-7 |
| Low-low steam generator water level | 2/4 in any loop | No interlocks | Two level setpoints corresponding to normal and adverse containment environments. |
| Safety injection | Coincident with actuation of safety injection | Interlocked with P-11. (If reactor coolant is less than 1970 psig, P-11 allows manual block) | See Section 7.3 for engineered safety features actuation conditions |
| Turbine (anticipatory trip) | | | |
| Low trip fluid pressure | 2/3 | Interlocked with P-9 | Automatic block below P-9 |
| Turbine stop valve close | 4/4 | Interlocked with P-9 | Automatic block below P-9 |
| Manual | 1/2 | No interlocks | - |

Rev. OL-15 5/06

Designation | Derivation | Function

I. Power Escalation Permissives
P-6 | Presence of P-6: 1/2 neutron flux (intermediate range) above setpoint | Allows manual block of source range reactor trip and de-energization of the detector high voltage
P-6 | Absence of P-6: 2/2 neutron flux (intermediate range) below setpoint | Defeats the block of source range reactor trip and restores detector high voltage
P-10 | Presence of P-10: 2/4 neutron flux (power range) above setpoint | Allows manual block of power range (low setpoint) reactor trip. Allows manual block of intermediate range reactor trip and intermediate range rod stops (C-1). Blocks source range reactor trip and de-energizes detector high voltage (back-up for P-6)
P-10 | Absence of P-10: 3/4 neutron flux (power range) below setpoint | Defeats the block of power range (low setpoint) reactor trip. Defeats the block of intermediate range reactor trip and intermediate range rod stops (C-1). Input to P-7
P-11 | Presence of P-11: 2/3 pressurizer pressure below setpoint | Allows manual block of safety injection actuation on low pressurizer pressure signal
P-11 | Absence of P-11: 2/3 pressurizer pressure above setpoint | Defeats manual block of safety injection actuation. Opens all accumulator isolation valves

II. Blocks of Reactor Trips
P-7 | Absence of P-7: 3/4 neutron flux (power range) below setpoint (absence of P-10); 2/2 turbine impulse chamber pressure below setpoint (absence of P-13) | Blocks reactor trip on low reactor coolant flow in more than one loop, undervoltage, and underfrequency, pressurizer low pressure, and pressurizer high level
P-8 | Absence of P-8: 3/4 neutron flux (power range) below setpoint | Blocks reactor trip on low reactor coolant flow in a single loop
P-9 | Absence of P-9: 3/4 neutron flux (power range) below setpoint | Blocks reactor trip on turbine trip
P-13 | Absence of P-13: 2/2 turbine impulse chamber pressure below setpoint | Input to P-7

Rev. OL-13 5/03
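The coincidence and permissive rules in the two tables above can be checked mechanically, which is useful when reviewing which trips are blocked in a given plant state. The Python model below is an added example, not code from the FSAR or from the plant's protection system. It takes per-channel bistable states as inputs because the tables give no setpoint values; the function names, the treatment of P-8 and P-13 presence as the complement of the tabulated absence condition, and the reading of the two P-7 conditions as a logical AND are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


def coincidence(states: Sequence[bool], m: int) -> bool:
    """m-out-of-n vote: True when at least m of the channel bistables are True."""
    return sum(1 for s in states if s) >= m


@dataclass(frozen=True)
class Permissives:
    p7: bool
    p8: bool
    p10: bool
    p13: bool


def derive_permissives(pr_above_p10: Sequence[bool],
                       pr_above_p8: Sequence[bool],
                       turbine_above_p13: Sequence[bool]) -> Permissives:
    """Derive permissive states from bistable states (True = above setpoint)."""
    if len(pr_above_p10) != 4 or len(pr_above_p8) != 4 or len(turbine_above_p13) != 2:
        raise ValueError("expected 4 power range and 2 turbine impulse pressure channels")
    # Table: P-10 is present on 2/4 above setpoint and absent on 3/4 below.
    # With four channels these two statements are complementary.
    p10 = coincidence(pr_above_p10, 2)
    # The table gives only the absence conditions for P-8 (3/4 below) and
    # P-13 (2/2 below); presence is taken as the complement (assumption).
    p8 = not coincidence([not s for s in pr_above_p8], 3)
    p13 = not coincidence([not s for s in turbine_above_p13], 2)
    # Table: P-7 is absent when P-10 and P-13 are both absent (read as AND).
    p7 = p10 or p13
    return Permissives(p7=p7, p8=p8, p10=p10, p13=p13)


def low_flow_trip(loop_flow_low: Sequence[Sequence[bool]],
                  perm: Permissives) -> Optional[str]:
    """Return the reason for a low reactor coolant flow trip, or None.

    loop_flow_low[i] holds the three flow bistables of loop i (True = low flow).
    """
    loops_low = [coincidence(channels, 2) for channels in loop_flow_low]  # 2/3 per loop
    n_low = sum(loops_low)
    if n_low >= 1 and perm.p8:      # 1/4 loops, automatically blocked below P-8
        return "low flow in 1/4 loops above P-8"
    if n_low >= 2 and perm.p7:      # 2/4 loops, automatically blocked below P-7
        return "low flow in 2/4 loops above P-7"
    return None


# Constructed bistable patterns for the sample cases below.
ALL4 = [True] * 4
NONE4 = [False] * 4
OK = [False, False, False]       # no flow channel tripped
LOW = [True, True, False]        # 2/3 flow channels tripped
ONE_FAILED = [True, False, False]  # a single channel failed low


def constructed_cases() -> List[Tuple[str, Optional[str]]]:
    """Evaluate a few constructed plant states against the tabulated logic."""
    full = derive_permissives(ALL4, ALL4, [True, True])
    mid = derive_permissives(ALL4, NONE4, [True, True])        # above P-7, below P-8
    startup = derive_permissives([True, False, False, False], NONE4, [False, False])
    return [
        ("full power, one loop low", low_flow_trip([LOW, OK, OK, OK], full)),
        ("full power, one failed flow channel",
         low_flow_trip([ONE_FAILED, OK, OK, OK], full)),
        ("between P-7 and P-8, one loop low", low_flow_trip([LOW, OK, OK, OK], mid)),
        ("between P-7 and P-8, two loops low", low_flow_trip([LOW, LOW, OK, OK], mid)),
        ("below P-7, all loops low", low_flow_trip([LOW] * 4, startup)),
    ]


if __name__ == "__main__":
    for name, reason in constructed_cases():
        print(f"{name:40s} -> {reason or 'no trip'}")
```

The single failed flow channel does not trip the reactor, and the same loss of flow that trips at full power is blocked once both P-10 and P-13 are absent.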

Reactor Trip Signal | Typical Range | Typical Trip Accuracy | Typical Time Response (sec)*
Power range high neutron flux | 1 to 120% of full power** | +/-1% of full power | 0.2
Intermediate range high neutron flux | 8 decades of neutron flux overlapping source range by 2 decades and including 150% full power (10^-11 to 10^-3 amperes) | +/- 5% of full scale; +/- 1% of full scale from 10% to 50% of full power | 0.2
Source range high neutron flux | 6 decades of neutron flux (1 to 10^6 counts/sec) | +/- 5% of full scale | 0.65
Power range high positive neutron flux rate | +18% of full power | +/- 5% | 0.2
Deleted | - | - | -
Overtemperature ΔT | TH 530 to 650°F; TC 510 to 630°F; TAV 530 to 630°F; PPRZR 1,700 to 2,500 psig; ΔI (AFD) -50 to +50% power***; ΔT setpoint 0 to 150% power*** | +/- 3.2°F (+/-7.2°F for DBEs) | 4.0
Overpower ΔT | TH 530 to 650°F; TC 510 to 630°F; TAV 530 to 630°F; ΔT setpoint 0 to 150% power**** | +/- 2.7°F | 4.0
Pressurizer low pressure | 1,700 to 2,500 psig | +/- 18 psi (compensated signal) (+/- 98 psi for DBEs) | 0.6
Pressurizer high pressure | 1,700 to 2,500 psig | +/- 18 psi (noncompensated signal) (+/- 98 psi for DBEs) | 0.6
Pressurizer high water level | Entire cylindrical portion of pressurizer (distance between taps) | +/- 2.25% of span between taps at design temperature and pressure (+/- 12.25% of span for DBEs) | 1.2
Low reactor coolant flow | 0 to 120% of rated flow | +/- 2.75% of ΔP span (+/- 12.75% of span for DBEs) | 0.3
Reactor coolant pump undervoltage | 70 to 100 volts # | +/- 1% of span | 1.2
Reactor coolant pump underfrequency | 54 to 60 Hz | +/- 0.6% of span (+/- 1% of span for DBEs) | 0.3
Low-low steam generator water level | narrow range 437-587 | See Reference 7. | See Reference 7.
Turbine trip | - | 0.3 | 0.3

* The overall allowable response time for each reactor trip channel is given in Table 16.3-1. The channel response time value is the elapsed time from when the parameter being sensed by the channel reaches the safety setpoint until either the undervoltage trip coil in the reactor trip breaker is de-energized or the shunt trip coil is energized. The time until the control and shutdown rods are free to fall into the core is an additional portion of the overall response time. It includes the reactor trip breaker response time and the gripper release time.

** A recorder range of 200% of full power during overpower excursions is available if so configured.

*** Indicator range is -30% to +30% power. Signal range for use in f1(ΔI) penalty term of OTΔT equation is -40% to +40% power at full power. Recorder range is -60% to +60% power.

Function generator card scaling is based on -10V to +10V representing -75% to +75% power.

**** ΔT signal range is 0 to 100°F but does not correspond to 0-150% power. 100°F ΔT exceeds 150% power.

# Undervoltage relay span; corresponds to 8400-12000 volts on RCP motor (PA system) busses.

Rev. OL-18 12/10

Trip(a) | Accident(b) | Technical Specification(c)
Power range high neutron flux trip (low setpoint) | Uncontrolled Rod Cluster Control Assembly Bank Withdrawal From a Subcritical or Low Power Startup Condition (15.4.1) | 3.3.1, Table 3.3.1-1, Function 2.b
 | Feedwater System Malfunctions that Result in a Decrease in Feedwater Temperature (15.1.1) or an Increase in Feedwater Flow (15.1.2) |
 | Spectrum of Rod Cluster Control Assembly Ejection Accidents (15.4.8) |
Power range high neutron flux trip (high setpoint) | Uncontrolled Rod Cluster Control Assembly Bank Withdrawal From a Subcritical or Low Power Startup Condition (15.4.1) | 3.3.1, Table 3.3.1-1, Function 2.a
 | Uncontrolled Rod Cluster Control Assembly Bank Withdrawal at Power (15.4.2) |
 | Startup of an Inactive Reactor Coolant Loop at an Incorrect Temperature (15.4.4) |
 | Feedwater System Malfunctions that Result in a Decrease in Feedwater Temperature (15.1.1) or an Increase in Feedwater Flow (15.1.2) |
 | Chemical and Volume Control System Malfunction that Results in a Decrease in the Boron Concentration in the Reactor Coolant (Mode 1, 15.4.6) |
 | Excessive Increase in Secondary Steam Flow (15.1.3) |
 | Inadvertent Opening of a Steam Generator Relief or Safety Valve (15.1.4) |
 | Steam System Piping Failure (15.1.5) |
 | Spectrum of Rod Cluster Control Assembly Ejection Accidents (15.4.8) |
Intermediate range high neutron flux trip | Uncontrolled Rod Cluster Control Assembly Bank Withdrawal From a Subcritical or Low Power Startup Condition (15.4.1) | See Note d, 3.3.1, Table 3.3.1-1, Function 4
Source range high neutron flux trip | Uncontrolled Rod Cluster Control Assembly Bank Withdrawal From a Subcritical or Low Power Startup Condition (15.4.1) | See Note d, 3.3.1, Table 3.3.1-1, Function 5
 | Chemical and Volume Control System Malfunction that Results in a Decrease in the Boron Concentration in the Reactor Coolant (Mode 2, 15.4.6) |
Power range high positive neutron flux rate trip | Spectrum of Rod Cluster Control Assembly Ejection Accidents (15.4.8) | 3.3.1, Table 3.3.1-1, Function 3
 | Uncontrolled Rod Cluster Control Assembly Bank Withdrawal at Power (15.4.2) |
Deleted | - | -
Overtemperature ΔT trip | Uncontrolled Rod Cluster Control Assembly Bank Withdrawal at Power (15.4.2) | 3.3.1, Table 3.3.1-1, Function 6
 | Chemical and Volume Control System Malfunction that Results in a Decrease in the Boron Concentration in the Reactor Coolant (Mode 1, 15.4.6) |
 | Loss of External Electrical Load (15.2.2) |
 | Turbine Trip (15.2.3) |
 | Feedwater System Malfunctions that Result in a Decrease in Feedwater Temperature (15.1.1) or an Increase in Feedwater Flow (15.1.2) |
 | Excessive Increase in Secondary Steam Flow (15.1.3) |
 | Inadvertent Opening of a Pressurizer Safety or Relief Valve (15.6.1) |
 | Inadvertent Opening of a Steam Generator Relief or Safety Valve (15.1.4) |
 | Loss-of-Coolant Accidents Resulting from a Spectrum of Postulated Piping Breaks within the Reactor Coolant Pressure Boundary (15.6.5) |
 | Steam System Piping Failures (15.1.5) |
 | Feedwater System Pipe Break (15.2.8) |
 | RCCA Misoperation (Single Rod Withdrawal) (15.4.3) |
 | Steam Generator Tube Failure (15.6.3) |
 | Loss of Normal Feedwater Flow (15.2.7) |
Overpower ΔT trip | Uncontrolled Rod Cluster Control Assembly Bank Withdrawal at Power (15.4.2) | 3.3.1, Table 3.3.1-1, Function 7
 | Feedwater System Malfunctions that Result in a Decrease in Feedwater Temperature (15.1.1) or an Increase in Feedwater Flow (15.1.2) |
 | Excessive Increase in Secondary Steam Flow (15.1.3) |
 | Inadvertent Opening of a Steam Generator Relief or Safety Valve (15.1.4) |
 | Steam System Piping Failures (15.1.5) |
Pressurizer low pressure trip | Inadvertent Opening of a Pressurizer Safety or Relief Valve (15.6.1) | 3.3.1, Table 3.3.1-1, Function 8.a
 | Loss-of-Coolant Accidents Resulting from a Spectrum of Postulated Piping Breaks within the Reactor Coolant Pressure Boundary (15.6.5) |
 | Steam Generator Tube Failure (15.6.3) |
 | Inadvertent Opening of a Steam Generator Relief or Safety Valve (15.1.4) |
 | Steam System Piping Failure (15.1.5) |
 | Inadvertent Operation of the ECCS during Power Operation (15.5.1) |
Pressurizer high pressure trip | Uncontrolled Rod Cluster Control Assembly Bank Withdrawal at Power (15.4.2) | 3.3.1, Table 3.3.1-1, Function 8.b
 | Loss of External Electrical Load (15.2.2) |
 | Turbine Trip (15.2.3) |
 | Feedwater System Pipe Break (15.2.8) |
 | Reactor Coolant Pump Shaft Seizure (Locked Rotor) (15.3.3) |
Pressurizer high water level trip | Uncontrolled Rod Cluster Control Assembly Bank Withdrawal at Power (15.4.2) | 3.3.1, Table 3.3.1-1, Function 9
 | Loss of External Electrical Load (15.2.2) |
 | Turbine Trip (15.2.3) |
 | Feedwater System Pipe Break (15.2.8) |
Low reactor coolant flow | Partial Loss of Forced Reactor Coolant Flow (15.3.1) | 3.3.1, Table 3.3.1-1, Function 10
 | Loss of Non-Emergency AC Power to the Station Auxiliaries (15.2.6) |
 | Complete Loss of Forced Reactor Coolant Flow (15.3.2) |
 | Reactor Coolant Pump Shaft Seizure (Locked Rotor) (15.3.3) |
 | Startup of an Inactive Reactor Coolant Loop at an Incorrect Temperature (15.4.4) |
Reactor coolant pump under-voltage trip | Complete Loss of Forced Reactor Coolant Flow (15.3.2) | 3.3.1, Table 3.3.1-1, Function 12
Reactor coolant pump under-frequency trip | Complete Loss of Forced Reactor Coolant Flow (15.3.2) | 3.3.1, Table 3.3.1-1, Function 13
Low-low steam generator water level trip | Loss of Normal Feedwater Flow (15.2.7) | 3.3.1, Table 3.3.1-1, Function 14
 | Feedwater System Malfunction that Results in an Increase in Feedwater Flow (15.1.2) |
 | Turbine Trip (15.2.3) |
 | Loss of Non-Emergency AC Power to the Station Auxiliaries (15.2.6) |
 | Feedwater System Pipe Break (15.2.8) |
Reactor trip on turbine trip | Loss of External Electrical Load (15.2.2) | 3.3.1, Table 3.3.1-1, Function 16 (Technical Specifications include the anticipatory reactor trip on turbine trip; however, this trip function is not directly credited in any Chapter 15 analysis. See Section 15.1.2.)
 | Turbine Trip (15.2.3) |
 | Loss of Non-Emergency AC Power to the Station Auxiliaries (15.2.6) |
Safety injection signal actuation trip | Inadvertent Opening of a Steam Generator Relief or Safety Valve (15.1.4) | See Note e, 3.3.1, Table 3.3.1-1, Function 17
 | Steam System Piping Failure (15.1.5) | See Note e
 | Feedwater System Pipe Break (15.2.8) |
 | Inadvertent Operation of the ECCS during Power Operation (15.5.1) |
 | Steam Generator Tube Failure (15.6.3) |
Manual trip | Available for all Accidents (Chapter 15.0) | See Note d, 3.3.1, Table 3.3.1-1, Function 1

NOTES:

(a) Trips are listed in order of discussion in Section 7.2.

(b) References refer to accident analyses presented in Chapter 15.0.

(c) References refer to the Callaway Technical Specifications.

(d) This trip is not assumed to function in the accident.

(e) Accident assumes that the reactor is tripped at end-of-life, which is the worst initial condition for this case.

(f) Trip functions available for a given accident. See Table 15.0-6 and the Chapter 15 text for the specific trip function credited in the analysis of record.

The engineered safety feature actuation systems (ESFAS) are comprised of the instrumentation and controls to sense accident situations and initiate the operation of necessary engineered safety features. The occurrence of a limiting fault, such as a loss-of-coolant accident (LOCA) or a steam line break, requires a reactor trip plus actuation of one or more of the engineered safety features in order to prevent or mitigate damage to the core and reactor coolant system components and ensure containment integrity.

In order to accomplish these design objectives, the engineered safety feature systems (ESFS) have proper and timely initiating signals which are supplied by the sensors, transmitters, and logic components making up the various instrumentation channels of the ESFAS.

The piping and instrumentation diagrams for the ESFS are included as figures in those sections of this FSAR where the mechanical systems are described. The location and layout drawings are referenced in Section 1.2. The electrical schematic diagrams and control logic diagrams are referenced in Section 1.7. The engineered safety feature actuation logic diagrams are included as figures in this section, and are referenced in the appropriate ESF discussions below.

The auxiliary supporting ESFS function is described in Chapters 8.0, 9.0, and 10.0.

Their controls function to support the primary ESF system is described in the support section. For each primary ESF system, a list of these auxiliary supporting engineered safety feature systems is provided in Table 7.3-12.

7.3.1 CONTAINMENT COMBUSTIBLE GAS CONTROL SYSTEM

7.3.1.1 Description

The concentration of hydrogen in the containment atmosphere is monitored by the system described in Section 6.2.5. The containment combustible gas control equipment (described briefly below and more completely in Section 6.2.5) maintains this hydrogen concentration below the minimum concentration capable of combustion. The emergency exhaust fans are described in Section 9.4.2.

7.3.1.1.1 System Description

a. Initiating circuits The containment combustible gas control equipment is operated manually from control switches located in the main control room. It is not necessary for either recombiner or purge equipment to be initiated automatically because it would take approximately 5.1 days for the H2 concentration to reach the control limit of 3 percent H2 by volume with no H2 recombiners in

7.3-1 Rev. OL-22 11/16

b. Logic The combustible gas control system is manually controlled, as shown by the drawings referenced in Section 1.7.
c. Bypass Indication of system bypass is provided as described in Section 7.5.2.2.

The CIS isolates the H2 sampling and purge lines which can manually be reopened when necessary.

d. Interlocks There are no interlocks on these controls.
e. Sequencing On loss of offsite power coincident with SIS, the fans (which are MCC loads) are picked up as soon as the diesel generator output breaker is closed onto the bus.
f. Redundancy Controls are provided on a one-to-one basis with the mechanical equipment so that the controls preserve the redundancy of the mechanical equipment.
g. Diversity Diversity of control is provided in that the combustible gas control equipment may be controlled from local controls at motor control centers, as well as from the main control room panels.
h. Actuated devices Table 7.3-1 lists the actuated devices.
i. Supporting systems The supporting systems required for these controls are the Class 1E ac system (described in Section 8.3) and the containment atmosphere monitoring system (described in Section 6.2.5).

Design bases for the containment combustible gas control system are that operation will be controlled manually from the main control room and that no single failure shall prevent the containment combustible gas control system from functioning. In addition, the following conditions are considered for the control system components:

a. Range of transient and steady state conditions and circumstances The electrical power supply characteristics for the controls on this system are as described in Section 8.3. The range of possible environmental conditions for these controls is as described in Section 3.11(B).
b. Malfunctions, accidents, or other unusual events Fire Fire protection is discussed in Section 9.5.1.

Missile Missile protection is discussed in Section 3.5.

Earthquake Earthquake protection is discussed in Sections 3.7(B) and 3.7(N).

7.3.1.1.3 Drawings

There is no automatic actuation signal for this system, although the equipment controls include interfaces with sensors and with other devices. However, at the device level, the mixing fans automatically start, and the H2 sampling system isolation valves automatically close, on receipt of CIS. References to the drawings associated with this system are provided as described in the introductory material for this section.

The final control logic diagrams for the individual devices are referenced in FSAR Section 1.7. These compare with the PSAR as follows:

a. Recombiner and emergency exhaust fan controls
1. Recombiners: no functional change, added fault protection.
2. Emergency exhaust fans. (See Section 7.3.3.1.3.)
b. Mixing fan controls Functionally the hydrogen mixing fans operate as shown in the diagrams referenced in Section 1.7. Details of motor overload protection have been added since the PSAR. The control switch maintains contact in slow and fast and has momentary contact for stop. The hydrogen mixing fans are loaded onto the diesel generators as soon as the diesels are able to accept

fans.

The electrical schematic diagrams in Chapter 8.0 are in accordance with the control logic diagrams.

7.3.1.2 Analysis

a. Conformance to NRC general design criteria The applicable criteria are listed in Table 7.1-2. No deviations or exceptions to those criteria are taken (see Section 3.1).
b. Conformance to Regulatory Guide 1.7 is described in Section 6.2.5.
c. Conformance to IEEE Standard 279-1971 The design of the control system is based on the applicable requirements of IEEE Standard 279-1971, as follows:
1. General Functional Requirement - Paragraph 4.1 The H2 mixing fans are able to function automatically and reliably over the full range of transients for all plant conditions for which credit was taken in the analyses. The rest of the system functions for all of these plant conditions when manually initiated. The system response time and accuracy are as required in the accident analyses. The H2 sampling line is manually actuated.
2. Single Failure Criterion - Paragraph 4.2 Through use of redundant, independent systems, as previously described, any single failure or multiple failures resulting from a single credible event will not prevent the system from performing its intended function, when required.
3. Quality of Components and Modules - Paragraph 4.3 Components and modules used in the construction of the system exhibit a quality consistent with the nuclear power plant design life objective, require minimum maintenance, and have low failure rates.

The program for quality assurance is described in Chapter 17.0.

The system is qualified to perform its intended functions under the environmental conditions specified in Sections 3.10(B) and (N) and 3.11(B) and (N).

5. Channel Integrity - Paragraph 4.5 All channels will maintain functional capability under all conditions described in Section 7.3.1.1.2.
6. Channel Independence - Paragraph 4.6 Discussions of the means used to ensure channel independence are given in Sections 7.1.2.2 and 8.3.1.4.
7. Control and Protection System Interaction - Paragraph 4.7 No credible failure at the output of an isolation device will prevent the associated channel from performing its intended function. No single random failure in one channel will prevent the other channel from performing the intended function.
8. Derivation of System Outputs - Paragraph 4.8 To the extent feasible, the system inputs are from direct measurement of the desired variable.
9. Capability for Sensor Checks - Paragraph 4.9 Sufficient means have been provided to check the operational availability of the system.
10. Testing and Calibration - Paragraph 4.10 The control system has the capability of testing the devices used to derive the final system output.
11. Channel Bypass or Removal from Operation - Paragraph 4.11 Testing of one channel can be accomplished during reactor operation without initiating a protective action at the system level.

There are no permissive conditions on bypasses. Bypass of one channel will not bypass the other channel. Bypass of one system will not bypass any other system.

13. Indication of Bypass - Paragraph 4.13 If the protective action of any part of the system has been bypassed or deliberately rendered inoperative, the fact will be continuously indicated in the control room, as described in Section 7.5.
14. Access to Means for Bypassing - Paragraph 4.14 Appropriate administrative controls will be applied to ensure that access to the means for manually bypassing the system is adequately protected.
15. Multiple Set Points - Paragraph 4.15 The system is designed so that there are no multiple setpoints.
16. Completion of Protective Action Once It is Initiated - Paragraph 4.16 The system is designed so that once protective action is initiated, it is carried through to completion.
17. Manual Initiation - Paragraph 4.17 Manual initiation of each function is provided in the control system with a minimum of equipment, by direct control of motor control centers and solenoid valves from panel-mounted control switches.

System level actuation of the safety function is not provided since the time required for operation of these functions allows the station operator to take individual action for each controlled device.

18. Access to Set Point Adjustments, Calibration and Test Points - Paragraph 4.18 Appropriate administrative controls will be applied to ensure that access to the means for adjusting, calibrating, and testing the system is adequately protected.

System protective actions are described and identified down to the channel level.

20. Information Readout - Paragraph 4.20 Sufficient information is provided to allow the station operator to make a prompt decision regarding the system operating requirements. The indications required for these decisions are provided by supporting systems, as listed in the system description discussed in Section 7.3.1.1.1.i.
21. System Repair - Paragraph 4.21 The system is designed to facilitate the recognition, location, replacement, repair, and adjustment of malfunctioning components or modules.
22. Identification - Paragraph 4.22 Protection system components are identified, as described in Section 7.1.2.3.
d. Conformance to NRC regulatory guides The applicability of regulatory guides is as shown in Table 7.1-2.

References to the discussions of these regulatory guides are presented in Section 7.1.2.5.1.

e. Failure modes and effects analysis See Table 7.3-2.
f. Periodic testing Periodic testing of the mechanical equipment associated with this system is discussed in Section 6.2.5. There is no automatic actuation equipment for the entire system, but there is automatic device actuation, as described in Section 7.3.1.1.3. Provisions for periodic testing of the containment isolation valves are discussed in Chapter 16, Table 16.6-1 and the Callaway Technical Specifications.

7.3.2.1 Description

The containment purge isolation system detects any abnormal amount of radioactivity in the containment purge effluent, and initiates appropriate action to ensure that any release of radioactivity to the environs is controlled. The containment purge systems are also isolated by CIS.

7.3.2.1.1 System Description

a. Initiating circuits Redundant and independent gaseous radiation monitors measure the radioactivity levels of the containment purge effluent. These monitors provide trip signals to bistable units in the ESF actuation system. The bistables generate redundant trip signals, and transmit them to the automatic actuation logic. Since the dampers also close on CIS, the initiating logic for CIS shown in Figure 7.2-1 (Sheet 8) is also applicable.

These monitors are only required for automatic containment purge isolation in MODES 1 through 4. For plant conditions during CORE ALTERATIONS and during movement of irradiated fuel within containment, the function of the monitors is to alarm only and the trip signals for automatic actuation of CPIS may be bypassed. One instrumentation channel at a minimum is required for the alarm only function during refueling activities.

b. Logic A logic diagram for the ESF actuation system is provided as Figure 7.3-1.

This diagram shows only the actuation systems; it does not detail the bypass, bypass interlock, or test provisions. The logic for the containment purge isolation actuation subsystem is included in this figure.

The ESFAS hardware consists of solid-state bistables and logic elements, with electromechanical relays as the final output devices. The output relays are all energize-to-actuate, with contact operation as required for each actuated device.

The ESFAS is divided into three input-logic-output channels. These channels all meet the independence and separation criteria, as described elsewhere in this chapter. The logic channels are uniquely associated with the output channels. The input signals from all three input channels are isolated as necessary, and the isolated signals are transmitted to the logic channels as shown in Figure 7.3-1.

are included to provide isolated analog signals to the BOP computer.

Adequate physical separation or barriers are provided between differing separation groups, and wiring is routed in separated wireways, where appropriate. The wiring is color-coded with regard to separation group.

The digital signal isolation modules utilize optical isolators with appropriate signal and power conditioning circuits. The output circuits are powered by the devices receiving signals from the isolation modules, so no power isolation is required. There are no connections between the input and output circuits, except for the optical coupling in the isolation devices.

The analog signal isolation modules utilize transformers as the isolation devices. The analog input signals and the input power are converted to pulse trains and applied to the primary windings, and then they are reconstructed by circuits connected to the transformer secondaries. There are no connections between the input and output circuits, except for the magnetic coupling in the transformers.

Both the analog and the digital signal isolation modules are tested to ensure a minimum isolation potential of 1,500 Vac rms between the input terminals and the output terminals (all input terminals shorted together and all output terminals shorted together), and between the terminals and ground (all terminals shorted together). The 1,500 Vac rms test voltage was applied for at least 60 seconds for each test.

Once generated, any actuation signal remains present until it is manually reset. Each bistable automatically resets when its input signal returns to the "safe" side of the setpoint-deadband region.

An automatic test system is provided. The system periodically checks the operability of the channel, and alerts the plant operator, via the annunciator and BOP computer alarms, if a fault is detected. Provision is also included for manual testing. These test provisions do not compromise the integrity of any channel. They are isolated and will not propagate any fault, and the automatic test function is overridden by any actuation input. Bistable bypass switches are provided to permit the testing of bistables. The switches are key-locked, and the key cannot be removed from the lock unless the switch is in the "OPERATE" position. Visual indication of any bypass of any bistables is provided at the ESFAS cabinets; channel-level bypass indication is provided on the main control board.

c. Bypass

ALTERATIONS and during movement of irradiated fuel in containment.

d. Interlocks There are no interlocks on these controls.
e. Sequencing There is no automatic sequencing of operation. The system is permanently connected to the diesel bus and is energized as soon as the diesel output breaker closes.
f. Redundancy Controls are provided on a one-to-one basis with the mechanical equipment so that the controls preserve the redundancy of the mechanical equipment. As discussed in Section 7.3.2.1.1.a, this feature has relaxed requirements during CORE ALTERATIONS and during movement of irradiated fuel in containment.
g. Diversity Diversity of sensing is provided in that containment purge isolation can be actuated by the containment purge gaseous radioactivity monitors, and by the CIS.
h. Actuated devices Table 7.3-3 lists the actuated devices.
i. Supporting systems Supporting systems for the containment purge isolation are the four 125-V dc power supplies discussed in Section 8.3 and the instrument air system described in Section 9.3.1. The isolation function is fail-safe with respect to all of these support systems, that is to say, loss of these support systems will not prevent isolation.
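The channel behaviour described under item b (Logic) above, together with the alarm-only bypass from item a, can be traced with a small model. This Python sketch is an added example, not the ESFAS design or any vendor code; the class names, the setpoint and deadband values, the refusal of a manual reset while a demand is still present, and the choice to leave the CIS input unaffected by the monitor bypass are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Bistable:
    """High-trip bistable with a deadband below the setpoint."""
    setpoint: float
    deadband: float
    tripped: bool = False
    bypassed: bool = False      # bypass switch taken out of "OPERATE"

    def update(self, value: float) -> None:
        if value >= self.setpoint:
            self.tripped = True
        elif value < self.setpoint - self.deadband:
            self.tripped = False        # automatic reset on the "safe" side
        # inside the setpoint-deadband region the previous state is held

    @property
    def alarm(self) -> bool:
        return self.tripped             # alarm function survives a bypass

    @property
    def trip_output(self) -> bool:
        return self.tripped and not self.bypassed


@dataclass
class ActuationChannel:
    """One logic/output channel: monitor bistable OR CIS drives a latched output."""
    monitor: Bistable
    actuated: bool = False      # logic memory at the final actuation output

    def scan(self, reading: float, cis: bool = False) -> None:
        self.monitor.update(reading)
        if self.monitor.trip_output or cis:
            self.actuated = True        # stays set until manually reset

    def manual_reset(self, cis: bool = False) -> bool:
        """Clear the latch; refused while a demand is still present (assumption)."""
        if self.monitor.trip_output or cis:
            return False
        self.actuated = False
        return True

    @property
    def bypass_indicated(self) -> bool:
        return self.monitor.bypassed    # bypass is always visible to the operator


def run_scenario() -> List[Tuple[str, bool, bool, bool]]:
    """Return (event, monitor alarm, actuation latched, bypass indicated) rows.

    Readings are constructed values in arbitrary units, not plant data.
    """
    ch = ActuationChannel(Bistable(setpoint=100.0, deadband=10.0))
    trace: List[Tuple[str, bool, bool, bool]] = []

    def record(event: str) -> None:
        trace.append((event, ch.monitor.alarm, ch.actuated, ch.bypass_indicated))

    for reading in (50.0, 101.0, 95.0, 89.0):
        ch.scan(reading)
        record(f"reading {reading:g}")
    ch.manual_reset()
    record("manual reset")
    ch.monitor.bypassed = True          # alarm-only configuration
    ch.scan(150.0)
    record("bypassed, reading 150")
    ch.scan(150.0, cis=True)
    record("bypassed, CIS present")
    return trace


if __name__ == "__main__":
    for row in run_scenario():
        print(row)
```

The trace shows the two distinct memories: the bistable clears itself once the reading leaves the deadband, while the actuation output stays latched until the operator resets it.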

7.3.2.1.2 Design Bases

The design bases for the containment purge isolation system are described in Section .4.1.1 (Safety Design Bases 3 and 6) and Section 7.3.1.1.2 (as modified in Sections 7.3.2.1.1.a and 7.3.2.2).

The logic for the containment purge isolation system is shown on the engineered safety feature actuation system logic diagram, Figure 7.3-1. The differences between this logic and that provided in the PSAR are as follows:

a. Logic memories are provided at the final actuation outputs, rather than on each digital input.
b. The indications and alarms for this system have been revised.
c. Purge supply fans (shutdown and mini): Additional details on overload protection, stop on containment purge isolation signal (CPIS) (isolated) from Westinghouse-supplied ESFAS, and stop on supply air low temperature.
d. Purge exhaust fans (shutdown and mini): Additional details on overload protection, stop on CPIS, and stop on high charcoal temperature in the exhaust filter-adsorber unit.
e. The purge system containment isolation dampers operate as shown in Figure 7.3-1. The system differs from the PSAR in that the CIS is replaced by the CPIS.
f. The containment minipurge fan discharge damper opens when the fan is running and closes when the fan is stopped.

7.3.2.2 Analysis

a. Conformance to NRC general design criteria The applicable criteria are listed in Table 7.1-2. No deviations or exceptions to those criteria are taken. As discussed in Section 7.3.2.1.1.a this conformance is relaxed during CORE ALTERATIONS and during movement of irradiated fuel in containment.
b. Conformance to IEEE Standard 279-1971 The design of the control system conforms to the applicable requirements of IEEE Standard 279-1971, as listed and discussed in Section 7.3.1.2, except that the system actuation is automatic. The radiation monitor ranges and setpoints are in Table 11.5-3, Table 12.3-3, and Section 16.11.2.4. As discussed in Section 7.3.2.1.1.a this conformance is relaxed during CORE ALTERATIONS and during movement of irradiated fuel in containment.

The applicability of the regulatory guides is as shown in Table 7.1-2.

References to the discussions of these regulatory guides are presented in Section 7.1.2.5.1. As discussed in Section 7.3.2.1.1.a this conformance is relaxed during CORE ALTERATIONS and during movement of irradiated fuel in containment.

d. Failure modes and effects analysis See Table 7.3-4.
e. Periodic testing Periodic testing of the mechanical equipment associated with this system is discussed in Section 9.4. Periodic testing of the actuation system is discussed in the Callaway Technical Specifications.

.3 FUEL BUILDING VENTILATION ISOLATION

.3.1 Description

Upon detection of high radioactivity by the fuel building exhaust gaseous radioactivity monitors, the fuel building ventilation system is automatically realigned through the ESFAS to meet the following requirements:

a. Isolate normal ventilation.
b. Initiate operation of the emergency exhaust system to maintain the fuel building atmosphere at a negative pressure.
c. Reduce the flow of fuel building air to the outside atmosphere to a minimum consistent with maintaining the required building negative pressure.
d. Filter the exhaust air through HEPA and charcoal filters.

A description of the entire fuel building ventilation system is given in Section 9.4.

.3.1.1 System Description

a. Initiating circuits Two independent gaseous radioactivity monitors measure the radioactivity level in the fuel building exhaust line, and provide trip signals to bistable

The emergency exhaust system is on standby for an automatic start following receipt of a fuel building isolation signal or an SIS. The initiation of the LOCA mode of operation (SIS signal) takes precedence if both signals are received so that the emergency ventilation is directed to the auxiliary building (see Section 9.4).

b. Logic The logic for the fuel building ventilation isolation actuation system is included in Figure 7.3-1. The actuation signal is transmitted to each actuated device, and causes each device to assume its "safe" state.
c. Bypass There is no device level override on this system.
d. Interlocks There are no interlocks on these controls.
e. Sequencing There is no automatic sequencing of operation. The system is permanently connected to the diesel bus and is energized as soon as the diesel output breaker closes.
f. Redundancy Controls are provided on a one-to-one basis with the mechanical equipment so that the controls preserve the redundancy of the mechanical equipment. There are two channels of actuation initiated by redundant radioactivity monitors or redundant manual initiation switches.
g. Diversity Diversity of control is provided in that the fuel building ventilation isolation system can be actuated by either automatic signals or manual control.
h. Actuated devices Table 7.3-5 lists the actuated devices.
i. Supporting systems

and the instrument air system described in Section 9.3.1. The isolation function is fail-safe with respect to all of these support systems; that is to say, loss of these support systems will not prevent isolation.

.3.1.2 Design Bases

The design bases for the fuel building ventilation isolation system are discussed in Section 9.4.2.1.1 (Safety Design Bases 1, 3, 4, and 6).

Additionally, the design bases described in Section 7.3.1.1.2 are applicable for the control system components.

.3.1.3 Drawings

The logic diagram for the fuel building ventilation isolation actuation system is included in Figure 7.3-1. The differences between this logic and that provided in the PSAR are the same as those for the containment purge isolation system (see Section 7.3.2.1.3). In addition, actuation system reset is not provided in the fuel building.

The control logic diagrams, the electrical schematic diagrams, the piping and instrument diagrams, and the physical location drawings for this system are included in the references in the introductory material for this section.

.3.2 Analysis

a. Conformance to NRC general design criteria The applicable criteria are listed in Table 7.1-2. No deviations or exceptions to those criteria are taken.
b. Conformance to IEEE Standard 279-1971 The design of the control system conforms to the applicable requirements of IEEE Standard 279-1971, as listed and discussed in Section 7.3.1.2c, except that the system functions automatically. The radiation monitor trip setpoint is provided in the Callaway Technical Specifications.
c. Conformance to NRC regulatory guides The applicability of the regulatory guides is as shown in Table 7.1-2.

References to the discussions of conformance to these regulatory guides are presented in Section 7.1.2.5.1.

d. Failure modes and effects analysis
e. Periodic testing Periodic testing of the mechanical equipment associated with this system is discussed in Section 9.4.2. Provisions for the periodic testing of the actuation system are discussed in the Callaway Technical Specifications.

.4 CONTROL ROOM VENTILATION ISOLATION

.4.1 Description

Upon detection of high gaseous radioactivity levels, the normal supply of outside air to the control room will be terminated, as described in Section 6.4. In this event, the control room air will be recycled and filtered, and a small supply of fresh makeup air will be provided. The control room will be maintained at a set positive pressure to prevent the ingress of the local ambient atmosphere. Normal ventilation will be restored only by manual operation by the plant operator, and will be maintained only if the local ambient atmosphere poses none of the monitored hazards.

.4.1.1 System Description

a. Initiating circuits The gaseous radioactivity level of the air provided to the main control room from the local ambient atmosphere is monitored.

If acceptable levels are exceeded, trip signals from these monitors are transmitted to bistables in the ESFAS isolating the control room as described above. Monitors are also provided to measure the particulate and iodine radioactivity levels in the normal supply air.

The sensitivities and response times of these monitors are listed in Table 7.3-7.

In addition to the above, control room isolation will be initiated upon:

1. Fuel building ventilation isolation
2. Containment isolation Phase A
3. Manual initiation
4. High containment purge radioactivity level (CPIS)
b. Logic

and, subject to the provisions of bypass or override, causes each device to assume its "safe" state.

c. Bypass Manual override is available by means of pull-to-lock switches on the fans.
d. Interlocks There are no interlocks on these controls.
e. Sequencing CRVIS is sequenced to Class 1E and control room HVAC units.
f. Redundancy Controls are provided on a one-to-one basis with the mechanical equipment so that the controls preserve the redundancy of the mechanical equipment. Redundancy is provided in the gaseous radioactivity monitors, the actuation signals, and manual actuation switches.
g. Diversity Diversity of actuation is provided in that the control room ventilation system may be isolated by either an automatic system or by operator manual actuation. Diversity is provided by actuation from the gaseous radioactivity and manual switches.
h. Actuated devices Table 7.3-8 lists the actuated devices.
i. Supporting system The supporting system required for the controls is the vital Class 1E ac system described in Section 8.3.

.4.1.2 Design Bases

The design bases for the control room ventilation isolation system are that no single failure shall prevent the isolation of the control room ventilation system. The radiation monitor trip setpoint is provided in the Callaway Technical Specifications.

.4.1.3 Drawings

The logic diagram for the control room ventilation isolation actuation system is included in Figure 7.3-1. The differences between this logic and that presented in the PSAR are the same as those for the containment purge isolation system, Section 7.3.2.1.3.

Other drawings pertaining to this system are included in the references in Section 1.7.

.4.2 Analysis

a. Conformance to NRC general design criteria The applicable criteria are listed in Table 7.1-2. No deviations or exceptions to those criteria are taken.
b. Conformance to IEEE Standard 279-1971 The design of the control system conforms to the applicable requirements of IEEE Standard 279-1971, as listed and discussed in Section 7.3.1.2c, except that the system is automatically actuated. The setpoints are provided in the Callaway Technical Specifications.
c. Conformance to NRC regulatory guides The applicability of regulatory guides is as shown in Table 7.1-2.

References to the discussions of these regulatory guides are presented in Section 7.1.2.5.1.

d. Failure modes and effects analysis This analysis is given in Table 7.3-9.
e. Periodic testing Periodic testing of the mechanical equipment associated with this system is discussed in Section 9.4.1. Provisions for the periodic testing of the actuation system are discussed in the Callaway Technical Specifications.

.5.1 Description

The purpose of device level manual override is to provide the capability for manually overriding the actuation signal command when there is an operational need to do so in a post-event situation. This equipment is only included in the designs of the post-event monitoring and sampling systems to allow manual override of the containment isolation signal. When the override function has been achieved, an amber light on the main control board indicates that the device has been removed from the state initiated by the actuation signal. Operation of the control switch to the position corresponding to the actuation signal command is indicated by extinguishing the amber light indication. Logic diagrams are referenced in Section 1.7.

.5.2 Analysis

The design of the override feature is in conformance with the criteria, guides, and standards applicable to the control circuits to which it is applied. Failure modes and effects analysis are provided in Table 7.3-10.

.6 AUXILIARY FEEDWATER SUPPLY

.6.1 Description

The auxiliary feedwater system (AFS) consists of two motor-driven pumps, one steam turbine-driven pump, and piping, valves, instruments, and controls, as shown in Figure 4-9. The pumps are started automatically on receipt of signals from the actuation logic, as shown in Figure 7.3-1. All three pumps can also be started manually from control switches in the control room or at the auxiliary shutdown control panel.

The two sources of water for the AFS are the nonsafety-related condensate storage tank (CST) and the nonsafety-related hardened condensate storage tank (HCST). However, these tanks are not seismic Category I and are not credited for accident mitigation.

An automatic subsystem is provided, therefore, to monitor the water supply pressure from the CST and initiate switchover to the essential service water system should the supply from the nonsafety-related condensate storage tank be interrupted.

Each motor-driven pump feeds two steam generators through individual motor-operated control valves. AFS flow can be regulated manually from the control room or from the auxiliary shutdown control panel.

The turbine-driven pump feeds all four steam generators through individual air-operated control valves. AFS flow can be regulated manually from the control room or from the auxiliary shutdown control panel.

The AFS pump turbine is supplied with motive power from two main steam lines through normally closed, air-operated steam supply valves. A normally closed motor-operated trip and throttle valve is also provided at the inlet to the pump driver.

Control of the steam supply valves and trip and throttle valve, as well as manual speed control for the turbine-driven pump, is provided in the control room and at the auxiliary shutdown control panel.

The status of the motor-driven pumps, the turbine-driven pump, the turbine steam supply valves, and the trip and throttle valve is indicated in the control room and at the auxiliary shutdown control panel. The AFS flow to each steam generator is indicated on both the main control board and at the auxiliary shutdown control panel.

The AFS equipment is described in Section 10.4.9.

The auxiliary feedwater (AFW) system automatically supplies feedwater to the steam generators to remove decay heat from the reactor coolant system upon the loss of the normal feedwater supply. The motor-driven AFW pumps start automatically upon steam generator water level low-low in any steam generator, upon trip of both turbine-driven MFW pumps (an anticipatory start signal for which no credit is taken in any accident analysis), upon actuation of AMSAC (anticipated transient without scram mitigation system actuation circuitry), and upon actuation by the LOCA sequencer or shutdown sequencer. The turbine-driven AFW pump is automatically started by steam generator water level low-low in any two steam generators, 4.16-kV safety-related bus NB01 or NB02 undervoltage, and upon actuation of AMSAC. All three AFW trains can also be manually actuated. Initiating circuitry is described further in Section 7.3.6.1.1.a.

In addition to initiating functions described above, the auxiliary feedwater actuation signal (AFAS) closes the steam generator blowdown and sample isolation valves, when auxiliary feedwater is required by plant conditions. All remote manually operated valves in the suction from the nonsafety-related CST and in the discharge to the steam generators are normally open.

Certain actuations during Control Room evacuation in a fire event are not automatic but require recovery actions. Specific detail on Control Room fire is discussed in Section .1.

.6.1.1 System Description

a. Initiating circuits The motor-driven pumps are started on the occurrence of any one of the following signals:

2. Safeguards sequence signal (initiated by safety injection signal or loss-of-offsite-power)
3. Auxiliary feedwater actuation (AFAS-M)

AFAS-M is generated on the occurrence of any one of the following events:

1. Trip of both main feedwater pumps (Manual block of the main feed pump trip signals is provided at the main control board, and is indicated on the ESFAS status panel. This block permits startup and shutdown of the plant without automatic start of the AFPs, while allowing the AFPs to remain available to respond to a demand from any other source.)
2. 2 out of 4 low-low level signals for any one steam generator (at solid state protection system)
3. ATWS Mitigation System Actuation Circuitry (AMSAC)
4. Manual AFAS-M initiation

The turbine-driven pump is started on the occurrence of either of the following signals:

1. Manual start
2. Auxiliary feedwater actuation (AFAS-T)

AFAS-T is generated on the occurrence of any one of the following events:

1. Loss-of-offsite-power
2. Low-low level for any two steam generators (at solid state protection system)
3. ATWS Mitigation System Actuation Circuitry (AMSAC)
4. Manual AFAS-T initiation

The steam generator sample line containment isolation valves and the steam generator blowdown isolation valves are all automatically closed on the occurrence of a safety-injection signal, a loss-of-offsite-power signal, or an AFAS. The signal which causes this closure is reset automatically upon reset of the AFAS.

See Figures 7.3-1 and 7.7-16.

c. Bypass There is no device level override on this system.

Section 7.7.1.11 discusses AMSAC bypass capabilities.

d. Interlocks The auxiliary feedwater supply valves from the nonsafety-related condensate storage tank and from the ESW system are interlocked with the CST supply pressure sensors. In the presence of an auxiliary feedwater actuation signal, receipt of 2-out-of-3 low pressure signals initiates switchover to essential service water. The AMSAC is blocked when 1-out-of-2 turbine impulse chamber pressure signals correspond to less than 40% of reactor power, after a 360 sec. time delay.
e. Redundancy Sufficient actuation and control channels are provided throughout the auxiliary feedwater system to ensure the required flow to at least two steam generators in the event of a single failure.
f. Diversity The auxiliary feedwater system is diversified by utilizing a turbine-driven pump with air and dc motor-operated valves and two ac motor-driven pumps with ac motor-operated valves as described in Section 10.4.9.

Diversity in initiating signals can be seen on Figure 7.3-1.

g. Actuated devices
1. Auxiliary feedwater pump turbine steam supply valves (2)
2. Auxiliary feedwater pump trip and throttle valve (1)
3. Auxiliary feedwater flow control valves (8) (manual only)
4. Auxiliary feedwater pump electric motors (2)
5. Essential service water supply valves (4)
6. Condensate storage tank supply valves (3)
8. Steam generator blowdown sample isolation valves (8)
h. Supporting systems The Class 1E electric system is required for auxiliary feedwater control.

The pressurized gas supply required for motive force is normally supplied from the instrument air header, which is not safety related. In addition, each valve has a seismic Category I auxiliary gas supply (see Section 9.3.1).

i. Portion of system not required for safety Instrumentation provided for monitoring system performance (refer to Section 7.5.3.5) is not required for safety. The AMSAC is not required for safety.
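
The start and interlock logic listed under items a and d above can be checked as a truth-function model. The following is an added example, not part of the FSAR or of the plant's design documents. It assumes that "low-low level" for one steam generator means its 2-out-of-4 vote, that "an AFAS" means AFAS-M or AFAS-T, that AMSAC arrives as a single input after its own block logic, and that the motor-driven pump manual start comes from the description in Section .6.1, because the first item of that list is missing from this page; all field names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Dict, List


def vote(channels: List[bool], k: int) -> bool:
    """k-out-of-n coincidence: true when at least k channels are tripped."""
    return sum(bool(c) for c in channels) >= k


@dataclass
class Inputs:
    # sg_lo_lo[n] holds the four low-low level bistables of steam generator n
    sg_lo_lo: List[List[bool]] = field(
        default_factory=lambda: [[False] * 4 for _ in range(4)])
    mfp_tripped: List[bool] = field(default_factory=lambda: [False, False])
    mfp_trip_blocked: bool = False   # manual block at the main control board
    amsac: bool = False              # assumption: AMSAC output after its block
    loss_of_offsite_power: bool = False
    safety_injection: bool = False
    manual_afas_m: bool = False
    manual_afas_t: bool = False
    manual_start_mdp: bool = False   # assumption: taken from Section .6.1
    manual_start_tdp: bool = False
    # three CST supply pressure channels, True = low pressure
    cst_low_pressure: List[bool] = field(default_factory=lambda: [False] * 3)


def evaluate(i: Inputs) -> Dict[str, bool]:
    """Return the actuation outputs for one snapshot of input states."""
    # Assumption: per-generator low-low is the 2-out-of-4 vote of its channels
    sg_low = [vote(ch, 2) for ch in i.sg_lo_lo]
    both_mfp_trip = all(i.mfp_tripped) and not i.mfp_trip_blocked

    # AFAS-M: any one steam generator low-low is enough
    afas_m = both_mfp_trip or any(sg_low) or i.amsac or i.manual_afas_m
    # AFAS-T: needs low-low in any two steam generators
    afas_t = (i.loss_of_offsite_power or vote(sg_low, 2)
              or i.amsac or i.manual_afas_t)
    # Safeguards sequence signal: safety injection or loss of offsite power
    sequencer = i.safety_injection or i.loss_of_offsite_power
    afas = afas_m or afas_t  # assumption: "an AFAS" is either of the two

    return {
        "afas_m": afas_m,
        "afas_t": afas_t,
        "start_motor_driven_pumps": afas_m or sequencer or i.manual_start_mdp,
        "start_turbine_driven_pump": afas_t or i.manual_start_tdp,
        "close_sg_blowdown_and_sample": (
            afas or i.safety_injection or i.loss_of_offsite_power),
        # Interlock d: ESW switchover only with an AFAS present
        "switch_suction_to_esw": afas and vote(i.cst_low_pressure, 2),
    }


def constructed_cases() -> Dict[str, Dict[str, bool]]:
    """Constructed input snapshots (not plant data) and their outputs."""
    one_sg = [[True, True, False, False]] + [[False] * 4 for _ in range(3)]
    return {
        "one SG low-low": evaluate(Inputs(sg_lo_lo=one_sg)),
        "MFP trip, blocked": evaluate(
            Inputs(mfp_tripped=[True, True], mfp_trip_blocked=True)),
        "loss of offsite power": evaluate(Inputs(loss_of_offsite_power=True)),
        "CST low, no AFAS": evaluate(
            Inputs(cst_low_pressure=[True, True, False])),
    }


if __name__ == "__main__":
    for name, outputs in constructed_cases().items():
        active = [k for k, v in outputs.items() if v]
        print(f"{name}: {active or 'no actuation'}")
```

The model shows two properties of the listed logic: a single steam generator at low-low level starts the motor-driven pumps but not the turbine-driven pump, and low CST pressure alone does not move suction to essential service water.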

.6.1.2 Design Bases

Auxiliary feedwater is required, as described in Section 10.4.9. No single failure shall prevent this system from operating.

Additionally, Section 7.3.1.1.2 is applicable to the control system components.

The system must provide full auxiliary feedwater flow within 60 seconds of the detection of any condition requiring auxiliary feedwater. AMSAC will, in the absence of the RPS, initiate AFW flow within 90 seconds of an ATWS event.

.6.1.3 Drawings

The logic diagram for the auxiliary feedwater supply actuation system is included in Figure 7.3-1. The differences between this logic and that provided in the PSAR are the same as those discussed for the containment purge isolation system.

Other drawings pertaining to this system are included in Section 7.3 and 7.7.1.11. The logic associated with automatic switchover to the ESW has been added.

.6.2 Analysis

a. Conformance to NRC general design criteria
1. General Design Criterion 13 Instrumentation necessary to monitor station variables associated with hot shutdown is provided in the main control room and on the

the surveillance instrumentation is provided in Section 7.5.

2. General Design Criterion 19 All controls and indications required for safe shutdown of the reactor are provided in the main control room. In the event that the main control room must be evacuated, adequate controls and indications are located outside the main control room to (1) bring to and maintain the reactor in a hot standby condition and (2) provide capability to achieve cold shutdown.

The auxiliary shutdown control panel, located outside the main control room, is described in Section 7.4.3.

3. General Design Criterion 34 The auxiliary feedwater system provides an adequate supply of feedwater to the steam generators to remove reactor decay heat following reactor trip. Two steam generators with auxiliary feedwater supply are sufficient to remove reactor decay heat without exceeding design conditions of the reactor coolant system.
4. Other general design criteria The remaining applicable general design criteria are listed in Table 7.1-2 and Section 10.4.9. No exceptions are taken to those criteria.
b. Conformance to IEEE Standard 279-1971 The design of the control system conforms to the applicable requirements of IEEE Standard 279-1971, as listed and discussed in Section 7.3.1.2c, except that this system is automatically actuated. The setpoints for safety injection, steam generator water level low-low, and for pump suction transfer to ESW are provided in the Callaway Technical Specifications.

During testing of the two-out-of-three low pressure supply instrument channels, it is permitted to disconnect the instrument transmitter leads at the instrument rack to simulate the transmitter signals. This is consistent with the instrument cabinet design.

c. Conformance to NRC regulatory guides

7.1.2.5.1.

d. Failure modes and effects analysis See Table 7.3-11.
e. Periodic testing Periodic testing of the mechanical equipment associated with this system is discussed in Section 10.4.9.4. Provisions for the periodic testing of the actuation system are discussed in the Callaway Technical Specifications.

See Section 7.7.1.11 for a discussion of AMSAC testing provisions.

.7 MAIN STEAM AND FEEDWATER ISOLATION

.7.1 Description

The signals that initiate automatic closure of the main steam and feedwater isolation valves are generated in the ESFAS described in Section 7.3.8. The logic diagrams for the generation of these signals are shown in Figure 7.2-1 (Sheets 8 and 13). The remainder of this section concentrates on the non-Westinghouse portion of the main steam and feedwater isolation system (MSFIS).

The main steam and feedwater isolation valves are operated by system-medium actuators. The actuators are powered by the system-medium, which is controlled by electrically operated solenoid valves. Each main steam and feedwater isolation valve has six solenoid valves, three in each actuation train. Each actuation train is powered from a separate Class 1E electrical system and is capable of closing the valve independent of the opposite actuation train.

The non-Westinghouse MSFIS consists of two independent Class 1E actuation trains.

Within each train, three Programmable Logic Controllers (PLCs) produce a 2 out of 3 logic configuration for each actuation relay per valve. The use of the same software in the PLCs in each train can produce the possibility of a Common Mode Software Failure (CMSF). Consequently, a diverse backup means to fast close the main steam isolation valves through the use of an Emergency Override Panel and Fast Close toggle switches is included in each train to mitigate the consequences of the CMSF.

.7.1.1 System Description

a. Initiating circuits

protection system (SSPS). Manual operation is also provided.

Two manual Fast Close switches are provided for the main steam isolation valves. Each switch has the capability to actuate both actuation trains associated with all four valves. Train isolation at the switches is assured by fire retardant sleeving on the wire going to the switches and by qualification testing that was performed on the switches. This feature is provided to conserve main steam that would be lost to the condenser in the event of a single train actuation.

Two manual Fast Close switches are provided for the feedwater isolation valves. Each switch has the capability to actuate both actuation trains associated with all four valves. Train isolation at the switches is assured by fire retardant sleeving on the wire going to the switches, and by qualification testing that was performed on the switches. This feature is provided to conserve feedwater that would be lost to the condenser in the event of a single train actuation. Refer to Table 7.1-5 Position 5.

b. Logic In addition to the manual and automatic trip modes of operation, manual controls are provided for opening and closing the main steam and main feedwater isolation valves.
c. Bypass See Section 7.3.8.
d. Interlocks See Section 7.3.8.
e. Redundancy Two complete actuation trains are provided for each actuator. Each actuation train consists of three solenoid valves and is capable of closing the main steam and main feedwater isolation valve regardless of the state of the opposite actuation train.

See Section 7.3.8 for a discussion of diversity with regard to the automatic actuation signal.

g. Actuated devices The actuated devices are the main steam and feedwater isolation valves.
h. Supporting systems The system makes use of the Class 1E dc power system and of the compressed gas system (for testing only).
i. Portions of the system not required for safety For the main steam and main feedwater isolation valves, each actuation train includes provisions to Normal Close the valves, while both actuation trains are required to remotely Open the valves. This function is not required for safety. The vent lines downstream of the safety related rupture disk, which include manual isolation valves, along with the actuation position indication, are also not required for safety.

.7.1.2 Design Bases

The design bases for the main steam and feedwater isolation actuation system are provided in Section 7.3.8. The design bases for the remainder of the main steam and feedwater isolation system are that the system isolates the main steam and feedwater when required, and that no single failure can prevent any valve from performing its required function. See Section 7.3.8 for additional discussion.

In addition, Section 7.3.1.1.2 is applicable to the control system components.

.7.1.3 Drawings

See Figures 7.2-1 (Sheet 8), 7.3-2, and 7.3-3. Other drawings pertaining to this system are included in the introductory material for this section.

.7.2 Analysis

a. Conformance to NRC general design criteria See Section 7.3.8.

The design of the valve control system conforms to the applicable requirements of IEEE Standard 279-1971, as listed and discussed in Section 7.3.1.2, except that the system is automatically actuated. The setpoints are provided in the Callaway Technical Specifications.

c. Conformance to NRC regulatory guides See Section 7.3.8.
d. Failure modes and effects analysis See Table 10.3-3 and Table 10.4-7.
e. Periodic testing The valve control system includes provisions for verifying the proper operation of the electronic logic circuits. The frequency of actuation system testing is provided in the Callaway Technical Specifications. The mechanical system testing provisions are given in Technical Specification 3.7 and FSAR Sections 10.3.4 and 10.4.7.4.

Note that each valve can be closed within the appropriate time limit by either actuator side. Testing is administratively controlled to ensure that both sides of a given actuator will not be set to "TEST" mode simultaneously.

.8 NSSS ENGINEERED SAFETY FEATURE ACTUATION SYSTEM

.8.1 Description

The Westinghouse solid state protection system (SSPS) consists of two parts: the reactor trip system (RTS), which is described in Section 7.2, and the engineered safety feature actuation system (ESFAS), which is described here. The ESFAS monitors selected plant parameters and, if predetermined safety limits are exceeded, transmits signals to logic matrices sensitive to combinations indicative of primary or secondary system boundary ruptures (Condition III or IV events). When certain logic combinations occur, the system sends actuation signals to the appropriate engineered safety feature components. The ESFAS meets the requirements of GDCs 13, 20, 21, 22, 23, 24, 25, 28, 34, 35, 37, 38, 40, 41, 43, 44, 46, 54, 55, and 56.

.8.1.1 System Description

The equipment which provides the actuation functions is listed below and discussed in this section. (For additional background information, see References 1, 2, and 3.)

b. Solid state logic protection system (Ref. 2)
c. Engineered safety feature test cabinet (Ref. 3)
d. Manual actuation circuits

The ESFAS consists of two discrete portions of circuitry: 1) an analog portion consisting of three or four redundant channels per parameter or variable to monitor various plant parameters, such as the reactor coolant system and steam system pressures, temperatures and flows, and containment pressures; and 2) a digital portion consisting of redundant logic trains which receive inputs from the analog protection channels and perform the logic needed to actuate the engineered safety features. Each digital train is capable of actuating the engineered safety feature equipment required. Any single failure within the engineered safety feature actuation system does not prevent system action, when required.

The redundant concept is applied to both the analog and logic portions of the system.

Separation of redundant analog channels begins at the process sensors and is maintained in the field wiring, containment vessel penetrations, and analog protection racks terminating at the redundant safeguards logic racks. The design meets the requirements of GDCs 20, 21, 22, 23, and 24.

The variables are sensed by the analog circuitry, as discussed in Reference 1 and in Section 7.2. The outputs from the analog channels are combined into actuation logic, as shown in Figure 7.2-1 (Sheets 5, 6, 7, and 8). Tables 7.3-13 and 7.3-14 give additional information pertaining to logic and function.

Analog Circuitry

The process analog sensors and racks for the engineered safety feature actuation system are described in Reference 1. This reference discusses the parameters to be measured, including pressures, flows, tank and vessel water levels, and temperatures, as well as the measurement and signal transmission considerations. These latter considerations include the transmitters, orifices and flow elements, resistance temperature detectors, as well as automatic calculations, signal conditioning, and location and mounting of the devices.

The sensors monitoring the primary system are shown on Figure 5.1-1. The secondary system sensor locations are shown on the steam system flow diagrams given in Chapter 10.0.

Containment pressure is sensed by four physically separated differential pressure transmitters located outside of the containment (which are connected to the containment atmosphere by a filled and sealed hydraulic transmission system). The distance from

GDC-56 and Regulatory Guide 1.11. Separation is maintained for transmitters GNPT0934 and GNPT0936. However, physical separation of the impulse lines, per Reference 3, is not maintained for transmitters GNPT0935 and GNPT0937. This latter separation is not required due to the instruments not being impacted by incidents such as missiles, pipe whip, high pressure jets, or falling objects from LOCA or MSLB accidents.

Thus, no adverse impact is produced as a result of this lack of separation.

Digital Circuitry

The engineered safety feature logic racks are discussed in detail in Reference 2. The description includes the considerations and provisions for physical and electrical separation, as well as details of the circuitry. References 5, 6, and 7 provide additional discussion on the replacement logic rack circuit boards associated with active safety functions. These references also cover certain aspects of on-line test provision, provisions for test points, consideration for the instrument power source, and considerations for accomplishing physical separation. The outputs from the analog channels are combined into actuation logic, as shown on Sheets 5, 6, 7, 8, and 14 of Figure 7.2-1.

a. Initiating circuits
1. Containment pressure (see Table 7.3-14)
2. Steam line pressure (see Table 7.3-14)
3. Steam line pressure rate (see Table 7.3-14)
4. Manual (see Tables 7.3-13 and 14)

Manual actuation switches are provided on the main control board for the safety injection signal (SIS), the containment isolation signal phase-A (CIS-A), and containment isolation signal phase-B/containment spray actuation signal (CIS-B/CSAS). The switches are momentary-contact and are arranged and operate as follows:

(a) SIS: Two switches, each with two sets of contacts connected mechanically but electrically isolated. One set of contacts in each switch is wired to separation group 1, the other to separation group 4. Operation of either switch actuates both trains of the SIS. The switch wiring is in accordance with the separation requirements of IEEE 279-1971.

CIS-A.

(c) CIS-B/CSAS: Two sets of two switches each, each switch arranged and wired as described for SIS. Operation of both switches in either set activates both trains of both CIS-B and CSAS. Operation of any one switch, or of any two switches not in the same set does not actuate CIS-B/CSAS.

Manual controls in the control room are also provided to switch from the injection to the recirculation phase after a LOCA.

b. Logic
The actuation logic is shown in Figure 7.2-1 (Sheets 5, 6, 7, and 8). Tables 7.3-13 and 7.3-14 give additional information pertaining to the logic.
c. Bypass
Bypasses are designed to meet the requirements of IEEE Standard 279-1971, Sections 4.11, 4.12, 4.13, and 4.14. Bypasses are provided to permit testing of the fast-close logic circuitry. However, access to the bypass switches is administratively controlled to prevent simultaneous bypass of both actuation channels for any one valve. The bypass condition is indicated in the main control room. The P-4/Low Tavg bypass switch does not have to meet Section 4.12 of IEEE 279-1971 since this feedwater isolation circuitry does not provide a protective function.
d. Interlocks
Interlocks are also discussed in Sections 7.2, 7.6, and 7.7. The protection (P) interlocks are given on Tables 7.2-2 and 7.3-15. The safety analyses demonstrate that the protective systems ensure that the NSSS will be put into and maintained in a safe state following a Condition II, III, or IV accident commensurate with pertinent criteria in the Callaway Technical Specifications. The protective systems have been designed to meet IEEE Standard 279-1971 and are entirely redundant and separate, including all permissives and blocks. All blocks of a protective function are automatically cleared whenever the protective function is required to function in accordance with GDC-20, GDC-21, and GDC-22 and Sections 4.11, 4.12, and 4.13 of IEEE Standard 279-1971 (except as discussed under c. above). Control interlocks (C) are identified in Table 7.7-1.

Because control interlocks are not safety-related, they have not been specifically designed to meet the requirements of IEEE Protection System Standards.


e. Sequencing
The containment spray pumps start 15 seconds after a CSAS with no undervoltage condition present. With an undervoltage condition, 12 seconds must be added for diesel startup.
f. Redundancy
Redundancy for the system is provided by redundant process channels which are physically and electrically separated. Redundant train logic is also provided in the SSPS, which is physically and electrically separated.

The process signals are combined from the process control systems into the SSPS according to the prescribed logic defined in Sections 7.2 and 7.3 to produce actuation signals for RTS and ESFS operations.

g. Diversity
Functional diversity, as described in Reference 4, has been designed into the system. The extent of diverse system variables has been evaluated for postulated accidents. Generally, two or more diverse protection functions would automatically terminate an accident before unacceptable consequences could occur.
1. Regarding the engineered safety feature actuation system for a LOCA, a safety injection signal can be obtained manually or by automatic initiation from either of two diverse parameter measurements.

(a) Low pressurizer pressure.

(b) High containment pressure (Hi-1).

2. For a steam line break accident, safety injection signal actuation is provided by:

(a) Lead-lag compensated low steam line pressure.

(b) For a steam line break inside containment, high containment pressure (Hi-1) provides an additional parameter for generation of the signal.

(c) Low pressurizer pressure.


h. Actuated devices
Function Initiation
The specific functions which rely on the ESFAS for initiation are:
1. A reactor trip, provided one has not already been generated by the reactor trip system.
2. Cold leg injection isolation valves which are opened for injection of borated water by safety injection pumps into the cold legs of the reactor coolant system.
3. Charging pumps, safety injection pumps, residual heat removal pumps, and associated valving which provide emergency makeup water to the cold legs of the reactor coolant system following a LOCA.
4. Containment air recirculation fans and cooling system which serve to cool the containment and limit the potential for release of fission products from the containment by reducing the pressure following an accident.
5. Those pumps which serve as part of the heat sink for containment cooling (e.g., service water and component cooling water pumps).
6. Motor-driven auxiliary feedwater pumps.
7. Phase A containment isolation, whose function is to prevent fission product release (isolation of all lines not essential to reactor protection).
8. Steam line isolation to prevent the continuous, uncontrolled blowdown of more than one steam generator and thereby uncontrolled reactor coolant system cooldown (see Section 7.3.7).
9. Main feedwater line isolation as required to prevent or mitigate the effect of excessive cooldown.
10. Start the emergency diesels to ensure a back-up supply of power to the emergency and supporting systems components.


12. Containment spray actuation which performs the following functions:

(a) Initiates containment spray to reduce containment pressure and temperature following a loss-of-coolant or steam line break accident inside of the containment.

(b) Initiates Phase B containment isolation which isolates the containment following a LOCA, or a steam or feedwater line break within the containment to limit radioactive releases.

(Phase B isolation, together with Phase A isolation, results in isolation of all but safety injection and spray lines penetrating the containment.)

Final Actuation Circuitry
The outputs of the solid state logic protection system (the slave relays) are energized to actuate, as are most final actuators and actuated devices.

These devices are listed as follows:

1. Safety injection system pump and valve actuators. See Section 6.3 for flow diagrams and additional information.
2. CIS-A isolates all nonessential process lines on receipt of safety injection signal. CIS-B isolates the remaining process lines (which do not include safety injection lines) on receipt of a 2/4 hi-3 containment pressure signal. For further information, see Section 6.2.4.
3. Emergency fan coolers (see Section 6.2.2.2)
4. Essential service water pump and valve actuators (see Section 9.2.1.2)
5. Auxiliary feedwater pumps start (see Section 10.4.9)
6. Diesel start (see Section 8.3)
7. Feedwater isolation (see Section 10.4.7)
8. Ventilation isolation valves and damper actuator (see Section 6.4)
9. Steam line isolation valve actuators (see Section 7.3.7 and Section 10.3)

If an accident is assumed to occur coincident with a loss of offsite power, the engineered safety feature loads must be sequenced onto the diesel generators to prevent overloading them. This sequence is discussed in Section 8.3. The design meets the requirements of GDC-35.

i. Support systems
The following systems are required for support of the engineered safety features:
1. Essential service water system - heat removal (see Section 9.2.1)
2. Component cooling water system - heat removal (see Section 9.2)
3. Electrical power distribution systems (see Section 8.3)
4. Essential HVAC systems (see Section 9.4)

Table 7.3-12 provides a list of the auxiliary support ESF systems.

j. Portion of system not required for safety
The system produces annunciator, status light, and computer input signals to indicate individual channel status. The system provides signals to the reactor trip annunciators for sequence of events indication, and indicates the condition of blocks and permissives. Semiautomatic testing features are provided for on-line testing. All monitoring for the testing is at the protection system cabinets. Equipment used to accomplish these functions is isolated from the protection functions and is not required for the safety of the plant. Section 7.3.7.1.1.i discusses individual steam and feedwater isolation control switches that are not required for safety.

7.3.8.1.2 Design Bases
The functional diagrams presented in Figure 7.2-1 (Sheets 5, 6, 7, and 8) provide a graphic outline of the functional logic associated with requirements for the ESFAS.

Requirements of the ESFS are given in Chapter 6.0. The design bases information required in IEEE Standard 279-1971 is given in Sections 7.3.1.2c and 7.3.8.2b.

a. Automatic actuation requirements
The ESFAS receives input signals (information) from the reactor plant and containment and automatically provides timely and effective signals to actuate the components and subsystems comprising the ESFAS.


The ESFAS has provisions in the control room for manually initiating the functions of the engineered safety feature system.

c. Equipment protection
Equipment related to safe operation of the plant is designed, constructed, and installed to protect it from damage. This is accomplished by conformance to accepted standards, criteria, and consideration of potential environmental conditions. The criteria for equipment protection are given in Chapter 3.0. As an example, certain equipment is seismically qualified in accordance with IEEE Standard 344-1975. During construction, independence and separation is achieved, as required by IEEE Standard 279-1971, IEEE Standard 384-1974, and Regulatory Guide 1.75, either by barriers, physical separation, or demonstration test. This serves to protect against complete destruction of a system by fires, missiles, or other hazards.

7.3.8.1.2.1 Generating Station Conditions
The following is a summary of those generating station conditions requiring protective action:

a. Primary system
1. Rupture in small pipes or cracks in large pipes.
2. Rupture of a reactor coolant pipe (LOCA).
3. Steam generator tube rupture.
b. Secondary system
1. Minor secondary system pipe breaks resulting in steam release rates equivalent to a single dump, relief, or safety valve.
2. Rupture of a major steam pipe.

7.3.8.1.2.2 Generating Station Variables
The following list summarizes the generating station variables required to be monitored for the automatic initiation of safety injection during each accident identified in the preceding section. Post-accident monitoring requirements are given in Table 7.5-1.


1. Pressurizer pressure
2. Containment pressure (not required for steam generator tube rupture)
b. Secondary system accidents
1. Pressurizer pressure
2. Steam line pressures and pressure rate
3. Containment pressure

7.3.8.1.2.3 Spatially Dependent Variables
The only variable sensed by the ESFAS which has spatial dependence is reactor coolant temperature. The effect on the measurement is negated by using three hot leg sampling scoops per loop. One dual element RTD is mounted in a thermowell in each of the three sampling scoops associated with each hot leg.

The scoops extend into the flow stream at locations 120° apart in the cross sectional plane. Each scoop has five orifices which sample the hot leg flow along the leading edge of the scoop. Outlet ports are in the scoops to direct the sampled fluid past the sensing element of the RTDs. One of each of the RTD's dual elements is used while the other is an installed spare. Three readings from each hot leg are averaged to provide a hot leg reading for that loop. Therefore, the spatial dependency is compensated by both the limited mixing in the sampling scoops and, more importantly, by the electronic averaging of the three hot leg readings per loop. Cold leg stratification, and the resulting issue of spatial dependence, is not of concern due to the mixing action of the reactor coolant pumps.

7.3.8.1.2.4 Limits, Margins, and Levels
Operational limits and setpoints are discussed in Chapter 15.0 and the Callaway Technical Specifications. DNBR margin is discussed in Section 4.4.2.2.6. Setpoint margins are discussed in the setpoint calculations.

7.3.8.1.2.5 Abnormal Events
The malfunctions, accidents, or other unusual events which could physically damage protection system components or could cause environmental changes are as follows:

a. LOCA (see Section 15.6.5)
c. Earthquakes (see Chapters 2.0 and 3.0)
d. Fire (see Section 9.5.1)
e. Missiles (see Section 3.5)
f. Flood (see Chapters 2.0 and 3.0)

7.3.8.1.2.6 Minimum Performance Requirements
Minimum performance requirements are as follows:

a. System response times
The ESFAS response time is defined in the TS as the interval required for the ESF equipment to be capable of performing its safety function subsequent to the time that the appropriate variable exceeds its actuation setpoint. The ESF equipment is actuated by the output of the ESFAS, which is by the operation of the dry contacts of the slave relays (600 and 700 series relays) in the output cabinets of the solid state protection system. The response times listed below include the interval of time which will elapse between the time the parameter as sensed by the sensor exceeds the nominal trip setpoint and the time the solid state protection system slave relay dry contacts are operated. These values (as listed below) are maximum allowable values consistent with the safety analyses and the Technical Specifications and were systematically verified during plant preoperational startup tests. For the overall ESF response time, refer to Table 16.3-2. In a similar manner for the overall reactor trip system instrumentation response time, refer to Table 16.3-1. These maximum delay times include all compensation and, therefore, require that any such network be aligned and operating during verification testing.

The ESFAS is capable of having response time tests routinely performed using methods similar to those used for tests performed during the preoperational test program or following significant component changes.

Maximum allowable time delays in generating the actuation signal for loss-of-coolant protection are:

1. Pressurizer pressure: 2.0 seconds

1. Steam line pressure: 2.0 seconds
2. Steam line pressure rate: 2.0 seconds
3. High-2 containment pressure for closing main steam line isolation valves: 2.0 seconds
4. Actuation signals for auxiliary feedwater pumps: See Table 16.3-2
b. System Accuracies
Accuracies required for generating the required actuation signals for loss-of-coolant protection are:
1. Pressurizer pressure (uncompensated): See Table 7.2-3 and Section 15.0.3.2 and approved setpoint calculations.

Accuracies required in generating the required actuation signals for steam line break protection are given:

1. Steam line pressure: See CSA in Callaway Setpoint Methodology Report and approved calculations.
2. Containment pressure signal: See CSA in Callaway Setpoint Methodology Report and approved calculations.
c. Ranges of sensed variables to be accommodated until conclusion of protective action is ensured.

Ranges required in generating the required actuation signals for loss-of-coolant protection are given:

1. Pressurizer pressure: 1,700 to 2,500 psig
2. Containment pressure: 0 to 69 psig

1. Tavg: 530 to 630°F
2. Steam line pressure: 0 to 1,300 psig
3. Containment pressure: 0 to 69 psig

7.3.8.1.2.7 Bistable Trip Setpoints
There are three values applicable to engineered safety feature actuation:

a. Safety analysis limit
b. Allowable value
c. Nominal trip setpoint

The safety analysis limit is the value assumed in the accident analysis.

The nominal trip setpoint is the value set into the equipment and is obtained by adding or subtracting the channel statistical allowance to/from the safety analysis limit. The nominal trip setpoint allows for the normal expected rack drift, such that the Callaway Technical Specification allowable values will not be exceeded under normal operation.

The allowable value is in the Callaway Technical Specifications and is obtained by adding or subtracting a calculated allowance to/from the nominal trip setpoint. This calculated allowance accounts for the function-specific allowances discussed in the Bases for Technical Specifications 3.3.1 and 3.3.2.

Westinghouse setpoint studies performed for the replacement steam generators (RSGs) provide an allowance from the nominal trip setpoint to the technical specification allowable value to account only for rack calibration accuracy. The difference between the nominal trip setpoints for reactor trips and ESF actuations started by SG water level low-low, SG water level high-high, and low steamline pressure and their safety analysis limits includes the same error terms discussed in Appendix 3A, RG 1-105. The Nominal Setpoints and Allowable Values section in the Background Bases for Technical Specifications 3.3.1 and 3.3.2 discuss some differences between the pre-RSG and post-RSG setpoint methodologies, but the major difference is the tightening of the band between the NTS and the AV for the above RTS and ESFAS functions. Designers choose setpoints, such that the accuracy of the instrument is adequate to meet the assumptions of the safety analysis.

The setpoints that require trip action are given in the Callaway Technical Specifications.

Further discussion on setpoints is found in Section 7.2.2.2.1.


which is actually set into the equipment. The only requirement on the instrument's accuracy value is that over the instrument span the error must always be less than or equal to the error value assumed in the accident analysis. The instrument does not need to be the most accurate at the setpoint value as long as it meets the minimum accuracy requirement. The accident analysis accounts for the expected errors at the actual setpoint.

Range selection for the instrumentation covers the expected range of the process variable being monitored, consistent with its application. The design of the reactor protection and engineered safety features systems is such that the bistable trip setpoints do not require process transmitters to operate within 5 percent of the high and low end of their calibrated span or range. Functional requirements established for every channel in the reactor protection and engineered safety feature systems stipulate the maximum allowable errors on accuracy, linearity, and reproducibility. The protection channels have the capability for and are tested to ascertain that the characteristics throughout the entire span, in all aspects, are acceptable and meet functional requirement specifications. As a result, no protection channel operates normally within 5 percent of the limits of its specified span.

The specific functional requirements for response time, setpoint, and operating span are based on the results and evaluation of safety studies carried out using data pertinent to the plant. This establishes adequate performance requirements under both normal and faulted conditions, including consideration of process transmitter margins such that even under a highly improbable situation of full power operation at the limits of the operating map [as defined by the high and low pressure reactor trip, ΔT overpower and overtemperature trip lines (DNB protection), and the steam generator safety valve pressure setpoint] adequate instrument response is available to ensure plant safety.

7.3.8.1.3 Final System Drawings
The schematic diagram for the systems discussed in this section is listed in Section 1.7.

7.3.8.2 Analysis

a. Conformance to GDCs
Conformance to GDCs is described in Section 7.1.
b. Conformance to IEEE 279-1971
1. Single Failure Criteria

actuation system, with the following exception.

In the engineered safety feature, a loss of instrument power will call for actuation of engineered safety feature equipment controlled by the specific bistable that lost power (containment spray exempted).

The actuated equipment must have power to comply. The power supply for the protection system is discussed in Sections 7.6 and 8.3.

For containment spray, the final bistables are energized to trip to avoid spurious actuation. In addition, manual containment spray requires a simultaneous actuation of two manual controls. This is considered acceptable because spray actuation on hi-hi containment pressure signal provides automatic initiation of the system via protection channels meeting the criteria in Reference 3.

Moreover, two sets (two switches per set) of containment spray manual initiation switches are provided to meet the requirements of IEEE Standard 279-1971. Also it is possible for all engineered safety feature equipment (valves, pumps, etc.) to be individually manually actuated from the control board. Hence, a third mode of containment spray initiation is available. The design meets the requirements of GDCs 21 and 23.
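The manual switch arrangements described in item a of Section 7.3.8.1.1 (either of two switches for SIS; both switches of either of two sets for CIS-B/CSAS) can be checked against single switch faults with a short model. This is an added example, not plant logic or code from the report; the switch labels and the two fault modes (stuck closed, failed open) are assumptions made for illustration.

```python
from itertools import combinations

# Hypothetical switch labels; the report gives the arrangement, not names.
SIS_SWITCHES = ("SIS-1", "SIS-2")
CSAS_SETS = (("CS-1A", "CS-1B"), ("CS-2A", "CS-2B"))
CSAS_SWITCHES = tuple(s for pair in CSAS_SETS for s in pair)


def sis_logic(closed):
    """SIS: operation of either switch actuates."""
    return any(s in closed for s in SIS_SWITCHES)


def csas_logic(closed):
    """CIS-B/CSAS: both switches of the same set must be operated."""
    return any(all(s in closed for s in pair) for pair in CSAS_SETS)


def effective_contacts(operated, stuck_closed=(), failed_open=()):
    """Contacts actually made, given operator action and assumed faults."""
    return (set(operated) | set(stuck_closed)) - set(failed_open)


def all_subsets(switches):
    """Every possible operator action, from no switch to all switches."""
    for r in range(len(switches) + 1):
        for combo in combinations(switches, r):
            yield frozenset(combo)


def actuating_combinations(logic, switches):
    """Operator actions that actuate when no fault is present."""
    return [c for c in all_subsets(switches) if logic(c)]


def single_failure_analysis(logic, switches):
    """For each single switch fault, report:
    spurious  - actuation occurs with no operator action
    available - some operator action still actuates
    min_press - fewest switches the operator must operate to actuate
    """
    report = {}
    for sw in switches:
        for mode in ("stuck_closed", "failed_open"):
            fault = {mode: (sw,)}
            working = [c for c in all_subsets(switches)
                       if logic(effective_contacts(c, **fault))]
            report[(sw, mode)] = {
                "spurious": frozenset() in working,
                "available": bool(working),
                "min_press": min((len(c) for c in working), default=None),
            }
    return report


if __name__ == "__main__":
    for name, logic, switches in (("SIS", sis_logic, SIS_SWITCHES),
                                  ("CIS-B/CSAS", csas_logic, CSAS_SWITCHES)):
        print(name, "actuating combinations:",
              len(actuating_combinations(logic, switches)))
        for key, row in single_failure_analysis(logic, switches).items():
            print("  ", key, row)
```

In this model no single switch fault produces a spurious CIS-B/CSAS actuation or removes the manual function, whereas a single stuck-closed SIS switch actuates on its own.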

2. Equipment Qualification
Equipment qualifications are discussed in Sections 3.10(N) and 3.11(N).
3. Channel Independence
The discussion presented in Section 7.2.2.2.3 is applicable. The engineered safety feature slave relay outputs from the solid state logic protection cabinets are redundant, and the actuation signals associated with each train are energized up to and including the final actuators by the separate ac power supplied which powers the logic trains.
4. Control and Protection System Interaction
The discussions presented in Section 7.2.2.2.3 are applicable.
5. Capability for Sensor Checks and Equipment Test and Calibration

ESFAS.

The following discussions cover those areas in which the testing provisions differ from those for the reactor trip system.

Testing of ESFAS
To facilitate engineered safety feature actuation testing, four cabinets (two per train) are provided which enable operation, to the maximum practical extent, of safety feature loads on a group-by-group basis until actuation of all devices has been checked.

The testing program meets the requirements of GDCs 21, 37, 40, and 43 and Regulatory Guide 1.22, as discussed in Section 7.1.2.5.2. The tests described in item 3 above and further discussed in Section 6.3.4 meet the requirements on testing of the emergency core cooling system, as stated in GDC-37, except for the operation of those components that will cause an actual safety injection. The test, as described, demonstrates the performance of the full operational sequence that brings the system into operation, the transfer between normal and emergency power sources, and the operation of associated cooling water systems. The safety injection and residual heat removal pumps are started and operated and their performance verified in a separate test described in Section 6.3.4. When the pump tests are considered in conjunction with the emergency core cooling system test, the requirements of GDC-37 on testing of the emergency core cooling system are met as closely as possible without causing an actual safety injection.

The system design, as described in Sections 6.3 and 7.2.2.2.3 item 3 above, provides complete periodic testability during reactor operation of all logic and components associated with the emergency core cooling system. This design meets the requirements of Regulatory Guide 1.22, as discussed in the above sections. The testing capability is as follows:

(a) Prior to initial plant operations, ESFS tests are conducted.

(b) Subsequent to initial startup, ESFS tests are conducted during each regularly scheduled refueling outage.

(c) During on-line operation of the reactor, all of the engineered safety feature analog and logic circuitry can be fully tested.


actuators whose operation is not compatible with continued on-line plant operation can be checked by means of continuity testing.

(d) During normal operation, the operability of testable final actuation devices of the ESFS can be tested by manual initiation from the control room.

Performance Test Acceptability Standard for the SIS and for the Automatic Demand Signal for CSAS Generation
During reactor operation, the basis for ESFAS acceptability will be the successful completion of the overlapping tests performed on the initiating system and the engineered safety feature actuation system (see Figure 7.3-2). Checks of process indications verify operability of the sensors. Analog checks and tests verify the operability of the analog circuitry from the input of these circuits through to and including the logic input relays, except for the input relays associated with the containment spray function which are tested during the solid state logic testing. Solid state logic testing also checks the digital signal path from and including logic input relay contacts through the logic matrices and master relays and performs continuity tests on the coils of the output slave relays. Final actuator testing operates the output slave relays and verifies the operability of those devices which require safeguards actuation and which can be tested without causing plant upset. A continuity check is performed on the actuators of the untestable devices. Operation of the final devices is confirmed by control board indication and visual observation that the appropriate pump breakers close and automatic valves shall have completed their travel.

The basis for acceptability for the engineered safety feature interlocks will be control board indication of proper receipt of the signal upon introducing the required input at the appropriate setpoint.

Maintenance checks (performed during regularly scheduled refueling outages), such as resistance to ground of signal cables in radiation environments, are based on qualification test data which identifies what constitutes acceptable radiation, thermal, etc., degradation.

During reactor operation, complete system testing (excluding sensors or those devices whose operation would cause plant upset) is performed periodically, as specified in the Callaway Technical Specifications. Testing, including the sensors, is also performed during scheduled plant shutdown for refueling. See the Callaway Technical Specifications for frequency of testing.

Engineered Safety Feature Actuation Test Description
The following sections describe the testing circuitry and procedures for the on-line portion of the testing program. The guidelines used in developing the circuitry and procedures are:

(a) The test procedures must not involve the potential for damage to any plant equipment.

(b) The test procedures must minimize the potential for accidental tripping.

(c) The provisions for on-line testing must minimize complication of engineered safety feature actuation circuits so that their reliability is not degraded.

Description of Initiation Circuitry
Several systems comprise the total engineered safety feature system, the majority of which may be initiated by different process conditions and be reset independently of each other.

The remaining functions (listed in item h of Section 7.3.8.1.1) are initiated by a common signal (safety injection) which in turn may be generated by different process conditions.

In addition, operation of all other vital auxiliary support systems, such as auxiliary feedwater, component cooling, and service water, is initiated by the safety injection signal.

Each function is actuated by a logic circuit which is separated between each of the two redundant trains of the engineered safety feature initiation circuits.

The output of each of the initiation circuits consists of a master relay which drives slave relays for contact multiplication as required. The

the redundant counterparts. The master and slave relay circuits operate various pump and fan circuit breakers or starters, motor-operated valve contactors, solenoid-operated valves, emergency generator starting, etc.

Analog Testing
Analog testing is identical to that used for reactor trip circuitry and is described in Section 7.2.2.2.3.

An exception to this is containment spray, which is energized to actuate 2/4 and reverts to 2/3 when one channel is in test.
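The energize-to-trip choice for the containment spray bistables (Single Failure Criteria, above) and the 2/4 coincidence that reverts to 2/3 with one channel in test can be compared with de-energize-to-trip bistables in a small model. This is an added example, not plant logic or code from the report: the four-channel layout, the 2-of-4 coincidence assumed for the de-energize-to-trip case, and all names are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Channel:
    tripped: bool = False   # process variable is beyond the bistable setpoint
    powered: bool = True    # instrument power is available to the bistable
    in_test: bool = False   # channel is out of service for testing


def bistable_output(ch, energize_to_trip):
    """Trip demand that the coincidence logic sees from one bistable."""
    if energize_to_trip:
        # The output must be driven: without power there is no trip demand.
        return ch.powered and ch.tripped
    # De-energize-to-trip: a bistable without power looks like a trip.
    return ch.tripped or not ch.powered


def spray_actuation(channels):
    """Energized to actuate, 2/4, reverting to 2/3 with one channel in test."""
    tested = [c for c in channels if c.in_test]
    if len(channels) != 4 or len(tested) > 1:
        raise ValueError("model covers four channels, at most one in test")
    in_service = [c for c in channels if not c.in_test]
    return sum(bistable_output(c, True) for c in in_service) >= 2


def deenergize_actuation(channels, required=2):
    """Assumed 2-of-N coincidence of de-energize-to-trip bistables.

    Test status is not modelled for this case.
    """
    return sum(bistable_output(c, False) for c in channels) >= required


def make(tripped=(), unpowered=(), in_test=()):
    """Build four constructed channels (indices 0-3) with given conditions."""
    return [Channel(i in tripped, i not in unpowered, i in in_test)
            for i in range(4)]


def power_loss_comparison():
    """Map scenario -> (de-energize-to-trip result, spray result)."""
    cases = {
        "normal": make(),
        "one channel loses power": make(unpowered=(0,)),
        "two channels lose power": make(unpowered=(0, 1)),
        "two channels trip": make(tripped=(2, 3)),
        "two trip, other two unpowered": make(tripped=(2, 3),
                                              unpowered=(0, 1)),
        "two trip, one of them unpowered": make(tripped=(0, 1),
                                                unpowered=(0,)),
    }
    return {name: (deenergize_actuation(ch), spray_actuation(ch))
            for name, ch in cases.items()}


if __name__ == "__main__":
    for name, (deenergize, spray) in power_loss_comparison().items():
        print(f"{name:34s} de-energize={deenergize!s:5s} spray={spray}")
    print("one in test, two others trip:",
          spray_actuation(make(tripped=(1, 2), in_test=(0,))))
    print("tested channel and one other trip:",
          spray_actuation(make(tripped=(0, 1), in_test=(0,))))
```

The comparison shows both sides of the trade in this model: loss of power to two channels actuates the de-energize-to-trip function but not spray, while a spray channel that has lost power cannot contribute its vote.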

Solid State Logic Testing
Except for containment spray channels, solid state logic testing is the same as that discussed in Section 7.2.2.2.3. During logic testing of one train, the other train can initiate the required engineered safety feature function. For additional details, see References 2, 5, 6, and 7.

Actuator Testing
At this point, testing of the initiation circuits through operation of the master relay and its contacts to the coils of the slave relays has been accomplished. The engineered safety feature logic slave relays in the solid state protection system output cabinets are subjected to coil continuity tests by the output relay tester in the solid state protection system cabinets. Slave relays (K601, K602, etc.) do not operate because of reduced voltage applied to their coils by the mode selector switch (TEST/OPERATE). A multiple position master relay selector switch selects the master relays and corresponding slave relays to which the coil continuity test voltage is applied.

The master relay selector switch is returned to OFF before the mode selector switch is placed back in the OPERATE mode. However, failure to do so will not result in defeat of the protective function.

The engineered safety feature actuation system slave relays are activated during the testing by the on-line test cabinet, so that overlap testing is maintained.

The engineered safety feature actuation system final actuation device or actuated equipment testing is performed from the solid

test cabinets provided for each of the two protection trains, A and B.

Each set of cabinets contains individual test switches necessary to actuate the slave relays. To prevent accidental actuation, test switches are of the type that must be rotated and then depressed to operate the slave relays. Assignments of contacts of the slave relays for actuation of various final devices or actuators have been made such that groups of devices or actuated equipment can be operated individually during plant operation without causing plant upset or equipment damage. In the unlikely event that a safety injection signal is initiated during the test of the final device that is actuated by this test, the device will already be in its proper position to perform its safety function.

During this last procedure, close communication is maintained between the main control room operator and the tester at the test cabinet. Prior to the energizing of a slave relay, the operator in the main control room assures that plant conditions will permit operation of the equipment that will be actuated by the relay. After the tester has energized the slave relay, the main control room operator observes that all equipment has operated, as indicated by appropriate indicating lamps, monitor lamps, and annunciators of the control board, and records all operations. He then resets all devices and prepares for operation of the next slave relay actuated equipment.

By means of the procedure outlined above, all engineered safety feature devices actuated by engineered safety feature actuation systems initiation circuits, with the exceptions noted in Section 7.1.2.5.2 under a discussion of Regulatory Guide 1.22, are operated by the automatic circuitry.

Actuator Blocking and Continuity Test Circuits
Those few final actuation devices that cannot be designed to be actuated during plant operation (discussed in Section 7.1.2.5.2) have been assigned to slave relays for which additional test circuitry has been provided to individually block actuation of a final device upon operation of the associated slave relay during testing.

Operation of these slave relays, including contact operations, and continuity of the electrical circuits associated with the final devices control are checked in lieu of actual operation. The circuits provide for monitoring of the slave relay contacts, the devices' control circuit cabling, control voltage, and the devices' actuation solenoids.

Interlocking prevents blocking the output from more than one output

simultaneously. Therefore, the redundant device associated with the protection train not under test will be available in the event protection action is required. If an accident occurs during testing, the automatic actuation circuitry will override testing, as noted above. One exception to this is that if the accident occurs while testing a slave relay whose output must be blocked, those few final actuation devices associated with this slave relay will not be actuated; however, the redundant devices in the other train would be operational and would perform the required safety function.

Actuation devices to be blocked are identified in Section 7.1.2.5.2.

The continuity test circuits for these components that cannot be actuated on-line are verified by proving lights on the safeguards test racks.

The typical schemes for blocking operation of selected protection function actuator circuits are shown in Figure 7.3-3 as details A and B. The schemes operate as explained below and are duplicated for each safeguards train.

Detail A shows the circuit for contact closure for protection function actuation. Under normal plant operation and equipment not under test, the test lamps "DS*" for various circuits will be energized.

Typical circuit path will be through the normally closed test relay contact "K8*" and through test lamp connections 1 to 3. Coils "X1" and "X2" will be capable of being energized for protection function actuation upon closure of solid state logic output relay contacts "K*."

Coil "X1" is typical for a motor control center starter coil. "X2" is typical for a breaker closing auxiliary coil, motor starter master coil, coil of a solenoid valve, auxiliary relay, etc. When the contacts "K8*" are opened to block energizing of coil "X1" or "X2," the white lamp is deenergized, and the slave relay "K*" may be energized to perform continuity testing. The operability of the blocking relay in both blocking and restoring normal service can be verified by opening the blocking relay contact in series with lamp terminal 1, which deenergizes the test lamp, and by closing the blocking relay contact in series with lamp terminal 1, which energizes the test lamp and verifies that the circuit is now in its normal, i.e., operable condition.

Detail B shows the circuit for contact opening for protection function actuation. Under normal plant operation, and equipment not under test for 125-volt dc actuation devices, the white test lamps "DS*" for the various circuits will be energized, and green test lamp "DS*" will be deenergized. Typical circuit path for white lamp "DS*" will be

capable of being deenergized for protection function actuation upon opening of solid state logic output relay contact "K*." Coil "Y2" is typical for a solenoid valve coil, auxiliary relay, etc. When the contact "K8*" is closed to block deenergizing of coil "Y2," the green test lamp is energized, and the slave relay "K*" may be energized to verify operation (opening of its contacts). To verify operability of the blocking relay in both blocking and restoring normal service, close the blocking relay contact to the green lamp - the green test lamp should now be energized also; open this blocking relay contact - the green test lamp should be deenergized, which verifies that the circuit is now in its normal, i.e., operable position.

Time Required for Testing

It is estimated that analog testing can be performed at a rate of several channels per hour. Logic testing of both trains A and B can be performed in less than 30 minutes. Testing of actuated components (including those which can only be partially tested) will be a function of control room operator availability. It is expected to require several shifts to accomplish these tests. During this procedure, automatic actuation circuitry will override testing, except for those few devices associated with a single slave relay whose outputs must be blocked and then only while blocked. It is anticipated that continuity testing associated with a blocked slave relay could take several minutes. During this time, the redundant devices in the other train would be functional.

Summary of On-Line Testing Capabilities

The procedures described provide capability for checking completely from the process signal to the logic cabinets and from there to the individual pump and fan circuit breakers or starters, valve contactors, pilot solenoid valves, etc., including all field cabling actually used in the circuitry called upon to operate for an accident condition. For those few devices whose operation could adversely affect plant or equipment operation, the same procedure provides for checking from the process signal to the logic rack. To check the final actuation device, a continuity test of the individual control circuits is performed.

The procedures require testing at various locations.

(a) Analog testing and verification of bistable setpoint are accomplished at process analog racks. Verification of

(b) Logic testing through operation of the master relays and low voltage application to slave relays is done at the solid state protection system logic rack test panel.

(c) Testing of pumps, fans, and valves is done at the test panel located in the vicinity of the solid state protection system logic racks in combination with the control room operator.

(d) Continuity testing for those circuits that cannot be operated is done at the same test panel mentioned in item c above.

The reactor coolant pump essential service isolation valves consist of the isolation valves for the component cooling water return and the seal water return header.

The main reason for not testing these valves periodically is that the reactor coolant pumps may be damaged. Although pump damage from this type of test would not result in a situation which endangers the health and safety of the public, it could result in unnecessary shutdown of the reactor for an extended period of time while the reactor coolant pump or certain of its parts are replaced.

Testing During Shutdown

Emergency core cooling system tests will be performed periodically as stated in the Callaway Technical Specifications, with the reactor coolant system isolated from the emergency core cooling system by closing the appropriate valves. A test safety injection signal will then be applied to initiate operation of active components (pumps and valves) of the emergency core cooling system. This is in compliance with GDC-37.

Containment spray system tests will be performed at each major fuel reloading. The tests will be performed with the isolation valves in the spray supply lines at the containment blocked closed and are initiated by tripping the normal actuation instrumentation.

Periodic Maintenance Inspections

The maintenance procedures which follow will be accomplished per applicable plant procedures. The frequency will depend on the operating conditions and requirements of the reactor power plant. If any degradation of equipment operation is noted, either

performance must be achieved at all times.

Typical maintenance procedures include the following:

(a) Check cleanliness of all exterior and interior surfaces.

(b) Check all fuses for corrosion.

(c) Inspect for loose or broken control knobs and burned out indicator lamps.

(d) Inspect for moisture and condition of cables and wiring.

(e) Mechanically check all connectors and terminal boards for looseness, poor connections, or corrosion.

(f) Inspect the components of each assembly for signs of overheating or component deterioration.

(g) Perform complete system operating check.

The balance of the requirements listed in IEEE 279-1971 (Sections 4.11 through 4.22) is discussed in Section 7.2.2.2.3. Section 4.20 receives special attention in Section 7.5.

6. Manual Resets and Blocking Features

The manual reset feature associated with containment spray actuation is provided in the standard design of the Westinghouse solid state protection system for two basic purposes: first, the feature permits the operator to start an interruption procedure of automatic containment spray in the event of false initiation of an actuate signal; second, although spray system performance is automatic, the reset feature enables the operator to start a manual takeover of the system to handle unexpected events which can be better dealt with by operator appraisal of changing conditions following an accident.

Manual control of the spray system does not occur once actuation has begun by just resetting the associated logic devices alone.

Components will seal in (latch) so that removal of the actuate signal, in itself, will neither cancel nor prevent completion of protective action, nor provide the operator with manual override of the automatic system by this single action. In order to take complete

initial actuate signals in the associated motor control center, in addition to tripping the pump motor circuit breakers, if stopping the pumps is desirable or necessary.

The manual reset feature associated with containment spray, therefore, does not perform a bypass function. It is merely the first of several manual operations required to take control from the automatic system or interrupt its completion should such an action be considered necessary.

In the event that the operator anticipates system actuation and erroneously concludes that it is undesirable or unnecessary and imposes a standing reset condition in one train (by operating and holding the corresponding reset switch at the time the initiate signal is transmitted) the other train will automatically carry the protective action to completion. In the event that the reset condition is imposed simultaneously in both trains at the time the initiate signals are generated, the automatic sequential completion of system action is interrupted, and control has been taken by the operator. Manual takeover will be maintained, even though the reset switches are released, if the original initiate signal exists. Should the initiate signal then clear and return again, automatic system actuation will repeat.

Note also that any time delays imposed on the system action are to be applied after the initiating signals are latched. Delay of actuate signals for fluid systems lineup, load sequencing, etc., does not provide the operator time to interrupt automatic completion, with manual reset alone, as would be the case if time delay were imposed prior to sealing of the initial actuate signal.
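The reset and seal-in behaviour described above can be traced with a small two-train state model. This is an added illustration, not Westinghouse or plant logic: the `SprayTrain` class, its three state bits, the scenario tuples and the `device_level_takeover` step are assumptions standing in for circuitry the text describes only in outline.

```python
from dataclasses import dataclass


@dataclass
class SprayTrain:
    """One containment spray actuation train (constructed model, not plant logic)."""
    name: str
    logic_latched: bool = False      # actuate signal sealed in at the logic level
    devices_sealed_in: bool = False  # actuated components latched downstream
    demand_handled: bool = False     # this occurrence of the initiate signal was already seen

    def step(self, initiate: bool, reset_held: bool) -> None:
        """Advance one scan with the current initiate and reset switch inputs."""
        if not initiate:
            # Initiate cleared: its next appearance counts as a new demand.
            self.demand_handled = False
        elif not self.demand_handled:
            # First scan of a new initiate occurrence.
            self.demand_handled = True
            if not reset_held:
                self.logic_latched = True
                self.devices_sealed_in = True
            # With a standing reset the demand is intercepted in this train only.
        if reset_held:
            # Reset clears the logic latch; sealed-in devices are not touched.
            self.logic_latched = False

    def device_level_takeover(self) -> bool:
        """Assumed stand-in for the further manual operations after reset.

        Succeeds only once the logic latch has been reset, reflecting that
        reset is the first of several manual operations, not a bypass.
        """
        if self.logic_latched:
            return False
        self.devices_sealed_in = False
        return True


def run(scenario):
    """Apply (initiate, reset_A, reset_B) scans to two redundant trains."""
    a, b = SprayTrain("A"), SprayTrain("B")
    history = []
    for initiate, reset_a, reset_b in scenario:
        a.step(initiate, reset_a)
        b.step(initiate, reset_b)
        history.append((a.devices_sealed_in, b.devices_sealed_in))
    return a, b, history


# Constructed scenarios, one tuple per scan: (initiate, reset_A, reset_B).
RESET_AFTER_ACTUATION = [
    (True, False, False),   # initiate arrives, both trains actuate
    (False, False, False),  # initiate removed: actuation stays sealed in
    (False, True, True),    # reset alone does not release the devices
]
STANDING_RESET_ONE_TRAIN = [
    (True, True, False),    # reset held in train A when initiate arrives
    (True, False, False),   # reset released, initiate still present
]
STANDING_RESET_BOTH = [
    (True, True, True),     # reset held in both trains at initiate
    (True, False, False),   # released: manual takeover is maintained
    (False, False, False),  # initiate clears
    (True, False, False),   # initiate returns: automatic actuation repeats
]

if __name__ == "__main__":
    for label, scenario in [
        ("reset after actuation", RESET_AFTER_ACTUATION),
        ("standing reset, one train", STANDING_RESET_ONE_TRAIN),
        ("standing reset, both trains", STANDING_RESET_BOTH),
    ]:
        _, _, history = run(scenario)
        print(label, history)
```

Each history entry is the pair (train A devices sealed in, train B devices sealed in) after that scan.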

The manual block features associated with pressurizer and steam line safety injection signals provide the operator with the means to block initiation of safety injection during plant startup. These block features meet the requirements of Section 4.12 of IEEE Standard 279-1971 in that automatic removal of the block occurs when plant conditions require the protection system to be functional.

The P-4/Low Tavg bypass switch does not have to meet Section 4.12 of IEEE 279-1971 since this feedwater isolation circuitry does not provide a protective function.


There are two system level switches. Each switch actuates all four main steam line isolation and bypass valves of the system level.

Automatic initiation of switchover to recirculation with manual completion is in compliance with Section 4.17 of IEEE Standard 279-1971, with the following comment.

Manual initiation of either one of two redundant safety injection actuation main control board mounted switches provides for actuation of the components required for reactor protection and mitigation of adverse consequences of the postulated accident, including delayed actuation of sequenced started emergency electrical loads as well as components providing switchover from the safety injection mode to the cold leg recirculation mode following a loss of primary coolant accident. Therefore, once safety injection is initiated, those components of the emergency core cooling system (see Section 6.3) which are realigned as part of the semiautomatic switchover go to completion on low refueling storage tank water level without any manual action.

Manual operation of other components or manual verification of proper position as part of the emergency procedures is not precluded nor otherwise in conflict with the above-described compliance to Section 4.17 of IEEE Standard 279-1971 for the semiautomatic switchover circuits.

No exception to the requirements of IEEE Standard 279-1971 has been taken in the manual initiation circuit of safety injection.

Although Section 4.17 of IEEE Standard 279-1971 requires that a single failure within common portions of the protective system shall not defeat the protective action by manual or automatic means, the standard does not specifically preclude the sharing of initiation circuitry logic between automatic and manual functions. It is true that the manual safety injection initiation functions associated with one actuation train (e.g., train A) share portions of the automatic initiation circuitry logic of the same logic train; however, a single failure in shared functions does not defeat the protective action of the redundant actuation train (e.g., train B). A single failure in shared functions does not defeat the protective action of the safety function. It is further noted that the sharing of the logic by manual and automatic initiation is consistent with the system level action requirements of the IEEE Standard 279-1971, Section 4.17 and consistent with the minimization of complexity.


Conformance to regulatory guides and associated IEEE standards is provided in Sections 7.1.2.5 and 7.1.2.6.

d. Failure mode and effects analyses

Failure mode and effects analyses have been performed on the engineered safety feature systems' equipment, and the results are provided in Reference 3. The interface criteria provided in Appendices B and C of Reference 3 have been met in the design. A separate, yet similar, failure modes and effects analysis has been performed for the P-4/Low Tavg bypass switch with acceptable results.

The discussions presented in Section 7.2.2.1 are also applicable to the NSSS ESFAS. (See also References 4-7 in Section 7.3.9.)

In addition to the consideration given in this reference, a loss of instrument air or loss of component cooling water to vital equipment has been considered. Neither the loss of instrument air nor the loss of cooling water (assuming no other accident conditions) can cause safety limits, as given in the Callaway Technical Specifications, to be exceeded. Likewise, loss of either of the two will not adversely affect the core or the reactor coolant system nor will it prevent an orderly shutdown if this is necessary.

Furthermore, all pneumatically operated valves and controls will assume a preferred operating position upon loss of instrument air. It is also noted that, for conservatism during the accident analysis (Chapter 15.0), credit is not taken for the instrument air systems nor for any control system benefit.

The design does not provide any circuitry which will directly trip the reactor coolant pumps on a loss of component cooling water. Normally, indication in the control room is provided whenever component cooling water is lost.

The reactor coolant pumps can run 10 minutes after a loss of component cooling water. This provides adequate time for the operator to correct the problem or trip the plant, if necessary.

The initiation and operation of the auxiliary feedwater system are described in the Callaway Technical Specifications.

e. Periodic testing

Periodic testing is described in Section 7.3.8.2b. Testing frequency is provided in the Callaway Technical Specifications.


The effectiveness of the engineered safety feature actuation system is evaluated in Chapter 15.0, based on the ability of the system to contain the effects of Condition III and IV events, including loss-of-coolant and steam line break accidents. The engineered safety feature actuation system parameters are based upon the component performance specifications which are given by the manufacturer or verified by test for each component. Appropriate factors to account for uncertainties in the data are factored into the constants characterizing the system.

The ESFAS must detect Condition III and IV events and generate signals which actuate engineered safety features. The system must sense the accident condition and generate the signal actuating the protection function reliably and within a time determined by and consistent with the accident analyses in Chapter 15.0.

Much longer times are associated with the actuation of the mechanical and fluid system equipment associated with engineered safety features. This includes the time required for switching, bringing pumps and other equipment to speed, and the time required for them to take load.

Operating procedures require that the complete engineered safety feature actuation system normally be operable. However, redundancy of system components is such that the system operability assumed for the safety analyses can still be met with certain instrumentation channels out of service. Channels that are out of service are to be placed in the tripped mode or bypass mode in the case of containment spray.

.8.3.1 Loss-of-Coolant Protection

By analysis of LOCA and in system tests, it has been verified that, except for very small coolant system breaks which can be protected against by the charging pumps followed by an orderly shutdown, the effects of various LOCAs are reliably detected by the low pressurizer pressure signal; the emergency core cooling system is actuated in time to prevent or limit core damage.

For large coolant system breaks, the passive accumulators inject first, because of the rapid pressure drop. This protects the reactor during the unavoidable delay associated with actuating the active emergency core cooling system phase.

High containment pressure also actuates the emergency core cooling system.

Therefore, emergency core cooling actuation can be brought about by sensing this other direct consequence of a primary system break; that is, the engineered safety feature actuation system detects the leakage of the coolant into the containment. The generation time of the actuation signal of 2.0 seconds, after detection of the consequences of the accident, is adequate.


mitigate the effects of a LOCA.

The delay time between detection of the accident condition and the generation of the actuation signal for these systems is within the limits provided in Table 16.3-2, well within the capability of the protection system equipment. However, this time is short compared to that required for startup of the fluid systems.

The analyses in Chapter 15.0 show that the diverse methods of detecting the accident condition and the time for generation of the signals by the protection systems are adequate to provide reliable and timely protection against the effects of loss of coolant.

.8.3.2 Steam Line Break Protection

The emergency core cooling system is also actuated in order to protect against a steam line break. A response time of 2.0 seconds is assumed to elapse between sensing low steam line pressure (as well as high steam pressure rate) and generation of the actuation signal. Analysis of steam line break accidents, assuming this delay for signal generation, shows that the emergency core cooling system is actuated for a steam line break in time to limit or prevent further core damage for steam line break cases.

Additional protection against the effects of steam line break is provided by feedwater isolation which occurs upon actuation of the emergency core cooling system. Feedwater isolation is initiated in order to prevent excessive cooldown of the reactor vessel, protect the reactor coolant system boundary, and limit the containment pressure.

Additional protection against a steam line break accident is provided by closure of all steam line isolation valves in order to prevent uncontrolled blowdown of all steam generators. The generation of the protection system signal (2.0 seconds) is again short, compared to the time to trip the fast-acting steam line isolation valves. The steam line isolation valve closure time is system pressure dependent. The closure time curve for the steam line isolation valves is located in the Technical Specification Bases.

In addition to actuation of the engineered safety features, the effect of a steam line break accident also generates a signal resulting in a reactor trip on overpower or following emergency core cooling system actuation. However, the core reactivity is further reduced by the highly borated water injected by the emergency core cooling system.

The analyses in Chapter 15.0 of the steam line break accidents and an evaluation of the protection system instrumentation and channel design show that the engineered safety feature actuation systems are effective in preventing or mitigating the effects of a steam line break accident.


Reid, J. B., "Process Instrumentation for Westinghouse Nuclear Steam Supply System (4 Loop Plant Using WCID 7300 Series Process Instrumentation)," WCAP-7913, January 1973. (Additional background information only)

Katz, D. N., "Solid State Logic Protection System Description," WCAP-7488-L (Proprietary), January 1971, and WCAP-7672 (Non-Proprietary), June 1971. (Additional background information only)

Mesmeringer, J.C., "Failure Mode and Effects Analysis (FMEA) of the Engineered Safety Features Actuation System," WCAP-8584, Revision 1 (Proprietary) and WCAP-8760, Revision 1 (Non-Proprietary), February 1980.

Gangloff, W. C. and Loftus, W. D., "An Evaluation of Solid State Logic Reactor Protection in Anticipated Transients," WCAP-7706-L (Proprietary) and WCAP-7706 (Non-Proprietary), July 1971.

Gruber, T. J. and Harbaugh, T. D., Westinghouse SSPS Universal Logic Board Replacement Summary Report 6D30225G01/G02/G03/G04, WCAP-16769-P, Revision 2, February, 2011.

Harbaugh, T. D. and Hines, E. F., Westinghouse SSPS Safeguards Driver Board Replacement Summary Report 6D30252G01/G02, WCAP-16770-P, Revision 0, August, 2008.

Gruber, T. J. and Harbaugh, T. D., Westinghouse SSPS Undervoltage Driver Board Replacement Summary Report 6D30350G01/G02, WCAP-16771-P, Revision 1, April, 2011.


Actuating Channel Description 1 4 t H2 Purge Inside Valve X t H2 Purge Outside Valve X t H2 Sample 1 Delivery Inside Valves X t H2 Sample 2 Delivery Inside Valves X t H2 Sample 1 Delivery Outside Valve X t H2 Sample 2 Delivery Outside Valve X t Sample 1 Return Valve X t H2 Sample 2 Return Valve X t H2 Mixing Fan 1 X t H2 Mixing Fan 2 X t H2 Mixing Fan 3 X t H2 Mixing Fan 4 X ergency Exhaust Fans X X t H2 Thermal Recombiner 1 X t Thermal Recombiner 2 X

Ctmt = Containment

Additional details are provided on the electrical schematic diagrams and the control logic diagrams referenced in Section 1.7.

Rev. OL-13 5/03

Failure Effect on System Detection Remarks of one ac power channel control Loss of redundancy Immediate - indicator lights Remaining channel fully operable of one dc power channel control Spurious valve closure Immediate - indicator lights Remaining channel fully operable rol switch OPEN Loss of redundancy Periodic testing or spurious operation Loss of control from main control room or g failure SHORT Spurious operation may occur of instrument air system No effect There are no air-operated components in this system Rev. OL-13 5/03

Actuating Channel Description 1 4 t Shutdown Purge Supply Valve Inside X t Shutdown Purge Supply Valve Outside X t Shutdown Purge Exhaust Valve Inside X t Shutdown Purge Exhaust Valve Outside X t Shutdown Purge Supply Fan and Damper Nonsafety t Shutdown Purge Exhaust Fan and Damper Nonsafety t Mini-purge Supply Valve Inside X t Mini-purge Supply Valve Outside X t Mini-purge Exhaust Valve Inside X t Mini-purge Exhaust Valve Outside X t Mini-purge Supply Fan and Damper Nonsafety t Mini-purge Exhaust Fan and Damper Nonsafety

Ctmt = Containment

Additional details are provided on the electrical schematic diagrams and the control logic diagrams referenced in Section 1.7.

Rev. OL-13 5/03

Failure Mode Effect on System Detection Remarks of one ac power channel No effect Immediate-annunciator Air-operated valves are controlled by dc solenoids of one dc power channel System isolates Immediate-annunciation on loss of bus. Trip - isolates Periodic test on individual device level of instrument air system Purge valves fail closed Immediate-indicator lights and Valves fail in safe position annunciation ation (a) HI (a) System isolates (a) Immediate-annunciator (a) Trip - isolates ensor fails: (b) LO (b) 1 channel remains operable (b) Immediate-computer or periodic testing (b) See Note 1 or wiring fails open or shorts 1 channel remains operable Immediate-computer or periodic testing See Note 1 ble fails System loses one channel or trips Periodic testing Either trip or detected by periodic testing nput open Loss of one sensing parameter in one Periodic testing Diverse inputs (radiation, manual) fully channel operable nput shorted Spurious trip Immediate-annunciator Spurious closure; however, valves are normally closed al input open Loss of system level manual initiation in Periodic testing Redundant train and automatic actuation one train and device level control fully operable on affected train al input shorted Spurious trip Immediate-annunciator Spurious closure; however, valves are normally closed ut relay coil open or shorted No automatic actuation of associated Periodic testing (open); Manual control not impaired, other train devices in one train only. Immediate-annunciator (shorted) will isolate.

ut relay mechanically jammed No automatic actuation of associated Periodic testing Manual control not impaired, other train devices in one train only will isolate ut wiring fails: (a) OPEN Loss of redundancy Periodic testing Redundant train will still be operable (b) SHORT May produce spurious isolation Periodic testing or spurious isolation Spurious isolation E 1: Channel failure alarm operates for failures between the radiation detector and the microprocessor. Periodic testing detects failures between the microprocessor and ESFAS cabinets.

For plant conditions during CORE ALTERATIONS and during movement of irradiated fuel within containment, the function of the monitors is to alarm only and the trip signals for automatic actuation of CPIS may be bypassed. One instrumentation channel at a minimum is required for the alarm only function during plant refueling activities.

Rev. OL-13 5/03

Actuating Channel Description 1 4 l Building Exhaust Fan A X l Building Exhaust Fan B X side Air Supply Isolation Damper* X side Air Supply Isolation Damper* X l Building Supply Fan A** Nonsafety l Building Supply Fan B** Nonsafety ergency Filter Supply Isolation (A) X ergency Filter Supply Isolation (B) X nt Fuel Pool Exhaust Isolation (A) X nt Fuel Pool Exhaust Isolation (B) X itional details are provided on the electrical schematic diagrams and the control c diagrams referenced in Section 1.7.

These two dampers are in series.

Normally operating; trip on FBVIS.

Rev. OL-13 5/03

Failure Mode Effect on System Detection Remarks of one ac power channel Loss of redundancy Immediate-annunciator Other channel will still be operable of one dc power channel Disables the associated actuation channel Immediate-annunciation of loss of bus. Reduces system to minimum sufficiency Periodic test on individual device level of instrument air system None - not applicable Not applicable Vent dampers are electrically operated ation sensor fails HI System isolates Immediate-annunciator Trip-isolates LO 1 channel remains operable Immediate-computer or periodic testing See Note 1 or wiring fails open or short 1 channel remains operable Immediate-computer or periodic testing See Note 1 ble fails System either isolates or loses one Periodic testing Either trip or detected by periodic testing channel al input open Loss of system level manual initiation for Periodic testing Redundant train and automatic actuation one train and device level control fully operable on affected train.

al input shorted Spurious trip Immediate-annunciator Spurious isolation ut relay coil open or shorted No automatic actuation of associated Periodic testing (open); Manual control and redundant train are not devices in one train only Immediate-annunciator (Shorted) impaired.

ut relay mechanically jammed No automatic actuation of associated Periodic testing Manual control and redundant train are not devices in one train only impaired ut wiring fails OPEN Loss of redundancy Periodic testing Redundant train will still be operable.

SHORT May produce spurious isolation Periodic testing or spurious isolation Spurious isolation E 1: Channel failure alarm operates for failures between the radiation detector and the microprocessor. Periodic testing detects failures between the microprocessor and ESFAS cabinets. System is reduced to minimum sufficiency.

Rev. OL-13 5/03

Type: Gaseous
Minimum Concentration Requiring Isolation (Ci/cc): See Tables 11.5-3 and 12.3-3
Limiting Isotope: Xe133
Response Time: Less than 5 seconds

Rev. OL-13 5/03

I. ACTUATED EQUIPMENT LIST uation Channel scription Number ntrol Room Filtration System A Dampers 1 ntrol Room Filtration System B Dampers 4 per Cable Spreading Room Ventilation Isolation (2 dampers) 4 ntrol Room A/C Unit A 1 ntrol Room A/C Unit B 4 ntrol Room Ventilation Isolation (2 dampers) 4 er Cable Spreading Room Ventilation Isolation (2 dampers) 1 ntrol Building Outside Air Supply Unit

  • ntrol Building Exhaust Fan A
  • ntrol Building Exhaust Fan B
  • ess Control Exhaust Fan A
  • ess Control Exhaust Fan B
  • ntrol Building Outside Air System Isolation (5 dampers) 1&4 gr and Battery Room Ventilation Isolation (2 dampers) 4 F SWGR Rm Ventilation Isolation (2 dampers) 4 ess Control Area Ventilation Isolation (3 dampers) 4 ntrol Room Pressurization System A 1 ntrol Room Pressurization System B 4 ss 1E A/C System A 1 ss 1E A/C System B 4 ntrol Building Exhaust System Isolation (5 dampers) 1&4 ntrol Building Access Control Exhaust System Isolation (3 dampers) 4&1 Laboratory Ventilation Isolation (2 dampers) 1 Laboratory Ventilation Isolation (2 dampers) 4 ase and Tank Area Ventilation Isolation (2 dampers) 1 ase and Tank Area Ventilation Isolation (2 dampers) 4 mpanion Power Unit ESFAS, CRVIS (where applicable) 1 mpanion Power Unit ESFAS, CRVIS (where applicable) 4 itional details are provided on the electrical schematic diagrams and the control c diagrams references in Section 1.7. The method for achieving isolation damper undancy is shown in Table 7.3-8, Sheet 2.

Nonsafety related Rev. OL-19 5/12

II. CONTROL BUILDING ISOLATION DAMPERS annel 1 Dampers Corresponding Channel 4 Dampers ntrol Building Exhaust System 11 (HZ 13G) D312 (HZ 184D) 14 (HZ 59B) D301 (HZ 184B) 18 (HZ 13B) D016 (HZ 55B) 18 (HZ 13B) D013 (HZ 98B) 18 (HZ 13B) D012 (HZ 122B) 18 (HZ 13B) D219 (HZ 123B) 83 (HZ 13E) D015 (HZ 57B) ntrol Building Supply System 09 (HZ 13F) D310 (HZ 184C) 79 (HZ 13D) D005 (HZ 57A) 06 (HZ 59A) D300 (HZ 184A) 02 (HZ 13A) D004 (HZ 55A) 02 (HZ 13A) D007 (HZ 98A) 02 (HZ 13A) D008 (HZ 122A) 02 (HZ 13A) D009 (HZ 123A) 98 (HZ 172A) D199 (HZ 173A) ess Control Exhaust System 25 (HZ 13C) D220 (HZ 123C) 13 (HZ 13H) D314 (HZ 184E) 03 (HZ 172B) D202 (HZ 173B)

Rev. OL-19 5/12

Failure Mode Effect on System Detection Remarks of one ac power channel Loss of redundancy Immediate-annunciator Other channel will still be operable ation sensor fails HI Spurious trip Immediate-annunciator Trip-isolates LO Loss of redundancy Immediate-computer or periodic testing See Note 1 or wiring fails open or shorts Loss of redundancy Immediate-computer or periodic testing See Note 1 ble fails Loss of one channel of automatic Periodic testing Either trip or detected by periodic testing actuation or trip al input open Loss of system level manual initiation for Periodic testing Redundant train and automatic actuation one train and device level control are fully operable on affected train al input shorted Spurious trip Immediate-annunciator Spurious isolation ut relay coil open or shorted No automatic actuation of associated Periodic testing (open); Redundant train will still be operable, also devices in one train only Immediate-annunciator (shorted) manual control available ut relay mechanically jammed Loss of redundancy Periodic testing Redundant train will still be operable, also manual control available ut wiring fails OPEN Loss of redundancy Periodic testing Redundant train will still be operable SHORT May produce spurious isolation Periodic testing or spurious isolation Spurious isolation nput open Loss of one sensing parameter in open Periodic testing Diverse inputs (radiation, manual) fully channel operable nput shorted Spurious trip Immediate-annunciator Spurious isolation E 1: Channel failure alarm operated for failures between the radiation detector and the microprocessor. Periodic testing detects failures between the microprocessor and ESFAS cabinets. System is reduced to minimum sufficiency.

Rev. OL-13 5/03

Failure Modes | Effect on the System | Detection | Remarks
Failure of bypass relays:
a. Bypass relay fails to actuate | a. Loss of bypass function | a. Periodic slave relay testing (SJ system valves only). Undetectable (GS system valves only). The bypass function is not a protective action, so detection is not required | a. No loss of automatic protective function
b. Bypass relay fails to de-actuate | b. Blocks automatic protective function in one train | b. Periodic slave relay testing | b. Redundant train will operate except for H2 Analyzer Iso valves. H2 Analyzer Iso valves are maintained normally closed
c. Interposing relay fails to actuate | c. Loss of bypass function and amber logic indication ESFAS status panel. Loss of bypass function (Ctmt Atmos. Monitor Iso valves) | c. Periodic slave relay testing. Undetectable (Ctmt Atmos. Monitor Iso valves). The bypass function is not a protective action, so detection is not required | c. No loss of automatic protective function. No loss of automatic protective function
d. Interposing relay fails to de-actuate | d. Blocks automatic protective function in one train | d. Periodic slave relay testing, or Amber light on ESFAS status panel will illuminate when valve is open. Periodic slave relay testing (Ctmt Atmos. Monitor Iso valves) | d. Redundant train will operate. Redundant train will operate
Output wiring/opens or shorts | Loss of redundancy or may produce spurious operation | Periodic testing or immediate testing if spurious operation is indicated | Redundant channel will operate
Failure of indicating light | No loss of control | Periodic testing | Function will be achieved without indication; system level bypass annunciation and indication will be provided

Rev. OL-14 12/04

Failure Mode | Effect on System | Detection | Remarks
Loss of one Class 1E ac power supply | Loss of one motor-driven auxiliary feed pump, associated feed control valves, and one essential service water suction valve in affected train and one in the turbine-driven pump suction | Immediate-annunciator | The redundant motor-driven auxiliary feed pump and steam-driven auxiliary feed pump are still available. The redundant suction valve in the turbine-driven pump supply is not affected.
Loss of one Class 1E dc power supply:
Loss of Separation Group 1 | Loss of control power to one motor-driven auxiliary feed pump. Two of the feed regulating valves for the turbine-driven pump fail open. | Immediate-annunciator | The redundant motor-driven auxiliary feed pump and steam-driven auxiliary feed pump are still available. The other two feed regulating valves for the turbine-driven pump function normally.
Loss of Separation Group 2 | Loss of turbine-driven pump due to dc-controlled steam supply valves | Immediate-annunciator | The two motor-driven auxiliary feed pumps and associated valves remain completely functional.
Loss of Separation Group 3 | No effect | -- | No auxiliary feedwater components are controlled from this group.
Loss of Separation Group 4 | Same as for Separation Group 1, except that it occurs to the other train | Immediate-annunciator | Same as for Separation Group 1
Loss of one Class 1E instrument power supply | Loss of one indication train loss or partial trip of one protection train | Immediate-annunciator | Redundant train(s) still available.
Loss of instrument air supply | Does not affect system function | Immediate-annunciator | Air reservoirs are utilized as a backup air supply.
Safety injection signal open | Loss of "safety injection signal" auto initiation in one channel only | Periodic testing | Does not affect manual initiation or other auto initiations.
Safety injection signal shorted | Starts motor-driven auxiliary feed pump and closes steam generator blowdown and sample valves. | Immediate-annunciator | Operator override to terminate auxiliary feedwater supply is possible after assessment of situation.
Loss of power signal open | Loss of "loss of power" auto initiation in one channel | Periodic testing | Does not affect manual initiation or other auto initiations.
Loss of power signal shorted | Starts the steam-driven auxiliary feed pump and closes steam generator blowdown and sample valves | Immediate-annunciator | Operator override to terminate auxiliary feedwater supply is possible after assessment of situation.
Blackout sequence signal open | Loss of blackout auto initiation in one motor-driven pump | Periodic testing | Redundant train and turbine-driven pump operate.
Blackout sequence signal shorted | Starts one motor-driven auxiliary feed pump and closes steam generator blowdown and sample valves | Immediate-annunciator | Operator override to terminate supply of auxiliary feedwater is possible after assessment of situation.
Blackout signal or safety injection signal ed | Loss of one motor-driven pump | Periodic testing | Other motor-driven pump and turbine-driven pump will operate manual controls still operable to start affected pump.
Main feed pump trip signal open | Main feed pump trip will not initiate auxiliary feedwater | Periodic testing | Does not affect manual initiation or other auto initiations.
Main feed pump trip signal shorted | Starts motor-driven auxiliary feed pump and closes steam generator blowdown and sample valves | Immediate-annunciator | Operator override to terminate supply of auxiliary feedwater is possible after assessment of situation.
Manual control switch failure open | Loss of manual initiation of the associated function | Periodic testing | Does not affect auto initiations or manual initiation of other equipment.
Manual control switch shorted | Starts associated auxiliary feed pump and closes steam generator blowdown and sample valves | Immediate-annunciator | Operator will regulate to proper level.

System | Section
Component cooling water | 9.2.2
Essential service water (ESW) | 9.2.1.2
Containment spray | 6.0, 7.3
Emergency exhaust | 9.4.2
Diesel generator building ventilation | 9.4.7
ESW pump house ventilation | 9.4.8
Main steam | 10.3
Main feedwater | 10.4.7

Functional Unit | No. of Channels | No. of Channels To Trip
Safety Injection
a. Manual | 2 | 1
b. Containment pressure (Hi-1) | 3 | 2
c. Low steam line pressure (lead-lag compensated) | 12 (3/steam line) | 2 in any one steam line
d. Pressurizer low pressure(a) | 4 | 2
Containment Spray
a. Manual(b) | 4 | 2
b. Containment pressure (Hi-3) | 4 | 2

NOTES

(a) Permissible bypass if reactor coolant pressure is less than 2,000 psig.

(b) Manual actuation of the containment spray system requires the simultaneous operation of two separate switches, as described in Section 7.3.8.1.1. Note that this also initiates phase B containment isolation. The requirement for the simultaneous operation of two switches is desirable to prevent the inadvertent actuation of this system.
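As an added illustration (not part of the FSAR and not plant logic), the following Python example evaluates the coincidence counts in the Safety Injection and Containment Spray rows above and injects one stuck channel at a time to show how 2-out-of-3 and 2-out-of-4 units behave under a single failure in either direction, compared with a 1-out-of-2 manual unit. The function names, the single RCS pressure input used to model note (a), and all channel states are assumptions constructed for the example.

```python
# Added illustration, not plant logic: M-out-of-N coincidence voting with the
# channel counts from the Safety Injection / Containment Spray table above.

BYPASS_LIMIT_PSIG = 2000  # note (a): bypass permissible below this pressure


def coincidence(trips, need):
    """True when at least `need` of the channel trip states are set."""
    return sum(1 for t in trips if t) >= need


def safety_injection(manual, ctmt_hi1, steam_lines, pzr_low,
                     block_requested, rcs_pressure_psig):
    """Return the set of Safety Injection functional units demanding actuation.

    manual      -- 2 switch states, 1 to trip
    ctmt_hi1    -- 3 channel states, 2 to trip
    steam_lines -- 4 steam lines x 3 channel states, 2 to trip in any one line
    pzr_low     -- 4 channel states, 2 to trip
    block_requested, rcs_pressure_psig -- assumed inputs modelling note (a):
        the operator's block is honoured only below 2,000 psig.
    """
    if (len(manual), len(ctmt_hi1), len(pzr_low)) != (2, 3, 4):
        raise ValueError("channel count does not match the table")
    if len(steam_lines) != 4 or any(len(line) != 3 for line in steam_lines):
        raise ValueError("expected 4 steam lines with 3 channels each")

    demands = set()
    if coincidence(manual, 1):
        demands.add("manual")
    if coincidence(ctmt_hi1, 2):
        demands.add("containment pressure Hi-1")
    # Coincidence is taken per steam line: trips in different lines do not add.
    if any(coincidence(line, 2) for line in steam_lines):
        demands.add("low steam line pressure")
    blocked = block_requested and rcs_pressure_psig < BYPASS_LIMIT_PSIG
    if coincidence(pzr_low, 2) and not blocked:
        demands.add("pressurizer low pressure")
    return demands


def containment_spray(manual, ctmt_hi3):
    """Both units are 4 channels, 2 to trip; one manual switch alone does nothing."""
    if len(manual) != 4 or len(ctmt_hi3) != 4:
        raise ValueError("channel count does not match the table")
    demands = set()
    if coincidence(manual, 2):
        demands.add("manual")
    if coincidence(ctmt_hi3, 2):
        demands.add("containment pressure Hi-3")
    return demands


def single_failure_check(n, need):
    """Inject one stuck channel at a time into an n-channel, need-to-trip unit.

    Returns (actuates_on_demand, quiet_without_demand):
      actuates_on_demand   -- every healthy channel trips, one is stuck untripped
      quiet_without_demand -- no healthy channel trips, one is stuck tripped
    """
    actuates = all(coincidence([i != stuck for i in range(n)], need)
                   for stuck in range(n))
    quiet = not any(coincidence([i == stuck for i in range(n)], need)
                    for stuck in range(n))
    return actuates, quiet


if __name__ == "__main__":
    # Constructed cases: one per voting arrangement that appears in the table.
    for label, n, need in [("manual SI, 1/2", 2, 1),
                           ("containment pressure Hi-1, 2/3", 3, 2),
                           ("pressurizer low pressure, 2/4", 4, 2)]:
        print(label, single_failure_check(n, need))
```

A 1-out-of-2 manual unit tolerates a switch that fails open but actuates on a single shorted switch, which is the inadvertent-actuation case that note (b) addresses for containment spray by requiring two switches at once.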


Functional Unit | No. of Channels | No. of Channels to Trip
Containment Isolation
a. Automatic safety injection (Phase A) | See item 1 (b) through (d) of Table 7.3-13 |
b. Containment pressure (Phase B) | See item 2 (b) of Table 7.3-13 |
c. Manual
   Phase A | 2 | 1
   Phase B | See item 2 (a) of Table 7.3-13 |
Steam Line Isolation
a. High steam line negative pressure rate | 12 (3/steam line) | 2/steam line in any steam line
b. Containment pressure (Hi-2) | 3 | 2
c. Low steam line pressure (lead-lag compensated) | 12 (3/steam line) | 2/steam line in any steam line
d. Manual | 2* | 1*
Feedwater Line Isolation
a. Safety injection | See item 1 of Table 7.3-13 |
b. Steam generator high-high level | 4/loop | 2/loop 2/4 on any steam generator
c. Steam generator low-low level | 4/loop | 2/loop 2/4 on any steam generator
d. Reactor coolant low average temperature | 1/loop | 2 (Note 1) 2/4
e. Reactor trip | See Figure 7.2-1, Sheet 2 | (Note 2)
f. Manual | 2* | 1*

* Manual actuation of either switch closes all main feedwater isolation valves or all main steam isolation and bypass valves. It is also possible to operate these valves with individual switches. However, those controls are provided for normal operation only.

Note 1: The feedwater line will isolate on low Tavg only in conjunction with reactor trip (P-4). This feedwater isolation signal may be bypassed for normal reactor startups and shutdowns.

Note 2: The feedwater line will isolate on reactor trip in conjunction with low Tavg (see Note 1), high-high steam generator level, or safety injection.


Designation | Input | Function Performed
| Reactor trip | Actuates turbine trip
| | Feedwater isolation signal occurs on Tavg below setpoint. This feedwater isolation signal may be bypassed for normal reactor startups and shutdowns. This circuitry does not provide a required protective function.
| | Prevents opening of main and bypass feedwater control valves which were closed by safety injection or high-high steam generator water level
| | Allows manual block of the automatic reactuation of safety injection
| Reactor not tripped | Defeats the block preventing automatic reactuation of safety injection
1 | 2/3 pressurizer pressure below setpoint | Allows manual block of safety injection actuation on low pressurizer pressure signal
| | Allows manual block of safety injection actuation and steam line isolation on low lead/lag compensated steam line pressure signal and allows steam line isolation on high steam line negative pressure rate
| 2/4 steam generator level above setpoint in any steam generator | Closes all feedwater isolation valves, feedwater control valves. Trips both main feedwater pumps which closes the pump discharge valves. Actuates turbine trip.


The functions necessary for safe shutdown are available from instrumentation and control channels that are associated with the major systems in both the primary and secondary plant. These channels are normally aligned to serve a variety of operational functions, including startup and shutdown, as well as protective functions. There are no systems dedicated as safe shutdown systems, per se. However, procedures for securing and maintaining the plant in a safe condition can be instituted by appropriate alignment of selected systems in the nuclear steam supply system. The discussion of these systems, together with the applicable codes, criteria, and guidelines, is found in other sections of this safety analysis report. In addition, the alignment of shutdown functions associated with the engineered safety features, which are invoked under postulated limiting fault situations, is discussed in Sections 6.3 and 7.3.

In the event of a turbine or reactor trip, loss of offsite power is assumed, and the plant will be placed in a hot standby condition. If required by a limiting condition of operation per Callaway Technical Specifications or if recovery from an event will cause the plant to shut down for an extended period of time, the plant will be taken to a cold shutdown (CSD) condition. During the safe shutdown condition, an adequate heat sink is provided to remove reactor core residual heat. Boration capability is provided to compensate for xenon decay and to maintain the required core shutdown margin. Redundancy of systems and components is provided to enable continued maintenance of the hot standby condition. If required, it is assumed that permanent or temporary repairs can be made to correct or circumvent any failures which might otherwise impede eventually taking the plant to the cold shutdown condition.

The instrumentation and control functions which are required to be aligned for maintaining safe shutdown of the reactor, that are discussed in this section and Appendix 5.4A, are the minimum number under nonaccident conditions. These functions will permit the necessary operations that will:

a. Prevent the reactor from achieving criticality in violation of the parameters prescribed in the Callaway Technical Specifications.
b. Provide an adequate heat sink so that design and safety limits on reactor coolant system temperature and pressure are not exceeded.

The designation of systems that can be used for safe shutdown depends on identifying those systems which provide the following capabilities for maintaining a safe shutdown:

a. Circulation of reactor coolant
b. Boration
c. Residual heat removal

7.4-1 Rev. OL-23 6/18

The specific systems, together with the necessary associated instrumentation and controls, are identified for both hot standby and cold shutdown in Appendix 5.4A and in Sections 7.4.1 and 7.4.2.

Maintenance of a shutdown with these systems and associated instrumentation and controls has included consideration of the accident consequences that might jeopardize safe shutdown conditions. The accident consequences that are germane are those that would tend to degrade the capabilities for boration, adequate supply of auxiliary feedwater, and residual heat removal.

The results of the accident analyses are presented in Chapter 15.0. Of these, the following produce the consequences that are most pertinent:

a. Chemical and volume control system malfunction that results in a decrease in the boron concentration in the reactor coolant (uncontrolled boron dilution) (15.4.6)
b. Loss of normal feedwater flow (15.2.7)
c. Loss of external electrical load and/or turbine trip (15.2.2 and 15.2.3)
d. Loss of nonemergency ac power to the station auxiliaries (15.2.6)

These analyses show that safety is not adversely affected by these incidents, with the associated assumptions being that the instrumentation and controls discussed in Section 7.4.1 are available to control and/or monitor shutdown. These available systems allow the maintenance of hot standby even under the accident conditions listed above, which would tend toward a return to criticality or a loss of heat sink.

In addition to the operation of systems required for safe shutdown, as described below, the following general considerations are applicable:

a. The turbine is tripped (note that this can be accomplished at the turbine as well as inside the control room).
b. The reactor is tripped (note that this can be accomplished at the reactor trip switchgear as well as inside the control room).
c. All automatic systems continued functioning (discussed in Sections 7.2 and 7.7).


To effect a unit shutdown, the unit will be brought to, and maintained at, a safe shutdown condition under control from the main control room or the auxiliary shutdown control panel. Hot standby is defined as the condition in which the reactor is subcritical and the reactor coolant system temperature and pressure are in the normal operating range.

The portions of the reactor trip system required to achieve the shutdown condition are described in Section 7.2. The system and component controls and monitoring indicators provided on the auxiliary shutdown control panel are listed in Section 7.4.3. The minimum systems/controls and monitoring indicators required to maintain a safe hot standby under the conditions discussed in note 4 of Table 3.11(B)-3, i.e. SSE and loss of offsite power, are highlighted below.

a. Essential System and Component Controls
   See Appendix 5.4A
b. Essential Monitoring Indicators
   1. Steam Generators
      (a) Water level for each steam generator
      (b) Pressure for each steam generator
   2. Pressurizer
      (a) Water level
      (b) Pressure (reactor coolant system pressure or pressurizer pressure)
   3. Auxiliary feedwater system
      (a) Suction pressure for each auxiliary feedwater pump
   4. Chemical and Volume Control System
      (a) Boric acid tank level
      (b) Safety grade, excess letdown flow to PRT
      (c) RCP seal injection flow
      (d) ECCS CCP discharge flow to the Boron Injection Header

      (a) RWST level
   6. Component Cooling Water System
      (a) Flow to components inside containment

7.4.1.1 Auxiliary Feedwater Control

The auxiliary feedwater pumps start automatically, as described in Section 7.3.6.1.1, or can be started manually. Start/stop pump controls located on the auxiliary shutdown control panel (as well as inside the control room) are provided, as well as control for the control valves.

7.4.1.2 Atmospheric Steam Relief

7.4.1.2.1 Description

The instrumentation and controls for the atmospheric steam relief system consist of controls, transmitters, and indicators to provide automatic or manual actuation of the power-operated atmospheric steam relief valves (also referred to as the atmospheric steam dump valves) to remove reactor heat from the reactor coolant system.

Both the safety valves and the power-operated atmospheric steam dump valves are located upstream of the main steam isolation valves, outside of the containment, and both provide a means of removing reactor heat in a hot standby condition. The safety valves are full-capacity, spring-loaded valves which are actuated by high main steam line pressure. They are described more fully in Section 10.3. The power-operated atmospheric steam dump valves, however, are the preferred mode of steam relief to avoid prolonged operation of the safety valves. The power-operated portion of the relief system is safety related, except as specifically noted otherwise in Paragraphs h and i below.

A pressure transmitter and pressure controller are provided for each of the steam generators to actuate the atmospheric steam dump valve and control the steam pressure to a predetermined setting. Manual control capability is provided in the control room, on the auxiliary shutdown control panel, and locally for AB-PV-2 and 3 for steam dump valve modulation. The status of the power-operated atmospheric steam dump valves is indicated by open and closed indicating lights and by the controller output indication.

a. Initiating circuits No initiating circuits are required for the self-actuated safety valves. Each atmospheric steam dump valve is automatically actuated to regulate the steam generator pressure via the pressure controller and can be manually

Section 7.5.

b. Logic No logic is required for the spring-loaded safety valves. Each atmospheric steam dump valve is individually controlled by its own pressure control loop. Normal atmospheric steam dump valve operation is the automatic mode, but, alternatively, it may be operated in a manual mode.
c. Bypass No bypass is provided. Placement of the power-operated steam valve controller in the manual mode does not preclude the steam relief functional requirement since the safety relief valves provide a steam pressure relief capability.
d. Interlock No interlock is provided for the atmospheric steam relief system.
e. Redundancy Any two of the four atmospheric steam dump valves provide sufficient steam relief for hot standby requirements. Redundancy is accomplished on a system basis since any two of the four associated steam generators are adequate for the heat removal requirements.
f. Diversity Diversity is accomplished by the spring-loaded safety valves operating as backup to the atmospheric steam dump valves.
g. Actuated devices The safety valves are self-actuated.

The atmospheric steam dump valves are air operated, fail closed, and require a pressurized gas supply for operation.

h. Supporting systems The controls for the atmospheric steam dump valves are powered from the Class 1E power system (Section 8.3). The pressurized gas supply required for motive force is normally supplied from the instrument air
i. Portion of system not required for safety The alarms to the station annunciator and computer are not required for safety.
j. Design bases information The design bases of the atmospheric steam relief system (in accordance with Section 3 of IEEE Standard 279-1971) are:
1. The generating station condition which requires protective action is hot standby heat removal at controlled steam generator pressure, with or without loss of offsite power.
2. The range of transient and steady-state conditions of both the energy supply and the environment during normal, abnormal, and accident circumstances throughout which the system must perform:

The equipment is located outside the containment and is designed to withstand the temperature range, relative humidity, and atmospheric pressure for that location (refer to Tables 3.11(B)-1 and 3.11(B)-2 for specific values). The Class 1E power system is discussed in Section 8.3.

3. The malfunctions, accidents, or other unusual events which could physically damage protection system components for which provisions must be incorporated to retain necessary protective action:

The atmospheric steam relief system is designed to withstand the effects of earthquake without loss of function. The system is designed and its components are physically located to prevent loss of function from missile damage.

4. Minimum performance requirements, including system response times, system accuracies, ranges of the magnitudes, and change of sensed variables to be accommodated until proper conclusion of the protective action is assured:

The atmospheric steam relief controls are analog in nature, and the response of conventional process control equipment adjusted for stable pressure controlling operation is adequate in view of the following:


(steam dump to condenser) system is not available. The requirement is for the power-operated atmospheric steam dump valves to relieve the safety valves from a sustained pressure controlling function in the hot standby mode. Thus, response time and accuracy are not critical for the required performance. The steam generator pressure will be relatively constant (no load steam pressure), with no rapid change required in the mass flow rate from the atmospheric steam dump valves.

k. Drawings Logic Diagram (refer to Section 1.7).

7.4.1.2.2 Analysis

a. Conformance to NRC general design criteria
1. General Design Criteria 13 and 19 Instrumentation necessary to monitor station variables associated with hot standby is provided with adequate indication in the main control room and on the auxiliary shutdown control panel. Controls for the atmospheric steam relief are provided at each location. A description of the surveillance instrumentation is provided in Section 7.5.
2. General Design Criterion 34 The power-operated atmospheric steam dump valves provide an adequate means of venting the steam generators to remove reactor decay heat following reactor trip. Modulation of the power-operated atmospheric steam dump valves provides the desired rate of heat removal from the reactor coolant system to maintain the hot standby condition.

The power-operated atmospheric steam dump system has sufficient redundancy to ensure its intended function, assuming a single failure.

b. Conformance to NRC regulatory guides
1. Regulatory Guide 1.22 The atmospheric steam relief controls can be tested periodically.


The atmospheric steam relief controls are designed to withstand the effects of SSE without loss of function. The atmospheric steam relief controls are classified seismic Category I, in accordance with the guide.

c. Conformance to IEEE Standard 279-1971 The controls for the power-operated atmospheric steam relief system conform to the applicable requirements of IEEE Standard 279-1971. The control circuits are designed so that any single failure will not prevent proper protective action (removal of reactor decay heat) when required.

This is accomplished by redundant steam relief systems in that only two of the four valves are needed to provide sufficient capacity. The atmospheric steam dump valves utilize control power from independent Class 1E power systems. The controller for each of the four valves is powered from a separate independent system. Each atmospheric steam dump valve has a separate bottled gas supply system to provide motive power. In order to prevent interaction between the redundant systems, the control channels are wired independently and separated with no electrical connections between control channels.

d. Conformance to other criteria and standards Conformance to other criteria and standards is indicated in Table 7.1-2.

7.4.1.3 Other Systems and Controls Required for Hot Standby

7.4.1.3.1 Description

If the unit is maintained in a hot standby condition for a prolonged time, negative reactivity must be added. The systems and controls required for this function are described in Appendix 5.4A.

7.4.1.3.2 Analysis

Conformance to the GDCs, IEEE-279-1971, applicable Regulatory Guides, and other industry standards are presented in Table 7.1-2.

7.4.2 COLD SHUTDOWN

7.4.2.1 Description

The systems and controls required for cold shutdown are described in Appendix 5.4A.

The instrumentation and controls for these systems may require some authorized field

side the control room.

7.4.2.2 Analysis

The results of the analysis which determined the applicability to the nuclear steam supply system cold shutdown systems of the General Design Criteria, IEEE Standard 279-1971, applicable regulatory guides, and other industry standards are presented in Table 7.1-2.

7.4.3 SAFE SHUTDOWN FROM OUTSIDE THE CONTROL ROOM

Hot standby is a safe and stable plant condition for a reactor plant that incorporates a combined Westinghouse/Areva NSSS. Examination of Condition II, III, or IV events for the Westinghouse/Areva NSSS has revealed none that require cool down to cold shutdown conditions for safety reasons. Eventual achievement of cold shutdown conditions may be required for long-term recovery. However, there is no safety reason why this must be accomplished in some limited period of time. While the plant is in the hot standby condition, the auxiliary feedwater system and the steam generator safety valves or atmospheric steam dump valves can be used to remove residual heat to meet safety requirements. The long-term safety grade supply of AFW allows extended operation at hot standby conditions. Boration, from outside of the control room, during the hot standby condition is discussed in Section 7.4.3.1.3. Additionally, nothing in the plant design precludes the eventual achievement of cold shutdown, even assuming an SSE, a loss of offsite power, and the most limiting single failure, if arbitrary restrictions are not placed on either the time required to cool down or on permissible operator actions outside the control room.

7.4.3.1 Description

If temporary evacuation of the control room is required because of some abnormal station condition, the operators can establish and maintain the station in a hot standby condition from outside the control room through the use of controls located at the auxiliary shutdown control panel, at the switchgear, or at motor control centers, and other local stations. Hot standby is a stable plant condition reached following a plant shutdown. The hot standby condition can be maintained safely for an extended period of time. In the unlikely event that access to the control room is restricted, the plant can be safely kept at a hot standby, until the control room can be reentered, by the use of the essential monitoring indicators and the controls listed in Sections 7.4.3.1.1 and 7.4.3.1.2.

The auxiliary shutdown panel room is located in the northeast corner of the auxiliary building one level below the control room at Elevation 2026. There are two distinct auxiliary shutdown panels at this location; one panel is associated with instrumentation and control circuits used for controlling safe shutdown equipment in train A, and the other panel is associated with instrumentation and control circuits used for controlling safe shutdown equipment in train B. Both panels are electrically separated and are associated with the same safety-grade circuits that serve their respective trains. The

panel RP118B and the control room. Switches are provided on RP118B to isolate and remove control from the control room for the train B safe shutdown equipment necessary to take the plant to and maintain the plant in a safe hot standby condition independent of the control room. This capability is assured in the event a postulated fire causes damage to the control room and subsequent evacuation of the operators. Train B controls and instrumentation were selected to be isolated because the controls and instrumentation for the turbine-driven auxiliary feedwater pump are located on this panel. A description of the control room fire is provided in Section 9.5.1. Refer to Table 7.4-1 for the list of instrumentation and controls on RP118B that have an isolation feature.

Although the prime intent of the auxiliary shutdown control panel is the maintaining of hot standby from outside the control room, this panel can also be used for certain functions when implementing cold shutdown from outside the control room.

7.4.3.1.1 Auxiliary Shutdown Panel

The following controls and monitoring indicators are provided on the auxiliary shutdown control panel.

a. Controls
1. START/STOP control for each motor-driven auxiliary feedwater pump (1) (5) (6)
2. START/STOP controls for the turbine-driven auxiliary feedwater pump (steam supply and trip and throttle valve controls) (5) (6)
3. MANUAL control for all auxiliary feedwater flow control valves (2) (5) (7)
4. OPEN/CLOSE control for essential service water to the auxiliary feedwater pump suction valves and condensate storage tank to the auxiliary feedwater pump suction valves (1) (5) (6)
5. Auxiliary feedwater pump turbine speed control (2) (5)
6. AUTOMATIC/MANUAL control for each power-operated atmospheric steam dump valve (2) (5) (8)
7. ON/OFF/AUTO control for two pressurizer backup heater groups (3) (6)
8. OPEN/CLOSE control for the containment isolation valves in the letdown line (1) (5) (6)

throttle valve isolation valves

b. Monitoring indicators (4)
1. Water level for each steam generator (both wide range and narrow range) (5) (9)
2. Pressure for each steam generator (5)
3. Reactor coolant system pressure (wide range) (5) (10)
4. Pressurizer pressure
5. Pressurizer level (5) (11)
6. Suction pressure for each auxiliary feedwater pump (5) (12)
7. Auxiliary feedwater pump turbine speed (rpm) (5) (13)
8. Discharge pressure for each auxiliary feedwater pump
9. Auxiliary feedwater flow to each steam generator (5) (14)
10. Condensate storage tank level
11. Reactor coolant (cold leg) wide range temperature (all four loops) (15)
12. Source range nuclear power indicators (16)
13. Intermediate range nuclear power indicator
14. Wide range neutron flux indicator (5) (17)
15. Indicating lights (on-off/open-closed) for all power-operated equipment listed in a. above.
16. Reactor coolant (hot leg) wide-range temperature (two loops) (18)

NOTES:

(1) Train A paralleled with the control switch in the control room (control can be accomplished from either location without use of a transfer switch; the equipment responds to the last command from either location).

(2) Transfer of the control circuit with switch at the auxiliary shutdown panel is provided for the analog instrument control loop.

(3) "AUTO" mode is not operable after transfer.

(4) A list of monitoring instrumentation, including number of channels, is provided in Table 7.5-2.

(5) Safety-related monitoring indicator or control.

(6) Train B controls in the main control room can be isolated from the auxiliary shutdown panel controls. Control is transferred through a transfer switch located at the auxiliary shutdown panel.

(7) AL-HK-0005B, AL-ZL-0005B, AL-HK-0010B, and AL-ZL-0010B can be isolated from the main control board by RP147B.

(8) AB-PIC-0002B, AB-ZL-0002B, AB-PIC-0004B, and AB-ZL-0004B can be isolated from the main control board by RP147A, RP147B, RP334, and RP335.

(9) AE-LI-0502A and AE-LI-0504A can be isolated from the main control board by SB148A and SB148B.

(10) BB-PI-0406X can be isolated from the main control board by SB148B.

(11) BB-LI-0460B can be isolated from the main control board by SB148A.

(12) AL-PI-0026B and AL-PI-0024B can be isolated from the main control board by RP147A and RP147B.

(13) FC-HIK-0313B is fed from separation group 2 and can be isolated from the main control board by RP147A via FC-HS-0313.

(14) AL-FI-0003B and AL-FI-0001B are fed from separation groups 2 and 4 and can be isolated from the main control board by RP147A and RP147B.


from the main control board by SB148A.

(16) SE-NI-0061X is fed from separation group 4.

(17) SE-NI-0031C is fed from separation group 5 and is (18) non-safety related.

(19) SE-NI-0061Y is fed from separation group 4.

(20) BB-TI-0443A is fed from separation group 4 and can be isolated from the main control board by SB148A.

7.4.3.1.2 Controls at Switchgear, Motor Control Centers, and Other Locations

In addition to the controls and monitoring indicators listed above, the following essential controls are provided outside of the control room with a communication network between these control locations and the auxiliary shutdown control panel:

1. Reactor trip capability at the reactor trip switchgear.
2. START/STOP controls for both ECCS centrifugal charging pumps. Location: ECCS charging pump switchgear.
3. START/STOP controls for the component cooling water pumps. Location: Component cooling water pumps switchgear.
4. START/STOP controls for the containment fan cooler units. Location: Cooler fan motor control centers.
5. START/STOP controls for the control room air-conditioning units. Location: At the equipment.
6. START/STOP controls for the diesel generators. Location: Each diesel generator local control panel.
7. START/STOP controls for the essential service water pumps. Location: Essential service water pump switchgear.

7.4.3.1.3 Controls for Extended Hot Standby

In order to maintain an extended hot standby (greater than 24 hours), additional negative reactivity must be added to the RCS to accommodate the positive reactivity added through xenon decay. This can be accomplished by manual control of the normal charging and letdown systems via controls at the auxiliary shutdown panel, motor control centers, switchgears, and control of individual equipment at the device location.

means of the controls and indications on the auxiliary shutdown panel (ASP) and the additional controls listed in Section 7.4.3.1.2 of the FSAR. Prior to approximately hours after reactor shutdown, sufficient boron would be added to the reactor coolant system (RCS) to cancel the effects of xenon decay. (See Section 5.4A.3.1) Boration can be accomplished from outside the control room using only redundant safety-grade equipment by operating one of two ECCS centrifugal charging pumps, taking suction from the refueling water storage tank (RWST), and charging into the RCS through either the normal charging path or the boron injection flow path.

In the absence of a safety injection (SI) signal, one ECCS centrifugal charging pump would be started from its switchgear (NB01 or NB02), and isolation of normal letdown from the ASP would cause automatic realignment of pump suction from the volume control tank (VCT) to the RWST via a VCT low level signal. Charging into the RCS could be through the normal charging line, in which all air-operated valves are fail-open. An alternative charging path is the boron injection flow path. The normally closed valves in that path can be opened using local switches at motor control centers NG01B and/or 04C.

To provide sufficient volume for the injection of additional borated water to the RCS, a reduction of RCS average temperature can be accomplished by manually controlling steam release to the atmosphere from the redundant secondary-side atmospheric relief valves. Necessary controls and instrumentation are on the ASP. Under the conditions of RCS makeup from the RWST, no letdown, and pressurizer level maintained within the normal range, sufficient boron can be added to the RCS to maintain keff 0.99 at all temperatures between normal operating temperature and 80°F at any time in core life, assuming that the xenon concentration in the core at the time of shutdown was the equilibrium value or less. In addition, sufficient boron can be added in this manner to maintain extended hot standby conditions. Therefore, the Callaway design permits achievement of extended hot standby conditions from outside the control room by means of redundant, safety-grade systems and equipment only.

In addition to the normal charging and letdown systems, the systems discussed in Appendix 5.4A may be used to maintain an extended hot standby by local actions outside the control room.

7.4.3.1.4 Design Bases Information

In accordance with NRC General Design Criterion 19, the capability of establishing a hot standby condition and maintaining the station in a safe status in that mode is considered an essential function. To ensure the availability of the auxiliary shutdown control panel and essential control and indications after control room evacuation, the following design features have been utilized:

no loss of essential functions. The essential local control stations are also designed to withstand earthquakes with no loss of essential functions.

b. The essential local stations and the auxiliary shutdown control panel, including essential controls and indicators, are designed to comply with applicable portions of IEEE Standard 279-1971.

Certain actuations during control room evacuation in a fire event are not automatic and may require recovery actions. Specific detail on Control Room fire is discussed in FSAR Section 9.5.1.

7.4.3.2 Analysis

The analysis of the control systems required for safe shutdown is found in Section 7.4.1.

The discussion below is limited to the auxiliary shutdown control panel and essential local control stations.

a. Conformance to NRC general design criteria

1. General Design Criterion 19
The auxiliary shutdown control panel, in conjunction with the local control stations discussed in Section 7.4.3.1, provides adequate controls and indications located outside the main control room to maintain the reactor and the reactor coolant system in the hot standby condition in the event that the main control room must be evacuated. For discussion on potential cold shutdown capability from outside the main control room, see Section 7.4.2.

b. Conformance to NRC regulatory guides

1. Regulatory Guide 1.22
The auxiliary shutdown control panel and the essential controls and indications are designed to be tested periodically during station operation.

2. Regulatory Guide 1.29
The auxiliary shutdown control panel and the essential controls and indications are designed to withstand the effects of an SSE without loss of function or physical damage. The auxiliary shutdown control panel and essential controls and indications are classified Seismic Category I.

The auxiliary shutdown control panel, and the essential controls and indications, are designed to conform to applicable portions of IEEE Standard 279-1971. The control circuits for the essential controls and indications are designed such that any single failure will not prevent proper protective action when required. This is accomplished by fully redundant controls and indications utilizing independent Class 1E power systems.

To prevent interaction between the redundant systems, the control channels are wired independently and separated with no electrical connections between redundant control systems. Nonessential control circuits and nonessential monitor circuits are electrically isolated from essential controls and indications to prevent jeopardizing the reliability of the systems required for safe shutdown.

d. Conformance to other guides, criteria, and standards

The additional guides, criteria, and standards listed in Table 7.1-2 apply only to the essential instrumentation and controls required for hot standby from outside the control room.

Instrument No. | Service | Sep. Group
PI-455B | Pressurizer Pressure | NV (5)
-LI-459B | Pressurizer Level | 1
-LI-460B | Pressurizer Level | 4
-PI-406X | RCS Pressure (wide range) | 4
PI-405X | RCS Pressure (wide range) | 1
HIS-51B | Pzr Htrs Backup Gp A | NV (5)
-HIS-52B | Pzr Htrs Backup Gp B | NV (6)
PI-516X | SG A Pressure | 4
PI-524B | SG B Pressure | 1
PI-535X | SG C Pressure | 4
PI-544B | SG D Pressure | 1
LI-501A | SG A Level (wide range) | 1
-LI-502A | SG B Level (wide range) | 4
LI-503A | SG C Level (wide range) | 1
-LI-504A | SG D Level (wide range) | 4
-PIC-1B | SG A Stm Dump to Atmos Ctrl | 1
-PIC-2B | SG B Stm Dump to Atmos Ctrl | 2
-PIC-3B | SG C Stm Dump to Atmos Ctrl | 3
-PIC-4B | SG D Stm Dump to Atmos Ctrl | 4
HS-1 | SG A Stm Dump to Atmos Ctrl Xfr Sw | 1
HS-2 | SG B Stm Dump to Atmos Ctrl Xfr Sw | 2
-HS-3 | SG C Stm Dump to Atmos Ctrl Xfr Sw | 3
-HS-4 | SG D Stm Dump to Atmos Ctrl Xfr Sw | 4
-ZL-1B | SG A Stm Dump to Atmos Vlv Posn | 1
-ZL-2B | SG B Stm Dump to Atmos Vlv Posn | 2
-ZL-3B | SG C Stm Dump to Atmos Vlv Posn | 3
-ZL-4B | SG D Stm Dump to Atmos Vlv Posn | 4
-HIS-8149AB | Letdown Throttle Valve A Isol Vlv | NV (5)
-HIS-8149BB | Letdown Throttle Valve B Isol Vlv | NV (5)
-HIS-8149CB | Letdown Throttle Valve C Isol Vlv | NV (5)
-HIS-8152A | Letdown Ctmt Isol Vlv | 4
-HIS-8160A | Letdown Ctmt Isol Vlv | 1
-HK-5B | SG D Aux Fw Ctrl Vlv MD Pmp B | 4
HS-5 | SG D Aux Fw Ctrl Vlv Xfr Sw | 4
-ZL-5B | SG D Aux Fw Ctrl Vlv Posn | 4
HK-6B | SG D Aux Fw Ctrl Vlv TD Pmp | 1
HS-6 | SG D Aux Fw Ctrl Vlv Xfr Sw | 1
ZL-6B | SG D Aux Fw Ctrl Vlv Posn | 1
HK-7B | SG A Aux Fw Ctrl Vlv MD Pmp B | 4
HS-7 | SG A Aux Fw Ctrl Vlv Xfr Sw | 4
ZL-7B | SG A Aux Fw Ctrl Vlv Posn | 4
HK-8B | SG A Aux Fw Ctrl Vlv TD Pmp | 1
HS-8 | SG A Aux Fw Ctrl Vlv Xfr Sw | 1
ZL-8B | SG A Aux Fw Ctrl Vlv Posn | 1
HK-9B | SG B Aux Fw Ctrl Vlv MD Pmp A | 1
HS-9 | SG B Aux Fw Ctrl Vlv Xfr Sw | 1
ZL-9B | SG B Aux Fw Ctrl Vlv Posn | 1
-HK-10B | SG B Aux Fw Ctrl Vlv TD Pmp | 4
HS-10 | SG B Aux Fw Ctrl Vlv Xfr Sw | 4
-ZL-10B | SG B Aux Fw Ctrl Vlv Posn | 4
HK-11B | SG C Aux Fw Ctrl Vlv MD Pmp A | 1
HS-11 | SG C Aux Fw Ctrl Vlv Xfr Sw | 1
ZL-11B | SG C Aux Fw Ctrl Vlv Posn | 1
HK-12B | SG C Aux Fw Ctrl Vlv TD Pmp | 4
HS-12 | SG C Aux Fw Ctrl Vlv Xfr Sw | 4
ZL-12B | SG C Aux Fw Ctrl Vlv Posn | 4
-FI-1B | SG D Aux Fw Flow | 4
FI-2B | SG A Aux Fw Flow | 1
-FI-3B | SG B Aux Fw Flow | 2
FI-4B | SG C Aux Fw Flow | 3
PI-15B | MD Aux Fw Pmp B Disch Press | NV (6)
PI-18B | MD Aux Fw Pmp A Disch Press | NV (5)
PI-21B | Turb Driven Aux Fw Pmp Disch Press | NV (6)
PI-25B | MD Aux Fw Pmp A Suct Press | 1
-PI-24B | MD Aux Fw Pmp B Suct Press | 4
-PI-26B | Turb Driven Aux Fw Pmp Suct Press | 2
-HIS-22B | MD Aux Fw Pmp B | 4
HIS-23B | MD Aux Fw Pmp A | 1
ZL-312AD, AE, AF | AFPT Trip & Throt Vlv Posn | 2
-HIS-312B | Turb Driven Aux Fw Pmp Trip and Throt Vlv Control | 2
-SI-0313B | AFPT Speed Gov Ctrl | 2
-HIS-0313B | |
-HIS-5B | Turb Drvn Aux Fw Pmp Stm Isol Vlv | 2
-HIS-6B | Turb Drvn Aux Fw Pmp Stm Isol Vlv | 2
LI-4B | Cond Stor Tank Level | NV (6)
-HIS-30B | ESW to MD Aux Fw Pmp B | 4
HIS-31B | ESW to MD Aux Fw Pmp A | 1
HIS-32B | ESW to Turb Driven Aux Fw Pmp | 1
-HIS-33B | ESW to Turb Driven Aux Fw Pmp | 4
-HIS-34B | CST to MD Aux Fw Pmp B | 4
HIS-35B | CST to MD Aux Fw Pmp A | 1
HIS-36B | CST to Turb Driven Aux Fw Pmp | 1
TI-413X | W.R. RCS Cold Leg Temp Loop 1 | NV (6)
-TI-423X | W.R. RCS Cold Leg Temp Loop 2 | 4
TI-433X | W.R. RCS Cold Leg Temp Loop 3 | NV (5)
TI-443X | W.R. RCS Cold Leg Temp Loop 4 | NV (5)
NI-31C | Source Range Nuclear Inst | NV (5)
-NI-61X | Source Range Neutron Flux | 4
LI-517X | SG A Level (narrow range) | 4
LI-528X | SG B Level (narrow range) | 1
LI-537X | S.G. C Level (narrow range) | 4
LI-548X | S.G. D Level (narrow range) | 1
HIS-459A | RCS Letdown to Regen Hx | NV (5)
HIS-460A | RCS Letdown to Regen Hx | NV (5)
HS-313 | AFPT Gov Ctrl Transfer Sw | 2
NI-35C | Intermediate Range Nuclear Inst | NV (5)
-NI-61Y | Wide Range Neutron Flux | 4
-ZL-315B, 317B | AFPT Gov Vlv Position | 2
ZL-312DB | AFPT Throttle Vlv Trip Mech Pos | 2
-TI-443A | W.R. RCS Hot Leg Temp Loop 4 | 4
TI-413Y | W.R. RCS Hot Leg Temp Loop 1 | NV (5)
-HIS-1 | Ctrl Rm Instr Xfr Sw | 2
-HIS-2 | Ctrl Rm Instr Xfr Sw | 4
-HIS-3 | Ctrl Rm Instr Xfr Sw | NV (6)

NV - NON-VITAL

- INSTRUMENTATION AND CONTROLS ON RP118B THAT CAN BE ISOLATED FROM CONTROL ROOM CIRCUITS

The information necessary to monitor the nuclear steam supply systems, the containment systems, and the balance of plant is displayed on the operator's console and the various control boards located within the control room. These indications include the information to control and operate the unit through all operating conditions, including anticipated operational occurrences and accident and post-accident conditions. Hot shutdown information is also displayed on the auxiliary shutdown control panel located outside the control room (refer to Section 7.4.3). This section is limited to the discussion of those display instruments which provide information to enable the operator to assess reactor status, the onset and severity of accident conditions, and engineered safety feature system (ESFS) status and performance, or to enable the operator to intelligently perform vital manual actions such as safe shutdown and initiation of manual ESFSs.

Reactivity control is monitored by sampling of the reactor coolant for boron.

The surveillance instrumentation, which includes indicators, annunciators, recorders, and lights, consists of specific instrumentation for the following functions:

a. Reactor trip
b. Engineered safety features
c. Safe shutdown

This section discusses instrumentation that is required for safety as well as instrumentation that is only indirectly related to safety. The safety-related display instrumentation provided in the control room is listed in Tables 7.5-4 and 7.5-5.

This section also furnishes a summary of important display instrumentation provided to monitor system status and performance. The bypassed status indication is treated separately to establish a clear definition of the system of bypass indication. Most of the display instrumentation defined for bypass, status, and performance monitoring in Tables 7.5-1 and 7.5-2 is not safety related (with the exception of the SA066 ESF status cabinets and light display panels, RWST temperature, diesel day tank level, ESW pump discharge pressure and flow, CCW temperature, RHR pump miniflow, containment temperature, AFW flow and turbine speed, RCS temperature, and Gamma-Metrics neutron flux monitors), as shown on Table 7.1-2, Sheet 2, since failure in no way degrades the operation of safety systems and poses no threat to public health and safety.

Refer to Section 1.7 for drawings associated with auxiliary shutdown panel, safety-related display instrumentation, and main control board layouts and ESFS logic diagrams.

7.5-1 Rev. OL-21 5/15

Display instrumentation for the reactor trip system actuation is provided by the nuclear steam system supplier and is discussed in Sections 7.2 and 7.7 and Tables 7.5-1 and 7.5-2.

7.5.2 ENGINEERED SAFETY FEATURE SYSTEM

Display instrumentation is provided to monitor actuation parameters, bypasses, status, and performance of the ESFSs.

7.5.2.1 System Actuation Parameters

7.5.2.1.1 Description

The ESFS actuation parameter display instrumentation comprises those display instrument channels which will provide for informed operator action during and following an accident. The displays provide the information necessary to enable the operator to determine the nature and predict the course of an accident occurrence. They also allow the operator to monitor the effects of an accident through key variables which reflect whether the plant is responding properly to safety measures (and, consequently, whether the ESFS is functioning adequately). The information provided by the displays enables the operator to estimate the magnitude of an impending threat or to determine the potential for radioactive release, to manually initiate the ESFS in the unlikely event of ESFS actuation equipment malfunctions or unanticipated post-accident conditions, and to allow early indication of necessary actions to take to protect the public.

Each parameter monitored for ESFS actuation is displayed in the main control room for operator information. Parameters associated with automatic actuation as well as those required to enable the operator to initiate manual ESFS actuation are displayed.

Redundant analog instrument channels, consisting of transmitters, alarm units, and indicators, provide the required information.

Automatic actuation of the ESFS is provided by the engineered safety feature actuation system (ESFAS) described in Section 7.3. The indicators provided for the actuating parameters display the same analog signals monitored by the ESFAS. One indicator is provided for each channel of each parameter.

Table 7.5-1 is a tabulation of the type of readout provided, the number of channels, and the range, accuracy, and location for display instrumentation provided to monitor the ESFS actuation parameters.

The accuracy and ranges are sufficient to monitor the full range of accident conditions. Predicted accident transients will result in less than full-scale readings on safety-related display indicators.

Redundant indicators displaying the same parameter are located close enough to each other to enable visual comparison. Comparisons between duplicate information channels or between functionally related channels will enable the operator to readily identify a malfunction.

The ESFS actuation parameter displays are visually discernible from other displays on the panels so that they are readily located in the event of an accident. Color-coded nameplates identify all safety-related display instrumentation. Wire and cable are color-coded to differentiate between redundant channels and are physically separated in the plant.

7.5.2.1.2 Analysis

DESIGN CRITERIA - The ESFS actuation parameter instruments are designed to remain available in the event of a single failure. Redundant indicator channels are powered from redundant Class 1E 120-V vital instrument ac power supplies (Section 8.3.1.1.5). Display instrumentation is capable of operating independent of offsite power.

The indication channels are designed in accordance with Sections 4.2, 4.4, 4.6, and 4.10 of IEEE Standard 279-1971, except that safety-related, Class 1E recorders are required to be operable following, but not necessarily during, an SSE. Recorders for ESFAS channels that monitor safety-related, Regulatory Guide 1.97 Category 1 and 2 parameters at Callaway, as defined in Table 7A-3, do not have to be seismically qualified if Class 1E indicators are provided and the recorders are isolated from the Class 1E portions of the channel. All recorders located on the main control board panels must satisfy seismic II/I requirements. Refer also to Section 7A.3.3. Wiring associated with the ESFS actuation displays is physically separated in accordance with the requirements of Regulatory Guide 1.75 (refer to Appendix 3A). A detailed comparison of the Callaway Plant design to the recommendations of Regulatory Guide 1.97 is contained in Appendix 7A.

Refer to Table 7.1-2 for applicable guides and standards for this equipment.

ADEQUACY - The ESFS actuation parameter displays provide sufficient information to enable the operator to assess accident conditions and to perform the necessary operation of manual ESFS. Each of the ESFAS parameters is displayed, providing the operator with information on those parameters indicative of accident conditions.

The information supplied by the ESFS actuation parameter displays enables the operator to perform manual actuation. Containment sump level indication and refueling water storage tank level indication provide assurance that adequate net positive suction head (NPSH) exists for operation in the sump recirculation mode (Chapter 6.0). Control room ventilation monitors provide the operator with the necessary information on which to base his decision for operation of control room ventilation isolation and filtration.

operation, and determine if manual action is necessary. Containment post-accident radiation monitors provide information concerning the radioactive content of the containment atmosphere. Containment hydrogen concentration indication provides information to judge the significance of a metal-water reaction and furnishes the information necessary for manual hydrogen control through the use of the combustible gas control systems.

The recorders provided for the variables furnish trend information, such as the containment pressure and temperature transients, to help predict the course of an accident. In addition, the recorders provide a historical record for post-accident review.

7.5.2.2 System Bypasses

7.5.2.2.1 Description

Bypasses within the ESFAS are indicated on the main control boards or ESFAS cabinets by lights and are alarmed by the plant computer. Bypass of containment airborne gaseous radiation actuation or of containment purge isolation for periodic testing and maintenance and the bypass of low reactor coolant pressure actuation of the safety injection system for startup and shutdown are examples of such bypasses. Bypass is accomplished in the ESFAS cabinets by turning a key associated with a particular actuation bistable. This causes a light to indicate that a bistable within that actuation channel is bypassed. In the latter example, backlighted switches accomplish the bypass function from the main control boards. Refer to Section 7.3 for identification of the bypass functions and their use.

Bypass of ESFAS equipment operation can be effected a number of ways. Handswitch in pull-to-lock position, loss of control power, breaker in test or not in operating position, and closure of manual valves for system or device testing or maintenance are some of the means by which an ESFS or vital supporting system might be rendered inoperative at a system level. The following describes the system of bypass indication and annunciation provided.

The number of bypass features or devices provided for operational purposes or routine testing is minimized by design, but wherever such features or devices are an integral part of the design and are used more frequently than once a year and the bypass results in defeating system functions, a means of indication is provided on the engineered safety feature status panel (ESFSP). Each piece of ESFS equipment (pump, valve, fan, etc., including vital support system equipment) or small group of equipment (subsystem) which must operate upon automatic or manual ESFS actuation is monitored by a status light indicating availability of that component or group of components. Unavailability is indicated by a red indicating light. Thus, a bypass of a component by operation of a control switch or by "racking out" a breaker which results in a bypass of system function

The status lights for actuated ESFS equipment are arranged in groups in a central location on the main control boards, in accordance with the ESFS and the train in that system. In addition to the individual component indication, annunciation is provided on a system-level basis for each ESFS train. A bypass of one or more components within a system train actuates a corresponding audible alarm to annunciate the fact that a train of equipment may be inoperable. Final determination of system inoperability is procedurally controlled.

Automatic system level indication of bypass and inoperable status, called for by Regulatory Guide 1.47, applies only to automatically initiated systems, including those systems which directly support the automatically initiated systems but which themselves may not be automatically initiated because they are normally in the operating mode.

Rendering equipment inoperable through the use of features provided strictly for infrequent evolutions (once a year or less often) is not specifically and automatically indicated. Such features include the P-4/Low Tavg bypass-switch, manual valves provided for isolation of equipment for repair, electrical cable connections, or other manual disconnects. However, manual initiation of safety features equipment bypass indication on a system-level basis is provided in the status display panel. Under administrative control, manual bypass indication can be set up or removed. The automatic indication feature cannot be removed by operator action.
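
The indication scheme described above (a red status light per component, one system-level alarm per train, and manual indication set or removed under administrative control) can be modeled as follows. This is an added illustration, not the plant's logic: the component names, the `procedure_ref` argument, and the choice to sound the alarm once when a train first enters a bypassed state are assumptions.

```python
from dataclasses import dataclass, field

# Conditions the text lists as automatically indicated component bypasses.
AUTO_CAUSES = frozenset({
    "handswitch_pull_to_lock",
    "loss_of_control_power",
    "breaker_not_in_operating_position",
})


@dataclass
class Component:
    name: str
    system: str
    train: str
    causes: set = field(default_factory=set)  # sensed conditions now present

    @property
    def red_light(self) -> bool:
        # Unavailability is shown for as long as any sensed cause persists.
        return bool(self.causes)


class StatusPanel:
    def __init__(self, components):
        self.components = {c.name: c for c in components}
        self.manual = {}        # (system, train) -> procedure reference
        self._in_alarm = set()  # trains whose system-level alarm is already in

    def train_bypassed(self, system, train) -> bool:
        auto = any(c.red_light for c in self.components.values()
                   if (c.system, c.train) == (system, train))
        return auto or (system, train) in self.manual

    def _annunciate(self):
        # Return the trains whose alarm newly actuates (assumed edge-triggered).
        trains = {(c.system, c.train) for c in self.components.values()}
        trains |= set(self.manual)
        now = {t for t in trains if self.train_bypassed(*t)}
        newly = sorted(now - self._in_alarm)
        self._in_alarm = now
        return newly

    def sense(self, name, cause, present=True):
        # Field input, not an operator action: the automatic indication
        # follows the sensed condition and has no other way to be cleared.
        if cause not in AUTO_CAUSES:
            raise ValueError(f"not an automatically indicated condition: {cause}")
        comp = self.components[name]
        if present:
            comp.causes.add(cause)
        else:
            comp.causes.discard(cause)
        return self._annunciate()

    def set_manual(self, system, train, procedure_ref):
        # Manual system-level indication, e.g. for a closed manual valve.
        if not procedure_ref:
            raise PermissionError("manual indication requires a procedure reference")
        self.manual[(system, train)] = procedure_ref
        return self._annunciate()

    def remove_manual(self, system, train, procedure_ref):
        # Removes only the manual indication; returns whether the train is
        # still shown bypassed because an automatic cause remains.
        if not procedure_ref:
            raise PermissionError("removal requires a procedure reference")
        self.manual.pop((system, train), None)
        self._annunciate()
        return self.train_bypassed(system, train)


def build_panel():
    # Constructed sample equipment: two trains of one hypothetical system.
    return StatusPanel([
        Component("pump_A", "aux_feedwater", "A"),
        Component("valve_A", "aux_feedwater", "A"),
        Component("pump_B", "aux_feedwater", "B"),
    ])
```

Removing the manual indication never clears a train that still has a sensed component bypass, which mirrors the statement that the automatic indication cannot be removed by operator action.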

7.5.2.2.2 Analysis

DESIGN CRITERIA - The system of bypass indication is designed to satisfy the requirements of IEEE Standard 279-1971 (Paragraph 4.13), Branch Technical Position B 21, and Regulatory Guide 1.47. Refer to Table 7.5-3 for a comparison with Regulatory Guide 1.47 recommendations. The intent of IEEE Standard 308-1971, Surveillance Requirements, is satisfied to the extent of indicating control circuit power availability for ESFS equipment. Other indications responsive to IEEE Standard 308-1971 are described in Chapter 8.0.

The system of indicating lights for bypasses of ESFS actuation channels or sensor channels is located in the ESFAS cabinets and is designed to the requirements of IEEE Standard 279-1971. The indicating lights and associated wiring are located in the cabinets corresponding to the channel indicated and are powered by the power source associated with the cabinet. The ESFAS and associated bypass indication system are designed as seismic Category I equipment, and also are designed to withstand all postulated environmental conditions, as stated in Tables 3.11(B)-1 and 3.11(B)-2.

ADEQUACY - The system of status lights for bypass indication, together with other display information available to the operator, and periodic testing provide assurance that the operator will be constantly aware of the status of the ESFS. The automatic indication

The bypass indication system is used to supplement administrative procedures by providing indications of safety system availability or status. Administrative procedures do not require operator action based solely on the bypass indicators.

The design of the bypass indication system allows testing during normal plant operation. Both indicating and annunciating functions can be verified.

Process indicators are provided for ESFS actuation parameters (Section 7.5.2.1.1) so that, for parameters that vary in value during plant operation, closure of a manual valve in the transmitter sensing line results in a discrepant indication and response when compared with the corresponding indicators for the redundant channels of the same parameter. The process indicators thus provide indication of impulse line blockage or bypass, which obviates the need for position indication for the manual instrument valves.

For ESFS actuation parameters which do not vary during operation, sufficient redundancy is provided so that more than one manual instrument valve would have to be placed in the wrong position before system level actuation could be blocked.

Diversity in actuating parameters and the capability for manual system actuation make it even more improbable that ESFS function can be blocked by improper instrument valve position. For the preceding reasons, instrument valves are not included in the status light displays.

For items that do not affect the ESFS function, no indication system is provided for manual valve position or circuit bypass features.

Operation of manual valves, use of manual disconnects, or other operations occurring once a year or less frequently, which could impair ESFS performance, are controlled by administrative procedures. Thus, the probability for system blocks or bypasses existing undisclosed between periodic functional tests is minimal.

7.5.2.3 System Status

7.5.2.3.1 Description

The information important in evaluating the readiness of the ESFS prior to operation and the status of active components during system operation is displayed for the operator in the main control room. The display information consists of process indicators, indicating lights, alarms, and recorders. The display is sufficient but supplemented by the plant computer outputs.

Table 7.5-1 lists the display information provided, together with the type of readout, number of channels, and their range, accuracy, and location.

consisting of a transmitter, power supply, and any necessary signal conditioners. Where an alarm is provided, the instrument loop includes an alarm unit providing a contact put to the plant annunciator. Many of the analog signals are monitored by the plant computer to enable display or logging of status or alarm information. Recorders are provided in lieu of, or in addition to, the indicators where a trend or a time history of the process variable is desired.

Indicating lights are provided to monitor equipment status. In addition to the system level availability and bypass indicating lights described in Section 7.5.2.2, indicating lights are provided at each control switch for equipment.

Each motor-driven component (pump, fan, etc.) has ON and OFF indicating lights, each remotely controlled open-closed service valve or damper has corresponding OPEN-CLOSED light indication, and each breaker control switch has its associated open-closed indicating light. A red light is used to indicate an operating status; for example, motor running, valve fully open, or breaker closed. The green light indicates that the equipment is not in an operating state; for example, motor off, valve fully closed, or breaker open. Amber lights, where provided, signify equipment bypassed, locked out, or not in automatic readiness. The indicating lights for a given control circuit are operated from the control circuit power. Thus, loss of control circuit power would be accompanied by a loss of indicating lights for that device.

7.5.2.3.2 Analysis

DESIGN CRITERIA - Status light switches and wiring are designed to the same standards as the associated control circuits. The analog process instruments for status information which are not required for safety system operation do not require special design requirements and are, therefore, of standard commercial quality.

ADEQUACY - Sufficient instrumentation is provided to furnish the plant operator the necessary information and the ESFS status to enable accurate assessment of the readiness of the ESFS prior to operation and the status of active components during operation. The ESFS instrumentation is arranged by system on the main control board to provide the plant operator with a logical arrangement of information to facilitate his evaluation of the ESFS status.

Each power-operated component in the ESFS is equipped with instrumentation to provide equipment status information. Auxiliary contacts from the motor starters or breakers provide motor status indication, while position transmitters and position switches provide valve position indication.

Process variables important for evaluating system readiness are displayed. Pressures and levels providing information on the ESFS status regarding adequate tank inventories

Resistance temperature detectors and thermocouples are utilized to monitor temperatures of tanks subject to a freezing environment or tanks containing boric acid solutions to preclude undisclosed freezing or crystallization and loss of availability.

7.5.2.4 System Performance

7.5.2.4.1 Description

Display information important in evaluating the performance of an ESFS during periodic test, continuous normal operation, or post-accident operation is provided on the main control boards. Sufficient process indicators, alarms, and recorders are provided to enable the operator to determine whether a system is performing normally or if there is some unanticipated failure within a system. The plant computer monitors selected instrument channels to supplement the display information.

Table 7.5-1 lists the display information provided for the ESFS performance, together with the type of readout, number of channels, and their range, accuracy, and location.

7.5.2.4.2 Analysis

DESIGN CRITERIA - The instrumentation is arranged by system on the main control board to facilitate the operator's evaluation of the system performance. The performance monitoring instrumentation is not required for the operation of the safety systems and does not warrant special design and is, therefore, of standard commercial quality.

ADEQUACY - Sufficient instrumentation is provided to furnish the operator with the information to assess operating ESFS performance.

Sufficient process indicators, alarms, and recorders are provided to enable the operator to determine whether a system is performing normally or if there is some unanticipated failure within a system.

For fluid systems, discharge pressure indication is provided for each pump, and flow indication is provided for each system. Together, the flow and pressure enable the operator to verify proper pump performance and verify fluid delivery performance.

Temperature indication is provided for each system heat exchanger inlet and outlet. The operator has the information, together with the system flow, to verify proper cooling performance.

Temperature indication is also provided for each ventilation system incorporating charcoal filtration, to verify proper temperature range for expected filter performance.

.3 SAFE SHUTDOWN

The important display information provided for operator use during safe shutdown operations is briefly described, analyzed, and tabulated in this section. Further discussion of the functional adequacy and use of the hot and cold shutdown control instrumentation is provided in Section 7.4.

.3.1 Hot Shutdown Control

.3.1.1 Description

The hot shutdown control display instruments are required for manual operations to safely maintain the plant in a hot shutdown condition.

Table 7.5-2 lists the display information provided for hot shutdown control, together with the type of readout, number of channels, and their range, accuracy, and location.

These instruments are provided on the main control board in the main control room and on the auxiliary shutdown control panel outside of the main control room. Two or more separate and redundant channels of display information are provided for each required process variable.

.3.1.2 Analysis

DESIGN CRITERIA - Since the hot shutdown information display systems are designed to protection systems standards, the display parameters remain available in the event of a single failure. Redundant indication channels are powered by redundant, 120-V vital instrument ac power supplies (Section 8.3.1.1.5). The indication channels are designed in accordance with the portions of IEEE Standard 279-1971 applicable to indication channels.

Refer to Table 7.1-2 for applicable guides and standards for this equipment.

ADEQUACY - Compliance with the design criteria ensures the availability of the display instruments to present the information required to maintain the plant in a hot shutdown condition.

Three channels of narrow range level and pressure are indicated on the main control board for each steam generator, which enable the operator to control auxiliary feedwater to the steam generator and to regulate atmospheric relief. Three channels of primary system wide range pressure and pressurizer level are provided which enable the operator to control the pressurizer heaters and coolant inventory.


channels of primary system wide range pressure and pressurizer level are indicated.

.3.2 Cold Shutdown Control

.3.2.1 Description

The display instruments required to bring the plant to a cold shutdown condition are provided in the main control room. For cold shutdown from outside of the control room, see Section 7.4.2.

Table 7.5-2 lists the display information provided for cold shutdown control, together with the type of readout, number of channels, and their range, accuracy, and location.

.3.2.2 Analysis

DESIGN CRITERIA - Refer to Section 7.4.

ADEQUACY - Refer to Section 7.4.

.3.3 System Bypasses

.3.3.1 Description

No bypass indicating light system is provided specifically for the shutdown systems.

Certain components used for shutdown have bypass/availability indicating lights provided, if these items also have an ESFS function, but no shutdown system-level bypass indication is provided. Those shutdown components and systems having bypass/availability indicating lights are the auxiliary feedwater system, auxiliary feedwater pump suction valves (essential service water), ECCS centrifugal charging pumps, essential service water pumps, component cooling water pumps, reactor building coolers, emergency diesel generators, and the control room ventilation system.

.3.3.2 Analysis

The bypass indications on safe shutdown equipment are included in Table 7.5-2. The analysis provided for the design criteria and adequacy of the ESFS bypass indications in Section 7.5.2.2.2 is applicable to safe shutdown equipment bypasses.

.3.4 System Status

.3.4.1 Description

Information important in evaluating the readiness of the safe shutdown systems prior to operation and the status of components during system operation is displayed in the main

Each control switch on the auxiliary shutdown control panel is provided with associated indicating lights. The plant computer may also be used to supplement the other displays with additional process variables or equipment status.

The description of the equipment provided for ESFS status display information (Section .2) also applies to the safe shutdown status displays.

.3.4.2 Analysis

The safe shutdown system status displays are listed in Table 7.5-2. The analysis provided for the design criteria and adequacy of the ESFS status displays in Section .2.3.2 is applicable.

.3.5 System Performance

.3.5.1 Description

The display information important in evaluating the performance of safe shutdown systems during system operation and periodic tests is listed in Table 7.5-2. Indicators, alarms, and recorders are provided to enable the operator to determine whether the system is performing normally or if there is some failure within the system.

.3.5.2 Analysis

The analysis provided for the design criteria and adequacy of the ESFS performance displays is applicable to the safe shutdown systems performance displays.


LEGENDS

Type of Readout/Display
I - Linear scale indicator or log scale indicator
R - Recorder ++
L - Indicator light
A - Control room annunciator or computer alarm
C - Display on demand via plant computer
# - Safety-related, Class 1E

Readout/Display Location
CB - Control board (main)
SC - System cabinets in control room
LP - Local panel

Displayed Parameter | Type of Readout/Display | Number of Channels (Available / Required) | Indicated Range | Channel Accuracy, % of Full Scale | Readout/Display Locations

Engineered Safety Feature System Actuation
Reactor coolant system wide range pressure | I #, R | 3 / 1 | 0-3,000 psig | +/-4.3*,*** | CB, LP, SC
Containment pressure | I #, R | 4 / 1 | 0-69 psig | +/-4*,*** | CB, SC
Containment pressure (extended range) | I #, R | 2 / 1 | 180 psig | +/-4*,*** | CB
Steam generator pressure (steam line) | I #, R | 3 per loop / 1 per loop | 0-1,300 psig | +/-14*,*** | CB, LP
Reactor coolant system wide range temperature (hot) | I #, R | 2 / 1 | 0-700°F | +/-4*,*** | CB, SC
Reactor coolant system wide range temperature (cold) | I #, R | 2 / 1 | 0-700°F | +/-4*,*** | CB, LP
Refueling water storage tank level | I #, R | 4 / 1 | 0-100 % | +/-5*,*** | CB, SC
Boric acid tank level | I #, R | 2 per tank / 1 per tank | 0-100 % | +/-4*,*** | CB, SC
Steam generator water level (3 narrow, 1 wide range) | I #, R | 4 per loop / 1 per loop | 0-100 % | +/-35*,*** | CB, SC, LP
Control room air intake - gaseous radioactivity | I #, A, R | 2 / 1 | 10^-7 to 10^-2 Ci/cc | +/-25 | SC
Containment gaseous radioactivity | I#, A, R | 2 / 1 | 10^-7 to 10^-2 Ci/cc | +/-25 | SC
Containment hydrogen | I#, R#, A | 2 / 1 | 0-10 percent | +/-4 | SC, CB
Containment sump level | I#, R#, A | 2 / 1 | 0 to +13 feet | +/-4 | CB
Containment purge gaseous radioactivity | I#, R, A | 2 / 1 | 10^-7 to 10^-2 Ci/cc | +/-25 | SC
Fuel building gaseous radioactivity | I#, R, A | 2 / 1 | 10^-7 to 10^-2 Ci/cc | +/-25 | SC
Containment air temperature | I#, R# | 4 / 1 | 0 - 400°F | +/-4 | CB
Containment post accident radiation | I#, R# | 2 / 1 | 1 - 10^8 R/hr | +/-10% RDG | CB
Control bldg sump level | I#, A, C | 2 / 1 | 0 - 66" | +/-4 | CB
Diesel bldg sump level | I#, A, C | 2 / 1 | 0 - 30" | +/-4 | CB
pump room sump level | I#, A, C | 2 / 1 | 0 - 24" | +/-4 | CB
Auxiliary bldg sump level | I#, A, C | 2 / 1 | 0 - 24" | +/-4 | CB

Engineered Safety Feature System Bypasses (Note 1)
istable bypass | L, A | 1 per train | On for bypass | - | SC, CB
Actuation system signal bypass | L | 1 per equip train | On for bypass | - | SC
Equipment bypass | L, A | 1 per equipment | On for bypass | - | CB

pment Safety Feature Systems Status 1)
Valve status** | L | 1 per valve | Open - closed | - | CB
RWST temperature | I# | 2 | 0 - 200°F | +/-4 | CB
Accumulator tank nitrogen header pressure | A | 1 per accumulator | Low alarm | - | CB
Equipment status | L | 1 per motor | On/off | - | CB
n 4.16-kV and 480-Volt load center electrical distribution | L | One/power channel | Current status | - | CB
Diesel day tank level | I#, A | 1 per tank | 0 - 612 gallons and 0-8.65 ft. (standpipe) | +/-4 | CB, LP
Diesel starting air accumulator pressure | L, A | 1 per diesel | Low alarm | - | CB, LP
pumphouse forebay level | C | 2 | (-243.5)-(-3.5) in. | 4 | CB
Ultimate heat sink temperature | I, R | 1 | 0 - 150°F | +/-4 | LP
Accumulator pressure | I, A | 2 each tank | 0 - 700 psig | +/-1.5 | CB
Accumulator water level | I, A | 2 each tank | 0 - 100 % | +/-2.25 | CB
Containment differential pressure | I | 1 | (-)85 to (+)85 inches of water | +/-4 | CB

Engineered Safety Feature System Performance
Containment spray pump discharge pressure | I | 1 per pump | 0-300 psig | +/-4 | CB
Containment spray flow | I | 1 per header | 0-2 x 10^6 lb/hr | +/-4 | CB
Essential service water pump discharge pressure | I# | 1 per pump | 0-300 psig | +/-4 | CB
Essential service water flow | I# | 1 per header | 0-15 x 10^6 lb/hr | +/-4 | CB
Component cooling water temperature | I# | 1 per header | 0-200°F | +/-4 | CB
Hydrogen recombiner heater power | I# | 1 per unit | 0-100 kW | +/-4 | SC
Hydrogen recombiner temperature | I | 1 per unit | 0-2,000°F | +/-4 | SC
Control room filtration temperature | A, C | 1 per filter | 150-400°F | +/-4 | CB
building exhaust filter temperature | A, C | 1 per filter | 150-400°F | +/-4 | CB
Diesel generator performance | - | (see Chapter 8.0) | - | - | -
Residual heat exchanger temperature (inlet/outlet) | C, R | 1 each heat exchanger | 50 - 400°F | +/-1 | CB
ECCS charging pump inlet/discharge pressure | I | 1 each pump | 0 - 150 psig (inlet), 0 - 3,500 psig (disch) | +/-2 | LP
Safety injection pump suction pressure | I | 1 each pump | 0 - 200 psig | +/-2 | LP
Residual heat removal pump suction pressure | I | 1 each pump | 0 - 700 psig | +/-2 | LP
Safety injection header pressure | I | 1 each header | 0 - 2,000 psig | +/-1 | CB
Residual heat removal pump discharge pressure | I, A | 1 each pump | 0 - 700 psig | +/-1 | CB
al charging flow | I, A | 1 | 0 - 200 gpm | +/-1 | CB
Safety injection pump header flow | I | 1 each pump | 0 - 800 gpm | +/-1 | CB
Residual heat removal pump hot leg recirculation flow | I | 1 | 0 - 4500 gpm | +/-2 | CB
Residual heat removal pump minimum flow | I# | 1 each pump | 0 - 1,774 gpm | +/-1.5 | LP

++ Safety-related, Class 1E recorders are not required to function during an earthquake, but must function with the required accuracy without operator action as soon as the seismic excitation is removed.

* Channel accuracy in % of span.

** See Section 6.3.5.5 for accumulator isolation valve position indication.

*** Accuracy includes DBE effects.

Note 1: The SA066 ESF status cabinets and light display panels are Class 1E.

Rev. OL-24 11/19

LEGENDS

Type of Readout/Display
I - Linear scale indicator or log scale indicator
R - Recorder
L - Indicator light
A - Control room annunciator or computer alarm
C - Display on demand via the plant computer
# - Safety-related, Class 1E

Readout/Display Location
CB - Control board (main)
AP - Auxiliary shutdown control panel
SC - System cabinets in control room

Displayed Parameter | Type of Readout/Display | Number of Channels (Available / Required) | Indicated Range | Channel Accuracy, % of Full Scale | Readout/Display Locations

Hot Shutdown Control
Steam generator water level (narrow range) | I#, R++ | 3 per loop / 1 per loop | 0-100 % (1) | +/-35*,** (hot) | CB, SC
Steam generator water level (narrow range) | I# | 1 per loop / 1 per loop | 0-100 % (1) | +/-35*,** (hot) | AP
Steam generator water level (wide range) | I#, R | 1 per loop / 1 per loop | 0-100% (2) | +/-35*,** (hot) | CB, SC
Steam generator water level (wide range) | I# | 1 per loop / 1 per loop | 0-100% (2) | +/-35*,** (hot) | AP
Steam generator pressure (steam line) | I#, R | 3 per loop / 1 per loop | 0-1,300 psig | +/-14*,** | CB, SC
Steam generator pressure (steam line) | I# | 1 per loop / 1 per loop | 0-1,300 psig | +/-14*,** | AP
Steam line pressure for SG ARV operation | I# | 1 per loop / 1 per loop | 0-1,500 psig | +/-4 | CB
Steam line pressure for SG ARV operation | I# | 1 per loop / 1 per loop | 0-1,500 psig | +/-4 | AP
Pressurizer water level | I#, R | 3 / 1 | 0-100 % | +/-35*,** | CB, SC
Pressurizer water level | I# | 2 / 1 | 0-100 % | +/-35*,** | AP
Reactor coolant system wide range pressure | I#, R | 3 / 1 | 0-3,000 psig | +/-4.3*,** | CB, SC
Reactor coolant system wide range pressure | I# | 2 / 1 | 0-3,000 psig | +/-4.3*,** | AP
Auxiliary feedwater pump suction pressure | I#, A | 3 / 1 | 0-100 psia | +/-4 | CB
Auxiliary feedwater pump suction pressure | I# | 3 / 1 | 0-100 psia | +/-4 | AP
Condensate storage tank supply to AFW pressure | I# | 3 / 1 | 19-36 psia | +/-4 | CB

38-566 inches above tube sheet

-566 inches above tube sheet

Cold Shutdown Control
Those listed above for hot shutdown and the following:
Source range nuclear instrumentation | I, R | 2 | 1 to 10^6 counts/second | +/-7 | CB, SC
Source range nuclear instrumentation | I | 1 | 1 to 10^6 counts/second | +/-7 | AP
Source range neutron flux | I#, R#*** | 2 | 0.1 to 10^5 counts/second | +/-3 | CB
Source range neutron flux | I# | 1 | 0.1 to 10^5 counts/second | +/-3 | AP
Intermediate range nuclear instrumentation | I, R | 2 | 8 decades (10^-11 to 10^-3 amps) | +/-7 | CB, SC
Intermediate range nuclear instrumentation | I | 1 | 8 decades (10^-11 to 10^-3 amps) | +/-7 | AP
Wide range neutron flux | I#, R#*** | 2 | 10^-8 to 200% power | +/-3 | CB
Wide range neutron flux | I# | 1 | 10^-8 to 200% power | +/-3 | AP

Hot and Cold Shutdown System Bypasses (Note 1)
Section 7.5.3.3

Hot Shutdown System Status (Note 1)
Condensate storage tank level | I, A | 1 | 0-100 % | +/-5*,** | CB
Condensate storage tank level | I | 1 | 0-100 % | +/-5*,** | AP
Condensate storage tank temperature | C | 1 | 30-100°F | +/-4 | CB
Valve status | L | 1 per valve assoc with system channel | Open-closed | - | CB, AP
Accumulator tank nitrogen header pressure | A | 1 per accumulator | Low alarm | - | CB
Equipment status | L | 1 per motor assoc with system channel | On-off | - | CB, AP
ECCS centrifugal charging pump room temperature | A | 1 per room | High alarm | - | CB
Component cooling water pump room temperature | A | 1 per room | High alarm | - | CB
Motor-driven auxiliary feedwater pump room temperature | A | 1 per room | High/low alarm | - | CB
Spent fuel pool cooling pump room temperature | A | 1 per room | High alarm | - | CB
switchgear room temperature | A | 1 per room | High alarm | - | CB
Electrical penetration room temperature | A | 1 per room | High alarm | - | CB
Emergency diesel generator room temperature | A, C | 1 per room | High alarm | - | CB
Essential service water pump room temperature | A, C | 1 per room | High alarm | - | CB
Containment temperature | I#, R# | 4 | 0 - 400°F | +/-4 | CB
Auxiliary shutdown panel room temperature | A | 1 | High alarm | - | CB

Cold Shutdown System Status (Note 1)
Those listed above for hot shutdown and the following:
Residual heat removal pump room temperature | A | 1 per room | High alarm | - | CB
Safety injection pump room temperature | A | 1 per room | High alarm | - | CB

Hot and Cold Shutdown System Performance
Auxiliary feedwater pump discharge pressure | I, A, C | 1 per pump | 0 - 2,000 psig | +/-4 | CB
Auxiliary feedwater pump discharge pressure | I | 1 per pump | 0 - 2,000 psig | +/-4 | AP
Auxiliary feedwater flow | I#, C | 1 per stm gen | 0 - 2 x 10^5 lb/hr | +/-4 | CB
Auxiliary feedwater flow | I# | 1 per stm gen | 0 - 2 x 10^5 lb/hr | | AP
Auxiliary feedwater pump turbine speed | I# | 1 | 0 - 6,000 rpm | +/-4 | CB
Auxiliary feedwater pump turbine speed | I# | 1 | 0 - 6,000 rpm | +/-4 | AP
Reactor coolant temperature (see Note 2)
Loop 1 cold leg | I#, R | 1 | 0 - 700°F | +/-4*,** | CB
Loop 1 cold leg | I | 1 (Note 2) | 0 - 700°F | +/-4*,** | AP
Loop 1 hot leg | I#, R | 1 | 0 - 700°F | +/-4*,** | CB
Loop 1 hot leg | I | 1 (Note 2) | 0 - 700°F | +/-4*,** | AP
Loop 2 cold leg | I#, R | 1 | 0 - 700°F | +/-4*,** | CB
Loop 2 cold leg | I# | 1 (Note 2) | 0 - 700°F | +/-4*,** | AP
Loop 2 hot leg | I#, R | 1 | 0 - 700°F | +/-4*,** | CB
Loop 3 cold leg | R | 1 | 0 - 700°F | +/-4*,** | CB
Loop 3 cold leg | I | 1 (Note 2) | 0 - 700°F | +/-4*,** | AP
Loop 3 hot leg | R | 1 | 0 - 700°F | +/-4*,** | CB
Loop 4 cold leg | R | 1 | 0 - 700°F | +/-4*,** | CB
Loop 4 cold leg | I | 1 (Note 2) | 0 - 700°F | +/-4*,** | AP
Loop 4 hot leg | R | 1 | 0 - 700°F | +/-4*,** | CB
Loop 4 hot leg | I# | 1 (Note 2) | 0 - 700°F | +/-4*,** | AP
Source range nuclear instrumentation | I, R | 2 | 1 to 10^6 counts/sec | +/-7 | CB, SC
Source range nuclear instrumentation | I | 1 | 1 to 10^6 counts/sec | +/-7 | AP
Source range neutron flux | I#, R#*** | 2 | 0.1 to 10^5 counts/sec | +/-3 | CB
Source range neutron flux | I# | 1 | 0.1 to 10^5 counts/sec | +/-3 | AP
Intermediate range nuclear instrumentation | I, R | 2 | 8 decades (10^-11 to 10^-3 amps) | +/-7 | CB, SC
Intermediate range nuclear instrumentation | I | 1 | 8 decades (10^-11 to 10^-3 amps) | +/-7 | AP
Wide range neutron flux | I#, R#*** | 2 | 10^-8 to 200% power | +/-3 | CB
Wide range neutron flux | I# | 1 | 10^-8 to 200% power | +/-3 | AP
Reactor vessel water level | I#, R, C | 2 static, 2 dynamic / 2 static, 2 dynamic | Bottom to top of vessel | (Note 3) | CB, SC
Core exit temperature | R*, L, A, C | 50 (minus CETs retired in place) / 4 per quadrant | 0-2500°F | (Note 4) | SC
Degrees of subcooling | I#, R#, L, A, C | 2 / NA | 200°F subcooled to 2000°F superheated | (Note 5) | CB, SC

* Channel accuracy in % of span.

** Accuracy includes DBE effects.

*** Only the SEN-0061 loop is recorded.

Accuracy is sufficient to indicate that water level is above pressurizer heaters and below 100% of span.

++ One narrow range/level channel per loop is recorded on the main control board steam flow/feed flow recorders, AE-FR-0510, 0520, 0530, and 0540.

Note 1: The SA066 ESF status cabinets and light display panels are Class 1E.

Note 2: Three of the four cold leg indicators on AP are powered from different separation groups, as are the two AP hot leg indicators. The circuitry for the redundant indicators is isolated and runs in different separation groups (two cold leg indicators from separation group 5, one cold leg indicator from separation group 6, one cold leg indicator from Class 1E separation group 4, one hot leg indicator from separation group 5, and one hot leg indicator from Class 1E separation group 4). No single failure can inhibit the indication at the auxiliary shutdown panel of at least one cold leg temperature associated with a steam generator having both an auxiliary feedwater supply and an operable power-operated relief valve, and at least one hot leg temperature associated with a steam generator having both an auxiliary feedwater supply and an operable power-operated relief valve.

Note 3: Static - +/-7.73% of narrow range reactor vessel level span (at 100% level, 670°F)**

Dynamic - +/-6% of wide range reactor vessel differential pressure span (at all elevations up to 670°F)**

Note 4: Indication of degraded core cooling (incore CETs @ 700°F): +/-30°F **

Indication of inadequate core cooling (incore CETs @ 1200°F): +/-200°F **

Note 5: Indication of core subcooling margin (RCS pressure > 1000 psig): +/-50°F **

(400 psig < RCS pressure < 1000 psig): +/-100°F **

Rev. OL-21 5/15

Regulatory Guide 1.47 Position

C. Regulatory Position

The following comprises an acceptable method for implementing the requirements of Section 4.13 of IEEE Std 279-1971 and Criterion XIV of Appendix B to 10 CFR Part 50 with respect to indicating the bypass or inoperable status of portions of the protection system, systems actuated or controlled by the protection system, and auxiliary or supporting systems that must be operable for the protection system and the system it actuates to perform their safety-related functions:

1. Administrative procedures should be supplemented by a system that automatically indicates at the system level the bypass or deliberately induced inoperability of the protection system and the systems actuated or controlled by the protection system.

2. The indicating system of C.1. above should also be activated automatically by the bypassing or deliberately induced inoperability of any auxiliary or supporting system that effectively bypasses or renders inoperable the protection system and the systems actuated or controlled by the protection system.

3. Automatic indication in accordance with C.1. and C.2. above should be provided in the control room for each bypass or deliberately induced inoperable status that meets all of the following conditions:

a. Renders inoperable any redundant portion of the protection system, systems actuated or controlled by the protection system, and auxiliary or supporting systems that must be operable for the protection system and the systems it actuates to perform their safety-related functions;

b. Is expected to occur more frequently than once per year; and

c. Is expected to occur when the affected system is normally required to be operable.

4. Manual capability should exist in the control room to activate each system-level indicator provided in accordance with C.1. above.

Union Electric Position

The Callaway Plant design complies with Regulatory Guide 1.47. Refer to Section 7.5.2.2.1 for a description of the bypassed and inoperable status indication system.

Rev. OL-13 5/03

Parameter | Indicator Tag No. | PAMS Separation Group I II (Notes 1 and 2)

WIDE RANGE RCS T HOT LEG LOOP 1 | BB-TI 413A | X
WIDE RANGE RCS T HOT LEG LOOP 2 | BB-TI 423A | X
WIDE RANGE RCS T COLD LEG LOOP 1 | BB-TI 413B | X
WIDE RANGE RCS T COLD LEG LOOP 2 | BB-TI 423B | X
PRESSURIZER WATER LEVEL | BB-LI 459A | X
PRESSURIZER WATER LEVEL | BB-LI 460A | X
PRESSURIZER WATER LEVEL | BB-LI 461 | X
STEAM GEN. LOOP 3 PRESSURE | AB-PI 534A | X
STEAM GEN. LOOP 1 PRESSURE | AB-PI 514A | X
STEAM GEN. LOOP 2 PRESSURE | AB-PI 524A | X
STEAM GEN. LOOP 4 PRESSURE | AB-PI 544A | X
STEAM GEN. LOOP 1 PRESSURE | AB-PI 515A | X
STEAM GEN. LOOP 2 PRESSURE | AB-PI 525A | X
STEAM GEN. LOOP 4 PRESSURE | AB-PI 545A | X
STEAM GEN. LOOP 3 PRESSURE | AB-PI 535A | X
STEAM GEN. LOOP 1 PRESSURE | AB-PI 516A | X
STEAM GEN. LOOP 4 PRESSURE | AB-PI 546A | X
STEAM GEN. LOOP 2 PRESSURE | AB-PI 526A | X
STEAM GEN. LOOP 3 PRESSURE | AB-PI 536A | X
STEAM GEN. LOOP 2 WATER LEVEL N. R. | AE-LI 529 | X
STEAM GEN. LOOP 3 WATER LEVEL N. R. | AE-LI 539 | X
STEAM GEN. LOOP 1 WATER LEVEL N. R. | AE-LI 519 | X
STEAM GEN. LOOP 4 WATER LEVEL N. R. | AE-LI 549 | X
STEAM GEN. LOOP 1 WATER LEVEL N. R. | AE-LI 518 | X
STEAM GEN. LOOP 2 WATER LEVEL N. R. | AE-LI 528 | X
STEAM GEN. LOOP 3 WATER LEVEL N. R. | AE-LI 538 | X
STEAM GEN. LOOP 4 WATER LEVEL N. R. | AE-LI 548 | X
STEAM GEN. LOOP 1 WATER LEVEL N. R. | AE-LI 517 | X
STEAM GEN. LOOP 2 WATER LEVEL N. R. | AE-LI 527 | X
STEAM GEN. LOOP 3 WATER LEVEL N. R. | AE-LI 537 | X
STEAM GEN. LOOP 4 WATER LEVEL N. R. | AE-LI 547 | X
CONTAINMENT PRESSURE N. R. | GN-PI 934 | X
CONTAINMENT PRESSURE N. R. | GN-PI 935 | X
CONTAINMENT PRESSURE N. R. | GN-PI 936 | X
CONTAINMENT PRESSURE N. R. | GN-PI 937 | X
STEAM GEN. LOOP 1 W. R. WATER LEVEL | AE-LI 501 | X
STEAM GEN. LOOP 2 W. R. WATER LEVEL | AE-LI 502 | X
STEAM GEN. LOOP 3 W. R. WATER LEVEL | AE-LI 503 | X
STEAM GEN. LOOP 4 W. R. WATER LEVEL | AE-LI 504 | X
C. S. W. R. PRESSURE | BB-PI 405 | X
C. S. W. R. PRESSURE | BB-PI 403 | X
BORIC ACID TANK WATER LEVEL | BG-LI 102 | X
R. W. S. T. WATER LEVEL | BN-LI 930 | X
R. W. S. T. WATER LEVEL | BN-LI 931 | X
R. W. S. T. WATER LEVEL | BN-LI 932 | X
R. W. S. T. WATER LEVEL | BN-LI 933 | X
ECCS CENTRIFUGAL CHARGING PUMP FLOW | EM-FI 917A | X
ECCS CENTRIFUGAL CHARGING PUMP FLOW | EM-FI 917B | X
CONTAINMENT PRESSURE W. R. | GN-PI 938 | X
CONTAINMENT PRESSURE W. R. | GN-PI 939 | X
C. S. EXCESS LETDOWN HEAT EXCHANGER FLOW TO PRT TEMP | BG-TI 137A | X
C. S. EXCESS LETDOWN HEAT EXCHANGER FLOW TO PRT TEMP | BG-TI 137B | X
C. S. EXCESS LETDOWN HEAT EXCHANGER FLOW TO PRT | BG-FI 138A | X
C. S. EXCESS LETDOWN HEAT EXCHANGER FLOW TO PRT | BG-FI 138B | X
BORIC ACID TANK WATER LEVEL | BG-LI 104 | X
BORIC ACID TANK WATER LEVEL | BG-LI 105 | X
BORIC ACID TANK WATER LEVEL | BG-LI 106 | X
VOLUME CONTROL TANK WATER LEVEL | BG-LI-112 | X
VOLUME CONTROL TANK WATER LEVEL | BG-LI-185 | X
S W. R. PRESSURE | BB-PI-406 | X
SEAL INJECTION FLOW | BG-FI 215A | X
SEAL INJECTION FLOW | BG-FI 215B | X
REACTOR VESSEL WATER LEVEL N. R. | BB-LI-1311 | X
REACTOR VESSEL WATER LEVEL W. R. | BB-LI-1312 | X
REACTOR VESSEL WATER LEVEL N. R. | BB-LI-1321 | X
REACTOR VESSEL WATER LEVEL W. R. | BB-LI-1322 | X
S TEMPERATURE MARGIN TO SATURATION | BB-TI-1390A | X
S TEMPERATURE MARGIN TO SATURATION | BB-TI-1390B | X
EXCESS LETDOWN PATH TO PRT ISOLATION | BB-HCI-8157A | X
EXCESS LETDOWN PATH TO PRT ISOLATION | BB-HCI-8157B | X

NOTES:

1. PAM I routed as Separation Group 1. PAM II routed as Separation Group 4.

2. See Westinghouse process control block diagrams for the applicable protection set.

Rev. OL-21 5/15

Parameter | Indicator Tag No. | Separation Group

A STEAM DUMP TO ATMOSPHERE | AB-PIC-01A | 01
B STEAM DUMP TO ATMOSPHERE | AB-PIC-02A | 02
C STEAM DUMP TO ATMOSPHERE | AB-PIC-03A | 03
D STEAM DUMP TO ATMOSPHERE | AB-PIC-04A | 04
AUXILIARY FEEDWATER-FLOW TO S.G. D | AL-FI-1A | 4
AUXILIARY FEEDWATER-FLOW TO S.G. A | AL-FI-2A | 1
AUXILIARY FEEDWATER-FLOW TO S.G. B | AL-FI-3A | 2
AUXILIARY FEEDWATER-FLOW TO S.G. C | AL-FI-4A | 3
CONDENSATE STORAGE TANK-PRESSURE | AL-PI-37 | 1
CONDENSATE STORAGE TANK-PRESSURE | AL-PI-38 | 2
CONDENSATE STORAGE TANK-PRESSURE | AL-PI-39 | 4
TURBINE DRIVEN AUXILIARY FEED PUMP-SUCTION PRESS. | AL-PI-26A | 2
MOTOR DRIVEN AUXILIARY FEED PUMP A-SUCTION PRESS. | AL-PI-25A | 1
MOTOR DRIVEN AUXILIARY FEED PUMP B-SUCTION PRESS. | AL-PI-24A | 4
CONTROL ROOM AIR INTAKE-GASEOUS RADIOACTIVITY | GK-RIC-4* | 4
CONTROL ROOM AIR INTAKE-GASEOUS RADIOACTIVITY | GK-RIC-5* | 1
CONTAINMENT-GASEOUS RADIOACTIVITY | GT-RIC-31* | 4
CONTAINMENT-GASEOUS RADIOACTIVITY | GT-RIC-32* | 1
CONTAINMENT-HYDROGEN | GS-AI-10 | 4
CONTAINMENT-HYDROGEN | GS-AI-19 | 1
CONTAINMENT SUMP NORMAL LEVEL | LF-LI-10 | 4
CONTAINMENT SUMP NORMAL LEVEL | LF-LI-9 | 1
CONTAINMENT PURGE-GASEOUS RADIOACTIVITY | GT-RIC-33* | 4
CONTAINMENT PURGE-GASEOUS RADIOACTIVITY | GT-RIC-22* | 1
FUEL BUILDING-GASEOUS RADIOACTIVITY | GG-RIC-28* | 4
FUEL BUILDING-GASEOUS RADIOACTIVITY | GG-RIC-27* | 1
CONTAINMENT-AIR TEMPERATURE | GN-TI-61 | 4
CONTAINMENT-AIR TEMPERATURE | GN-TI-60 | 1
CONTAINMENT-AIR TEMPERATURE | GN-TI-63 | 4
CONTAINMENT-AIR TEMPERATURE | GN-TI-62 | 1
CONTROL BUILDING SUMP-LEVEL | LF-LI-125 | 4
CONTROL BUILDING SUMP-LEVEL | LF-LI-124 | 1
DIESEL GENERATOR BUILDING SUMP-LEVEL | LE-LI-106 | 4
DIESEL GENERATOR BUILDING SUMP-LEVEL | LE-LI-105 | 1
R PUMP ROOM SUMP-LEVEL | LF-LI-101 | 4
R PUMP ROOM SUMP-LEVEL | LF-LI-102 | 1
AUXILIARY BUILDING SUMP-LEVEL | LF-LI-104 | 4
AUXILIARY BUILDING SUMP-LEVEL | LF-LI-103 | 1
21 BAT CHARGER AMPS | NK-II-1 | 1
11 BAT AMPS | NK-II-2 | 1
01 125 V DC BUS VOLTS | NK-EI-1 | 1
22 BAT CHARGER AMPS | NK-II-3 | 2
12 BAT AMPS | NK-II-4 | 2
02 125 V DC BUS VOLTS | NK-EI-2 | 2
23 BAT CHARGER AMPS | NK-II-5 | 3
13 BAT AMPS | NK-II-6 | 3
03 125 V DC BUS VOLTS | NK-EI-3 | 3
24 BAT CHARGER AMPS | NK-II-7 | 4
14 BAT AMPS | NK-II-8 | 4
04 125 V DC BUS VOLTS | NK-EI-4 | 4
21 BAT CHARGER AMMETER POTENTIOMETER | NK-IY-1 | 1
22 BAT CHARGER AMMETER POTENTIOMETER | NK-IY-3 | 2
23 BAT CHARGER AMMETER POTENTIOMETER | NK-IY-5 | 3
24 BAT CHARGER AMMETER POTENTIOMETER | NK-IY-7 | 4
11 BAT AMMETER POTENTIOMETER | NK-IY-2B | 1
12 BAT AMMETER POTENTIOMETER | NK-IY-4B | 2
13 BAT AMMETER POTENTIOMETER | NK-IY-6B | 3
14 BAT AMMETER POTENTIOMETER | NK-IY-8B | 4
RWST TEMP | BN-TI-2 | 1
RWST TEMP | BN-TI-5 | 4
CTMT RECIRC SUMP B LEVEL | EJ-LI-8 | 4
CTMT RECIRC SUMP A LEVEL | EJ-LI-7 | 1
W SURGE TANK B LEVEL | EG-LI-2 | 4
W HX B DISCH TEMP | EG-TI-32 | 4
W B PMP DISCH FLOW | EF-FI-54 | 4
W B PMP DISCH PRESS. | EF-PI-2 | 4
W TRAIN B TEMP | EF-TI-62 | 4
W TRAIN A TEMP | EF-TI-61 | 1
W A PMP DISCH PRESS. | EF-PI-1 | 1
W A PMP DISCH FLOW | EF-FI-53 | 1
W HX A DISCH TEMP | EG-TI-31 | 1
W SURGE TK A LEVEL | EG-LI-1 | 1
W HX TO RCP FLOW | EG-FI-128 | 1
W HX TO RCP FLOW | EG-FI-129 | 4
EMERGENCY FUEL OIL DAY TK A LVL | JE-LI-12A | 1
EMERGENCY FUEL OIL DAY TK B LVL | JE-LI-32A | 4
6 KV BUS NB01 VOLTS | NB-EI-1 | 1
6 KV BUS NB02 VOLTS | NB-EI-2 | 4
6 KV BUS NB01 SYNCHROSCOPE | NB-EI-3 | 1
6 KV BUS NB02 SYNCHROSCOPE | NB-EI-4 | 4
P TURBINE SPEED CONTROL | FC-HIK-313A | 2
CTMT HIGH RANGE RADIATION | GT-RIC-59 | 1
CTMT HIGH RANGE RADIATION | GT-RIC-60 | 4
SOURCE RANGE NEUTRON FLUX | SE-NI-60A | 1
WIDE RANGE NEUTRON FLUX | SE-NI-60B | 1
SOURCE & WIDE RANGE NEUTRON FLUX (1) | SE-NIR-61 | 4

* Digital display on radiation monitoring panel SP-067.

NOTES:

1. Instrument on the MCB is a dual pen indicating recorder.

Rev. OL-13 5/03

.1 INSTRUMENTATION AND CONTROL POWER SUPPLY SYSTEM

The instrumentation and control power supply system is described in Section 8.3.1.1.5.

Safety-related BOP transmitters not powered directly from the system described in .1.1.5 are powered by input buffers in the BOP analog equipment cabinets.

Each BOP electronic analog input buffer is able to withstand an open circuit, a short circuit, or a single or multiple-point ground on the field wiring, without affecting any other instrument loop in any separation group.

An open circuit would interrupt the field current and drive the buffer output offscale "low."

The field bus power supply voltage is not high enough to cause any damage if it were suddenly unloaded. There would be no consequential damage to the electronics.

A short circuit would apply the full field bus voltage across on-board current-limiting resistors designed and provided to limit such current to a safe value. The buffer output would be driven to the high limit with no consequential damage to the electronics.

A single ground on an input buffer field line would connect one side of the field bus power supply to system ground through an on-board, current-limiting resistor designed and provided to limit the resultant current to a safe value. The buffer output would take on some arbitrary value, with no consequential damage to the electronics.

A ground on both field lines of an input buffer would result in a condition similar to an input line short circuit. The buffer output would be driven to the high limit, but there would be no consequential damage to the electronics.

.2 RESIDUAL HEAT REMOVAL SYSTEM ISOLATION VALVES

.2.1 Description

The residual heat removal system (RHRS) isolation valves are normally closed and are opened only for residual heat removal system operation after system pressure is reduced to approximately 400 psig and system temperature has been reduced to approximately 350°F.

There are two motor-operated valves in series in each of the two residual heat removal pump suction lines from the reactor coolant system (RCS) hot legs. The two valves nearest the RCS (valves 8702A and 8702B) are designated as the inner isolation valves, while the two valves nearest the residual heat removal pumps (valves 8701A and 8701B) are designated as the outer isolation valves. The interlock and alarm features provided for the outer isolation valves, shown on Figure 7.6-1 (Sheet 1), are identical to those provided for the inner isolation valves, shown on Figure 7.6-1 (Sheet 2), except that

Each valve is interlocked so that it cannot be opened unless the RCS pressure is below a preset pressure. This interlock prevents the valve from being opened when the RCS pressure plus the residual heat removal pump pressure is above the RHRS design pressure. A control room alarm will actuate if an RHR suction isolation valve is not fully closed and RCS pressure is greater than the design pressures for RHR system operation. Power is removed from these valves above the interlock setpoint to prevent inadvertent opening during operation.

In addition, the valves cannot be opened unless the isolation valves in the following lines are closed:

a. Recirculation line from the residual heat exchanger outlet to the suction of the high head safety injection pumps.
b. RHR pump suction line from the refueling water storage tank.
c. RHR pump suction line from the containment sump.

.2.2 Analysis

Based on the scope definitions in IEEE Standards 279-1971 and 338-1971, these criteria do not apply to the residual heat removal isolation valve interlocks. However, because of the possible severity of the consequences of loss of function, the requirements of IEEE Standard 279-1971 have been applied with the following comments.

a. For the purpose of applying IEEE Standard 279-1971 to this circuit, the following definitions are used:

(1) Protection system

The two valves in series in each line and all components of their interlocking and closure circuits.

(2) Protective action

The interlocks which prevent opening an RHRS isolation valve when RCS pressures are above the preset value.

b. IEEE Standard 279-1971, Section 4.10

The above-mentioned pressure interlock and alarm signals and logic will be tested on-line from the analog signal through to the train signal which activates the slave relay (the slave relay provides the final output signal to

low pressure RHRS from the RCS, which would reduce the safety margin.

c. IEEE Standard 279-1971, Section 4.15

This requirement does not apply, as the setpoints are independent of the mode of operation and are not changed.

Environmental qualification of the valves and wiring is discussed in Section 3.11(N).

.3 REFUELING INTERLOCKS

Electrical interlocks (i.e., limit switches), as discussed in Section 9.1.4, are provided for minimizing the possibility of damage to the fuel during fuel handling operations.

.4 ACCUMULATOR MOTOR-OPERATED VALVES

The safety injection system accumulator discharge isolation valves are motor-operated, normally open valves which are controlled from the main control board.

These valves are interlocked so that:

a. They open automatically on receipt of an SIS with the main control board switch in either the "AUTO" or "CLOSE" position.
b. They open automatically whenever the RCS pressure is above the safety injection unblock pressure (P-11) specified in the Callaway Technical Specifications only when the main control board switch is in the "AUTO" position.
c. They cannot be closed as long as an SIS is present.

The interconnection of the interlock signals to the accumulator isolation valve meets the following criteria:

a. Automatic opening of the accumulator isolation valves when: (1) the primary coolant system pressure exceeds a preselected value (specified in the Callaway Technical Specifications) or (2) a safety injection signal has been initiated. Both signals are provided to the valves.
b. Utilization of a safety injection signal to automatically remove (override) any bypass features that are provided to allow an isolation valve to be closed for short periods of time when the RCS is at pressure (in accordance with the provisions of the Callaway Technical Specifications).


c. Removal of power from the valve operators is discussed in Section 6.3.2.

The control circuit for these valves is shown on Figure 7.6-2. The valves and control circuits are further discussed in Sections 6.3.2 and 6.3.5.

The four main control board position switches for these valves provide a "spring return to auto" from the open position and a "maintain position" from the closed position.

The "maintain closed" position is required to provide an administratively controlled manual block of the automatic opening of the valve at pressure above the safety injection unblock pressure (P-11). The manual block or "maintain closed" position is required when performing periodic check valve leakage tests when the reactor is at pressures above P-11. The maximum permissible time that an accumulator isolation valve can be closed when the reactor is at pressure (above 1000 psig) is specified in the Callaway Technical Specifications.

Administrative control is required to ensure that any accumulator isolation valve which has been closed at pressures above the safety injection unblock pressure is reopened, that the circuit breaker is subsequently locked in the open position, and that the main control board position switch is returned to the "AUTO" position. Valve position alarms sound if the valves are not open when above P-11.

During plant shutdown, the accumulator isolation valves are closed. To prevent an inadvertent opening of these valves during that period, the valve motor circuit breakers be locked in the open position. These valve circuit breakers are closed momentarily during the startup procedures in order to open the valves, after which the breakers are again locked in the open position.

These normally open, motor-operated valves have alarms, indicating a malpositioning (with regard to their emergency core cooling system function during the injection phase).

The alarms sound in the main control room.

An alarm will sound for any accumulator isolation valve, under the following conditions, when the RCS pressure is above the "safety injection unblocking pressure."

a. Valve motor-operated limit switch indicates valve not open.
b. Valve stem-operated limit switch indicates valve not open. The alarm on this switch will repeat itself at given intervals.

Additionally, an ESF status panel bypass indication is provided whenever any of these valves leaves the fully open position.
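The interlock rules (items a to c) and the malposition alarm conditions for the accumulator isolation valves, restated as an added Python model; it is not taken from the FSAR or from Figure 7.6-2. All class and function names are assumptions, and the two limit switches are modelled as plain booleans.

```python
from dataclasses import dataclass
from enum import Enum
from itertools import product


class Switch(Enum):
    """Main control board switch states named in the text."""
    AUTO = "AUTO"
    CLOSE = "CLOSE"   # the "maintain closed" manual block position


@dataclass(frozen=True)
class Inputs:
    switch: Switch
    sis: bool         # safety injection signal present
    above_p11: bool   # RCS pressure above the SI unblock pressure (P-11)


def open_demand(i: Inputs) -> bool:
    """Automatic open demand per items a and b of the interlock list."""
    if i.sis:
        # Item a: an SIS opens the valve with the switch in AUTO or CLOSE,
        # which is also how the SIS overrides the manual block.
        return True
    # Item b: pressure above P-11 opens the valve only with the switch in AUTO.
    return i.above_p11 and i.switch is Switch.AUTO


def close_permitted(i: Inputs) -> bool:
    """Item c: the valve cannot be closed as long as an SIS is present."""
    return not i.sis


def blocked_states() -> list:
    """Every input state in which the valve may stay closed above P-11."""
    candidates = (Inputs(sw, sis, True)
                  for sw, sis in product(Switch, (False, True)))
    return [i for i in candidates if not open_demand(i)]


def malposition_alarm(i: Inputs, motor_ls_open: bool, stem_ls_open: bool) -> bool:
    """Alarm above P-11 when either limit switch reports 'not open'."""
    return i.above_p11 and not (motor_ls_open and stem_ls_open)


def alarm_survives_one_stuck_switch() -> bool:
    """With the valve really closed in the blocked state, one limit switch
    stuck at 'open' must not silence the alarm (the other still reports)."""
    state = blocked_states()[0]
    valve_open = False
    stuck_cases = ((True, valve_open), (valve_open, True))
    return all(malposition_alarm(state, m, s) for m, s in stuck_cases)


if __name__ == "__main__":
    for sw, sis, p11 in product(Switch, (False, True), (False, True)):
        i = Inputs(sw, sis, p11)
        print(f"{sw.value:5} SIS={sis!s:5} >P-11={p11!s:5} "
              f"open_demand={open_demand(i)!s:5} "
              f"close_permitted={close_permitted(i)}")
    print("blocked above P-11:", blocked_states())
```

The enumeration shows that the only way to hold a valve closed above P-11 is the "maintain closed" switch position with no SIS present, which is the state the text places under administrative control and alarms.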


The details of achieving cold leg recirculation following safety injection are given in Section 6.3.2.8 and on Table 6.3-8. Figure 7.6-3 shows the logic which will be used to automatically open the sump valves.

7.6.6 INTERLOCKS FOR RCS PRESSURE CONTROL DURING LOW TEMPERATURE OPERATION

The basic function of the RCS pressure control during low temperature operation is discussed in Section 5.2.2. As noted in Section 5.2.2, this pressure control includes automatic actuation logic for two pressurizer power-operated relief valves (PORVs). The function of this actuation logic is to continuously monitor RCS temperature and pressure conditions, with the actuation logic unblocked only when plant operation is at a temperature below the reference nil ductility temperature (RNDT). The monitored system temperature signals are processed to generate the reference pressure limit program which is compared to the actual monitored RCS pressure. This comparison provides an actuation signal to an actuation device which will cause the PORV to automatically open, if necessary, to prevent pressure conditions from exceeding allowable limits. Refer to Figure 7.6-4 for the block diagram showing the interlocks for RCS pressure control during low temperature operation.

The generating station pressure and temperature variables required for this interlock are channelized as follows:

a. Pressure and Temperature Inputs to PCV455A

(1) Four wide range RCS temperature signals derived from channels in a Train A related protection set.

(2) One wide range RCS pressure signal derived from a channel in a Train A related protection set.

b. Pressure and Temperature Inputs to PCV456A

(1) Four wide range RCS temperature signals derived from channels in a Train B related protection set.

(2) One wide range RCS pressure signal derived from a channel in a Train B related protection set.

The wide range RCS temperatures in each protection set are auctioneered in an auctioneering device in each protection set to select the lowest reading.

An alarm is actuated when the auctioneered low temperature from the RCS wide range temperature channels falls within the range of cold overpressure mitigation system

The lowest reading is selected and input to a function generator which calculates the reference pressure limit program, considering the plant's allowable pressure and temperature limits. Also available from the related protection set is the wide range RCS pressure signal. The reference pressure from the function generator is compared to the actual RCS pressure monitored by the wide range pressure channel. The error signal derived from the difference between the reference pressure and the actual measured pressure will first annunciate a main control board alarm whenever the actual measured pressure approaches, within a predetermined amount, the reference pressure. On a further increase in measured pressure, the error signal will generate an actuation signal.

The monitored generating station variables that generate the actuation signal for the redundant PORV are processed in a similar manner.

Upon receipt of the actuation signal, the actuation device will automatically cause the PORV to open. Upon sufficient RCS inventory letdown, the operating RCS pressure will decrease, clearing the actuation signal. Removal of this signal causes the PORV to close.
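The signal path described above (low auctioneering, function generator, comparison, alarm, actuation, reset) as an added Python sketch; it is not plant logic and not taken from Figure 7.6-4. The arming temperature, limit curve and alarm margin are constructed values, and actuating exactly at the reference pressure is an assumption, since the page gives no setpoints.

```python
from bisect import bisect_right

# Constructed illustrative values, NOT Callaway setpoints.
ARM_BELOW_F = 350.0                       # logic unblocked below this temperature
LIMIT_CURVE = [(70.0, 450.0), (150.0, 450.0), (250.0, 600.0), (350.0, 900.0)]
ALARM_MARGIN_PSI = 50.0                   # "predetermined amount" before actuation


def auctioneer_low(temps_f):
    """Select the lowest of the four wide range RCS temperature signals."""
    if len(temps_f) != 4:
        raise ValueError("each protection set supplies four temperature signals")
    return min(temps_f)


def reference_pressure(temp_f):
    """Function generator: piecewise-linear pressure limit, clamped at the ends."""
    temps = [t for t, _ in LIMIT_CURVE]
    if temp_f <= temps[0]:
        return LIMIT_CURVE[0][1]
    if temp_f >= temps[-1]:
        return LIMIT_CURVE[-1][1]
    k = bisect_right(temps, temp_f)
    (t0, p0), (t1, p1) = LIMIT_CURVE[k - 1], LIMIT_CURVE[k]
    return p0 + (p1 - p0) * (temp_f - t0) / (t1 - t0)


def evaluate_train(temps_f, pressure_psig):
    """One train's logic for one scan; returns 'blocked', 'normal', 'alarm'
    or 'porv_open'."""
    t_low = auctioneer_low(temps_f)
    if t_low >= ARM_BELOW_F:
        return "blocked"                  # actuation logic not unblocked
    error = reference_pressure(t_low) - pressure_psig
    if error <= 0.0:
        return "porv_open"                # actuation signal present
    if error <= ALARM_MARGIN_PSI:
        return "alarm"                    # approaching the reference pressure
    return "normal"


def run_transient(temps_f, pressures_psig):
    """Evaluate a pressure history at fixed temperature inputs. The PORV
    follows the actuation signal, so it recloses once the signal clears."""
    return [evaluate_train(temps_f, p) for p in pressures_psig]


if __name__ == "__main__":
    train_a = [200.0, 202.0, 198.0, 201.0]    # constructed sample inputs
    train_b = [200.0, 202.0, 150.0, 201.0]    # one channel reading low
    history = [400.0, 480.0, 530.0, 510.0, 460.0]
    print("Train A (PCV455A):", run_transient(train_a, history))
    print("Train B (PCV456A):", run_transient(train_b, history))
```

With the constructed inputs, the train whose auctioneer sees one low-reading channel works to a lower reference pressure and opens its PORV earlier, which is the conservative direction of a low auctioneer.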

7.6.6.1 Analysis of Interlocks

Many criteria presented in IEEE Standards 279-1971 and 338-1971 do not apply to the interlocks for RCS pressure control during low temperature operation, because the interlocks do not perform a protective function but, rather, provide automatic pressure control at low temperatures as a back-up to the operator. However, although IEEE Standard 279-1971 criteria do not apply, some advantages of the dependability and benefits of an IEEE Standard 279-1971 design have accrued by including selected elements, as noted above, in the protection sets and by organizing the control of the two PORVs (either of which can accomplish the RCS pressure control function) into dual channels.

The design of the low temperature interlocks for RCS pressure control is such that pertinent features include:

a. No credible failure at the output of the protection set racks, after the output leaves the racks to interface with the interlocks, will prevent the associated protection system channel from performing its protective function because of the separation of Train B interlocks from Train A (see Figure 7.6-4).
b. Testing capability for elements of the interlocks within (not external to) the protection system is consistent with the testing principles and methods discussed in Section 7.2.2.2.3, item J. It should be noted that there is an annunciator which provides an alarm when the COMS is armed coincident with a closed position of the motor-operated (MOV) pressurizer relief block
c. A loss of offsite power will not defeat the provisions for an electrical power source for the interlocks because these provisions are through onsite power, which is described in Section 8.3.

7.6.7 ISOLATION OF ESSENTIAL SERVICE WATER (ESW) TO THE AIR COMPRESSORS

7.6.7.1 Description

As stated in Section 9.2.1.2.2.1, ESW flow to the nonsafety-related air compressors and associated aftercoolers is maintained following a DBA. Instrumentation and controls are provided to automatically isolate each train of the ESW to the air compressors on high flow. ESW to the air compressors can also be isolated by remote manual means.

Each control system (one per train of the ESW) utilizes a differential pressure transmitter and bistable which senses flow through the associated isolation valve. On high flow (indicative of gross leakage in the nonseismic portion of the system), the control system automatically closes the isolation valve.

The isolation valve will remain in the closed position until the valve is manually reset by the operator in the control room.

A means of remote manual isolation is provided in the control room. The status of each isolation valve is indicated by open and closed indicating lights in the control room.

The isolation valves are air operated and are designed to fail closed on the loss of air electrical power.

a. Initiating circuits Each isolation valve is automatically actuated by flow monitoring instrumentation. The isolation valves can also be closed via control switches in the control room.
b. Logic The logic diagram for the isolation of the ESW to the air compressors is provided in Section 1.7.
c. Bypass No bypass is provided.


No interlock is provided.

e. Redundancy Redundancy is accomplished on a system basis. Each train of the ESW is provided with an independent control system and isolation valve.
f. Actuated devices The isolation valves are the actuated devices.
g. Supporting systems The controls for ESW isolation to the air compressors are powered from the Class 1E power system (refer to Chapter 8.0).
h. Portion of system not required for safety Isolation valve position inputs to the station computer are not required for safety.
i. Design bases The design bases for ESW isolation to the air compressors are described in Section 9.2.1.2.1 (Safety Design Bases 5 and 6).

Additionally, Section 7.3.1.1.2a. and b. are applicable to the control system components.

7.6.7.2 Analysis

a. Conformance to NRC regulatory guides (1) Regulatory Guide 1.22 The isolation system controls can be tested periodically.

(2) Regulatory Guide 1.29 The isolation system controls are designed to withstand the effects of an earthquake without loss of function. The isolation system controls are classified seismic Category I, in accordance with the guide.


The controls for the isolation system conform to the applicable requirements of IEEE Standard 279-1971. The control circuits are designed so that any single failure will not compromise the ESW system's safety function. This is accomplished by redundancy provided in the ESW system. Each isolation system utilizes control power from independent Class 1E power systems. In order to prevent interaction between the redundant systems, the control channels are wired independently and separated with no electrical connections between control channels.

c. Conformance to other criteria and standards Conformance to other criteria and standards is indicated in Table 7.1-2.

7.6.8 ISOLATION OF THE NONSAFETY-RELATED PORTION OF THE COMPONENT COOLING WATER (CCW) SYSTEM

7.6.8.1 Description

The nonseismic portion of the CCW system is isolated by two isolation valves in series that are provided in both the supply and return lines (see Figure 9.2-3). These valves automatically close upon low-low surge tank level or SIS. The nonseismic portion of the CCW system can also be isolated by remote manual means.

Two independent level transmitters (one per surge tank) are provided. On low-low surge tank level, the isolation valves are automatically closed and will remain in the closed position until the valves are manually reset by the operator in the control room. Each level transmitter and its associated bistable provides isolation signals to one valve in the supply line and one valve in the return line.

The isolation valves are air operated and are designed to fail closed on loss of air and electrical power.

A means of remote manual isolation is provided in the control room. The status of each isolation valve is indicated by open and closed indicating lights in the control room.

The SIS to the isolation valves is discussed in Section 7.3.

a. Initiating circuits Each isolation valve is automatically actuated by level monitoring instrumentation. The isolation valves can also be closed via control switches in the control room.
b. Logic
c. Bypass No bypass is provided.
d. Interlock An interlock is provided to defeat the isolation of one set of isolation valves (one in the supply line and one in the return line) on low-low surge tank level. This interlock will allow continued plant operation for a period of time if the corresponding train of the CCW is out of service.
e. Redundancy Redundancy is accomplished by providing two independent sets of level instrumentation.
f. Diversity Diversity within the types of instrumentation functions that can initiate isolation of EGHV0069A/B and EGHV0070A/B is accomplished by actuation circuitry associated with a safety injection signal (SIS) or low-low surge tank level. The CCW system is required to mitigate Chapter 6 and Chapter 15 accidents and transients that generate a SIS or rely on RHR for safe shutdown. Diversity for the generation of the SIS is accomplished by actuation on low pressurizer pressure, low steamline pressure, or containment pressure High-1. The CCW system must also be capable of isolating the non-safety, non-seismic piping to the radwaste service loads after a postulated hazard (earthquake, pipe break, etc.) as discussed in Chapter 3. For such an event, isolation on low-low surge tank level or by remote manual operator action to close EGHV0069A/B and EGHV0070A/B from the main control room is available.
g. Actuated devices The isolation valves are the actuated devices.
h. Supporting systems The controls for isolation of the nonseismic portion of the CCW system are powered from two independent Class 1E power systems.
i. Portion of system not required for safety
j. Design bases The design bases for isolation of the nonsafety-related portion of the CCW system are described in Section 9.2.2.1.1 (Safety Design Bases 5 and 6).

Additionally, Section 7.3.1.1.2a and b are applicable to the control system components.

7.6.8.2 Analysis

a. Conformance to NRC regulatory guides (1) Regulatory Guide 1.22 The isolation system controls can be tested periodically.

(2) Regulatory Guide 1.29 The isolation system controls are designed to withstand the effects of an earthquake without loss of function. The isolation system controls are classified seismic Category I, in accordance with the guide.

b. Conformance to IEEE Standard 279-1971 The controls for the isolation system conform to the applicable requirements of IEEE Standard 279-1971. The control circuits are designed so that any single failure will not compromise the CCW system's safety function. This is accomplished by redundant flow and surge tank level instrumentation.

The CCW isolation system and the surge tank level instrumentation utilize power from two independent Class 1E power systems. In order to prevent interaction between the redundant systems, the control channels are wired independently and separated with no electrical connections between control channels.

c. Conformance to other criteria and standards Conformance to other criteria and standards is indicated in Table 7.1-2.


protection and detection is discussed in Section 9.5.1.

7.6.10 INTERLOCKS FOR PRESSURIZER PRESSURE RELIEF SYSTEM

7.6.10.1 Description of Pressurizer Pressure Relief System

The pressurizer pressure relief (PPR) system provides the following:

a. Capability for RCS overpressure mitigation during cold shutdown, heatup, and cooldown operations to minimize the potential for impairing reactor vessel integrity when operating at or near the vessel ductility limits.
b. Capability for RCS depressurization following Condition II, III, and IV events (e.g., see Sections 15.5.1 and 15.6.3).

7.6.10.2 Description of Pressurizer Pressure Relief System Interlocks

Interlocks for the PPR system control the opening and closing of the pressurizer PORVs.

These interlocks provide the following functions:

a. Pressurizer pressure control via Class 1E automatic actuation circuit (refer to Section 7.7.1.5 for a description).
b. RCS pressure control during low temperature operation (refer to Sections 5.2.2 and 7.6.6 for a description).
c. RCS pressure control to achieve and maintain a cold shutdown and to heatup, using equipment that is required for safety (refer to Appendix 5.4A for a description).

The interlock functions that provide pressurizer pressure control are derived from process parameters as shown on Figure 7.2-1, Sheet 11 and the interlock logic functions as well as process parameter inputs required for low temperature operation, as shown on Figure 7.6-4. The functions shown on Figure 7.6-4 include those needed for the PORV block valves as well as the pressurizer PORVs to meet both interlock logic and manual automatic operation requirements where manual operation is at the main control board.

7.6.11.1 Description

The suction of the ECCS charging pumps is normally supplied by a line containing two normally open motor-operated valves which connects to the bottom of the volume control tank (VCT). These VCT outlet isolation valves are designated as LCV-112B, which is assigned to the A train, and LCV-112C, which is assigned to the B train.

Each VCT outlet isolation valve is controlled by its train associated level channel. Refer to Figure 7.6-5 (Sheet 1 of 2) for the logic diagram. When the control switch is in the normal position, the valve receives a signal to close on a low-low level signal from its associated channel. The valves also receive a signal to close on an SIS signal.

An interlock between the above signal and the emergency makeup signal from its train associated RWST valve position prevents the valve from automatically closing unless its train associated valve from the RWST to the charging pump suction header is open.

This system ensures that the ECCS charging pumps will always have a source of fluid and protects them against loss of NPSH and cavitation damage.

Each RWST valve is controlled by its train associated level channel. Refer to Figure 7.6-5 (Sheet 2 of 2) for the logic diagram. When the control switch is in the normal position, the valve receives a signal to open on a low-low level signal from its associated channel. The valves also receive a signal to open on an SIS signal.

In order to avoid any interface between control grade instrumentation functions and protection grade instrumentation channels which are derived from level transmitters LT-112 and LT-185, a third VCT level instrumentation channel derived from level transmitter LT-149 is provided. This channel performs all the control grade functions so that LT-112 and LT-185 may be dedicated to switchover of ECCS charging pump suction to the RWST on low-low VCT level.

7.6.11.2 Evaluation of Switchover of ECCS Charging Pump Suction

In addition to having complete electrical separation from channels LT-112 and LT-185, the upper level tap from LT-149 is on the VCT vent line at the same pressure point as pressure transmitter PT-115. This ensures adequate physical separation of the different grades of equipment. LT-185 and LT-149 share the lower level tap. A postulated rupture of this tap would result in a false "empty" indication by the affected transmitter, which would initiate switchover.

7.6.12.1 Description

Instrumentation is provided to mitigate the consequences of inadvertent addition of unborated, primary grade water into the reactor coolant system. The boron dilution mitigation system is identical to that reviewed and approved by the NRC for initial licensing of Comanche Peak Units 1 and 2 (Docket Nos. 50-445 and 50-446).

Figure 7.6-6 is a simplified system block diagram showing the flux doubling detection system and the protection system output for isolation valve actuation.

In the event of a boron dilution transient, the nuclear instrumentation source range in conjunction with the flux-multiplication meter will detect a multiplication of the neutron flux. This information is sent to the solid state protection system which automatically initiates isolation valve movement to terminate the transient. An alarm is sounded at the e for plant operators to indicate that flux multiplication in excess of the setpoint has occurred and isolation valve movement started.

Credit is taken for the instrumentation to provide for operator alert and for automatically initiating isolation valve movement in Modes 3, 4, and 5.

7.6.12.2 Analysis

An analysis of effects and consequences of inadvertent boron dilution transients is covered in Section 15.4.6.

7.6.12.3 Qualification

Qualification of the instrumentation is discussed in WCAP-8587 Supplement 1, "Equipment Qualification Data Package" ESE-47.

7.6.13 ECCS CHARGING PUMP MINIFLOW INTERLOCK

7.6.13.1 Description

The ECCS charging pump miniflow interlock provides the following semi-automatic miniflow valve opening and closing features. The interlock automatically closes the miniflow valve with the manual main control board switch for the valve in the normal position when the actual flow from the pump increases above the preset amount coincident with the presence of a latched-in safety injection actuation signal. The interlock also automatically opens the miniflow valve with the manual main control board switch for the valve in the normal position when the actual flow from the pump decreases below the preset amount coincident with the presence of a latched-in safety injection

Included in this interlock logic is a retentive memory to retain the SIS until the reset for the valve is actuated. The purpose of this retention is to maintain miniflow isolation control after the primary SIS has been reset at the systems level at the main control board.

7.6.14 NEUTRON FLUX MONITORING SYSTEM

7.6.14.1 Description

Redundant Class 1E neutron flux monitors, independent from the NSSS protection system, have been provided in the Callaway Plant design. The monitors have the ability to monitor excore neutron flux from 10⁻⁸ to 200 percent power. Class 1E indication is provided on the main control panel and auxiliary shutdown panel. In addition, a Class 1E recorder is provided on the main control panel to track the neutron flux during normal operation and during an event.

7.6.14.2 Qualification

Qualification of instrumentation is discussed in the SNUPPS Report of Independent Review of Environmental Qualification Programs to NUREG-0588.


The general design objectives of the plant control systems are:

a. To establish and maintain power equilibrium between the primary and secondary system during steady state unit operation.
b. To constrain operational transients so as to preclude unit trip and reestablish steady state unit operation.
c. To provide the reactor operator with monitoring instrumentation that indicates all required input and output control parameters of the systems and provides the operator with the capability of assuming manual control of the system.

7.7.1 DESCRIPTION

The plant control systems described in this section perform the following functions:

Reactor Control System

a. Enables the nuclear plant to accept a step load decrease of 10 percent and a ramp decrease of 5 percent per minute over the entire power range without reactor trip, steam dump, or pressurizer relief actuation, subject to possible xenon limitations.
b. Maintains reactor coolant average temperature (Tavg) within prescribed limits by creating the bank demand signals for manually moving groups of RCCAs during normal operation and operational transients. The Tavg control also supplies a signal to pressurizer water level control and steam dump control.

Rod Control System

a. Provides for reactor power modulation by manual or automatic (insertion only) control of control rod banks in a preselected sequence and for manual operation of individual banks.
b. Systems for monitoring and indicating
1. Provide alarms to alert the operator if the required core reactivity shutdown margin is not available due to excessive control rod insertion.
2. Display control rod position.

7.7-1 Rev. OL-23 6/18

Plant Control System Interlocks

a. Prevent further manual withdrawal of the control banks when signal limits are approached that indicate the approach to a DNBR limit or kW/ft limit.
b. Limit automatic turbine load increase to values for which the NSSS has been designed.

Pressurizer Pressure Control

Maintains or restores the pressurizer pressure to the design pressure +/-35 psi (which is within reactor trip and relief and safety valve actuation setpoint limits) following normal operational transients that induce pressure changes by control (manual or automatic) of heaters and spray in the pressurizer. Provides steam relief by controlling the power relief valves.

Pressurizer Water Level Control

Establishes and maintains the pressurizer water level within specified limits as a function of the average coolant temperature. Changes in level are caused by coolant density changes induced by loading, operational, and unloading transients. Level changes are produced by means of charging flow control (manual or automatic) as well as by manual selection of letdown throttle valves. Maintaining coolant level in the pressurizer within prescribed limits by actuating the charging and letdown system provides control of the reactor coolant water inventory.

Steam Generator Water Level Control

a. Establishes and maintains the steam generator water level within predetermined limits during normal operating transients.
b. The steam generator water level control system also maintains the steam generator water level to within predetermined limits and unit trip conditions.

It regulates the feedwater flow rate so that under operational transients the water level for the reactor coolant system does not decrease below a minimum value. Steam generator water inventory control is manual or automatic through the use of feedwater control valves.

Steam Dump Control (Also Called Turbine Bypass)

a. Permits the nuclear plant to accept a sudden loss of load without incurring reactor trip. Steam is dumped to the condenser and/or the atmosphere, as
b. Ensures that stored energy and residual heat are removed following a reactor trip to bring the plant to equilibrium no-load conditions without actuation of the steam generator safety valves.
c. Maintains the plant at no-load conditions and permits manually controlled cooldown of the plant.

Incore Instrumentation

Provides information on the neutron flux distribution and on the core outlet temperatures at selected core locations.

AMSAC

The ATWS Mitigation System Actuation Circuitry (AMSAC) automatically initiates auxiliary feedwater and a turbine trip under conditions indicative of an Anticipated Transient Without Scram (ATWS) event. AMSAC actuation ensures that RCS pressure will remain below the ASME B&PV Code Level C service limit stress criteria (3200 psig) for the most severe ATWS events (loss of external electrical load or loss of normal feedwater flow), per WCAP-8330 and Reference 3.

7.7.1.1 Reactor Control System

The reactor control system enables the nuclear plant to follow load changes automatically, including the acceptance of step load decreases of 10 percent and ramp decreases of 5 percent per minute over the entire power range without reactor trip, steam dump, or pressure relief (subject to possible xenon limitations). The system is also capable of allowing manual restoration of coolant average temperature to within the programmed temperature deadband following a change in load. Manual control rod operation may be performed at any time within the range of defined insertion limits.

Automatic rod control operation provides automatic control rod insertion but does not allow automatic control rod withdrawal.

The reactor control system controls the reactor coolant average temperature by regulation of control rod bank position. The reactor coolant loop average temperatures are determined from hot leg and cold leg measurements in each reactor coolant loop.

There is an average coolant temperature (Tavg) computed for each loop, where:

$$T_{avg} = \frac{T_{hot} + T_{cold}}{2}$$

chamber pressure) and the highest of the Tavg measured temperatures (which is processed through a lead-lag compensation unit) from each of the reactor coolant loops constitutes the primary control signal, as shown in general on Figure 7.7-1 and in more detail on the functional diagrams shown in Figure 7.2-1 (Sheet 9). The system is capable of allowing manual restoration of coolant average temperature to the programmed value following a change in load. The programmed coolant temperature increases linearly with turbine load from zero power to the full power condition. For an evaluated Tavg based on positioning of AEHV0038 (high pressure feedwater heater bypass valve) the Tavg also supplies a signal to pressurizer level control and steam dump control and rod insertion limit monitoring.

The temperature channels needed to derive the temperature input signals for the reactor control system are fed from protection channels via isolation amplifiers.

An additional control input signal is derived from the reactor power versus turbine load mismatch signal. This additional control input signal improves system performance by enhancing response and reducing transient peaks.

The core axial power distribution is controlled during load follow maneuvers by changing (by manual operator action) the boron concentration in the RCS. The control board displays (see Section 7.7.1.3.1) indicate the need for an adjustment in the axial power distribution. Adding boron to the reactor coolant will reduce Tavg and will require the operator to manually withdraw control rods to restore Tavg. This action will reduce power peaks in the bottom of the core. Likewise, removing boron from the reactor coolant will move the rods further into the core to control power peaks in the top of the core.

7.7.1.2 Rod Control System

7.7.1.2.1 Description

The rod control system receives rod speed and insertion signals from the Tavg control system. The rod speed demand signal varies over the corresponding range of 3.75 to 45 inches per minute (6 to 72 steps/minute), depending on the magnitude of the input signal. Manual control is provided to move a control bank in or out at a prescribed fixed speed.

A permissive interlock C-5 (see Table 7.7-1) derived from measurements of turbine impulse chamber pressure prevents automatic rod withdrawal when the turbine load is below 15 percent. In the "AUTOMATIC" mode, the rods are inserted in a predetermined programmed sequence by the automatic programming with the control interlocks (see Table 7.7-1).

The shutdown banks are always in the fully withdrawn position during normal operation, and are moved to this position at a constant speed by manual control prior to criticality. A

The control banks are the only rods that can be inserted under automatic control. Each control bank is divided into two groups to obtain smaller incremental reactivity changes per step. All RCCAs in a group are electrically paralleled to move simultaneously. There is individual position indication for each RCCA.

Power to CRDMs is supplied by two motor generator sets operating from two separate Volt, three phase busses. Each generator is the synchronous type and is driven by 00-Hp induction motor. The ac power is distributed to the rod control power cabinets through the two series-connected reactor trip breakers.

The variable speed rod drive programmer affords the ability to insert small amounts of negative reactivity at low speed to accomplish fine control of reactor coolant average temperature about a small temperature deadband, as well as furnishing rod insertion at high speed. A summary of the RCCA sequencing characteristics is given below.

a. Two groups within the same bank are stepped so that the relative position of the groups will not differ by more than one step.
b. The control banks are programmed so that withdrawal of the banks is sequenced in the following order; control bank A, control bank B, control bank C, and control bank D. The programmed insertion sequence is the opposite of the withdrawal sequence, i.e., the last control bank withdrawn (bank D) is the first control bank inserted.
c. The control bank withdrawals are programmed such that when the first bank reaches a preset position, the second bank begins to move out simultaneously with the first bank which continues to move toward its fully withdrawn position. When the second bank reaches a preset position, the third bank begins to move out, and so on. This withdrawal sequence continues until the unit reaches the desired power level. The control bank insertion sequence is the opposite.
d. Overlap between successive control banks is adjustable between 0 to 50 percent (0 and 115 steps), with an accuracy of +/-1 step.
e. Rod speeds for either the shutdown banks or manual operation of the control banks are capable of being controlled between a minimum of 6 steps per minute and a maximum of 72 (+0, -10) steps per minute.
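The sequencing rules in items b through d can be worked through with a single step counter, as in the following added example (not plant software and not part of the original report). It assumes a full travel of 228 steps, taken from the top of the display range quoted later in this section, and it models the "preset position" at which the next bank starts as full travel minus the overlap; the overlap value of 113 steps used in the checks is constructed.

```python
# Added illustration of the bank overlap sequence; not plant software.
FULL_OUT = 228                  # steps; assumed full travel (top of the display range)
MAX_OVERLAP = 115               # steps; upper end of the adjustable range in item d
BANKS = ("A", "B", "C", "D")    # withdrawal order from item b


def _top_counter(overlap_steps):
    """Counter value at which every control bank is fully withdrawn."""
    start_gap = FULL_OUT - overlap_steps
    return start_gap * (len(BANKS) - 1) + FULL_OUT


def bank_positions(counter, overlap_steps):
    """Map one sequence counter to the demanded position of each bank.

    Bank k starts moving when bank k-1 reaches FULL_OUT - overlap_steps
    (modelling assumption), so its position is the counter shifted by
    k * (FULL_OUT - overlap_steps) and clamped to the travel range.
    """
    if not 0 <= overlap_steps <= MAX_OVERLAP:
        raise ValueError("overlap outside the adjustable range")
    start_gap = FULL_OUT - overlap_steps
    counter = max(0, min(counter, _top_counter(overlap_steps)))
    return {bank: max(0, min(counter - i * start_gap, FULL_OUT))
            for i, bank in enumerate(BANKS)}


def moving_banks(counter, direction, overlap_steps):
    """Banks that move for one step out (+1) or in (-1) from this counter."""
    before = bank_positions(counter, overlap_steps)
    after = bank_positions(counter + direction, overlap_steps)
    return [bank for bank in BANKS if before[bank] != after[bank]]


def matching_counter(positions, overlap_steps):
    """Return the counter that reproduces the observed positions, or None.

    None means the observed bank positions cannot be reached by the
    programmed sequence, i.e. the banks are out of sequence or overlap.
    """
    for counter in range(_top_counter(overlap_steps) + 1):
        if bank_positions(counter, overlap_steps) == positions:
            return counter
    return None


if __name__ == "__main__":
    overlap = 113  # constructed value inside the 0 to 115 step range
    for c in (0, 115, 116, 228, 230, 573):
        print(c, bank_positions(c, overlap))
    print("first bank to insert from all-out:", moving_banks(573, -1, overlap))
```

Stepping the counter down from the all-out value moves only bank D, which is the reverse-order insertion described in item b.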


Credible rod control equipment malfunctions which could potentially cause inadvertent positive reactivity insertions due to inadvertent rod withdrawal (automatic rod withdrawal is no longer available), incorrect overlap, or malpositioning of the rods are the following:

a. Failures in the manual rod controls:
1. Rod motion control switch (in-hold-out)
2. Bank selector switch
b. Failures in the overlap and bank sequence program control:
1. Logic cabinet systems
2. Power supply systems

Failures in the manual rod controls

1. Failure of the rod motion control switch

The rod motion control switch is a three-position lever switch. The three positions are "In," "Hold," and "Out." These positions are effective when the bank selector switch is in manual. Failure of the rod motion control switch (contacts failing short or activated relay failures) would have the potential, in the worst case, to produce positive reactivity insertion by rod withdrawal when the bank selector switch is in the manual position or in a position which selects one of the banks.

When the bank selector switch is in the automatic position, the rods would obey the automatic commands and failures in the rod motion control switch would have no effect on the rod motion regardless of whether the rod motion control switch is in "In," "Hold," or "Out" (automatic rod withdrawal is no longer available).

In the case where the bank selector switch is selecting a bank and a failure occurs in the rod motion switch that would command the bank "Out" even when the rod motion control switch was in an "In" or "Hold" position, the selected bank could inadvertently withdraw. This failure is bounded in the safety analysis (Chapter 15.0) by the uncontrolled bank withdrawal at subcritical and at power transients. A reactivity insertion of up to 85 pcm/sec is assumed in the analysis due to rod movement at hot zero power (110 pcm/sec at full power). This value of reactivity insertion rate is consistent with the withdrawal of two banks.


the circuit arrangement for the movable and lift coils would cause the current available to the mechanisms to divide equally between coils in the two groups (in a power supply). The drive mechanism is designed so that it will not operate on half current. A second feature in this scenario would be the multiplexing failure detection circuit included in each power cabinet.

This circuit would stop rod withdrawal (or insertion).

The second case considered in the potential for inadvertent reactivity insertion due to possible failures is when the selector switch is in the manual position. Such a case could produce, with a failure in the rod motion control switch, a scenario where the rods could inadvertently withdraw in a programmed sequence. The overlap and bank sequence are programmed when the selector switch is in either automatic or manual.

This scenario is also bounded by the reactivity values assumed in the accident analysis. In this case, the operator can trip the reactor, or the protection system would trip the reactor via power range neutron flux-high, or overtemperature ΔT.

2. Failure of the bank selector switch

A failure of the bank selector switch produces no consequences when the "in-hold-out" manual switch is in the "Hold" position. This is due to the following design feature:

The bank selector switch is series wired with the in-hold-out lever switch for manual and individual control rod bank operation. With the in-hold-out lever switch in the "Hold" position, the bank selector switch can be positioned without rod movement.

Failures in the overlap and bank sequence program control

The rod control system design prevents the movement of the groups out of sequence as well as limiting the rate of reactivity insertion. The main feature that performs the function of preventing malpositioning produced by groups out of sequence is included in the block supervisory memory buffer and control. This circuitry accepts and stores the externally generated command signals. In the event of out of sequence input command to the rods while they are in movement, this circuit will inhibit the buffer memory from accepting the command. If a change of signal command appears, this circuit would stop the system after allowing the slave cyclers to finish their current sequencing. Failure of components related to this system will also produce rod deviation alarm and insertion limit alarm. Failures within the system such as failures of supervisory logic cards, pulser cards, etc., will also cause an urgent alarm. An urgent alarm will be followed by the following actions:


Activation of the alarm light (urgent failure) on the power supply cabinet front panel; and

Activation of rod control urgent failure annunciation window on the plant annunciator.

The urgent alarm is produced in general by:

Regulation failure detector;
Phase failure detector;
Logic error detector;
Multiplexing error detector; or
Interlock failure detector.

1. Logic cabinet failures

The rod control system is designed to limit the rod speed control signal output to a value that causes the pulser (logic cabinet) to drive the control rod driving mechanism at 72 steps per minute. If a failure should occur in the pulser or the reactor control system, the highest stepping rate possible is 77 steps per minute, which corresponds to one step every 780 milliseconds. A commanded stepping rate higher than 77 steps per minute would result in "GO" pulses entering a slave cycler while it is sequencing its mechanisms through a 780 millisecond step. This condition stops the control bank motion automatically, and alarms are activated locally and in the control room. It also causes the affected slave cycler to reject further "GO" pulses until it is reset.

Failures that cause the 780 millisecond step sequence time to shorten will not result in higher rod speeds, since the stepping rate is proportional to the pulsing rate. Simultaneous failures in the pulser or rod control system and in the clock circuits that determine the 780 millisecond stepping sequence could result in higher CRDM speed; however, in the unlikely event of these simultaneous multiple failures the maximum CRDM operation speed would be no more than approximately 100 steps per minute due to mechanical limitation. This speed has been verified by tests conducted on the CRDMs.

Failures causing movement of the rods out of sequence:


when operating in the automatic bank overlap control mode with the reactor at near full power output (automatic rod withdrawal is no longer available). The analysis revealed that many of the failures postulated were in a safe direction and that rod movement is blocked by the rod urgent alarm.

2. Power supply system failures

Analysis of the power cabinet disclosed no single component failures that would cause the uncontrolled withdrawal of a group of rods serviced by the power cabinet. The analysis substantiates that the design of a power cabinet is "fail-preferred" with regard to a rod withdrawal accident if a component fails. The end result of the failure is either that of blocking rod movement or that of dropping an individual rod or rods or a group of rods. No failure within the power cabinet which could cause erroneous drive mechanism operation will remain undetected. Sufficient alarm monitoring (including "urgent" alarm) is provided in the design of the power cabinet for fault detection of those failures which could cause erroneous operation of a group of mechanisms. As noted in the foregoing, diverse monitoring systems are available for detection of failures that cause the erroneous operation of an individual control rod drive mechanism.

In summary, no single failure within the rod control system can cause either reactivity insertions or mal-positioning of the control rods resulting in core thermal conditions not bounded by analyses contained in Chapter 15.0.

7.7.1.3 Plant Control Signals for Monitoring and Indicating

7.7.1.3.1 Monitoring Functions Provided by the Nuclear Instrumentation System

The power range channels are used to measure power level, axial flux imbalance, and radial flux imbalance. Suitable alarms are derived from these signals, as described below.

Basic power range signals are:

a. Total current from a power range detector (four signals from separate detectors); these detectors are vertical and have a total active length of 10 feet.
b. Current from the upper half of each power range detector (four signals).

The following (including standard signal processing for calibration) are derived from these basic signals:

a. Indicated nuclear power (four signals).
b. Indicated axial flux imbalance (), derived from upper half flux minus lower half flux (four signals).

Alarm functions derived are as follows:

a. Deviation (maximum minus minimum of four) in indicated nuclear power.
b. Upper radial tilt (maximum to average of four) on upper half currents.
c. Lower radial tilt (maximum to average of four) on lower half currents.

Nuclear power and axial imbalance are selectable for recording on strip charts on the control board. Indicators are provided on the control board for nuclear power and for axial flux imbalance.

The axial flux difference (AFD) imbalance deviation alarms are derived from the plant computer which determines the 1-minute averages of each of the operable excore detector outputs to monitor in the reactor core and alerts the operator immediately if the one-minute average AFDs for at least two operable excore channels are outside the AFD limits and thermal power is greater than 50% of rated thermal power. For periods during which the alarm on axial flux difference is inoperable, the axial flux difference is logged, as defined in Section 16.2.1. No power reduction is required during this period of manual surveillance.

Additional background information on the nuclear instrumentation system can be found in Reference 1.

7.7.1.3.2 Rod Position Monitoring

Two separate systems are provided to sense and display control rod position as described below:

a. Digital rod position indication system

The digital rod position indication system measures the actual position of each control rod, using a detector which consists of discrete coils mounted concentrically with the rod drive pressure housing. The coils are located axially along the pressure housing and magnetically sense the entry and presence of the rod drive shaft through its centerline. For each detector,

By employing two separate channels of information, the digital rod position indication system can continue to function (at reduced accuracy) when one channel fails. Multiplexing is used to transmit the digital position signals from the containment electronics to the control board display unit.

The control board display unit contains a column of light-emitting-diodes (LEDs) for each rod. At any given time, the one LED illuminated in each column shows the position for that particular rod. Since shutdown rods are always fully withdrawn with the plant at power, their position is displayed to +/-4 steps only from rod bottom to 18 steps and from 210 steps to 228 steps. All intermediate positions of the rod are represented by a single "transition" LED. Each rod of the control banks has its position displayed to +/-4 steps throughout its range of travel.

Included in the system is a rod at bottom signal for each rod that operates a local alarm. Also a control room annunciator is actuated when any shutdown rod or control bank A rod is at bottom.

b. Demand position system

The demand position system counts pulses generated in the rod drive control system to provide a digital readout of the demanded bank position.

The demand position and digital rod position indication systems are separate systems, but safety criteria were not involved in the separation, which was a result only of operational requirements. Operating procedures require the reactor operator to compare the demand and indicated (actual) readings from the rod position indication system so as to verify operation of the rod control system.

7.7.1.3.3 Control Bank Rod Insertion Monitoring

When the reactor is critical, an indication of reactivity status in the core is the position of the control bank in relation to reactor power (as indicated by the reactor coolant system loop ΔT) and coolant average temperature. Insertion limits for the control banks are defined as a function of reactor power.

The purpose of the control bank rod insertion monitor is to give warning to the operator of excessive rod insertion. The monitor is comprised of two alarms:

a. The "low" alarm alerts the operator of an approach to the Rod Insertion Limits; and
b. The "low-low" alarm alerts the operator to take actions required by the Technical Specifications to: (a) verify shutdown margin or add boron to the

their insertion limits.

The Rod Insertion Limit maintains sufficient core reactivity shutdown margin following reactor trip, provides a limit on the maximum reactivity addition (ejected rod worth) in the unlikely event of a hypothetical rod ejection, and limits rod insertion so that acceptable nuclear peaking factors are maintained. Since the amount of shutdown reactivity required for the design shutdown margin following a reactor trip increases with increasing power, the allowable rod insertion limits must be decreased (the rods must be withdrawn further) with increasing power. Two parameters which are proportional to power are used as inputs to the insertion monitor. These are the ΔT between the hot leg and the cold leg, which is a direct function of reactor power, and Tavg, which is programmed as a function of power.

The rod insertion monitor uses parameters for each control rod bank as follows:

ZLL = A (ΔT)auct + B (Tavg)auct + C Maximum Value

where:

ZLL = Low-Low alarm setpoint;
(ΔT)auct = highest ΔT of all loops;
(Tavg)auct = highest Tavg of all loops;
A, B, C = constants chosen to maintain rod insertion above the actual Rod Insertion Limit based on physics calculations; and
Maximum Value = a limit imposed on ZLL when an individual control rod bank is required to be fully withdrawn based on power level.

The control rod bank demand position (Z) is compared to ZLL as follows:

If Z - ZLL D, a low alarm is actuated; and If Z - ZLL E, a low-low alarm is actuated.

Since the highest values of Tavg and ΔT are chosen by auctioneering, a conservatively high representation of power is used in the insertion limit calculation.

The value for "D" is chosen to alert the operator of an approach to the Rod Insertion Limit. The value for "E" is chosen so that the low-low alarm would normally be actuated before the insertion limit is exceeded.

control bank D, whereas at low power it would be control banks A, B, or C. Upon a mand to step rods in, the overlap function ensures that the first bank to insert is the bank that is not required to be fully withdrawn. Thus, due to the operation of the overlap function, the monitor provides the operator with correct notification that the insertion limit is being approached or exceeded.

If a bank is operated in the individual bank select mode, the overlap counter does not function. Therefore, the rod insertion monitor does not work correctly for that bank, if power level is such that that bank is required to be withdrawn. This is only done during surveillance testing, troubleshooting, or recovery of a partially dropped rod. During such evolutions, the operators' attention is directed toward the control rods.

The Maximum Value is applied to eliminate invalid alarms when rods are fully withdrawn.

The rods can be operated at any position above the Rod Insertion Limit, and be fully withdrawn. Without the Maximum Value feature, the low alarm would continuously be actuated for the control banks that are required to be fully withdrawn due to power level.

In addition, analog instrument loop calibration tolerances could also lead to invalid low-alarms for these banks. During control rod surveillance testing, the Maximum Value feature is also needed to allow the alarms to reset after the surveillance is completed.

Figure 7.7-2 shows a block diagram representation of the control rod bank insertion monitor. The monitor is shown in more detail on the functional diagrams shown in Figure 7.2-1 (Sheet 9). In addition to the rod insertion monitor for the control banks, the plant computer, which monitors individual rod positions, provides an alarm that is associated with the rod deviation alarm discussed in Section 7.7.1.3.4 to warn the operator if any shutdown RCCA leaves the fully withdrawn position.

Rod insertion limits are established by:

a. Establishing the allowed rod reactivity insertion at full power consistent with the purposes given above.
b. Establishing the differential reactivity worth of the control rods when moved in normal sequence.
c. Establishing the change in reactivity with power level by relating power level to rod position.
d. Linearizing the resultant limit curve.

All key nuclear parameters in this procedure are measured as part of the initial and periodic physics testing program.

An unexpected change in the position of the control bank under automatic control, or a change in coolant temperature under manual control, provides a direct and immediate

provide an additional check on the reactivity status of the reactor, including core depletion.

7.7.1.3.4 Rod Deviation Alarm

The position of any control rod is compared to the position of other rods in the bank. A deviation alarm is generated by the digital rod position indication system if a preset deviation limit is exceeded. The deviation alarm of a shut-down rod is based on a set insertion limit being exceeded.

The demanded and measured rod position signals are also monitored by the plant computer which provides a visual printout and an audible alarm whenever an individual position signal deviates from the other rods in the bank by a preset limit. The alarm can be set with appropriate allowance for instrument error and within sufficiently narrow limits to preclude exceeding core design hot channel factors.

Figure 7.7-3 is a block diagram of the rod deviation comparator and alarm system implemented by the plant computer. Additionally, the digital rod position indication system contains rod deviation circuitry that detects and alarms the following conditions:

a. When any two rods within the same control bank are misaligned by a preset distance ( 12 steps), and
b. When any shutdown rod is below the full-out position by a preset distance (18 steps).

7.7.1.3.5 Rod Bottom Alarm

The rod bottom signal for the control rods in the digital rod position indication system is used to operate a control relay, which generates the "ROD BOTTOM ROD DROP" alarm.

7.7.1.4 Plant Control System Interlocks

A listing of the plant control system interlocks, along with the description of their derivations and functions, is presented in Table 7.7-1. The designation numbers for these interlocks are preceded by "C." The development of these logic functions is shown in the functional diagrams (see Figure 7.2-1, Sheets 9 through 16).

7.7.1.4.1 Rod Stops

Rod stops are provided to prevent abnormal power conditions which could result from excessive control rod withdrawal initiated by operator violation of administrative procedures.

withdrawal which is no longer available at Callaway. The C-3 rod stop derived from overtemperature ΔT and the C-4 rod stop derived from overpower ΔT are also used for turbine runback, which is discussed below.

7.7.1.4.2 Automatic Turbine Load Runback

Automatic turbine load runback is initiated by an approach to an overpower or overtemperature condition. This will prevent high power operation that might lead to an undesirable condition, which, if reached, will be protected by reactor trip.

Turbine load reference reduction is initiated by either an overtemperature or overpower signal. Two-out-of-four coincidence logic is used.

A rod stop and turbine runback are initiated when ΔT > ΔTrod stop for both the overtemperature and the overpower condition.

For either condition in general

ΔTrod stop = ΔTsetpoint - Bp

where:

Bp = a setpoint bias

where ΔTsetpoint refers to the overtemperature ΔT reactor trip value and the overpower reactor trip value for the two conditions.

The turbine runback is continued until ΔT is equal to or less than ΔTrod stop.

This function serves to maintain an essentially constant margin to trip.

7.7.1.5 Pressurizer Pressure Control

The reactor coolant system pressure is controlled by using either the heaters (in the water region) or the spray (in the steam region) of the pressurizer plus steam relief for large transients.

The electrical immersion heaters are located near the bottom of the pressurizer. A portion of the heater group is proportionally controlled to correct small pressure variations. These variations are caused by heat losses, including heat losses due to a

ter power.

The spray nozzle is located on the top of the pressurizer. Spray is initiated when the pressure controller spray demand signal is above a given setpoint. The spray rate increases proportionally with increasing spray demand signal until it reaches a maximum value.

Steam condensed by the spray reduces the pressurizer pressure. A small continuous spray is normally maintained to reduce thermal stresses and thermal shock and to help maintain uniform water chemistry and temperature in the pressurizer.

Power relief valves limit system pressure for large positive pressure transients. In the event of a large load reduction, not exceeding the design plant load rejection capability, the pressurizer power-operated relief valves might be actuated for the most adverse conditions, e.g., the most negative Doppler coefficient and the maximum incremental rod worth. The relief capacity of the power-operated relief valves is sized large enough to limit the system pressure to prevent actuation of high pressure reactor trip for the above condition. The automatic actuation circuitry for the PORVs has been upgraded to Class 1E.

A block diagram of the pressurizer pressure control system is shown on Figure 7.7-4.

7.7.1.6 Pressurizer Water Level Control

The pressurizer operates by maintaining a steam cushion over the reactor coolant. As the density of the reactor coolant varies with temperature, the steam water interface is adjusted to compensate for cooling density variations with relatively small pressure disturbances.

The water inventory in the reactor coolant system is maintained by the chemical and volume control system. During normal plant operation, the charging flow varies to produce the flow demanded by the pressurizer water level controller. The pressurizer water level is programmed as a function of coolant average temperature, with the highest average temperature (auctioneered) being used. The pressurizer water level decreases as the load is reduced from full load. This is a result of coolant contraction following programmed coolant temperature reduction from full power to low power. The programmed level is designed to match as nearly as possible the level changes resulting from the coolant temperature changes.

To control pressurizer water level during startup and shutdown operations, the charging flow is manually regulated from the main control room. The letdown line isolation valves are closed on low pressurizer level.

A block diagram of the pressurizer water level control system is shown on Figure 7.7-5.

Each steam generator is equipped with a three-element feedwater flow controller which maintains a programmed water level which is a function of turbine load. The three-element feedwater controller regulates the feedwater valve by continuously comparing the feedwater flow signal, the water level signal, the programmed level, and the pressure compensated steam flow signal. The feedwater pump speed is varied to maintain a programmed pressure differential between the steam header and the feedwater pump discharge header. The speed controller continuously compares the actual ΔP with a programmed ΔPref which is a linear function of steam flow. The median of three feedwater header pressure inputs is used to develop a feedwater header pressure input to the digital feedwater control system (DFWCS). Similarly, the median of three steam header pressure inputs is used to develop a steam header pressure input to the digital feedwater control system, and the median of three main feedwater pump speed inputs is used to develop a pump speed input to the digital feedwater control system. This allows the loss of a single input without adversely impacting the control system. Failure or excessive drifting of an input results in the control system switching to the average of the remaining two signals. Continued delivery of feedwater to the steam generators is required as a sink for the heat stored and generated in the reactor following a reactor trip and turbine trip. An override signal (P-4 coincident with low Tavg) closes all feedwater valves, if not bypassed, when the average coolant temperature is below a given temperature and the reactor has tripped (not part of the primary success path for accidents mitigation in Chapter 15). Manual override of the feedwater control system is available at all times. Five means are provided to override the control signal from the steam generator water level control system:

a. Manual control
b. Low-low SG water level (ensures AFW delivery for residual and decay heat removal)
c. High-high SG water level (prevents SG overfill and excessive moisture carryover to the turbine)
d. P-4 coincident with low Tavg (back-up protection against excessive RCS cooldown)
e. SIS (lessens severity of secondary line breaks inside containment by isolating main feedwater flow).

These override features are shown on Figure 7.2-1, sheets 13 and 14.
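The median-of-three input selection described above for the DFWCS header pressure and pump speed inputs, with its fallback to the average of the remaining two signals, can be sketched as follows. This is an added example, not DFWCS code and not part of the original report; the range limits, the drift limit, the way drift is detected (distance from the median), the handling of fewer than two good inputs and all readings are assumptions constructed for illustration.

```python
# Added illustration of median signal selection; not DFWCS code.
from statistics import mean, median


def select_input(readings, lo, hi, drift_limit):
    """Pick one control value from three redundant readings.

    readings    : three floats, or None for an input reported as failed
    lo, hi      : assumed instrument range; readings outside it count as failed
    drift_limit : assumed maximum distance from the median before an input
                  is treated as excessively drifted
    Returns (value, mode, rejected_indices).
    """
    usable = {i: r for i, r in enumerate(readings)
              if r is not None and lo <= r <= hi}
    rejected = [i for i in range(len(readings)) if i not in usable]

    if len(usable) == 3:
        mid = median(usable.values())
        drifted = [i for i, r in usable.items() if abs(r - mid) > drift_limit]
        if len(drifted) == 1:
            # One input has drifted away from the other two: drop it and
            # fall through to the two-signal average described in the text.
            rejected.append(drifted[0])
            del usable[drifted[0]]
        else:
            # Either all three agree, or they disagree so badly that no single
            # input can be blamed (this second case is not covered by the text).
            mode = "median" if not drifted else "median_inputs_disagree"
            return mid, mode, sorted(rejected)

    if len(usable) == 2:
        a, b = usable.values()
        return (a + b) / 2, "average_of_two", sorted(rejected)

    # Fewer than two good inputs: the text does not describe this case,
    # so the example only reports that no validated value exists.
    return None, "no_valid_input", sorted(rejected)


def naive_mean(readings):
    """Plain average of all reported values, for comparison with the median."""
    return mean(r for r in readings if r is not None)


if __name__ == "__main__":
    # Constructed header pressure readings in psig.
    cases = [
        [1000.0, 1002.0, 998.0],    # healthy
        [1000.0, 1002.0, 1100.0],   # one input drifting high
        [1000.0, None, 1004.0],     # one input failed
        [1000.0, 1600.0, 1002.0],   # one input out of range
        [None, None, 1000.0],       # two inputs failed
    ]
    for case in cases:
        print(case, "->", select_input(case, 0.0, 1500.0, 20.0))
    print("naive mean with one drifting input:", naive_mean(cases[1]))
```

With one input drifting high, the plain average moves by tens of psi while the selected value stays within the spread of the two good inputs, which is the property the text relies on when it says a single input can be lost without adversely impacting the control system.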

When the nuclear plant is operating at very low power levels (as during startup), the steam and feedwater flow signals will not be usable for control. Therefore, a secondary automatic control system is provided for operation at low power. This system uses the

Switchover from the bypass feedwater control system (low power) to the main feedwater control system is initiated by the operator at approximately 25 percent power, and can be completed either automatically by the DFWCS or manually by the control room operators.

Block diagrams of the steam generator water level control system and the main feedwater pump speed control system are shown in Figures 7.7-6 and 7.7-7.

7.7.1.8 Steam Dump Control

The steam dump system, together with control rod movement, is designed to accept a percent loss of net load without tripping the reactor.

The automatic steam dump system is able to accommodate this abnormal load rejection and to reduce the effects of the transient imposed upon the reactor coolant system. By bypassing main steam directly to the condenser, an artificial load is thereby maintained on the primary system. The rod control system can then reduce the reactor temperature to a new equilibrium value without causing overtemperature and/or overpressure conditions. The steam dump steam flow capacity is 40 percent of full load steam flow at full load steam pressure.

If the difference between the reference Tavg (Tref) based on turbine impulse chamber pressure and the lead-lag compensated auctioneered Tavg exceeds a predetermined amount, and the interlock mentioned below is satisfied, a demand signal will actuate the steam dump to maintain the reactor coolant system temperature within control range until a new equilibrium condition is reached.

To prevent actuation of steam dump on small load perturbations, an independent load rejection sensing circuit is provided. This circuit senses the rate of decrease in the turbine load, as detected by the turbine impulse chamber pressure. It is provided to unblock the dump valves when the rate of load rejection exceeds a preset value corresponding to a 10-percent step load decrease or a sustained ramp load decrease of percent per minute.

A block diagram of the steam dump control system is shown on Figure 7.7-8.

7.7.1.8.1 Load Rejection Steam Dump Controller

This circuit prevents a large increase in reactor coolant temperature following a large, sudden load decrease. The error signal is a difference between the lead-lag compensated auctioneered Tavg and the reference Tavg based on turbine impulse chamber pressure.

normal power operation as described in Section 10.4.7.2.3, or (b) Tavg coastdown operation as described in Section 15.0.2.2. In the case of normal power reduced Tavg operation, the evaluated value of Tavg must be implemented in the control system for proper controller function. For Tavg coastdown operation, the evaluated value of Tavg is not required to be implemented; however, the load rejection controller gain and steam dump valve open setpoints will require adjustment as described in Section 15.0.2.2.

The Tavg signal is the same as that used in the reactor coolant system. The lead-lag compensation for the Tavg signal is to compensate for lags in the plant thermal response and in valve positioning. Following a sudden load decrease, Tref is immediately decreased and Tavg tends to increase, thus generating an immediate demand signal for steam dump. Since control rods are available in this situation, steam dump terminates as the error comes within the maneuvering capability of the control rods.

7.7.1.8.2 Plant Trip Steam Dump Controller

Following a reactor trip, the load rejection steam dump controller is defeated, and the plant trip steam dump controller becomes active. Since control rods are not available in this situation, the demand signal is the error signal between the lead-lag compensated auctioneered Tavg and the no-load reference Tavg. When the error signal exceeds a predetermined setpoint, the dump valves are tripped open in a prescribed sequence. As the error signal reduces in magnitude, indicating that the RCS Tavg is being reduced toward the reference no-load value, the dump valves are modulated by the plant trip controller to regulate the rate of removal of decay heat and thus gradually establish the equilibrium hot shutdown condition.

7.7.1.8.3 Steam Header Pressure Controller

Residual heat removal at operating temperature is maintained by the steam generator pressure controller (manually selected) which controls the amount of steam flow to the condensers. This controller operates a portion of the same steam dump valves to the condensers which are used during the initial transient following turbine or reactor trip on load rejection.

7.7.1.9 Incore Instrumentation

The incore instrumentation system consists of chromel-alumel thermocouples (described in Section 18.2.13.2) at fixed core outlet positions and movable miniature neutron detectors which can be positioned at the center of selected fuel assemblies, anywhere along the length of the fuel assembly vertical axis. The basic system for insertion of these detectors is shown in Figure 7.7-9.

omel-alumel thermocouples are threaded into guide tubes that penetrate the reactor sel head through seal assemblies, and terminate at the exit flow end of the fuel emblies. The thermocouples are provided with two primary seals--a conoseal and pression-type seal from conduit to head. Thermocouple readings are monitored by computer.

.1.9.2 Movable Neutron Flux Detector Drive System iature fission chamber detectors can be remotely positioned in retractable guide bles to provide flux-mapping of the core. The stainless steel detector shell is welded he leading end of the helical wrap drive cable and to stainless steel sheathed coaxial le. The retractable thimbles, into which the miniature detectors are driven, are hed into the reactor core through conduits which extend from the bottom of the ctor vessel down through the concrete shield area and then up to a thimble seal table.

Their distribution over the core is nearly uniform with about the same number of thimbles located in each quadrant.

The thimbles are closed at the leading ends, are dry inside, and serve as the pressure barrier between the reactor water pressure and the atmosphere. For each thimble, an inline magnetic isolation ball check valve, located above the seal table, provides a second barrier between the reactor water pressure and the atmosphere. Mechanical seals between the retractable thimbles and the conduits are provided at the seal table.

During reactor operation, the retractable thimbles are stationary. They are extracted downward from the core during refueling to avoid interference within the core. A space above the seal table is provided for the retraction operation.

The drive system for the insertion of the miniature detectors consists basically of drive assemblies, 6-path transfer assemblies, and 15-path transfer assemblies, as shown in Figure 7.7-9. The drive system pushes hollow helical wrap drive cables into the core with the miniature detectors attached to the leading ends of the cables and small diameter sheathed coaxial cables threaded through the hollow centers back to the ends of the drive cables. Each drive assembly consists of a gear motor which pushes a helical wrap drive cable and a detector through a selective thimble path by means of a special drive box and includes a storage device that accommodates the total drive cable length.

Each detector has access to all thimble locations via the 6- and 15-path rotary assemblies.

.1.9.3 Control and Readout Description

The control and readout system provides means for inserting the miniature neutron detectors into the reactor core and withdrawing the detectors while plotting neutron flux versus detector position. The control system is located in the control room. Limit switches in each transfer device provide feedback of path selection operation. Each gear box drives a resolver for position feedback. One 6-path transfer selector is provided

any one of up to 15 selectable paths. A common path is provided to permit cross calibration of the detectors.

The control room contains the necessary equipment for control, position indication, and recording for each detector.

"Flux-mapping" consists, briefly, of selecting flux thimbles in given fuel assemblies at various core quadrant locations. The detectors are driven to the top of the core and stopped automatically. An x-y plot (position versus flux level) is initiated with the slow withdrawal of the detectors through the core from top to a point below the bottom. In a similar manner, other core locations are selected and plotted. Each detector provides axial flux distribution data along the center of a fuel assembly.

Various radial positions of detectors are then compared to obtain a flux map for a region of the core.

The number and location of these thimbles have been chosen to permit measurement of local-to-average peaking factors to an accuracy of +/-5 percent (95-percent confidence).

Measured nuclear peaking factors will be increased by 5 percent to allow for this accuracy. If the measured power peaking is larger than acceptable, reduced power capability will be indicated.

Operating plant experience has demonstrated the adequacy of the incore instrumentation in meeting the design bases stated.

.1.9.4 Power Distribution Monitoring System

As an enhancement to power distribution measurement and indication capability, the power distribution monitoring system (PDMS) is provided, which consists of a set of coupled but independent computer software programs that execute on one or more workstations to generate an on-line, three-dimensional indication of the core power distribution. The PDMS uses the flux map together with a three-dimensional analytical model to yield the continuously measured three-dimensional power distribution. The movable incore neutron detectors are used to calibrate the PDMS.

.1.10 Boron Concentration Monitoring System

The boron concentration monitoring system utilizes a sampler assembly unit which contains a neutron source and neutron detector located in a shield tank. A thermal neutron absorption technique is used. Piping within the shield tank is arranged to provide coolant sample flow between the neutron source and the neutron detector.

Neutrons originating at the source are thermalized in the sample and the surrounding moderator. These neutrons then pass through the sample and impinge upon the detector. The number of neutrons which survive the transit from the source to the

per transfer function. The neutron cross-section of the boron in the sample is also a function of the neutron energy and, subsequently, the sample temperature. Therefore, sample temperature is also monitored and the transfer function from the neutron countrate to boron concentration modified to compensate for the variance of temperature.

The processor assembly is used to convert the neutron countrate and temperature data from the sampler assembly to parts per million (ppm) of boron, and to prepare the data for local and remote display. The system characteristics are listed in Table 7.7-2.

a. Sampler assembly

The sampler assembly consists of a polyethylene cylinder encased in a stainless steel liner (see Figure 7.7-10). The polyethylene serves as a neutron moderator and shield. A cavity (source tube) is located in the center of the shield into which is inserted a neutron source on the end of a polyethylene rod (source plug). Immediately adjacent to the source tube is a second larger cavity into which an annulus assembly and a top plug assembly are inserted. Details of these two assemblies are shown in Figure 7.7-11.

The annulus assembly consists of two concentric tubes with top and bottom plates. A neutron detector is positioned inside the smaller tube.

The coolant sample is circulated between the concentric tubes. The sample is brought into and taken out of the annular region via tubes provided for connection to plant piping. The entire assembly is made of stainless steel.

The top plug assembly consists of a polyethylene plug with appropriate ports for the input and output tubes and the detector signal cable. A stainless steel top plate is provided for mounting to the sampler assembly.

b. Processor assembly

The processor assembly controls the operation of the system. It processes the neutron countrate and temperature data from the sampler assembly, displays the calculated boron concentration, and transmits the result for remote display. A block diagram which depicts the functional operation of the processor assembly is shown in Figure 7.7-12. The neutron countrate and sample temperature measurements are processed to a microprocessor. The microprocessor repeatedly solves an algorithm to convert the input information to a boron concentration measurement. In order to make the above calculation, several constants are required.

These constants are determined by calibration and are entered in the

format.

c. Remote display assembly

The function of this unit is to display the boron concentration at a location (usually in the control room) remote from the processor assembly. This remote display may be located up to 1,000 feet from the processor assembly. Boron concentration data generated at the processor assembly is transmitted over a twisted shielded pair. The remote display assembly contains the circuits necessary to decode and display the data.

The boron concentration monitoring system is designed for use as an advisory system. It is not designed as a safety system or component of a safety system. The boron concentration monitoring system is not part of a control element or control system, nor is it designed for this use. No credit is taken for this system in any accident analysis. Therefore, redundancies of measurement components, self checking subsystems, malfunction annunciations, and diagnostic circuitry are not included in this system.

However, watchdog circuitry provides the operator with appropriate indication if the data becomes stale or frozen. As a general operating aid, it provides information as to when additional check analyses are warranted, rather than a basis for fundamental operating decisions. During normal plant operations, the boron concentration varies between 0 and 1,800 ppm.

The boron concentration monitoring system operates within a +/-10 ppm range.

.1.11 ATWS Mitigation System Actuation Circuitry

The ATWS Mitigation System Actuation Circuitry (AMSAC) automatically initiates auxiliary feedwater flow, isolates Steam Generator blowdown and sample lines, and initiates a turbine trip under conditions indicative of an Anticipated Transient Without Scram (ATWS) event.

.1.11.1 SYSTEM DESCRIPTION

The AMSAC equipment is located in the control room and consists of logic assemblies, isolation devices, and interconnecting cables interfacing with other plant equipment.

Four Reactor Protection System (RPS) narrow range steam generator level loops and RPS turbine impulse pressure loops provide inputs to AMSAC from the 7300 racks.

The AMSAC logic outputs go to the Balance of Plant (BOP) Engineered Safety Features Actuation System (ESFAS) and Turbine Generator ElectroHydraulic Control (EHC) cabinets.

impulse pressure signals are above 40% reactor power (1432 MWt), which enables the C-20 permissive. The AMSAC is armed (C-20 permissive) above 40% reactor power and disabled 360 seconds after 1 out of 2 power signals falls below 40%. The 25 second AMSAC time delay allows the RPS to operate first. Whereas AMSAC must be armed above 40% reactor power, the actual setpoint has been established as 34.9% reactor power to allow for instrument loop inaccuracy.

AMSAC actuation causes the BOP-ESFAS system to start the AFW pumps, close the steam generator blowdown isolation valves and close the steam generator sample isolation valves. The safety-related systems (RPS and BOP-ESFAS) are isolated from AMSAC through qualified isolation devices, as shown on Figure 7.7-16. AMSAC also provides signals to the EHC cabinets which energize the 125 Vdc trip bus and trip the turbine.

AMSAC provides two main control board annunciators and several local indicating lights.

One control room annunciator (normally de-energized; energize to alarm) indicates that AMSAC actuation will occur after a 25 second time delay (AMSAC pre-trip alarm) and the other annunciator (normally energized; de-energize to alarm) is an AMSAC panel trouble alarm that indicates several miscellaneous AMSAC trouble conditions (e.g., C-20 permissive circuitry fails to arm above 40% reactor power, master bypass switch closed for test or maintenance, operating bypass switch closed for testing individual logic inputs, electronic module out of service, monitor module logic test, loss of power supply, or self diagnostics indicate logic assembly failure).

The local indicating lights on the AMSAC logic cabinet include:

a. AMSAC pre-trip light
b. AMSAC panel trouble light (illuminated when any of the above AMSAC panel trouble control room annunciator conditions exist)
c. 5 bypass lights (one master bypass light, 3 individual logic assembly bypass lights, and one operating bypass light for testing individual logic inputs)
d. AMSAC logic trouble light (illuminated when any of the logic assemblies fail or when the C-20 permissive circuitry fails to arm above 38% reactor power)
e. AMSAC armed light (C-20 permissive)
f. power supply trouble light
g. 9 logic assembly, individual relay status (partial trip) lights
i. electronic module out of service light

AMSAC cannot be manually reset by the operators until after its mitigating actions are completed. AMSAC actuates automatically; there is no manual AMSAC initiation.

AMSAC is automatically armed above 40% power and bypassed below 40% power.

AMSAC initiates auxiliary feedwater flow within 90 seconds of an ATWS event and a turbine trip within 30 seconds of an ATWS event (including sensor and relay delays).

AMSAC utilizes three identical logic assemblies, diverse from the SSPS, and a 2 out of 3 actuation logic to prevent inadvertent trips due to the AMSAC circuitry and improve reliability. Testing of AMSAC through the final actuation devices will be performed every refueling outage.

References 3-5 provide additional discussions on AMSAC diversity from the RPS, logic power supplies, safety-related interfaces via Class 1E isolation devices, graded QA program, maintenance and testing bypasses via permanently installed bypass switches annunciated by the previously mentioned trouble alarm, electrical independence and physical separation from the RPS, testability at power in bypass, and completion of mitigative action once initiated. The steam generator level sensors used for input to AMSAC are different than those used to drive the steam generator level control system, thereby precluding adverse control system interactions. The logic power supply, 125

, is independent from the RPS power supplies. AMSAC is capable of performing its intended function upon a loss of offsite power. Removal of the C-20 permissive signal is delayed by 360 seconds to avoid blocking AMSAC before it can perform its function in the event a turbine trip occurs. Existing protection system level transmitters, sensing lines, and sensor power supplies are used for input to AMSAC. Input isolation is attained via 7300 isolation cards; output isolation is attained via isolation relays before going to the BOP-ESFAS. AMSAC output can be disabled via the master bypass switch to avoid actuation during maintenance and testing. Each of the three logic assemblies is also provided with an individual bypass switch to permit troubleshooting and repair. The AFW actuation and turbine trip relay contacts are normally open; these are energize to trip functions.
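The arming, delay and voting behaviour described in this section can be exercised with the following Python model, which is an added example and not part of the FSAR or of any Callaway or vendor logic. The 40% C-20 threshold, the 360 second permissive drop-out delay, the 25 second actuation delay and the 2 out of 3 vote come from the text; the low-level setpoint, the 3-of-4 level coincidence, the fault labels and the scenarios are assumptions constructed for illustration.

```python
"""Discrete-time (1 s step) model of the AMSAC arming, delay and voting logic."""

C20_ARM_PCT = 40.0       # page: C-20 permissive arms above 40% reactor power
C20_DROP_DELAY_S = 360   # page: C-20 removal is delayed by 360 seconds
ACTUATION_DELAY_S = 25   # page: 25 second delay lets the RPS operate first
LOW_LEVEL_PCT = 10.0     # ASSUMPTION: low-level setpoint is not given on the page
LOW_LEVEL_LOOPS = 3      # ASSUMPTION: 3-of-4 level coincidence is not given on the page


class LogicAssembly:
    """One of the three identical logic assemblies."""

    def __init__(self, fault=None, drop_delay=C20_DROP_DELAY_S):
        self.fault = fault            # None, "dead" (never trips), "spurious" (always trips)
        self.drop_delay = drop_delay
        self.armed = False
        self.below_since = None       # when a power signal first fell to 40% or less
        self.low_since = None         # when the armed low-level condition began

    def step(self, t, power_signals, sg_levels):
        """Advance to time t and return this assembly's partial-trip output."""
        if all(p > C20_ARM_PCT for p in power_signals):
            self.armed, self.below_since = True, None
        else:
            # 1 out of 2 power signals low: hold the permissive for drop_delay seconds.
            if self.below_since is None:
                self.below_since = t
            if t - self.below_since >= self.drop_delay:
                self.armed = False

        low = sum(level < LOW_LEVEL_PCT for level in sg_levels) >= LOW_LEVEL_LOOPS
        if low and self.armed:
            if self.low_since is None:
                self.low_since = t
        else:
            self.low_since = None
        timed_out = self.low_since is not None and t - self.low_since >= ACTUATION_DELAY_S

        if self.fault == "dead":
            return False
        if self.fault == "spurious":
            return True
        return timed_out


def run(scenario, faults=(None, None, None), drop_delay=C20_DROP_DELAY_S, duration=600):
    """Return the first second at which 2 of 3 assemblies vote to actuate, else None."""
    assemblies = [LogicAssembly(f, drop_delay) for f in faults]
    for t in range(duration):
        power_signals, sg_levels = scenario(t)
        votes = sum(a.step(t, power_signals, sg_levels) for a in assemblies)
        if votes >= 2:
            return t
    return None


# Constructed scenarios: each returns (two power signals in %, four SG levels in %).
# The power signals stand in for the turbine impulse pressure inputs.
def loss_of_feedwater(t):
    """Levels collapse at t=10 s; a turbine trip at t=20 s drops both power signals."""
    levels = [50.0] * 4 if t < 10 else [5.0] * 4
    power = [100.0, 100.0] if t < 20 else [0.0, 0.0]
    return power, levels


def steady_full_power(t):
    """Normal operation: no low-level condition is ever present."""
    return [100.0, 100.0], [50.0] * 4


def low_level_at_low_power(t):
    """Low levels below the arming threshold: C-20 never arms."""
    return [30.0, 30.0], [5.0] * 4


if __name__ == "__main__":
    print("actuation with 360 s hold:", run(loss_of_feedwater))
    print("actuation with no hold   :", run(loss_of_feedwater, drop_delay=0))
    print("one assembly dead        :", run(loss_of_feedwater, faults=("dead", None, None)))
    print("one assembly spurious    :", run(steady_full_power, faults=("spurious", None, None)))
```

With the 360 second hold the vote completes 25 seconds after the low-level condition appears even though the turbine trip has already removed the power signals; with the hold set to zero the same transient never actuates, which is the blocking case the delay is there to avoid.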

.1.11.2 NONSAFETY-RELATED QUALITY ASSURANCE PROGRAM FOR AMSAC EQUIPMENT

The Quality Assurance Program for Nonsafety-Related AMSAC Equipment invokes certain criteria of 10CFR50 Appendix B. This section uses guidance that was developed by the NRC to assist the industry in compliance with the requirements of 10CFR50.62(d).

The objective of this section is to provide a description of quality assurance criteria applicable to the reliable operation of the AMSAC equipment. This program replaces the one described by ULNRC 1472 attachment 1.

Callaway Plant's existing line organizations are responsible for compliance with this program. No separate or unique organization is required to implement the requirements of this program.

.1.11.2.2 PROGRAM

Plant procedures provide the requirements for implementing this nonsafety-related quality assurance program. These procedures are also used to implement the requirements of this program.

.1.11.3 DESIGN CONTROL

Design control shall involve measures to ensure design specifications are included or translated into design documents. Safety evaluations shall be performed as required by 10CFR50.59, for design activities. Normal supervisory review of a designer's work is considered an adequate control measure.

Design control for contractor and subcontractor organizations requires no additional controls other than those Callaway Plant imposes on its own design control.

.1.11.4 PROCUREMENT DOCUMENT CONTROL

Provisions shall be established to ensure system specifications and quality requirements, where applicable, are included in procurement documents.

.1.11.5 INSTRUCTIONS, PROCEDURES AND DRAWINGS

Activities associated with nonsafety-related AMSAC equipment shall be accomplished in accordance with documented instructions, procedures, drawings, checklists or any methodology which provides the appropriate degree of guidance to personnel performing quality related activities.

Maintenance conducted on equipment under this program shall be planned, controlled by procedures, and documented. Work shall be based on vendor information. Any departure from vendor guidance shall be based on adequate engineering rationale.

.1.11.6 DOCUMENT CONTROL

Controls shall be established to control changes to documents affecting quality.

Measures shall be established to ensure all purchases conform to the appropriate procurement documents. Acceptance by receipt inspection may be used as a means of acceptance.

.1.11.8 IDENTIFICATION AND CONTROL OF MATERIALS, PARTS AND COMPONENTS

The identification and control of materials, parts and components shall be accomplished in accordance with station procedures and apply to materials, parts, and components during storage, installation or use. These procedures shall address control of storage of environmentally sensitive equipment or material and storage of equipment or material that has a limited shelf-life.

.1.11.9 SPECIAL PROCESSES

Measures shall be established to control special processes. Examples of processes that shall be controlled include welding, heat treating and non-destructive testing. Applicable codes, standards, specifications, criteria and other special requirements may serve as the basis of these controls.

.1.11.10 INSPECTION

Inspections shall be established for activities affecting quality. Inspections are performed to verify these activities conform to available documentation, or, if no documentation is available, to verify the activities are being satisfactorily accomplished. The line organization is responsible for determining the inspection requirements and for ensuring that sufficient inspections are performed. Inspections need not be performed by individuals independent of the line organization. Inspections shall be performed by knowledgeable individuals.

.1.11.11 TEST CONTROL

Testing shall be performed periodically and the results evaluated to ensure testing requirements have been satisfied. Testing frequency shall be prescribed by the plant procedures, as opposed to the Technical Specifications.

.1.11.12 CONTROL OF MEASURING AND TEST EQUIPMENT

Controls shall be established to control, calibrate and adjust measuring and test equipment at specific intervals.

Measures shall be established to control handling, storage, shipping, cleaning and preservation of purchases in accordance with Callaway Plant practices and manufacturer's recommendations.

.1.11.14 INSPECTION, TEST AND OPERATING STATUS

Measures shall be established to indicate status of inspection, test and operability of installed nonsafety-related AMSAC equipment.

.1.11.15 NONCONFORMING MATERIAL, PARTS OR COMPONENTS

Material nonconformances shall be identified and controlled in accordance with the requirements of Callaway Plant procedures. The reporting requirements of 10CFR21 do not apply to nonsafety-related AMSAC equipment.

.1.11.16 CORRECTIVE ACTION

Measures shall be established for the prompt correction of conditions adverse to quality and to preclude the repetition of conditions adverse to quality.

.1.11.17 RECORDS

Measures shall be established to maintain and control records of activities in accordance with the requirements of 10CFR50.59. Measures shall be established to maintain and control appropriate records to ensure that the requirements specified in the table accompanying the ATWS rule (49 FR 26036, pp 26042-26043) have been met.

.1.11.18 AUDITS

Independent audits are not required, if line management periodically reviews the adequacy of the quality controls and takes any necessary corrective action. Line management is responsible for determining whether reviews conducted by line management or audits conducted by an organization independent of line management is appropriate.

.2 ANALYSIS

The plant control systems are designed to assure high reliability in any anticipated operational occurrences. Equipment used in these systems is designed and constructed with a high level of reliability.

Proper positioning of the control rods is monitored in the control room by bank arrangements of the individual position columns for each RCCA. A rod deviation alarm alerts the operator of a deviation of one RCCA from the other rods in that bank position.

chambers also detect asymmetrical flux distribution indicative of rod misalignment.

Overall reactivity control is achieved by the combination of soluble boron and RCCAs.

Long-term regulation of core reactivity is accomplished by adjusting the concentration of boric acid in the reactor coolant. Short-term reactivity control for power changes is accomplished by the RCCAs.

The axial core power distribution is controlled by moving the control rods through changes in RCS boron concentration. Adding boron will reduce Tavg and require the operator to manually withdraw control rods, thereby reducing the amount of power in the bottom of the core. This allows power to redistribute toward the top of the core.

Reducing the boron concentration causes the rods to move into the core, thereby reducing the power in the top of the core. As a result, power is redistributed toward the bottom of the core.

The plant control systems will prevent an undesirable condition in the operation of the plant that, if reached, will be protected by reactor trip. The description and analysis of protection is covered in Section 7.2. Worst-case failure modes of the plant control systems are postulated in the analysis of off-design operational transients and accidents covered in Chapter 15.0, such as the following:

a. Uncontrolled RCCA bank withdrawal from a subcritical or low power startup condition.
b. Uncontrolled RCCA bank withdrawal at power.
c. RCCA misoperation.
d. Loss of external electrical load and/or turbine trip.
e. Loss of all nonemergency ac power to the station auxiliaries.
f. Feedwater system malfunctions that result in a decrease in feedwater temperature.
g. Excessive increase in secondary steam flow.
h. Inadvertent opening of a steam generator relief or safety valve.

These analyses show that a reactor trip setpoint is reached in time to protect the health and safety of the public under those postulated incidents and that the resulting coolant temperatures produce a DNBR well above the applicable limiting value. Thus, there will be no cladding damage and no release of fission products to the RCS under the assumption of these postulated worst-case failure modes of the plant control system.

In some cases, it is advantageous to employ control signals derived from individual protection channels through isolation amplifiers contained in the protection channel. As such, a failure in the control circuitry does not adversely affect the protection channel.

Test results have shown that a short circuit or the application (credible fault voltage from within the cabinets) of 120 Volt ac or 140 Volt dc on the isolated output portion of the circuit (nonprotection side of the circuit) will not affect the input (protection) side of the circuit.

Where a single random failure can cause a control system action that results in a generating station condition requiring protective action and can also prevent proper action of a protection system channel designed to protect against the condition, the remaining redundant protection channels are capable of providing the protective action even when degraded by a second random failure. This meets the applicable requirements of Section 4.7 of IEEE Standard 279-1971.

The pressurizer pressure channels needed to derive the protection signals are electrically isolated from control.

.2.2 Response Considerations of Reactivity

Reactor shutdown with control rods is completely independent of the control functions since the trip breakers interrupt power to the CRDMs, regardless of existing control signals. The design is such that the system can withstand accidental withdrawal of control groups or unplanned dilution of soluble boron without exceeding acceptable fuel design limits. The design meets the requirements of GDC-25.

No single electrical or mechanical failure in the rod control system could cause the accidental withdrawal of a single RCCA from the partially inserted bank at full power operation. The operator could deliberately withdraw a single RCCA in the control bank; this feature is necessary in order to retrieve a rod, should one be accidentally dropped.

In the extremely unlikely event of simultaneous electrical failures which could result in single RCCA withdrawal, rod deviation would be displayed on the plant annunciator, and the individual rod position readouts would indicate the relative positions of the rods in the bank. Withdrawal of a single RCCA by operator action, whether deliberate or by a combination of errors, would result in activation of the same alarm and the same visual indications.

Each bank of control rods (A-D) and shutdown banks SA and SB (See Figure 4.3-36) in the system are divided into two groups (group 1 and group 2) of up to four or five mechanisms each. In the banks with two groups, the rods comprising a group operate in parallel through multiplexing thyristors. The two groups in these banks move sequentially so that the first group is within one step of the second group in the bank.

The group 1 and group 2 power circuits are installed in different cabinets, as shown in Figure 7.7-14, which also shows that one group is within one step (5/8 inch) of the other

ched to the mechanism.

Since the four stationary grippers, moveable gripper, and lift coils associated with the RCCAs of a rod group are driven in parallel, any single failure which could cause rod withdrawal would affect a minimum of one group of RCCAs. Mechanical failures are in the direction of insertion, or immobility.

Figure 7.7-15 illustrates the design features that ensure that no single electrical failure could cause the accidental withdrawal of a single RCCA from the partially inserted bank at full power operation.

Figure 7.7-15 shows the typical parallel connections on the lift, movable, and stationary coils for a group of rods. Since single failures in the stationary or movable circuits will result in dropping or preventing rod (or rods) motion, the discussion of single failure will be addressed to the lift coil circuits: 1) due to the method of wiring the pulse transformers which fire the lift coil multiplex thyristors, three of the four thyristors in a rod group could remain turned off when required to fire, if for example the gate signal lead failed open at point X1. Upon "up" demand, one rod in group 1 and four rods in group 2 would withdraw. A second failure at point X2 in the group 2 circuit is required to withdraw one RCCA; 2) timing circuit failures will affect the four mechanisms of a group or the eight mechanisms of the bank and will not cause a single rod withdrawal; and 3) more than two simultaneous component failures are required (other than the open wire failures) to allow withdrawal of a single rod.

The identified multiple failure involving the least number of components consists of open circuit failure of the proper two out of 16 wires connected to the gate of the lift coil thyristors. The probability of open wire (or terminal) failure is 0.016 x 10^-6 per hour by MIL-HDB-217A. These wire failures would have to be accompanied by failure, or disregard, of the indications mentioned above. The probability of this occurrence is, therefore, too low to have any significance.

Concerning the human element, to erroneously withdraw a single RCCA, the operator would have to improperly set the bank selector switch, the lift coil disconnect switches, and the in-hold-out switch. In addition, the three indications would have to be disregarded or ineffective. Such series of errors would require a complete lack of understanding and administrative control. A probability cannot be assigned to a series of errors such as these.

The rod position indication system provides direct visual displays of each control rod assembly position. The plant computer alarms for deviation of rods from their banks. In addition, a rod insertion limit monitor provides an audible and visual alarm to warn the operator of an approach to an abnormal condition due to dilution. The low-low insertion limit alarm alerts the operator to follow emergency boration procedures. The facility

An important feature of the control rod system is that insertion is provided by gravity fall of the rods.

In all analyses involving reactor trip, the single, highest worth RCCA is postulated to remain untripped in its full out position.

One means of detecting a stuck control rod assembly is available from the actual rod position information displayed on the control board. The control board position readouts, for each rod, give the plant operator the actual position of the rod in steps. The indications are grouped by banks (e.g., control bank A, control bank B, etc.) to indicate to the operator the deviation of one rod with respect to other rods in a bank. This serves as a means to identify rod deviation.

The plant computer monitors the actual position of all rods. Should a rod be misaligned from the other rods in that bank by more than 12 steps, the rod deviation alarm is actuated. Misaligned RCCAs are also detected and alarmed in the control room via the tilt monitoring system, which is independent of the plant computer.

Isolated signals derived from the nuclear instrumentation system are compared with one another to determine if a preset amount of deviation of average power level has occurred. Should such a deviation occur, the comparator output will operate a bistable to actuate a control board annunciator. This alarm will alert the operator to a power imbalance caused by a misaligned rod. By use of individual rod position readouts, the operator can determine the deviating control rod and take corrective action. The design of the plant control systems meets the requirements of GDC-23.

Refer to Section 4.3 for additional information on response considerations due to reactivity.

.2.3 Step Load Changes Without Steam Dump

The plant control system restores equilibrium conditions, without a trip, following a percent step reduction in load demand, over the entire power range for automatic control. Steam dump is blocked for load decrease less than or equal to 10 percent. A load demand greater than full power is prohibited by the turbine control load limit devices.

The plant control system minimizes the reactor coolant average temperature deviation during the transient within a given value and is capable of allowing manual restoration of average temperature to the programmed setpoint. Excessive pressurizer pressure variations are prevented by using spray and heaters and power relief valves in the pressurizer.

available at Callaway, any overshoot by the automatic rod control system is not possible.

.2.4 Loading and Unloading

Ramp unloading of 5 percent per minute can be accepted over the entire power range under automatic control without tripping the plant. The function of the control system is to maintain the coolant average temperature as a function of turbine-generator load.

The coolant average temperature increases during loading and causes a continuous insurge to the pressurizer as a result of coolant expansion. The sprays limit the resulting pressure increase. Conversely, as the coolant average temperature is decreasing during unloading, there is a continuous outsurge from the pressurizer resulting from coolant contraction. The pressurizer heaters limit the resulting system pressure decrease. The pressurizer water level is programmed such that the water level is above the setpoint for heater cut out during the loading and unloading transients. The primary concern during loading is to limit the overshoot in nuclear power and to provide sufficient margin in the overtemperature ΔT setpoint.

The automatic load controls are designed to adjust the unit generation to match load requirements within the limits of the unit capability and licensed rating.

During rapid loading transients, a drop in reactor coolant temperature is sometimes used to increase core power. This mode of operation is applied when the control rods are not inserted deep enough into the core to supply all the reactivity requirements of the rapid load increase (the boron control system is relatively ineffective for rapid power changes).

The reduction in temperature is initiated by continued turbine loading past the point where the control rods are completely withdrawn from the core. The temperature drop is recovered and nominal conditions restored by a boron dilution operation.

The core axial power distribution is controlled during the reduced temperature return to power by placing the control rods in the manual mode when the operating limits are approached. Placing the rods in manual will stop further changes in , and it will also initiate the required drop in coolant temperature. Normally, power distribution control is not required during a rapid power increase, and the rods will be manually positioned to the top of the core. The bite position is reestablished at the end of the transient by decreasing the coolant boron concentration.

.2.5 Load Rejection Furnished By Steam Dump System en a load rejection occurs, if the difference between the required temperature point of the RCS and the actual average temperature exceeds a predetermined ount, a signal will actuate the steam dump to maintain the RCS temperature within trol range until a new equilibrium condition is reached.

7.7-33 Rev. OL-23 6/18

er. The steam dump flow reduction is as fast as RCCAs are capable of inserting negative reactivity.

The rod control system can then reduce the reactor temperature to a new equilibrium value without causing overtemperature and/or overpressure conditions. The nominal steam dump steam flow capacity to the condenser is 40 percent of full load steam flow at full load steam pressure.

The steam dump flow decreases proportionally as the control rods act to reduce the average coolant temperature. The artificial load is therefore removed as the coolant average temperature is restored to its programmed equilibrium value.

The dump valves are modulated by the reactor coolant average temperature signal. The required number of steam dump valves can be tripped quickly to stroke full open or modulate, depending upon the magnitude of the temperature error signal resulting from loss of load.

.2.6 Turbine-Generator Trip With Reactor Trip

Whenever the turbine-generator unit trips at an operating power level above 50-percent power, the reactor also trips. The unit is operated with a programmed average temperature as a function of load, with the full load average temperature significantly greater than the equivalent saturation pressure of the steam generator safety valve setpoint. The thermal capacity of the reactor coolant system is greater than that of the secondary system, and because the full load average temperature is greater than the no-load temperature, a heat sink is required to remove heat stored in the reactor coolant to prevent actuation of steam generator safety valves for a trip from full power. This heat sink is provided by the combination of controlled release of steam to the condenser and makeup of feedwater to the steam generators.

The steam dump system is controlled from the reactor coolant average temperature signal whose setpoint values are programmed as a function of turbine load. Actuation of the steam dump is rapid to prevent actuation of the steam generator safety valves.

With the dump valves open, the average coolant temperature starts to reduce quickly to the no-load setpoint. A direct feedback of temperature acts to proportionally close the valves to minimize the total amount of steam which is bypassed.

Feedwater flow is cut off following a reactor trip when the average coolant temperature decreases below a given temperature or when the steam generator water level reaches a given high level.

Additional feedwater makeup is then controlled manually to restore and maintain steam generator water level while assuring that the reactor coolant temperature is at the

condensers. This controller operates a portion of the same steam dump valves to the condensers, which are used during the initial transient following turbine and reactor trip.

The pressurizer pressure and level fall rapidly during the transient because of coolant contraction. The pressurizer water level is programmed so that the level following the turbine and reactor trip is above the heaters. However, if the heaters become uncovered following the trip, the chemical and volume control system will provide full charging flow to restore water level in the pressurizer. Heaters are then turned on to restore pressurizer pressure to normal.

The steam dump and feedwater control systems are designed to prevent the average coolant temperature from falling below the programmed no-load temperature following the trip to ensure adequate reactivity shutdown margin.

.3 REFERENCES

Lipchak, J. B., "Nuclear Instrumentation System," WCAP-8255, January 1974.

(For additional background information only.)

Shopsky, W. E., "Failure Mode and Effects Analysis (FMEA) of the Solid State Full Length Rod Control System," WCAP-8976, August 1977.

Adler, M.R., "AMSAC Generic Design Package", WCAP-10858-P-A, Revision 1, July 1987.

Union Electric letters on AMSAC, ULNRC-1472 dated 3-19-87, ULNRC-1492 dated 4-15-87, and ULNRC-1639 dated 10-5-87.

NRC Safety Evaluation Report for Union Electric Co., compliance with ATWS Rule 10CFR50.62, dated 12-24-87.


Designation / Derivation / Function

Derivation: 1/2 neutron flux (intermediate range) above setpoint
Function: Blocks control rod withdrawal (Note 1)

Derivation: 1/4 neutron flux (power range) above setpoint
Function: Blocks control rod withdrawal (Note 1)

Derivation: 2/4 overtemperature ΔT above setpoint
Function: Blocks control rod withdrawal (Note 1)
Function: Actuates turbine runback via load reference
Function: Defeats remote load dispatching (if remote load dispatching is used)

Derivation: 2/4 overpower ΔT above setpoint
Function: Blocks control rod withdrawal (Note 1)
Function: Actuates turbine runback via load reference
Function: Defeats remote load dispatching (if remote load dispatching is used)

Derivation: 1/1 turbine impulse chamber pressure below setpoint
Function: Defeats remote load dispatching (if remote load dispatching is used)
Function: Blocks automatic control rod withdrawal (no longer available)

Derivation: 1/1 time derivative (absolute value) of turbine impulse chamber pressure (decrease only) above setpoint
Function: Makes steam dump valves available for either tripping or modulation. See Figure 7.2-1 (Sheet 10).

Designation: A,B,C
Derivation: Condenser pressure below setpoint
Function: Absence blocks steam dump to condenser. See Fig. 7.2-1 (Sheet 10).

Note 1: Automatic rod withdrawal is no longer available.

Rev. OL-13 5/03

Designation / Derivation / Function

Designation: 1
Derivation: 1/1 bank D control rod position above setpoint
Function: Blocks automatic control rod withdrawal (no longer available)

Designation: 0
Derivation: 2/2 turbine impulse chamber pressures above 38% reactor power (1370 mwt) (See Section 7.7.1.11)
Function: Enables AMSAC signals for:
- turbine trip
- AFW actuation
- steam generator blowdown and sample line isolation

Derivation: Reactor trip
Function: Makes steam dump valves available for either tripping or modulation
Function: Blocks steam dump control via load rejection Tavg controller

Derivation: Absence of P-4 (Reactor not tripped)
Function: Blocks steam dump control via plant trip Tavg controller

Designation: 2
Derivation: 2/4 Tavg below setpoint
Function: Blocks steam dump. Allows manual bypass of steam dump block for the three cooldown valves only.

Derivation: 3/4 Tavg above setpoint
Function: Defeats the manual bypass of steam dump block for the three cooldown valves.


Operating Conditions

Line voltage: 120 Volt ac, +/- 10 percent, 60 Hz +/- 1 percent
Pressure: 15 to 225 psig (sample)
Temperature: 70 to 130°F (sample)
Sample flow rate: 0 to 0.4 gpm
Ambient temperature: 60 to 105°F
Relative humidity: to 95 percent
Radiation levels: <2 mr/hr @ 24 inches from all tank surfaces

Accuracy

Boron parts/million parts of water: Accuracy Standard Deviation
0 - 1,800 ppm: +/- 10 ppm
1,800 - 5,000 ppm: +/- 1.25 percent
Drift: less than 10 ppm/week

Rev. OL-14 12/04

1 INTRODUCTION

This appendix provides an evaluation of the instrumentation to assess plant and environs conditions following an accident. The plant instrumentation and features provided in the Callaway Plant have resulted from detailed design evaluations and reviews. Design features that enable the plant to be taken to cold shutdown while utilizing only safety-grade equipment are described in Appendix 5.4A, Cold Shutdown. Chapter 18.0 provides a comparison of the Callaway design to the requirements of NUREG-0737.

Since most of the instrumentation in the Callaway Plant was purchased and installed prior to the issuance of Regulatory Guide 1.97, Revision 2, strict compliance to the many prescriptive recommendations is not provided in all cases. However, the Callaway instrumentation and control room design is adequate to allow the operators to evaluate and mitigate the consequences of postulated accidents.

This appendix provides a detailed comparison of the Callaway design to the recommendations contained in the regulatory guide.

2 ORGANIZATION

The text of this appendix provides a summary description of the bases for the Callaway instrumentation design as they relate to the recommendations of the regulatory guide.

The tables provide the data necessary to perform a detailed comparison of the Callaway design with the recommendations of the regulatory guide.

Table 7A-1 is a cross-reference between Table 2 of the regulatory guide and the information presented in this appendix. Table 7A-1 lists the variables in the same sequence in which they appear in the regulatory guide table, assigns variable identification numbers, and identifies the data sheet upon which the detailed comparison of the Callaway design has been provided.

Table 7A-2 provides a summary of the Callaway design to the recommendations of the regulatory guide. This table also serves as an index to the data sheets in Table 7A-3.

Table 7A-3 consists of individual data sheets. One data sheet is provided for each variable or group of related variables identified in Table 2 of the regulatory guide. The data sheet contains the recommended range, category, and purpose for the variable and includes the multiple listing requirements. A discussion is provided of the Callaway Plant design bases for ranges, qualification, etc., and other pertinent data which support the adequacy of the current design or describe design modifications which are being implemented. ERFIS (Emergency Response Facility Information System), BOP (Balance of Plant), RRIS (Radiation Release Information System), and NSSS (Nuclear

7A-1 Rev. OL-19 5/12

3 CALLAWAY DESIGN BASIS COMPARISON TO REGULATORY GUIDE 1.97

The Callaway design bases are stated throughout the FSAR. The discussions provided below summarize the Callaway design bases as they pertain to the salient recommendations of the regulatory guide. Appropriate references to other FSAR sections are provided in Table 7A-3 for more detailed information. The discussions below are intended to aid the review of the Callaway design bases for compliance with the intent of the regulatory guide recommendations.

3.1 TYPE A VARIABLES

Variables classified as Type A for the Callaway design are identified in Table 7A-2. The reason for the classification is provided on the corresponding data sheet in Table 7A-3.

The following criteria are the bases for identification of Type A variables for the Callaway Plant. The terminology used in the discussion is consistent with that of the generic Emergency Response Guidelines (ERGs) for Westinghouse plants, which were submitted to the NRC by Westinghouse Owners Group letter OG-64, dated November 30, 1981.

a. Variables used for event diagnosis are classified as Type A because these variables direct the operator to the appropriate Optimal Recovery Guidelines (formerly termed Emergency Operating Instructions) or to monitoring of critical Safety Functions.
b. Variables used by the operator to perform manual actions prescribed by the Optimal Recovery Guidelines, which are associated with Condition IV events (LOCA, MSLB, and SGTR), are classified as Type A. Condition I, II and III events are not considered in identifying Type A variables (e.g., Spurious Safety Injection).
c. Variables which identify the need for operator action to correct single failures are not classified as Type A. These actions are often identified as "Notes" or "Contingency Actions" in the ERGs.
d. Variables associated with operator actions required for events not currently in the design bases of the plant are not identified as Type A variables.

3.2 REDUNDANCY AND DIVERSITY FOR CATEGORY 1 VARIABLES

The following discussion summarizes salient points of the design with respect to the regulatory recommendations:


failure. This is done on a system, loop, or component basis, as appropriate. For the steam generator heat sink function and pressurizer, it was done on a component basis. For the reactor and reactor coolant loops, it was done on a system basis due to the abundance of diverse or associated variables which are available to indicate the nature of the event and identify its cause.

b. Diverse variables are considered to be those which vary directly with or have a direct relation with the primary variable. Associated variables are those which, when considered with the primary and/or diverse variables, aid in the identification and evaluation of events and the status of the plant.
c. The need for a third reading or a diverse variable is based on the control room operators' need for the identification of the proper recovery from an event. Diversity is not provided solely for TSC/EOF use, accident reconstruction, or range not associated with DBEs.
d. Since the need for a diverse variable arises upon the single failure of the primary instrumentation and that failure must result in ambiguity (e.g., the instrument fails in midscale, not offscale high or low), diverse variables may be performance or commercial grade. Many diverse variables are qualified as Class 1E for reasons other than their diversity function.
e. Items identified as diverse variables are not considered to be part of the post-accident monitoring data base and are not included in the Emergency Response Facility Data Base solely for that purpose. Many diverse variables are part of the post-accident monitoring data base because of their primary function. Since it is highly unlikely that a variable will be required for a diversity function, the EOF/TSC may contact the control room should the need arise.
f. There are no unique PAMS identifiers on the control panels. Emergency operating procedures provide sufficient direction to post-accident monitors that should be used. Regulatory Position C.1.4 was deleted in Revision 3 of Regulatory Guide 1.97.

3.3 RECORDERS

Dedicated recorders are required only where trend information is immediately required for operator use. The current value (indicated) of the PAMs variables is normally used by the operator for decision-making purposes. Where Class 1E indicators are provided for safety-related Category 1 and Category 2 parameters at Callaway, as discussed in Section 7A.3.7 and justified in the individual data sheets of Table 7A-3, recorders may be performance grade.


Instrument ranges have been determined, considering the function(s) of the sensed parameters. The installed instrumentation may meet the ranges recommended in the regulatory guide, meet the intent of the recommended range, or have a range appropriate for the design function. Instrumentation that has an appropriate range is identified on Table 7A-2. The ranges are justified on the individual data sheets of Table 7A-3.

3.5 UNNECESSARY VARIABLES

Several variables listed in the regulatory guide are not necessary for post-accident monitoring for the Callaway Plant. Table 7A-2 identifies which variables are considered unnecessary from a post-accident monitoring standpoint, and the individual data sheets provide a discussion justifying the determination.

3.6 QUALIFICATION FOR CATEGORY 1 PARAMETERS

Tables 7A-2 and 7A-3 show that instrumentation for all variables designated as Category 1 by the NRC and those designated as Type A herein are qualified as Class 1E from the sensor to the indicator.

Qualification of these devices was documented in the SNUPPS NUREG-0588 submittal which was provided to the NRC in March 1983. All Class 1E equipment is qualified in accordance with Regulatory Guide 1.89, and Regulatory Guide 1.100 as discussed in Appendix 3A.

3.7 QUALIFICATION FOR CATEGORY 2 PARAMETERS

The Callaway design utilizes Class 1E and non-Class 1E sensors, transmitters, indicators, and power sources. There is no qualification category between these two categories, as implied by the Category 2 terminology of the regulatory guide.

Table 7A-2 shows that many of the Category 2 items are in fact fully qualified to Class 1E environmental and seismic requirements. These items exceed the regulatory recommendations.

The non-Class 1E instruments are termed performance grade. These items are purchased to perform in their anticipated service environments for the plant conditions in which they must function. The regulatory guide implies that they must function in the accident environment for the area in which they are located without consideration of the design function. If an instrument has to function following an accident, it is fully qualified to Class 1E requirements. If the instrument is not required following an accident, it is termed non-safety-related and purchased to performance grade requirements. The equipment service conditions are provided in the purchase specification and include radiation levels and integrated doses, temperature, relative humidity, and other special

non-Class 1E equipment is supplied from Separation Groups 5 and 6, which are highly reliable (refer to Section 8.3.1.3). The non-Class 1E 125 V dc buses are backed by the emergency diesel generators.

For the purpose of compliance to the regulatory requirements for seismic qualification for items identified as Category 2, the sensors'/transmitters' continued operation is not assumed to be required, since the indicators need not be qualified. Assurance of pressure boundary integrity during and after seismic events is ensured for safety-related systems. No seismic requirements are placed on items in non-safety-related systems.

3.8 QUALIFICATION FOR CATEGORY 3 ITEMS

The Category 3 qualification guidelines of the regulatory guide imply a possible need to ensure that the instrument sensor and transmitter are qualified for an accident environment. Table 7A-2 identifies those Category 3 instruments located inside the containment, and the appropriate data sheet of Table 7A-3 justifies the lack of post-accident qualification.


Columns: VARIABLE IDENT. NO.; VARIABLE; DATA SUMMARY SHEET NO.

Reactivity Control
.1 Neutron Flux 1.1
.2 Control Rod Position 1.2
.3 RCS Soluble Boron Concentration 13.1
.4 RCS Cold Leg Water Temperature 2.1

Core Cooling
.1 RCS Hot Leg Water Temperature 2.2
.2 RCS Cold Leg Water Temperature 2.1
.3 RCS Pressure 2.3
.4 Core Exit Temperature 1.3
.5 Coolant Level in Reactor 1.4
.6 Degrees of Subcooling 1.5

Maintaining Reactor Coolant System Integrity
.1 RCS Pressure 2.3
.2 Containment Sump Water Level 6.2
.3 Containment Pressure 6.1

Maintaining Containment Integrity
.1 Containment Isolation Valve Position (excluding check valves) 6.3
.2 Containment Pressure 6.1

Fuel Cladding
.1 Core Exit Temperature 1.3
.2 Radioactivity Concentration or Radiation Level in Circulating Primary Coolant 13.3

.3 Analysis of Primary Coolant (gamma spectrum) 13.1

Reactor Coolant Pressure Boundary
.1 RCS Pressure 2.3
.2 Containment Pressure 6.1
.3 Containment Sump Water Level 6.2
.4 Containment Area Radiation 11.1
.5 Effluent Radioactivity - Noble Gas Effluent from Condenser Air Removal System Exhaust 12.2

Containment
.1 RCS Pressure 2.3
.2 Containment Hydrogen Concentration 6.4
.3 Containment Pressure 6.1
.4 Containment Effluent Radioactivity - Noble Gases from Identified Release Points 12.1
.5 Radiation Exposure Rate (inside building or areas, e.g., auxiliary building, reactor shield building annulus, and fuel handling building, which are in direct contact with primary containment where penetrations and hatches are located) 11.2
.6 Effluent Radioactivity - Noble Gases (from buildings as indicated above) 12.1

Residual Heat Removal (RHR) or Decay Heat Removal System
.1 RHR System Flow 3.1
.2 RHR Heat Exchanger Outlet Temperature 3.1

Safety Injection Systems
.1 Accumulator Tank Level and Pressure 3.2
.2 Accumulator Isolation Valve Position 3.2

.3 Boric Acid Charging Flow 3.3
.4 Flow in HPI System 3.3
.5 Flow in LPI System 3.1
.6 Refueling Water Storage Tank Level 3.4

Primary Coolant System
.1 Reactor Coolant Pump Status 2.4
.2 Primary System Safety Relief Valve Positions (including PORV and code valves) or Flow Through or Pressure in Relief Valve Lines 2.5
.3 Pressurizer Level 2.6
.4 Pressurizer Heater Status 2.7
.5 Quench Tank Level 2.8
.6 Quench Tank Temperature 2.8
.7 Quench Tank Pressure 2.8

Secondary System (Steam Generator)
.1 Steam Generator Level 4.1
.2 Steam Generator Pressure 4.2
.3 Safety/Relief Valve Positions or Main Steam Flow 4.3
.4 Main Feedwater Flow 4.4

Auxiliary Feedwater or Emergency Feedwater System
.1 Auxiliary or Emergency Feedwater Flow 5.1
.2 Condensate Storage Tank Water Level 5.2

Containment Cooling Systems
.1 Containment Spray Flow 10.1

.2 Heat Removal by the Containment Fan Heat Removal System 8.1
.3 Containment Atmosphere Temperature 6.5
.4 Containment Sump Water Temperature 6.6

Chemical and Volume Control System
.1 Makeup Flow-In 7.1
.2 Letdown Flow-Out 7.1
.3 Volume Control Tank Level 7.1

Cooling Water System
.1 Component Cooling Water Temperature to ESF System 9.1
.2 Component Cooling Water Flow to ESF System 9.1

Radwaste System
.1 High-Level Radioactive Liquid Tank Level 14.1
.2 Radioactive Gas Holdup Tank Pressure 14.2

0 Ventilation Systems
0.1 Emergency Ventilation Damper Position 15.1

1 Power Supplies
1.1 Status of Standby Power and Other Energy Sources Important to Safety (hydraulic, pneumatic) 16.1, 16.2

Containment Radiation
.1 Containment Area Radiation - High Range 11.1

Area Radiation
.1 Radiation Exposure Rate (inside buildings or areas where access is required to service equipment important to safety) 11.2

Airborne Radioactive Materials Released from Plant
.1 Noble Gases and Vent Flow Rate
.1.1 o Containment or Purge Effluent 12.1
.1.2 o Reactor Shield Building Annulus (if in design) NA
.1.3 o Auxiliary Building (including any building containing primary system gases, e.g., waste gas decay tank) 12.1
.1.4 o Condenser Air Removal System Exhaust 12.2
.1.5 o Common Plant Vent or Multipurpose Vent Discharging Any of Above Releases (if containment purge is included) 12.1
.1.6 o Vent From Steam Generator Safety Relief Valves or Atmospheric Dump Valves 12.3
.1.7 o All Other Identified Release Points 12.4
.2 Particulates and Halogens
.2.1 o All Identified Plant Release Points (except steam generator safety relief valves or atmospheric steam dump valves and condenser air removal system exhaust). Sampling with Onsite Analysis Capability 12.5

Environs Radiation and Radioactivity
.1 Radiation Exposure Meters (continuous indication at fixed locations) 17.1
.2 Airborne Radiohalogens and Particulates (portable sampling with onsite analysis capability) 17.2
.3 Plant and Environs Radiation (portable instrumentation) 17.3
.4 Plant and Environs Radioactivity (portable instrumentation) 17.4

Meteorology
.1 Wind Direction 17.5

.2 Wind Speed 17.5
.3 Estimation of Atmospheric Stability 17.5

Accident Sampling Capability (Analysis Capability on Site)
.1 Primary Coolant 13.1
.1.1 o Gross Activity 13.1
.1.2 o Gamma Spectrum 13.1
.1.3 o Boron Content 13.1
.1.4 o Chloride Content 13.1
.1.5 o Dissolved Hydrogen or Total Gas 13.1
.1.6 o Dissolved Oxygen 13.1
.1.7 o pH 13.1
.2 Sump 13.2
.2.1 o Gross Activity 13.2
.2.2 o Gamma Spectrum 13.2
.2.3 o Boron Content 13.2
.2.4 o Chloride Content 13.2
.2.5 o pH 13.2
.3 Containment Air
.3.1 o Hydrogen Content 6.4
.3.2 o Oxygen Content 13.1
.3.3 o Gamma Spectrum 13.1

Columns: SHEET NUMBER; VARIABLE DESCRIPTION; NRC QUAL. CATEGORY; CALLAWAY TYPE A VARIABLE; RANGE COMPARISON (Complies with Reg., Meets Intent, Appropriate Range); SENSOR LOCATION (Inside Ctmt, Outside Ctmt); CHANNEL QUALIFICATION (Class 1E, Perf. Grade)

CORE AND REACTOR VESSEL VARIABLES
.1 Neutron Flux 1 X X X
.2 Control Rod Position 3 X X X
.3 Core Exit Temperature 1 X X X
.4 Reactor Vessel Level 1 X X X*
.5 Subcooling Monitor 2** X X X

RCS AND RELATED VARIABLES
.1 RCS Tcold 1 Yes X*** X X*
.2 RCS Thot 1 Yes X*** X X*
.3 RCS Pressure 1 Yes X X X*
.4 RCP Status (motor current) 3 X X X
.5 Primary System Safety Relief Valve Position 2 X X X
.6 Pressurizer Level 1 Yes X X X*
.7 Pressurizer Heater Status 2 X X X
.8 PRT Level 3 X X X
.8 PRT Temperature 3 X X X
.8 PRT Pressure 3 X X X

ECCS VARIABLES
.1 RHR/LPI Flow Rate 2 X X X
.1 RHR/Heat Exchanger Tout 2 X X X
.2 Accumulator Tank Level 2 NA**** X X
.2 Accumulator Tank Pressure 2 NA**** X X

Rev. OL-24 11/19

.2 Accumulator Isolation Valve Position 2 X X X
.3 ECCS Centrifugal Charging Pump Flow 2 X X X
.3 Safety Injection Pump Flow 2 X X X
.3 RCP Seal Injection Flow 2 X X X
.4 RWST Level 2 Yes X X X*

SECONDARY SIDE VARIABLES
.1 Steam Generator Level - Wide Range 1 X X X*
.1 Steam Generator Level - Narrow Range 1 Yes NA X X
.2 Steam Line Pressure 1 Yes X X X*
.3 Secondary Side PORV Position 2 X X X
.3 Secondary Side Safety Valve Position 2 NA NA NA
.4 Main Feedwater Flow Rate 3 X X X

AUXILIARY FEEDWATER SYSTEM VARIABLES
.1 Auxiliary Feedwater Flow Rate 2 X X X
.2 Condensate Storage Tank Level (Pressure) 1 X X X

CONTAINMENT VARIABLES
.1 Containment Pressure - Design Pressure Range 1 Yes X X X*
.1 Containment Pressure - Extended Range 1 X X X*

.2 Containment Normal Sump Level 1 Yes X X X
.2 Containment Recirculation Sump Level 1 X X X
.3 Containment Isolation Valve Position 1 X X X X
.4 Containment Hydrogen Concentration 3 X X X
.5 Containment Atmosphere Temperature 2 X X X
.6 Containment Sump Temperature 2 NA****

CHARGING AND LETDOWN SYSTEM VARIABLES
.1 Normal Charging Flow 2 X X X
.1 Normal Letdown Flow 2 X X X
.1 Volume Control Tank Level 2 X X X
.1 Letdown Flow - Safety Related 2 X X X

CONTAINMENT COOLING SYSTEM VARIABLES
.1 Containment Cooler Heat Removal 2 NA****

COMPONENT COOLING WATER SYSTEM VARIABLES
.1 Component Cooling Water Temperature to ESF 2 X X X
.1 Component Cooling Water Flow Rate to ESF 2 X X X

CONTAINMENT SPRAY SYSTEM VARIABLES
0.1 Containment Spray Flow Rate 2 X X X

AREA RADIATION MONITORING 1
1.1 Containment Area Radiation 1 Yes X X X
1.2 Area Radiation Monitor - Containment Penetrations Hatches and Areas Important to Safety 2 N/A****

EFFLUENT MONITORS
2.1 Unit Vent and Radwaste Building Vent - Noble Gas 2 X X X
2.2 Condensate Air Removal - Radiation Monitor 3 X X X
2.3 Secondary Side Radiation Release 2 X X X
2.4 AFW Turbine Radiation Release 2 X X X
2.5 Unit Vent and Radwaste Building Vent Particulates and Halogens 3 X X X

SAMPLING SYSTEMS
3.1 Post-Accident Sampling System 3 NA**** X X
3.2 Containment Recirculation Sump Sample 3 NA**** X X
3.2 ECCS Room Sump Sample 3 NA****
3.2 Auxiliary Building Sump Sample 3 NA****
3.3 Radiation Level in RCS 1 NA****

RADWASTE SYSTEM VARIABLES
4.1 Recycle Holdup Tank Level 3 NA****
4.2 Waste Gas Decay Tank Pressure 3 NA****

DAMPER POSITION
5.1 Emergency Ventilation Damper Position 2 X X X X

POWER SUPPLY STATUS INDICATION
6.1 Electric Power Supply Status 2 X X X
6.2 Gas Accumulator Tank Pressure 2 X X X

ENVIRONMENTAL MONITORING
7.1 Fixed Radiation Exposure Meters 3 NA****
7.2 Portable Emergency Monitor - Particulates and Halogen 3 X X X
7.3 Particulates Monitor - Plant and Environs 3 X X X
7.4 Plant and Environs - Gamma Spectra 3 X X X
7.5 Meteorological Parameters 3 X X X

Recorder is non-1E

Qualified to Category 1 requirements for RCS Tcold and Thot indication.

Complies with range recommended in Revision 3 of Regulatory Guide 1.97.

Unnecessary variables - refer to Table 7A-3

DATA SHEET 1.1

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

Columns: VARIABLE IDENT. NO.; VARIABLE; RANGE; CATEGORY; PURPOSE

B.1.1; Neutron Flux; 10^-6% to 100% full power; 1; Function detection, accomplishment of mitigation

CALLAWAY PLANT DESIGN PROVISIONS

Columns: VARIABLE IDENT. NO.; VARIABLE; RANGE; SENSOR/TRANSMITTER (IDENT. NO., CL. 1E); CONTROL ROOM (PANEL, CL. 1E; PANEL, CL. 1E); ERFIS COMPUTER

.1.1 Neutron Flux 10^-8 to 200% power
SENE60 Y 020 Y - - BOP
SENE61 Y 020 Y BOP

REMARKS

Redundant Class 1E neutron flux monitors, independent from the NSSS protection system, have been added to the Callaway design. These monitors meet the stated recommendations. Section 6.2.2 of ANSI/ANS-4.5-1980 recommends that current value, rate, and trend information be available to the control room operators. The instrumentation identified above provides for current value and trend information (i.e. indication and recording). The Westinghouse NIS equipment provides for current value, rate, and trend information; however, the NIS instrumentation is not qualified for post-accident conditions.


DATA SHEET 1.2

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

Columns: VARIABLE IDENT. NO.; VARIABLE; RANGE; CATEGORY; PURPOSE

B.1.2; Control Rod Position; Full in or not full in; 3; Verification

CALLAWAY PLANT DESIGN PROVISIONS

Columns: VARIABLE IDENT. NO.; VARIABLE; RANGE; SENSOR/TRANSMITTER (IDENT. NO., CL. 1E); CONTROL ROOM INDICATOR (PANEL, CL. 1E); CONTROL ROOM RECORDER (PANEL, CL. 1E); ERFIS COMPUTER

.1.2 Control Rod Position Full in to full out SF0074 53 rods N 022 N NSSS

REMARKS

The Callaway design meets the stated recommendations.

Callaway has 53 full-length control rods arranged in four control banks (A through D) and five shutdown banks (SA-SE). With the exception of shutdown banks SC, SD, and SE, each bank is divided into two groups. Each group consists of several assemblies which move together.

The rod position monitoring is performed by two separate systems: (1) the digital rod position indication system and (2) a demand position system. The position of each rod is indicated on a dedicated LED. These systems are described in FSAR Section 7.7.1.3.2.


DATA SHEET 1.3

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

Columns: VARIABLE IDENT. NO.; VARIABLE; RANGE; CATEGORY; PURPOSE

B.2.4; Core Exit Temperature 1; 200°F to 2300°F (for operating plants -200°F to 1650°F); 3 3; Verification

C.1.1; Core Exit Temperature1; 200°F to 2300°F (for operating plants -200°F to 1650°F); 13; Detection of potential for breach, accomplishment of mitigation, long-term surveillance

CALLAWAY PLANT DESIGN PROVISIONS

Columns: VARIABLE IDENT. NO.; VARIABLE; RANGE; SENSOR/TRANSMITTER (IDENT. NO., CL. 1E); CONTROL ROOM (PANEL, CL. 1E; PANEL, CL. 1E); ERFIS COMPUTER

.2.4 C.1.1 Core Exit Temperature 0-2500°F TC0001 through TC0050 (minus CETs retired in place or removed from service) Y RP081A,B Y RP081A,B Y NSSS

REMARKS

The Callaway design meets the stated recommendations.

All 50 thermocouples were originally qualified to Class 1E requirements and provide inputs to the subcooling monitor described on data sheet 1.5. Subcooling monitor display output scale includes 200°F subcooled to 2000°F superheated range.

All 50 thermocouples (minus those retired in place or removed from service) are indicated and recorded on qualified devices in the control room. Diversity is not required due to extensive redundancy provided.


DATA SHEET 1.4

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

Columns: VARIABLE IDENT. NO.; VARIABLE; RANGE; CATEGORY; PURPOSE

B.2.5; Coolant Level in Reactor; Bottom of core to Top of Vessel (direct indicating or recording device not required; 1; Verification, accomplishment of mitigation

CALLAWAY PLANT DESIGN PROVISIONS

Columns: VARIABLE IDENT. NO.; VARIABLE; RANGE; SENSOR/TRANSMITTER (IDENT. NO., CL. 1E); CONTROL ROOM INDICATOR (PANEL, CL. 1E); CONTROL ROOM RECORDER (PANEL, CL. 1E); ERFIS COMPUTER

.2.5 Reactor Vessel Water Level Bottom to top of vessel
LT 1311 Y 021 Y 080 N NSSS
LT 1312 Y 021 Y 080 N NSSS
LT 1321 Y 021 Y - - NSSS
LT1322 Y 021 Y - - NSSS

REMARKS

The Callaway design meets all of the stated recommendations.

The Callaway RV level indication system will provide information on the RV water level with or without the RC pumps in operation. This Class 1E system will utilize two pressure taps to cover the range from the bottom of the vessel to the top of the vessel.

The design includes four indicating devices which provide redundancy (two devices) for the two design conditions.

Diversity is provided by the core exit thermocouples described on data sheet 1.3.


DATA SHEET 1.5

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

| VARIABLE IDENT. NO. | VARIABLE | RANGE | CATEGORY | PURPOSE |
|---|---|---|---|---|
| B.2.6 | Degrees of Subcooling | 200°F subcooling to 35°F superheat | 2 (With confirmatory operator procedures) | Verification, and analysis of plant conditions |

CALLAWAY PLANT DESIGN PROVISIONS

VARIABLE IDENT. NO. VARIABLE RANGE SENSOR/TRANSMITTER (IDENT. NO., CL.1E) CONTROL ROOM INDICATOR (PANEL, CL.1E) CONTROL ROOM RECORDER (PANEL, CL.1E) ERFIS COMPUTER

B.2.6 Subcooling 200°F subcooled to PT0403, PT0405 Y 022 Y RP081A,B Y NSSS Monitor 2,000°F (1 of 2) (TI1390A,B) (TR1390A,B)

RP081A,B (UU/390A,B) superheat PT0455, PT0456 Y - - NSSS PT0457, PT0458 (2 of 4) TE0413A,B TE0423A,B TE0433A,B TE0443A,B Y TC001 through TC0050 (minus Y CETs retired in place or removed from service)

REMARKS

The Callaway subcooling monitor meets all of the stated recommendations.

The subcooling monitor design provisions are described in Section 18.2.13.2. The system is Class 1E and fully qualified.

Diversity is not required, since this system is considered to be Category 2 per the regulatory recommendations; however, extensive redundancy in the inputs is provided to ensure system reliability.

This system could be utilized by the plant operators following an event; however, it is not considered a Type A variable, since the operator will be able to perform subcooling calculations, using existing instrumentation.


DATA SHEET 2.1

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

| VARIABLE IDENT. NO. | VARIABLE | RANGE | CATEGORY | PURPOSE |
|---|---|---|---|---|
| B.1.4 | RCS Cold Leg Water Temperature 1 | 50°F to 400°F | 3 | Verification |
| B.2.2 | RCS Cold Leg Water Temperature 1 | 50°F to 750°F* | 1 | Function detection, accomplishment of mitigation, verification, long-term surveillance |

CALLAWAY PLANT DESIGN PROVISIONS

| VARIABLE IDENT. NO. | VARIABLE | RANGE | SENSOR/TRANSMITTER IDENT. NO. | SENSOR/TRANSMITTER CL.1E | CONTROL ROOM INDICATOR PANEL | CONTROL ROOM INDICATOR CL.1E | CONTROL ROOM RECORDER PANEL | CONTROL ROOM RECORDER CL.1E | ERFIS COMPUTER |
|---|---|---|---|---|---|---|---|---|---|
| B.1.4, B.2.2 | RCS Temperature Wide Range Tcold | 0-700°F | TE-413B | Y | 021 | Y | 022 | N | NSSS |
| | | 0-700°F | TE-423B | Y | 021 | Y | 022 | N | NSSS |
| | | 0-700°F | TE-433B | Y | - | - | 022 | N | NSSS |
| | | 0-700°F | TE-443B | Y | - | - | 022 | N | NSSS |

REMARKS

The RCS wide-range Tcold instruments are Class 1E and powered from Protection Sets I and II. Protection Set I instruments are indicated separately on a qualified indicator. The Tcold and Thot readings for each loop are recorded on a dual pen recorder. All RCS Thot and Tcold wide-range instrument readings are available on qualified indicators in the Core Sub-cooling Monitors (RP081A&B).

The existing range meets the recommended range of Revision 3 of Regulatory Guide 1.97. Other associated variables will be available to help ensure that the operator is aware of primary system parameters.

Diversity is not required due to the extensive redundancy provided; however, the operator can use the steam line pressure of the associated steam generator to estimate the Tcold readings. Tcold will trend with Tsat for each steam generator. Associated variables which provide useful information include Thot and the core exit temperatures.

This parameter is a Type A variable, and it is used throughout the EOIs.

* Revision 3 of Regulatory Guide 1.97 revised the range to 50°F to 700°F. Thus, the existing range now meets the regulatory recommendation.


DATA SHEET 2.2

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

| VARIABLE IDENT. NO. | VARIABLE | RANGE | CATEGORY | PURPOSE |
|---|---|---|---|---|
| B.2.1 | RCS Hot Leg Water Temperature 1 | 50°F to 750°F | 1 | Function detection, accomplishment of mitigation, verification, long-term surveillance |

CALLAWAY PLANT DESIGN PROVISIONS

| VARIABLE IDENT. NO. | VARIABLE | RANGE | SENSOR/TRANSMITTER IDENT. NO. | SENSOR/TRANSMITTER CL.1E | CONTROL ROOM INDICATOR PANEL | CONTROL ROOM INDICATOR CL.1E | CONTROL ROOM RECORDER PANEL | CONTROL ROOM RECORDER CL.1E | ERFIS COMPUTER |
|---|---|---|---|---|---|---|---|---|---|
| B.2.1 | RCS Temperature Wide Range THot | 0-700°F | TE-413A | Y | 021 | Y | 022 | N | NSSS |
| | | 0-700°F | TE-423A | Y | 021 | Y | 022 | N | NSSS |
| | | 0-700°F | TE-433A | Y | - | - | 022 | N | NSSS |
| | | 0-700°F | TE-443A | Y | - | - | 022 | N | NSSS |

REMARKS

The RCS wide-range Thot instruments are Class 1E and powered from Protection Sets I and II. Protection Set I instruments are indicated separately on a qualified indicator. As noted on data sheet 2.1, Thot is recorded with Tcold of the same loop on a dual pen recorder. All RCS Thot and Tcold wide-range instrument readings are available on qualified indicators in the Core Sub-cooling Monitors (RP081A&B).

The existing range meets the recommended range of Revision 3 of Regulatory Guide 1.97.

Diversity is not required due to the extensive redundancy provided; however, the operator could use the core exit thermocouples as a diverse measurement. Refer to data sheet 1.3.

This parameter is a Type A variable, and it is used throughout the EOIs.


DATA SHEET 2.3

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

| VARIABLE IDENT. NO. | VARIABLE | RANGE | CATEGORY | PURPOSE |
|---|---|---|---|---|
| B.2.3 | RCS Pressure 1 | 0-3000 psig (4,000 psig for CE plants) | 1 2 | Function detection, accomplishment of mitigation, verification, long-term surveillance |
| B.3.1 | RCS Pressure 1 | 0-3000 psig (4,000 psig for CE plants) | 1 2 | Function detection, accomplishment of mitigation |
| C.2.1 | RCS Pressure 1 | 0-3000 psig (4,000 psig for CE plants) | 1 2 | Detection of potential or actual breach, accomplishment of mitigation, long-term surveillance |
| C.3.1 | RCS Pressure 1 | 0-3000 psig (4,000 psig for CE plants) | 1 2 | Detection of potential for breach, accomplishment of mitigation. |

CALLAWAY PLANT DESIGN PROVISIONS

| VARIABLE IDENT. NO. | VARIABLE | RANGE | SENSOR/TRANSMITTER IDENT. NO. | SENSOR/TRANSMITTER CL.1E | CONTROL ROOM INDICATOR PANEL | CONTROL ROOM INDICATOR CL.1E | CONTROL ROOM RECORDER PANEL | CONTROL ROOM RECORDER CL.1E | ERFIS COMPUTER |
|---|---|---|---|---|---|---|---|---|---|
| B.2.3 | RCS Pressure | 0-3,000 psig | PT-405 | Y | 022 | Y | 022 | N | NSSS |
| B.3.1 | | 0-3,000 psig | PT-403 | Y | 022 | Y | 022 | N | NSSS |
| C.2.1 | | 0-3,000 psig | PT-406 | Y | 002 | Y | - | - | - |
| NA | Pressurizer Pressure | 1,700 to 2,500 psig | PT-455 | Y | 002 | N | 022 | N | NSSS |
| | | | PT-456 | Y | 002 | N | PR 455 - Select | | NSSS |
| | | | PT-457 | Y | 002 | N | 1 of 4 | | NSSS |
| | | | PT-458 | Y | 002 | N | | | NSSS |

REMARKS

The RCS pressure instruments meet all of the stated requirements.

RCS pressure is a Type A variable, and is used throughout the EOIs.


DATA SHEET 2.4

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

| VARIABLE IDENT. NO. | VARIABLE | RANGE | CATEGORY | PURPOSE |
|---|---|---|---|---|
| D.3.1 | Reactor Coolant Pump Status | Motor Current | 3 | To monitor operation |

CALLAWAY PLANT DESIGN PROVISIONS

| VARIABLE IDENT. NO. | VARIABLE | RANGE | SENSOR/TRANSMITTER IDENT. NO. | SENSOR/TRANSMITTER CL.1E | CONTROL ROOM INDICATOR PANEL | CONTROL ROOM INDICATOR CL.1E | CONTROL ROOM RECORDER PANEL | CONTROL ROOM RECORDER CL.1E | ERFIS COMPUTER |
|---|---|---|---|---|---|---|---|---|---|
| D.3.1 | Reactor Coolant Pump Motor Current | 0-600A | CT-PA0107 | N | 021 | N | - | - | BOP |
| | | 0-600A | CT-PA0108 | N | 021 | N | - | - | BOP |
| | | 0-600A | CT-PA0204 | N | 021 | N | - | - | BOP |
| | | 0-600A | CT-PA0205 | N | 021 | N | - | - | BOP |

REMARKS

The design meets the stated recommendations.


DATA SHEET 2.5

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

| VARIABLE IDENT. NO. | VARIABLE | RANGE | CATEGORY | PURPOSE |
|---|---|---|---|---|
| D.3.2 | Primary System Safety Relief Valve Positions (including PORV and code valves) or Flow Through or Pressure in Relief Valve Lines | Closed-not closed | 2 | Operation status, to monitor for loss of coolant |

CALLAWAY PLANT DESIGN PROVISIONS

| VARIABLE IDENT. NO. | VARIABLE | RANGE | SENSOR/TRANSMITTER IDENT. NO. | SENSOR/TRANSMITTER CL.1E | CONTROL ROOM INDICATOR PANEL | CONTROL ROOM INDICATOR CL.1E | CONTROL ROOM RECORDER PANEL | CONTROL ROOM RECORDER CL.1E | ERFIS COMPUTER |
|---|---|---|---|---|---|---|---|---|---|
| D.3.2 | PORV Position | Closed-not closed | ZS-455A | Y | 021 | Y | - | - | BOP |
| | | | ZS-456A | Y | 021 | Y | - | - | BOP |
| D.3.2 | PORV Block Valve Position | Closed-not closed | ZS-8000A | Y | 021 | Y | - | - | BOP |
| | | | ZS-8000B | Y | 021 | Y | - | - | BOP |
| D.3.2 | Safety Valve Position | Closed-not closed | ZS-8010A | Y | 021 | Y | - | - | BOP |
| | | | ZS-8010B | Y | 021 | Y | - | - | BOP |
| | | | ZS-8010C | Y | 021 | Y | - | | BOP |

REMARKS

The design meets the stated recommendations. Section 18.2.6.2 provides more information on these items.

Since the design provides position monitoring of the subject valves, the flow through or pressure in the discharge lines to the PRT is not provided.

Diversity is not required, since this is an NRC Category 2 variable. However, the PRT parameters described on data sheet 2.8 are available.


DATA SHEET 2.6

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

| VARIABLE IDENT. NO. | VARIABLE | RANGE | CATEGORY | PURPOSE |
|---|---|---|---|---|
| D.3.3 | Pressurizer Level | Bottom to top | 1 | To ensure proper operation of pressurizer |

CALLAWAY PLANT DESIGN PROVISIONS

| VARIABLE IDENT. NO. | VARIABLE | RANGE | SENSOR/TRANSMITTER IDENT. NO. | SENSOR/TRANSMITTER CL.1E | CONTROL ROOM INDICATOR PANEL | CONTROL ROOM INDICATOR CL.1E | CONTROL ROOM RECORDER PANEL | CONTROL ROOM RECORDER CL.1E | ERFIS COMPUTER |
|---|---|---|---|---|---|---|---|---|---|
| D.3.3 | Pressurizer Level | Bottom to top of straight shell | LT-459 | Y | 002 | Y | 002 | N | NSSS |
| | | | LT-460 | Y | 002 | Y | Select 1 of 3 | | NSSS |
| | | | LT-461 | Y | 002 | Y | | | NSSS |

REMARKS

The range covered meets the intent of the recommended range. Approximately 85 percent of the total volume is covered. Monitoring level in the hemispherical heads is not advisable, since the volume-to-level ratio is not linear.

This is a Type A variable, and is used throughout the EOIs for operator action.

Diversity is not required due to the extensive redundancy provided.


DATA SHEET 2.7

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

| VARIABLE IDENT. NO. | VARIABLE | RANGE | CATEGORY | PURPOSE |
|---|---|---|---|---|
| D.3.4 | Pressurizer Heater Status | Electric current | 2 | To determine operating status |

CALLAWAY PLANT DESIGN PROVISIONS

| VARIABLE IDENT. NO. | VARIABLE | RANGE | SENSOR/TRANSMITTER IDENT. NO. | SENSOR/TRANSMITTER CL.1E | CONTROL ROOM INDICATOR PANEL | CONTROL ROOM INDICATOR CL.1E | CONTROL ROOM RECORDER PANEL | CONTROL ROOM RECORDER CL.1E | ERFIS COMPUTER |
|---|---|---|---|---|---|---|---|---|---|
| D.3.4 | Pressurizer Heater Current | 0-300A | CT-NB0106 | Y | 015 | Y | - | - | BOP |
| | | 0-300A | CT-NB0208 | Y | 015 | Y | - | - | BOP |

REMARKS

The Callaway design meets the stated recommendations.

Diversity is not required, since this is an NRC Category 2 variable.


DATA SHEET 2.8

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

| VARIABLE IDENT. NO. | VARIABLE | RANGE | CATEGORY | PURPOSE |
|---|---|---|---|---|
| D.3.5 | Quench Tank Level | Top to bottom | 3 | To monitor operation |
| D.3.6 | Quench Tank Temperature | 50°F to 750°F | 3 | To monitor operation |
| D.3.7 | Quench Tank Pressure | 0 to design pressure 4 | 3 | To monitor operation |

CALLAWAY PLANT DESIGN PROVISIONS

| VARIABLE IDENT. NO. | VARIABLE | RANGE | SENSOR/TRANSMITTER IDENT. NO. | SENSOR/TRANSMITTER CL.1E | CONTROL ROOM INDICATOR PANEL | CONTROL ROOM INDICATOR CL.1E | CONTROL ROOM RECORDER PANEL | CONTROL ROOM RECORDER CL.1E | ERFIS COMPUTER |
|---|---|---|---|---|---|---|---|---|---|
| D.3.5 | Pressurizer Relief Tank Level | Top to bottom | LT-470 | N | 021 | N | - | - | NSSS |
| D.3.6 | Relief Tank Temperature | 50 to 350 | TE-468 | N | 021 | N | - | - | NSSS |
| D.3.7 | Relief Tank Pressure | 0-100 psig (design) | PT-469 | N | 021 | N | - | - | NSSS |

REMARKS

The PRT is a horizontal, cylindrical tank. The level is measured for 100 of the 114-inch tank diameter, which is essentially top to bottom.

The PRT temperature range is adequate to monitor any expected conditions in the tank. The PRT design pressure is 100 psig (Tsat = 327.8°F), and the rupture disc release pressure is 91 psig, nominal. Following breach of the disc, the temperature of the tank cannot exceed the saturation temperature associated with the existing containment pressure.

The PRT parameters are available in the ERFIS and NSSS computers; therefore, it is not necessary to provide a dedicated recorder.

Although these instruments are located inside the containment, they are not qualified for post-accident conditions, since they are not required following a LOCA or MSLB. Primary and secondary loop parameters, as well as containment parameters, are available to allow the operator to determine the nature and course of the accident. The EOIs do not indicate any use of these parameters following an event. Refer to Section 7A.3.8.


DATA SHEET 3.1

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

| VARIABLE IDENT. NO. | VARIABLE | RANGE | CATEGORY | PURPOSE |
|---|---|---|---|---|
| D.1.1 | RHR System Flow | 0 to 110% design flow 10 | 2 | To monitor operation |
| D.1.2 | RHR Heat Exchanger Outlet Temperature | 32°F* to 350°F | 2 | To monitor operation and for analysis |
| D.2.5 | Flow in LPI System | 0 to 110% design flow 10 | 2 | To monitor operation |

CALLAWAY PLANT DESIGN PROVISIONS

| VARIABLE IDENT. NO. | VARIABLE | RANGE | SENSOR/TRANSMITTER IDENT. NO. | SENSOR/TRANSMITTER CL.1E | CONTROL ROOM INDICATOR PANEL | CONTROL ROOM INDICATOR CL.1E | CONTROL ROOM RECORDER PANEL | CONTROL ROOM RECORDER CL.1E | ERFIS COMPUTER |
|---|---|---|---|---|---|---|---|---|---|
| D.1.1 | RHR/LPI-Inj./Recirc. Cold Leg | 0-114% | FT-618 | N | 017 | N | 018 | N | NSSS |
| | | | FT-619 | N | 017 | N | 018 | N | NSSS |
| D.2.5 | LPI - Hot Leg Recirculation Flow | 0-169% | FT-988 | N | 018 | N | - | - | NSSS |
| D.1.2 | RHR Heat Exchanger A Inlet/Outlet Temperatures | 50-400°F | TE-612 | N | - | - | 018 | N | NSSS |
| | | | TE-604 | N | - | - | 018 | N | NSSS |
| D.1.2 | RHR Heat Exchanger B Inlet/Outlet Temperatures | 50-400°F | TE-613 | N | - | - | 018 | N | NSSS |
| | | | TE-605 | N | - | - | 018 | N | NSSS |

* Revision to Regulatory Guide 1.97 revised the range to 40°F to 350°F

REMARKS

The proper operation of the RHR system is verified by observing pump and valve status indications provided on the main control board, which contains mimic diagrams of the flow paths. These indications are fully qualified to Class 1E requirements.

The RHR system (Figure 5.4-7) serves the dual function of residual heat removal and low pressure injection/recirculation. The flow rates are indicated for all modes of operation; however, they are provided for performance monitoring only. The flow rate and temperature monitoring is not required for any safety-related function and, therefore, the instruments are not Class 1E. The proper operation of the RHR system is verified by observing pump and valve status indications provided on the main control board, which contains mimic diagrams of the flow paths. These indications are fully qualified to Class 1E requirements.

Since the sensors/transmitters are part of the pressure boundary, they are designed to remain intact following an SSE; however, functionality is not assured.

The RHR injection phase runout flow is limited to 4,428 gpm. The range of FT-618 and 619 is 0 to 5,500 gpm. The RHR hot leg recirculation flow is 2,662 gpm for one RHR pump operating. The range of FT-988 is 0 to 4,500 gpm.

Train A flow (FT-618) and temperatures (TE-604 and 612) are recorded on TR-612. Train B flow (FT-619) and temperatures (TE-605 and 613) are recorded on TR-613. The heat exchanger inlet temperatures are not considered to be part of the Regulatory Guide 1.97 data base.

The RHR heat exchanger outlet temperature range from 50°F to 400°F is adequate to monitor any expected conditions leaving the heat exchanger. The minimum temperature of the RHR system will be 60°F in the long term following an accident due to the automatic temperature control on the CCW system, which provides cooling water to the RHR heat exchanger. The air-operated temperature control valve which bypasses flow around the CCW heat exchanger is a safety-related qualified valve; however, it is supplied by a nonsafety-related instrument air system. This system will most likely be available during the long term following an accident, and it may be loaded onto the emergency diesel generator.

If this automatic control is not available, many options exist for operator action to control the CCW and/or RHR temperatures and flows to maintain a minimum RHR heat exchanger outlet temperature at or above 50°F; therefore, the existing range of the outlet temperature indicators is adequate. With the given decay heat, it would take several days for the outlet temperature to approach the low end of the currently monitored range. With operators periodically monitoring RCS water temperature after an accident, it is not deemed credible for the outlet temperature to fall below 50°F with no remedial actions being taken by the operating staff. As evidenced by the Revision 3 change to the low end of the range (from 32°F to 40°F), it is Callaway's position that this required range is arbitrary and not based on plant-specific requirements for post-accident monitoring.


DATA SHEET 3.2

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

| VARIABLE IDENT. NO. | VARIABLE | RANGE | CATEGORY | PURPOSE |
|---|---|---|---|---|
| D.2.1 | Accumulator Tank Level and Pressure | 10% to 90% volume; 0 to 750 psig | 2 | To monitor operation |
| D.2.2 | Accumulator Isolation Valve Position | Closed or open | 2 | Operation status |

CALLAWAY PLANT DESIGN PROVISIONS

| VARIABLE IDENT. NO. | VARIABLE | RANGE | SENSOR/TRANSMITTER IDENT. NO. | SENSOR/TRANSMITTER CL.1E | CONTROL ROOM INDICATOR PANEL | CONTROL ROOM INDICATOR CL.1E | CONTROL ROOM RECORDER PANEL | CONTROL ROOM RECORDER CL.1E | ERFIS COMPUTER |
|---|---|---|---|---|---|---|---|---|---|
| D.2.1 | Accumulator Tank Level (Unnecessary) | 13+ inches | LT-950 through 957 | N | 018 | N | - | - | NSSS |
| D.2.1 | Accumulator Tank Pressure (Unnecessary) | 0-700 psig | PT-960 through 967 | N | 018 | N | - | - | NSSS |
| D.2.2 | Accumulator Isolation Valves | Closed/Open | ZS 8808AA, AB through DA, DB | Y | 018 | Y | - | - | BOP |

REMARKS

The accumulator isolation valve position indication requirements are met.

Accumulator tank level and pressure indication are unnecessary variables and need not be provided for post-accident monitoring. Therefore, Category 2 instruments are not required. Remark 3 provides additional justification. Remarks 4 and 5 discuss the available pressure and level monitors and their ranges. These remarks also address the adequacy of the existing ranges when compared to the recommended ranges of Table 2 of Regulatory Guide 1.97. Since these variables are unnecessary, the comparison is provided only for information.

Table 2 of Regulatory Guide 1.97 lists accumulator pressure and level under Type D variables which are defined therein as: "Type D Variables: Those variables that provide information to indicate the operation of individual safety systems and other systems important to safety. These variables are to help the operator make appropriate decisions in using the individual systems important in mitigating the consequences of an accident."

Accumulator level and pressure indication do not provide information which is relevant to the defined purpose of a Type D variable. The accumulators are designed to passively inject water into the RCS when the primary pressure falls below the accumulator cover gas pressure (602 to 648 psig per Technical Specifications). The nitrogen cover gas would not be injected until much lower pressures (around 300 psig) are reached. Since the discharge of water from the accumulators is beneficial for transients resulting from RCS breaks, the accumulator discharge valves are locked open and cannot be opened from the control room. Section 15.6 provides RCS depressurization curves for various size LOCAs. The accumulators inject water for all LOCAs analyzed except for the 3-inch LOCA wherein the analysis was terminated at 2500 seconds.

If the operator had determined that there is no further need or potential need for accumulator water injection and he desired to preclude the addition of nitrogen during the long-term LOCA recovery phase and if the RCS pressure had not dropped below 300 psig, the operator may vent the accumulators and/or isolate the discharge of the accumulators by directing the power breakers to be unlocked (outside the control room), provided that this action would not violate any procedures.

For a LOCA, there is no need to determine if accumulator water has been injected. If water has been injected, it was needed or at least not adverse to the core.

Should there be a question as to whether the accumulators actually discharged nitrogen into a depressurized but relatively intact primary system, the operator could utilize the pressure and RV level indication to determine if nitrogen was in the pressurizer or the vessel head. These areas can be vented from the control room, if it is deemed appropriate.

Other Condition IV events (SGTR and MSLB) do not result in RCS depressurization transients which result in discharge of accumulator nitrogen into the RCS. For these events, the operating staff will isolate or depressurize the accumulators prior to proceeding to a cold shutdown condition. The operating staff has two variables available to them to indicate the successful completion of this action: valve position of the accumulator discharge valves and valve position of the nitrogen vent valves. The operator is capable of isolating or depressurizing the accumulators even with an assumed single failure. Therefore, the accumulator level and pressure indications are unnecessary for these events as well as a LOCA.

The range of the accumulator tank pressure transmitter is adequate to monitor any expected pressure in the accumulator. The maximum pressure allowed by the plant Technical Specification is 648 psig. No fluid addition to the tank is expected following an accident due to the check valve in the discharge line from each accumulator. Therefore, there is no need to extend the pressure indication beyond the present 700 psig range.

The recommended range of level indication from 10 to 90 percent of tank volume is unnecessary. The plant Technical Specifications require that the content of the tank be maintained within a very narrow range (6061 to 6655 gallons). The instrumentation provided monitors the level of the tank for a span of 13 inches in which the normal level is maintained. Monitoring the level above the Technical Specification value is not required because fluid addition following an accident is not postulated.

Monitoring the levels between the present range and the recommended range of 10 percent of tank volume is not required because the addition of water contained in that volume, as noted previously, is beneficial and of no concern following an accident.


DATA SHEET 3.3

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

| VARIABLE IDENT. NO. | VARIABLE | RANGE | CATEGORY | PURPOSE |
|---|---|---|---|---|
| D.2.3 | Boric Acid Charging Flow | 0-110% design flow 10 | 2 | To monitor operation |
| D.2.4 | Flow in HPI System | 0-110% design flow 10 | 2 | To monitor operation |

CALLAWAY PLANT DESIGN PROVISIONS

| VARIABLE IDENT. NO. | VARIABLE | RANGE | SENSOR/TRANSMITTER IDENT. NO. | SENSOR/TRANSMITTER CL.1E | CONTROL ROOM INDICATOR PANEL | CONTROL ROOM INDICATOR CL.1E | CONTROL ROOM RECORDER PANEL | CONTROL ROOM RECORDER CL.1E | ERFIS COMPUTER |
|---|---|---|---|---|---|---|---|---|---|
| D.2.3 | ECCS Centrifugal Charging Pump Flow (Boron Inj.) | 0-280% | FT-917A | Y | 018 | Y | - | - | NSSS |
| | | 0-280% | FT-917B | Y | 018 | Y | - | - | NSSS |
| D.2.4 | Safety Injection Pump Flow | 0-123% | FT-918 | N | 017 | N | - | - | NSSS |
| | | 0-123% | FT-922 | N | 017 | N | - | - | NSSS |
| D.2.4 | Charging to RCP Seals | 0-250% | FT-215A | Y | 001 | Y | - | - | NSSS |
| | | 0-250% | FT-215B | Y | 001 | Y | - | - | NSSS |

REMARKS

The SI pump flow rate is 650 gpm for hot leg recirculation. The range of FT-918 and 922 (shown on Figures 6.3-1, Sheet 2) is 0 to 800 gpm. The ECCS centrifugal charging pump flow rate to the boron injection path is RCS pressure-dependent (see Tables 15.6-10 and 15.6-12) for injection and recirculation. The range of FT-917A and 917B (shown on Figure 6.3-1, Sheet 3) is 0 to 1,000 gpm.

The flow to the RCP seals (shown on Figure 9.3-8) is provided by the normal charging pump or ECCS centrifugal charging pumps, as described in Section 9.3.4. The normal flow rate is 32 gpm (8 gpm per pump). This flow path is also utilized as part of safe shutdown with only safety-related equipment. Refer to Appendix 5.4A. The range of FT-215A and 215B is 80 gpm.

The safety injection flow is provided for performance monitoring only and is not required following an accident; therefore, the transmitters are not Class 1E. The ECCS centrifugal charging pump flow elements/transmitters are used during safe shutdown; therefore, they are Class 1E.


DATA SHEET 3.4

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

| VARIABLE IDENT. NO. | VARIABLE | RANGE | CATEGORY | PURPOSE |
|---|---|---|---|---|
| D.2.6 | Refueling Water Storage Tank Level | Top to bottom | 2 | To monitor operation |

CALLAWAY PLANT DESIGN PROVISIONS

| VARIABLE IDENT. NO. | VARIABLE | RANGE | SENSOR/TRANSMITTER IDENT. NO. | SENSOR/TRANSMITTER CL.1E | CONTROL ROOM INDICATOR PANEL | CONTROL ROOM INDICATOR CL.1E | CONTROL ROOM RECORDER PANEL | CONTROL ROOM RECORDER CL.1E | ERFIS COMPUTER |
|---|---|---|---|---|---|---|---|---|---|
| D.2.6 | Refueling Water Storage Tank Level | Top to bottom | LT-930 | Y | 018 | Y | 018 | N | NSSS |
| | | | LT-931 | Y | 018 | Y | 018 | N | NSSS |
| | | | LT-932 | Y | 018 | Y | - | - | NSSS |
| | | | LT-933 | Y | 018 | Y | - | - | NSSS |

REMARKS

The RWST level instrumentation is shown on Figure 6.3-1, Sheet 1, and fully meets the stated requirements.

The RWST level indications and alarms are utilized during switchover from injection to recirculation in a 2-out-of-4 logic. RWST level is a Type A variable, per the assumptions stated in Section 7A.3.1.


DATA SHEET 4.1

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

| VARIABLE IDENT. NO. | VARIABLE | RANGE | CATEGORY | PURPOSE |
|---|---|---|---|---|
| D.4.1 | Steam Generator Level | From tube sheet to separators | 1 | To monitor operation |

CALLAWAY PLANT DESIGN PROVISIONS

| VARIABLE IDENT. NO. | VARIABLE | RANGE | SENSOR/TRANSMITTER IDENT. NO. | SENSOR/TRANSMITTER CL.1E | CONTROL ROOM INDICATOR PANEL | CONTROL ROOM INDICATOR CL.1E | CONTROL ROOM RECORDER PANEL | CONTROL ROOM RECORDER CL.1E | ERFIS COMPUTER |
|---|---|---|---|---|---|---|---|---|---|
| D.4.1 | Steam Generator Level - Wide Range | 13 inches above tube sheet to separators | LT-501 | Y | 025 | Y | 026 | N | NSSS |
| | | | LT-502 | Y | 025 | Y | 026 | N | NSSS |
| | | | LT-503 | Y | 025 | Y | 026 | N | NSSS |
| | | | LT-504 | Y | 025 | Y | 026 | N | NSSS |
| NA | Steam Generator Level - Narrow Range | 150 inches | LT-517, 518, 519 | Y | 026 | Y | - | - | NSSS |
| | | | LT-527,528,529 | Y | 026 | Y | - | - | NSSS |
| | | | LT-537,538,539 | Y | 026 | Y | - | - | NSSS |
| | | | LT-547,548,549 | Y | 026 | Y | - | - | NSSS |
| | | | LT-551,2,3&4 | Y | 025 | N | - | - | NSSS |

REMARKS

The steam generator wide range instrumentation provides level indication from 13 inches above the tube sheet to the moisture separators (a range of 573 inches) and meets the intent of the recommended range. The steam generator is essentially dry when the level drops below the lower tap (less than 450 gallons).

The four narrow range level transmitters on each loop are fully qualified and are considered to be a Type A variable per the assumptions stated in Section 7A.3.1. The narrow range transmitters are used to identify a steam generator tube rupture.

The narrow range instruments provide diverse indications within their range (437 to 587 inches above the tube sheet) and would indicate the failure (high or low) of a wide range instrument.

Wide range steam generator level measurement meets the intent of the single failure criterion for Category 1 variables by virtue of independent, diverse variables. In the Callaway emergency procedures, auxiliary feedwater (AFW) flow, reactor coolant pressure, and reactor coolant temperature indications are diverse variables which are used to determine whether adequate core cooling is provided in the absence of wide range level indication on one steam generator. The Callaway design of having one wide range level indicator, in conjunction with one AFW flow indicator, per steam generator is consistent with NUREG-0737 Item II.E.1.2 for Westinghouse plants (see Section 18.2.8.1).


DATA SHEET 4.2

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

| VARIABLE IDENT. NO. | VARIABLE | RANGE | CATEGORY | PURPOSE |
|---|---|---|---|---|
| D.4.2 | Steam Generator Pressure | From atmospheric pressure to 20 percent above the lowest safety valve setpoint | 2 | To monitor operation |

CALLAWAY PLANT DESIGN PROVISIONS

| VARIABLE IDENT. NO. | VARIABLE | RANGE | SENSOR/TRANSMITTER IDENT. NO. | SENSOR/TRANSMITTER CL.1E | CONTROL ROOM INDICATOR PANEL | CONTROL ROOM INDICATOR CL.1E | CONTROL ROOM RECORDER PANEL | CONTROL ROOM RECORDER CL.1E | ERFIS COMPUTER |
|---|---|---|---|---|---|---|---|---|---|
| D.4.2 | Steam Line Pressure | 0-1,300 psig (0-110% above lowest safety valve setpoint) | PT-514,5,6 | Y | 026 | Y | 026 (PT-514) | N | NSSS |
| | | | PT-524,5,6 | Y | 026 | Y | 026 (PT-524) | N | NSSS |
| | | | PT-534,5,6 | Y | 026 | Y | 026 (PT-535) | N | NSSS |
| | | | PT-544,5,6 | Y | 026 | Y | 026 (PT-545) | N | NSSS |
| NA | Steam Line Pressure for PORV Operation | 0-1,500 psig 126% | PT-1 | Y | 006 | Y | - | - | - |
| | | | PT-2 | Y | 006 | Y | - | - | - |
| | | | PT-3 | Y | 006 | Y | - | - | - |
| | | | PT-4 | Y | 006 | Y | - | - | - |

REMARKS

The lowest safety valve setpoint is 1,185 psig. The steam line pressure transmitters have a range of 0 to 1,300 psig, which is 110 percent above the lowest setpoint. Assuming a repeatability factor of +/-3 percent total channel accuracy of the steam line pressure monitoring channels, a margin of 40 psi exists between the upper range of the steam line pressure transmitters and the opening setpoint of the lowest safety valve.

In addition, the Callaway atmospheric relief valves are fully qualified and available for controlled heat removal and steam generator level control by maintaining a steam discharge rate approximately equal to the auxiliary feedwater addition rate.

These atmospheric relief valves are set at 1140 psig and would lift prior to the safety valve with the lowest set pressure. The operation of these valves provides another 45 psi margin between the opening of a relief valve and the 1300 psig range of the steam line pressure indicators. Using this setpoint, the steam line pressure transmitters have a range of 0 to 114 percent. The existing range of 0 to 1300 psig is adequate for the Callaway design since it provides sufficient margins above the expected secondary side pressures.

The steam line pressure transmitters used for PORV operation have a range of 0 to 1,500 psig, which is 126 percent of the lowest setpoint. These instruments are not considered part of the RG 1.97 data set per the assumptions stated in Section 7A.3.2 and are not inputted to the ERFIS data systems. These instruments are fully qualified and meet the requirements of Category 2 instrumentation.

The steam line pressure is a Type A variable per the assumptions stated in Section 7A.3.1, and is used to detect an SGTR and secondary side break and to identify the affected steam generator.


DATA SHEET 4.3

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

| VARIABLE IDENT. NO. | VARIABLE | RANGE | CATEGORY | PURPOSE |
|---|---|---|---|---|
| D.4.3 | Safety/Relief Valve Positions or Main Steam Flow | Closed - not closed | 2 | To monitor operation |

CALLAWAY PLANT DESIGN PROVISIONS

| VARIABLE IDENT. NO. | VARIABLE | RANGE | SENSOR/TRANSMITTER IDENT. NO. | SENSOR/TRANSMITTER CL.1E | CONTROL ROOM INDICATOR PANEL | CONTROL ROOM INDICATOR CL.1E | CONTROL ROOM RECORDER PANEL | CONTROL ROOM RECORDER CL.1E | ERFIS COMPUTER |
|---|---|---|---|---|---|---|---|---|---|
| D.4.3 | Atmospheric Relief Valve Position (PORV) | Closed - not closed | ZS-1 | Y | 006 | Y | - | - | BOP |
| | | | ZS-2 | Y | 006 | Y | - | - | BOP |
| | | | ZS-3 | Y | 006 | Y | - | - | BOP |
| | | | ZS-4 | Y | 006 | Y | - | - | BOP |
| D.4.3 | Safety Valve Position (20 valves) | See Note 2 | | | | | | | |

REMARKS

The atmospheric relief valve (PORV) position fully meets the stated requirements.

The number of safety valves open is determined by the radiological release information system (RRIS) computer using main steam flow and other valve positions (main steam isolation valves, condenser dump valves, atmospheric relief valves).


DATA SHEET 4.4

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

| VARIABLE IDENT. NO. | VARIABLE | RANGE | CATEGORY | PURPOSE |
|---|---|---|---|---|
| D.4.4 | Main Feedwater Flow | 0-110 percent design flow 10 | 3 | To monitor operation |

CALLAWAY PLANT DESIGN PROVISIONS

| VARIABLE IDENT. NO. | VARIABLE | RANGE | SENSOR/TRANSMITTER IDENT. NO. | SENSOR/TRANSMITTER CL.1E | CONTROL ROOM INDICATOR PANEL | CONTROL ROOM INDICATOR CL.1E | CONTROL ROOM RECORDER PANEL | CONTROL ROOM RECORDER CL.1E | ERFIS COMPUTER |
|---|---|---|---|---|---|---|---|---|---|
| D.4.4 | Main Feedwater Flow | 0-120 percent of VWO flow | FT-510 | N | 026 | N | 006 | N | NSSS |
| | | | FT-511 | N | 026 | N | - | - | NSSS |
| | | | FT-520 | N | 026 | N | 006 | N | NSSS |
| | | | FT-521 | N | 026 | N | - | - | NSSS |
| | | | FT-530 | N | 026 | N | 006 | N | NSSS |
| | | | FT-531 | N | 026 | N | - | - | NSSS |
| | | | FT-540 | N | 026 | N | 006 | N | NSSS |
| | | | FT-541 | N | 026 | N | - | - | NSSS |

REMARKS

The Callaway design meets all of the stated recommendations.

The flow transmitter has a range from 0 to 4.8 x 10^6 lbs/hr. The VWO flow is 3.99 x 10^6 lbs/hr for each line (based on 0% steam generator tube plugging; see Tables 10.3-2 and 10.4-6).


DATA SHEET 5.1

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

| VARIABLE IDENT. NO. | VARIABLE | RANGE | CATEGORY | PURPOSE |
|---|---|---|---|---|
| D.5.1 | Auxiliary or Emergency Feedwater Flow | 0-110 percent design flow 10 | 2 (1 for B & W plants) | To monitor operation |

CALLAWAY PLANT DESIGN PROVISIONS

| VARIABLE IDENT. NO. | VARIABLE | RANGE | SENSOR/TRANSMITTER IDENT. NO. | SENSOR/TRANSMITTER CL.1E | CONTROL ROOM INDICATOR PANEL | CONTROL ROOM INDICATOR CL.1E | CONTROL ROOM RECORDER PANEL | CONTROL ROOM RECORDER CL.1E | ERFIS COMPUTER |
|---|---|---|---|---|---|---|---|---|---|
| D.5.1 | Auxiliary Feedwater Flow | 0-160% | FT-1 | Y | 006 | - | - | - | BOP |
| | | | FT-2 | Y | 006 | - | - | - | BOP |
| | | | FT-3 | Y | 006 | - | - | - | BOP |
| | | | FT-4 | Y | 006 | - | - | - | BOP |
| NA | | 0-160% | FT-7 | Y | - | - | - | - | BOP |
| | | | FT-9 | Y | - | - | - | - | BOP |
| | | | FT-11 | Y | - | - | - | - | BOP |

REMARKS

The auxiliary feedwater system is described in Section 10.4.9 and shown on Figure 10.4-9.

Auxiliary feedwater flow to each steam generator is monitored by a Class 1E flow loop. Each flow transmitter is powered by a different separation group (1 through 4) corresponding to the power supply for the steam line PORV. Only two of the four steam generators are required to establish a heat sink for the RCS. The required flow indication to two intact steam generators is assured assuming a single failure.

A comparison of the AFWS to the NUREG-0737 requirements for reliability and flow indication is provided in Section 18.2.7 which shows complete compliance to all recommendations.

The flow transmitters have a range of 0 to 400 gpm. The design flow to the steam generators is 250 gpm for a normal shutdown. For a MSLB the design flow to two intact steam generators is 500 gpm (250 gpm each).


DATA SHEET 5.2

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | CATEGORY | PURPOSE
D.5.2 | Condensate Storage Tank Level | Plant Specific | 1 | To ensure water supply for auxiliary feedwater (Can be Category 3 if not primary source of AFW. Then whatever is primary source of AFW should be listed and should be Category 1.)

CALLAWAY PLANT DESIGN PROVISIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | SENSOR/TRANSMITTER IDENT. NO. | SENSOR/TRANSMITTER CL.1E | CONTROL ROOM INDICATOR PANEL | INDICATOR CL.1E | CONTROL ROOM RECORDER PANEL | RECORDER CL.1E | ERFIS COMPUTER
D.5.2 | Condensate Storage Tank Level (indicated by pump suction pressure) | Top to bottom | PT-24 | Y | 005 | Y | - | - | BOP
 |  |  | PT-25 | Y | 005 | Y | - | - | BOP
 |  |  | PT-26 | Y | 005 | Y | - | - | BOP
NA | Condensate Storage Tank Level (for automatic AFWS switchover) | Appropriate for automatic switchover to ESW | PT-37 | Y | 026 | Y | - | - | BOP
 |  |  | PT-38 | Y | 026 | Y | - | - | BOP
 |  |  | PT-39 | Y | 026 | Y | - | - | BOP
NA | Condensate Storage Tank Level | 0-100% | LT-4 | N | 005 | N | - | - | BOP

REMARKS

The CST is shown on Figure 9.2-12, and the pressure transmitters are shown on Figure 10.4-9. As stated in Section 10.4.9, the CST level will be determined by PT-24, 25, and 26.

The automatic switchover to ESW upon the depletion of CST water volume will be initiated by PT-37, 38, and 39. LT-4 is non-safety grade and provides a direct level reading; however, this instrument is not considered part of the RG 1.97 data base.

Since there is no manual action required for switchover to the alternate source of auxiliary feedwater (ESW), the CST level measurements are not Type A variables.

DATA SHEET 6.1

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | CATEGORY | PURPOSE
B.3.3 | Containment Pressure¹ | 0 to design pressure⁴ (psig) | 1 | Function detection, accomplishment of mitigation, verification
B.4.2 | Containment Pressure¹ | 10 psia to design pressure⁴ | 1 | Same
C.2.2 | Containment Pressure¹ | 10 psia to design pressure⁴, psig (5 psia for subatmospheric containments) | 1 | Detection of breach, accomplishment of mitigation, verification, long-term surveillance
C.3.3 | Containment Pressure¹ | 10 psia to 3 times design pressure⁴ for concrete (4 times design pressure for steel) (5 psia for subatmospheric containments) | 1 | Detection of potential for or actual breach, accomplishment of mitigation, verification

CALLAWAY PLANT DESIGN PROVISIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | SENSOR/TRANSMITTER IDENT. NO. | SENSOR/TRANSMITTER CL.1E | CONTROL ROOM INDICATOR PANEL | INDICATOR CL.1E | CONTROL ROOM RECORDER PANEL | RECORDER CL.1E | ERFIS COMPUTER
B.3.3, B.4.2, C.2.2 | Containment Pressure (normal design range) | 0-69 psig | PT-934 | Y | 018 | Y | 018 | N | NSSS
 |  |  | PT-935 | Y | 018 | Y | 018 | N | NSSS
 |  |  | PT-936 | Y | 018 | Y | 018 | - | NSSS
 |  |  | PT-937 | Y | 018 | Y | 018 | - | NSSS
C.3.3 | Containment Pressure - Wide Range | -5 to 180 | PT-938 | Y | 020 | Y | 020 | N | NSSS
 |  |  | PT-939 | Y | 020 | Y | 020 | N | NSSS
NA | Containment Pressure (normal operating range) | -3 to +3 psig | PDY-40 | N | 020 | N | - | - | BOP

REMARKS

The Callaway design meets all of the stated requirements.

The design pressure of the containment is 60 psig. The peak calculated pressure following a LOCA and MSLB are described in Section 6.2. As stated in Section 7A.3.2, diversity is not required in extended ranges not associated with DBEs.

Monitoring of subatmospheric conditions recommended in items B.4.2, C.2.2, and C.3.3 is accomplished by the wide range instruments.

Normal containment pressure will be maintained near atmospheric pressure and measured by pressure transmitters located inside and outside of the containment. The difference in pressures will be indicated in the control room. This instrumentation is not part of the Regulatory Guide 1.97 data base.

DATA SHEET 6.2

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | CATEGORY | PURPOSE
B.3.2 | Containment Sump Water Level¹ | Narrow range (sump) | 2 | Function detection, accomplishment of mitigation, verification
 |  | Wide range (bottom of containment to 600,000-gallon level equivalent) | 1 | 
C.2.3 | Containment Sump Water Level¹ | Narrow range (sump) | 2 | Detection of breach, accomplishment of mitigation, verification, long-term surveillance
 |  | Wide range (bottom of containment to 600,000-gallon level equivalent) | 1 | 

CALLAWAY PLANT DESIGN PROVISIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | SENSOR/TRANSMITTER IDENT. NO. | SENSOR/TRANSMITTER CL.1E | CONTROL ROOM INDICATOR PANEL | INDICATOR CL.1E | CONTROL ROOM RECORDER PANEL | RECORDER CL.1E | ERFIS COMPUTER
B.3.2, C.2.3 | Normal Sump Water Level | 836,000 gallons | LIT-9 | Y | 018 | Y | - | - | BOP
 |  |  | LIT-10 | Y | 018 | Y | 020 | Y | BOP
NA | Recirculation Sump Level | 576,000 gallons | LIT-7 | Y | 018 | Y | - | - | BOP
 |  |  | LIT-8 | Y | 018 | Y | 020 | Y | BOP

REMARKS

Refer to Section 18.2.12.2 for a comparison with NUREG-0737 requirements.

The Callaway design provides for Class 1E level monitoring in each of the two containment normal sumps and above each of the two recirculation sumps. The bottoms of the normal and recirculation sumps are at Elevations 1,995 feet and 1,992 feet, respectively. The levels in each normal sump are monitored from 6 inches above the sump bottoms for the next 156 inches. The LOCA results in the maximum flood level of 2004'-6" (348,000 gallons, minimum). The normal sump level extends to 2008'-6", providing ~4 feet of range above the maximum flood level.

The normal sumps are provided with twin level elements which are indicated on one continuous indicator. The recirculation sump level instruments monitor containment water level above the recirculation sump curb. The monitored level begins at elevation 2000'-6". Redundancy is provided in each type of sump. Diversity is not required, since there are four independent water level measurements.

Normal sump level is a Type A variable for Callaway. The normal sump level is used for event identification. The recirculation sump level is not a Type A variable. Although the recirculation sump level could be used for event identification, it is not required and would not respond following an event since its range begins at the top of the 6-inch curb around the sump. Similarly, since switchover to recirculation is initiated automatically on low RWST level, verification of containment water level is not required nor part of a preplanned manual safety function. Refer to Section 7A.3.1.

DATA SHEET 6.3

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | CATEGORY | PURPOSE
B.4.1 | Containment Isolation Valve Position (excluding check valves) | Closed - not closed | 1 | Accomplishment of isolation

CALLAWAY PLANT DESIGN PROVISIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | SENSOR/TRANSMITTER IDENT. NO. | SENSOR/TRANSMITTER CL.1E | CONTROL ROOM INDICATOR PANEL | INDICATOR CL.1E | CONTROL ROOM RECORDER PANEL | RECORDER CL.1E | ERFIS COMPUTER
B.4.1 | Containment Isolation Valve Position (excluding manual and check valves) | Closed - not closed | See Figure 6.2.4-1 | Y | Misc. | Y | - | - | BOP

REMARKS

Refer to Sections 6.2.4 and 18.2.11 for discussions of containment isolation. As noted in Section 6.2.4, manual valves do not have position indication in the control room. The position of the manual valves is verified on a periodic basis in accordance with the Technical Specifications. In addition, these valves are under administrative control and are locked or sealed closed whenever containment integrity is required.

DATA SHEET 6.4

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | CATEGORY | PURPOSE
C.3.2 | Containment Hydrogen Concentration | 0 to 10% (capable of operating from 10 psia to maximum design pressure⁴) | 3 | Detection of potential for breach, accomplishment of mitigation, long-term surveillance
E.6.3.1 | Hydrogen Content | 0 to 10% | 3 | Release assessment, verification analysis

CALLAWAY PLANT DESIGN PROVISIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | SENSOR/TRANSMITTER IDENT. NO. | SENSOR/TRANSMITTER CL.1E | CONTROL ROOM INDICATOR PANEL | INDICATOR CL.1E | CONTROL ROOM RECORDER PANEL | RECORDER CL.1E | ERFIS COMPUTER
C.3.2, E.6.3.1 | Containment Hydrogen Concentration | 0-10% | AT-10 | Y | 020 | Y | 020 | Y | BOP
 |  |  | AT-19 | Y | 020 | Y | - | - | BOP

REMARKS

The hydrogen analyzers are described in Section 6.2.5 and shown on Figure 6.2.5-1.

The hydrogen analyzers meet all of the stated requirements. Refer to Section 18.2.12.2 for a comparison with NUREG-0737 requirements. The analyzers will operate properly within the recommended containment pressure ranges.

RG 1.97, Revision 2, Table 2 recommends Category 1. However, the hydrogen analyzers are Category 3, as defined in RG 1.97, per 10 CFR 50.44 as amended by the NRC effective October 16, 2003.

DATA SHEET 6.5

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | CATEGORY | PURPOSE
D.6.3 | Containment Atmosphere Temperature | 40°F to 400°F | 2 | To indicate accomplishment of cooling

CALLAWAY PLANT DESIGN PROVISIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | SENSOR/TRANSMITTER IDENT. NO. | SENSOR/TRANSMITTER CL.1E | CONTROL ROOM INDICATOR PANEL | INDICATOR CL.1E | CONTROL ROOM RECORDER PANEL | RECORDER CL.1E | ERFIS COMPUTER
D.6.3 | Containment Atmosphere Temperature | 0-400°F | TE-60 | Y | 018 | Y | - | - | BOP
 |  |  | TE-61 | Y | 018 | Y | - | - | BOP
 |  |  | TE-62 | Y | 018 | Y | - | - | BOP
 |  |  | TE-63 | Y | 018 | Y | 020 | Y | BOP

REMARKS

The Callaway design meets all of the stated recommendations.

The Callaway design utilizes containment pressure to verify that containment heat removal is being accomplished. Refer to data sheet 8.1 for a further discussion.

Containment temperature is not a Type A variable, since it does not meet the requirements discussed in Section 7A.3.1.

DATA SHEET 6.6

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | CATEGORY | PURPOSE
D.6.4 | Containment Sump Water Temperature | 50°F to 250°F | 2 | To monitor operation

CALLAWAY PLANT DESIGN PROVISIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | SENSOR/TRANSMITTER IDENT. NO. | SENSOR/TRANSMITTER CL.1E | CONTROL ROOM INDICATOR PANEL | INDICATOR CL.1E | CONTROL ROOM RECORDER PANEL | RECORDER CL.1E | ERFIS COMPUTER
D.6.4 | Containment Sump Water Temperature (unnecessary variable)

REMARKS

This variable is unnecessary for the Callaway Plant. The recommended purpose is to "monitor operation"; however, there is no system at Callaway for it to monitor. Containment cooling is monitored by the air temperature monitors described on data sheet 6.5.

Sump temperature is not required for RHR operation or assurance of NPSH available, since NPSH calculations conservatively assume saturated water was present. See Safety Evaluation Eleven of Section 6.2.2.1.3 and Table 6.2.2-7.

Primary system, PRT, and other containment parameters are all available to help determine the plant conditions. Sump level indications indicate the amount of water, and the other parameters indicate its source.

Note that proper RHR functions during the recirculation mode are provided by other variables described on data sheet 3.1.

The Callaway SER (NUREG-0830) in Section 6.2.1.1 (page 6-4) indicates that the NRC Staff agrees that this variable is not necessary and finds this exception to the guidelines of Regulatory Guide 1.97 acceptable.

The Callaway SER also addresses the containment heat removal systems and similarly finds them acceptable. Page 6-10 indicates that the RHR system serves to remove heat from the containment during the recirculation mode following a LOCA by cooling the containment sump fluid in the RHR heat exchanger. During this mode of operation, the RHR inlet temperature monitors described on Data Sheet 3.1 would provide indication of the containment sump water temperature. As noted on Data Sheet 3.1, the RHR heat exchanger inlet temperature is not considered to be part of the Regulatory Guide 1.97 data base.

DATA SHEET 7.1

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | CATEGORY | PURPOSE
D.7.1 | Makeup Flow - In | 0 to 110% design flow¹⁰ | 2 | To monitor operation
D.7.2 | Letdown Flow - Out | 0 to 110% design flow¹⁰ | 2 | To monitor operation
D.7.3 | Volume Control Tank Level | Top to bottom | 2 | To monitor operation

CALLAWAY PLANT DESIGN PROVISIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | SENSOR/TRANSMITTER IDENT. NO. | SENSOR/TRANSMITTER CL.1E | CONTROL ROOM INDICATOR PANEL | INDICATOR CL.1E | CONTROL ROOM RECORDER PANEL | RECORDER CL.1E | ERFIS COMPUTER
 | Normal Charging Flow | 50 to 267% | FT-121 | N | 002 | N | - | - | NSSS
 | Normal Letdown Flow | 0 to 267% | FT-132 | N | 002 | N | - | - | NSSS
 | Volume Control Tank Level | Top to bottom of straight shell | LT-185 | Y | 002 | Y | - | - | -
 |  |  | LT-112 | Y | 002 | Y | - | - | -
 |  |  | LT-149 | N | - | - | - | - | NSSS
 | Safety Related Letdown | 0 to 167% | FT-138A | Y | 001 | Y | - | - | NSSS
 |  | 0 to 167% | FT-138B | Y | 001 | Y | - | - | NSSS

REMARKS

The normal charging and letdown flow rates are described on this data sheet. The DBA-related portion of the charging system is described on data sheet 3.3.

The volume control tank level is Class 1E to ensure a suction source from the RWST (automatically) on low VCT level.

The level of the VCT is monitored for the straight shell portion only. The span is 75 inches. The hemispherical heads are not monitored, since the volume-to-level ratio is not linear.

Appendix 5.4A describes the safety grade cold shutdown system provided in the SNUPPS design. As part of this design, a Class 1E letdown system is provided to the PRT through the excess letdown heat exchanger. FT-138A and B have a range of 0 to 50 gpm. The maximum emergency letdown flow rate at RCS loop temperatures above 400°F is 30 gpm.

The maximum emergency letdown flow at less than or equal to 400°F is 50 gpm.

DATA SHEET 8.1

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | CATEGORY | PURPOSE
D.6.2 | Heat Removal by the Containment Fan Heat Removal System | Plant specific | 2 | To monitor operation

CALLAWAY PLANT DESIGN PROVISIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | SENSOR/TRANSMITTER IDENT. NO. | SENSOR/TRANSMITTER CL.1E | CONTROL ROOM INDICATOR PANEL | INDICATOR CL.1E | CONTROL ROOM RECORDER PANEL | RECORDER CL.1E | ERFIS COMPUTER
D.6.2 | Containment Cooler Heat Removal (unnecessary variable) | -

REMARKS

Quantification of the amount of heat being removed by the containment fan coolers is an unnecessary variable and is not provided for Callaway. The accomplishment of post-accident heat removal is verified by monitoring the operation of the fan coolers and monitoring the containment pressure and air temperature. Containment pressure and air temperature monitors are described on Data Sheets 6.1 and 6.5.

Monitoring of containment air cooler operation is provided by three sets of indications, all of which are safety-related and qualified for post-accident operation. These items do indicate that the air coolers are operating; however, they do not quantify the amount of heat being removed from the containment atmosphere.

The handswitches for each containment air cooler fan are provided with lights which indicate the mode of operation (stop, slow, or fast) for each containment air cooler.

The ESF status panel indicates whether the fan coolers are being provided with power (control and fan power supply). If the control fuse blows or if the power breaker trips, a red ouble light appears on one of the ESF status panel windows "Ctmt Cooler Fan SGN01A (B, C or D)." Also, an audio alarm is generated.

The containment isolation valves serving each set of two containment air coolers are also provided with Class 1E hand indication switches in the control room. These position switches indicate that the isolation valves are open and that the lines to each cooler are capable of passing the cooling water flow. Since the containment isolation valves are normally open and receive a confirmatory open signal on the receipt of a safety injection signal, the ESF status panel also contains windows for these valves. A red light will appear and an audio alarm will be sounded if any valve fails to take its post-accident position (open).

In Callaway, the heat removal capability of the containment air coolers is accurately determined by sophisticated mathematical and computer modeling developed by the air cooler supplier. The accuracy of the model was verified during the prototype testing of three different coils at three different post-accident pressures. Topical Report AAF-TR-7101 (Reference 1 of FSAR Section 6.2.2.3) provides a comparison of the measured heat removal during the tests to the computer analysis predictions. The comparisons show very close agreement between the predicted and actual heat removal abilities. The NRC has approved the topical report for reference in construction permit and operating license applications.

During the transient of an accident, heat removal by air coolers cannot be used by an operator, since too many variables are changing rapidly. The amount of energy released to the containment cannot be accurately quantified. Heat removal mechanisms are those identified in Section 6.2.1 and include heat transfer to passive heat sinks, containment sprays, and containment air coolers. The operator must determine what equipment is operating and watch the changes in containment pressure, temperature, sump level, and radiation levels to determine the nature of the accident.

The operability of the air coolers is verified periodically throughout the life of the plant in accordance with Technical Specification Paragraph 4.6.2.3, which ensures the proper operation of the system.

DATA SHEET 9.1

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | CATEGORY | PURPOSE
D.8.1 | Component Cooling Water Temperature to ESF System | 32°F* to 200°F | 2 | To monitor operation
D.8.2 | Component Cooling Water Flow to ESF System | 0 to 110% design flow¹⁰ | 2 | To monitor operation

CALLAWAY PLANT DESIGN PROVISIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | SENSOR/TRANSMITTER IDENT. NO. | SENSOR/TRANSMITTER CL.1E | CONTROL ROOM INDICATOR PANEL | INDICATOR CL.1E | CONTROL ROOM RECORDER PANEL | RECORDER CL.1E | ERFIS COMPUTER
D.8.1 | CCW Heat Exchanger Discharge Temperature | 0-200°F | TE-31 | Y | 019 | Y | - | - | BOP
 |  |  | TE-32 | Y | 019 | Y | - | - | BOP
D.8.2 | CCW Pump Discharge Flow | 0-137 percent | FT-95 | N | - | - | - | - | BOP
 |  |  | FT-96 | N | - | - | - | - | BOP
 |  |  | FT-97 | N | - | - | - | - | BOP
 |  |  | FT-98 | N | - | - | - | - | BOP

REMARKS

The component cooling water system is described in Section 9.2.2. The Callaway design meets the recommended ranges.

Section 7A.3.7 describes the qualification of NRC Category 2 variables, as provided for Callaway. The instruments described herein are located outside of the containment in areas served by Class 1E room coolers. These instruments are not required for the proper operation of the system; rather, they are provided for performance monitoring only.

Since these instruments are part of the system pressure boundary, they are seismically designed to ensure integrity of the system boundary.

*Revision 3 of Regulatory Guide 1.97 revised the range to 40°F to 200°F.

DATA SHEET 10.1

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | CATEGORY | PURPOSE
D.6.1 | Containment Spray Flow | 0-110% design flow¹⁰ | 2 | To monitor operation

CALLAWAY PLANT DESIGN PROVISIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | SENSOR/TRANSMITTER IDENT. NO. | SENSOR/TRANSMITTER CL.1E | CONTROL ROOM INDICATOR PANEL | INDICATOR CL.1E | CONTROL ROOM RECORDER PANEL | RECORDER CL.1E | ERFIS COMPUTER
D.6.1 | Containment Spray Flow | 0-126% (design flow - injection); 0-106% (design flow - recirculation) | FT-5 | N | 017 | N | - | - | BOP
 |  |  | FT-11 | N | 017 | N | - | - | BOP

REMARKS

The containment spray system is described in Section 6.2.2. The spray system need only operate during the injection phase for cooling purposes. During this phase, the flow rate monitor exceeds the recommended range.

Section 7A.3.7 describes the qualification of NRC Category 2 items, as provided for Callaway. These instruments are located outside of the containment in areas served by Class 1E room coolers. These instruments are provided for performance monitoring and not to allow proper system operation.

The instruments are part of the pressure boundary and are seismically designed to ensure its integrity.

Class 1E operability indications for each containment spray train are provided in the control room. All motor-operated valves in the flow paths are provided with hand indication switches and receive a CSAS to open. The containment spray pumps also have hand switches and start automatically on a CSAS. The ESF status indication panel provides backup information on a component and system level and indicates the system's status. Should the power breakers trip or the control fuses blow, an amber light will appear and an audio signal will be generated.

DATA SHEET 11.1

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | CATEGORY | PURPOSE
C.2.4 | Containment Area Radiation¹ | 1 R/hr to 10⁴ R/hr | 3⁶,⁷ | Detection of breach, verification
E.1.1 | Containment Area Radiation - High Range¹ | 1 R/hr to 10⁷ | 1⁶,⁷ | Detection of significant releases, release assessment, long-term surveillance, emergency plan actuation

CALLAWAY PLANT DESIGN PROVISIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | SENSOR/TRANSMITTER IDENT. NO. | SENSOR/TRANSMITTER CL.1E | CONTROL ROOM INDICATOR PANEL | INDICATOR CL.1E | CONTROL ROOM RECORDER PANEL | RECORDER CL.1E | ERFIS COMPUTER
C.2.4, E.1.1 | Containment Area Radiation | 1 to 10⁸ R/hr⁴ | RE-59 | Y | 067 | Y | - | - | BOP
 |  |  | RE-60 | Y | 067 | Y | 20 | Y | BOP

REMARKS

These monitors are capable of meeting their identified purpose over an appropriate range as described in Section 18.2.12.1 and Section 18.2.12.2.

As described in Section 7A.3.2, diverse variables are performance grade. Diversity for containment area radiation is provided by portable survey equipment with the capability to detect gamma radiation over the required range as described in data sheet 17.3. Also the Callaway design includes area radiation monitors with a range to 10 R/hr located inside the containment.

This is a Type A variable and is used for event identification in the EOIs.

For accidents involving temperature transients in containment, these monitors are not capable of meeting the RG 1.97 system accuracy requirements below 25 R/hr.

DATA SHEET 11.2

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | CATEGORY | PURPOSE
C.3.5 | Radiation Exposure Rate (inside buildings or areas, e.g., auxiliary building, reactor shield building annulus, fuel handling, which are in direct contact with primary containment where penetrations and hatches are located)¹ | 10⁻¹ R/hr to 10⁴ R/hr | 2⁷ | Indication of breach
E.2.1 | Radiation Exposure Rate¹ (inside building or areas where access is required to service equipment important to safety) | 10⁻¹ R/hr to 10⁴ R/hr | 2⁷ | Detection of significant releases, release assessment, long-term surveillance

CALLAWAY PLANT DESIGN PROVISIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | SENSOR/TRANSMITTER IDENT. NO. | SENSOR/TRANSMITTER CL.1E | CONTROL ROOM INDICATOR PANEL | INDICATOR CL.1E | CONTROL ROOM RECORDER PANEL | RECORDER CL.1E | ERFIS COMPUTER
C.3.5, E.2.1 | Radiation Exposure Rate | (Unnecessary Variable)

REMARKS

Area radiation monitors are shown on Figure 12.3-2 and are provided in accordance with the criteria stated in Section 12.3.4.1. Process and effluent monitors are provided in accordance with the criteria stated in Section 11.5. Area monitors are provided in the corridors of the auxiliary building and not in the penetration areas or equipment spaces. As described in Section 12.3.4.2.2.2.9, a portable monitor may be used to determine the conditions in any equipment space.

The process and effluent monitors will provide indication of releases and/or breaches in the systems in operation following an event. Use of extended range area monitors in the areas adjacent to the containment is not appropriate since the background, direct radiation levels can be expected to be quite high. The process and effluent monitors provide the required public protection.

The existing area radiation monitors provide for adequate employee protection with their range to 10 R/hr. Should this range be exceeded, employee entry will be prohibited until dose rates have been established by portable instrumentation.

Exposure rate monitors associated with variable C.3.5 were deleted in Revision 3 of Regulatory Guide 1.97.

DATA SHEET 12.1

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | CATEGORY | PURPOSE
C.3.4 | Containment Effluent Radioactivity - Noble Gases from Identified Release Points¹ | 10⁻⁶ Ci/cc to 10⁻² Ci/cc | 2⁸,⁹ | Detection of breach, accomplishment of mitigation, verification
C.3.6 | Effluent Radioactivity¹ Noble Gases (from buildings or areas where penetrations and hatches are located) | 10⁻⁶ Ci/cc to 10³ Ci/cc | 2⁸ | Indication of breach
E.3.1.1 | Containment of Purge Effluent | 10⁻⁶ Ci/cc to 10⁵ Ci/cc; 0 to 110% vent design flow¹⁰ (Not needed if effluent discharges through common plant vent) | 2⁸ | Detection of significant releases; release assessment
E.3.1.3 | Auxiliary Building¹ (including any building containing primary system gases, e.g., waste gas decay tank) | 10⁻⁶ Ci/cc to 10³ Ci/cc; 0 to 110% vent design flow¹⁰ (Not needed if effluent discharges through common plant vent) | 2⁸ | Detection of significant releases, release assessment, long-term surveillance
E.3.1.5 | Common Plant Vent or Multipurpose Vent Discharge Any of above Releases (if containment purge is included) | 10⁻⁶ Ci/cc to 10³ Ci/cc; 0 to 110% vent design flow¹⁰; 10⁻⁶ Ci/cc to 10⁴ Ci/cc | 2⁸ | Detection of significant releases, release assessment, long-term surveillance

CALLAWAY PLANT DESIGN PROVISIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | SENSOR/TRANSMITTER IDENT. NO. | SENSOR/TRANSMITTER CL.1E | CONTROL ROOM INDICATOR PANEL | INDICATOR CL.1E | CONTROL ROOM RECORDER PANEL | RECORDER CL.1E | ERFIS COMPUTER
C.3.4, E.3.1.5 | Plant Unit Vent Wide Range Gas | 10⁻⁷ to 10⁵ Ci/cc | GT-RE-21B | N | SP010 | N | SP010 | N | RRIS
 | Radwaste Building Wide Range Gas | 10⁻⁷ to 10⁵ Ci/cc | GH-RE-10B | N | SP010 | N | SP010 | N | RRIS

REMARKS

The plant unit vent receives the discharge from the containment purge, auxiliary building, control building, fuel building, and the condenser air removal filtration system. The radwaste building vent receives the discharge from the radwaste building exhaust fans. The radwaste building contains the waste gas decay tanks.

The unit vent flow rate is determined by fan run contacts which are inputted to the RRIS computer. Each system is balanced and assumed to be operating at the design flow. The high range monitor has an isokinetic flow monitor. These provisions adequately meet the requirements of the item.

The radwaste building vent is a constant flow vent receiving the discharge of the radwaste building exhaust fans. Flow rate monitoring is not required. The high range monitor for the radwaste building vent also has an isokinetic nozzle.

DATA SHEET 12.2

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | CATEGORY | PURPOSE
C.2.5 | Effluent Radioactivity - Noble Gas Effluent from Condenser Air Removal System Exhaust¹ | 10⁻⁶ to 10⁻² Ci/cc | 3⁸ | Detection of breach, verification
E.3.1.4 | Condenser Air Removal Exhaust¹ | 10⁻⁶ to 10⁵ Ci/cc; 0 to 110 percent vent design flow¹⁰ (not needed if effluent discharges through common plant vent) | 2⁸ | Detection of significant releases, release assessment

CALLAWAY PLANT DESIGN PROVISIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | SENSOR/TRANSMITTER IDENT. NO. | SENSOR/TRANSMITTER CL.1E | CONTROL ROOM INDICATOR PANEL | INDICATOR CL.1E | CONTROL ROOM RECORDER PANEL | RECORDER CL.1E | ERFIS COMPUTER
C.2.5 | Condenser Air Removal Exhaust Radioactivity | 10⁻⁷ to 10⁻² Ci/cc | RE-92 | N | 056 | N | 056 | N | RRIS
E.3.1.4 | Condenser Air Removal Exhaust (not required-discharge through plant vent)

REMARKS

The condenser air removal exhaust discharges through the plant vent; therefore, the monitor for item E.3.1.4 is not required. The existing condenser air removal exhaust monitor meets the requirements of item C.2.5.

DATA SHEET 12.3

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | CATEGORY | PURPOSE
E.3.1.6 | Vent from Steam Generator Safety Relief Valves or Atmospheric Dump Valves | 10⁻¹ Ci/cc to 10³ Ci/cc (duration of releases in seconds and mass of steam per unit time) | 2¹² | Detection of significant release assessment

CALLAWAY PLANT DESIGN PROVISIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | SENSOR/TRANSMITTER IDENT. NO. | SENSOR/TRANSMITTER CL.1E | CONTROL ROOM INDICATOR PANEL | INDICATOR CL.1E | CONTROL ROOM RECORDER PANEL | RECORDER CL.1E | ERFIS COMPUTER
E.3.1.6 | Vent from Steam Generator Safety Relief Valves or Atmospheric Dump Valves | 4.06 x 10⁻² Ci/cc to 4.06 x 10⁻³ Ci/cc | RE-111 | N | SP010 | N | SP010 | N | RRIS
 |  |  | RE-112 | N | SP010 | N | SP010 | N | RRIS
 |  |  | RE-113 | N | SP010 | N | SP010 | N | RRIS
 |  |  | RE-114 | N | SP010 | N | SP010 | N | RRIS

REMARKS

The Callaway Plant monitors the atmospheric relief valve plumes. The atmospheric relief valves are set to open at a lower pressure than the safety relief valves and are Class 1E, highly reliable components. These valves are provided with position indication. It is assumed that the relief valves will be open and releasing the same concentration and distribution of radionuclides any time any of the safety valves on the same steam line are open.

Radiation detectors will be positioned to view the plume directly from each of the four atmospheric relief valves.

Determination of releases from the safety valves and the atmospheric relief valves is made by RRIS computer using main steam pressure and flow and atmospheric relief valve position.

SP010 indication range is 1-1E5 mR/hr.

DATA SHEET 12.4

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | CATEGORY | PURPOSE
E.3.1.7 | All other Identified Release Points | 10⁻⁶ Ci/cc to 10² Ci/cc; 0-110 percent vent design flow¹⁰ | 2⁸ | Detection of significant releases, release assessment, long-term surveillance

CALLAWAY PLANT DESIGN PROVISIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | SENSOR/TRANSMITTER IDENT. NO. | SENSOR/TRANSMITTER CL.1E | CONTROL ROOM INDICATOR PANEL | INDICATOR CL.1E | CONTROL ROOM RECORDER PANEL | RECORDER CL.1E | ERFIS COMPUTER
E.3.1.7 | Auxiliary Feedwater Pump Turbine Exhaust Monitor | 5.51 x 10⁻² to 5.51 x 10³ Ci/cc | RE-385 | N | SP010 | N | SP010 | N | RRIS

REMARKS

A radiation detector monitoring the plume of the auxiliary feedwater turbine exhaust is used to determine the release.

This release is from the main steam line; thus, the monitor was designed with the same capabilities as the monitors for steam generator releases (Data Sheet 12.3). The range recommended is not applicable to secondary side releases, as can be seen by the different ranges recommended here and on Data Sheet 12.3.

SP010 indication range is 1-1E5 mR/hr.

DATA SHEET 12.5

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | CATEGORY | PURPOSE
E.3.2 | Particulates and Halogens |  |  | 
E.3.2.1 | All Identified Plant Release Points (except steam generator safety relief valves or atmospheric steam dump valves and condenser air removal system exhaust). Sampling with Onsite Analysis Capability | 10⁻⁶ Ci/cc to 10² Ci/cc; 0 to 110% vent design flow¹⁰ | 3¹³ | Detection of significant releases, release assessment, long-term surveillance

CALLAWAY PLANT DESIGN PROVISIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | SENSOR/TRANSMITTER IDENT. NO. | SENSOR/TRANSMITTER CL.1E | CONTROL ROOM INDICATOR PANEL | INDICATOR CL.1E | CONTROL ROOM RECORDER PANEL | RECORDER CL.1E | ERFIS COMPUTER
E.3.2.1 | Unit Vent Monitors: Particulates, Iodines | 10⁻³ Ci/cc to 10² Ci/cc (See data sheet 12.5, III. Remarks, Note 3) | GT-RE-21B | N | N/A | N | - | - | 
 | Radwaste Building Vent Monitors: Particulates, Iodines | 10⁻³ Ci/cc to 10² Ci/cc (See data sheet 12.5, III. Remarks, Note 3) | GH-RE-10B | N | N/A | N | - | - | 

REMARKS

The Callaway design meets all of the stated recommendations. Refer to Sections 11.5 and 18.2.12.2 for further discussions.

Refer to data sheet 12.1 for a discussion of vent flow rate monitoring and wide range gas monitors.

The wide range noble gas monitors described on data sheet 12.1 include the capability to obtain grab samples for both halogens and particulates. After collection, laboratory samples will be used to quantify releases.

DATA SHEET 13.1

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | CATEGORY | PURPOSE
 | Primary Coolant Grab Sample |  | 3⁵,¹⁸ | Release assessment, verification analysis
.1 | Gross Activity | 10 Ci/ml to 10 Ci/ml |  | 
.2 | Gamma Spectrum (Isotopic Analysis) |  |  | 
.3 | Boron Content | 0 to 6,000 ppm |  | 
.4 | Chloride Content | 0 to 20 ppm |  | 
.5 | Dissolved Hydrogen or Total Gas¹⁹ | 0 to 2,000 cc(STP)/kg |  | 
1.6 | Dissolved Oxygen¹⁹ | 0 to 20 ppm |  | 
1.7 | pH | 1 to 13 |  | 
 | RCS Soluble Boron Concentration | 0 - 6,000 ppm | 3 | Verification
 | Analysis of Primary Coolant (Gamma Spectrum) | 10 Ci/gm to 10 Ci/gm or TID-14844 source term in coolant volume | 3⁵ | Detail analysis, accomplishment of mitigation, verification, long-term surveillance
 | Containment Air Grab Sample |  |  | Release assessment, verification analysis
.2 | Oxygen Content | 0 to 30 percent |  | Release assessment, verification analysis
.3 | Gamma Spectrum (Isotopic Analysis) |  |  | Release assessment, verification analysis

CALLAWAY PLANT DESIGN PROVISIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | SENSOR/TRANSMITTER IDENT. NO. | SENSOR/TRANSMITTER CL.1E | CONTROL ROOM INDICATOR PANEL | INDICATOR CL.1E | CONTROL ROOM RECORDER PANEL | RECORDER CL.1E | ERFIS COMPUTER
.1 | Gross Activity | Not required
.2, .3 | Gamma Spectrum
.3 | Boron Content
.2 | Oxygen Content
.4 | Chloride Content
.5 | Dissolved Hydrogen
.6 | Dissolved Oxygen
.7 | pH

REMARKS

Approval of Operating License Amendment [144] eliminated the requirement for these variables. Westinghouse WCAP-14986-A, revision 2, provides the technical justification for eliminating PASS criteria specified in Regulatory Guide 1.97 and NUREG-0737.


DATA SHEET 13.2

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | CATEGORY | PURPOSE
Sump Grab sample | 3 5, 18 | Release assessment, verification analysis
.1 | o Gross Activity | 10Ci/ml to 10 Ci/ml | 3
.2 | o Gamma Spectrum (isotopic analysis) | 3
.3 | o Boron Content | 0-6,000 ppm | 3
.4 | o Chloride Content | 0-20 ppm | 3
.5 | o pH | 1 to 13 | 3

CALLAWAY PLANT DESIGN PROVISIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | SENSOR/TRANSMITTER IDENT. NO. | CL.1E | CONTROL ROOM INDICATOR PANEL | CL.1E | CONTROL ROOM RECORDER PANEL | CL.1E | ERFIS COMPUTER
E.6.2 | Sump Grab Sample, Containment Recirculation | Not required
ECCS Pump Room Sumps | Not required
Auxiliary Building Sumps | Not required

REMARKS

Sampling of the containment sump is considered unnecessary. Westinghouse WCAP-14986-A, revision 2, provides the technical justification for eliminating the containment sump sampling criteria specified in Regulatory Guide 1.97 and NUREG-0737.

The ECCS pump room and auxiliary building sumps are provided with Class 1E level indication and operate as described in Section 9.3.3. Process and effluent monitors provide indication of any airborne activity in these sumps since they are directly vented to the auxiliary building normal exhaust system.

Sump sampling for the ECCS pump rooms and auxiliary building is considered unnecessary. The Class 1E level indication will detect any accumulated leakage, and the isolation valves will prevent its discharge from the auxiliary building. Should the leakage be from a line that contains fluid from the recirculation sump, the recirculation sump sample will provide the recommended analyses, since the fluid is from the same source.


DATA SHEET 13.3

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | CATEGORY | PURPOSE
C.1.2 | Radioactivity Concentration or Radiation Level in Circulating Primary Coolant | 1/2 Technical Specification limit to 100 times technical specification limit, R/hr | 1 | Detection of breach

CALLAWAY PLANT DESIGN PROVISIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | SENSOR/TRANSMITTER IDENT. NO. | CL.1E | CONTROL ROOM INDICATOR PANEL | CL.1E | CONTROL ROOM RECORDER PANEL | CL.1E | ERFIS COMPUTER
C.1.2 | Radioactivity Concentration (unnecessary variable)

REMARKS

As noted in comments provided by the AIF, this variable is unnecessary, and there is no presently available means of providing this information. Also, there is no apparent need or use for this variable which would require its classification as Category I.


DATA SHEET 14.1

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | CATEGORY | PURPOSE
D.9.1 | High-Level Radioactive Liquid Tank Level | Top to bottom | 3 | To indicate storage volume

CALLAWAY PLANT DESIGN PROVISIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | SENSOR/TRANSMITTER IDENT. NO. | CL.1E | CONTROL ROOM INDICATOR PANEL | CL.1E | CONTROL ROOM RECORDER PANEL | CL.1E | ERFIS COMPUTER
D.9.1 | Recycle Holdup Tank Level (Unnecessary Variable)

REMARKS

The Callaway design precludes the need for this variable. The liquid radwaste system is not required following an event. It is located in the radwaste building, and is controlled from the radwaste building control room. System parameters are not provided in the main control room.

The safety grade letdown system is located within the containment, and the containment isolation system is designed to preclude inadvertent discharge from the containment.

The recycle holdup tank levels (LT-261 and LT-262) have a range from the top to bottom of the tank and indications are provided in the radwaste building control room. Since the system will only be operated from that room, the control room operators may obtain the status of the tanks from the radwaste building control room personnel. The liquid radwaste system need not be operated during an accident. It may be used during recovery, if the radwaste building is habitable.

As noted on Data Sheet 13.2, the auxiliary building and ECCS pump room sumps are provided with Class 1E sump level indication. These sumps would collect any long-term leakage from systems which recirculate fluids from the containment sump. As described in Section 9.3.3 and shown on Figure 9.3-6, Sheet 2, the discharge lines from these sumps contain Class 1E isolation valves which close on a SIS to preclude inadvertent discharge of fluids to the floor drain tank in the radwaste building. The LOCA analysis includes an evaluation of a 2 gpm leak from lines recirculating sump fluids. Refer to Section 15.6.5.4.1.2 for a discussion of the analysis and to Table 15.6-8 for the resulting radiological consequences. Failure of this tank has been analyzed in FSAR Section 15.7.2.

The containment normal and instrument tunnel sumps and the reactor coolant drain tank discharge lines are isolated by a CIS-A signal. This signal is generated as a result of a safety injection signal or as a result of high containment pressure. These lines will be isolated subsequent to any LOCA. Refer to Section 18.2.11, which addresses NUREG-0737 Item II.E.4.2, Containment Isolation Dependability. Inadvertent contamination of the radwaste or auxiliary buildings due to discharge of fluids from the containment is precluded by design and is not postulated.


DATA SHEET 14.2

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | CATEGORY | PURPOSE
D.9.2 | Radioactive Gas Holdup Tank Pressure | 0-150% design pressure4 | 3 | To indicate storage capacity

CALLAWAY PLANT DESIGN PROVISIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | SENSOR/TRANSMITTER IDENT. NO. | CL.1E | CONTROL ROOM INDICATOR PANEL | CL.1E | CONTROL ROOM RECORDER PANEL | CL.1E | ERFIS COMPUTER
D.9.2 | Gas Decay Tank Pressure (unnecessary variable)

REMARKS

The radioactive gas holdup tank is referred to as the gas decay tank (GDT). Pressure is an unnecessary variable for the Callaway design as described in Remark 3 below; however, Remark 2 describes the adequacy of the GDT design and the range of the pressure indicators.

Addition of radioactive gases to the gaseous radwaste system following an accident is precluded by design and is not postulated. Containment isolation valves on gas bearing lines from the pressurizer relief tank and the reactor coolant drain tank close upon receipt of a CIS-A. Refer to Remark 5 on Data Sheet 14.1 for a further discussion of containment isolation. Since there will be no containment gases added to the gaseous radwaste system, there is no need to monitor the available storage capacity following an accident.

The design pressure of each of the eight GDTs is 150 psig. Each tank is provided with a pressure transmitter/indicator/alarm. The indicators are located in the radwaste building control room and have a range of 0 to 150 psig. The alarms for the six GDTs used during normal operation are set at 100 psig. Two of the GDTs are used for shutdown and start-up. All GDTs are provided with relief valves set at or below the tank's design pressure. The relief valves for the six GDTs discharge at design pressure to the shutdown GDTs which are normally at low pressure. Should an extended discharge to the shutdown GDT occur, a high alarm (at 90 psig) would be received prior to the lifting of the shutdown GDT relief valve at 100 psig. The discharge from the radwaste building vent is monitored by the radwaste building vent monitor described on Data Sheet 12.1. Failure of one of these tanks has been analyzed in FSAR Section 15.7.1.

Based upon the protection afforded by the installed tank relief valves and the potential eventual release to the radwaste building vent, the span of 0 to tank design pressure is adequate to provide information to the operating staff concerning the status of the GDTs.


DATA SHEET 15.1

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | CATEGORY | PURPOSE
D.10.1 | Emergency Ventilation Damper Position | Open-closed status | 2 | To indicate damper status

CALLAWAY PLANT DESIGN PROVISIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | SENSOR/TRANSMITTER IDENT. NO. | CL.1E | CONTROL ROOM INDICATOR PANEL | CL.1E | CONTROL ROOM RECORDER PANEL | CL.1E | ERFIS COMPUTER
D.10.1 | Safety Related Damper Position | Open-closed | HIS-XX | Y | 020, 068, 019 | Y | - | - | BOP

REMARKS

The safety-related dampers which receive an automatic signal to reposition after an accident (CRVIS, FBVIS, or SIS) are provided with Class 1E position indication in the control room. The Callaway design meets all of the stated recommendations.


DATA SHEET 16.1

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | CATEGORY | PURPOSE
D.11.1 | Status of Standby Power Sources Important to Safety | Voltages, currents | 2 11 | To indicate system status

CALLAWAY PLANT DESIGN PROVISIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | SENSOR/TRANSMITTER IDENT. NO. | CL.1E | CONTROL ROOM INDICATOR PANEL | CL.1E | CONTROL ROOM RECORDER PANEL | CL.1E | ERFIS COMPUTER
D.11.1 | Status of Standby Power

4160 V Class 1E Incoming Current
Current | 0-2000A | CT-NB0109 | Y | RL015 | N | - | - | BOP
Current | 0-2000A | CT-NB0111 | Y | RL015 | N | - | - | BOP
Current | 0-2000A | CT-NB0212 | Y | RL015 | N | - | - | BOP
Current | 0-2000A | CT-NB0209 | Y | RL015 | N | - | - | BOP
Current | 0-1200A | CT-PA0201 | N | RL016 | N | - | - | BOP

4160 V Class 1E Bus Voltage
Voltage | 0-5250 V | PT-101/B | Y | RL015 | Y | - | - | BOP
Voltage | 0-5250 V | PT-201/B | Y | RL015 | Y | - | - | BOP

Diesel Gen No. 1
Current | 0-1500A | CT-NE107 | Y | RL015 | N | - | - | BOP
Voltage | 0-5250 V | PT-NE107 | Y | RL015 | N | - | - | -
KW | 0-8MW | CT/PT-NE107 | Y | RL015 | N | - | - | BOP
Vars | 0-8Mvar | CT/PT-NE107 | Y | RL015 | N | - | - | BOP
Frequency | 55-65 Hertz | PT-NE107 | Y | RL015 | N | - | BOP

Diesel Gen No. 2
Current | 0-1500A | CT-NE106 | Y | RL015 | N | - | - | BOP
Voltage | 0-5250 V | PT-NE106 | Y | RL015 | N | - | - | BOP
KW | 0-8MW | CT/PT-NE106 | Y | RL015 | N | - | - | BOP
Vars | 0-8MVar | CT/PT-NE106 | Y | RL015 | N | - | - | BOP
Frequency | 55-65 Hertz | PT-NE106 | Y | RL015 | N | - | - | BOP

DATA SHEET 16.1 (Continued)

VARIABLE IDENT. NO. | VARIABLE | RANGE | SENSOR/TRANSMITTER IDENT. NO. | CL.1E | CONTROL ROOM INDICATOR PANEL | CL.1E | CONTROL ROOM RECORDER PANEL | CL.1E | ERFIS COMPUTER

Current to Class 1E 480 V System
Current | 0-300A | CT-NB0110 | Y | RL015 | N | - | - | BOP
Current | 0-300A | CT-NB0113 | Y | RL015 | N | - | - | BOP
Current | 0-300A | CT-NB0210 | Y | RL015 | N | - | - | BOP
Current | 0-300A | CT-NB0213 | Y | RL015 | N | - | - | BOP
Current | 0-300A | CT-NB0117 | Y | RL015 | N | - | - | BOP
Current | 0-300A | CT-NB0217 | Y | RL015 | N | - | - | BOP
Current | 0-100A | CT-NB0116 | Y | RL015 | N | - | - | BOP
Current | 0-100A | CT-NB0216 | Y | RL015 | N | - | - | BOP

Class 1E 125 V DC System (All Panel 16)
Current Battery | (-)800 to (+)800A | Shunt-NK11 | Y | Y | - | - | BOP
Current Battery | (-)800 to (+)800A | Shunt-NK12 | Y | Y | - | - | BOP
Current Battery | (-)800 to (+)800A | Shunt-NK13 | Y | Y | - | - | BOP
Current Battery | (-)800 to (+)800A | Shunt-NK14 | Y | Y | - | - | BOP
Current Battery Charger | 0-500A | Shunt-NK21 | Y | Y | - | - | BOP
Current Battery Charger | 0-500A | Shunt-NK22 | Y | Y | - | - | BOP
Current Battery Charger | 0-500A | Shunt-NK23 | Y | Y | - | - | BOP
Current Battery Charger | 0-500A | Shunt-NK24 | Y | Y | - | - | BOP
Voltage | 0-150V | Batt Mon-NK11 | Y | Y | - | - | BOP
Voltage | 0-150V | Batt Mon-NK12 | Y | Y | - | - | BOP
Voltage | 0-150V | Batt Mon-NK13 | Y | Y | - | - | BOP
Voltage | 0-150V | Batt Mon-NK14 | Y | Y | - | - | BOP

REMARKS

The Callaway design meets all of the stated recommendations. All Class 1E buses are provided with voltage and current indications.


DATA SHEET 16.2

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | CATEGORY | PURPOSE
D.11.1 | Status of Energy Sources Important to Safety (hydraulic, pneumatic) | Pressures | 2 11 | To indicate system status

CALLAWAY PLANT DESIGN PROVISIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | SENSOR/TRANSMITTER IDENT. NO. | CL.1E | CONTROL ROOM INDICATOR PANEL | CL.1E | CONTROL ROOM RECORDER PANEL | CL.1E | ERFIS COMPUTER
D.11.1 | Air Accumulator Tank Pressures

AFW Control Valves and Secondary Side Atmospheric Relief Valves
0-800 psig | PT-108 | N | - | - | - | - | BOP
0-800 psig | PT-110 | N | - | - | - | - | BOP
0-800 psig | PT-112 | N | - | - | - | - | BOP
0-800 psig | PT-114 | N | - | - | - | - | BOP

REMARKS

The safety-related air accumulators are described in Section 9.3.1 and shown on Figure 9.3-1, Sheet 5. The Callaway design meets all of the stated requirements.


DATA SHEET 17.1

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | CATEGORY | PURPOSE
E.4.1 | Radiation Exposure Meters (continuous indication at fixed locations) | Range, location, and qualification criteria to be developed to satisfy NUREG-0654, Section II.H.5.b and 6.b for emergency radiological monitoring | 3 | Verification of significant release and local magnitudes

CALLAWAY PLANT DESIGN PROVISIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | SENSOR/TRANSMITTER IDENT. NO. | CL.1E | CONTROL ROOM INDICATOR PANEL | CL.1E | CONTROL ROOM RECORDER PANEL | CL.1E | ERFIS COMPUTER
(Unnecessary Variable)

REMARKS

This variable has been deleted from Regulatory Guide 1.97 in Revision 3.


DATA SHEET 17.2

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | CATEGORY | PURPOSE
E.4.2 | Airborne Radiohalogens and Particulates (portable sampling with onsite analysis capability) | 10^-9 to 10^-3 Ci/cc | 3 14 | Release assessment; analysis

CALLAWAY PLANT DESIGN PROVISIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | SENSOR/TRANSMITTER IDENT. NO. | CL.1E | CONTROL ROOM INDICATOR PANEL | CL.1E | CONTROL ROOM RECORDER PANEL | CL.1E | ERFIS COMPUTER
See Remarks Section

REMARKS

Radiation protection air sampling and analysis equipment will be available on site for the monitoring and assessment of airborne radioactivity concentrations. Airborne sampling capabilities for particulates and radioiodines will be provided by low flow air samplers using glass fiber filters and TEDA-impregnated activated charcoal or silver Zeolite cartridges (accident conditions). Analysis of collection media will be performed by germanium gamma ray spectroscopy equipment (multichannel analyzer and HPGe detector). In the control building count room (auxiliary warehouse laboratory for Wolf Creek), utilization of laboratory gamma spectroscopy equipment will ensure the capability to analyze samples within the detection limits of 10^-9 Ci to 10^3 Ci for principal gamma emitters.


DATA SHEET 17.3

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | CATEGORY | PURPOSE
E.4.3 | Plant and Environs Radiation (portable instrumentation) | 10^-3 to 10^-4 R/hr photons | 3 15 | Release assessment; analysis
10^-3 to 10^4 rads/hr beta radiations and low-energy photons | 3 15

CALLAWAY PLANT DESIGN PROVISIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | SENSOR/TRANSMITTER IDENT. NO. | CL.1E | CONTROL ROOM INDICATOR PANEL | CL.1E | CONTROL ROOM RECORDER PANEL | CL.1E | ERFIS COMPUTER
See Remarks Section

REMARKS

In accordance with Regulatory Guide 1.97 recommendation, portable radiation survey instrumentation with the capability to detect gamma radiation over the range of 10^-3 to 10^4 R/hr will be maintained in the radiation protection instrument inventory. The capability to measure beta radiation fields over the range of 10^-3 to 10^4 R/hr will be provided by portable survey instrumentation equipped with beta-sensitive detectors.


DATA SHEET 17.4

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | CATEGORY | PURPOSE
E.4.4 | Plant and Environs Radioactivity (portable instrumentation) | Multichannel gamma-ray spectrometer | 3 | Release assessment; analysis

CALLAWAY PLANT DESIGN PROVISIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | SENSOR/TRANSMITTER IDENT. NO. | CL.1E | CONTROL ROOM INDICATOR PANEL | CL.1E | CONTROL ROOM RECORDER PANEL | CL.1E | ERFIS COMPUTER
See Remarks Section | 0-5E5 cpm beta-gamma

REMARKS

Portable, battery powered count rate meters equipped with a G-M pancake detector will be used to gross count the total activity in field collected air samples. The gross activity will then be apportioned to specific isotopes using ratios derived from conservative accident analysis activity release calculations performed for each core reload. The proportioned isotopic activity will be used for the projected dose calculations until actual laboratory analysis may be obtained for the applicable field samples.


DATA SHEET 17.5

REGULATORY GUIDE 1.97 TABLE 2 RECOMMENDATIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | CATEGORY | PURPOSE
E.5.1 | Wind Direction | 0 to 360 degrees (+/-5 degrees accuracy with a deflection of 15 degrees). Starting speed 0.45 mps (1.0 mph). Damping ratio between 0.4 and 0.6, distance constant 2 meters | 3 | Release assessment
E.5.2 | Wind Speed | 0 to 30 mps (67 mph) +/-0.22 mps (0.5 mph) accuracy for wind speeds less than 11 mps (24 mph) with a starting threshold of less than 0.45 mps (1.0 mph) | 3 | Release assessment
E.5.3 | Estimation of Atmospheric Stability | Based on vertical temperature difference from primary system, -5°C to 10°C (-9°F to 18°F) and +/-0.15°C accuracy per 50-meter intervals (+/-0.3°F accuracy per 164-foot intervals) or analogous range for alternative stability estimates | 3 | Release assessment

CALLAWAY PLANT DESIGN PROVISIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | SENSOR/TRANSMITTER IDENT. NO. | CL.1E | CONTROL ROOM INDICATOR PANEL | CL.1E | CONTROL ROOM RECORDER PANEL | CL.1E | PLANT PROCESS COMPUTER (PPC)
E.5.1 | Wind Direction | 0-360 degrees, +/- 3 degrees | RD-ZT-50010A & B, RD-SY-5060A & B | N | - | - | - | - | PPC
E.5.2 | Wind Speed | 0-100 mph +/-1% or 0.15 mph, Starting threshold = 0.6 mph | RD-ST-5010A & B, RD-ST-5060A & B | N | - | - | - | - | PPC
E.5.3 | Estimate of Atmospheric Stability Temperature | -50 to 50°C, +/-0.1°C | RD-TE-5010A & B, RD-TE-5060A & B | N | - | - | - | - | PPC

DATA SHEET 17.5 (Continued)

REMARKS (Continued)

CALLAWAY PLANT DESIGN PROVISIONS

VARIABLE IDENT. NO. | VARIABLE | RANGE | SENSOR/TRANSMITTER IDENT. NO. | CL.1E | CONTROL ROOM INDICATOR PANEL | CL.1E | CONTROL ROOM RECORDER PANEL | CL.1E | PLANT PROCESS COMPUTER (PPC)
Temperature Difference | -50 to 50°C, +/-0.05°C | RD-TE-5010A & 60A, RD-TE-5010B & 60B | N | - | - | - | - | PPC
Relative Humidity | 0 - 100%, +/-3% | RD-AE-5010, RD-AE-5060 | N | - | - | - | - | PPC
Precipitation Ground Level | 0-1 inch, +/-1% | RD-QE-5002 | N | - | - | - | - | PPC

REMARKS

The Callaway design meets all of the stated recommendations.

The meteorological information system (site related) provides inputs to the PPC via the meteorological monitoring system at the met tower.

The parameters are sampled at a frequency of 1 minute or less by the PPC.


Notes to Table 7A-3

Footnotes to Regulatory Guide 1.97 Table 2 - PWR Variables

Where a variable is listed for more than one purpose, the instrumentation requirements may be integrated and only one measurement provided.

The maximum value may be revised upward to satisfy ATWS requirements.

A minimum of four measurements per quadrant is required for operation. Sufficient number should be installed to account for attrition. (Replacement instrumentation should meet the 2300°F range provision.)

Design pressure is that value corresponding to ASME code values that are obtained at or below code-allowable values for material design stress.

Sampling or monitoring of radioactive liquids and gases should be performed in a manner that ensures procurement of representative samples. For gases, the criteria of ANSI N13.1 should be applied. For liquids, provisions should be made for sampling from well-mixed turbulent zones, and sampling lines should be designed to minimize plateout or deposition. For safe and convenient sampling, the provisions should include:

a. Shielding to maintain radiation doses ALARA
b. Sample containers with container-sampling port connector compatibility
c. Capability of sampling under primary system pressure and negative pressures
d. Handling and transport capability
e. Prearrangement for analysis and interpretation

Minimum of two monitors at widely separated locations.

Detectors should respond to gamma radiation photons within any energy range from 60 keV to 3 MeV with an energy response accuracy of +/-20 percent at any specific photon energy from 0.1 MeV to 3 MeV. Overall system accuracy should be within a factor of two over the entire range.

Monitors should be capable of detecting and measuring radioactive gaseous effluent concentrations with compositions ranging from fresh equilibrium noble gas fission product mixtures to 10-day-old mixtures, with overall system accuracies within a factor of two. Effluent concentrations may be expressed in terms of Xe-133 equivalents or in terms of any noble gas nuclide(s). It is not expected that a single monitoring device will have sufficient range to encompass the entire range provided in this regulatory guide and that multiple components or systems will be needed. Existing equipment may be used to monitor any portion of the stated range within the equipment design rating.

Rev. OL-16 10/07

Provisions should be made to monitor all identified pathways for release of gaseous radioactive materials to the environs in conformance with General Design Criterion 64.

Monitoring of individual effluent streams is only required where such streams are released directly into the environment. If two or more streams are combined prior to release from a common discharge point, monitoring of the combined stream is considered to meet the intent of the regulatory guide, provided such monitoring has a range adequate to measure worst-case releases.

Design flow is the maximum flow anticipated in normal operation.

Status indication of all standby power ac buses, dc buses, inverter output buses, and pneumatic supplies.

Effluent monitors for PWR steam safety valve discharges and atmospheric steam dump valve discharges should be capable of approximately linear response to gamma radiation photons with energies from approximately 0.5 MeV to 3 MeV. Overall system accuracy should be within a factor of two. Calibration sources should fall within the range of approximately 0.5 MeV to 1.5 MeV (e.g., Cs-137, Mn-54, Na-22, and Co-60).

Effluent concentrations should be expressed in terms of any gamma-emitting noble gas nuclide within the specified energy range. Calculational methods should be provided for estimating concurrent releases of low-energy noble gases that cannot be detected or measured by the methods or techniques employed for monitoring.

To provide information regarding release of radioactive halogens and particulates.

Continuous collection of representative samples followed by onsite laboratory measurements of samples for radiohalogens and particulates. The design envelope for shielding, handling, and analytical purposes should assume 30 minutes of integrated sampling time at sampler design flow, an average concentration of 10^2 Ci/cc of particulate radioiodines and particulates other than radioiodines, and an average gamma photon energy of 0.5 MeV per disintegration.

For estimating release rates of radioactive materials released during an accident.

To monitor radiation and airborne radioactivity concentrations in many areas throughout the facility and the site environs where it is impractical to install stationary monitors capable of covering both normal and accident levels.


Guidance on meteorological measurements is being developed in a Proposed Revision 1 to Regulatory Guide 1.23, "Meteorological Programs in Support of Nuclear Power Plants."

The time for taking and analyzing samples should be 3 hours or less from the time the decision is made to sample, except for chloride which should be within 24 hours.

An installed capability should be provided for obtaining containment sump, ECCS pump room sumps, and other similar auxiliary building sump liquid samples.

Applies only to primary coolant, not to sump.
