ML20323A301

Amendment 3 to Updated Final Safety Analysis Report, Chapter 7, Instrumentation and Controls
Site: Watts Bar
Issue date: 10/29/2020
From: Tennessee Valley Authority
To: Office of Nuclear Reactor Regulation
Shared Package: ML20323A313
References: WBL-20-047


WBN TABLE OF CONTENTS

7.0 INSTRUMENTATION AND CONTROLS

7.1 INTRODUCTION
7.1.1 Identification of Safety-Related Systems
7.1.1.1 Safety-Related Systems
7.1.1.1.1 Reactor Trip System
7.1.1.1.2 Engineered Safety Features Actuation System
7.1.1.1.3 Vital Instrumentation and Control Power Supply System
7.1.1.1.4 Auxiliary Control Air System
7.1.1.2 Safety-Related Display Instrumentation
7.1.1.3 Instrumentation and Control System Designers
7.1.1.4 Plant Comparison
7.1.2 Identification of Safety Criteria
7.1.2.1 Design Bases
7.1.2.1.1 Reactor Trip System
7.1.2.1.2 Engineered Safety Features Actuation System (ESFAS)
7.1.2.1.3 Vital Control Power Supply System
7.1.2.1.4 Standby Power
7.1.2.1.5 Interlocks
7.1.2.1.6 Bypasses
7.1.2.1.7 Equipment Protection
7.1.2.1.8 Diversity
7.1.2.1.9 Trip Setpoints
7.1.2.2 Independence of Redundant Safety-Related Systems
7.1.2.2.1 General
7.1.2.2.2 Specific Systems
7.1.2.2.3 Fire Protection
7.1.2.3 Physical Identification of Safety-Related Equipment
7.1.2.4 Process Signal Isolation Relays
References

7.2 REACTOR TRIP SYSTEM
7.2.1 Description
7.2.1.1 System Description
7.2.1.1.1 Functional Performance Requirements
7.2.1.1.2 Reactor Trips
7.2.1.1.3 Reactor Trip System Interlocks
7.2.1.1.4 Reactor Coolant Temperature Sensor Arrangement and Calculational Methodology
7.2.1.1.5 Pressurizer Water Level Reference Leg Arrangement
7.2.1.1.6 Process Protection System
7.2.1.1.7 Solid State Logic Protection System
7.2.1.1.8 Isolation Devices
7.2.1.1.9 Energy Supply and Environmental Variations
7.2.1.1.10 Setpoints
7.2.1.1.11 Seismic Design
7.2.1.2 Design Bases Information
7.2.1.2.1 Generating Station Conditions
7.2.1.2.2 Generating Station Variables
7.2.1.2.3 Spatially Dependent Variables
7.2.1.2.4 Limits, Margins and Levels
7.2.1.2.5 Abnormal Events
7.2.1.2.6 Minimum Performance Requirements
7.2.1.3 Final Systems Drawings
7.2.2 Analyses
7.2.2.1 Evaluation of Design Limits
7.2.2.1.1 Trip Setpoint Discussion
7.2.2.1.2 Reactor Coolant Flow Measurement
7.2.2.2 Evaluation of Compliance to Applicable Codes and Standards
7.2.2.3 Specific Control and Protection Interactions
7.2.2.3.1 Neutron Flux
7.2.2.3.2 Reactor Coolant Temperature
7.2.2.3.3 Pressurizer Pressure
7.2.2.3.4 Pressurizer Water Level
7.2.2.3.5 Steam Generator Water Level
7.2.2.4 Additional Postulated Accidents
7.2.3 Tests and Inspections
References

7.3 ENGINEERED SAFETY FEATURES ACTUATION SYSTEM
7.3.1 Description
7.3.1.1 System Description
7.3.1.1.1 Function Initiation
7.3.1.1.2 Process Protection Circuitry
7.3.1.1.3 Analog Instrumentation (Unit 2 Only)
7.3.1.1.4 Logic Circuitry
7.3.1.1.5 Final Actuation Circuitry
7.3.1.1.6 Support Systems
7.3.1.2 Design Bases Information
7.3.1.2.1 Generating Station Conditions
7.3.1.2.2 Generating Station Variables
7.3.1.2.3 Spatially Dependent Variables
7.3.1.2.4 Limits, Margins and Levels
7.3.1.2.5 Abnormal Events
7.3.1.2.6 Minimum Performance Requirements
7.3.1.3 Final System Drawings
7.3.2 Analysis
7.3.2.1 System Reliability/Availability and Failure Mode and Effects Analyses
7.3.2.2 Compliance with Standards and Design Criteria
7.3.2.2.1 Single Failure Criteria
7.3.2.2.2 Equipment Qualification
7.3.2.2.3 Channel Independence
7.3.2.2.4 Control and Protection System Interaction
7.3.2.2.5 Capability for Sensor Checks and Equipment Test and Calibration
7.3.2.2.6 Manual Initiation, Reset and Blocks of Protective Actions
7.3.2.3 Further Considerations
7.3.2.4 Summary
7.3.2.4.1 Loss-of-Coolant Protection
7.3.2.4.2 Steam Line Break Protection
References

7.4 SYSTEMS REQUIRED FOR SAFE SHUTDOWN
7.4.1 Description
7.4.1.1 Monitoring Indicators
7.4.1.2 Controls
7.4.1.2.1 General Considerations
7.4.1.2.2 Pumps and Fans
7.4.1.2.3 Diesel Generators
7.4.1.2.4 Valves and Heaters
7.4.1.3 Equipment and Systems Available for Cold Shutdown
7.4.2 Auxiliary Control Room (ACR)
7.4.3 Analysis
References

7.5 INSTRUMENTATION SYSTEMS IMPORTANT TO SAFETY
7.5.1 Post Accident Monitoring Instrumentation (PAM)
7.5.1.1 System Description
7.5.1.2 Variable Types
7.5.1.3 Variable Categories
7.5.1.4 Design Bases
7.5.1.4.1 Definitions
7.5.1.4.2 Selection Criteria
7.5.1.4.3 Design Criteria for Category 1 Variables
7.5.1.4.4 Design Criteria for Category 2 Variables
7.5.1.4.5 Design Criteria for Category 3 Variables
7.5.1.5 General Requirements
7.5.1.5.1 Display Requirements
7.5.1.5.2 Identification
7.5.1.6 Analysis
7.5.1.7 Tests and Inspections
7.5.1.7.1 Programs
7.5.1.7.2 Removal of Channels from Service
7.5.1.7.3 Administrative Control
7.5.1.8 Post Accident Monitoring System (PAMS)
7.5.2 Plant Computer System
7.5.2.1 Safety Parameter Display System
7.5.2.1.1 System Description
7.5.2.1.2 Design Bases
7.5.2.2 Bypassed and Inoperable Status Indication System (BISI)
7.5.2.3 Technical Support Center and Nuclear Data Links
7.5.2.3.1 Technical Support Center
7.5.2.3.2 Communication Data Links
References

7.6 ALL OTHER SYSTEMS REQUIRED FOR SAFETY
7.6.1 120V AC and 125V DC Vital Plant Control Power System
7.6.2 Residual Heat Removal Isolation Valves
7.6.2.1 Description
7.6.2.2 Analysis
7.6.3 Refueling Interlocks
7.6.4 Deleted
7.6.5 Accumulator Motor-Operated Valves
7.6.6 Spurious Actuation Protection for Motor Operated Valves
7.6.7 Loose Parts Monitoring System (LPMS) System Description
7.6.8 Interlocks for RCS Pressure Control During Low Temperature Operation
7.6.8.1 Analysis of Interlock
7.6.9 Switch over from Injection to Recirculation Mode Following a LOCA
References

7.7 CONTROL SYSTEMS
7.7.1 Description
7.7.1.1 Control Rod Drive Reactor Control System
7.7.1.1.1 Reactor Control Input Signals
7.7.1.1.2 Rod Speed Control Program
7.7.1.2 Rod Control System
7.7.1.2.1 Rod Control System Function
7.7.1.2.2 Rod Control System Failures
7.7.1.3 Plant Control Signals for Monitoring and Indicating
7.7.1.3.1 Monitoring Functions Provided by the Nuclear Instrumentation System
7.7.1.3.2 Main Control Room Rod Position Indication
7.7.1.3.3 Control Bank Rod Insertion Monitoring
7.7.1.3.4 Rod Deviation Alarm
7.7.1.3.5 Rods at Bottom
7.7.1.3.6 Bypassed and Inoperable Status Indication (BISI) System
7.7.1.4 Plant Control System Interlocks
7.7.1.4.1 Rod Stops
7.7.1.4.2 Automatic Turbine Load Runback
7.7.1.5 Pressurizer Pressure Control
7.7.1.6 Pressurizer Water Level Control
7.7.1.7 Steam Generator Water Level Control
7.7.1.8 Steam Dump Control
7.7.1.8.1 Load Rejection Steam Dump Controller
7.7.1.8.2 Reactor Trip Steam Dump Controller
7.7.1.8.3 Steam Header Pressure Controller
7.7.1.9 Incore Instrumentation
7.7.1.9.1 Thermocouples
7.7.1.9.2 Movable Neutron Flux Detector Drive System
7.7.1.9.3 Control and Readout Description
7.7.1.9.4 Power Distribution Monitoring System (PDMS)
7.7.1.10 Control Board
7.7.1.11 Boron Concentration Measurement System
7.7.1.12 Anticipated Transient Without Scram Mitigation System Actuation Circuitry (AMSAC)
7.7.2 Analysis
7.7.2.1 Separation of Protection and Control System
7.7.2.2 Response Considerations of Reactivity
7.7.2.3 Step Load Changes Without Steam Dump
7.7.2.4 Loading and Unloading
7.7.2.5 Load Rejection Furnished By Steam Dump System
7.7.2.6 Turbine-Generator Trip With Reactor Trip
References

APPENDIX 7A INSTRUMENTATION IDENTIFICATIONS AND SYMBOLS
7A.1 Identification System
7A.1.1 Functional Identification
7A.1.1.1 Principal Function
7A.1.1.2 Measured Variable
7A.1.1.3 Readout or Passive Functions
7A.1.1.4 Modifying Letters
7A.1.1.5 Tagging Symbols
7A.1.1.6 Special Identifying Letters
7A.1.1.7 Pilot Lights
7A.1.2 System Identification
7A.1.2.1 Identification Numbers
7A.1.2.2 Instruments Common To Multiple Process Systems
7A.1.3 Loop Identification
7A.1.3.1 Instruments Common To Multiple Control Loops
7A.1.3.2 Multiple Instruments With A Common Function
7A.2 Symbols
7A.2.1 Instrument Symbols
References

LIST OF TABLES

7.1-1 Watts Bar Nuclear Plant NRC Regulatory Guide Conformance
7.2-1 List of Reactor Trips
7.2-2 Protection System Interlocks
7.2-3 Reactor Trip System Instrumentation
7.2-4 Reactor Trip Correlation
7.3-1 Instrumentation Operating Condition for Engineered Safety Features
7.3-2 Instrumentation Operating Condition for Isolation Functions
7.3-3 Interlocks for Engineered Safety Features Actuation System
7.5-1 Post Accident Monitoring Instrumentation Component Qualification Matrix
7.5-2 Regulatory Guide 1.97 Post Accident Monitoring Variables List
7.7-1 Plant Control System Interlocks

LIST OF FIGURES

7.1-1 Protection System Block Diagram
7.1-2 Powerhouse-Units 1 and 2 Wiring Diagrams - Control Boards Critical Wiring Braid Installation
7.1-3 Train A and Train B Process Interlocks
7.2-1 Powerhouse Unit 1 Electrical Logic Diagrams - Reactor Protection System
7.2-2 Setpoint Reduction Function for Overpower and Overtemperature ΔT Trips
7.3-1 ESF Test Circuits (Typical)
7.3-2 Deleted
7.3-3 Sh 1 Powerhouse Logic Diagram for Feedwater System
7.3-3 Sh 2 Powerhouse Logic Diagram for Auxiliary Feedwater System
7.3-3 Sh 3 Powerhouse Logic Diagram for Safety Injection System
7.3-3 Sh 4 Powerhouse Logic Diagram for Containment Isolation
7.6-1 Deleted
7.6-2 Deleted
7.6-3 Powerhouse Unit 1 Electrical Logic Diagram for Safety Injection System
7.6-4 Auxiliary Building Units 1 and 2 Wiring Diagram for Safety Injection System
7.6-5 Reactor Building Unit 1 Variable Processing for Low Temperature Interlocks for RCS Pressure Control
7.6-6 Powerhouse Logic Diagram for Safety Injection System and Residual Heat Removal System (3 sheets)
7.7-1 Simplified Block Diagram of Reactor Control System
7.7-2 Control Bank Rod Insertion Monitor
7.7-3 Rod Deviation Comparator
7.7-4 Block Diagram of Pressurizer Pressure Control System
7.7-5 Block Diagram of Pressurizer Level Control System
7.7-6 Block Diagram of Steam Generator Water Level Control System
7.7-7 Block Diagram of Main Feedwater Pump Speed Control System
7.7-8 Block Diagram of Steam Dump Control System
7.7-9 Basic Flux-Mapping System
7.7-10 Typical Location of Control Board Systems
7.7-11 Simplified Block Diagram Rod Control System
7.7-12 Control Bank D Partial Simplified Schematic Diagram Power Cabinets 1BD and 2BD
7A-1 Instrumentation Symbols and Tabulation
7A-2 Mechanical System Identification Numbers
7A-3 Mechanical Flow and Control Diagram Symbols
7A-4 Mechanical Basic Instrumentation and Radiation Symbols
7A-5 Mechanical Application of Basic Instrumentation Symbols
7A-6 Mechanical Digital Logic Symbols (and/or)

WBN 7.0 INSTRUMENTATION AND CONTROLS

7.1 INTRODUCTION

This chapter presents the various plant instrumentation and control systems by relating the functional performance requirements, design bases, system descriptions, design evaluations, and tests and inspections for each. The information provided in this chapter emphasizes those instruments and associated equipment which constitute the protection system as defined in IEEE Std. 279-1971 "IEEE Standard: Criteria for Protection Systems for Nuclear Power Generating Stations."

The primary purpose of the instrumentation and control systems is to provide automatic protection against unsafe and improper reactor operation during steady state and transient power operations (Condition I) and to provide initiating signals to mitigate the consequences of faulted conditions (Conditions II, III, IV). For a discussion of the four conditions see Chapter 15.

The information presented in this chapter emphasizes those instrumentation and control systems which are essential to assuring that the reactor can be operated to produce power in a manner that ensures no undue risk to the health and safety of the public.

It is shown that the applicable criteria and codes, such as the General Design Criteria and IEEE Standards, concerned with the safe generation of nuclear power are met by these systems.

Definitions

The definitions below establish the meaning of words in the context of their use in Chapter 7.

Channel - An arrangement of components and modules or software as required to generate a single protective action signal when required by a plant condition. A channel loses its identity where single action signals are combined.

DNBR (Departure from Nucleate Boiling Ratio) - The ratio of the critical heat flux (defined as the transition from nucleate boiling to film boiling) to the actual local heat flux.

Module - An assembly of interconnected components which constitutes an identifiable device, instrument, or piece of equipment. A module can be disconnected, removed as a unit, and replaced with a spare. It has definable performance characteristics which permit it to be tested as a unit. A module could be a card or other subassembly of a larger device, provided it meets the requirements of this definition.

Software - The entire set of programs, procedures, and related documentation associated with a system, especially a computer system.

Components - Items from which the system is assembled (e.g., resistors, capacitors, wires, connectors, transistors, tubes, switches, springs, etc.).

Single Failure - Any single event which results in a loss of protective function of a component or components of a system. Multiple failures resulting from a single event will be treated as a single failure.

Protective Action - A protective action can be at the channel or the system level. A protective action at the channel level is the initiation of a signal by a single channel when the variable sensed exceeds a limit. A protective action at the system level is the initiation of the operation of a sufficient number of actuators to effect a protective function.

Protective Function - A protective function is the sensing of one or more variables associated with a particular generating station condition, signal processing, and the initiation and completion of the protective action at values of the variable established in the design basis.

Type Tests - Tests made on one or more units to verify adequacy of design.

Degree of Redundancy - The difference between the number of channels monitoring a variable and the number of channels which, when tripped, will cause an automatic system trip.

Minimum Degree of Redundancy - The degree of redundancy below which operation is prohibited or otherwise restricted by the Technical Specifications.

Reproducibility - This definition is taken from SAMA Standard PMC-20.1-1973, Process Measurement and Control Terminology: "the closeness of agreement among repeated measurements of the output for the same value of input, under normal operating conditions over a period of time, approaching from both directions." It includes drift due to environmental effects, hysteresis, long-term drift, and repeatability. Long-term drift (aging of components, etc.) is not an important factor in accuracy requirements since, in general, the drift is not significant with respect to the time elapsed between testing. Therefore, long-term drift may be eliminated from this definition. Reproducibility, in most cases, is a part of the definition of accuracy (see below).

Accuracy - This definition is derived from SAMA Standard PMC-20.1-1973. An accuracy statement for a device falls under Note 2 of the definition of accuracy, which means reference accuracy or the accuracy of that device at reference operating conditions: "Reference accuracy includes conformity, hysteresis and repeatability." To adequately define the accuracy of a system, the term reproducibility is useful as it covers normal operating conditions. The following terms, "trip accuracy," etc., will then include conformity and reproducibility under normal operating conditions. Where the final result does not have to conform to an actual process variable but is related to another value established by testing, conformity may be eliminated, and the term reproducibility may be substituted for accuracy.

Readout Devices - For consistency the final device of a complete channel is considered a readout device. This includes indicators, recorders, isolators (nonadjustable) and controllers.

Channel Accuracy - This definition includes accuracy of primary element, transmitter and rack modules. It does not include readout devices or rack environmental effects, but does include process and environmental effects on field mounted hardware. Rack environmental effects are included in the next two definitions to avoid duplication due to dual inputs.

Indicated and/or Recorded Accuracy - This definition includes channel accuracy, accuracy of readout devices and rack environmental effects.

Trip Accuracy - This definition includes comparator accuracy, channel accuracy for each input, and rack environmental effects. This is the tolerance expressed in process terms (or % of span) within which the complete channel must perform its intended trip function. This includes all instrument errors but no process effects such as streaming. The term "actuation accuracy" may be used where the word "trip" might cause confusion (for example, when starting pumps and other equipment).

Actuation Accuracy - Synonymous with trip accuracy, but used where the word "trip" may cause ambiguity.

Cold Shutdown - The reactor is in the cold shutdown condition when the reactor is subcritical by at least 1% Δk/k and T(avg) is <200 °F with T(avg) defined as the average temperature across a reactor vessel as measured by the hot and cold leg temperature detectors.

Hot Shutdown Condition - When the reactor is subcritical by an amount greater than or equal to the margin to be specified in the applicable technical specification and T(avg) is within the temperature range specified in the applicable technical specification.

Phase A Containment Isolation - Closure of all nonessential process lines which penetrate containment, initiated by the safety injection signal.

Phase B Containment Isolation - Closure of remaining process lines, initiated by containment Hi-Hi pressure signal (process lines do not include Engineered Safety Features lines).

System Response Time

Reactor Trip System Response Time: The time delays are defined as the time required for the reactor trip (i.e., the time the rods are free and begin to fall) to be initiated following a step change in the variable being monitored from at least 5% below (or above) to at least 5% above (or below) the trip setpoint.

Engineered Safety Features Actuation System Response Time: The interval required for the Engineered Safety Features sequence to be initiated subsequent to the point in time that the appropriate variable(s) exceed setpoints. The response time includes sensor (analog) and process/logic (digital) delay.

Normal Operating Conditions - For this document, these conditions cover all normal process temperature and pressure changes. Also included are ambient temperature changes around the transmitters and racks.

Control Accuracy - This definition includes channel accuracy, accuracy of readout devices (isolator, controller), and rack environmental effects. Where an isolator separates control and protection signals, the isolator accuracy is added to the channel accuracy to determine control accuracy, but credit is taken for tuning beyond this point; i.e., the accuracy of these modules (excluding controllers) is included in the original channel accuracy. It is simply defined as the accuracy of the control signal in percent of the span of that signal. This will then include gain changes where the control span is different from the span of the measured variable. Where controllers are involved, the control span is the input span of the controller. No error is included for the time in which the system is in a non-steady-state condition.

7.1.1 Identification of Safety-Related Systems

7.1.1.1 Safety-Related Systems

The Nuclear Steam Supply System (NSSS) instrumentation required to function to achieve the system responses assumed in the safety evaluations and those needed to shut down the plant are given in this section.

7.1.1.1.1 Reactor Trip System

The Reactor Trip System (RTS) is a functionally defined system described in Section 7.2. The equipment which provides the trip functions is identified and discussed in Section 7.2. Design bases for the reactor trip system are given in Section 7.1.2.1. Figure 7.1-1 is a block diagram of this system.

7.1.1.1.2 Engineered Safety Features Actuation System

The engineered safety features actuation system (ESFAS) is a functionally defined system and is described in Section 7.3. The equipment which provides the actuation functions is identified and discussed in Section 7.3. Design bases for the Engineered Safety Features Actuation System are given in Section 7.1.2.1.

7.1.1.1.3 Vital Instrumentation and Control Power Supply System

Design bases for the vital control power supply system are given in Section 7.1.2.1. Further description of the system is provided in Section 8.3.

7.1.1.1.4 Auxiliary Control Air System

The auxiliary control air system supplies essential control air to safety-related equipment such as the auxiliary feedwater control valves, dampers in the auxiliary building gas treatment system and the emergency gas treatment system, and the Control Building HVAC system. Further description of the system is given in Section 9.3.1.

7.1.1.2 Safety-Related Display Instrumentation

The Post Accident Monitoring System (PAM) provides essential information required by the operator to diagnose and monitor significant accident conditions. The accident-monitoring instrumentation is designed with redundant channels so that a single failure does not prevent the operator from determining the nature of an accident, the functioning of the engineered safety features, the need for operator action, and the response of the plant to the safety measures in operation. This system is described in Section 7.5.

Other safety-related display instrumentation is discussed in Section 7.5.

For Unit 1, the Bypassed and Inoperable Status Indication System (BISI) does not perform a safety function, nor do administrative procedures call for immediate operator action based solely on BISI indication. The BISI equipment is isolated from the associated safety-related equipment so as to preclude any abnormal or normal action of the BISI from preventing the performance of a safety function. The BISI is described in detail in Section 7.5.

7.1.1.3 Instrumentation and Control System Designers

All systems discussed in Chapter 7 have definitive functional requirements developed on the basis of the Westinghouse NSSS design. TVA is responsible for the total design of the WBN instrumentation and controls systems. The RTS, ESFAS, and SSPS are generally the instrumentation and controls systems within the scope of the Westinghouse supply. Figures 7.2-1 and 7.3-3 show the logic for the Reactor Protection System (RPS).

7.1.1.4 Plant Comparison

System functions for all systems discussed in Chapter 7 are similar to those of Sequoyah Nuclear Plant. Detailed comparison is provided in Section 1.3.

7.1.2 Identification of Safety Criteria

Section 7.1.2.1 gives design bases for the systems given in Section 7.1.1.1, except for the auxiliary control air system which is described in Section 9.3.1 and the safety-related display instrumentation systems which are described in Section 7.5. Design bases for nonsafety-related systems are provided in the sections which describe the systems.

Conservative considerations for instrument errors are included in the accident analyses presented in Chapter 15. Functional requirements, developed on the basis of the results of the accident analyses, which have utilized conservative assumptions and parameters, were used in designing these systems, and a preoperational testing program verified the adequacy of the design. Accuracies are discussed in Sections 7.2, 7.3 and 7.5.

The documents listed below were considered in the design of the systems given in Section 7.1.1. In general, the scope of these documents is given in the document itself. This determines the systems or parts of systems to which the document is applicable. A discussion of compliance with each document for systems within its scope is provided in the referenced sections.

Because some documents were issued after design and testing had been completed, the equipment documentation may not meet the format requirements of some standards. Table 7.1-1 and Notes 1 through 20 identify the degree of conformance to applicable documents and justify exceptions. In addition to the documents listed in Table 7.1-1, the documents considered are:

Unit 1

1. "General Design Criteria for Nuclear Power Plants," Appendix A to Title 10 CFR Part 50, July 7, 1971. (See Sections 7.2, 7.3, 7.4, and 7.6).
2. Deleted.
3. "Regulatory Guide 1.22 - Periodic Testing of Protection System Actuation Functions," Regulatory Guides for Water-Cooled Nuclear Power Plants, Division of Reactor Standards, Atomic Energy Commission. (See Table 7.1-1, Note 2).
4. Regulatory Guide 1.29 (Revision 1) - "Seismic Design Classification," Regulatory Guides for Water-Cooled Nuclear Power Plants, Directorate of Regulatory Standards, Atomic Energy Commission.
5. The Institute of Electrical and Electronic Engineers, Inc., "IEEE Standard: Criteria for Protection Systems for Nuclear Power Generating Stations," IEEE Standard 279-1971. (See Sections 7.2, 7.3, 7.6).

6. The Institute of Electrical and Electronic Engineers, Inc., "IEEE Standard Criteria for Class 1E Electric Systems for Nuclear Power Generating Stations," IEEE Standard 308-1971.

7. The Institute of Electrical and Electronic Engineers, Inc., "IEEE Standard for Electrical Penetration Assemblies in Containment Structures for Nuclear Fueled Power Generating Stations," IEEE Standard 317-1976. (See Section 8.3.1.2.3).
8. The Institute of Electrical and Electronic Engineers, Inc., "IEEE Trial-Use Standard: General Guide for Qualifying Class I Electric Equipment for Nuclear Power Generating Stations," IEEE Standard 323-1971. (See Table 7.1-1, Note 4).

9. The Institute of Electrical and Electronic Engineers, Inc., "IEEE Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations", IEEE Std. 323-1974.
10. Deleted in Initial UFSAR.
11. The Institute of Electrical and Electronic Engineers, Inc., "IEEE Standard Installation, Inspection, and Testing Requirements for Instrumentation and Electric Equipment During the Construction of Nuclear Power Generating Stations," IEEE Standard 336-1971. (See Section 8.3.1.2.2).
12. The Institute of Electrical and Electronic Engineers, Inc., "IEEE Trial-Use Criteria for the Periodic Testing of Nuclear Power Generating Station Protection Systems," IEEE Standard 338-1971. (See Sections 7.2.2.2, 7.3.2.2.5 and Table 7.1-1, Note 1).
13. IEEE-Std. 338-1987 "IEEE Standard Criteria for the Periodic Testing of Nuclear Power Generating Station Safety Systems".
14. The Institute of Electrical and Electronic Engineers, Inc., "IEEE Trial-Use Guide for Seismic Qualification of Class I Electric Equipment for Nuclear Power Generating Stations," IEEE Standard 344-1971. (See Section 3.10).
15. The Institute of Electrical and Electronic Engineers, Inc., "IEEE Recommended Practices for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations," IEEE Std. 344-1975.
16. The Institute of Electrical and Electronic Engineers, Inc., "IEEE Recommended Practices for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations," IEEE Std. 344-1987.
17. The Institute of Electrical and Electronic Engineers, Inc., "IEEE Guide for General Principles of Reliability Analysis of Nuclear Power Generating Station Protection Systems," IEEE Std. 352-1975.

18. The Institute of Electrical and Electronic Engineers, Inc., "IEEE Trial-Use Guide for the Application of the Single-Failure Criterion to Nuclear Power Generating Station Protection Systems," IEEE Standard 379-1972. (See Table 7.1-1, Note 3).
19. The Institute of Electrical and Electronic Engineers, Inc., "IEEE Standard Application of the Single Failure Criterion to Nuclear Power Generating Station Class 1E Systems," IEEE Std. 379-1988.
20. The Institute of Electrical and Electronic Engineers, Inc., "IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits," IEEE Std. 384-1981.
21. The Institute of Electrical and Electronic Engineers, Inc., "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations," IEEE Std. 603-1980.
22. "Regulatory Guide 1.53 - Application of the Single-Failure Criterion to Nuclear Power Plant Protection Systems," Regulatory Guides for Water-Cooled Nuclear Power Plants, Division of Reactor Standards, Atomic Energy Commission. (See Table 7.1-1, Note 3).
23. Regulatory Guide 1.47, May 1973 "Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems".
24. Regulatory Guide 1.75, September 1978 "Physical Independence of Electrical Systems".
25. Regulatory Guide 1.89, November 1974 "Qualification of Class 1E Equipment for Nuclear Power Plants".
26. Regulatory Guide 1.97, December 1980 "Instrumentation for Light-Water Cooled Nuclear Power Plants to Assess Plant Conditions During and Following an Accident".
27. Regulatory Guide 1.100, August 1977 "Seismic Qualification of Electrical Equipment for Nuclear Power Plants".
28. Regulatory Guide 1.105, November 1976 "Instrument Setpoints".
29. Regulatory Guide 1.118, June 1978 "Periodic Testing of Electric Power and Protection Systems".
30. Regulatory Guide 1.153, December 1985 "Criteria for Power, Instrumentation and Control Portions of Safety Systems".

Regulatory Guide 1.153 endorses the guidance of IEEE-Std. 603-1980.

31. ANSI/IEEE-ANS-7-4.3.2-1982 "Application Criteria for Programmable Digital Computer Systems in Safety Systems of Nuclear Power Generating Stations".

ANSI/IEEE-ANS-7-4.3.2-1982 expands and amplifies the requirements of IEEE-Std. 603-1980.

32. Regulatory Guide 1.152, November 1985 "Criteria for Programmable Digital Computer System Software in Safety-Related Systems in Nuclear Plants".

Regulatory Guide 1.152 endorses the guidance of ANSI/IEEE-7-4.3.2-1982.

Unit 2

1. General Design Criteria for Nuclear Power Plants, "Appendix A to Title 10 CFR Part 50, July 7, 1971." (See Sections 7.2, 7.3, 7.4, and 7.6).
2. The Institute of Electrical and Electronic Engineers, Inc., "IEEE Standard for Electrical Penetration Assemblies in Containment Structures for Nuclear Fueled Power Generating Stations," IEEE Standard 317-1976. (See Section 8.3.1.2.3).
3. The Institute of Electrical and Electronic Engineers, Inc., "IEEE Standard Installation, Inspection, and Testing Requirements for Instrumentation and Electric Equipment During the Construction of Nuclear Power Generating Stations," IEEE Standard 336-1971. (See Section 8.3.1.2.2).
4. The Institute of Electrical and Electronic Engineers, Inc, "IEEE Recommended Practices for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations," IEEE Std. 344-1975. (See Section 3.10.1)

7.1.2.1 Design Bases

The technical design bases for the protection systems are provided by Westinghouse equipment specifications which consider the functional requirements for these systems and applicable criteria as identified in Table 7.1-1.

7.1.2.1.1 Reactor Trip System

The reactor trip system acts to limit the consequences of Condition II events by, at most, a shutdown of the reactor and turbine, with the plant capable of returning to operation after corrective action. The reactor trip system features impose a limiting boundary region to plant operation which ensures that the reactor safety limits analyzed in Chapter 15 are not exceeded during Condition II events and that these events can be accommodated without developing into more severe conditions.

The design requirements for the reactor trip system are derived by analyses of plant operating fault conditions where automatic rapid control rod insertion is necessary in order to prevent or limit core or reactor coolant boundary damage. The design bases addressed in IEEE Standard 279-1971 are discussed in Section 7.2.1. The design limits for this system are:

1. Minimum DNBR shall not be below the limiting value as a result of any anticipated transient or malfunction (Condition II faults).

2. Power density shall not exceed the rated linear power density for Condition II events. See Chapter 4 for fuel design limits.

3. The stress limit of the RCS for the various conditions shall be as specified in Chapter 5.
4. Release of radioactive material shall not be sufficient to interrupt or restrict public use of those areas beyond the exclusion distance or to exceed the guidelines of 10 CFR 100 as a result of any Condition III fault.
5. For any Condition IV fault, release of radioactive material shall not result in an undue risk to public health and safety nor shall it exceed the guidelines of 10 CFR 100, "Reactor Site Criteria."

7.1.2.1.2 Engineered Safety Features Actuation System (ESFAS)

The ESFAS acts to limit the consequences of Condition III events (infrequent faults such as primary coolant spillage from a small rupture which exceeds normal charging system makeup and requires actuation of the safety injection system). The ESFAS acts to mitigate Condition IV events (limiting faults which include the potential for significant release of radioactive material).

The design bases for the ESFAS are derived from the design bases given in Chapter 6. Design bases requirements of IEEE 279-1971 are addressed in Section 7.3.1.2. General design requirements are given below.

1. Automatic Actuation Requirements

The primary functional requirement of the ESFAS is to receive input signals (information) from the various on-going processes within the reactor plant and containment and automatically provide, as output, timely and effective signals to actuate the various components and subsystems comprising the engineered safety features system. These signals must assure that the engineered safety features system will meet its performance objectives as outlined in Chapter 6.

Figure 7.3-3 (Sheets 1 through 4) shows the logic associated with the ESF actuation system.

2. Manual Actuation Requirements

The ESFAS has provisions for manually initiating from the main control room the functions of the engineered safety features system. Manual actuation serves as backup to the automatic initiation and provides control of selective engineered safety features service features.

7.1.2.1.3 Vital Control Power Supply System

The vital control power supply system provides continuous, reliable, regulated single phase ac power to all instrumentation and control equipment required for plant safety. Details of this system are provided in Section 8.3.

7.1.2.1.4 Standby Power

Design bases and system description for the standby power supply are provided in Chapter 8.

7.1.2.1.5 Interlocks

Interlocks are discussed in Sections 7.2, 7.3, 7.6, and 7.7. The protection (P) interlocks are given on Tables 7.2-2 and 7.3-3. The safety analyses demonstrate that even under conservative critical conditions for either postulated or hypothetical accidents, the protective systems ensure that the NSSS will be put into and maintained in a safe state following an ANS Condition II, III, or IV accident commensurate with applicable technical specifications and pertinent ANS Criteria. Therefore, the protective systems have been designed to meet IEEE Standard 279-1971 and are entirely redundant and separate, including all permissives and blocks. All blocks of a protective function are automatically cleared whenever the protective function would be required to function in accordance with General Design Criteria 20, 21, and 22, and Paragraphs 4.11, 4.12, and 4.13 of IEEE Standard 279-1971. Control interlocks (C) are identified on Table 7.7-1. Because control interlocks are not safety related, they have not been specifically designed to meet the requirements of IEEE Protection System Standards.

7.1.2.1.6 Bypasses

Bypasses are designed to meet the requirements of IEEE 279-1971, Sections 4.11, 4.12, 4.13 and 4.14. A discussion of bypasses provided is given in Sections 7.2 and 7.3.

7.1.2.1.7 Equipment Protection

The criteria for equipment protection are given in Chapter 3. Equipment related to safe operation of the plant is designed, constructed and installed to protect it from damage. This is accomplished by working to accepted standards and criteria aimed at providing reliable instrumentation which is available under varying conditions. As an example, certain equipment is seismically qualified in accordance with IEEE 344-1971. During construction, independence and separation are achieved, as required by IEEE 279-1971, either by barriers or physical separation. This serves to protect against complete destruction of a system by fires, missiles or other natural hazards.

7.1.2.1.8 Diversity

Unit 1

Functional diversity has been designed into the system. Functional diversity is discussed in WCAP 7706, "An Evaluation of Solid State Logic Reactor Protection in Anticipated Transients."[1] The extent of diverse system variables has been evaluated for a wide variety of postulated accidents as discussed in WCAP 7306, "Reactor Protection System Diversity in Westinghouse Pressurized Water Reactors."[2] Generally, two or more diverse protection functions would automatically terminate an accident before unacceptable consequences could occur.

For example, there are automatic reactor trips based upon nuclear flux measurements, reactor coolant loop temperature and flow measurements, pressurizer pressure and level measurements, reactor coolant pump under frequency and under voltage measurements, and steam generator water level measurements, as well as manually, and by initiation of a safety injection signal.

Regarding the engineered safety features actuation system for a loss-of-coolant accident, a safety injection signal can be obtained manually or by automatic initiation from diverse parameter measurements as shown in Table 7.3-1.

Unit 2

Functional diversity has been designed into the system. Functional diversity is discussed in WCAP 7706, "An Evaluation of Solid State Logic Reactor Protection in Anticipated Transients," Reference [1]. The extent of diverse system variables has been evaluated for a wide variety of postulated accidents as discussed in WCAPs 7306 and 13869, "Reactor Protection System Diversity in Westinghouse Pressurized Water Reactors," Reference [2] and Reference [8]. Generally, two or more diverse protection functions would automatically terminate an accident before unacceptable consequences could occur.

For example, there are automatic reactor trips based upon nuclear flux measurements, reactor coolant loop temperature and flow measurements, pressurizer pressure and level measurements, reactor coolant pump under frequency and under voltage measurements, and steam generator water level measurements, as well as manually, and by initiation of a safety injection signal.

Regarding the engineered safety features actuation system for a loss-of-coolant accident, a safety injection signal can be obtained manually or by automatic initiation from diverse parameter measurements as shown in Table 7.3-1.

7.1.2.1.9 Trip Setpoints

Unit 1 only, Excluding Technical Specification 3.3.1 Function 14, Turbine Trip, Low Fluid Oil Pressure

The reactor protection system trip setpoints have been selected to ensure that core damage and loss of integrity of the reactor coolant system are prevented during anticipated operational events. These setpoints were analytically determined in accordance with the methodology described in References [3], [5], and [6]. Both the nominal (trip setpoint) and limiting (allowable value) settings have been incorporated into the Technical Specifications. Nominal settings are more conservative than the limiting setpoints. This allows for measurement and calibration uncertainties and instrument channel drift which may occur between periodic tests without exceeding the limiting setpoints.

Unit 1, Technical Specification 3.3.1 Function 14, Turbine Trip a. Low Fluid Oil Pressure, and Unit 2

The scope of TSTF-493 includes setpoints within the reactor protection system (RPS) which includes the Reactor Trip System (RTS) and the Engineered Safeguards Features Actuation System (ESFAS). The specific setpoints within the scope of TSTF-493 are identified in Technical Specifications 3.3.1 and 3.3.2. These trip setpoints have been selected to ensure that core damage and loss of integrity of the reactor coolant system are prevented during anticipated operational events. These setpoints were analytically determined in accordance with the methodology described in References [3] and [7]. The TVA instrument setpoint methodology is based on ISA standard 67.04 (Reference [3]) and is incorporated into TVA technical instructions. The Westinghouse setpoint methodology is described in Reference [7]. Both the nominal (trip setpoint) and limiting (allowable value) settings have been incorporated into the Technical Specifications. Nominal settings are more conservative than the limiting setpoints. This allows for measurement and calibration uncertainties and instrument channel drift which may occur between periodic tests without exceeding the allowable value. Trip setpoint values are monitored by periodic performance of surveillance tests in accordance with Technical Specification requirements.

The setpoint calculations include the effects of both measurable and unmeasurable uncertainties to ensure the associated protective actions are performed before analytical limits are exceeded. The square root sum of the squares (SRSS) method is used for combining uncertainty terms that meet the following three criteria: random, independent, and normally distributed. The probability that all of the independent processes would simultaneously be at their maximum value (i.e., + or -) is very small. The SRSS method provides a means to combine individual random uncertainty terms to establish a net random uncertainty term. All other uncertainties that do not meet any of the three criteria are arithmetically summed. Single-sided correction factors are not used in setpoint calculations within the scope of TSTF-493. The following describes the methodology used for the setpoint calculations within the scope of TSTF-493 revision 4 as incorporated into the WBN Unit 2 Technical Specifications.

Safety Limit (SL) - A safety limit is specified to protect the integrity of physical barriers that guard against the uncontrolled release of radioactivity. The safety limit for a parameter is typically provided in the plant safety analyses in accordance with 10 CFR 50.36(c)(1)(i)(A).

Analytical Limit (AL) - The analytical limit represents the parameter value at which a safety action is assumed to be initiated to ensure that the safety limits are not exceeded during either accidents or anticipated operational occurrences.

Nominal Trip Setpoint (NTSP) - The NTSP is the nominal value at which the instrument is set when it is calibrated. Since most instruments cannot be set to an exact value, the instrument is set to the nominal setpoint within an allowed tolerance band defined as Acceptable As Left (AAL).

Operational Limit (OL) - The operational limit is a value which the operating parameter is not expected to exceed during normal operation. The NTSP is set beyond the OL so that spurious trips of the instrument do not occur.

Acceptable As Found Tolerance (AAF) - A tolerance band on either side of the NTSP which defines the limits of acceptable instrument performance, beyond which the channel may be considered degraded and must be evaluated for operability prior to returning it to service. Channels which exceed the AAF will be entered into the Corrective Action Program for further evaluation and trending. The Acceptable As Found tolerance is the SRSS combination of drift, maintenance and test equipment (M&TE) accuracy and readability, and calibration/reference accuracy. Other uncertainties may be included in the AAF if applicable.

Acceptable As Left Tolerance (AAL) - A tolerance band on either side of the NTSP within which an instrument or instrument loop is left after calibration or setpoint verification. The Acceptable As Left tolerance is equal to or less than the SRSS combination of reference accuracy, M&TE accuracy and M&TE readability. Other uncertainties may be included in the AAL if applicable. The trip setpoint must be adjusted within the AAL tolerance prior to returning the channel to service.

Allowable Value (AV) - The limiting value of the as-found trip setting used during surveillance testing for the portion of the channel being tested, beyond which the channel is inoperable. The AV ensures that sufficient margin exists to the AL to account for unmeasurable uncertainties such as process effects to ensure that the protective action is performed under worst case conditions before the analytical limit is exceeded when the channel is reset to within the AAL tolerance.

Calculation of the allowable value by the Westinghouse setpoint methodology is described in Reference [7]. In the Westinghouse methodology, the AV is limited to rack surveillance testing. Two values are calculated. The first value is the arithmetic sum of the measurable rack uncertainties. The second value is based on the total allowance between the trip setpoint and the safety analysis limit. This value is the difference between the total allowance and those uncertainties which are not present during the rack surveillance test. These uncertainties are combined in accordance with Reference [7]. The AV is the nominal trip setpoint plus or minus, dependent on the trip setpoint direction, the minimum of the two calculated values.

The TVA methodology for the allowable value calculation is described in TVA technical instructions based on Reference [3]. An upper limit of AV is determined by subtracting the unmeasurable uncertainties from the AL. A lower limit of AV is determined by adding the measurable uncertainties to the NTSP. The actual AV is set within these limits. This applies to a high setpoint with an upper Analytical Limit; the directions would be reversed for a low setpoint with a lower AL.
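The setpoint terms defined above, worked through as an added Python example (it is not part of the UFSAR or of the TVA or Westinghouse methodologies). All numbers are constructed, in percent of span, the function names are hypothetical, and the Westinghouse term for uncertainties not present during the rack test is taken as an already combined input because Reference [7] is not reproduced here.

```python
import math


def srss(*terms):
    """Square root sum of squares, for random, independent, normally distributed terms."""
    return math.sqrt(sum(t * t for t in terms))


def channel_uncertainty(random_terms, other_terms):
    """SRSS the terms meeting all three criteria; sum the remaining magnitudes arithmetically."""
    return srss(*random_terms) + sum(abs(t) for t in other_terms)


def aaf_tolerance(drift, mte_accuracy, mte_readability, reference_accuracy):
    """Acceptable As Found band: SRSS of drift, M&TE accuracy/readability, reference accuracy."""
    return srss(drift, mte_accuracy, mte_readability, reference_accuracy)


def aal_tolerance_max(reference_accuracy, mte_accuracy, mte_readability):
    """Largest permitted Acceptable As Left band (the AAL is equal to or less than this)."""
    return srss(reference_accuracy, mte_accuracy, mte_readability)


def tva_av_limits(ntsp, al, measurable, unmeasurable, increasing=True):
    """Band in which the AV may be set, as described for the TVA methodology.

    increasing=True is a high setpoint with an upper AL; False reverses the directions.
    Returns (lower bound, upper bound) in engineering order.
    """
    sign = 1.0 if increasing else -1.0
    near_al = al - sign * unmeasurable      # AL less the unmeasurable uncertainties
    near_ntsp = ntsp + sign * measurable    # NTSP plus the measurable uncertainties
    if sign * (near_al - near_ntsp) < 0:
        raise ValueError("no margin left for an AV between NTSP and AL")
    return min(near_ntsp, near_al), max(near_ntsp, near_al)


def westinghouse_av(ntsp, rack_terms, total_allowance, not_tested, increasing=True):
    """AV = NTSP plus or minus the smaller of the two calculated values.

    not_tested: uncertainties absent during the rack surveillance test, supplied
    already combined (assumed input; the combination rule is in Reference [7]).
    """
    value_1 = sum(abs(t) for t in rack_terms)   # arithmetic sum of measurable rack terms
    value_2 = total_allowance - not_tested      # allowance left for the tested portion
    margin = min(value_1, value_2)
    return ntsp + margin if increasing else ntsp - margin


def classify_as_found(as_found, ntsp, av, aaf, aal, increasing=True):
    """Map an as-found trip setting to the condition the definitions assign to it."""
    beyond_av = as_found > av if increasing else as_found < av
    deviation = abs(as_found - ntsp)
    if beyond_av:
        return "inoperable: beyond AV"
    if deviation > aaf:
        return "degraded: exceeds AAF, evaluate operability, enter Corrective Action Program"
    if deviation > aal:
        return "within AAF: adjust to within AAL before return to service"
    return "within AAL"


if __name__ == "__main__":
    # Constructed high-setpoint channel, values in % of span.
    ntsp, al = 80.0, 85.0
    aaf = aaf_tolerance(drift=0.4, mte_accuracy=0.2, mte_readability=0.1,
                        reference_accuracy=0.2)
    aal = aal_tolerance_max(reference_accuracy=0.2, mte_accuracy=0.2,
                            mte_readability=0.1)
    low, high = tva_av_limits(ntsp, al, measurable=0.8, unmeasurable=2.0)
    av = 82.0  # chosen inside the permitted band
    print(f"AAF = +/-{aaf:.2f}, AAL <= +/-{aal:.2f}, AV band = [{low:.1f}, {high:.1f}]")
    for reading in (80.2, 80.4, 81.0, 82.5):
        print(reading, "->", classify_as_found(reading, ntsp, av, aaf, aal))
```
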

7.1.2.2 Independence of Redundant Safety-Related Systems

The safety-related systems in Section 7.1.1.1 are designed to meet the independence and separation requirements of Criterion 22 of the 1971 General Design Criteria (GDC) (Appendix A to 10CFR50) and Paragraph 4.6 of IEEE 279-1971. The administrative responsibility and control provided during the design and installation is discussed in Chapter 17 which addresses the Quality Assurance programs applied by Westinghouse and TVA.

The electrical power supply instrumentation and control conductors for redundant circuits of a nuclear plant have physical separation including PAM Category 1 and protection set I, II, III and IV instrumentation and control. Their cables are run in separate raceways to preserve divisional integrity and to ensure that no single credible event will prevent operation of the associated function due to electrical conductor damage. Detailed information pertaining to electrical cable for safety-related systems is given in Section 8.3.1.4. Critical circuits and functions include: power, control, and process protection channels associated with the operations of the reactor trip system or engineered safety features actuation system. Failure events are evaluated for credibility and credible events shall include, but not be limited to, the effects of short circuits, pipe rupture, missiles, etc., and are considered in the basic plant design. Control board details are given in Section 7.7.1.10. In the control board, separation of redundant circuits is maintained as described in Section 7.1.2.2.2.

Instrument sensing lines (including capillary systems) which serve safety-related systems identified in Section 7.1.1.1 are designed to meet the independence requirements of criterion 22 of the 1971 General Design Criteria and IEEE 279-1971 Section 4.6. The requirements consider the following events: (1) normal activities in the area (e.g., maintenance); (2) high and moderate energy jet streams, missiles, and pipe whip; and (3) possible damage caused by falling loads from the plant lifting systems (e.g., cranes, monorails). Exceptions to these requirements shall be evaluated for technical adequacy and documented in Design Basis Documents.

7.1.2.2.1 General

Separation of cables and raceways of redundant circuits is described in Sections 8.3.1 and 9.5.1.

7.1.2.2.2 Specific Systems

Channel independence is carried throughout the system, extending from the sensor through to the devices actuating the protective function. Physical separation is used to achieve separation of redundant transmitters. Separation of wiring is achieved using separate wireways, cable trays, conduit runs and containment penetrations for each redundant channel. Each redundant channel is energized from a separate ac power feed.

Within the process protection system there are four separate protection channel sets. Redundant protection channels are separated by locating the processing electronics of the redundant channels in different protection channel rack sets. Separation of redundant channels begins at the sensors and is maintained in the field wiring, containment penetrations, and process protection channel racks. Thus any single failure within a channel will not prevent initiation of a required protection system action.

In the nuclear instrumentation system and the solid state protection system racks where redundant channels of protection instrumentation are physically adjacent, there are no wireways or cable penetrations which would permit, for example, a fire resulting from electrical failure in one channel to propagate into redundant channels in the logic racks.

Independence of the logic trains is discussed in Sections 7.2 and 7.3. Two reactor trip breakers are actuated by two separate logic matrices which interrupt power to the control rod drive mechanisms. The breaker main contacts are connected in series with the power supply so that opening either breaker interrupts power to all control rod drive mechanisms, permitting the rods to free fall into the core.

1. Reactor Trip System
a. Separate routing is maintained between the four reactor trip system process protection channels, including the sensor signals, comparator signals, and associated power supplies.
b. Separate routing of the reactor trip signals from the two redundant logic system cabinets is maintained. In addition, they are separated (by spatial separation, by an approved barrier, or by separate cable trays or wireways) from the four protection instrumentation channels.
2. Engineered Safety Features Actuation System
a. Separate routing is maintained for the four redundant sets of ESF actuation system process protection channels, comparator output signals, and power supplies for such systems. The separation of these four redundant and independent protection channel sets is maintained from sensors through process protection racks to logic system cabinets.
b. Separate routing of the ESF actuation signals from the two redundant logic system cabinets is maintained. The ESF actuation signals are also separated from the four process protection channels.
c. Separate routing of redundant control and power circuits associated with the operation of engineered safety features equipment is required to retain redundancies provided in the system design and power supplies.
3. Vital Control Power Supply System

The separation criteria presented above also apply to the power supplies for the load centers and buses distributing power to redundant components and to the control of these power supplies. See Section 8.3.1 for the description of the system.

4. Control Board

Control board switches and associated lights are generally furnished in modules. Modules provide a degree of physical protection for the switches, associated lights and wiring. Teflon wire is used within the module and between the module and the first termination point.

Modular train column wiring is formed into wire bundles and carried to metal wireways (gutters). Gutters are run into metal vertical wireways (risers). The risers are the interface between field wiring and control board wiring. Risers are arranged to maintain the separated routing of the field cable trays.

Wiring within control boards has been designed and installed to maintain physical independence. Design features include enclosed modular switches, metal wireways, and use of metallic woven braid over approved insulation of critical wires. PVC type tubing (Tygon) has been used in some installations to insulate up to approximately 6 inches of the drain wire where signal cable is broken out to terminate the cable at termination points.

Figure 7.1-2 shows the details of the control boards critical wiring braid installation.

Wiring for each train is routed from the field to separate vertical risers, separated horizontally in enclosed horizontal wireways, and then routed from the wireway to the enclosed switch module in metallic braid. Maximum air space between cables of different trains has been maintained and in no case do cables from different trains touch nor can they migrate with time to touch.

In order to maintain separation between wiring associated with different logic trains, mutually redundant safety train wiring is not terminated on a single device. Backup manual actuation switches link the separate trains by mechanical means to provide greater reliability of operator action for the manual reactor trip function and manual engineered safety features actuations. The linked switches are themselves redundant so that operation of either set of linked switches will actuate safety trains "A" and "B" simultaneously.

Safety-related indicators, e.g., post accident monitoring indicators are separated by metallic barrier plates and/or air separation. Teflon insulated wire is used between the indicators and the first termination point. The wire routing method is similar to that used for the modules.

Reactor trip system and engineered safety features actuation system process protection channels may be routed in the same wireways provided circuits have the same power supply and channel set identity (I, II, III or IV).

7.1.2.2.3 Fire Protection

Refer to Section 9.5.1 for fire protection information.

7.1.2.3 Physical Identification of Safety-Related Equipment

There are four separate sets of process protection channel racks identifiable with equipment associated with the reactor trip system and with the engineered safety features actuation system. A process protection channel set may consist of more than one instrumentation rack.

The color coding of each instrumentation rack nameplate coincides with the color code established for the protection instrumentation channel of which it is a part. Redundant channels are separated by locating them in different protection channel racks. Separation of redundant channels begins at the process sensors and is maintained in the field wiring, containment penetrations, and process protection racks to the redundant trains in the logic racks. The solid state protection system input cabinets are divided into four isolated compartments, each serving one of the four redundant process protection channels. Horizontal 1/8-inch thick solid steel barriers, coated with fire-retardant paint, separate the compartments. Four solid steel wireways coated with fire-retardant paint enter the input cabinets vertically. The wireway for a particular compartment is open into that compartment so that flame could not propagate to affect other channels. At the logic racks the protection set color coding for redundant channels is clearly maintained until the channel loses its identity in the redundant logic trains. The color-coded nameplates described below provide identification of equipment associated with protective functions and their channel set association.

Protection Set    Color Coding
I                 Red with white lettering
II                Black with white lettering
III               Blue with white lettering
IV                Yellow with black lettering

Post accident monitoring and train-oriented modules are identified as follows:

                                      Color
Train A                               Orange and white
Train B                               Brown and White
Special (1)                           Gold and Black
Post-accident Monitoring Channel 1    Purple and White (outside MCR)
                                      Black and White (inside MCR)
Post-accident Monitoring Channel 2    Green and Black (outside MCR)
                                      Black and White (inside MCR)
Nondivisional (Nonsafety-related)     White and Black
Normal Offsite Power Supply           White and Black
Alternate Offsite Power Supply        White and Black

All nonrack-mounted protective equipment and components are provided with an identification tag or nameplate. Small electrical components such as relays have nameplates on the enclosure which houses them. All cables are numbered with identification tags. In congested areas, such as under or over the control boards, instrument racks, etc., cable trays and conduits containing redundant circuits are identified using permanent markings. The purpose of such markings, discussed in detail in Section 8.3.1.4, is to facilitate cable routing identification for future modifications or additions. Positive permanent identification of field routed cables is provided by nameplates on the input panels of the solid state logic protection system.

1 The circuits requiring special separations are suffix S and described in Section 8.3.1.4.3.

7.1.2.4 Process Signal Isolation Relays

Criteria for Process Signal Isolation Relays

The following criteria are to be used in providing isolation between process signals and safety circuits:

1. A safety signal derived from the Solid-State Protection System (SSPS) shall override the process signal.
2. The isolation relays shall have a coil to contact rating equal to or greater than the maximum credible ac or dc potential that could be applied to the non-1E circuit at its end points or intermediate routing.
3. The isolation relays and racks designated as Train A or Train B shall be seismically qualified.

Implementation of Criteria

1. The following is a listing of the Auxiliary Relay Racks (ARR) and the cable routing scheme utilized:

AUXILIARY RELAY RACKS - UNIT 1

LOCATION              TRAIN A         NON-DIV               TRAIN B
AUXILIARY CONTROL     1-L-11A         1-L-10                1-L-11B
BOP AUX INST ROOM     1-R-73,74       1-R-71,72,75,76,80    1-R-77,78
NSSS AUX INST ROOM    1-R-54 (AR1)    1-R-58 (AR3)          1-R-55 (AR2)

AUXILIARY RELAY RACKS - UNIT 2

LOCATION              TRAIN A         NON-DIV               TRAIN B
AUXILIARY CONTROL     2-L-11A         2-L-10                2-L-11B
BOP AUX INST ROOM     2-R-73,74       2-R-71,72,75,76,80    2-R-77,78
NSSS AUX INST ROOM    2-R-54 (AR1)    2-R-58 (AR3)          2-R-55 (AR2)

ROUTING SCHEME - AUXILIARY RELAY RACKS

[Diagram not reproduced. Columns: TRAIN A, NON-DIV, TRAIN B. Legend: TR A; NON-DIV; TR B; NON-DIV ROUTED WITH TRAIN A; NON-DIV ROUTED WITH TRAIN B.]

2. Figure 7.1-3 (Sheets 1-4) illustrates the various isolation configurations used in the design of Watts Bar.

REFERENCES

1. W. C. Gangloff and W. D. Loftus, "An Evaluation of Solid State Logic Reactor Protection in Anticipated Transients," WCAP-7706-L, July 1971 (Westinghouse NES Proprietary), and WCAP-7706, July 1971.

2. T. W. T. Burnett, "Reactor Protection System Diversity in Westinghouse Pressurized Water Reactors." WCAP-7306, April 1969.
3. Setpoints for Nuclear Safety-Related Instrumentation Used in Nuclear Power Plants, ISA-DS-67.04, 1982.
4. Erin, L. E., Topical Report Eagle 21 Microprocessor-Based Process Protection system, WCAP-12374, Rev. 1, December 1991 (Westinghouse Proprietary Class 2); WCAP-12375, Rev. 1, December 1991 (Westinghouse Proprietary Class 3).
5. Reagan, J. R., "Westinghouse Setpoint Methodology for Protection Systems, Watts Bar Units 1 and 2, Eagle 21 Version," WCAP-12096, Rev. 9 (Westinghouse Proprietary Class 2). (Unit 1 only)
6. Bass, J. C., RCS Flow Measurement Using Elbow Tap Methodology at Watts Bar Unit 1, WCAP-16067, Rev 0 (Westinghouse Proprietary Class 2).
7. Trozzo, R. W., Westinghouse Setpoint Methodology for Protection Systems - Watts Bar Unit 2, WCAP-17044-P, Revision 1, September 2012, (Unit 2 only).

8. Scherder, W. J., WCAP-13869, Functional Diversity Assessment For The Reactor Protection System/Engineered Safety Features Actuation System At Watts Bar Units 1 And 2, Revision 1, October 1993.

TABLE 7.1-1 (Sheet 1 of 6)

WATTS BAR NUCLEAR PLANT UNIT 1 NRC REGULATORY GUIDE CONFORMANCE

The extent to which the recommendations of the applicable NRC regulatory guides and IEEE standards are followed for the Class 1E instrumentation and control systems is shown below. The symbol (F) indicates full compliance. Those which are not fully implemented are discussed in the referenced sections of the UFSAR and in the footnotes as indicated.

Regulatory Guide 1.22, "Periodic Testing of Protection System Actuation Functions" (F, see note 2).

Regulatory Guide 1.29, "Seismic Design Classification" (F).

Regulatory Guide 1.30, "Quality Assurance Requirements for the Installation, Inspection, and Testing of Instrumentation and Electric Equipment." (See Section 7.1 for compliance.)

Regulatory Guide 1.45, "Reactor Coolant Pressure Boundary Leakage Detection Systems" (See Note 7).

Regulatory Guide 1.47, "Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems" (F, See Note 5).

Regulatory Guide 1.53, "Application of the Single Failure Criterion to Nuclear Power Plant Protection Systems" (F, See Note 3).

Regulatory Guide 1.62, "Manual Initiation of Protective Actions" (F).

Regulatory Guide 1.63, "Electrical Penetration Assemblies in Containment Structures for Water-Cooled Nuclear Power Plants" (See Section 8.1.5.3 for compliance).

Regulatory Guide 1.68, "Preoperational and Initial Startup Test Program for Water-Cooled Power Reactors" (See Section 14.2.7, historical information).

Regulatory Guide 1.75, "Physical Independence of Electric Systems" (See Sections 7.1.2.2, 7.1.2.3, 8.1.5.3, 8.3.1.4, 8.3.2.4, and 8.3.2.5 for compliance).

Regulatory Guide 1.79, "Preoperational Testing of Emergency Core Cooling Systems for Pressurized Water Reactors" (See Section 6.3.4.1).

Regulatory Guide 1.80, "Preoperational Testing of Instrument Air Systems" (F).

Regulatory Guide 1.89, "Environmental Qualification of Certain Electrical Equipment Important to Safety for Nuclear Power Plants" (See note 4).

Regulatory Guide 1.97, December 1980 "Instrumentation for Light-Water Cooled Nuclear Power Plants to Assess Plant Conditions During and Following an Accident" (See Section 7.5).

Regulatory Guide 1.100, August 1977 "Seismic Qualification of Electrical Equipment for Nuclear Power Plants" (See Note 8).

Regulatory Guide 1.105, November 1976 "Instrument Setpoints" (See Note 8).

Regulatory Guide 1.118, June 1978 "Periodic Testing of Electric Power and Protection Systems" (See Notes 8 and 11), (See Section 8.1.5.3, Note 6, for electric power systems).

Regulatory Guide 1.153, December 1985 "Criteria For Power, Instrumentation and Control Portions of Safety Systems" (See Notes 8 and 9).

ANSI/IEEE-ANS-7-4.3.2-1982 "Application Criteria for Programmable Digital Computer Systems in Safety Systems of Nuclear Power Generating Stations" (See Notes 8 and 10).

Regulatory Guide 1.152, "Criteria for Programmable Digital Computer System Software in Safety-Related Systems of Nuclear Power Plants" (P) (See note 6).

Regulatory Guide 1.152, Revision 3 Criteria for Use of Computers in Safety Systems of Nuclear Power Plants (P) (See note 12).

IEEE Standard 279-1971, "Protection Systems for Nuclear Power Generating Stations" (F).

IEEE Standard 308-1971, "Class 1E Power Systems for Nuclear Power Generating Stations" (See Section 8.1.5).

IEEE Standard 323-1971, IEEE Trial-Use Standard: General Guide for Qualifying Class 1E Equipment for Nuclear Power Generating Stations, (See Note 4).

IEEE Std. 323-1974, "IEEE Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations," (See Notes 4 and 8).

IEEE Standard 338-1971, "Periodic Testing of Nuclear Power Generating Station Safety Systems" (See note 1 and Section 7.3.2.2.5 for compliance).

IEEE Standard 338-1977, "IEEE Standard Criteria for the Periodic Testing of Nuclear Power Generating Station Safety Systems" (See Note 11).

IEEE Std. 338-1987, "IEEE Standard Criteria for the Periodic Testing of Nuclear Power Generating Station Safety Systems," (See Note 8).

IEEE Standard 344-1971, "Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations" (F) (For clarification of conformance to IEEE Standard 344-1975, See Section 3.10.1).

IEEE Std. 344-1987, "IEEE Recommended Practices for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations," (See Notes 8 and 12).

IEEE Std. 352-1975, "IEEE Guide for General Principles of Reliability Analysis of Nuclear Power Generating Station Protection Systems," (See Note 8).

IEEE Std 379-1972, IEEE Trial-Use Guide for the Application of the Single-Failure Criterion to Nuclear Power Generating Station Protection Systems, (See Note 3).

IEEE Std. 379-1988, "IEEE Standard Application of the Single Failure Criterion to Nuclear Power Generating Station Class 1E Systems," (See Note 8).

IEEE Std. 384-1981, "IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits," (See Note 8).

IEEE Std. 603-1980, "IEEE Standard Criteria For Safety Systems for Nuclear Power Generating Stations," (See Note 8).

IEEE Std. 603-1991, IEEE Standard Criteria For Safety Systems for Nuclear Power Generating Stations, (See Note 12).

Note 1 Conformance to IEEE 338-1971

The periodic testing of the reactor protection systems conforms to the requirements of IEEE Standard 338-1971 with the following comments:

1. The surveillance requirements of the Technical Specifications for the protection system ensure that the system functional operability is maintained comparable to the original design standards. Periodic tests at frequent intervals demonstrate this capability for the system.

Protection systems response times from the sensor through the actuated device, as identified in the Watts Bar Technical Requirements Manual, are verified. Technical Specifications require periodic testing on at least 18-month intervals. Each test shall include at least one logic train such that both logic trains are tested at least once per 36 months and one channel per function such that all channels are tested at least once every (N times 18) months, where N is the total number of redundant channels in a specific protection function.

The measurement of response time at the specified frequencies provides assurance that the protective and Engineered Safety Features action function associated with each channel is completed within the time limit assumed in the accident analyses.

2. The test frequencies established for the reactor protection system, evaluated in WCAP-10271, Supplement 1 and WCAP-10271-P-A, Supplement 2, Westinghouse Evaluation of Surveillance Frequencies and Out of Service Times for the Reactor Protection Instrument System, are consistent with the required reliability of the reactor protection system to provide acceptable risk results.
3. The periodic test frequency discussed in Paragraph 4.3 of IEEE Standard 338 and specified in the plant Technical Specifications is conservatively selected to assure that equipment associated with protection functions has not drifted beyond its minimum performance requirements. If any protection channel appears to be marginal or requires more frequent adjustments due to plant condition changes, the test frequency is accelerated to accommodate the situation until the marginal performance is resolved.
4. The test interval discussed in Paragraph 5.2, IEEE Standard 338, is developed primarily on past operating experience and modified if necessary to assure that system and subsystem protection is reliably provided. Analytic methods for determining reliability are not used to determine test interval.

Note 2 Conformance to Regulatory Guide 1.22

Periodic testing of the reactor trip and engineered safety features actuation systems, as described in Sections 7.2.2 and 7.3.2, complies with NRC Regulatory Guide 1.22, "Periodic Testing of Protection System Actuation Functions." There are functions which are not tested at power because to do so would render the plant in a less safe condition. These include the following:

1. Turbine trip equipment that causes a reactor trip; the trip of the turbine from this same turbine trip equipment also is taken credit for on a safety injection or reactor trip;
2. Generation of a reactor trip by use of the manual trip switch;
3. Generation of a reactor trip by use of the manual safety injection switch;
4. Closing the main steam line stop valves;
5. Closing the feedwater control valves;
6. Closing the feedwater isolation valves;
7. Reactor coolant pump component cooling water isolation valves (close);
8. Reactor coolant pump seal water return valves (close).

The actuation logic for these functions is tested as described in Sections 7.2 and 7.3. As required by Regulatory Guide 1.22, where actuated equipment is not tested during reactor operation it has been determined that:

1. There is no practicable system design that would permit testing of the equipment without adversely affecting the safety or operability of the plant;
2. The probability that the protection system will fail to initiate the operation of the equipment is, and can be maintained, acceptably low without testing the equipment during reactor operation; and
3. The equipment will be routinely tested when the reactor is shut down as defined in the Technical Specification.

Where the ability of a system to respond to a bona fide accident signal is intentionally bypassed for the purpose of performing a test during reactor operation, each bypass condition is automatically indicated to the reactor operator in the main control room by a separate annunciator for the train in test. SSPS test circuitry does not allow trains to be tested at the same time so that extension of the bypass condition to redundant systems is prevented.

Note 3 Conformance to IEEE 379-1972 and Regulatory Guide 1.53

The principles described in IEEE Standard 379-1972 were used in the design of the Westinghouse protection system. The system complies with the intent of this standard and the additional requirements of Regulatory Guide 1.53. The formal analyses required by the standard have not been documented exactly as outlined although parts of such analyses are published in various documents (e.g., WCAP-7486-L, December 1970, and WCAP-7486, May 1971, W. C. Gangloff, An Evaluation of Anticipated Operational Transient in Westinghouse Pressurized Water Reactors). Westinghouse has gone beyond the required analyses and has performed a fault-tree analysis (Section 7.1, Reference [1]).

The referenced Topical Reports provide details of the analyses of the protection systems previously made to show conformance with single failure criterion set forth in Paragraph 4.2 of IEEE Standard 279-1971. The interpretation of single failure criterion provided by IEEE-379 does not indicate substantial differences with the Westinghouse interpretation of the criterion except in the methods used to confirm design reliability. Established design criteria in conjunction with sound engineering practices form the bases for the Westinghouse protection systems. The reactor trip and engineered safeguards actuation systems are each redundant safety systems. The required periodic testing of these systems will disclose any failures or loss of redundancy which could have occurred in the interval between tests, thus ensuring the availability of these systems.

Note 4 Conformance to Regulatory Guide 1.89

Watts Bar Nuclear Power Plant 1E equipment within the scope of 10 CFR 50.49 is qualified in accordance with IEEE 323-1971 or IEEE 323-1974. (See Reference [1] of Section 3.11).

Section 7.1, Reference [4] provides additional information for the Eagle 21 process protection system.

Note 5 Conformance to Regulatory Guide 1.47

Watts Bar Nuclear Plant will be in full compliance with the intent of Regulatory Guide 1.47 (BISI) Revision 0, as described in Section 7.5.2.2.

Note 6 Conformance to Regulatory Guide 1.152

Watts Bar Nuclear Plant process protection racks are qualified by procedures and testing to Westinghouse's interpretation of Regulatory Guide 1.152 (WCAP-13191, Watts Bar Nuclear Plant Eagle 21 Process Protection System Replacement Hardware Verification and Validation Report, April 1992). Regulatory Guide 1.152 endorses the guidance of ANSI/IEEE-ANSI 4.3.2-1982.

Note 7 Conformance to Regulatory Guide 1.45

Compliance to Regulatory Guide 1.45 is as identified in Section 5.2.7.

Note 8 These Rules, Regulations and standards are applicable to the design of the Eagle 21 process protection system cabinets. Unless stated otherwise, the revision in effect on December 1, 1983 is applicable to the design.

Note 9 Regulatory Guide 1.153 endorses the guidance of IEEE Std. 603-1980.

Note 10 ANSI/IEEE-ANS-7-4.3.2-1982 expands and amplifies the requirements of IEEE Std. 603-1980.

Note 11 Conformance to Regulatory Guide 1.118

The design of the Eagle 21 process protection system cabinets complies with the requirements of Regulatory Guide 1.118 R2 except as follows:

Position C.6(a) - Where feasible, test switches or other necessary equipment will be installed permanently to minimize the use of temporary jumpers in testing in accordance with the requirements in IEEE Standard 338-1977.

Note 12 These Rules, Regulations and standards are applicable to the design of the Dresser Rand Terry Turbine Governor Control System used on the Turbine Driven Auxiliary Feedwater Pump Turbine.

WBN TABLE 7.1-1 (Sheet 1 of 9)

WATTS BAR NUCLEAR PLANT UNIT 2 NRC REGULATORY GUIDE CONFORMANCE

The extent to which the recommendations of the applicable NRC regulatory guides and IEEE standards are followed for the Class 1E instrumentation and control systems is shown below.

The symbol (F) indicates full compliance. Those which are not fully implemented are discussed in the referenced sections of the FSAR and in the footnotes as indicated.

Regulatory Guide 1.22, Revision 0, February 1972 "Periodic Testing of Protection System Actuation Functions" (F, see note 2).

Regulatory Guide 1.29, Revision 3, September 1978 "Seismic Design Classification" (F).

Regulatory Guide 1.30, Revision 0, August 1972 "Quality Assurance Requirements for the Installation, Inspection, and Testing of Instrumentation and Electric Equipment." (See Section 7.1 for compliance.)

Regulatory Guide 1.45, Revision 0, May 1973 "Reactor Coolant Pressure Boundary Leakage Detection Systems" (See Note 7).

Regulatory Guide 1.47, Revision 0, May 1973 "Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems" (F, see note 5).

Regulatory Guide 1.53, Revision 0, June 1973 "Application of the Single Failure Criterion to Nuclear Power Plant Protection Systems" (F, see note 3).

Regulatory Guide 1.62, Revision 0, October 1973 "Manual Initiation of Protective Actions" (F).

Regulatory Guide 1.63, Revision 2, July 1978 "Electrical Penetration Assemblies in Containment Structures for Water-Cooled Nuclear Power Plants" (See Section 8.1.5.3 for compliance).

Regulatory Guide 1.68, Revision 2, August 1978 "Preoperational and Initial Startup Test Program for Water-Cooled Power Reactors" (See Section 14.2.7).

Regulatory Guide 1.75, Revision 2, September 1978 "Physical Independence of Electric Systems" (See Sections 8.1.5.3, 8.3.1.4, 8.3.2.4, and 8.3.2.5 for compliance, Note 8).

Regulatory Guide 1.75, Revision 3, February 2005, Criteria for Independence of Electrical Safety Systems (See Sections 8.1.5.3, 8.3.1.4, 8.3.2.4, and 8.3.2.5 for compliance) (See Notes 13, 14, and 15)

Regulatory Guide 1.79, Revision 1, September 1975 Preoperational Testing of Emergency Core Cooling Systems for Pressurized Water Reactors (See Section 6.3.4.1).

Regulatory Guide 1.68.3, Revision 0, April 1982 "Preoperational Testing of Instrument Air Systems" (F).

Regulatory Guide 1.89, Revision 1, June 1984 "Environmental Qualification of Certain Electrical Equipment Important to Safety for Nuclear Power Plants" (See note 4).

Regulatory Guide 1.97, Revision 2, December 1980 "Instrumentation for Light-Water Cooled Nuclear Power Plants to Assess Plant Conditions During and Following an Accident" (See Section 7.5).

Regulatory Guide 1.100, Revision 1, August 1977 "Seismic Qualification of Electrical Equipment for Nuclear Power Plants" (See Note 8).

Regulatory Guide 1.100, Revision 2, June 1988, Seismic Qualification of Electric and Mechanical Equipment for Nuclear Power Plants (See Notes 13 and 20).

Regulatory Guide 1.100, Revision 3, September 2009, Seismic Qualification of Electric and Mechanical Equipment for Nuclear Power Plants (See Notes 13, 14, and 16).

Regulatory Guide 1.105, Revision 2, February 1986 November 1976 "Instrument Setpoints for Safety-Related Systems" (See Note 8).

Regulatory Guide 1.133, Revision 1, May 1981 Loose-Part Detection Program for the Primary System of Light-Water Cooled Reactors, Revision 1 (See Note 12).

Regulatory Guide 1.118, Revision 2, June 1978 "Periodic Testing of Electric Power and Protection Systems" (See Notes 8 and 11), (See Section 8.1.5.3, Note 8, for electric power systems).

Regulatory Guide 1.152, Revision 0, November 1995 Criteria for Programmable Digital Computer System Software in Safety-Related Systems of Nuclear Power Plants (See Notes 6, 8, and 14).

Regulatory Guide 1.152, Revision 3, July 2011 Criteria for Digital Computers in Safety Systems of Nuclear Power Plants (See Note 13).

Regulatory Guide 1.153, Revision 0, December 1985 "Criteria For Power, Instrumentation and Control Portions of Safety Systems" (See Notes 8 and 9).

Regulatory Guide 1.153, Revision 1, June 1996, Criteria For Safety Systems (See Note 13).

Regulatory Guide 1.168, Revision 0, September 1997, Verification, Validation, Reviews, and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants (See Note 13).

Regulatory Guide 1.209, Revision 0, March 2007, Guidelines for Environmental Qualification of Safety-Related Computer-Based Instrumentation and Control Systems in Nuclear Power Plants (See Note 13).

ANSI/IEEE-ANS-7-4.3.2-1982 Application Criteria for Programmable Digital Computer Systems in Safety Systems of Nuclear Power Generating Stations (See Notes 8, 10, and 14).

IEEE Std. 7-4.3.2-2003 Application Criteria for Programmable Digital Computer Systems in Safety Systems of Nuclear Power Generating Stations (See Note 13).

IEEE Std. 279-1971, Protection Systems for Nuclear Power Generating Stations (F) (See Sections 7.2, 7.3, 7.6).

IEEE Standard 308-1971, "Class 1E Power Systems for Nuclear Power Generating Stations" (See Section 8.1.5).

IEEE Std. 323-1971, IEEE Trial-Use Standard: General Guide for Qualifying Class 1E Equipment for Nuclear Power Generating Stations (See Note 4).

IEEE Std. 323-1974, "IEEE Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations," (See Notes 4, 8, and 14).

IEEE Std. 323-2003, "IEEE Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations," (See Note 13).

IEEE Standard 338-1971, "Periodic Testing of Nuclear Power Generating Station Safety Systems" (See note 1 and Section 7.3.2.2.5 for compliance).

IEEE Standard 338-1977, "IEEE Standard Criteria for the Periodic Testing of Nuclear Power Generating Station Safety Systems" (See Note 11).

IEEE Std. 338-1987, "IEEE Standard Criteria for the Periodic Testing of Nuclear Power Generating Station Safety Systems," (See Notes 8, 13, and 14).

IEEE Standard 344-1971, "Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations" (F) (For clarification of conformance to IEEE Standard 344-1975, See Section 3.10.1).

IEEE Std. 344-1987, "IEEE Recommended Practices for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations," (See Notes 8 and 14).

IEEE Std. 344-2004, IEEE Recommended Practice for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations, (See Notes 13 and 16).

IEEE Std. 352-1975, IEEE Guide for General Principles of Reliability Analysis of Nuclear Power Generating Station Protection Systems, (See Note 8).

IEEE Std. 379-1972, IEEE Trial-Use Guide for the application of the Single Failure Criterion to Nuclear Power Generating Station Protection Systems, (See Note 3).

IEEE Std. 379-1988, IEEE Standard Application of the Single Failure Criterion to Nuclear Power Generating Station Class 1E Systems, (See Note 8).

IEEE Std. 384-1981, "IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits," (See Note 8).

IEEE Std. 384-1992, IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits, (See Notes 13 and 19).

IEEE Std. 603-1980, "IEEE Standard Criteria For Safety Systems for Nuclear Power Generating Stations," (See Note 8).

IEEE Std. 603-1991, "IEEE Standard Criteria For Safety Systems for Nuclear Power Generating Stations," (See Note 13).

IEEE Std. 1012-1986, IEEE Standard for Software Verification and Validation (See Note 13).

IEEE Std. 1028-1988, IEEE Standard for Software Reviews (See Note 13).

NOTES

Note 1 Conformance to IEEE 338-1971

The periodic testing of the reactor protection systems conforms to the requirements of IEEE Standard 338-1971 with the following comments:

1. The surveillance requirements of the Technical Specifications for the protection system ensure that the system functional operability is maintained comparable to the original design standards. Periodic tests at frequent intervals demonstrate this capability for the system.

Protection systems response times from the sensor through the actuated device, as identified in the Watts Bar Technical Requirements Manual, will be verified. Technical Specifications require periodic testing on at least 18-month intervals. Each test shall include at least one logic train such that both logic trains are tested at least once per 36 months and one channel per function such that all channels are tested at least once every (N times 18) months, where N is the total number of redundant channels in a specific protection function.

The measurement of response time at the specified frequencies provides assurance that the protective and Engineered Safety Features action function associated with each channel is completed within the time limit assumed in the accident analyses.

2. The test frequencies established for the reactor protection system, evaluated in WCAP 10271 Supplement 1 and WCAP 10271-P-A Supplement 2, Westinghouse Evaluation of Surveillance Frequencies and Out of Service Times for the Reactor Protection Instrument System, are consistent with the required reliability of the reactor protection system to provide acceptable risk results.

3. The periodic test frequency discussed in Paragraph 4.3 of IEEE Standard 338 and specified in the plant Technical Specifications is conservatively selected to assure that equipment associated with protection functions has not drifted beyond its minimum performance requirements. If any protection channel appears to be marginal or requires more frequent adjustments due to plant condition changes, the test frequency is accelerated to accommodate the situation until the marginal performance is resolved.
4. The test interval discussed in Paragraph 5.2, IEEE Standard 388, is developed primarily on past operating experience and modified if necessary to assure that system and subsystem protection is reliably provided. Analytic methods for determining reliability are not used to determine test interval except for the Eagle 21 system for which a reliability study was conducted and documented in Westinghouse PCA (88)-129 Eagle 21 Process Protection System Reliability Study Rev. 1 dated June 22, 1988 (Westinghouse Proprietary Class 2).

Note 2 Conformance to Regulatory Guide 1.22

Periodic testing of the reactor trip and engineered safety features actuation systems, as described in Sections 7.2.2 and 7.3.2, complies with NRC Regulatory Guide 1.22, "Periodic Testing of Protection System Actuation Functions." There are functions which will not be tested at power because to do so would render the plant in a less safe condition. These include the following:

1. Turbine trip equipment that causes a reactor trip; the trip of the turbine from this same turbine trip equipment also is taken credit for on a safety injection or reactor trip;
2. Generation of a reactor trip by use of the manual trip switch;
3. Generation of a reactor trip by use of the manual safety injection switch;
4. Closing the main steam line stop valves;
5. Closing the feedwater control valves;
6. Closing the feedwater isolation valves;
7. Reactor coolant pump component cooling water isolation valves (close);
8. Reactor coolant pump seal water return valves (close).

The actuation logic for the functions listed will be tested as described in Sections 7.2 and 7.3.

As required by Regulatory Guide 1.22, where actuated equipment is not tested during reactor operation it has been determined that:

1. There is no practicable system design that would permit testing of the equipment without adversely affecting the safety or operability of the plant;
2. The probability that the protection system will fail to initiate the operation of the equipment is, and can be maintained, acceptably low without testing the equipment during reactor operation; and
3. The equipment will be routinely tested when the reactor is shut down as defined in the Technical Specification.

Where the ability of a system to respond to a bona fide accident signal is intentionally bypassed for the purpose of performing a test during reactor operation, each bypass condition is automatically indicated to the reactor operator in the main control room by a separate annunciator for the train in test. SSPS test circuitry does not allow trains to be tested at the same time so that extension of the bypass condition to redundant systems is prevented.

Note 3 Conformance to IEEE 379-1972 and Regulatory Guide 1.53

The principles described in IEEE Standard 379-1972 were used in the design of the Westinghouse protection system. The system complies with the intent of this standard and the additional requirements of Regulatory Guide 1.53. The formal analyses required by the standard have not been documented exactly as outlined although parts of such analyses are published in various documents (e.g., WCP-7486-L, December 1970, and WCP-7486, May 1971, W.C. Gangloff, An Evaluation of Anticipated Operational Transient in Westinghouse Pressurized Water Reactors). Westinghouse has gone beyond the required analyses and has performed a fault-tree analysis (Section 7.1, Reference [1]).

The referenced Topical Reports provide details of the analyses of the protection systems previously made to show conformance with single failure criterion set forth in Paragraph 4.2 of IEEE Standard 279-1971. The interpretation of single failure criterion provided by IEEE-379 does not indicate substantial differences with the Westinghouse interpretation of the criterion except in the methods used to confirm design reliability. Established design criteria in conjunction with sound engineering practices form the bases for the Westinghouse protection systems. The reactor trip and engineered safeguards actuation systems are each redundant safety systems. The required periodic testing of these systems will disclose any failures or loss of redundancy which could have occurred in the interval between tests, thus ensuring the availability of these systems.

Note 4 Conformance to Regulatory Guide 1.89

Watts Bar Nuclear Power Plant 1E equipment within the scope of 10 CFR 50.49 is qualified in accordance with IEEE 323-1971 or IEEE 323-1974. (See Reference [1] of Section 3.11).

Section 7.1 Reference [4] provides additional information for the Eagle 21 process protection system.

Note 5 Conformance to Regulatory Guide 1.47

Watts Bar Nuclear Plant will be in full compliance with the intent of Regulatory Guide 1.47 (BISI) Revision 0, as described in Section 7.5.2.2.

Note 6 Conformance to Regulatory Guide 1.152, Revision 0

Watts Bar Nuclear Plant process protection racks are qualified by procedures and testing to Westinghouse's interpretation of Regulatory Guide 1.152 (WCAP-13191, Watts Bar Nuclear Plant Eagle 21 Process Protection System Replacement Hardware Verification and Validation Report, April 1992). Regulatory Guide 1.152 endorses the guidance of ANSI/IEEE-ANSI 4.3.2-1982.

Note 7 Conformance to Regulatory Guide 1.45, Revision 0

Compliance to Regulatory Guide 1.45 is as identified in Section 5.2.7.3.

Note 8 Eagle 21 System Applicability

These Rules, Regulations and standards are applicable to the design of the Eagle 21 process protection system cabinets. Unless stated otherwise, the revision in effect on December 1, 1983 is applicable to the design.

Note 9 Regulatory Guide 1.153 Revision 0 Clarification

Regulatory Guide 1.153, Revision 0 endorses the guidance of IEEE Std. 603-1980.

Note 10 ANSI/IEEE-ANS-7-4.3.2-1982 Clarification

ANSI/IEEE-ANS-7-4.3.2-1982 expands and amplifies the requirements of IEEE Std. 603-1980.

Note 11 Conformance to Regulatory Guide 1.118

The design of the Eagle 21 process protection system cabinets complies with the requirements of Regulatory Guide 1.118 Revision 2 except as follows:

Position C.6(a) - Where feasible, test switches or other necessary equipment will be installed permanently to minimize the use of temporary jumpers in testing in accordance with the requirements in IEEE Standard 338-1977.

Note 12 Conformance to Regulatory Guide 1.133

Conforms except as noted below. Refer to Section 7.6.7 for a discussion of the digital metal impact monitoring system (DMIMS) which is the Watts Bar Unit 2 loose part monitoring system.

Position C.5.a. states that the sensor location should be noted in the Technical Specifications.

The Watts Bar Loose-Part Detection System Technical Specifications were relocated to the Technical Requirements Manual. The Technical Requirements Manual describes the sensor locations (TRM B 3.3.6, Loose-Part Detection System).

Positions C.3.a.(3) and C.5.c. recommend a channel calibration be performed at least once per 18 months. In lieu of this recommendation, the DMIMS is calibrated at the frequency stated in subsection TSR 3.3.6.3 of TR 3.3.6 (Loose-Part Detection System) which is the 18 month frequency defined in Reg Guide 1.133 Rev 1.

Positions C.3.a.(2) (a) and (e) state that the alert levels for startup and power operation be submitted to the Commission within 90 days (60 days for subsection (e)) following the completion of the startup test program or when there is a change to the preexisting alert levels for power operation. Watts Bar Unit 2 will report changes in the alert level alarm to the Commission when they exceed the setpoint determination criteria described in Section 7.6.7.

Note 13 Common Q Post Accident Monitoring System (PAMS) Applicability

These Rules, Regulations and standards are applicable to the design of the Common Q PAMS system cabinets.

Note 14 Containment High Range Radiation Monitor Applicability

These Rules, Regulations and standards are applicable to the design of the digital containment high range radiation monitors.

Note 15 Conformance to Regulatory Guide 1.75

Conformance to Regulatory Guide 1.75 is limited to the internal panel wiring provided by the equipment manufacturer. Regulatory Guide 1.75 was issued after the Watts Bar design was complete. Separation criteria for external cabling for WBNP are given in Sections 8.1.5.3, 8.3.1.4, 8.3.2.4, and 8.3.2.5.

Note 16 Conformance to Regulatory Guide 1.100, Revision 3 and IEEE 344-2004

The Common Q new design modules used in the PAMS and the RM-1000 radiation monitors comply with IEEE 344-2004 and with Regulatory Guide 1.100 Revision 3 with the exception of issues associated with testing above 33 Hz.

Note 17 NOT USED

Note 18 NOT USED

Note 19 Conformance to IEEE 384-1992

Conformance to IEEE 384 is limited to the internal panel wiring provided by the equipment manufacturer. Separation criteria for external cabling for WBNP are given in Sections 8.1.5.3, 8.3.1.4, 8.3.2.4, and 8.3.2.5.

Note 20 Conformance to Regulatory Guide 1.100 Revision 2 The Common Q legacy modules used in the PAMS meet the requirements of Regulatory Guide 1.100 Revision 2.

[FIGURE 7.1-1 Protection System Block Diagram (Watts Bar Nuclear Plant Final Safety Analysis Report). Blocks shown: process sensors, process protection channel racks (Channels I through IV), solid state logic protection system logic Trains A and B, master and slave relays, control board switches, UV trip and bypass, rod control system and M-G sets, with outputs to actuate safeguards Trains A and B and to the rod drive mechanisms.]

[FIGURE 7.1-2 SH 1 Control Boards Critical Wiring, Braid Installation (Watts Bar Final Safety Analysis Report, Powerhouse Units 1 & 2 wiring diagrams, TVA DWG NO. 45W1640; companion drawing 1-45W1640-1). Drawing notes: 1.0 separation requirements for control boards which contain more than one train of critical wiring; 1.1 braid installation instructions and suggestions (prior to CRDR); 1.2 routing of braid covered and non-divisional wiring assemblies (Detail D, rear view of panel); 1.3 post accident monitoring critical wiring; 1.4 braid installation instructions and suggestions for CRDR design modifications; Tables 1.1 and 1.4, control board critical wiring bill of materials.]

[FIGURE 7.1-2 SH 2 Control Boards Critical Wiring, Braid Installation (Watts Bar Final Safety Analysis Report, Control Building Unit 1 wiring diagrams, TVA DWG NO. 1-45W1640-1 R2; companion drawing 45W1640). Drawing content: Section 2, control board internal panel wiring types; Section 3, pin acceptance criteria for crimping tools (calibration lab and field inspection acceptance criteria); Table 2.1, panels with critical internal wiring; Table 2.3, replacement wire types; metal barrier, red board barrier and cable support installation details.]

[FIGURE 7.1-3 (Sheets 1 through 4) Train A and Train B Process Interlocks (Watts Bar Nuclear Plant Final Safety Analysis Report). Circuit cases shown:

1. Train A circuit with process interlock derived from non-divisional instrumentation cabinet which has a 120V AC output (similar for Train B ckts) (Sheet 1)
2. Train A circuit with process interlock derived from a non-seismic device or a panel which has interlocks in both Train A and Train B circuits (Sheet 1)
3. Train A and Train B circuit with process interlock from one common non-divisional contact (Sheet 2)
4. Train A circuit with interlock from Train B device (Sheet 3)
5. Non-divisional circuit requiring interlocks from both Train A and Train B (Sheet 4)

Legend: Train A, Associated Train A, Train B, Associated Train B, Non-divisional.]

7.2 REACTOR TRIP SYSTEM

7.2.1 Description

7.2.1.1 System Description

The reactor trip system automatically keeps the reactor operating within a safe region by shutting down the reactor whenever the limits of the region are approached. The safe operating region is defined by several considerations such as mechanical/hydraulic limitations on equipment, and heat transfer phenomena. Therefore, the reactor trip system keeps surveillance on process variables which are directly related to equipment mechanical limitations, such as pressure, pressurizer water level (to prevent water discharge through safety valves, and uncovering heaters) and also on variables which directly affect the heat transfer capability of the reactor (e.g., reactor coolant flow and temperatures). Still other parameters utilized in the reactor trip system are calculated from various process variables. In any event, whenever a direct process or calculated variable exceeds a setpoint the reactor will be shut down in order to protect against exceeding the specified fuel design limit, gross damage to fuel cladding or loss of system integrity which could lead to release of radioactive fission products into the containment.

The following systems make up the reactor trip system:

1. Process Protection and Control System [1] and [11]
2. Nuclear Instrumentation System (NIS) [2] and [15]
3. Solid State Logic Protection System [3]
4. Reactor Trip Switchgear
5. Manual Actuation Circuit

The reactor trip system consists of two to four redundant sensors and associated process protection channels, which monitor various plant variables, and two redundant logic trains, which receive input protection actuation signals from the process protection and NIS channels to complete the logical decisions necessary to automatically open the reactor trip breakers.

Each of the two trains, A and B, is capable of opening a separate and independent reactor trip breaker, RTA and RTB, respectively. The two trip breakers in series connect three phase ac power from the rod drive motor generator sets to the rod drive power cabinets, as shown on Figure 7.2-1, Sheet 1. Normally both the dc undervoltage trip coil and the shunt trip relay for each breaker are kept energized allowing power to be available at the rod control power supply cabinets. For reactor trip, a loss of dc voltage to the undervoltage coil releases the trip plunger and trips open the breaker and the shunt trip relay drops out causing the shunt trip coil to energize and also trip the breaker. When either of the trip breakers opens, power is interrupted to the rod drive power supply, and the control rods fall, by gravity, into the core. The rods cannot be withdrawn until the trip breakers are manually reset. The trip breakers cannot be reset until the abnormal condition which initiated the trip is corrected or no longer requires a reactor trip. Bypass breakers BYA and BYB are provided to permit testing of the trip breakers, as discussed in Section 7.2.2.2.

7.2.1.1.1 Functional Performance Requirements

The reactor trip system automatically initiates reactor trip:

1. Whenever necessary to prevent fuel damage for an anticipated operational transient (Condition II),
2. To limit core damage for infrequent faults (Condition III),
3. So that the energy generated in the core is compatible with the design provisions to protect the reactor coolant pressure boundary for limiting fault conditions (Condition IV).

The reactor trip system initiates a turbine trip signal whenever reactor trip is initiated to prevent the reactivity insertion that would otherwise result from excessive reactor system cooldown and to avoid unnecessary actuation of the engineered safety features actuation system.

The reactor trip system provides for manual initiation of reactor trip by operator action.

7.2.1.1.2 Reactor Trips

The various reactor trip circuits automatically open the reactor trip breakers whenever a condition monitored by the reactor trip system reaches a preset level. To ensure a reliable system, high quality design, components, manufacturing, quality control and testing are used.

In addition to redundant channels and trains, the design approach provides a reactor trip system which monitors numerous system variables, therefore providing protection system functional diversity. The extent of this diversity has been evaluated for a wide variety of postulated accidents and is detailed in References [4] and [5].

Table 7.2-1 provides a list of reactor trips which are described below. Protection system interlocks are described in Table 7.2-2. The functional logic for reactor trips is shown on Figure 7.2-1.

1. Nuclear Overpower Trips

The specific trip functions generated are as follows:

a. Power Range High Neutron Flux Trip

The power range high neutron flux trip circuit trips the reactor when two of the four power range channels exceed the trip setpoint.

There are two independent bistables, each with its own trip setting used for a high and a low range trip setting. The high trip setting provides protection during normal power operation and is always active. The low trip setting, which provides protection during startup, can be manually bypassed when two out of the four power range channels read above approximately 10% power (P-10).

Three out of the four channels below 10% automatically reinstates the trip function.

b. Intermediate Range High Neutron Flux Trip

The intermediate range high neutron flux trip circuit trips the reactor when one out of the two intermediate range channels exceeds the trip setpoint. This trip, which provides protection during reactor startup, can be manually blocked if two out of four power range channels are above P-10. Three out of the four power range channels below this value automatically reinstates the intermediate range high neutron flux trip. The intermediate range channels (including detectors) are separate from the power range channels. The intermediate range channels can be individually bypassed at the nuclear instrumentation racks to permit channel testing during plant shutdown or prior to startup. This bypass action is annunciated on the control board.

c. Source Range High Neutron Flux Trip

The source range high neutron flux trip circuit trips the reactor when one of the two source range channels exceeds the trip setpoint. This trip, which provides protection during reactor startup and plant shutdown, can be manually bypassed when one of the two intermediate range channels exceeds the P-6 setpoint value and is automatically reinstated when both intermediate range channels decrease below the P-6 setpoint value. This trip is also automatically bypassed by two out of four logic from the power range protection interlock (P-10). This trip function can also be reinstated below P-10 by a manual action requiring simultaneous manual actuation of two control board mounted switches, one in each of the two protection logic trains. The source range trip point is set between the P-6 setpoint and the maximum source range power level. The channels can be individually bypassed at the nuclear instrumentation racks to permit channel testing during plant shutdown or prior to startup. This bypass action is annunciated on the control board.

d. Power Range High Positive Neutron Flux Rate Trip

This circuit trips the reactor when a sudden abnormal increase in nuclear power occurs in two out of four power range channels. This trip provides DNB protection against rod ejection accidents of low worth from midpower and is always active.

Figure 7.2-1, Sheet 2, shows the logic for all of the nuclear overpower and rate trips.

Detailed functional descriptions of the equipment associated with these functions are given in References [2] and [15].

2. Core Thermal Overpower Trips

The specific trip functions generated are as follows:

a. Overtemperature ΔT Trip

This trip protects the core against low DNBR and trips the reactor on two out of four coincidence with one set of temperature measurements per loop. The setpoint for this trip is continuously calculated by the Eagle-21 process protection circuitry for each loop by solving the following equation:

$$\text{OT}\Delta T\ \text{Setpoint} = \Delta T_o \left\{ K_1 - K_2 \left[\frac{1 + \tau_1 s}{1 + \tau_2 s}\right] (T - T') + K_3 (P - P') - f_1(\Delta I) \right\}$$

An overtemperature ΔT reactor trip occurs when

$$\Delta T \left[\frac{1 + \tau_4 s}{1 + \tau_5 s}\right] > \text{OT}\Delta T\ \text{Setpoint}$$

where:

$\Delta T$ = Measured temperature difference between hot and cold leg, °F
$\Delta T_o$ = Indicated loop ΔT at rated thermal power (RTP), °F
$K_1$ = Reference trip setpoint
$K_2$ = Penalty or benefit multiplier for deviation from indicated Tavg, /°F
$K_3$ = Penalty or benefit multiplier for deviation from reference pressure, /psig
$\tau_1, \tau_2$ = Lead/lag time constants for Tavg compensation, seconds
$\tau_4, \tau_5$ = Lead/lag time constants for ΔT compensation, seconds
$s$ = Laplace transform operator, sec$^{-1}$
$T$ = Measured RCS average temperature (Tavg), °F
$T'$ = Indicated loop Tavg at RTP, °F
$P$ = Measured pressurizer pressure, psig
$P'$ = Nominal RCS operating pressure, psig
$f_1(\Delta I)$ = Power shaped penalty - function of the indicated difference between the top and bottom detectors of the power range neutron ion chambers.

Values of these parameters are provided in the Technical Specification or are controlled by plant procedures (i.e., loop specific values of $\Delta T_o$ and $T'$ determined at the beginning of each fuel cycle are controlled by plant procedures).

Note: Additional information on associated tau values ($\tau_6$ and $\tau_7$) is provided in Section 7.2.1.1.4.

A separate long ion chamber unit supplies the flux signals for each overtemperature ΔT trip channel.

Increases in ΔI beyond a predefined deadband result in a decrease in trip setpoint.

Refer to Figure 7.2-2.

The required one pressurizer pressure parameter per loop is obtained from separate sensors connected to three pressure taps at the top of the pressurizer. Four pressurizer pressure signals are obtained from the three taps by connecting one of the taps to two pressure transmitters. Refer to Section 7.1.2.2 for a discussion of independence of redundant sense lines.

The logic for this function is shown on Figure 7.2-1, Sheet 3. A detailed functional description of the process equipment associated with this function is contained in Reference [11].

b. Overpower ΔT Trip

This trip protects against excessive power (fuel rod rating protection) and trips the reactor on two out of four coincidence with one set of temperature measurements per loop. The setpoint for each channel is continuously calculated by the process protection circuitry using the following equation:

$$\text{OP}\Delta T\ \text{Setpoint} = \Delta T_o \left\{ K_4 - K_5 \left[\frac{\tau_3 s}{1 + \tau_3 s}\right] T - K_6 (T - T'') - f_2(\Delta I) \right\}$$

An overpower ΔT reactor trip occurs when:

$$\Delta T \left[\frac{1 + \tau_4 s}{1 + \tau_5 s}\right] > \text{OP}\Delta T\ \text{Setpoint}$$

where: $\Delta T$, $\Delta T_o$, $T$, $\tau_4$, $\tau_5$, $s$ are defined in Section 7.2.1.1.2(2)(a) Overtemperature ΔT Trip and

$K_4$ = Reference Trip setpoint
$K_5$ = Penalty multiplier for rate of change in Tavg, /°F
$K_6$ = Penalty or benefit multiplier for deviation from reference Tavg, /°F
$\tau_3$ = Lag time constant for Tavg compensation, seconds
$T''$ = Indicated loop Tavg at RTP, °F
$f_2(\Delta I)$ = Power shape penalty function, typically set to 0 for all ΔI

Values of these parameters are provided in the Technical Specifications or are controlled by plant procedures (i.e., loop specific values of $\Delta T_o$ and $T'$ determined at the beginning of each fuel cycle are controlled by plant procedures).

Note: Additional information on associated tau values ($\tau_6$ and $\tau_7$) is provided in Section 7.2.1.1.4.

The source of temperature and flux information is identical to that of the overtemperature ΔT trip and the resultant overpower ΔT setpoint is compared to the same ΔT. The trip logic for this function is shown on Figure 7.2-1, Sheet 3.

A detailed functional description of the process equipment associated with this function is contained in Reference [11].

3. Reactor Coolant System Pressurizer Pressure and Water Level Trips

The specific trip functions generated are as follows:

a. Pressurizer Low Pressure Trip

The purpose of this trip is to protect against low pressure which could lead to DNB. The parameter being sensed is reactor coolant pressure as measured in the pressurizer. Above P-7 the reactor is tripped when two out of four pressurizer pressure measurements (compensated for rate of change) fall below preset limits. This trip is blocked below P-7 to permit startup. The trip logic and interlocks are given in Table 7.2-1.

The trip logic is shown on Figure 7.2-1, Sheet 2. A detailed functional description of the process equipment associated with the function is contained in References [5] and [11].

b. Pressurizer High Pressure Trip

The purpose of this trip is to protect the reactor coolant system against system overpressure. The same sensors and transmitters used for the pressurizer low pressure trip are used for the high pressure trip except that separate comparators are used for trip. These comparators trip the reactor when two out of four uncompensated pressurizer pressure signals exceed preset limits as listed in Table 7.2-1. There are no interlocks or permissives associated with this trip function.

The logic for this trip is shown on Figure 7.2-1, Sheet 2. The detailed functional description of the process equipment associated with this trip is provided in References [5] and [11].

c. Pressurizer High Water Level Trip

This trip is provided as a backup to the high pressurizer pressure trip and serves to prevent water relief through the pressurizer safety valves. Above P-7, the reactor is tripped when two out of three pressurizer water level measurements exceed preset limits. This trip is blocked below P-7 to permit startup. The coincidence logic and interlocks of pressurizer high water level signals are given in Table 7.2-1.

The trip logic for this function is shown on Figure 7.2-1, Sheet 2. A detailed description of the process equipment associated with this function is contained in References [5] and [11].

4. Reactor Coolant System Low Flow Trips

These trips protect the core from DNB in the event of a loss of coolant flow situation.

The means of sensing the loss of coolant flow are as follows:

a. Low Reactor Coolant Flow Trip

Reactor coolant flow measurements are derived from elbow taps in each coolant loop. The basic function of these devices is to provide information as to whether or not a reduction in flow has occurred. An output signal from two out of the three comparators in a loop would indicate a low flow in that loop. Above P-8, low flow in one loop will trip the reactor. Between P-7 and P-8, low flow in two out of four loops will result in a reactor trip. This trip is blocked below P-7 to permit startup.

The coincidence logic and interlocks are given in Table 7.2-1. The logic for this trip is shown on Figure 7.2-1, Sheet 3. A detailed functional description of the process equipment associated with the trip function is contained in References [5] and [11].

b. Reactor Coolant Pump Undervoltage Trip

This trip is required in order to protect against low flow which can result from loss of voltage to more than one reactor coolant pump motor (e.g., from plant loss of voltage or reactor coolant pump breakers opening). This trip is blocked below P-7 to permit startup.

There is one undervoltage sensing relay for each pump motor connected at the load side of each reactor coolant pump breaker. These relays provide an output signal when the pump voltage goes below setpoint. Signals from these relays are time delayed to prevent spurious trips caused by short term voltage perturbations. The coincidence logic and interlocks are given in Table 7.2-1.

The trip logic is shown on Figure 7.2-1, Sheet 3.

c. Reactor Coolant Pump Underfrequency Trip

This trip provides protection against low reactor coolant flow resulting from bus underfrequency (e.g., power grid frequency transients). Above the P-7 interlock setpoint, an underfrequency condition on two out of four reactor coolant pump (RCP) motors will trip the reactor and open all of the RCP circuit breakers.

There is one underfrequency sensing relay connected to the load side of each RCP breaker. The signals from these relays are time delayed to prevent spurious trips caused by short-term frequency perturbations. The coincidence logic and interlocks are given in Table 7.2-1. The trip logic is shown on Figure 7.2-1, Sheet 3.

Westinghouse analysis of loss of flow accidents caused by power system frequency transients [Reference 6] has shown that the reactor is adequately protected by the underfrequency reactor trip for frequency decay rates of less than 6.8 Hz/sec without taking credit for the RCP breaker trip. A grid analysis of the TVA power system determined the maximum system frequency decay rate to be less than 5 Hz/sec. Consequently, no credit is taken for underfrequency trip.

5. Low-Low Steam Generator Water Level Trip (including Trip Time Delay)

This trip protects the reactor from loss of heat sink in the event of a loss of feedwater to one or more steam generators or a major feedwater line rupture outside containment.

This trip is actuated on two out of three low-low water level signals occurring in any steam generator. If a low-low water level condition is detected in one steam generator, signals are generated to trip the reactor and start the motor-driven auxiliary feedwater pumps. If a low-low water level condition is detected in two or more steam generators, a signal is generated to start the turbine-driven auxiliary feedwater pump as well.

The signals to actuate the reactor trip and start auxiliary feedwater pumps are delayed through the use of a Trip Time Delay (TTD) system for reactor power levels below 50% of RTP. Low-Low water level in any steam generator will generate a signal which starts an elapsed time trip delay timer. The allowable trip time delay is based upon the prevailing power level at the time the low-low level trip setpoint is reached and the number of steam generators that are affected. If power level rises after the trip time delay setpoints have been determined, the trip time delay is re-determined (i.e., decreased) according to the increase in power level.

At this point the timer will continue timing from the original timer initiation. However, the trip time delay setpoints are not increased if the power level decreases after the TTD timer has started. The use of this delay allows added time for natural steam generator level stabilization or operator intervention to avoid an undesirable inadvertent protection system actuation.

There are no interlocks or permissives associated with this trip function. The logic for this protective function is shown on Figure 7.2-1, Sheet 4. A detailed functional description of the process equipment associated with this function is contained in References [11] and [14].

6. Reactor Trip on a Turbine Trip

The reactor trip on a turbine trip is actuated by two out of three logic from emergency trip header pressure signals or by closed signals from all four turbine steam stop valves. A turbine trip causes a direct reactor trip above P-9.

The reactor trip on turbine trip provides additional protection and conservatism beyond that required for the health and safety of the public. This trip is included as part of good engineering practice and prudent design. No credit is taken in any of the accident analyses (Chapter 15) for this trip.

Channel separation is maintained from the sensors to the reactor protection system logic input cabinets for both the low autostop oil pressure signals and the steam stop valves closed signals. This design meets the redundancy and separation requirements identical to those for Class 1E circuits. Mounting and location is in non-seismic Category I structures.

The turbine provides anticipatory trips to the reactor protection system from contacts which change position when the turbine stop valves close or when the emergency trip header pressure goes below its setpoint.

One of the design bases considered in the protection system is the possibility of an earthquake. With respect to these contacts, their functioning is unrelated to a seismic event in that they are anticipatory to other diverse parameters which cause reactor trip.

The contacts are closed during plant operation and open to cause reactor trip when the turbine is tripped. No power is provided to the protection system from the contacts; they merely serve to interrupt power to cause reactor trip.

This design functions in a de-energize-to-trip fashion to cause a reactor trip if power is interrupted in the trip circuitry. This ensures that the protection system will in no way be degraded by this anticipatory trip because seismic design considerations do not form part of the design bases for anticipatory trip sensors. (The reactor protection system cabinets which receive the inputs from the anticipatory trip sensors are seismically qualified as discussed in Section 3.10.) The anticipatory trips thus meet the intent of IEEE-279-1971, including redundancy, separation, single failure, etc. Seismic qualification of the contacts sensors is not required.

The logic for this trip is shown on Figure 7.2-1, Sheet 3.

7. Safety Injection Signal Actuation Trip

A reactor trip occurs when the Safety Injection System is actuated. The means of actuating the Safety Injection System are described in Section 7.3. This trip protects the core against a loss of reactor coolant or heat sink.

Figure 7.3-3, Sheet 3, shows the logic for this trip. A detailed functional description of the process equipment associated with this trip function is provided in References [5] and [11].

8. Manual Trip

The manual trip consists of two switches with two outputs on each switch. One output is used to actuate the train A reactor trip breaker, the other output actuates the train B reactor trip breaker. Operating a manual trip switch removes the voltage from the undervoltage trip coil and energizes the shunt trip coil.

There are no interlocks which can block this trip. Figure 7.2-1, Sheet 2, shows the manual trip logic.

7.2.1.1.3 Reactor Trip System Interlocks

1. Power Escalation Permissives

The overpower protection provided by the excore nuclear instrumentation consists of three overlapping ranges. Continuation of startup operation or power increase requires a permissive signal from the higher range instrumentation channels before the lower range level trips can be manually blocked by the operator.

A one of two intermediate range permissive signal (P-6) is required prior to source range trip blocking. Source range level trips are automatically reactivated when both intermediate range channels are below the permissive (P-6) level. There are two manual reset switches for administratively reactivating the source range trip when between permissive P-6 and P-10 if required. Source range trip block is always maintained when above permissive P-10.

The intermediate range trip and power range (low setpoint) trip can only be blocked after satisfactory operation and permissive information are obtained from two of four power range channels. Four individual blocking switches are provided so that the low range power range trip and intermediate range trip can be independently blocked (one switch for each train). These trips are automatically reactivated when any three of the four power range channels are below permissive P-10, thus ensuring automatic activation to more restrictive trip protection.

The development of permissives P-6 and P-10 is shown on Figure 7.2-1, Sheet 2.

These permissives are derived from analog signals in the nuclear power range and intermediate range channels.

See Table 7.2-2 for the list of protection system interlocks.

2. Blocks of Reactor Trips at Low Power

Interlock P-7 blocks a reactor trip below approximately 10% of full power on a low reactor coolant flow in more than one loop, reactor coolant pump undervoltage, reactor coolant pump underfrequency, pressurizer low pressure, or pressurizer high water level.

The low power block signal is derived from three out of four power range neutron flux signals below the setpoint in coincidence with two out of two turbine impulse pressure signals below the setpoint (low plant load). See Figure 7.2-1, Sheets 2 and 3, for the derivation and application of P-7.

The P-8 interlock blocks a reactor trip when the plant is below approximately 48% of full power, on a low reactor coolant flow in any one loop. The block action (absence of the P-8 interlock signal) occurs when three out of four neutron flux power range signals are below the setpoint. Thus, below the P-8 setpoint, the reactor trip will not occur until two loops are indicating low flow. See Figure 7.2-1, Sheet 3, for derivation of P-8 and applicable logic.

The P-9 interlock blocks a reactor trip on a turbine trip when the plant is below approximately 50% of full power. The block action (absence of the P-9 interlock signal) occurs when three out of four neutron flux power range signals are below the setpoint.

Thus, below the P-9 setpoint, the reactor will not trip directly from a turbine-tripped signal but will allow the reactor control system, utilizing steam dump to the condenser as an artificial load, to bring the reactor to zero power. See Figure 7.2-1, Sheet 2, for derivation of P-9, and Sheet 3 for logic applications.

See Table 7.2-2 for the list of protection system blocks.
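The P-7 and P-8 blocks described above, combined with the two-out-of-three comparator logic of the low reactor coolant flow trip, are worked through in the following added Python example (an illustration written for this text, not code from the FSAR or the protection system). Function names are hypothetical, the setpoints are the approximate percentages quoted in the text, and the turbine impulse pressure inputs are taken as already-compared booleans because their setpoint is not given here.

```python
# Added illustration: low reactor coolant flow trip with P-7 / P-8 interlocks.
# All names are hypothetical; setpoints are the approximate values in the text.

P7_SETPOINT = 10.0  # % of full power ("approximately 10%")
P8_SETPOINT = 48.0  # % of full power ("approximately 48%")


def coincidence(signals, required):
    """True when at least `required` of the channel signals are asserted."""
    return sum(1 for s in signals if s) >= required


def p7_block_active(power_range, impulse_pressure_low):
    """Low power block: 3/4 power range channels below the setpoint in
    coincidence with 2/2 turbine impulse pressure signals below setpoint."""
    flux_low = coincidence([p < P7_SETPOINT for p in power_range], 3)
    load_low = coincidence(impulse_pressure_low, 2)
    return flux_low and load_low


def p8_block_active(power_range):
    """Single-loop block: 3/4 power range channels below the P-8 setpoint."""
    return coincidence([p < P8_SETPOINT for p in power_range], 3)


def low_flow_trip(power_range, impulse_pressure_low, loop_comparators):
    """Return (trip, basis) for the low reactor coolant flow trip.

    power_range          -- four power range readings, % of full power
    impulse_pressure_low -- two booleans, True when below setpoint
    loop_comparators     -- four loops, each three low-flow comparator outputs
    """
    if len(power_range) != 4 or len(impulse_pressure_low) != 2:
        raise ValueError("expected 4 power range and 2 impulse pressure channels")
    if len(loop_comparators) != 4 or any(len(c) != 3 for c in loop_comparators):
        raise ValueError("expected 4 loops with 3 flow comparators each")

    # A loop indicates low flow on two out of its three comparators.
    loops_low = sum(1 for c in loop_comparators if coincidence(c, 2))

    if p7_block_active(power_range, impulse_pressure_low):
        return False, "blocked below P-7"
    if p8_block_active(power_range):
        return loops_low >= 2, "below P-8: low flow in 2/4 loops required"
    return loops_low >= 1, "above P-8: low flow in one loop trips"


if __name__ == "__main__":
    OK = (False, False, False)
    LOW = (True, True, False)
    # Constructed cases: two power range channels reading high removes both
    # blocks, so a single low-flow loop trips even with the plant at low load.
    cases = [
        ([100.0] * 4, [False, False], [LOW, OK, OK, OK]),
        ([30.0] * 4, [False, False], [LOW, OK, OK, OK]),
        ([5.0] * 4, [True, True], [LOW, LOW, LOW, LOW]),
        ([5.0, 5.0, 100.0, 100.0], [True, True], [LOW, OK, OK, OK]),
    ]
    for power, impulse, loops in cases:
        print(power, impulse, low_flow_trip(power, impulse, loops))
```

The last constructed case shows the conservative direction of the three-out-of-four block logic: a block is only applied when three channels agree that power is low, so disagreement among channels leaves the trip enabled.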

7.2.1.1.4 Reactor Coolant Temperature Sensor Arrangement and Calculational Methodology

The individual narrow range cold and hot leg temperature signals required for input to the reactor trip circuits and interlocks are obtained using RTDs installed in each reactor coolant loop.

The cold leg temperature measurement on each loop is accomplished with two narrow range RTDs mounted in thermowells. The cold leg sensors are inherently redundant in that either sensor can adequately represent the cold leg temperature measurement.

The hot leg temperature measurement on each loop is accomplished with three narrow range RTDs mounted in thermowells spaced 120 degrees apart around the circumference of the reactor coolant pipe for spatial variations.

These cold and hot leg narrow range RTD signals are input to the process protection system digital electronics and are processed as follows:

The two cold leg temperature signals are subjected to range and consistency checks and then averaged to provide a group value for Tcold.

A consistency check is performed on the Tcold input signals. If these signals agree within an acceptance interval (DELTAC), the group quality is set to GOOD. If the signals do not agree within the acceptance tolerance DELTAC, the group quality is set to BAD and the individual signal qualities are set to POOR. The average of the two signals is used to represent the group in either case. If an input signal is manually disabled or subject to a diagnosed hardware failure, the group is represented by the active signal. DELTAC is a fixed input parameter based on operating experience. One DELTAC value is required for each loop/protection set.

The following parameters are used in conjunction with the Overtemperature ΔT and Overpower ΔT reactor trips:

$T_c$ = narrow range Tcold input signal
$T_c^f$ = Filtered Tcold signal; $T_c^f = T_c \left(1/(1 + \tau_7 s)\right)$
$\tau_7$ = Time constant utilized in the lag compensator for Tcold. Typically set to 0.0 sec.
$T_{c\,ave}^f$ = Group average of the valid input signals
$s$ is defined in Section 7.2.1.1.2

Each of the three hot leg temperature signals is subjected to a range check, and utilized to calculate an estimated average hot leg temperature which is consistency checked against the other two estimates for average hot leg temperature.

Then an average of the three estimated hot leg temperatures is computed and the individual signals are checked to determine if they agree within +DELTAH of the average value. If all of the signals do agree within +DELTAH of the average value, the group quality is set to GOOD.

The group value is set to the average of the three estimated average hot leg temperatures.

If the signal values do not all agree within +DELTAH of the average, the algorithm will delete the signal value which is furthest from the average. The quality of this signal will be set to POOR and a consistency check will then be performed on the remaining GOOD signals. If these signals pass the consistency check, the group value will be taken as the average of these GOOD signals and the group quality will be set to POOR. However, if these signals again fail the consistency check (within +DELTAH), then the group value will be set to the average of these two signals; but the group quality will be set to BAD. All of the individual signals will have their quality set to POOR. If one or two input signals is manually disabled or subject to a diagnosed hardware failure, the group value is based on the unaffected signal(s). DELTAH is a fixed input parameter based on temperature distribution tests with the hot leg and operating experience. One DELTAH value is required for each loop/protection set.
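The Tcold and Thot group consistency checks described above are worked through in the following added Python example (written for this text, not taken from the Eagle-21 software or the FSAR). Function names and the sample temperatures and tolerances are constructed; `None` stands for an input that is manually disabled or has a diagnosed hardware failure, the quality reported in that case is not stated on the page and is returned as the placeholder `UNSPECIFIED`, and the second-pass check on two remaining hot leg signals is assumed to use the same "within DELTAH of the average" test.

```python
# Added illustration of the narrow range RTD group quality logic.
from statistics import mean

GOOD, POOR, BAD = "GOOD", "POOR", "BAD"
UNSPECIFIED = "UNSPECIFIED"  # placeholder: quality not stated in the text


def consistent(values, delta):
    """True when every value is within `delta` of the average of `values`."""
    avg = mean(values)
    return all(abs(v - avg) <= delta for v in values)


def tcold_group(signals, deltac):
    """Two Tcold inputs -> (group value, group quality, per-signal quality)."""
    if len(signals) != 2:
        raise ValueError("expected two Tcold inputs")
    active = [s for s in signals if s is not None]
    if not active:
        raise ValueError("no active Tcold input")
    if len(active) == 1:
        # The group is represented by the active signal.
        quality = [UNSPECIFIED if s is not None else None for s in signals]
        return active[0], UNSPECIFIED, quality
    # The average represents the group whether or not the signals agree.
    if abs(signals[0] - signals[1]) <= deltac:
        return mean(signals), GOOD, [GOOD, GOOD]
    return mean(signals), BAD, [POOR, POOR]


def thot_group(estimates, deltah):
    """Three estimated average hot leg temperatures ->
    (group value, group quality, per-signal quality)."""
    if len(estimates) != 3:
        raise ValueError("expected three Thot estimates")
    idx = [i for i, v in enumerate(estimates) if v is not None]
    if not idx:
        raise ValueError("no active Thot input")
    if len(idx) < 3:
        # Group value is based on the unaffected signal(s).
        quality = [UNSPECIFIED if v is not None else None for v in estimates]
        return mean(estimates[i] for i in idx), UNSPECIFIED, quality

    if consistent(estimates, deltah):
        return mean(estimates), GOOD, [GOOD, GOOD, GOOD]

    # Delete the signal furthest from the three-signal average.
    avg = mean(estimates)
    worst = max(idx, key=lambda i: abs(estimates[i] - avg))
    remaining = [estimates[i] for i in idx if i != worst]
    value = mean(remaining)

    if consistent(remaining, deltah):
        quality = [GOOD, GOOD, GOOD]
        quality[worst] = POOR
        return value, POOR, quality
    # Second failure: still the average of the two, but the group is BAD.
    return value, BAD, [POOR, POOR, POOR]


def delta_t_and_tavg(th_group_value, tc_group_value):
    """Loop delta-T and Tavg from the hot and cold leg group values."""
    return (th_group_value - tc_group_value,
            (th_group_value + tc_group_value) / 2.0)


if __name__ == "__main__":
    # Constructed readings in deg F; DELTAH = 1.5 and DELTAC = 1.0 are
    # sample tolerances, not plant values.
    for est in ([617.0, 618.0, 619.0], [617.0, 618.0, 630.0],
                [610.0, 618.0, 630.0], [617.0, None, 619.0]):
        print(est, thot_group(est, 1.5))
    print(tcold_group([557.0, 557.5], 1.0))
    print(delta_t_and_tavg(618.0, 557.25))
```

The second and third constructed cases differ only in how far the two surviving signals sit from each other: both discard the outlier, but the group is reported POOR in one case and BAD in the other even though a group value is still produced.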

The following parameters are used in conjunction with the Overtemperature ΔT and Overpower ΔT reactor trips:

$T_h$ = narrow range Thot input signal
$T_h^f$ = Filtered Thot signal; $T_h^f = T_h \left(1/(1 + \tau_6 s)\right)$

where:

$\tau_6$ = Time constant utilized in the lag compensator for Thot. Typically set to 0.0 sec
$T_{h\,ave}^f$ = Group average of the valid Thot input signals

The estimated average hot leg temperature is derived from each Thot input signal as follows:

$$T_h = T_h^f - P_B S^\circ$$

Where:

$P_B$ = power fraction being used to correct the bias value being used for any power level

$$P_B = \frac{T_{h\,ave}^f - T_{c\,ave}^f}{\Delta T_o}$$

$\Delta T_o$ = the indicated loop ΔT at rated thermal power.

$S^\circ$ = manually input bias which corrects the individual Thot RTD value to the loop average.

ΔT and Tavg are calculated as follows:

$$\Delta T = T_{h\,ave}^f - T_{c\,ave}^f$$

$$T_{avg} = \frac{T_{h\,ave}^f + T_{c\,ave}^f}{2.0}$$

The calculated values for ΔT and Tavg are then utilized for both the remainder of the Overtemperature and Overpower ΔT protection channels and channel outputs used for control purposes.

The accuracy of the narrow range RTD loop temperature measurements is demonstrated during plant startup tests and periodically with surveillance tests. Testing compares temperature measurements from the narrow range RTDs with one another as well as with the temperature measurements obtained from the wide range RTDs located in the hot leg and cold leg piping of each loop. The comparisons are done with the reactor coolant system in an isothermal condition. The narrow range RTD signals are also compared with the core exit thermocouple signals during plant startup tests.

During plant startup tests, ΔT measurements obtained from the hot leg and cold leg narrow range loop RTDs are compared to plant power, and, if required, normalized to plant power.

The absolute value of ΔT versus plant power is not important, per se, as far as reactor protection is concerned. Reactor trip system setpoints are based upon percentages of the indicated ΔT at nominal full power rather than on absolute values of ΔT. This is done to account for loop differences which are inherent. Therefore, the percent ΔT scheme is relative, not absolute, and thus provides better protective action without sacrificing accuracy.

7.2.1.1.5 Pressurizer Water Level Reference Leg Arrangement

The pressurizer water level instrumentation consists of three independent, redundant instrument channels which provide reactor trip and control functions. The associated high and low pressure sense lines for each level channel connect to the upper (vapor-filled) and lower (liquid-filled) regions of the pressurizer, respectively, and satisfy the independence requirements specified in Section 7.1.2.2. The high pressure sense line is called a reference leg because the line must be liquid filled and the fill elevation must be maintained at a known point which is the pressurizer process connection. The main portion of the reference leg consists of a remote-seal/capillary system (integral to the level transmitter) which provides a mechanical seal (bellows) between the process fluid and the capillary line fill-fluid. The location of the remote seal is required to be 12-inches or less (measured vertically) below the process connection. The sense line downstream of the root valve is un-insulated to ensure the line remains filled with condensate. This remote seal location requirement minimizes the potential adverse effects of a loss of condensate between the process connection and the remote seal due to a sudden RCS depressurization event. During reactor operation, the condensate could contain a high concentration of dissolved hydrogen gas. Upon a rapid RCS depressurization event, the resulting dissolution of the hydrogen gas would force the condensate from the line segment between the remote seal and the process connection. The sense line routing, without the use of a condensing chamber, will minimize the potential for hydrogen buildup. This remote seal location requirement limits the maximum head pressure loss error for this event to approximately 12-inches.

Pressurizer level channel maintenance features include transmitter/remote seal isolation and equalization capability without affecting other redundant channels.

7.2.1.1.6 Process Protection System

The process protection instrumentation system is described in References [1] and [11]. The nuclear instrument system is described in References [2] and [15]. Reference [2] is applicable to the power range only.

7.2.1.1.7 Solid State Logic Protection System

The solid state logic protection system takes binary inputs from the process protection and nuclear instrument channels and other plant equipment corresponding to conditions (normal/abnormal) of plant parameters. The system combines these signals in the required logic combination and generates a trip signal (no voltage) to the undervoltage coils and the shunt trip relays (which energize the shunt trip coils) of the reactor trip circuit breakers when the necessary combination of signals occurs. The system also provides annunciator, status light and computer input signals which indicate the condition of partial trip and full trip functions and the status of the various blocking, permissive (See Section 10.4.4.3 for exception on P-12) and actuation functions. In addition, the system includes means for semi-automatic testing of the logic circuits. A detailed description of this system is given in Reference [3].

7.2.1.1.8 Isolation Devices

In certain applications, control signals and other non-protective functions are derived from individual protection channels through isolation devices contained in the protection channel, as permitted by IEEE Standard 279-1971. The isolation devices are part of the protection system and are located in the process protection racks. By definition, non-protective functions include those signals used for control, remote process indication, and computer monitoring.

Isolation device qualification type tests are described in References [7], [8], and [11].

7.2.1.1.9 Energy Supply and Environmental Variations

The energy supply for the reactor trip system is described in Chapter 8. The environmental variations, throughout which the system will perform, are given in Section 3.11 and Chapter 8.

As documented in Reference [7], testing was performed on the Eagle 21 Process Protection System to demonstrate that the Eagle 21 system remained operational before, during and after applied noise, fault, surge withstand, electro-magnetic interference (EMI) and Radio Frequency Interference (RFI) operating conditions. Objectives accomplished by the test demonstrated that the physical independence of the non-class 1E and Class 1E circuitry was maintained and that the system was designed to withstand worst-case noise environment conditions.

7.2.1.1.10 Setpoints

For Unit 1, the setpoints that require trip action are given in the Technical Specifications. For Unit 2, the setpoints that require trip action are given in the Technical Specifications. The methodology used to derive the setpoints is described in References [13], [16] and [18]. See Section 7.1.2.1.9 for additional discussion.

7.2.1.1.11 Seismic Design

The seismic design considerations for the reactor trip system are given in Section 3.10. This design meets the requirements of Criterion 2 of the 1971 General Design Criteria (GDC).

7.2.1.2 Design Bases Information

The information given below presents the design bases information requested by Section 3 of IEEE Standard 279-1971, Reference [9]. The reactor trip logic is presented in Figure 7.2-1, Sheets 1 through 4.

7.2.1.2.1 Generating Station Conditions

The following are the generating station conditions requiring reactor trip.

1. DNBR approaching the limiting value.
2. Power density (kilowatts per foot) approaching rated value for Condition II events (See Chapter 4 for fuel design limits).
3. Reactor coolant system overpressure creating stresses approaching the limits specified in Chapter 5.

7.2.1.2.2 Generating Station Variables

The following are the variables required to be monitored in order to provide reactor trips (see Table 7.2-1).

1. Neutron flux
2. Reactor coolant temperature
3. Reactor coolant system pressure (pressurizer pressure)
4. Pressurizer water level
5. Reactor coolant flow
6. Reactor coolant pump bus voltage and frequency
7. Steam generator water level
8. Turbine-generator operational status (emergency trip header pressure and stop valve position)

7.2.1.2.3 Spatially Dependent Variables

Reactor coolant temperature is a spatially dependent variable. See Section 7.3.1.2.3 for a discussion.

7.2.1.2.4 Limits, Margins and Levels

The parameter values that will require reactor trip are given in the Technical Specifications.

Chapter 15 demonstrates that the setpoints used in the Technical Specifications are conservative.

The setpoints for the various functions in the reactor trip system have been analytically determined such that the operational limits so prescribed will prevent fuel rod clad damage and loss of integrity of the reactor coolant system as a result of any ANS Condition II incident. As such, during any ANS Condition II incident, the reactor trip system limits the following parameters to:

1. Minimum DNBR - limiting value.
2. Maximum system pressure = 2750 psia
3. Fuel rod maximum linear power - maximum rated power

The accident analyses described in Section 15.2 demonstrate that the functional requirements as specified for the reactor trip system are adequate to meet the above considerations, even assuming, for conservatism, adverse combinations of instrument errors (Refer to Table 15.1-3).

A discussion of the safety limits associated with the reactor core and reactor coolant system, plus the limiting safety system setpoints, is presented in the Technical Specifications. The Technical Specifications incorporate both nominal and limiting setpoints. Nominal settings of the setpoints are more conservative than the limiting settings. This allows for calibration uncertainty and instrument channel drift without violating the limiting setpoint. Automatic initiation of protective functions occurs at the nominal setpoints (plus or minus the allowed tolerances). The methodology used to derive the setpoints is documented in References [13], [16 - U2], [17 - U1], [18 - U2]. A further discussion on trip setpoints is given in Section 7.2.2.1.1.

7.2.1.2.5 Abnormal Events

The malfunctions, accidents or other unusual events which could physically damage reactor trip system components or could cause environmental changes are as follows:

1. Earthquakes (see Sections 2.5 and 3.7).
2. Fire (see Section 9.5).
3. Explosion (hydrogen buildup inside containment) (see Section 6.2).
4. Missiles (see Section 3.5).
5. Flood (see Sections 2.4 and 3.4).
6. Wind and Tornadoes (see Section 3.3).

The reactor trip system fulfills the requirements of IEEE Standard 279-1971 to provide automatic protection and to provide initiating signals to mitigate the consequences of faulted conditions. The reactor trip system provides protection against destruction of the system from fires, explosions, floods, wind, and tornadoes (see each item above). The discussions in Section 7.1.2.1.7 and this section adequately address or reference the Safety Analysis Report coverage of the effects of abnormal events on the reactor trip system in conformance with applicable General Design Criteria.

7.2.1.2.6 Minimum Performance Requirements

1. Reactor Trip System Response Time

Reactor trip system response time is defined in Section 7.1. The maximum allowable time delays in generating the reactor trip signal are provided in the Technical Requirements Manual. These values are verified in accordance with the Technical Specifications and are consistent with the safety analyses. See Table 7.1-1 Note 1 for a discussion of periodic response time verification capabilities.

2. Reactor Trip Accuracies

Accuracy is defined in Section 7.1. Reactor trip accuracies are given in References [13], [17 - U1], and [18 - U2].

3. Protection System Ranges

Typical Protection System ranges are tabulated in Table 7.2-3.

7.2.1.3 Final Systems Drawings

Functional logic diagrams, electrical schematics and other drawings documenting the protection system design are listed in Table 1.7-1.

7.2.2 Analyses

A reliability study for the reactor trip and engineered safety features function of the Eagle 21 process protection system hardware was performed to compare the availability of the Eagle 21 digital system with the previous implementation of the same function using analog hardware.

Availability is defined as the probability that a system will perform its intended function (e.g., actuate a partial trip) at a randomly selected instant in time.

Results of the availability study determined that the availability of the Eagle 21 digital system is commensurate with that of an equivalent analog process protection system, although no credit was given to the Eagle 21 process protection features of automatic surveillance testing, self-calibration and self-diagnostics when the study was performed. It is expected that if credit were given to the Eagle 21 self-diagnostic features, automatic surveillance testing and self-calibration capabilities, system availability would be improved. Therefore, the impact on the system operation due to channel drift being corrected by the Eagle 21 self-calibration feature and the impact on system downtime because of the automatic surveillance/self-diagnostic features are minimized.

Additionally, with the MMI test unit provided with the Eagle 21 system, the amount of technician and engineering time required for maintenance and troubleshooting is minimized. Thus, large quantities of engineering time required for the review of the periodic functional tests, prior to restoring the channel to an operable condition, are eliminated because of the user-friendly printout provided from the MMI. In total, interface with the Eagle 21 process protection system is reduced, resulting in a decreased potential for technician induced error which results in improved system reliability and availability.

In the Eagle 21 process protection system design, there are failure modes which could result in the failure of an entire protection rack. During these conditions, the rack will fail to the preferred failure mode (tripped/not tripped condition) providing maximum protection for the plant. The failure of a single rack is considered to be bounded by the loss of an entire protection set, which is the existing licensing basis. This failure has been shown not to adversely impact plant safety due to the existence of redundancy, functional diversity and defense-in-depth design measures employed in the design of the process protection system. Use of these design measures ensures that in the event of a single failure, the remaining protection system channels would be available for plant protection if required. Additional discussion of the defense-in-depth, redundancy and functional diversity design measures used in the design of the Eagle 21 process protection system can be found in References [5] and [14].

A failure mode and effects analysis (FMEA) of the logic portion of the reactor trip system was performed. The basis of the FMEA is that the reactor protection system is designed to sense abnormal plant conditions and to initiate action necessary to assure that acceptable fuel design limits are not exceeded for anticipated operational occurrences. Results of this study and a fault tree analysis are presented in Reference [4]. The results of the study show that the probability of protection system failure in anticipated transients is sufficiently low that no provision need be made in plant design to accommodate such hypothetical failure.

7.2.2.1 Evaluation of Design Limits

While most setpoints used in the reactor protection system are fixed, there are variable setpoints, most notably the overtemperature ΔT and overpower ΔT. All setpoints in the reactor trip system have been selected on the basis of engineering design or safety studies. The capability of the reactor trip system to prevent loss of integrity of the fuel cladding and/or reactor coolant system pressure boundary during Condition II and III transients is demonstrated in Chapter 15. These accident analyses are carried out using those setpoints determined from results of the engineering design studies. Setpoint limits are presented in the Technical Specifications. A discussion of the intent for each of the various reactor trips and the accident analyses (where appropriate) which utilize this trip is presented in Section 7.2.1.1.2, and in Table 7.2-4. The selection of trip setpoints provides for margin before protection action is actually required to allow for uncertainties and instrument errors [13], [16 - U2], [17 - U1], [18 - U2]. The design meets the requirements of Criteria 10, 15, 20, and 29 of the 1971 GDC.

7.2.2.1.1 Trip Setpoint Discussion

It has been pointed out previously that below the limiting value of DNBR there is likely to be significant local fuel cladding failure. The DNBR existing at any point in the core for a given core design can be determined as a function of the core inlet temperature, power output, reactor coolant operating pressure and flow. Consequently, core safety limits in terms of the limiting value of DNBR for the hot channel can be developed as a function of core ΔT, Tavg, and pressure for a specified flow as illustrated by the dashed lines in Figure 15.1-1. Shown as a dashed line in Figure 15.1-1 are the loci of conditions designed to prevent exceeding 121% of power as a function of ΔT and Tavg, thus representing the overpower (KW/ft) limit on the fuel.

The solid lines indicate the maximum permissible setpoints (ΔT) as a function of Tavg and pressure for the overtemperature and overpower reactor trips. Actual setpoint constants in the equation representing the solid lines are as given in the Technical Specifications. These values are conservative to allow for instrument errors. The design meets the requirements of Criteria 10, 15, 20 and 29 of the 1971 GDC.

DNBR is not a directly measurable quantity; however, the process variables that determine DNBR are sensed and evaluated. Small isolated changes in various process variables may not individually result in violation of a core safety limit, whereas the combined variations, over sufficient time, may cause the overpower or overtemperature safety limit to be exceeded. The design concept of the reactor trip system takes cognizance of this situation by providing reactor trips associated with individual process variables in addition to the overpower/overtemperature safety limit trips. Process variable trips prevent reactor operation whenever a change in the monitored value is such that a core or system safety limit is in danger of being exceeded should operation continue. Basically, the high pressure, low pressure and overpower/overtemperature ΔT trips provide sufficient protection for slow transients as opposed to such trips as low flow or high flux which will trip the reactor for rapid changes in flow or flux, respectively, that would result in fuel damage before actuation of the slower responding ΔT trips could be effected.

Therefore, the reactor trip system has been designed to provide protection for fuel cladding and reactor coolant system pressure boundary integrity where: 1) a rapid change in a single variable or factor will quickly result in exceeding a core or a system safety limit, and 2) a slow change in one or more variables will have an integrated effect which will cause safety limits to be exceeded. Overall, the reactor trip system offers diverse and comprehensive protection against fuel cladding failure and/or loss of reactor coolant system integrity for Condition II and III accidents. This is demonstrated by Table 7.2-4, which lists the various trips of the reactor trip system, the corresponding technical specification on safety limits and safety system settings and the appropriate accident discussed in the safety analyses in which the trip could be utilized.

The plant is prohibited by Technical Specifications from operating with an inactive loop for extended periods of time, and administrative procedures require that the unit be brought to a load of less than 25% of full power prior to starting the pump in the inactive loop in order to bring the inactive loop hot leg temperature closer to the core inlet temperature. The P-8 interlock acts essentially as a high nuclear power reactor trip when operating in this condition.

The reactor trip system design was evaluated in detail with respect to common mode failure and is presented in References [4] and [5]. The design meets the requirements of Criterion 23 of the 1971 GDC.

Preoperational testing was performed on reactor trip system components and systems to determine equipment readiness for startup and served as confirmation of the system design.

Analyses of the results of Condition II, III and IV events, including considerations of instrumentation installed to mitigate their consequences, are presented in Chapter 15. The instrumentation installed to mitigate the consequences of load rejection and turbine trip is given in Section 7.7.

7.2.2.1.2 Reactor Coolant Flow Measurement

Elbow taps installed in each loop of the primary coolant system are used to measure reactor coolant flow. The correlation between flow and elbow tap differential pressure signal is given by the following equation:

$$\frac{\Delta P}{\Delta P_0} = \left(\frac{w}{w_0}\right)^2$$

where $\Delta P_0$ is the pressure differential at the reference flow $w_0$, and $\Delta P$ is the pressure differential at the corresponding flow, $w$. Nominal full power flow is established at the beginning of each fuel cycle by either the elbow tap methodology or performance of the RCS calorimetric flow measurement. Unit 1 utilizes the elbow tap methodology (Reference [17]). Unit 2 utilizes the RCS calorimetric flow measurement. The results are used to normalize the RCS flow indicators and provide a reference point for the low flow reactor trip setpoint.

7.2.2.2 Evaluation of Compliance to Applicable Codes and Standards

The reactor trip system meets the requirements of the General Design Criteria and Section 4 of IEEE Standard 279-1971 [9] as indicated below.

1. General Functional Requirement

The protection system automatically initiates appropriate protective action whenever a condition monitored by the system reaches a preset value. Functional performance requirements are given in Section 7.2.1.1.1. Section 7.2.1.2.4 presents a discussion of limits, margins and setpoints; Section 7.2.1.2.5 discusses unusual (abnormal) events; and Section 7.2.1.2.6 presents minimum performance requirements.

2. Single Failure Criterion

The protection system is designed to provide two, three, or four redundant process protection channels for each protective function and two logic train circuits. These redundant channels and trains are electrically isolated and physically separated. Thus, any single failure within a channel or train will not prevent protective system action when required. Loss of input power, the most likely mode of failure, to a channel or logic train will result in a signal calling for a trip. This design meets the requirements of Criteria 21, 22 and 23 of the 1971 GDC.

To prevent the occurrence of common mode failures, such additional measures as functional diversity, physical separation, and testing as well as administrative control during design, production, installation and operation are employed, as discussed in References [4] and [5]. The design meets the requirements of Criteria 21 and 22 of the 1971 GDC.

3. Quality of Components and Modules

For a discussion on the quality of the components and modules used in the reactor trip system, refer to Chapter 17. The quality assurance applied conforms to Criterion 1 of the 1971 GDC.

4. Equipment Qualification

For a discussion of the type tests made to verify the performance requirements, refer to Section 3.11. The test results demonstrate that the design meets the requirements of Criterion 4 of the 1971 GDC.

5. Channel Integrity

Protection system channels required to operate in accident conditions maintain necessary functional capability under extremes of conditions relating to environment, energy supply, malfunctions, and accidents. The energy supply for the reactor trip system is described in Chapter 8. The environmental variations, throughout which the system will perform, are given in Section 3.11. The design meets the requirements of Criteria 21 and 22 of the 1971 GDC.

6. Independence

Channel independence is carried throughout the system, extending from the sensor through the devices actuating the protective function. Physical separation is used to achieve separation of redundant transmitters.

Separation of wiring is achieved using separate wireways, cable trays, conduit runs and containment penetrations for each redundant channel. Redundant protection channels are separated by locating the processing electronics of the redundant channels in different protection rack sets. Each redundant protection channel set is energized from a separate AC power feed. This design meets the requirements of Criteria 21 and 22 of the 1971 GDC.

Independence of the logic trains is discussed in Reference [3]. Two reactor trip breakers are actuated by two separate logic matrices which interrupt power to the control rod drive mechanisms. The breaker main contacts are connected in series with the power supply so that opening either breaker interrupts power to all control rod drive mechanisms, permitting the rods to free fall into the core. See Figure 7.1-1.

The design philosophy is to make maximum use of a wide variety of measurements.

The protection system continuously monitors numerous diverse system variables. The extent of this diversity has been evaluated for a wide variety of postulated accidents and is discussed in Reference [5]. Generally, two or more diverse protection functions would terminate an accident before intolerable consequences could occur. This design meets the requirements of Criterion 22 of the 1971 GDC.

7. Control and Protection System Interaction

The protection system is designed to be independent of the control system. In certain applications the control signals and other non-protective functions are derived from individual protective channels through isolation devices. The isolation devices are classified as part of the protection system and are located in the process protection racks. Non-protective functions include those signals used for control, remote process indication, and computer monitoring. The isolation devices are designed such that a short circuit, open circuit, or the application of credible fault voltages on the isolated output portion of the circuit (i.e., the non-protective side of the circuit) will not affect the input (protective) side of the circuit. The signals obtained through the isolation devices are never returned to the process protection racks.

A detailed discussion of the design and testing of the protection system isolation devices is given in References [7], [8], and [11]. These reports include the results of applying various malfunction conditions on the output portion of the isolation devices. The results show that no significant disturbance to the isolation devices' input signal occurred.

Where failure of a protection system component can cause a process excursion which requires protective action and can also prevent the channel from performing its protective action, the protection system can withstand a second independent failure without loss of the protection function. The means of achieving this are provided in the discussion of specific control and protection system interactions in Section 7.2.2.3.

Typically this requirement is satisfied by utilizing 2/4 logic for the trip function or by providing a diverse trip. This design meets the requirements of Criterion 24 of the 1971 GDC and paragraph 4.7 of IEEE Standard 279-1971 [9].

8. Derivation of System Inputs

To the extent feasible and practical, protection system inputs are derived from signals which are direct measures of the desired variables. Variables monitored for the various reactor trips are listed in Section 7.2.1.2.2.

9. Capability for Sensor Checks

The operational availability of each system input sensor during reactor operation is accomplished by cross checking between channels that bear a known relationship to each other and that have read-outs available. Channel checks are discussed in the Technical Specifications.

10. Capability for Testing

The reactor trip system is capable of being tested during power operation. Where only parts of the system are tested at any one time, the testing sequence provides the necessary overlap between the parts to assure complete system operation. The testing capabilities are in conformance with Regulatory Guide 1.22 as discussed in Table 7.1-1.

The protection system is designed to permit periodic testing of the signal processing portion of the reactor trip system during reactor power operation without initiating a protective action unless a trip condition actually exists. This is because of the coincidence logic required for reactor trip. Source and intermediate range high neutron flux trips must be bypassed during testing. These tests may be performed at any plant power from cold shutdown to full power. Before starting any of these tests with the plant at power, all redundant reactor trip channels associated with the function to be tested must be in the normal (untripped) mode or bypass mode, according to the Technical Specifications, in order to avoid spurious trips.

The Protection System is also designed to permit periodic response time testing of the reactor trip system, excluding neutron detectors.

Process Protection Channel Tests

The Eagle 21 process protection system accommodates automatic or manual surveillance testing of the digital process protection racks via a portable Man Machine Interface (MMI) test cart. The MMI test cart is connected to the process rack test panel with a cable/connector assembly. The rack installed test processor permits performance of operations such as channel calibration, channel response time tests, partial trip actuation tests, and maintenance activities. Administrative controls and multiple levels of security are provided to limit access to setpoint and tuning constant adjustments. The system is designed to permit testing of any protection channel during power operations without initiating a protective action at the systems level.

Individual channels can be tested in either the "Channel Trip" or "Bypass" mode:

The Channel Trip mode interrupts the individual channel comparator output. Interruption of a comparator output in this mode for any reason (test, maintenance purposes or removed from service) causes that portion of the logic to be actuated and initiates a channel trip alarm and status light in the control room. Status lights on the process rack test panel indicate when the associated comparators have tripped.

The Bypass mode disables the individual channel comparator trip circuitry. Interruption of a comparator output in this mode effectively "bypasses" the channel in test causing the associated logic relays to remain in the non-tripped state until the "bypass" is removed. This feature of the protection system eliminates the potential for an unwarranted actuation in the event of a failure. This condition is also accompanied by an alarm in the control room.

Nuclear Instrumentation Channel Tests

The power range channels of the nuclear instrumentation system are tested by using the actual detector input to the channel and injecting test currents obtained from the detector response curves at various power levels. The output of the bistable is not placed in a tripped condition prior to testing. Also, since the power range channel logic is two out of four, bypass of this reactor trip function is not required.

Testing of a power range channel requires deliberate operator action and is annunciated in the control room. Bistable operation is tested by increasing the test signal up to its trip setpoint and verifying bistable relay operation by control board annunciator and trip status lights.

It should be noted that a valid trip signal would cause the channel under test to trip at a lower actual reactor power. A reactor trip would occur when a second bistable trips. No provision has been made in the channel test circuit for reducing the channel signal below that signal being received from the nuclear instrumentation system detector.

A nuclear instrumentation system channel which can cause a reactor trip through one-of-two protection logic (source or intermediate range) is provided with a bypass function which prevents the initiation of a reactor trip from that particular channel during the short period that it is undergoing test. These bypasses are annunciated in the control room.

Periodic tests of the source, intermediate, and power range channels of the nuclear instrumentation system are performed in the applicable modes/power levels in accordance with the Technical Specifications.

For a detailed description of the nuclear instrumentation system see References [2] and [15].

Reference [2] is applicable to the power range only.

Solid State Logic Testing

The logic trains of the reactor trip system are designed to be capable of complete testing at power. Logic matrices are tested from the Train A and Train B logic rack test panels. During this test, the logic inputs are actuated automatically in all combinations of trip and non-trip logic.

Trip logic is not maintained long enough to permit opening of the reactor trip breakers. The reactor trip undervoltage coils are 'pulsed' in order to check continuity. During logic testing of one train, the other train can initiate any required protective functions.

Annunciation is provided in the control room to indicate when a train is in test (train output bypassed) and when a reactor trip breaker is bypassed. Details of the logic system testing are given in Reference [3].

A direct reactor trip resulting from undervoltage or underfrequency on the pump side of the reactor coolant pump breakers is provided as discussed in Section 7.2.1.1.2 and shown on Figure 7.2-1, Sheet 3. The logic for these trips is capable of being tested during power operation. When parts of the trip are being tested, the sequence is such that an overlap is provided between parts so that a complete logic test is provided.

This design complies with the testing requirements of IEEE Standard 279-1971 and IEEE Standard 338-1971 [10] as discussed in Table 7.1-1. Details of the method of testing and compliance with these standards are provided in References [1], [3], and [11].

The permissive and block interlocks associated with the reactor trip system and engineered safety features actuation system are given on Tables 7.2-2 and 7.3-3 and designated protection or P interlocks. As a part of the protection system, these interlocks are designed to meet the testing requirements of IEEE Standards 279-1971 and 338-1971 as discussed in Table 7.1-1.

Testability of the interlocks associated with reactor trips for which credit is taken in the accident analyses is provided by the logic testing and semi-automatic testing capabilities of the solid state protection system. In the solid state protection system the undervoltage coils (reactor trip) and master relays (engineered safeguards actuation) are pulsed for all combinations of trip or actuation logic with and without the interlock signals. Interlock testing may be performed at power.

Testing of the logic trains of the reactor trip system includes a check of the input relays and a logic matrix check. The following sequence is used to test the system:

1) Check of input relays

During testing of the process protection system and nuclear instrumentation system channels, each channel comparator/bistable is placed in a trip mode causing one SSPS input relay in train A and one in train B to de-energize except when individual channels are tested in bypass with the reactor at power. A contact of each relay is connected to a universal logic printed circuit card. This card performs both the reactor trip and monitoring functions. Each reactor trip input relay contact causes a status lamp and an annunciator on the control board to operate. Either the Train A or Train B input relay operation will light the status lamp and annunciator.

Each train contains a multiplexing test switch, one of which (either train) normally remains in the A + B position. The A + B position allows information to be transmitted alternately from each train to the control board. During testing a steady status lamp indicates that both trains are receiving a trip mode logic input for the channel being tested. A flashing lamp indicates a failure in one train. Contact inputs to the logic protection system such as reactor coolant pump bus underfrequency relays operate input relays which are tested by operating the remote contacts as described above and using the same type of indications as those provided for comparator/bistable input relays.

Actuation of the SSPS input relays provides the overlap between the testing of the logic protection system and the testing of those systems supplying the inputs to the logic protection system. These tests are performed periodically in accordance with the Technical Specifications. Test indications are status lamps and annunciators on the control board. Inputs to the logic protection system are checked one channel at a time, leaving the other channels in service. For example, a function that trips the reactor when two out of four channels trip becomes a one out of three trip when one channel is placed in the trip mode. Both trains of the logic protection system remain in service during this portion of the test.

2) Check of logic matrices

Logic matrices are checked one train at a time. Input relays are not operated during this test. Partial reactor trips to the train being tested are inhibited with the use of the input error inhibit switch on the semi-automatic test panel in the train. Details of semi-automatic tester operation are given in Reference [3]. At the completion of the logic matrix tests, closure of the input error inhibit switch contacts is checked using an appropriate test method such as verification of existing trip status lamps/computer points.

The logic test scheme uses pulse techniques to check the coincidence logic. All possible trip and non-trip combinations are checked. Pulses from the tester are applied to the inputs of the universal logic card at the same terminals that connect to the input relay contacts. Thus there is an overlap between the input relay check and the logic matrix check. Pulses are fed back from the reactor trip breaker undervoltage coil to the tester. The pulses are of such short duration that the reactor trip breaker undervoltage coil armature cannot respond mechanically.

Test indications provided are an annunciator in the control room indicating that reactor trips from the train have been blocked and that the train is being tested, and green and red lamps on the semi-automatic tester to indicate a good or bad logic matrix test.

Protection capability provided during this portion of the test is from the train not being tested.

The general design features and details of the testability of the logic system are described in Reference [3]. The testing capability meets the requirements of Criterion 21 of the 1971 GDC.
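
The channel-in-trip reduction (two out of four becoming one out of three) and the reason every trip and non-trip combination is applied to the logic can both be checked exhaustively. The following Python sketch is an added illustration, not part of the FSAR or of the SSPS design; the function names and the dead-input fault are hypothetical and constructed for the example.

```python
from itertools import product


def coincidence(trips, required):
    """True when at least `required` of the channel bistables are tripped."""
    return sum(1 for t in trips if t) >= required


def place_in_trip(trips, channel):
    """Model a channel placed in the trip mode for test: it reads as tripped."""
    forced = list(trips)
    forced[channel] = True
    return forced


def reduced_logic_mismatches(n, m, channel):
    """Compare m-of-n voting with one channel in trip against (m-1)-of-(n-1).

    Every state of the n inputs is enumerated. The return value lists the
    combinations where the two disagree; an empty list means the reduction
    holds for all inputs.
    """
    mismatches = []
    for combo in product((False, True), repeat=n):
        actual = coincidence(place_in_trip(combo, channel), m)
        remaining = [t for i, t in enumerate(combo) if i != channel]
        if actual != coincidence(remaining, m - 1):
            mismatches.append(combo)
    return mismatches


def logic_matrix_test(logic, n, m):
    """Apply every trip/non-trip combination and list the ones that fail.

    `logic` is the function under test; the reference is plain m-of-n voting.
    """
    return [combo for combo in product((False, True), repeat=n)
            if logic(combo) != coincidence(combo, m)]


def healthy_card(inputs):
    """Reference two-out-of-four coincidence."""
    return coincidence(inputs, 2)


def card_with_dead_input(inputs):
    """Constructed fault: input 2 never registers a trip."""
    seen = list(inputs)
    seen[2] = False
    return coincidence(seen, 2)


if __name__ == "__main__":
    for ch in range(4):
        print("channel", ch, "in trip, mismatches:",
              reduced_logic_mismatches(4, 2, ch))
    print("healthy card failures:", logic_matrix_test(healthy_card, 4, 2))
    print("dead-input card failures:",
          logic_matrix_test(card_with_dead_input, 4, 2))
    # A single spot check with all channels tripped does not reveal the fault.
    print("all-tripped spot check passes:",
          card_with_dead_input((True, True, True, True)))
```

The dead input is exposed only by the combinations in which that input and exactly one other are tripped, which is why a partial set of combinations is not sufficient.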

Testing of Reactor Trip Breakers

Normally, reactor trip breakers RTA and RTB are in service, and bypass breakers BYA and BYB are withdrawn (out of service). In testing the protection logic, pulse techniques are used to avoid tripping the reactor trip breakers, thereby eliminating the need to bypass them during this testing. Each of the reactor trip breakers is tested with the corresponding bypass breaker in service.

Auxiliary contacts of the bypass breakers are connected into the SSPS General Warning Alarm System of their respective trains such that if either train is placed in test while the bypass breaker of the other train is closed, both reactor trip breakers and both bypass breakers will automatically trip.

Auxiliary contacts of the bypass breakers are also connected in such a way that if an attempt is made to close the bypass breaker in one train while the bypass breaker of the other train is already closed, both bypass breakers and both reactor trip breakers will automatically trip.

The Train A and Train B alarm systems operate separate annunciators in the control room. The two bypass breakers also operate an annunciator in the control room. Bypassing of a protection train with either the bypass breaker or with the test switches will result in audible and visual indications.

The complete reactor trip system is normally required to be in service. However, to permit online testing of the various protection channels or to permit continued operation in the event of a subsystem instrumentation channel failure, the Technical Specifications define the minimum number of operable channels. The Technical Specifications also define the required restriction to operation in the event that the channel operability requirements cannot be met.

11. Channel Bypass or Removal from Operation

The Eagle 21 Process Protection System is designed to permit any channel to be maintained in a bypassed condition and, when required, tested during power operation without initiating a protective action at the systems level. This is accomplished without lifting electrical leads or installing temporary jumpers. Bypass of any channel in an Eagle 21 protection system rack for any purpose will be continuously indicated in the control room via the plant annunciator at the protection set level. In addition, the Eagle 21 design has provided for administrative controls and multiple levels of security for bypassing a protection channel.

The channel bypass feature of the Eagle 21 system will be used for the following purposes:

1. To allow for an inoperable Reactor Trip (RT) or Engineered Safety Features Actuation System (ESFAS) channel to be maintained in a bypassed condition up to the time limit specified in the Technical Specifications, for the purpose of troubleshooting.
2. To allow for a failed RT or ESFAS channel to be bypassed up to the time limit specified in the Technical Specifications, for the purpose of surveillance testing a redundant channel of the same function.
3. To routinely allow testing of a RT or ESFAS channel in the bypassed condition instead of the tripped condition for the purpose of surveillance testing.

The Nuclear Instrumentation System (NIS) is designed to permit routine periodic testing of the Source Range and Intermediate Range portion of the reactor trip system during reactor power operation. To enable testing of the one-out-of-two channel logic for the NIS Source Range and Intermediate Range during reactor power operation, a channel bypass feature has been provided. Use of this feature will permit routine required surveillance testing to be completed without initiating a protective action unless a trip condition exists.

12. Operating Bypasses

Where operating requirements necessitate automatic or manual bypass of a protective function (see Section 10.4.4.3 for exception on P-12), the design of the protection system is such that the bypass is removed automatically whenever permissive conditions are not met. Devices used to achieve automatic removal of the bypass of a protective function are considered part of the protection system and are designed in accordance with the criteria of this section. Indication is provided in the control room if some part of the system has been administratively bypassed or taken out of service.

Bypasses associated with the reactor trip system are identified in Table 7.2-2.

13. Indication of Bypasses

Bypass of a process protection channel during testing is indicated by an alarm in the control room. This is discussed further in Section 7.2.2.2, Subsections 10 and 11.

Operating bypasses are discussed in Section 7.2.2.2, Subsection 12.

14. Access to Means for Bypassing

The design provides for administrative control of access to the means for manually bypassing channels or protective functions. For details, refer to References [1] and [11].

15. Multiple Setpoints

For monitoring neutron flux, multiple setpoints are used. When a more restrictive trip setting becomes necessary to provide adequate protection for a particular mode of operation or set of operating conditions, the protective system circuits are designed to provide positive means or administrative control to assure that the more restrictive trip setpoint is used. The devices used to prevent improper use of less restrictive trip settings are considered part of the protective system and are designed in accordance with the criteria of this section.

16. Completion of Protective Action

The protection system is so designed that, once initiated, a protective action goes to completion. Normal operation is restored in accordance with established procedures.

17. Manual Initiation

Switches are provided on the control board for manual initiation of protective action. A single failure in the automatic system will not prevent the manual actuation of the protective functions. Manual actuation relies on the operation of a minimum of equipment. Additional discussion of manual actuation of protective functions is provided in Section 7.3.2.2.6.

18. Access to Setpoint Adjustments, Calibration and Test Points

The design provides for administrative control of access to all setpoint adjustments, processing electronics calibration adjustments, and test points. For details refer to References [1], [2], [11] and [15].

19. Identification of Protective Actions

Indication and identification of protective actions is discussed in Item 20 below.

20. Information Read Out

The protective system provides the operator with complete information pertinent to system status and safety. All transmitted signals (flow, pressure, temperature, etc.) which can cause a reactor trip are either indicated, recorded, or displayed on the plant computer for every channel, including neutron flux power range currents (top detector, bottom detector, algebraic difference, and average of bottom and top detector currents).

Any reactor trip will actuate an alarm and an annunciator. Such protective actions are indicated and identified by the parameter being measured.

Alarms and annunciators are also used to alert the operator of deviations from normal operating conditions so that he may take appropriate corrective action to avoid a reactor trip. Actuation of any rod stop or trip of any reactor trip channel will actuate an alarm, except for the source and intermediate range channels which have one out of two reactor trip logic. For these two functions, a channel trip alarm is not provided since a channel trip will also initiate a reactor trip and reactor trip alarm as described above.

21. System Repair

The system is designed to facilitate the recognition, location, replacement, and repair of malfunctioning components or modules. Refer to the discussion in Section 7.2.2.2, Subsection 10 above.

22. Identification

Identification of protection system equipment is discussed in Section 7.1.2.3.

7.2.2.3 Specific Control and Protection Interactions

A general discussion of control and protection system interaction criteria and compliance is provided in Section 7.2.2.2, Subsection 7.

7.2.2.3.1 Neutron Flux

Four power range neutron flux channels are provided for overpower (high flux) protection.

Isolated outputs are provided to a distributed control system (DCS) for rod control. An auctioneered high signal is developed from the four channels in the DCS for automatic rod control. If any channel fails in such a way as to produce a low output, that channel is incapable of proper overpower protection but will not cause control rod movement because of the auctioneer. Two out of four overpower trip logic will ensure an overpower trip if needed even with an independent failure in another channel.

In addition, channel deviation signals in the control system will give an alarm if any neutron flux channel deviates significantly from the average of the flux signals or from the auctioneered high value. Also, the control system will respond only to rapid changes in indicated neutron flux; slow changes or drifts are compensated by the temperature control signals. Finally, an overpower signal from any nuclear power range channel will block manual and automatic rod withdrawal. The setpoint for this rod stop is below the reactor trip setpoint.

7.2.2.3.2 Reactor Coolant Temperature

Reactor control is based upon signals derived from protection system channels through isolation devices such that no feedback effect from the control system can perturb the protection channels. The isolated outputs are provided to a distributed control system (DCS) where an auctioneered high signal is developed for automatic rod control.

Since control is based on the highest of the loop average temperatures, the control rods are always moved based upon the most pessimistic temperature measurement with respect to margins to DNB. A spurious low average temperature measurement from any loop temperature control channel will cause no control action. A spurious high average temperature measurement will cause rod insertion (safe direction). If a failed channel is detected by the DCS, it will not be used in the control algorithm. The 2/4 trip logic ensures that the overpower and overtemperature ΔT trip functions can provide the required protection even if degraded by a second random failure.

Channel deviation signals in the control system will give an alarm if any temperature channel deviates significantly from the auctioneered (highest) value. Automatic rod withdrawal blocks and turbine runback (power demand reduction) will also occur prior to reaching the reactor trip setpoint if any two of the ΔT channels indicate an overtemperature or overpower condition.

A discussion of reactor coolant temperature measurement is provided in Section 7.2.1.1.4.

7.2.2.3.3 Pressurizer Pressure

Unit 1

The pressurizer pressure protection channel signals are used for high and low pressure protection and as inputs to the overtemperature ΔT trip protection function. Isolated output signals from these channels are used for pressure control. These are used to control pressurizer spray and heaters and power operated relief valves.

With the new DCS, inputs from four pressurizer pressure channels are processed through two processor loops. Each control loop (A and B) receives two different pressurizer pressure channels. Each processor loop (pair) passes its two pressure inputs to that loop's Median Signal Selector (MSS). The loop MSS also receives a third input from the other independent loop processor. This third signal is the average of the other loop's two pressure channels (signals).

From each processor loop (A and B), the median selected pressure signal is used for control functions.

The validated pressurizer pressure signal from loop A is input to the master pressurizer pressure controller, is used as the control interlock for one power operated relief valve (PORV PCV-68-334), and is input to the main control room recorder. The master pressure controller in turn controls the variable and back-up heaters, provides high pressure annunciation, feeds the pressurizer spray valve control, and actuates a power operated relief valve (PORV PCV-68-340A).

Loop B validated pressure signal provides input for high pressure annunciation, interlock to power operated relief valve (PORV 68-340A) and actuation of the other relief valve (PORV 68-334). A validated pressure signal from both independent loops is required to open any PORV.

With DCS, the need and ability to manually select a pressure channel for control functions has been eliminated.

Additional redundancy provided by the 2/4 low pressurizer pressure reactor trip logic ensures low pressure protection in the event of a second independent failure.

Overpressure protection is based upon the positive surge of the reactor coolant produced as a result of turbine trip under full load, assuming the core continues to produce full power. The self-actuated safety valves are sized on the basis of steam flow from the pressurizer to accommodate this surge at a setpoint of 2500 psia and an accumulation of 3%. Note that no credit is taken for the relief capability provided by the power-operated relief valves during this surge.

In addition, operation of any one of the power-operated relief valves can maintain pressure below the high pressure trip point for most transients. The rate of pressure rise achievable with heaters is slow, and ample time and pressure alarms are available to alert the operator of the need for appropriate action.

Unit 2

The pressurizer pressure protection channel signals are used for high and low pressure protection and as inputs to the overtemperature ΔT trip protection function. Isolated output signals from these channels are provided to the DCS for pressure control. From these, two median signals are developed in independent control groups of the DCS, each with dual redundant control processors. One of the median signals is used to control pressurizer spray and heaters; both are used for pressurizer PORV actuation. A spurious high or low signal from any one channel will not cause a control action. If a failed channel is detected by the DCS, it will not be used in the control algorithm. A coincident high pressure signal from both processors is needed for the actuation of each pressurizer PORV.

Failure of a DCS processor pair could result in a high or low control signal. A spurious high pressure signal can cause decreasing pressure by turning off the heaters and actuating spray.

The two out of four low pressurizer pressure reactor trip logic ensures low pressure protection even with two independent channel failures.

Overpressure protection is based upon the positive surge of the reactor coolant produced as a result of turbine trip under full load, assuming the core continues to produce full power. The self-actuated safety valves are sized on the basis of steam flow from the pressurizer to accommodate this surge at a setpoint of 2500 psia and an accumulation of 3%. Note that no credit is taken for the relief capability provided by the power-operated relief valves during this surge.

In addition, operation of any one of the power-operated relief valves can maintain pressure below the high pressure trip point for most transients. The rate of pressure rise achievable with heaters is slow, and ample time and pressure alarms are available to alert the operator of the need for appropriate action.

7.2.2.3.4 Pressurizer Water Level

Unit 1

Three independent, redundant instrument channels are provided for pressurizer high water level protection. This reactor trip condition is generated based on a 2-out-of-3 logic and serves to prevent water discharge through the pressurizer safety relief valves. The pressurizer level channels also provide isolated output signals which are used for pressurizer water level control (reference Section 7.7).

The high water level trip setpoint provides sufficient margin such that the undesirable condition of discharging liquid coolant through the safety valves is avoided. Even at full power conditions, which would produce the worst thermal expansion rates, a failure of water level control would not lead to any liquid discharge through the safety valves. This is due to the automatic high pressurizer pressure reactor trip actuating at a pressure sufficiently below the safety valve setpoint.

In addition, alarms are actuated on high or low water level and on significant deviations from programmed level. Channel failure can also be detected by comparison to the other two redundant level channel indicators located in the main control room. A discussion of the pressurizer water level reference leg arrangement is provided in Section 7.2.1.1.5.

Unit 2

Three independent, redundant instrument channels are provided for pressurizer high water level protection. This reactor trip condition is generated based on a 2-out-of-3 logic and serves to prevent water discharge through the pressurizer safety relief valves. The pressurizer level channels also provide isolated output signals to the DCS which are used for pressurizer water level control (reference Section 7.7). A median signal selector in the DCS selects the median of the three signals for pressurizer level control so that a spurious high or low signal from any one channel will not cause a control room action. If a failed channel is detected by the DCS, it will not be used in the control algorithm and the average of the two remaining channels will be used for control.

A DCS failure resulting in a high or low control signal output could increase or decrease pressurizer level at a slow rate. The high water level trip setpoint provides sufficient margin such that the undesirable condition of discharging liquid coolant through the safety valves is avoided. Even at full power conditions, which would produce the worst thermal expansion rates, a failure of water level control would not lead to any liquid discharge through the safety valves. This is due to the automatic high pressurizer pressure reactor trip actuating at a pressure sufficiently below the safety valve setpoint.

In addition, alarms are actuated on high or low water level and on significant deviations from programmed level or from the median signal. Channel failure can also be detected by comparison to the other two redundant level channel indicators located in the main control room. A discussion of the pressurizer water level reference leg arrangement is provided in Section 7.2.1.1.5.

7.2.2.3.5 Steam Generator Water Level

Unit 1

The basic function of the reactor protection circuits associated with low steam generator water level is to preserve the steam generator heat sink for removal of long term residual heat.

Should a complete loss of feedwater occur, the reactor would be tripped on low-low steam generator water level. In addition, redundant auxiliary feedwater pumps are provided to supply feedwater in order to maintain residual heat removal after trip. This reactor trip acts before the steam generators are dry to reduce the required capacity and increase the starting time requirements of the auxiliary feedwater pumps and to minimize the thermal transient on the reactor coolant system and steam generators.

Therefore, a low-low steam generator water level reactor trip is provided for each steam generator to ensure that sufficient initial thermal capacity is available in the steam generator at the start of the transient. It is desirable to minimize thermal transients on a steam generator for a credible loss of feedwater accident. Implementation of the control grade Median Signal Selector (MSS) feature in the feedwater control system prevents failure of a single steam generator water level channel from causing a feedwater control system disturbance requiring subsequent protective action. Isolated outputs from all three narrow range level channels are input into the Distributed Control System (DCS) which has a software MSS control block. The MSS selects the median signal for use by the control system and control system actions are then based on this signal. Since the high and low signals are rejected, the control system is prevented from acting on a single, failed protection system instrument channel. Upon failure of one narrow range steam generator level channel, the DCS MSS will reject that channel and average the two remaining channels on that generator to be used for control. Upon failure of two narrow range steam generator level channels that are an input into the DCS for a given steam generator, control of the associated main regulating and bypass valves for that steam generator will transfer to manual, and the operator will receive an alarm. Since no adverse control system action can then result from a failed protection channel, the potential for a control and protection system interaction is eliminated and it is not necessary to consider a second random protection system failure as would otherwise be required by IEEE Std. 279-1971. A more detailed discussion of the MSS relative to compliance with control and protection system interaction criteria is contained in References [12] and [14].

Unit 2

The basic function of the reactor protection circuits associated with low steam generator water level is to preserve the steam generator heat sink for removal of long term residual heat.

Should a complete loss of feedwater occur, the reactor would be tripped on low-low steam generator water level. In addition, redundant auxiliary feedwater pumps are provided to supply feedwater in order to maintain residual heat removal after trip. This reactor trip acts before the steam generators are dry to reduce the required capacity and increase the starting time requirements of the auxiliary feedwater pumps and to minimize the thermal transient on the reactor coolant system and steam generators.

Therefore, a low-low steam generator water level reactor trip is provided for each steam generator to ensure that sufficient initial thermal capacity is available in the steam generator at the start of the transient. It is desirable to minimize thermal transients on a steam generator for a credible loss of feedwater accident. Implementation of the Median Signal Selector (MSS) feature in the feedwater distributed control system prevents failure of a single steam generator water level channel from causing a feedwater control system disturbance requiring subsequent protective action. Isolated outputs from all three narrow range level channels are input to the MSS. The MSS selects the median signal for use by the control system and control system actions are then based on this signal. Since the high and low signals are rejected, the control system is prevented from acting on a single, failed protection system instrument channel. If a failed channel is detected by the DCS, it will not be used in the control algorithm and the average of the two remaining channels will be used for control. Since no adverse control system action can then result from a failed protection channel, the potential for a control and protection system interaction is eliminated and it is not necessary to consider a second random protection system failure as would otherwise be required by IEEE 279-1971.

7.2.2.4 Additional Postulated Accidents

Loss of plant instrument air or loss of component cooling water is discussed in Section 7.3.2.

Load rejection and turbine trip are discussed in further detail in Section 7.7.

The control interlocks and permissives, called rod stops, are provided to inhibit automatic and/or manual rod withdrawal and initiate turbine runback. The rod stops indicate that certain abnormal reactor operating conditions exist. The rod stop control action is used to stop positive reactivity additions due to rod withdrawal and to prevent reactor system parameters from reaching a condition requiring protective action (i.e., reactor trip actuation). The rod stops are not considered a protective feature. A listing of the initiating input signal and control function of each rod stop is provided in Section 7.7.1.4.1 and Table 7.7-1.

7.2.3 Tests and Inspections

Unit 1

The reactor trip system meets the testing requirements of IEEE Standard 338-1971, Reference [10], as discussed in Section 7.1.2. The testability of the system is discussed in Section 7.2.2.2. The test intervals are specified in the Technical Specifications. Written test procedures and documentation, conforming to the requirements of Reference [10], are utilized in the performance of periodic tests. Periodic testing complies with Regulatory Guide 1.22 as discussed in Section 7.1.2.

To ensure the Median Signal Selector (MSS) functions as described in Section 7.2.2.3.5, operability of the MSS is verified commensurate with the Technical Specification surveillance interval for the associated narrow range steam generator level channels.

Signal selector testing consists of monitoring the three input signals and the one output signal. Comparison of the output signal to the input signals permits determination of whether or not the median signal is being passed and, consequently, whether the signal selector is functioning properly. With a failed input, the output signal will be the average of the two remaining steam generator narrow range level input signals. An output other than this average would indicate a failure of the DCS median signal function control block.

The Steam Generator Level Control System median signal selectors (MSSs) may be tested either by applying analog test signals representing process values into the Distributed Control System (DCS) or by manipulating the process control blocks within the DCS that provide the process signals to the MSSs, varying their process output signal values. In either case, as the test signals or applicable process block outputs are varied, the channel that represents the median signal is verified to be the actual signal that is applied to the Steam Generator Level Control System. All combinations of high, low and median are to be tested on all of the process inputs to verify full median signal selection functionality.

Unit 2

The reactor trip system meets the testing requirements of IEEE Standard 338-1971, Reference [10], as discussed in Section 7.1.2. The testability of the system is discussed in Section 7.2.2.2. The test intervals are specified in the Technical Specifications. Written test procedures and documentation, conforming to the requirements of Reference [10], are utilized in the performance of periodic tests. Periodic testing complies with Regulatory Guide 1.22 as discussed in Section 7.1.2.

To ensure the Median Signal Selector (MSS) functions as described in Section 7.2.2.3.5, operability of the MSS is verified commensurate with the Technical Specification surveillance interval for the associated narrow range steam generator level channels.

The steam generator level MSS is a software function in the feedwater DCS. Proper operation of the MSS can be determined by verifying that the output signal corresponds to the median of the three input signals. The MSS function is tested concurrently with the process protection channels which provide the inputs. Test signals are received from the protection system, as would normal process signals, when the individual protection channels are placed in the test mode. As the test signal magnitude is varied, the MSS will select a different input as the median signal, allowing proper operation of the MSS to be verified. As long as the other two channels are functioning properly and they have not been tripped or bypassed, a single steam generator level channel can be tested during power operation without causing a feedwater control system upset.
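
The median selection, the failed-channel handling of Section 7.2.2.3.5 and the selector test of Section 7.2.3 are sketched below in Python. This is an added example, not taken from the FSAR or from the DCS vendor; the channel names, level values and the stuck-selector fault are constructed for illustration.

```python
from itertools import permutations
from typing import NamedTuple, Optional


class Selection(NamedTuple):
    signal: Optional[float]  # value passed to the level controller
    mode: str                # "median", "average" or "manual"
    alarm: bool              # manual-transfer alarm only (other alarms not modelled)


def select(levels, failed=frozenset()):
    """Median signal selection over three narrow range level channels.

    levels: dict of channel name -> level in percent.
    failed: channels the DCS has detected as failed.
    """
    good = [v for ch, v in levels.items() if ch not in failed]
    if len(good) == 3:
        return Selection(sorted(good)[1], "median", False)
    if len(good) == 2:
        # One detected failure: average of the two remaining channels.
        return Selection(sum(good) / 2.0, "average", False)
    # Two detected failures: control transfers to manual with an alarm.
    return Selection(None, "manual", True)


def bounded_by_healthy(levels, bad_channel, extremes=(0.0, 100.0)):
    """Drive one channel to each extreme as an undetected failure and check
    that the selected signal stays within the span of the healthy channels."""
    healthy = [v for ch, v in levels.items() if ch != bad_channel]
    for value in extremes:
        out = select({**levels, bad_channel: value})
        if not min(healthy) <= out.signal <= max(healthy):
            return False
    return True


def selector_test(selector, low=30.0, mid=50.0, high=70.0):
    """Put each input in the low, median and high position in turn.

    Returns the input sets for which the output was not the median value.
    """
    failures = []
    for values in permutations((low, mid, high)):
        levels = dict(zip(("ch1", "ch2", "ch3"), values))
        if selector(levels).signal != mid:
            failures.append(levels)
    return failures


def stuck_on_ch2(levels, failed=frozenset()):
    """Constructed fault: the block always passes ch2 regardless of its rank."""
    return Selection(levels["ch2"], "median", False)


# Constructed sample readings, percent of narrow range span.
SAMPLE = {"ch1": 48.0, "ch2": 50.0, "ch3": 52.0}

if __name__ == "__main__":
    print(select(SAMPLE))
    print(select({**SAMPLE, "ch3": 100.0}))          # undetected high failure
    print(select(SAMPLE, failed={"ch3"}))            # one detected failure
    print(select(SAMPLE, failed={"ch1", "ch3"}))     # two detected failures
    print("healthy selector failures:", selector_test(select))
    print("stuck selector failures:", len(selector_test(stuck_on_ch2)))
```

The stuck selector passes the two input sets in which ch2 happens to hold the median value, so only the full set of high, low and median positions on every input reveals it.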

REFERENCES

1. Nay, J. A., Process Instrumentation for Westinghouse Nuclear Steam Supply Systems, WCAP-7671, April 1971.
2. Lipchak, J. B., Nuclear Instrumentation System, WCAP-8255, January 1974. Applicable to Power Range NIS only.
3. Katz, D. N., Solid State Logic Protection System Description, WCAP-7488-L, January 1971 (Proprietary) and WCAP-7672, June 1971 (Non-Proprietary).
4. Gangloff, W. C. and Loftus, W. D., An Evaluation of Solid State Logic Reactor Protection In Anticipated Transients, WCAP-7706-L, July 1971 (Proprietary) and WCAP-7706, July 1971 (Non-Proprietary).
5. Burnett, T. W. T., Reactor Protection System Diversity in Westinghouse Pressurized Water Reactors, WCAP-7306, April 1969.
6. Baldwin, M. S. et al., An Evaluation of Loss of Flow Accidents Caused by Power System Frequency Transients in Westinghouse PWR's, WCAP-8424, Revision 1, May 1975.
7. Doyle, J. P., Noise, Fault, Surge and Radio Frequency Interference Test Report for Westinghouse Eagle 21 Process Protection Upgrade System, WCAP-11733, June 1988 (Westinghouse Proprietary Class 2); WCAP-11896, July 1988 (Westinghouse Proprietary Class 3).
8. Lipchak, J. B. and Bartholomew, R. R., Test Report Nuclear Instrumentation System Isolation Amplifier, WCAP-7506-P-A, April 1975 (Proprietary) and WCAP-7819-Revision 1-A, April 1975 (Non-Proprietary).
9. The Institute of Electrical and Electronics Engineers, Inc., IEEE Standard: Criteria for Protection Systems for Nuclear Power Generating Stations, IEEE Standard 279-1971.
10. The Institute of Electrical and Electronics Engineers, Inc., IEEE Trial Use Criteria for the Periodic Testing of Nuclear Power Generating Station Protection Systems, IEEE Standard 338-1971.
11. Erin, L. E., Topical Report, Eagle 21 Microprocessor-Based Process Protection System, WCAP-12374, Rev. 1, December 1991 (Westinghouse Proprietary Class 2); WCAP-12375, Rev. 1, December 1991 (Westinghouse Proprietary Class 3).
12. Mermigos, J. F., Median Signal Selector for Foxboro Series Process Instrumentation Application to Deletion of Low Feedwater Flow Reactor Trip, WCAP-12417, October 1989 (Westinghouse Proprietary Class 2); WCAP-12418, October 1989 (Westinghouse Proprietary Class 3). Unit 1 Only.
13. Reagan, J. R., Westinghouse Setpoint Methodology for Protection Systems, Watts Bar Units 1 and 2, Eagle 21 Version, WCAP-12096, Rev. 9 (Westinghouse Proprietary Class 2).
14. Summary Report Process Protection System Eagle 21 Upgrade, NSLB, MSS, and TTD Implementation, Watts Bar Unit 1 and 2, WCAP-13462, Revision 2, September 1994.
15. System Description, Neutron Monitoring System, N3-92-4003.
16. ISA-DS-67.04, 1982, Setpoints for Nuclear Safety-Related Instrumentation Used in Nuclear Power Plants.
17. Bass, J. C., RCS Flow Measurement Using Elbow Tap Methodology at Watts Bar Unit 1, WCAP-16067, Revision 0 (Westinghouse Proprietary Class 2). Unit 1 Only.
18. Trozzo, R. W., Westinghouse Setpoint Methodology for Protection Systems - Watts Bar Unit 2, WCAP-17044-P, Revision 1, September 2012 (Unit 2 only).
19. Scherder, W. J., Functional Diversity Assessment for the Reactor Protection System/Engineered Safety Features Actuation System at Watts Bar Units 1 and 2, WCAP-13869, Revision 1, October 1993.

TABLE 7.2-1 (Sheet 1 of 2)

LIST OF REACTOR TRIPS

| Reactor Trip | Coincidence Logic | Interlocks | Comments |
|---|---|---|---|
| 1. High neutron flux (Power Range) | 2/4 | Manual block of low setting permitted by P-10 | High and low settings; manual block and automatic reset of low setting by P-10 |
| 2. Intermediate range neutron flux | 1/2 | Manual block permitted by P-10 | Manual block and automatic reset |
| 3. Source range neutron flux | 1/2 | Manual block permitted by P-6, interlocked with P-10 | Manual block and automatic reset. Automatic block above P-10 |
| 4. Power range high positive neutron flux rate | 2/4 | No interlocks | |
| 5. Overtemperature ΔT | 2/4 | No interlocks | |
| 6. Overpower ΔT | 2/4 | No interlocks | |
| 7. Pressurizer low pressure | 2/4 | Interlocked with P-7 | Blocked below P-7 |
| 8. Pressurizer high pressure | 2/4 | No interlocks | |
| 9. Pressurizer high water level | 2/3 | Interlocked with P-7 | Blocked below P-7 |
| 10. Low reactor coolant flow | 2/3 in any loop | Interlocked with P-7 and P-8 | Low flow in one loop will cause a reactor trip when above P-8 and a low flow in two loops will cause a reactor trip when above P-7. Blocked below P-7 |
| 11. Reactor coolant pump bus under voltage | 2/4 | Interlocked with P-7 | Blocked below P-7. |

TABLE 7.2-1 (Sheet 2 of 2)

LIST OF REACTOR TRIPS (Cont'd)

| Reactor Trip | Coincidence Logic | Interlocks | Comments |
|---|---|---|---|
| 12. Reactor coolant pump bus under frequency | 2/4 | Interlocked with P-7 | Under frequency on 2 pumps will trip all reactor coolant pump breakers and cause reactor trip; reactor trip and pump trip blocked below P-7 |
| 13. Low-low steam generator water level | 2/3 in any loop | No interlocks | Features Trip Time Delay (TTD) upgrade |
| 14. Turbine-generator trip* | | | |
| a) Low emergency trip header pressure | 2/3 | Interlocked with P-9 | Blocked below P-9 |
| b) Turbine stop valve close | 4/4 | Interlocked with P-9 | Blocked below P-9 |
| 15. Safety injection signal | Coincident with actuation of safety injection | No interlocks | (See Section 7.3 for Engineered Safety Features actuation conditions) |
| 16. Manual | 1/2 | No interlocks | |

TABLE 7.2-2 (Sheet 1 of 2)

PROTECTION SYSTEM INTERLOCKS

I POWER ESCALATION PERMISSIVES

| Designation | Derivation | Function |
|---|---|---|
| P-6 | Presence of P-6: 1/2 neutron flux (intermediate range) above setpoint | Allows manual block of source range reactor trip |
| P-6 | Absence of P-6: 2/2 neutron flux (intermediate range) below setpoint | Defeats the block of source range reactor trip |
| P-10 | Presence of P-10: 2/4 neutron flux (power range) above setpoint | Allows manual block of power range (low setpoint) reactor trip; allows manual block of intermediate range reactor trip and intermediate range rod stops (C-1); blocks source range reactor trip (back-up for P-6); input to P-7 |
| P-10 | Absence of P-10: 3/4 neutron flux (power range) below setpoint | Defeats the block of power range (low setpoint) reactor trip; defeats the block of intermediate range reactor trip and intermediate range rod stops (C-1); input to P-7 |

TABLE 7.2-2 (Sheet 2 of 2)

PROTECTION SYSTEM INTERLOCKS

II BLOCKS OF REACTOR TRIPS

| Designation | Derivation | Function |
|---|---|---|
| P-7 | Absence of P-7: 3/4 neutron flux (power range) below setpoint (from P-10) and 2/2 turbine impulse chamber pressure below setpoint (from P-13) | Blocks reactor trip on: low reactor coolant flow in more than one loop, under voltage, under-frequency, pressurizer low pressure, and pressurizer high level |
| P-8 | Absence of P-8: 3/4 neutron flux (power range) below setpoint | Blocks reactor trip on low reactor coolant flow from one loop only |
| P-9 | Absence of P-9: 3/4 neutron flux (power range) below setpoint | Blocks reactor trip on turbine trip |
| P-9 | Presence of P-9 | Defeats block of reactor trip on turbine trip |
| P-13 | Absence of P-13: 2/2 turbine impulse chamber pressure below setpoint | Input to P-7 |
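The permissive derivations of Table 7.2-2 applied to the low reactor coolant flow row of Table 7.2-1, as an added example that is not part of the FSAR. The setpoint values, channel readings and all function names are constructed placeholders, not plant values.

```python
"""Permissive derivation (Table 7.2-2) gating the low-flow trip (Table 7.2-1).

All setpoints and readings below are constructed placeholders, not plant values.
"""
from dataclasses import dataclass

# Constructed setpoints, in percent of rated power / equivalent turbine load.
P10_SETPOINT = 10.0   # power-range flux, drives P-10
P8_SETPOINT = 50.0    # power-range flux, drives P-8
P13_SETPOINT = 10.0   # turbine impulse chamber pressure, drives P-13


def k_of_n(bits, k):
    """Coincidence vote: True when at least k inputs are True."""
    return sum(1 for b in bits if b) >= k


def permissive_present(readings, setpoint, k_absent):
    """Table 7.2-2 defines absence as k_absent channels below setpoint."""
    return not k_of_n([r < setpoint for r in readings], k_absent)


@dataclass(frozen=True)
class Permissives:
    p7: bool
    p8: bool
    p10: bool
    p13: bool


def derive_permissives(power_range, impulse_pressure):
    """power_range: 4 flux channels; impulse_pressure: 2 pressure channels."""
    p10 = permissive_present(power_range, P10_SETPOINT, 3)       # absent on 3/4 below
    p13 = permissive_present(impulse_pressure, P13_SETPOINT, 2)  # absent on 2/2 below
    p8 = permissive_present(power_range, P8_SETPOINT, 3)         # absent on 3/4 below
    # P-7 is absent only when P-10 AND P-13 are both absent.
    return Permissives(p7=p10 or p13, p8=p8, p10=p10, p13=p13)


def low_flow_trip(loop_bistables, perm):
    """loop_bistables: per loop, three low-flow bistables (True = flow low)."""
    loops_low = sum(1 for loop in loop_bistables if k_of_n(loop, 2))  # 2/3 per loop
    if not perm.p7:
        return False              # blocked below P-7
    if perm.p8:
        return loops_low >= 1     # above P-8 a single loop trips the reactor
    return loops_low >= 2         # between P-7 and P-8 two loops are required


NORMAL = (False, False, False)
LOW = (True, True, False)         # 2 of 3 bistables tripped in that loop
ONE_LOOP_LOW = [LOW, NORMAL, NORMAL, NORMAL]
TWO_LOOPS_LOW = [LOW, LOW, NORMAL, NORMAL]

if __name__ == "__main__":
    cases = {
        "below P-7": ([5, 5, 5, 5], [5, 5]),
        "P-7 present, P-8 absent": ([30, 30, 30, 5], [30, 30]),
        "P-8 present, one flux channel failed low": ([80, 80, 0, 80], [80, 80]),
    }
    for name, (flux, pressure) in cases.items():
        perm = derive_permissives(flux, pressure)
        print(name, perm,
              "| 1 loop low:", low_flow_trip(ONE_LOOP_LOW, perm),
              "| 2 loops low:", low_flow_trip(TWO_LOOPS_LOW, perm))
```

Because absence needs 3/4 flux channels below setpoint, one power-range channel failing low does not remove P-8 or P-10 and so does not block the trip.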

TABLE 7.2-3 (Sheet 1 of 2)

REACTOR TRIP SYSTEM INSTRUMENTATION

| Reactor Trip Signal | Typical Range |
|---|---|
| 1. Power range high neutron flux | 1 to 120% power |
| 2. Intermediate range high neutron flux | 10 decades of neutron flux overlapping source range by 2 decades and including 100% power |
| 3. Source range high neutron flux | 6 decades of neutron flux (10^-1 to 2 x 10^5 counts/sec) |
| 4. Power range high positive neutron flux rate | +2 to +30% of full power |
| 5. Overtemperature ΔT | TH 530 to 650°F; TC 510 to 630°F; Tavg 530 to 630°F; PPRZR 1700 to 2500 psig; F(ΔI) -60 to +60%; ΔT Setpoint 0 to 150% power |
| 6. Overpower ΔT | TH 530 to 650°F; TC 510 to 630°F; Tavg 530 to 630°F; ΔT Setpoint 0 to 150% power |
| 7. Pressurizer low pressure | 1700 to 2500 psig |
| 8. Pressurizer high pressure | 1700 to 2500 psig |

TABLE 7.2-3 (Sheet 2 of 2)

REACTOR TRIP SYSTEM INSTRUMENTATION (Cont'd)

| Reactor Trip Signal | Typical Range |
|---|---|
| 9. Pressurizer high water level | Entire cylindrical portion of pressurizer |
| 10. Low reactor coolant flow | 0 to 110% of rated flow |
| 11. Reactor coolant pump bus under voltage | 0 to 100% rated voltage |
| 12. Reactor coolant pump bus under frequency | 50 to 65 Hz |
| 13. Low-low steam generator water level | +6 ft., -12 ft. from nominal full load water level |
| 14. Turbine Trip (1) | |

NOTES:

(1) The reactor trip on turbine trip is anticipatory in that no credit is taken for it in the accident analyses.

TABLE 7.2-4 (Sheet 1 of 5)

REACTOR TRIP CORRELATION

| TRIP[a] | ACCIDENT[b] | TECH SPEC |
|---|---|---|
| 1. Power Range High Neutron Flux Trip (Low Setpoint) | 1. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal From a Subcritical Condition (15.2.1) | 3.3.1 Table 3.3.1-1 #2 |
| | 2. Excessive Heat Removal Due to Feedwater System Malfunctions (15.2.10) | |
| | 3. Rupture of a Control Rod Drive Mechanism Housing (Rod Cluster Control Assembly Ejection) (15.4.6) | |
| 2. Power Range High Neutron Flux Trip (High Setpoint) | 1. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal From a Subcritical Condition (15.2.1) | 3.3.1 Table 3.3.1-1 #2 |
| | 2. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal at Power (15.2.2) | |
| | 3. Excessive Heat Removal Due to Feedwater System Malfunctions (15.2.10) | |
| | 4. Excessive Load Increase Incident (15.2.11) | |
| | 5. Rupture of a Control Rod Drive Mechanism Housing (Rod Cluster Control Assembly Ejection) (15.4.6) | |
| 3. Intermediate Range High Neutron Flux Trip | 1. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal From a Subcritical Condition (15.2.1) | 3.3.1 Table 3.3.1-1 #4 |
| 4. Source Range High Neutron Flux Trip | 1. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal From a Subcritical Condition (15.2.1) | 3.3.1 Table 3.3.1-1 #5 |
| | 2. Uncontrolled Boron Dilution (15.2.4) (Modes 2, 3, 4, and 5) | |
| | 3. Excessive Heat Removal Due to Feedwater System Malfunctions (15.2.10) | |

TABLE 7.2-4 (Sheet 2 of 5)

REACTOR TRIP CORRELATION

| TRIP[a] | ACCIDENT[b] | TECH SPEC |
|---|---|---|
| 5. Power Range High Positive Neutron Flux Rate Trip | 1. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal From a Subcritical Condition (15.2.1) | 3.3.1 Table 3.3.1-1 #3 |
| | 2. Rupture of a Control Rod Drive Mechanism Housing (Rod Cluster Control Assembly Ejection) (15.4.6) | |
| 6. Overtemperature ΔT Trip | 1. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal at Power (15.2.2) | 3.3.1 Table 3.3.1-1 #6 |
| | 2. Uncontrolled Boron Dilution (15.2.4) | |
| | 3. Loss of External Electrical Load and/or Turbine Trip (15.2.7) | |
| | 4. Excessive Load Increase Incident (15.2.11) | |
| | 5. Accidental Depressurization of the Reactor Coolant System (15.2.12) | |
| | 6. Single Rod Cluster Control Assembly Withdrawal at Full Power (15.3.6) | |
| | 7. Major Rupture of a Main Feedwater Pipe (15.4.2.2) (Unit 1); Excessive Heat Removal Due to Feedwater System Malfunctions (15.2.10) (Unit 2) | |
| | 8. Excessive Heat Removal Due to Feedwater System Malfunctions (15.2.10) (Unit 1); Steam Generator Tube Rupture (15.4.3) (Unit 2) | |
| 7. Overpower ΔT Trip | 1. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal at Power (15.2.2) | 3.3.1 Table 3.3.1-1 #7 |
| | 2. Excessive Heat Removal Due to Feedwater System Malfunctions (15.2.10) | |
| | 3. Accidental Depressurization of the Main Steam System (15.2.13) | |

TABLE 7.2-4 (Sheet 2 of 5)

| TRIP[a] | ACCIDENT[b] | TECH SPEC |
|---|---|---|
| Overpower ΔT Trip (continued) | 4. Major Rupture of a Main Steam Line (15.4.2.1) | |
| | 5. Excessive Load Increase Incident (15.2.11) | |
| 8. Pressurizer Low Pressure Trip | 1. Excessive Load Increase Incident (15.2.11) | 3.3.1 Table 3.3.1-1 #8 |
| | 2. Accidental Depressurization of the Reactor Coolant System (15.2.12) | |
| | 3. Accidental Depressurization of the Main Steam System (15.2.13) | |
| | 4. Inadvertent Operation of Emergency Core Cooling System (15.2.14) | |
| | 5. Loss of Reactor Coolant From Small Ruptured Pipes or From Cracks in Large Pipes Which Actuates ECCS (15.3.1) | |
| | 6. Major Reactor Coolant System Pipe Ruptures (LOCA) (15.4.1) | |
| | 7. Major Rupture of a Main Steam Line (15.4.2.1) | |
| | 8. Major Rupture of a Main Feedwater Pipe (15.4.2.2) | |
| | 9. Steam Generator Tube Rupture (15.4.3) | |
| 9. Pressurizer High Pressure Trip | 1. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal at Power (15.2.2) | 3.3.1 Table 3.3.1-1 #8 |
| | 2. Loss of External Electrical Load and/or Turbine Trip (15.2.7) | |
| | 3. Major Rupture of a Main Feedwater Pipe (15.4.2.2) | |
| 10. Pressurizer High Water Level | 1. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal at Power (15.2.2) | 3.3.1 Table 3.3.1-1 #9 |
| | 2. Loss of External Electrical Load and/or Turbine Trip (15.2.7) | |
| | 3. Major Rupture of a Main Feedwater Pipe (15.4.2.2) | |

TABLE 7.2-4 (Sheet 4 of 5)

REACTOR TRIP CORRELATION

| TRIP[a] | ACCIDENT[b] | TECH SPEC |
|---|---|---|
| 11. Low Reactor Coolant Flow | 1. Partial Loss of Forced Reactor Coolant Flow (15.2.5) | 3.3.1 Table 3.3.1-1 #10 |
| | 2. Complete Loss of Forced Reactor Coolant Flow (15.3.4) | |
| | 3. Single Reactor Coolant Pump Locked Rotor (15.4.4). | |
| 12. Reactor Coolant Pump Bus Under voltage Trip | 1. Complete Loss of Forced Reactor Coolant Flow (15.3.4) | 3.3.1 Table 3.3.1-1 #11 |
| | 2. Partial Loss of Forced Reactor Coolant Flow (15.2.5) | |
| 13. Reactor Coolant Pump Bus Under frequency Trip | 1. Complete Loss of Forced Reactor Coolant Flow (15.3.4) | 3.3.1 Table 3.3.1-1 #12 |
| | 2. Partial Loss of Forced Reactor Coolant Flow (15.2.5) | |
| 14. Low-low Steam Generator Water Level Trip | 1. Loss of Normal Feedwater (15.2.8) | 3.3.1 Table 3.3.1-1 #13 |
| | 2. Loss of Offsite Power to the Station Auxiliaries (LOOP) (15.2.9) | |
| | 3. Major Rupture of a Main Feedwater Pipe (15.4.2.2) | |
| | 4. Loss of External Electrical Load and/or Turbine Trip (15.2.7) | |
| 15. Turbine Trip-Reactor Trip | Loss of External Electrical Load and/or Turbine Trip (15.2.7)[c] | 3.3.1 Table 3.3.1-1 #14 |
| 16. Safety Injection Signal Actuation Trip | 1. Accidental Depressurization of the Main Steam System (15.2.13) | 3.3.1 Table 3.3.1-1 #15 |
| | 2. Major Rupture of a Main Steam Line (15.4.2.1) | |
| | 3. Major Rupture of a Main Feedwater Pipe (15.4.2.2) | |
| 17. Manual Trip | Available for all Accidents (Chapter 15) | 3.3.1 Table 3.3.1-1 #1 |

TABLE 7.2-4 (Sheet 5 of 5)

NOTES:

a. Trips are listed in order of discussion in Section 7.2.
b. References refer to Chapter 15 accident analyses in which the trip may be utilized, either as a primary or backup trip.
c. Reactor trip on turbine trip is an anticipatory trip and is not credited in the accident analyses.

[Figure 7.2-1, Sheet 1: Watts Bar Final Safety Analysis Report, Powerhouse Unit 1, Electrical Logic Diagram, Reactor Protection System. TVA DWG No. 1-47W611-99-1 R7.]

[Figure 7.2-1, Sheet 1 (U2): Watts Bar Final Safety Analysis Report, Powerhouse Unit 2, Electrical Logic Diagram, Reactor Protection System. TVA DWG No. 2-47W611-99-1 R9.]

[Figure 7.2-1, Sheet 2: Watts Bar Final Safety Analysis Report, Powerhouse Unit 1, Electrical Logic Diagram, Reactor Protection System. TVA DWG No. 1-47W611-99-2 R13.]

[Figure 7.2-1, Sheet 2 (U2): Watts Bar Final Safety Analysis Report, Powerhouse Unit 2, Electrical Logic Diagram, Reactor Protection System. TVA DWG No. 2-47W611-99-2 R7.]

[Figure 7.2-1, Sheet 3: Watts Bar Final Safety Analysis Report, Powerhouse Unit 1, Electrical Logic Diagram, Reactor Protection System. TVA DWG No. 1-47W611-99-6 R4.]

[Figure 7.2-1, Sheet 3 (U2): Watts Bar Final Safety Analysis Report, Powerhouse Unit 2, Electrical Logic Diagram, Reactor Protection System. TVA DWG No. 2-47W611-99-6 R8.]

[Figure 7.2-1, Sheet 4 (U2): Watts Bar Final Safety Analysis Report, Powerhouse Unit 2, Electrical Logic Diagram, Feedwater System (narrow range steam generator low-low water level, Trip Time Delay logic). TVA DWG No. 2-47W611-3-8 R4. UFSAR Amendment 1.]

[Figure 7.2-2: Watts Bar Nuclear Plant Final Safety Analysis Report, Setpoint Reduction Function for Overpower and Overtemperature ΔT Trips. Legend:
ΔI - Neutron flux difference between upper and lower long ion chambers
A1, A2 - Limit of F(ΔI) deadband
B1, B2 - Slope of ramp; determines rate at which function reaches its maximum value once deadband is exceeded
C - Magnitude of maximum value the function may attain]

7.3 ENGINEERED SAFETY FEATURES ACTUATION SYSTEM

In addition to the requirements for a reactor trip for anticipated abnormal transients, the facility is provided with adequate instrumentation and controls to sense accident situations and initiate the operation of necessary engineered safety features (ESF). The occurrence of a limiting fault, such as a loss-of-coolant accident (LOCA) or a steamline break, requires a reactor trip plus actuation of one or more of the engineered safety features in order to prevent or mitigate damage to the core and reactor coolant system components, and ensure containment integrity.

In order to accomplish these design objectives the engineered safety features system has proper and timely initiating signals which are supplied by the sensors, transmitters and logic components making up the various protection system channels and trains of the engineered safety features actuation system (ESFAS).

7.3.1 Description

The engineered safety features actuation system uses selected plant parameters, determines whether or not predetermined limits are being exceeded and, if they are, combines the signals into logic matrices sensitive to combinations indicative of primary or secondary system boundary ruptures (Class III or IV faults). Once the required logic combination is completed, the system sends actuation signals to the appropriate engineered safety features components. The engineered safety features actuation system meets the requirements of Criteria 13, 20, 27, 28 and 38 of the 1971 General Design Criteria (GDC).

7.3.1.1 System Description

The engineered safety features actuation system is a functionally defined system described in this section. The equipment which provides the actuation functions identified in Section 7.3.1.1.1 is listed below and discussed in this section and the references.

1. Process Protection and Control System (References [1] and [5])
2. Solid State Logic Protection System (Reference [2])
3. Engineered Safety Features Test Cabinet
4. Manual Actuation Circuits

The engineered safety features actuation system consists of two discrete portions of circuitry:

1) A process protection portion consisting of three or four redundant channels per parameter or variable to monitor various plant parameters such as the reactor coolant system and steam system pressure and temperatures and containment pressures; and
2) a logic portion consisting of two redundant trains which receive inputs from the process protection channels and perform the logic needed to actuate the engineered safety features.

Each logic train is capable of actuating the engineered safety features equipment required. The intent is that any single failure within the engineered safety features actuation system shall not prevent system action when required.

The redundant concept is applied to both the process protection and logic portions of the system. Separation of redundant process protection channels begins at the process sensors and is maintained in the field wiring, containment vessel penetrations and process protection racks terminating at the redundant safeguards logic racks. The design meets the requirements of Criteria 20, 21, 22, 23 and 24 of the 1971 GDC.
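The single-failure intent stated above, checked exhaustively on a simplified model, as an added example that is not part of the FSAR. The failure modes (a failed channel stuck non-tripped, a failed train giving no output), the function names and the all-channels-must-agree contrast case are assumptions made for illustration.

```python
"""Single-failure check: redundant channels voted in two redundant logic trains.

Simplified model with assumed failure modes; not the plant's failure analysis.
"""
from itertools import combinations

TRAINS = ("A", "B")


def actuates(channel_demands, k, failed_channels=frozenset(), failed_trains=frozenset()):
    """True if any healthy train sees at least k channels demanding actuation.

    Assumed failure modes: a failed channel is stuck non-tripped and a failed
    train produces no actuation output.
    """
    seen = [d and i not in failed_channels for i, d in enumerate(channel_demands)]
    coincidence = sum(seen) >= k      # both trains receive the same channel outputs
    return coincidence and any(t not in failed_trains for t in TRAINS)


def components(n_channels):
    """Every item that can fail in the model: each channel and each train."""
    return [("channel", i) for i in range(n_channels)] + [("train", t) for t in TRAINS]


def defeating_failures(n_channels, k, n_failures):
    """Failure combinations of a given size that prevent actuation on a real demand."""
    demand = [True] * n_channels      # the variable is past its setpoint on every sensor
    defeating = []
    for combo in combinations(components(n_channels), n_failures):
        chans = frozenset(ident for kind, ident in combo if kind == "channel")
        trains = frozenset(ident for kind, ident in combo if kind == "train")
        if not actuates(demand, k, chans, trains):
            defeating.append(combo)
    return defeating


def meets_single_failure(n_channels, k):
    """No single channel or train failure may prevent actuation."""
    return not defeating_failures(n_channels, k, 1)


if __name__ == "__main__":
    # 2/4 and 2/3 are coincidences used on this page; 3/3 is a hypothetical contrast.
    for n, k in [(4, 2), (3, 2), (3, 3)]:
        print(f"{k}/{n}: single-failure tolerant = {meets_single_failure(n, k)}, "
              f"defeating double failures = {defeating_failures(n, k, 2)}")
```

In this model the only double failure that defeats a 2/4 function is the loss of both trains, while a 2/3 function is also defeated by any two channel failures.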

The variables are sensed by the process protection circuitry as discussed in References [1] and [5] and in Section 7.2. The outputs from the process protection channels are combined into actuation logic as shown in Figure 7.3-3, Figure 7.2-1, Sheet 4, and Figure 7.6-6 Sheet 1.

Tables 7.3-1 and 7.3-2 give additional information pertaining to logic and function.

The interlocks associated with the engineered safety features actuation system are outlined in Table 7.3-3. These interlocks satisfy the functional requirements discussed in Section 7.1.2.

Controls provided on the control board for manual initiation of protective actions are discussed in Section 7.3.2.2.6.

7.3.1.1.1 Function Initiation

Functions which rely on the engineered safety features actuation system for initiation are:

1. A reactor trip, provided one has not already been generated by the reactor trip system.
2. Emergency Core Cooling System (ECCS) pumps, and associated valving which provide emergency makeup water to the cold legs of the reactor coolant system following a loss-of-coolant accident.
3. Essential raw cooling water and component cooling water pumps start and heat exchanger valve realignment.

4. Auxiliary feedwater pumps and associated valves which maintain the steam generator heat sink during emergency or accident conditions.
5. Phase A containment isolation, whose function is to prevent fission product release (isolation of all lines not essential to reactor protection).
6. Steamline isolation to prevent the continuous, uncontrolled blowdown of more than one steam generator and thereby uncontrolled reactor coolant system cooldown.
7. Main feedwater isolation as required to prevent or mitigate the effect of excessive cooldown and the effects of main steam valve vault flooding due to a main feedwater line break.
8. Start the emergency diesels to assure backup supply of power to emergency and supporting systems components.
9. Isolate the control room intake ducts to meet control room occupancy requirements following a loss-of-coolant accident.
10. Emergency gas treatment system actuation.
11. Containment ventilation isolation.
12. Containment spray actuation to reduce containment pressure and temperature following a loss-of-coolant or steamline break accident inside containment.
13. Phase B containment isolation which isolates the containment following a loss-of-coolant accident or a steam or feedwater line break within containment to limit radioactive releases, and starts the containment air return fans to cool containment and reduce pressure following an accident. (Phase B isolation together with Phase A isolation results in isolation of all but safety injection and spray lines penetrating the containment).
14. Automatic switchover of the RHR pumps from the injection to the recirculation mode (Post-LOCA).
15. Auxiliary Building isolation.

7.3.1.1.2 Process Protection Circuitry

The process protection system sensors and racks for the engineered safety features actuation system are described in References [1] and [5]. Discussed in these reports are the protection system parameters to be measured including pressures, flows, tank and vessel water levels, and temperatures as well as the measurement and signal transmission considerations. These latter considerations include the transmitters, flow elements, and resistance temperature detectors, as well as automatic calculations, signal conditioning/processing and location and mounting of the devices.

The sensors monitoring the primary system are located as shown on the system flow diagrams in Chapter 5, Reactor Coolant System. The secondary system sensor locations are shown on the feedwater and steam system flow diagrams given in Chapter 10, Main Steam and Power Conversion Systems.

Containment pressure is sensed by four physically separated, seismically mounted transmitters outside of the containment. The distance from penetration to transmitter is kept to a minimum, and separation is maintained.

The following is a description of those functions not included in the reactor trip or engineered safety features actuation systems which enable additional monitoring in the post loss-of-coolant accident recovery period.

1. High head and low head ECCS pumps flow

These channels clearly show that the ECCS pumps are operating. The transmitters are located outside the containment.

2. ECCS pumps status

ECCS pumps status is provided by red (running) and green (stopped) indicating lights on the control board. These lights are operated by pump motor circuit breaker auxiliary contacts.

3. Valve position

Engineered safety features remote operated valves are provided with position indication on the control board to show proper positioning of the valves. Valve position typically is displayed by red (open) and green (closed) lights actuated by limit switches integral to the valve operator or, in some instances, by valve stem mounted limit switches which are independent of the valve operator. The RHR heat exchanger outlet flow control valves (FCV-74-16 and 28) are exceptions in that each valve has only a red light that is on when the valve is fully open. For the accumulator isolation valves, in addition to the valve position lights, annunciation is provided on the control board if the valves are not correctly positioned for ESF actuation.

7.3.1.1.3 Analog Instrumentation (Unit 2 only)

The miscellaneous safety-related analog process control and indication loops are made up of discrete analog modules that have been tested and qualified for use in safety related systems.

The various components have been qualified to IEEE Standard 323-1974 "IEEE Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations", and IEEE Standard 344-1975 "IEEE Standard Recommended Practices for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations." The modules are arranged in instrument loops to provide the safety functions listed below:

  • Turbine driven AFW Pump Flow Control
  • Motor driven AFW pump differential pressure indication and recirculation valve control
  • Containment Pressure indication
  • Upper and Lower Compartment Containment Ambient Temperature indication
  • ERCW Strainer Differential Pressure, Backwash and Flush Control
  • CCS Heat Exchanger B Inlet Pressure
  • CCS Surge Tank Level Control
  • CCS Heat Exchanger B Outlet Temperature
  • Reactor Vessel Head Vent Throttle Manual Loading Station
  • EGTS Annulus Differential Pressure Control

The components are physically arranged in the racks to meet the requirements of IEEE-279 and Watts Bar Design Criteria WB-DC-30-4, Separation/Isolation. Two 1E analog modules are used to isolate 1E to Non-1E signals. These are the Contact Output Isolator and Voltage-to-Current Converter, both of which have the Input and Output signals isolated. EMI testing and acceptance by TVA of the Foxboro Spec 200 hardware is documented in Reference [8].

7.3.1.1.4 Logic Circuitry

The engineered safety features logic racks are discussed in detail in Reference [2]. The description includes the considerations and provisions for physical and electrical separation as well as details of the circuitry. Reference [2] also covers certain aspects of on-line test provisions, provisions for test points, considerations for the instrument power source, and considerations for accomplishing physical separation. The outputs from the process protection channels are combined into actuation logic as shown on Figure 7.3-3, Figure 7.2-1, Sheet 4, and Figure 7.6-6, Sheet 1.

To facilitate engineered safety features actuation testing, two cabinets (one per train) are provided which enable operation, to the maximum practical extent, of safety features loads on a group by group basis until actuation of all devices has been checked. Testing of the ESFAS and actuated devices is discussed in Section 7.3.2.2.5.

7.3.1.1.5 Final Actuation Circuitry

The outputs of the solid state logic protection system (the slave relays) are energized to actuate, as are most final actuators and actuated devices. These devices include the following:

1. ECCS pumps and valve actuators (see Chapter 6).
2. Containment isolation: Phase A signal isolates all non-essential process lines on receipt of safety injection signal; Phase B signal isolates remaining process lines (which do not include safety injection and containment spray lines) on receipt of 2/4 high-high containment pressure signal (see Chapter 6).
3. Essential raw cooling water and component cooling water pumps and valve actuators (see Chapter 9).
4. Auxiliary feedwater pumps and valve actuators (see Chapter 10).
5. Diesel generators start (see Chapter 8).
6. Feedwater Isolation (see Chapter 10).
7. Containment ventilation isolation valve and damper actuators (see Chapters 6 and 9).
8. Steamline isolation valve actuators (see Chapter 10).
9. Containment spray pump and valve actuators (see Chapter 6).
10. Control room isolation (see Chapters 6 and 9).
11. Auxiliary building isolation (see Chapters 6 and 9).
12. Auxiliary Building Gas Treatment System (See Chapter 6).
13. Emergency Gas Treatment System (See Chapter 6).
14. Motor-Operated Valve Thermal Overload Bypass (See Chapter 8).

In the event of an accident concurrent with a Loss of Offsite Power (LOOP), the engineered safety features loads are sequenced onto the diesel generators to prevent overloading them.

This sequence is discussed in Chapter 8. The design meets the requirements of Criterion 35 of the 1971 GDC.

7.3.1.1.6 Support Systems

The following systems are required for support of the Engineered Safety Features:

1. Essential Raw Cooling Water System - heat removal (see Chapter 9).
2. Component Cooling Water System - heat removal (see Chapter 9).
3. Electrical Power Distribution Systems (see Chapter 8).

4. Auxiliary Control Air System (see Chapter 9).
5. Heating, Ventilating and Air Conditioning Systems (see Chapter 9).

7.3.1.2 Design Bases Information

The functional diagrams presented in Figure 7.3-3, Figure 7.2-1, Sheet 4, and Figure 7.6-6, Sheet 1 provide the functional logic associated with requirements for the engineered safety features actuation system. Requirements for the engineered safety features systems are given in Chapters 6, 9, and 10. Given below is the design bases information required in IEEE Standard 279-1971 [3].

7.3.1.2.1 Generating Station Conditions

Chapter 15 identifies the generating station conditions which require protective action. These conditions include primary system breaks, such as LOCA and steam generator tube rupture, and secondary system breaks such as steamline rupture and feedwater line break.

7.3.1.2.2 Generating Station Variables

The generating station variables that are monitored by the ESFAS for the automatic initiation of protective actions for the events identified in Chapter 15 include the following:

a. Pressurizer pressure
b. Containment pressure
c. Steamline pressures
d. Steamline pressure rate
e. Steam generator level
f. Reactor coolant temperature (Tavg)
g. Containment Purge air exhaust radiation monitors (Unit 2)
h. Main steam valve vault level switches (Unit 2)
i. Containment sump level (Unit 2)

Post accident monitoring requirements and variables are given in Tables 7.5-1 and 7.5-2.

(Unit 1)

7.3.1.2.3 Spatially Dependent Variables

The only variable sensed by the engineered safety features actuation system which has spatial dependence is reactor coolant temperature. The effect on the measurement is negated by taking multiple samples from the reactor coolant hot and cold legs and electronically averaging these samples in the process protection system.

7.3.1.2.4 Limits, Margin and Levels

Prudent operational limits, available margins and setpoints before onset of unsafe conditions requiring protective action are discussed in Chapter 15 and the Technical Specifications. See Section 7.1.2.1.9 for additional discussion.

7.3.1.2.5 Abnormal Events

The malfunctions, accidents, or other unusual events which could physically damage protection system components or could cause environmental changes are as follows:

1. Loss-of-Coolant Accident (see Sections 15.3 and 15.4)
2. Steamline and feedwater line Breaks (see Sections 15.3 and 15.4)
3. Earthquakes (See Sections 2.5 and 3.7)
4. Fire (See Section 9.5.1)
5. Explosion (Hydrogen buildup inside-containment) (See Section 6.2.5)
6. Missiles (See Section 3.5)
7. Flood (See Sections 2.4 and 3.4)
8. Wind and tornadoes (See Section 3.3)

7.3.1.2.6 Minimum Performance Requirements

Minimum performance requirements are as follows:

1. System Response Times:

The ESFAS response time is defined in Section 7.1.

The maximum allowable engineered safety features response times are provided in the Technical Requirements Manual. These values are verified in accordance with the Technical Specifications and are consistent with the safety analyses. See Table 7.1-1, Note 1, for a discussion of periodic response time verification capabilities.

2. System accuracies:

Accuracies required for generating the required ESFAS signals for mitigation of the design basis events considered in Chapter 15 are provided in References [6] and [7 - U2].

3. Ranges of sensed variables to be accommodated until conclusion of protective action is assured:

Typical ranges of instrumentation used in generating the required ESFAS signals for protection against the postulated events given in Chapter 15 are as follows:

a. Pressurizer pressure: 1700 to 2500 psig
b. Containment pressure: -2 to 15 psig
c. Steamline pressure: 0 to 1300 psig
d. Steam generator level: 0 to 100% (See Table 7.2-3)
e. Tavg: 530 to 630°F

7.3.1.3 Final System Drawings

The functional logic diagrams, electrical schematic diagrams and other drawings for the systems discussed in this section are referenced in Table 1.7-1.

7.3.2 Analysis

7.3.2.1 System Reliability/Availability and Failure Mode and Effect Analyses

A discussion on the reliability/availability of the Eagle 21 process protection system is provided in Section 7.2.2.

A failure mode and effects analysis (FMEA) was performed [Reference 4] on a generic ESFAS similar to the Watts Bar ESFAS, including sensors, signal processing equipment and Solid State Protection System (SSPS) logic. The results of the FMEA show that the ESFAS complies with the single failure criterion of IEEE 279-1971. No single failure was found which could prevent the ESFAS from generating the proper actuation signal on demand for an engineered safety feature. Failures are either in the safe direction, or a redundant channel or train ensures the necessary actuation capability. The actuation functions are essentially the same for the Watts Bar Nuclear Plant as for the generic system analyzed. The Watts Bar ESFAS has been designed to safety design criteria equivalent to the generic system analyzed. This ESFAS FMEA applies to all Watts Bar engineered safety features, both NSSS and BOP related, that are automatically actuated by the dry contacts of the slave relays in the output cabinets of the SSPS.

7.3.2.2 Compliance With Standards and Design Criteria

Discussion of the General Design Criteria (GDC) is provided in various sections of Chapter 7 where a particular GDC is applicable. Compliance with certain IEEE Standards and Regulatory Guides is presented in Section 7.1, Table 7.1-1. The discussion given below shows that the engineered safety features actuation system complies with IEEE Standard 279-1971, Reference [3].

7.3.2.2.1 Single Failure Criterion

Unit 1

The discussion presented in Section 7.2.2.2 (item 2) is applicable to the ESFAS, with the following exception.

In the ESFAS, a loss of instrument power will call for actuation of ESF equipment controlled by the specific comparator that lost power (except containment spray and switchover from injection to recirculation following a safety injection). The actuated equipment must have power to comply. The power supply for the protection systems is discussed in Chapter 8. For the noted exceptions, the final comparators are energized to trip to avoid spurious actuation. In addition, manual containment spray requires a simultaneous actuation of two manual controls. Two sets of manual containment spray controls are provided (2 switches/set). Simultaneous operation of both switches in either set will actuate containment spray in both trains. (Section 7.3.2.2.6 provides a discussion of protective action manual initiation capability.) This is considered acceptable because spray actuation on high-high containment pressure signal provides automatic initiation of the system via protection channels meeting the criteria in Reference [3].

Moreover, most ESF equipment (valves, pumps, etc.) can be individually manually actuated from the control board. Hence, a third mode of containment spray initiation is available. The design meets the requirements of Criteria 21 and 23 of the 1971 GDC.

Unit 2

The discussion presented in Section 7.2.2.2 (item 2) is applicable to the engineered safety features actuation system, with the following exception.

In the ESFAS, a loss of input power to a channel or logic train will result in a signal calling for a trip (except containment spray and switchover from injection to recirculation following a safety injection). The ESFAS slave relay outputs are energized to actuate the ESF equipment. In the event of a loss of instrument power to one ESFAS train, an independent, redundant train is available to actuate the required ESF equipment. The power supply for the protection systems is discussed in Chapter 8. For the noted exceptions, the final comparators are energized to trip to avoid spurious actuation. In addition, manual containment spray requires a simultaneous actuation of two manual controls. Two sets of manual containment spray controls are provided (2 switches/set). Simultaneous operation of both switches in either set will actuate containment spray in both trains. (Section 7.3.2.2.6 provides a discussion of protective action manual initiation capability.) This is considered acceptable because spray actuation on high-high containment pressure signal provides automatic initiation of the system via protection channels meeting the criteria in Reference [3]. Moreover, most ESF equipment (valves, pumps, etc.) can be individually manually actuated from the control board. Hence, a third mode of containment spray initiation is available. The design meets the requirements of Criteria 21 and 23 of the 1971 GDC.

7.3.2.2.2 Equipment Qualification

Equipment seismic qualification is discussed in Section 3.10. Environmental qualification for the equipment located in a harsh environment is discussed in Section 3.11.2.1 and Sections 3.11.3 through 3.11.7. Environmental qualification for the equipment located in a mild environment is discussed in Section 3.11.2.2 and emphasizes the site preventative maintenance, testing and surveillance programs as supporting activities.

7.3.2.2.3 Channel Independence

The discussion presented in Section 7.2.2.2 (Item 6) is applicable. The ESF slave relay outputs from the solid state logic protection cabinets are redundant, and the actuations associated with each train are energized up to and including the final actuators by the separate ac power supplies which power the logic trains.

7.3.2.2.4 Control and Protection System Interaction

The discussions presented in Section 7.2.2.2 (Item 7) are applicable.

7.3.2.2.5 Capability for Sensor Checks and Equipment Test and Calibration

The discussions of system testability in Section 7.2.2.2 (Items 9, 10, and 11) are applicable to the sensors, process protection system circuitry, and logic trains of the ESFAS.

The following discussions cover those areas in which the testing provisions differ from those for the reactor trip system.

Testing of ESFAS

The ESF systems are tested to provide assurance that they will operate as designed and will be available to function properly in the unlikely event of an accident. The testing program meets the requirements of Criteria 21, 37, 40, and 43 of the 1971 GDC and RG 1.22 as discussed in Table 7.1-1. The tests described in this section and further discussed in Section 6.3.4 meet the requirements on testing of the ECCS as stated in GDC 37 except for the operation of those components that will cause an actual safety injection. The test, as described, demonstrates the performance of the full operational sequence that brings the system into operation, the transfer between normal and emergency power sources and the operation of associated cooling water systems. The safety injection and RHR pumps are started and operated and their performance verified in a separate test discussed in Section 6.3.4. When the pump tests are considered in conjunction with the ECCS test, the requirements of GDC 37 on testing of the ECCS are met as closely as possible without causing an actual safety injection.

Testing as described in Sections 6.3.4, 7.2.2.2 (Item 10) and this section provides complete periodic testability during reactor operation of all logic and components associated with the ECCS. The program is as follows:

1. Prior to initial plant operation, ESF system tests were conducted. (See Chapter 14.)
2. Subsequent to initial startup, periodic ESF system tests are conducted in accordance with Technical Specification surveillance requirements.
3. During on-line operation of the reactor, all of the ESFAS process protection and logic circuitry are fully tested. ESFAS slave relays and ESF final actuators are tested in accordance with Technical Specification Surveillance requirements. The final actuators whose operation is not compatible with continued on-line plant operation are checked by means of continuity testing.

Performance Test Acceptability Standard for the Safety Injection Signal and the Automatic Demand Signal for Containment Spray Actuation

During reactor operation the basis for ESFAS acceptability is the successful completion of the tests performed on the initiating system and the ESFAS. Checks of process indications verify operability of the sensors. Protection system checks and tests verify the operability of the circuitry. Solid state logic testing also checks the signal path from logic input relay contacts through the logic matrices and master relays and performs continuity tests on the coils of the output slave relays. Final actuator testing operates the output slave relays and verifies operability of those devices which require safeguards actuation and which can be tested without causing plant upset. A continuity check is performed on the actuators of the untestable devices. Operation of the final devices is confirmed by control board indication and visual observation that the appropriate pump breakers close and automatic valves have completed their travel.

The basis for acceptability for the ESF interlocks is control board indication of proper receipt of the signal upon introducing the required input at the appropriate setpoint.

Maintenance checks (performed in accordance with the plant procedures) such as resistance to ground of signal cables in radiation environments, are based on qualification test data which identifies what constitutes acceptable radiation, thermal, etc., degradation.

Frequency of Performance of Engineered Safety Features Actuation Tests

Testing is performed on a periodic basis in accordance with the Technical Specifications.

Engineered Safety Features Actuation Test Description

The following sections describe the testing circuitry and procedures for the on-line portion of the testing program. The guidelines used in developing the circuitry and procedures are:

1. The test procedures must not involve the potential for damage to any plant equipment.
2. The test procedures must minimize the potential for accidental tripping.
3. The provisions for on-line testing must minimize complication of engineered safety features actuation circuits so that their reliability is not degraded.

Description of Initiation Circuitry

Several systems comprise the total engineered safety features system, the majority of which may be initiated by different process conditions and be reset independently of each other. The remaining functions are initiated by a common signal (safety injection) which in turn may be generated by different process conditions. In addition, operation of all other vital auxiliary support systems, such as auxiliary feedwater, component cooling and essential raw cooling water, is initiated by the safety injection signal. Each function is actuated by a logic circuit which is duplicated for each of the two redundant trains of engineered safety features initiation circuits. The output of each of the initiation circuits consists of a master relay which drives slave relays for contact multiplication as required. The logic, master, and slave relays are mounted in the SSPS cabinets designated Train A and Train B, respectively, for the redundant counterparts. The master and slave relay circuits operate various pump and fan circuit breakers or starters, motor operated valve contactors, solenoid operated valves, emergency generator starting, etc.

Process Protection System Testing

Process protection system testing is identical to that used for reactor trip circuitry and is described in Section 7.2.2.2 (Item 10). Exceptions to this are containment spray and switchover from injection (RWST) to recirculation (containment sump), which are energized to actuate (2/4) and revert to 2/3 when one channel is in test.
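
The loss-of-power behaviour described in Section 7.3.2.2.1 and the 2/4 coincidence that becomes 2/3 with one channel in test can be illustrated with a small model. This is an added example, not part of the FSAR or of any plant or vendor software; the channel names, readings and the 3.0 psig setpoint are constructed values, and a channel in test is modelled simply as removed from the vote.

```python
"""Simplified model of ESFAS comparator outputs and coincidence voting.

Added illustration only: setpoint and readings are constructed values, not
plant data. The real logic is implemented in comparators, relays and SSPS
hardware, not in software like this.
"""
from dataclasses import dataclass, field
from enum import Enum


class TripMode(Enum):
    DEENERGIZE_TO_TRIP = "de-energize to trip"  # loss of power reads as a demand
    ENERGIZE_TO_TRIP = "energize to trip"        # loss of power cannot create a demand


@dataclass
class Channel:
    name: str               # hypothetical channel label
    reading_psig: float
    powered: bool = True
    in_test: bool = False


@dataclass
class VoteResult:
    actuate: bool
    logic: str              # effective coincidence, e.g. "2/4" or "2/3"
    demanding: list = field(default_factory=list)


def comparator_demand(ch, setpoint_psig, mode):
    """True when this channel's comparator output calls for actuation (high trip)."""
    if not ch.powered:
        # An unpowered comparator drops out: that is a demand only for
        # de-energize-to-trip channels.
        return mode is TripMode.DEENERGIZE_TO_TRIP
    return ch.reading_psig >= setpoint_psig


def vote(channels, setpoint_psig, mode, required=2):
    """Coincidence vote over the channels that are not in test."""
    if mode is not TripMode.ENERGIZE_TO_TRIP and any(c.in_test for c in channels):
        # The page states the 2/4 -> 2/3 behaviour only for the energize-to-trip
        # functions; test handling of other channels is in Section 7.2.2.2.
        raise NotImplementedError("test handling not modelled for this trip mode")
    in_service = [c for c in channels if not c.in_test]
    demanding = [c.name for c in in_service
                 if comparator_demand(c, setpoint_psig, mode)]
    return VoteResult(len(demanding) >= required,
                      f"{required}/{len(in_service)}", demanding)


SETPOINT_PSIG = 3.0  # constructed high-high containment pressure setpoint


def make_channels(readings, unpowered=(), in_test=()):
    """Build four channels from constructed readings."""
    names = ["ch1", "ch2", "ch3", "ch4"]
    return [Channel(n, r, powered=n not in unpowered, in_test=n in in_test)
            for n, r in zip(names, readings)]


def scenarios():
    """Run the constructed cases and return their vote results by name."""
    e2t, d2t = TripMode.ENERGIZE_TO_TRIP, TripMode.DEENERGIZE_TO_TRIP
    normal = [0.3, 0.2, 0.3, 0.4]
    return {
        "normal": vote(make_channels(normal), SETPOINT_PSIG, e2t),
        "two_high": vote(make_channels([3.4, 0.3, 3.6, 0.4]), SETPOINT_PSIG, e2t),
        "test_one_high": vote(
            make_channels([0.3, 3.5, 0.3, 0.4], in_test={"ch1"}), SETPOINT_PSIG, e2t),
        "test_two_high": vote(
            make_channels([0.3, 3.5, 3.2, 0.4], in_test={"ch1"}), SETPOINT_PSIG, e2t),
        # Same power loss on two channels, evaluated under both trip modes.
        "power_loss_e2t": vote(
            make_channels(normal, unpowered={"ch1", "ch2"}), SETPOINT_PSIG, e2t),
        "power_loss_d2t": vote(
            make_channels(normal, unpowered={"ch1", "ch2"}), SETPOINT_PSIG, d2t),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:15s} logic={result.logic} actuate={result.actuate} "
              f"demanding={result.demanding}")
```

The last two cases show why the spray and switchover comparators are energized to trip: the same loss of power to two channels produces no demand in that mode but satisfies the coincidence in the de-energize-to-trip mode.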

Solid State Logic Testing

Except for the channels which actuate containment spray and switchover from the refueling water storage to the containment sump, solid state logic testing is the same as that discussed in Section 7.2.2.2 (Item 10). Logic matrices are tested from the Train A and Train B logic rack test panels. During this test, each of the logic inputs is actuated automatically in all combinations of trip and non-trip logic. Trip logic is not maintained long enough to permit master relay actuation; master relays are "pulsed" in order to check continuity. Following the logic testing, the individual master relays are actuated electrically to test their mechanical operation. Actuation of the master relays during this test will apply low voltage to the slave relay coil circuits to allow continuity checking but not slave relay actuation. Annunciation is provided in the control room to indicate when a train is in test. During logic testing of one train, the other train can initiate the required engineered safety features function. Additional details of the logic system testing are given in Reference [2].

Actuator Testing

At this point, testing of the initiation circuits through operation of the master relay and its contacts to the coils of the slave relays has been accomplished. Slave relays do not operate because of reduced voltage.

The ESFAS final actuation device or actuated equipment testing is performed from the engineered safeguards test cabinets, which are located near the SSPS logic cabinets. One test cabinet is provided for each of the two protection Trains A and B. Each cabinet contains individual test switches necessary to actuate the slave relays. To prevent accidental actuation, test switches are of the type that must be rotated and then depressed to operate the slave relays. Assignments of contacts of the slave relays for actuation of various final devices or actuators have been made such that groups of devices or actuated equipment can be operated individually during plant operation without causing plant upset or equipment damage. In the unlikely event that an ESFAS signal is initiated during the test of the final device that is actuated by this ESFAS signal, the device will already be in its safeguard position.

During this last procedure, close communication between the main control room operator and the operator at the test panel is required. Prior to the energizing of a slave relay, the main control room (MCR) operator assures that plant conditions will permit operation of the equipment that will be actuated by the relay. After the tester has energized the slave relay, the MCR operator observes that all equipment has operated as indicated by appropriate indicating lamps, monitor lamps, and annunciators on the control board, and, using a prepared check list, records all operations. He then resets all devices and prepares for operation of the next slave relay actuated equipment.

By means of the procedure outlined above, ESF devices actuated by ESFAS initiation circuits are operated by the test circuitry, except those devices which cannot be operated at power without causing plant upset (reference Table 7.1-1, Note 2).

Actuator Blocking and Continuity Test Circuits

Those few final actuation devices that cannot be actuated during plant operation (discussed in Section 7.1) have been assigned to slave relays for which additional test circuitry has been provided to individually block actuation of a final device upon operation of the associated slave relay during testing. Operation of these slave relays, including contact operations, and continuity of the electrical circuits associated with the final devices' control are checked in lieu of actual operation. The circuits provide for monitoring of the slave relay contacts and the devices' control circuit cabling, control voltage, and actuation solenoids. These continuity test circuits for components that cannot be operated online are verified by proving lights on the safeguards test cabinets. Interlocking prevents blocking the output from more than one output relay in a protection train at a time. Interlocking between trains is also provided to prevent continuity testing in both trains simultaneously; therefore the redundant device associated with the protection train not under test will be available in the event protection action is required.

Time Required for Testing

It is estimated that testing of a process protection system channel can be performed within one hour. Logic testing of either Train A or B can be performed in less than 2 hours. Testing of actuated components (including those which can only be partially tested) requires the involvement of a control room operator. It is expected to require several shifts to accomplish these tests. During this procedure automatic actuation circuitry will override testing, except for those few devices associated with a single slave relay whose outputs must be blocked. It is anticipated that continuity testing associated with a blocked slave relay could take several minutes. During this time the redundant devices in the other train would be functional.

Summary of On-Line Testing Capabilities

The procedures described provide capability for checking completely from the process signal to the logic cabinets and from there to the individual pump and fan circuit breakers or starters, valve contactors, pilot solenoid valves, etc., including all field cabling actually used in the circuitry called upon to operate for an accident condition. For those few devices whose operation could adversely affect plant or equipment operation, the same procedure provides for checking from the process signal to the logic rack. To check the final actuation device a continuity test of the individual control circuits is performed.

The procedure requires testing at various locations:

1. Process protection system testing and verification of comparator setpoints are accomplished at protection system racks. Verification of comparator relay operation is done at the MCR status lights, except for those channels which may be tested in bypass.
2. Logic testing through operation of the master relays and low voltage application to slave relays is done at the logic racks test panels.

3. Testing of pumps, fans and valves is done at the safeguards test cabinets located near the logic racks in combination with actions initiated by the control room operator.
4. Continuity testing for those circuits that cannot be operated is also done at the safeguards test cabinets.

Testing During Shutdown

Emergency core cooling system tests are performed as described in Section 6.3 and in accordance with the Technical Specifications at each major fuel reloading with the reactor coolant system isolated from the emergency core cooling system by closing the appropriate valves. A test safety injection signal will then be applied to initiate operation of active components (pumps and valves) of the emergency core cooling system. This is in compliance with Criterion 37 of the 1971 GDC.

Containment spray system tests are performed as described in Section 6.2 and in accordance with the Technical Specifications at each major fuel reloading. The tests will be performed with the isolation valves in the spray supply lines at the containment blocked closed and are initiated by tripping the normal actuation instrumentation.

Periodic Maintenance Inspections

The maintenance procedures which follow may be accomplished in any order. The frequency will depend on the operating conditions and requirements of the reactor power plant. If any degradation of equipment operation is noted, either mechanically or electrically, remedial action is taken to repair, replace, or readjust the equipment. Optimum operating performance must be achieved at all times.

Typical maintenance procedures include the following:

1. Check cleanliness of accessible exterior and interior surfaces.
2. Check fuses for corrosion.
3. Inspect for loose or broken control knobs and burned out indicator lamps.
4. Inspect for moisture and condition of cables and wiring.
5. Mechanically check connectors and terminal boards for looseness, poor connection, or corrosion.
6. Inspect the components of each assembly for signs of overheating or component deterioration.
7. Perform complete system operating check.

The balance of the requirements listed in Reference [3] (paragraphs 4.11 through 4.22) are discussed in Sections 7.2.2.2 and 7.3.2.2.6.

7.3.2.2.6 Manual Initiation, Reset and Blocks of Protective Actions

Unit 1

Capability is provided at the system level for manual initiation of reactor trip, safety injection, Phase A containment isolation and containment spray (along with Phase B containment isolation and containment ventilation isolation). Manual reset capability of these protective actions is also provided. This design meets the requirements of IEEE 279-1971, Section 4.17 and Regulatory Guide 1.62.

However, the manual initiation of both steamline isolation and switchover from injection to recirculation following a loss of primary coolant accident is performed at the component level only, so that the initiation of these two systems is not specifically designed to meet Section 4.17 of IEEE 279-1971.

The main steam isolation valves are included in the plant design to mitigate the consequences resulting from steam line breaks, and protection logic is provided in the plant design to automatically close the valves when necessary. There are four individual main steam isolation valve control switches (one per loop) mounted on the control board. Each switch when actuated will isolate one of the main steam lines.

The inadvertent manual closure of any single MSIV or the simultaneous closure of all MSIVs both create Condition II events. If all valves are closed simultaneously when the plant is operating at full power, a loss-of-load accident will result with a consequent primary and secondary side pressure increase, reactor trip and secondary side safety valve release (refer to Section 15.2.7). In the event that only one valve closes on inadvertent manual actuation when the plant is operating at full power, the steam flow in the other loops will increase in an attempt to restore full power steam flow. The non-symmetric steam flow can cause an increase in reactor power due to the non-symmetric loop temperatures and to the moderator temperature coefficient of reactivity. Consequently, margins to DNB are reduced.

Since remote individual closure of the steam line isolation valves from the control room is required for operational reasons, additional manual capabilities which could result in the inadvertent closure of all steam isolation valves would not improve reactor safety.

The manual operations performed at the component level for switchover from safety injection to cold leg recirculation following a loss of primary coolant accident are described in Table 6.3-3.

An evaluation of the associated time sequences is presented in Table 6.3-3a.

These manual operations cause multiple valve realignments to ensure the proper flow paths.

An inadvertent manual actuation of these valves at the system level prior to the conditions required for switchover would cause multiple valve misalignments, which would result in serious consequences to plant safety. The consequences of an inadvertent manual actuation of a single device at the component level would be significantly less serious and more easily recoverable. System level actuation of switchover from injection to recirculation is not considered to be a safety enhancement.

The manual block features associated with pressurizer and steam line safety injection signals provide the operator with the means to block initiation of safety injection during plant startup or shutdown/cooldown. These block features meet the requirements of Paragraph 4.12 of IEEE Standard 279-1971 in that automatic removal of the block occurs when plant conditions require the protection system to be functional.

Unit 2

Capability is provided at the system level for manual initiation of reactor trip, safety injection, Phase A containment isolation and containment spray (along with Phase B containment isolation and containment ventilation isolation). Manual reset capability of these protective actions is also provided. This design meets the requirements of IEEE 279-1971, Section 4.17 and Regulatory Guide 1.62.

However, the manual initiation of both steamline isolation and switchover from injection to recirculation following a loss of primary coolant accident is performed at the component level only, so that the initiation of these two systems is not specifically designed to meet Section 4.17 of IEEE 279-1971.

The main steam isolation valves are included in the plant design to mitigate the consequences resulting from steam line breaks, and protection logic is provided in the plant design to automatically close the valves when necessary. There are four individual main steam isolation valve control switches (one per loop) mounted on the control board. Each switch when actuated will isolate one of the main steam lines.

The inadvertent manual closure of any single MSIV or the simultaneous closure of all MSIVs both create Condition II events. If all valves are closed simultaneously when the plant is operating at full power, a loss-of-load accident will result with a consequent primary and secondary side pressure increase, reactor trip and secondary side safety valve release (refer to Section 15.2.7). In the event that only one valve closes on inadvertent manual actuation when the plant is operating at full power, the steam flow in the other loops will increase in an attempt to restore full power steam flow. The nonsymmetric steam flow can cause an increase in reactor power due to the nonsymmetric loop temperatures and to the moderator temperature coefficient of reactivity. Consequently, margins to DNB are reduced.

Since remote individual closure of the steam line isolation valves from the control room is required for operational reasons, additional manual capabilities which could result in the inadvertent closure of all steam isolation valves would not improve reactor safety.

The manual operations performed at the component level for switchover from safety injection to cold leg recirculation following a loss of primary coolant accident are described in Table 6.3-3.

An evaluation of the associated time sequences is presented in Table 6.3-3a.

The manual block features associated with pressurizer and steam line safety injection signals provide the operator with the means to block initiation of safety injection during plant startup or shutdown/cooldown. These block features meet the requirements of Paragraph 4.12 of IEEE Standard 279-1971 in that automatic removal of the block occurs when plant conditions require the protection system to be functional.

7.3.2.3 Further Considerations

In addition to the considerations given above, a loss of one train of auxiliary control air or loss of a component cooling water train to vital equipment has been considered. Neither the loss of an auxiliary control air train nor the loss of one component cooling water train can cause safety limits as given in the Technical Specifications to be exceeded. Likewise, loss of either one of the two trains will not adversely affect the core or the reactor coolant system nor will it prevent safe shutdown if this is necessary. Furthermore, in general, pneumatically operated valves and controls will assume a preferred failure position upon loss of control air.

The reactor coolant pumps are not tripped on a loss of component cooling water. However, indication in the control room is provided whenever component cooling water is lost. The reactor coolant pumps can run about 10 minutes after a loss of component cooling water. This provides adequate time for the operator to correct the problem or trip the plant if necessary.

With regard to the auxiliary feedwater system, there are two motor-driven pumps and one turbine-driven pump. Starting of these pumps and closing of blowdown isolation and sampling valves for all steam generators are initiated automatically by any of the signals listed in Table 7.3-1, Item 3, Auxiliary Feedwater.

7.3.2.4 Summary

The effectiveness of the engineered safety features actuation system is evaluated in Chapter 15, based on the ability of the system to contain the effects of Condition III and IV faults, including loss of coolant and steam break accidents. The engineered safety features actuation system parameters are based upon the component performance specifications which are given by the manufacturer or verified by test for each component. Appropriate factors to account for uncertainties in the data are factored into the constants characterizing the system.

The engineered safety features actuation system must detect Condition III and IV faults and generate signals which actuate the engineered safety features. The system must sense the accident condition and generate the signal actuating the protection function reliably and within a time determined by and consistent with the accident analyses in Chapter 15.

Much longer times are associated with the actuation of the mechanical and fluid system equipment associated with engineered safety features. This includes the time required for switching, bringing pumps and other equipment to speed and the time required for them to take load.

Operating procedures require that the complete engineered safety features actuation system normally be operable. However, redundancy of system components is such that the system operability assumed for the safety analyses can still be met with certain protection channels out of service. Channels that are out of service are to be placed in the tripped mode or bypass mode in accordance with the Technical Specifications.

7.3.2.4.1 Loss-of-Coolant Protection

By analysis of the loss-of-coolant accident and in system tests it has been verified that except for very small coolant system breaks which can be protected against by the charging pumps followed by an orderly shutdown, the loss-of-coolant accident is reliably detected by the low pressurizer pressure signal; the emergency core cooling system is actuated in time to prevent or limit core damage. (Refer to Section 15.3.1.)

For large coolant system breaks the passive accumulators inject first because of the rapid pressure drop. This protects the reactor during the unavoidable delay associated with actuating the active emergency core cooling system phase. (Refer to Section 15.4.1.)

High containment pressure also actuates the emergency core cooling system. Therefore, emergency core cooling actuation can be brought about by sensing this other direct consequence of a primary system break; that is, the engineered safety features actuation system detects the leakage of the coolant into the containment. The generation time of the actuation signal of about 1.5 seconds, after detection of the consequences of the accident, is adequate.

Containment spray will provide additional emergency cooling of containment and also limit fission product release upon sensing elevated containment pressure (high-high) to mitigate the effects of a loss-of-coolant accident.

The delay time between detection of the accident condition and the generation of the actuation signal for these systems is assumed to be about 1.0 second, well within the capability of the protection system equipment. However, this time is short compared to that required for startup of the fluid systems.

The analyses in Chapter 15 show that the diverse methods of detecting the accident condition and the time for generation of the signals by the protection systems are adequate to provide reliable and timely protection against the effects of loss-of-coolant.

7.3.2.4.2 Steam Line Break Protection

The emergency core cooling system is also actuated in order to protect against a steam line break. About 2.0 seconds elapse between sensing low steam line pressure and generation of the actuation signal. Analysis of steam break accidents assuming this delay for signal generation shows that the emergency core cooling system is actuated for a steam line break in time to limit or prevent further core damage for steam line break cases. There is a reactor trip but the core reactivity is further reduced by the borated water injected by the emergency core cooling system.

Additional protection against the effects of steamline break is provided by feedwater isolation which occurs upon actuation of the emergency core cooling system. Feedwater line isolation is initiated in order to prevent excessive cooldown of the reactor vessel and thus protect the reactor coolant system boundary.

Additional protection against a steamline break accident is provided by closure of all steam line isolation valves in order to prevent uncontrolled blowdown of all steam generators. The generation of the protection system signal is short compared to the time to trip the fast acting steam line isolation valves.

In addition to actuation of the engineered safety features, the effect of a steamline break accident also generates a signal resulting in a reactor trip on overpower or following emergency core cooling system actuation. However, the core reactivity is further reduced by the borated water injected by the emergency core cooling system.

The analyses in Chapter 15 of the steam break accidents and an evaluation of the protection system design show that the Engineered Safety Features Actuation Systems are effective in preventing or mitigating the effects of a steam break accident.

REFERENCES

1. Nay, J., "Process Instrumentation for Westinghouse Nuclear Steam Supply System (4 Loop Plant)" WCAP-7671, April 1971 (Non-Proprietary).
2. Katz, D. N., "Solid State Logic Protection System Description," WCAP-7488-L, January 1971 (Proprietary) and WCAP-7672, June 1971 (Non-Proprietary).
3. The Institute of Electrical and Electronics Engineers, Inc., IEEE Standard: Criteria for Protection System for Nuclear Power Generating Stations, IEEE Standard 279-1971.
4. Mesmeringer, J. C., "Failure Mode and Effects Analysis (FMEA) of the Engineered Safety Features Actuation System," WCAP-8584 Revision 1, February 1980 (Proprietary) and WCAP-8760, February 1980 (Non-Proprietary).
5. Erin, L. E., "Topical Report, Eagle 21 Microprocessor-Based Process Protection System," WCAP-12374 Rev. 1, December 1991 (Westinghouse Proprietary Class 2); WCAP-12375 Rev. 1, December 1991 (Westinghouse Proprietary Class 3).
6. Reagan, J. R., "Westinghouse Setpoint Methodology for Protection Systems, Watts Bar Units 1 and 2, Eagle 21 Version," WCAP-12096 Rev. 9, May 1993 (Westinghouse Proprietary Class 2). (Unit 1 Only)
7. Trozzo, R. W., "Westinghouse Setpoint Methodology for Protection Systems - Watts Bar Unit 2," WCAP-17044-P, Revision 1, September 2012 (Unit 2 only).
8. Invensys Process Systems Document No. 800063-1830, Electromagnetic Compatibility Test Reports, dated August 21, 2008, Rev. 0.

TABLE 7.3-1
INSTRUMENTATION OPERATING CONDITION FOR ENGINEERED SAFETY FEATURES

NO.  FUNCTIONAL UNIT                                     NO. OF CHANNELS               NO. OF CHANNELS TO TRIP

1.   SAFETY INJECTION
1a.  Manual                                              2                             1
1b.  Containment Pressure High                           3                             2
1c.  Pressurizer Pressure Low (1)                        3                             2
1d.  Steamline Pressure Low (Lead-Lag compensated) (1)   12 (3/steamline)              2/3 in any steamline

2.   CONTAINMENT SPRAY
2a.  Manual (2)                                          4                             2
2b.  Containment Pressure High-High                      4                             2

3.   AUXILIARY FEEDWATER
3a.  Manual                                              3                             1/pump
3b.  Safety Injection                                    See Item No. 1
3c.  Steam Generator Level Low-Low                       12 (3/SG)                     2/3 in any SG (motor-driven pumps); 2/3 in 2/4 SG (turbine-driven pumps)
3d.  Loss of Offsite Power                               16 (4/6.9 kV shutdown board)  1/2 twice on any shutdown board/
3e.  Trip of Both Turbine-Driven Main Feedwater Pumps    2                             2

4.   SWITCHOVER FROM INJECTION TO RECIRCULATION AFTER SI (3)
4a.  Safety Injection AND                                See Item No. 1
4b.  Refueling Water Storage Tank Level Low AND          4                             2
4c.  Containment Sump Level High                         4                             2

(1) Interlocked with Permissive P-11; see functional description of P-11 in Table 7.3-3.

(2) Manual actuation of containment spray is accomplished by actuating either of two sets (two switches per set). Both switches in a set must be actuated to obtain a manually initiated spray signal. The sets are wired to meet separation and single failure requirements of IEEE Standard 279-1971. Simultaneous operation of two switches is desirable to prevent inadvertent spray actuation.

(3) All of the identified conditions (4a, 4b, 4c) must be present concurrently to satisfy the switchover logic.

TABLE 7.3-2
INSTRUMENTATION OPERATING CONDITION FOR ISOLATION FUNCTIONS

NO.  FUNCTIONAL UNIT                                                   NO. OF CHANNELS           NO. OF CHANNELS TO TRIP

1.   CONTAINMENT ISOLATION
1a.  Safety Injection (Phase A)                                        See Item No. 1 of Table 7.3-1.
1b.  Containment Pressure High-High (Phase B)                          4                         2
1c.  Manual Phase A                                                    2                         1
     Manual Phase B                                                    See Item No. 2a of Table 7.3-1.

2.   STEAMLINE ISOLATION
2a.  Steamline Pressure Low* (Lead-lag compensated)                    12 (3/Steamline)          2/3 in any Steamline
2b.  High Steamline Pressure Negative Rate (Rate-Lag compensated)*     12 (3/Steamline)          2/3 in any Steamline
2c.  Containment Pressure High-High                                    4                         2

3.   FEEDWATER LINE ISOLATION
3a.  Safety Injection                                                  See Item No. 1 of Table 7.3-1.
3b.  Steam Generator Level High-High                                   12 (3/Steam Generator)    2/3 in any Steam Generator
3c.  Main Steam Valve Vault High Flood Level                           6 (3/MSVV)                2/3 in any MSVV
3d.  Low Tavg **                                                       4                         2

4.   CONTAINMENT VENTILATION ISOLATION
4a.  Manual
       Containment Isolation Phase A                                   See Item No. 1c above
       Containment Spray                                               See Item No. 2a of Table 7.3-1.
4b.  Containment Purge Air Exhaust Gas Monitor Radioactivity High***   2                         1
4c.  Safety Injection                                                  See Item No. 1 of Table 7.3-1

* Interlocked with Permissive P-11; see functional description of P-11 in Table 7.3-3.

** Interlocked with Permissive P-4; see functional description of P-4 in Table 7.3-3.

*** During refueling operations, a CVI may also be initiated by High Radiation Detection from the Spent Fuel Pool Monitors, Containment Isolation Phase A (SI signal) from the operating unit, or high temperature from the Unit 1 or Unit 2 Auxiliary Building (AB) air intake, or manual Auxiliary Building Isolation (ABI) in addition to the Containment Purge Exhaust Monitors. The Spent Fuel Pool Monitor has 2 channels and requires only 1 channel to trip.

TABLE 7.3-3
INTERLOCKS FOR ENGINEERED SAFETY FEATURES ACTUATION SYSTEM

Designation: P-4

  Input: Reactor trip
  Function Performed:
    Actuates turbine trip
    Closes main feedwater valves on Tavg below low setpoint
    Prevents opening of main feedwater valves which were closed by safety injection or High-High steam generator water level
    Allows manual block of the automatic reactuation of safety injection

  Input: Reactor not tripped
  Function Performed:
    Defeats the block preventing automatic reactuation of safety injection

Designation: P-11

  Input: 2/3 Pressurizer pressure below setpoint
  Function Performed:
    Allows manual block of safety injection actuation on low pressurizer pressure signal.
    Allows manual block of safety injection and steamline isolation on low steamline pressure.
    Steamline isolation on high negative rate steamline pressure is permitted when this manual block is accomplished.

  Input: 2/3 Pressurizer pressure above setpoint
  Function Performed:
    Defeats manual block of safety injection actuation.
    Defeats manual block of safety injection and steamline isolation on low steamline pressure and defeats steamline isolation on high negative rate steamline pressure.

Designation: P-12

  Input: 2/4 Tavg below low-low setpoint
  Function Performed:
    Blocks steam dump condenser dump valves
    Allows manual bypass of steam dump block for the cooldown valves only (Note: For the use of additional steam dump valves below the P-12 interlock, refer to Section 10.4.4.3)

  Input: 3/4 Tavg above low-low setpoint
  Function Performed:
    Defeats the manual bypass of steam dump block

Designation: P-14

  Input: 2/3 steam generator water level above setpoint on one or more steam generators
  Function Performed:
    Closes all feedwater control valves and isolation valves
    Trips all main feedwater pumps which closes the pump discharge valves.
    Actuates turbine trip.
    Trips condensate booster pumps and condensate demineralizer pumps
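The channel coincidence, P-11 block and switchover logic of Tables 7.3-1 and 7.3-3 can be exercised with the following Python sketch. It is an added illustration, not plant or vendor code; the class, function and signal names are assumptions, and every channel input is reduced to a boolean (True = bistable tripped).

```python
"""Added example: voting and interlock logic from Tables 7.3-1 and 7.3-3.

Not plant or vendor code. Channel inputs are booleans (True = bistable
tripped); class, function and key names are assumptions of this sketch.
"""

BLOCKABLE = ("pzr_press_low", "steamline_press_low")  # Table 7.3-1, note (1)


def coincidence(channels, required):
    """True when at least `required` of the channels are tripped."""
    return sum(bool(c) for c in channels) >= required


def any_group(groups, required):
    """'2/3 in any steamline': the vote is taken inside each group."""
    return any(coincidence(group, required) for group in groups)


class SafetyInjectionLogic:
    """Item 1 of Table 7.3-1 with the P-11 manual blocks of Table 7.3-3."""

    def __init__(self):
        self.blocked = set()  # latched operator blocks

    @staticmethod
    def p11_permits_block(pzr_below_p11):
        # P-11 input: 2/3 pressurizer pressure channels below setpoint.
        return coincidence(pzr_below_p11, 2)

    def request_block(self, signal, pzr_below_p11):
        """Operator block request; latched only while P-11 permits it."""
        if signal not in BLOCKABLE:
            raise ValueError(f"{signal} has no manual block")
        if self.p11_permits_block(pzr_below_p11):
            self.blocked.add(signal)
            return True
        return False

    def evaluate(self, manual, ctmt_press_high, pzr_press_low,
                 steamline_press_low, pzr_below_p11):
        """Return the Table 7.3-1 items currently demanding safety injection."""
        # 2/3 channels above the P-11 setpoint defeats every latched block:
        # the automatic removal cited against IEEE 279-1971 paragraph 4.12.
        if coincidence([not below for below in pzr_below_p11], 2):
            self.blocked.clear()
        demands = []
        if coincidence(manual, 1):            # 1a: 1 of 2
            demands.append("1a")
        if coincidence(ctmt_press_high, 2):   # 1b: 2 of 3, never blockable
            demands.append("1b")
        if "pzr_press_low" not in self.blocked and coincidence(pzr_press_low, 2):
            demands.append("1c")              # 1c: 2 of 3
        if ("steamline_press_low" not in self.blocked
                and any_group(steamline_press_low, 2)):
            demands.append("1d")              # 1d: 2/3 in any steamline
        return demands


def switchover_to_recirculation(si_actuated, rwst_level_low, sump_level_high):
    """Item 4 of Table 7.3-1: 4a AND 4b AND 4c must be present together."""
    return (bool(si_actuated)
            and coincidence(rwst_level_low, 2)
            and coincidence(sump_level_high, 2))


def cooldown_scenario():
    """Constructed scenario: block during cooldown, then pressure recovers."""
    logic = SafetyInjectionLogic()
    quiet = dict(manual=[False, False], ctmt_press_high=[False] * 3)
    one_line_low = [[True, True, False]] + [[False] * 3] * 3
    results = {}
    below = [True, True, True]
    logic.request_block("pzr_press_low", below)
    logic.request_block("steamline_press_low", below)
    results["blocked"] = logic.evaluate(
        pzr_press_low=[True] * 3, steamline_press_low=one_line_low,
        pzr_below_p11=below, **quiet)
    # Two of three channels now read above the P-11 setpoint.
    results["block_removed"] = logic.evaluate(
        pzr_press_low=[False] * 3, steamline_press_low=one_line_low,
        pzr_below_p11=[False, False, True], **quiet)
    results["late_block_accepted"] = logic.request_block(
        "steamline_press_low", [False, False, True])
    return results


if __name__ == "__main__":
    print(cooldown_scenario())
```

The sketch treats the two blockable signals as independent latches and ignores timing, setpoint uncertainty and train separation.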

FIGURE 7.3-1 ESF Test Circuit (Typical)

Figure labels: PROTECTION INSTRUMENTATION; LOGIC TESTING; MASTER RELAY TESTING; FINAL DEVICE OR ACTUATOR TESTING; COMPARATOR/BISTABLE INPUT; LOGIC CIRCUIT; MASTER RELAY; SLAVE RELAY; SOLENOID VALVES; MOTOR STARTERS; MOTOR OPER VALVES; BREAKER; PUMP MOTORS; ACTUATORS.

FIGURE 7.3-2 Deleted

FIGURE 7.3-3 SH 1 Electrical Logic Diagram, Feedwater System (TVA DWG NO. 1-47W611-3-2 R28)

NOTES:

1. FOR SYMBOLS AND GENERAL NOTES, SEE SHEET 1.
2. THIS FEEDWATER ISOLATION (FWI) SIGNAL IS USED AS A PROCESS SIGNAL AND IS NOT PART OF THE SAFETY-RELATED FWI SYSTEM.

FIGURE 7.3-3 SH 2 Powerhouse Unit 1 Electrical Logic Diagram, Auxiliary Feedwater System (TVA DWG NO. 1-47W611-3-4 R21)

ACCIDENT SIGNALS: 2/3 LO-LO LEVEL ANY STM GEN; SAFETY INJECTION; LOSS BOTH MAIN FEED PUMPS; BLACKOUT

NOTES:

1. FOR SYMBOLS AND GENERAL NOTES, SEE SHEET 1.
2. SOLENOID TRIP OPERATES AT 110% SPEED AND RESETS AUTOMATICALLY. MECHANICAL OVERSPEED OPERATES AT 125% SPEED AND MUST BE RESET MANUALLY.
3. MANUAL CNTL WHEN IN AUX CNTL MODE IS ACCOMPLISHED AT THE CONTROLLER.
4. ACCIDENT SIGNAL TO TRAIN A VALVES IS TRAIN-B BUFFERED. TRAIN-B VALVES WILL BE TRAIN-B WITH TRAIN-A BUFFERED.
6. LIC/FIC-X-XXX-A IN MANUAL MODE WILL CAUSE OUTPUT OF LC/FC-X-XXX-B TO TRACK OUTPUT OF LC/FC-X-XXX-A.
7. WHEN C IS PRESENT, INPUT A IS ALLOWED TO PROCEED (B=A). WHEN C IS NOT PRESENT INPUT D IS ALLOWED TO PROCEED (B=D, A IS BLOCKED).
8. TRANSFER FROM AUTO TO MAN. OR MAN. TO AUTO IS BUMPLESS. WHEN TRANSFER IS MADE FROM AUTO TO MAN. LAST OUTPUT IS MAINTAINED UNTIL IT IS MANUALLY CHANGED. WHEN TRANSFER IS MADE FROM MAN. TO AUTO OUTPUT CHANGES SLOWLY TO AUTO OUTPUT.
9. SEE CONTRACT NO. 89NLC-75514A VENDOR DOCUMENTS FOR INFO. ON LIC'S, LC'S, ...

FIGURE 7.3-3 SH 2(U2) Powerhouse Unit 2 Electrical Logic Diagram, Auxiliary Feedwater System (TVA DWG NO. 2-47W611-3-4 R10)

ACCIDENT SIGNALS: 2/3 LO LO LEVEL ANY STM GEN; SAFETY INJECTION; LOSS BOTH MAIN FEED PUMPS; BLACKOUT

NOTES:

1. FOR SYMBOLS AND GENERAL NOTES, SEE 2-47W611-3-1.
2. SOLENOID TRIP OPERATES AT 110% SPEED AND RESETS AUTOMATICALLY. MECHANICAL OVERSPEED OPERATES AT 125% SPEED AND MUST BE RESET MANUALLY.
3. MANUAL CNTL WHEN IN AUX CNTL MODE IS ACCOMPLISHED AT THE CONTROLLER.
4. ACCIDENT SIGNAL TO TRAIN A VLVS IS TR-B BUFFERED. TR-B VLVS WILL BE TR-B WITH TR-A BUFFERED.
5. THE LOGIC SHOWN INSIDE THE DASHED LINES IS APPLICABLE TO LCV-3-174 AND LCV-3-175 ONLY. STEAM GENERATORS 2 & 3 DO NOT HAVE PIPE BREAK DETECTION.
6. NOT USED
7. NOT USED
8. LIC/FIC-X-XXX-A IN MANUAL MODE WILL CAUSE OUTPUT OF LC/FC-X-XXX-B TO TRACK OUTPUT OF LC/FC-X-XXX-A.
9. WHEN C IS PRESENT, INPUT A IS ALLOWED TO PROCEED (B=A). WHEN C IS NOT PRESENT INPUT D IS ALLOWED TO PROCEED (B=D, A IS BLOCKED).
10. TRANSFER FROM AUTOMATIC TO MANUAL OR MANUAL TO AUTOMATIC IS BUMPLESS. WHEN TRANSFER IS MADE FROM AUTOMATIC TO MANUAL LAST OUTPUT IS MAINTAINED UNTIL IT IS MANUALLY CHANGED. WHEN TRANSFER IS MADE FROM MANUAL TO AUTOMATIC OUTPUT CHANGES SLOWLY TO AUTOMATIC OUTPUT.
11. SEE CONTRACT NO. 0069016 VENDOR DOCUMENTS FOR INFORMATION ON LIC'S, LC'S, FIC'S & FC'S.
12. WHEN TRANSFER SWITCH IS OPEN, A/M CARD IS TRANSFERRED TO AUTOMATIC MODE.
13. PLACING HS-3-164A IN THE CLOSE PULL TO LOCK POSITION WILL ENERGIZE FSV-77-2561 TO ISOLATE THE NITROGEN HEADER USED FOR THE BACKUP CONTROL AIR SOURCE TO ALL MDAFW PUMP LCVS/PCVS.
14. PLACING HS-3-174A IN THE CLOSE PULL TO LOCK POSITION WILL ENERGIZE FSV-77-2562 TO ISOLATE THE NITROGEN HEADER USED FOR THE BACKUP CONTROL AIR SOURCE TO ALL TDAFW PUMP LCVS (SEE HS-3-164A FOR SOLENOID LOGIC CONNECTION DETAIL).

[Figure 7.3-3 SH 4: Powerhouse Unit 1, Electrical Logic Diagram, Containment Isolation. TVA DWG NO. 1 -47W611 1 R28. Watts Bar Final Safety Analysis Report, UFSAR Amendment 1.]

WBN-3

7.4 SYSTEMS REQUIRED FOR SAFE SHUTDOWN

The functions necessary for safe shutdown are available from instrumentation channels associated with major systems in both the primary and secondary of the nuclear steam supply system (NSSS). These channels are normally aligned to serve a variety of operational functions, including startup and shutdown as well as protective functions. There are no systems identified strictly as safe shutdown systems. However, procedures can institute appropriate alignment of selected systems to secure and maintain the plant in a safe condition. Other sections of the UFSAR contain discussions of these systems with applicable codes, criteria and guidelines.

Discussions in Chapter 6 and Section 7.3 involve alignment of shutdown functions associated with engineered safety features under postulated limiting fault situations.

This section discusses the instrumentation and control (I&C) functions required for maintaining safe shutdown of the reactor. These functions permit the necessary operations that will:

1. Prevent the reactor from achieving criticality in violation of the technical specifications and
2. Provide an adequate heat sink such that design and safety limits are not exceeded.

7.4.1 Description

The designation of systems that can be used for safe shutdown depends on identifying those systems which provide the following capabilities for maintaining a safe shutdown:

1. Boration
2. Adequate supply for auxiliary feedwater (AFW)
3. Residual heat removal

These systems are identified in the following sections together with the associated I&C provisions. The sections identify those monitoring indicators (Section 7.4.1.1) and controls (Section 7.4.1.2) necessary for maintaining hot standby. The equipment required for cold shutdown is identified in Section 7.4.1.3.

7.4.1.1 Monitoring Indicators

Indicators for the following process functions are provided both inside and outside the main control room (MCR). The indicators satisfy monitoring the four capabilities for maintaining a safe shutdown.

1. Water level indicator for each steam generator
2. Pressure and saturation temperature indicator for each steam generator
3. Pressurizer water level indicator
4. Pressurizer pressure indicator
5. Source range neutron flux
6. Reactor coolant system hot leg temperature
7. Auxiliary feedwater flow to each steam generator
8. Essential raw cooling water header flow*
9. Charging pumps discharge header pressure* and flow
10. Letdown heat exchanger outlet temperature
11. Emergency boration flow*
12. Component Cooling System (CCS) flow to miscellaneous equipment*
13. CCS surge tank level*
14. CCS pumps discharge header pressure*
15. Volume control tank level
* These instruments are available to provide diagnostic information to aid in achieving and maintaining safe shutdown (hot standby), but are not required. See Reference 1.

7.4.1.2 Controls

Controls provide the hardware and logic to shut down the reactor and to maintain the plant in a shutdown condition.

7.4.1.2.1 General Considerations

The following lists actions (including possible locations) and considerations that are prerequisites to alignment of systems for safe shutdown.

1. The turbine is tripped (this can be accomplished at the turbine as well as in the MCR).
2. The reactor is tripped (this can be accomplished at the reactor trip switchgear as well as in the MCR).
3. Automatic systems continue functioning (discussed in Sections 7.2 and 7.7).
4. Equipment listed in Sections 7.4.1.2.2, 7.4.1.2.3 and 7.4.1.2.4 has motor controls outside the MCR. These controls have a selector switch which transfers control of the switchgear from the MCR to its auxiliary control station(s). Placing the local selector switch in the auxiliary operating position will give an alarm in the MCR.

7.4.1.2.2 Pumps and Fans

The following pumps and fans provide safe shutdown functions:

1. Auxiliary feedwater pumps
   In the event of a main feedwater pump stoppage due to a loss of electrical power, the AFW pumps, which are powered from the emergency diesel generator (EDG), start automatically or can be started manually from inside the MCR. Additionally, the turbine driven AFW pump starts automatically or can be started manually from either the MCR or locally.
2. Charging and boric acid transfer pumps
   Start/stop motor controls provided for both the centrifugal charging pumps (CCP) and the boric acid transfer pumps are located in the MCR and at the pump switchgear for the CCP and at the pump for the boric acid transfer pumps.
3. Essential raw cooling water pumps
   These pumps, which are powered by the EDGs, sequence automatically following a loss of normal electrical power. Start/stop motor controls are located in the MCR and at the electrical switchgear.
4. Component cooling water pumps
   These pumps, energized from the EDGs, start automatically following a loss of normal electrical power. Start/stop controls are located in the MCR and at the electrical switchgear.
5. Auxiliary control air compressors
   These compressors start automatically on low air pressure.
6. Reactor containment fan cooler units
   Start/stop motor controls with a selector switch are provided for the fan motors. The controls are located in the MCR and at the electrical switchgear.

7.4.1.2.3 Diesel Generators

These units start automatically following a loss of normal AC power. However, manual controls for diesel startup are provided locally (normal start only, not emergency start) at the EDGs as well as in the MCR and auxiliary control room (ACR).

7.4.1.2.4 Valves and Heaters

The following valves and heaters provide safe shutdown actions:

1. Charging flow control valves
   Manual controls for the charging line flow control valves are provided in both the MCR and the ACR.
2. Letdown orifice isolation valves
   Open/close controls with a selector switch for the letdown orifice isolation valves are provided both in the MCR and the ACR.
3. AFW control valves
   Automatic and manual controls for the AFW control valves are located in both the MCR and the ACR for valves associated with the motor driven pumps or at the turbine pump room for valves associated with the turbine driven pump.
4. Steam dump/atmospheric steam dump
   Automatic and manual control for the condenser steam dump is provided in the MCR. Condenser steam dump is blocked on high condenser pressure. Atmospheric steam dump (ASD), in the form of SG PORVs, has automatic and manual control in both the MCR and ACR. Additionally, ASD has manual pneumatic controls located locally.
5. Pressurizer heater control
   On-off control with selector switch is provided for two backup heater groups. The heater groups are connected to separate buses, such that each can be connected to separate diesels in the event of loss of outside power. The control is both in the MCR and at the switchgear.

Instrumentation and controls listed in Sections 7.4.1.1 and 7.4.1.2, used to achieve and maintain safe shutdown (hot standby), can also be used for an evacuation of the MCR.

Through the use of suitable procedures, these I&C channels together with the equipment identified in Section 7.4.1.3, available for the hot standby and cold shutdown, constitute the body of equipment potentially available to achieve cold shutdown after a MCR evacuation.

7.4.1.3 Equipment and Systems Available for Cold Shutdown

1. Reactor coolant pumps (See Chapter 5)
2. Auxiliary feedwater pumps (See Chapter 10)
3. Boric acid transfer pumps (see Chapter 9)
4. Charging pumps (See Chapter 9)
5. Essential raw cooling water pumps (See Chapter 9)
6. Containment fans (See Chapter 9)
7. Control room ventilation (See Chapter 9)
8. Component cooling pumps (See Chapter 9)
9. Residual heat removal pumps (see Chapter 5)
10. Class 1E power systems (See Chapter 8)
11. Controlled steam release and feedwater supply (See Section 7.7 and Chapter 10)
12. Boration capability (See Chapter 9)
13. Nuclear instrumentation system (source range or intermediate range) (See Sections 7.2 and 7.7)
14. Reactor coolant inventory control (charging and letdown) (See Chapter 9)
15. Pressurizer pressure control including opening control for pressurizer relief valves (PORVs, heaters and spray valves) (See Chapter 5)

To achieve cold shutdown, the safety injection signal trip circuit must be defeated and the accumulator isolation valves closed.

7.4.2 Auxiliary Control Room (ACR)

The ACR is designated as the central control point for operation of the Auxiliary Control System. The Auxiliary Control System (ACS) contains those instruments and controls necessary to establish and maintain the plant in a safe shutdown condition external to the Main Control Room (MCR). The ACS meets the following regulatory requirements:

  • As required by GDC 19 of 10CFR Part 50, Appendix A, the ACS is physically independent from the MCR. ACS instrumentation and controls are electrically separated from their counterparts in the MCR. For GDC 19, damage to the control room and electrical circuits therein is not postulated since the MCR evacuation is due to some non-mechanistic event.
  • As required by 10CFR50, Appendix R fire damage considerations, the ACS is both physically and electrically independent of the control building.

The ACS provides controls and instrumentation in locations remote from the MCR which may be used so as to be capable of achieving and maintaining a safe shutdown condition and to subsequently achieve cold shutdown of the reactor through the use of suitable procedures. The ACS shall be operable in the unlikely event that the MCR must be evacuated due to smoke, toxic gas, etc., within the MCR. The design requirements for the ACR and ACS are contained in Design Criteria Document WB-DC-40-58 (Reference 1).

7.4.3 Analysis

Hot standby is a stable plant condition, automatically attained following a plant shutdown. The hot standby condition can be maintained safely for an extended period of time. In the unlikely event that access to the MCR is restricted, the plant can be safely kept at hot standby by the use of the indicators and controls listed in Sections 7.4.1.1 and 7.4.1.2 until the MCR can be reentered. These indicators and controls are provided outside as well as inside the MCR.

The safety evaluation for maintaining shutdown with these systems and associated instrumentation and controls includes consideration of the accident consequences that might jeopardize safe shutdown conditions. The germane accident consequences are those that would tend to degrade the capabilities for boration, adequate supply for auxiliary feedwater, or residual heat removal.

Instrumentation and controls for these systems may require some realignment in order that their functions may be performed from outside the MCR. Procedures for realignment of these controls and instruments are prepared in advance, upgraded as necessary, and available when needed. Note that the reactor plant design does not support attaining the cold shutdown condition from outside the MCR. An assessment of plant conditions can be made on the long term basis to establish the necessary physical realignment to I&C equipment in order to attain cold shutdown. During such time the plant could be safely maintained at hot standby condition.

The I&C functions which are required to be aligned for maintaining safe shutdown of the reactor are discussed above and are the minimum number of I&C functions under non-accident and nontransient conditions. Some of the equipment that provides some of these I&C functions are control systems discussed in Section 7.7 that are not part of the protection system. Proper operation of the control systems will allow a safe shutdown to be attained and maintained by preventing a transient. In considering more restrictive conditions than Section 7.4 examines, certain accidents and transients are postulated in Chapter 15.0 safety analyses which take credit for safe shutdown when the protection system's reactor trip terminates the transient and the engineered safety features system mitigates the consequences of the accident. In these transients, in general, no credit is taken for the operation of control systems listed in Section 7.7 should such operation mitigate the consequences of a transient. Should such operation not mitigate the consequences of a transient, no penalties are taken in the analyses for incorrect control system actions over and above the incorrect action of the control system whose equipment failure was assumed to have initiated the transient. The Chapter 15.0 analyses show that safety is not adversely affected when a limited number of such transients are postulated. Such transients include the following:

1. Uncontrolled boron dilution
2. Loss of normal feedwater
3. Loss of external electrical load and/or turbine trip
4. Loss of offsite power to the station auxiliaries (LOOP).

REFERENCES

1. Design Criteria Document WB-DC-40-58, Auxiliary Control System -- Watts Bar Nuclear Plant - Unit 1 / Unit 2, Revision 7, January 2016

7.5 INSTRUMENTATION SYSTEMS IMPORTANT TO SAFETY

7.5.1 Post Accident Monitoring Instrumentation (PAM)

7.5.1.1 System Description

Post Accident Monitoring (PAM) instrumentation is required to monitor plant and environs conditions during and following design basis Condition II, III and IV faults as described in UFSAR Chapter 15. PAM instrumentation will enable the Main Control Room (MCR) operating staff (operator) to take preplanned manual actions, provide information on whether critical safety functions are being accomplished, provide information for potential or actual breach of the barriers to fission product release, provide information of individual safety systems, and provide information on the magnitude of the release of radioactive materials.

Table 7.5-2 lists the process information required at the initiation of an accident. The variables' descriptions were selected through a systematic evaluation of parameters required for the mitigation of design basis events at Watts Bar, a comprehensive review of the Emergency Instructions (EIs), Function Restoration Guidelines (FRGs), and Condition II, III and IV faults in Chapter 15 of the UFSAR. In some cases, the EIs and FRGs address mitigation of events which may extend beyond the design of the plant. Instrumentation used for beyond design basis events may be exempted from being PAM instrumentation. Table 7.5-2 furnishes the appropriate variable classification types/categories for each variable description. PAM variable types/categories were determined using the guidance given in U.S. NRC Regulatory Guide 1.97, R2 [1] and General Design Criteria for Nuclear Power Plants [12].

7.5.1.2 Variable Types

Five (5) classifications of variable types, A, B, C, D and E, were identified to provide the PAM instrumentation. These classifications meet the PAM classifications contained in Regulatory Guide 1.97, R2. These five classifications are not mutually exclusive, in that a given variable (or instrument) may be included in one or more types. When a variable is included in one or more of the five type classifications, the equipment monitoring this variable meets the most stringent category qualification requirements as noted in Table 7.5-1. Type A variables provide primary information to the operators to allow them to take preplanned manually controlled actions to mitigate the consequences of a Chapter 15 design basis event. Types B, C, D and E are variables for following the course of an accident and are to be used (1) to determine if the plant is responding to the safety measures in operation and (2) to inform the operator of the necessity for unplanned actions to mitigate the consequences of an accident should plant conditions evolve differently than predicted by Chapter 15.

Type A Variables

Regulatory Guide 1.97 defines Type A variables as those variables that provide primary information to the MCR operators to allow them to take preplanned manually controlled actions for which no automatic action is provided and that are required for safety systems to accomplish their safety functions for Chapter 15 design basis events. Primary information is information that is essential for the direct accomplishment of specified safety functions. In addition to the Regulatory Guide 1.97 requirements previously stated, TVA calculation WBNOSG4047 "PAM Type A Variables Determination" includes certain variables used for event identification and monitoring as Type A variables even though no direct operator action is required.

Type B Variable

Those variables that provide information to monitor the process of accomplishing critical safety functions. Critical safety functions are those safety functions which are essential to prevent a direct and immediate threat to the health and safety of the public. These are defined as reactivity control, core cooling, maintaining reactor coolant system integrity, and maintaining containment integrity (including radioactive effluent control).

Type C Variable

Those variables that provide information to indicate the potential for breaching or the actual breach of the barriers to fission product release (including high level radioactive release through identifiable release points, i.e., plant vents). The barriers to fission product release are fuel cladding, reactor coolant pressure boundary and primary reactor containment.

Type D Variable

Those variables that provide information to indicate the operation of individual safety systems and other plant systems. These variables are to help the operator make appropriate decisions in using the individual systems in mitigating the consequences of an accident.

Type E Variable

Those variables used in determining the magnitude of the release of radioactive materials and for continuously assessing such releases.

7.5.1.3 Variable Categories

The five types of variables are functionally classified into three (3) qualification categories (1, 2, and 3) according to the safety function provided by the variable. Descriptions of the three categories are given below. Table 7.5-1 briefly summarizes the qualification criteria of the three designated categories.

The differentiation in the 3 categories was made in order that importance of information hierarchy could be recognized in specifying accident monitoring instrumentation. Category 1 instrumentation has the highest pedigree and should be utilized for information which is essential to the main control room operating staff in order for them to determine if the plant critical safety functions are being performed. Category 2 and 3 instruments are of lesser importance in determining the state of the plant and do not require the same level of operational assurance.

The primary differences between category requirements are in the qualification, application of single failure, power supply, and display requirements.

7.5.1.4 Design Bases

7.5.1.4.1 Definitions

Primary Information

Primary information is information that is essential for the direct accomplishment of the specified functions; it does not include those variables that are associated with contingency actions that may also be identified in written procedures.

Key Variable

A key variable is that single variable (or minimum number of variables) that provides primary information and most directly indicates the accomplishment of a safety function (in the case of Types B and C) or the operation of a safety system (in the case of Type D) or radioactive material release (in the case of Type E).

Backup Variable

Additional variables beyond those classified as key that provide diagnostic or confirmatory information.

Diverse Variable

Where failure of a Category 1 channel results in information ambiguity that can lead the operator to defeat or fail to accomplish a required safety function, a second variable shall be identified to allow the operators to deduce the actual condition in the plant. The second variable, qualified identically to the first, is called a diverse variable and bears a known relationship to the multiple channels of the key variable.

Diverse variables are identified in Table 7.5-2.

7.5.1.4.2 Selection Criteria

Type A variables are key variables and are designated Category 1.

Type B and C variables are determined to be either key or backup variables depending on their particular usage. Those variables determined to be key shall be classified as Category 1 except for those classified as Category 2 in accordance with the specific guidance presented in Regulatory Guide 1.97, R2, Table 2. Backup variables are considered Category 3.

The Type D and E variables determined to be key are classified as Category 2 except for those classified as Category 1 in accordance with the specific guidance presented in Regulatory Guide 1.97, R2, Table 2. Backup variables are considered Category 3.

The variable types were determined through (1) the guidance given in Regulatory Guide 1.97 R2, Table 2, (2) a review of the Emergency Instructions and Function Restoration Guidelines, and (3) a safety analysis performed for the UFSAR Chapter 15 design basis accidents. These three steps ensure that sufficient instrumentation is available to the operator to keep the plant in a safe condition under accident scenarios.

7.5.1.4.3 Design Criteria For Category 1 Variables

A. Redundant Class 1E qualified continuous indication of these variables has been provided. Qualification applies from the sensor to the display. The variables have been provided with a minimum of two independent channels (PAM 1 and PAM 2) for monitoring each variable. These two redundant channels allow the operator to deduce actual plant conditions.

Where failure of a channel would present ambiguous or confusing information to the operator, preventing the operator from taking action or misleading the operator, an additional redundant (PAM 3) channel has been provided. The PAM 3 channel has been qualified to the same requirements as the first two channels. Table 7.5-2 lists the redundancy requirements for each Category 1 variable.

B. PAM instrumentation has components and cables environmentally qualified and installed to function in plant conditions for which they are expected to operate. Qualification is in accordance with 10 CFR 50.49 requirements.

C. PAM instrumentation continues to function after a design basis seismic event in accordance with Watts Bar Nuclear Plant Design Criteria.

D. Transmission of signals from PAM Category 1 devices to non-qualified equipment is only through an isolation device qualified to Category 1 requirements. No credible failure at the output of the isolation device prevents the monitoring channel from meeting its minimum performance requirements.

E. Category 1 instrumentation supplied from Class 1E standby power sources is capable of operating independently of offsite power, and backed up by batteries. The physical separation between redundant channels has been preserved in field wiring by combining outputs from Train A or channels from instrumentation cabinets I or III into the PAM 1 channels. The redundant PAM 2 channels are from Train B or channels from instrumentation cabinets II or IV. PAM 3 channels are physically separated from both PAM 1 and PAM 2 channels.

F. Category 1 analog variables have at least one of the redundant instrument loops recorded on the Plant Computer System. In addition to the Plant Computer System, a hardwired recorder for at least one instrument loop of the variable has been provided when trending of the Category 1 variable enhances the operator's ability to cope with mitigating various design basis events.

G. Category 1 variables follow quality assurance requirements as described in UFSAR Chapter 17 for safety related devices.

7.5.1.4.4 Design Criteria For Category 2 Variables

A. Redundant or Class 1E circuitry is not required for Category 2 variables. However, the parent system may require the instrumentation to be classified Class 1E for non-PAM functions. Where this instrumentation has been used to provide PAM Category 2 indication, the Class 1E qualification applies from the sensor through the isolator/buffer. The display need not meet Class 1E requirements.

B. PAM instrumentation has components and cables environmentally qualified and installed to the plant conditions for which they are expected to operate. Nondivisional and Class 1E PAM instrumentation located in a harsh environment has been qualified in accordance with 10 CFR 50.49 requirements. Mild environment Category 2 components do not have any special qualification requirements.

C. There are no specific requirements for seismic operability. However, specific system requirements above that required for post accident monitoring may exist. In those cases, the most restrictive qualification level applies. In addition, components are designed and mounted such that they do not have an adverse effect on safety systems during a seismic event.

D. Category 2 instruments are powered from highly reliable power sources, not necessarily divisional power, and are diesel generator or battery backed.

E. Potential plant release point effluent radioactivity monitors and area radiation monitors are trended on a MCR recorder or on the Plant Computer System.

F. Category 2 instrumentation located in a harsh environment follows quality assurance requirements as described in UFSAR Chapter 17 for safety related devices.

7.5.1.4.5 Design Criteria For Category 3 Variables

A. Category 3 PAM instrumentation is high-quality commercial grade equipment. No redundancy, qualification, or signal isolation is required.

B. Category 3 PAM loops are powered from normal station power supplies, such as nondivisional power.

C. Components are designed and mounted such that they do not have an adverse effect on safety systems during design basis seismic events. Instruments that are not part of a safety related system are not seismically qualified unless the Watts Bar UFSAR specifies seismic requirements for the associated system.

D. The meteorology monitors are trended on the Plant Computer System.

7.5.1.5 General Requirements

7.5.1.5.1 Display Requirements

Category 1 parameters are displayed on individual devices located in the main control room.

Category 2 and 3 devices are either displayed on individual instruments located in the main control room or processed for display by one of the computer-based systems available in the MCR except as described below.

Portable or postaccident sampling devices are not displayed in the main control room. In addition, a limited number of Category 2 and 3 devices are displayed on local panels if the following guidelines are met:

1. The information displayed is of a non-critical or non-diagnostic nature.
2. The local panel display is accessible under accident conditions.
3. The information can be retrieved in a time frame necessary to support the operator's actions.
4. The parameter changes slowly such that only infrequent updates are needed.

Human factors principles have been used in determining the types and locations of the displays. To the extent practical, the same instruments are used for accident monitoring as are used for the normal operations of the plant. This enables the operators to use instruments with which they are most familiar during accident situations. Monitoring instrumentation is from sensors that directly measure the desired variables. Indirect measurements are made only when it can be shown by analysis to provide equivalent or unambiguous information.

The PAM parameters have associated required accident ranges. The minimum required ranges are given in Table 7.5-2. The range of the instrumentation is sufficient to keep the indication on scale at all times as required for PAM. Where the required range of monitoring instrumentation results in a loss of instrumentation sensitivity or accuracy in the normal operating range by using a single instrument (such as radiation monitors), multiple instruments are used to encompass the entire required range. Where two or more instruments are needed to cover a particular range, overlapping of instrument spans and accuracies has been provided to ensure one of the two instruments will be on scale at all times.

7.5.1.5.2 Identification

The Category 1 and 2 displays are uniquely identified on the main control board so that the operator can easily discern that they are intended for use under accident conditions. PAM Category 1 display devices have been identified with a nameplate with black background, white letters and the symbol "C1" inscribed on the nameplate. PAM Category 2 display devices (which are not also PAM Category 1) have been identified with a nameplate with a white background, black letters with the symbol "C2" inscribed on the nameplate.

Category 1 indicators are identified on the control diagrams as P1 and P2 (as well as P3 when a third redundant channel is required) to denote each redundant train of instrumentation.

Category 1 and 2 components are identified as such in the Instrument Tabulation drawings and category 3 components are identified as such in the Mechanical Equipment List (MEL).

Applicable Category 1 and 2 components are identified in the 10CFR50.49 List.

7.5.1.6 Analysis

For Condition II, III and IV events sufficient duplication of information is provided to ensure that the minimum information required is available. The information is part of the operational monitoring of the plant which is under surveillance by the operator during normal plant operation. This is functionally arranged on the main control board to provide the operator with ready understanding and interpretation of plant conditions.

Redundant sensors are provided to develop the necessary information to enable the required manual functions to be performed following a Condition IV event. These sensors are environmentally and seismically qualified.

Range and accuracy requirements are determined through the analysis of Condition II, III, or IV events as described in UFSAR Chapter 15. The display system meets the following requirements:

a. The range of the readouts extends over the maximum expected range of the variables being measured.
b. The combined indicated accuracies are within the errors used in the safety analysis.

Other information systems such as the Plant Computer System are integrated with the PAM instrumentation described in this section. In order to provide the operator adequate information to prevent and/or cope with events, those displays have been included in the Human Factors engineering review.

As described throughout UFSAR Section 7.5, WBN meets the intent of Regulatory Guide 1.97, R2. Deviations from the Regulatory Guide have been identified to the NRC[9, 10, 11, 13, 14, 15, 16].

The deviation numbers are given in the notes column of Table 7.5-2 and correspond to the deviation numbers in the above references.

7.5.1.7 Tests and Inspections

7.5.1.7.1 Programs

Services, testing and calibration programs are specified to maintain the capability of the monitoring instrumentation. For those instruments where the required interval between testing is less than the normal interval between station shutdowns, capability for testing during operation is provided.

7.5.1.7.2 Removal of Channels from Service

Whenever a means for removing channels from service is included in the design, the design facilitates administrative control for such removal. The system is designed to permit at least one channel to remain operable when required during power operation. During removal from service, the active parts of the channel need not continue to meet the single failure criterion. As such, monitoring systems comprised of two redundant channels are permitted to violate the single failure criterion during channel bypass. The bypass time interval allowed for a maintenance operation is specified in the plant technical specifications.

7.5.1.7.3 Administrative Control

The design facilitates administrative control of the access to all setpoint adjustments, module calibration adjustments and test points.

7.5.1.8 Post Accident Monitoring System (PAMS)

The PAMS is a computer based system that meets all requirements for Type A, Category 1 variables as previously described. The system displays three post accident variables:

(1) Core Exit Thermocouples
(2) Reactor Vessel Level
(3) Subcooled Margin Monitor

The PAMS software uses inputs from plant instrumentation and core exit thermocouples to calculate subcooled margin. The PAMS variables are displayed on redundant monitors in the main control room.

7.5.2 Plant Computer System

The non safety-related Plant Computer System (also referred to as the Integrated Computer System (ICS) or plant process computer) acquires, processes, and displays all data to support the assessment capabilities of the MCR, Technical Support Center (TSC) and the Emergency Operations Facility (EOF) as stated in NUREG-0696[2] and NUREG-0737, Supplement 1[3].

The Plant Computer System also provides the safety parameter display system and the bypassed and inoperable status indications system for WBN.

The Plant Computer System is a real time data acquisition and analysis computer system. This computer system also drives display equipment in the Technical Support Center (TSC) and provides plant data to the off-site computer located at the Emergency Operations Facility (EOF).

The operators use a keyboard to request additional detailed information about the parameters used to determine the Critical Safety Functions (CSF) status as well as other plant conditions.

This information is provided in three formats: mimic, tabular, and trend displays.

The data undergoes several validation steps before being presented to the operators. When redundant sensors are used, the data received by the computer can be processed by software to determine if the quality of one or more points is questionable.

Sections 7.5.2.1 through 7.5.2.3.2 describe some of the key functions performed by the Plant Computer System.

7.5.2.1 Safety Parameter Display System

7.5.2.1.1 System Description

The principal purpose and function of the Safety Parameter Display System (SPDS) is to aid control room personnel during abnormal and emergency conditions in determining the safety status of the plant and in assessing if abnormal conditions require corrective action by the operators to avoid a degraded core. During emergencies the SPDS serves as an aid to evaluating the current safety status of the plant, executing function-oriented emergency procedures, and monitoring the impact of engineered safeguards or mitigation activities. The SPDS also operates during normal operations, continuously displaying information from which the plant safety status can be readily and reliably assessed.

The Unit 1 and Unit 2 SPDSs have at least two color graphic monitors in the main control room which continuously display information on the CSF.

7.5.2.1.2 Design Bases

Location of SPDS

The SPDS is conveniently located in the control room on at least two monitors for use by the control room operating staff.

Although both of these terminals are expected to be operational, only one is required to be operational in order for the SPDS to be considered available.

Continuous and Reliable Display of Plant Safety Status Information

The SPDS displays information from which the plant safety status can be readily and reliably assessed by control room personnel responsible for the avoidance of degraded and damaged core events. This is accomplished by presenting the status of each CSF on every SPDS display. The status of the CSF is indicated on all Plant Computer System displays by use of a target on each screen. Redundant sensor algorithms are used to aid the operators in determining if display information is reliable.

The quality of the information is identified as being good, poor, bad, or manually entered. Data is tagged as poor if it is inconsistent with redundant sensors. Data is tagged as bad if it is outside the process sensor limits, or data acquisition system span, or because hardware checks indicated a malfunctioning input device. Data is tagged as manually entered when the value is operator entered. If a point is not poor, bad, or manually entered, it is considered good.

Calculated points are tagged as poor if any of their constituent points are not good.
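The tagging rules above, worked through as an added Python example; it is not TVA's or the Plant Computer System's code. The median-based consistency check, the `tolerance` parameter, the order in which the tags are tested and all point names and values are assumptions or constructed sample data; the 200 to 2300 Deg F span reuses the Core Exit Temperature range from Table 7.5-2 for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from statistics import median
from typing import Dict, List


class Quality(Enum):
    GOOD = "good"
    POOR = "poor"
    BAD = "bad"
    MANUAL = "manually entered"


@dataclass
class Reading:
    point_id: str
    value: float
    span_low: float              # lower sensor / data acquisition limit
    span_high: float             # upper sensor / data acquisition limit
    hardware_ok: bool = True     # outcome of the input-device hardware checks
    operator_entered: bool = False


def tag_redundant_group(readings: List[Reading], tolerance: float) -> Dict[str, Quality]:
    """Tag every reading of one redundant sensor group."""
    tags: Dict[str, Quality] = {}
    comparable: List[Reading] = []
    for r in readings:
        if r.operator_entered:
            tags[r.point_id] = Quality.MANUAL
        elif not r.hardware_ok or not (r.span_low <= r.value <= r.span_high):
            # A NaN value fails the span comparison and is therefore tagged bad.
            tags[r.point_id] = Quality.BAD
        else:
            comparable.append(r)
    # Only live, in-span readings feed the reference value, so a failed
    # sensor cannot pull the comparison toward itself (assumed design).
    reference = median(r.value for r in comparable) if len(comparable) >= 2 else None
    for r in comparable:
        inconsistent = reference is not None and abs(r.value - reference) > tolerance
        tags[r.point_id] = Quality.POOR if inconsistent else Quality.GOOD
    return tags


def tag_calculated(constituents: List[str], tags: Dict[str, Quality]) -> Quality:
    """A calculated point is poor if any constituent is not good.
    A constituent with no tag at all is treated as not good."""
    return Quality.GOOD if all(tags.get(c) is Quality.GOOD for c in constituents) else Quality.POOR


# Constructed sample: five redundant core exit thermocouple readings (Deg F).
SAMPLE_CETS = [
    Reading("CET_1", 612.0, 200.0, 2300.0),
    Reading("CET_2", 615.0, 200.0, 2300.0),
    Reading("CET_3", 655.0, 200.0, 2300.0),                     # drifts from its peers
    Reading("CET_4", 2500.0, 200.0, 2300.0),                    # above span
    Reading("CET_5", 610.0, 200.0, 2300.0, hardware_ok=False),  # failed input device
]

if __name__ == "__main__":
    sample_tags = tag_redundant_group(SAMPLE_CETS, tolerance=20.0)
    for point_id, quality in sample_tags.items():
        print(point_id, quality.value)
    print("calculated from CET_1 + CET_3:",
          tag_calculated(["CET_1", "CET_3"], sample_tags).value)
```

With only two comparable sensors that disagree, both are tagged poor, because the comparison alone cannot say which one is wrong.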

The SPDS software and changes undergo formal verification and validation. Software changes are documented, approved, and controlled by qualified personnel and procedures.

Concise Display of Critical Plant Variables

The SPDS provides a concise display of critical plant variables which provide information to plant operators about the following critical safety functions:

a. Reactivity control
b. Reactor core cooling and heat removal from the primary system
c. Reactor coolant system integrity
d. Radioactivity control
e. Containment conditions

When the SPDS logic determines the plant may not be in a safe condition, the operator is informed of the problem. After the SPDS indication is verified to be correct, the operator is directed to follow appropriate recovery procedures.

Human Factors

Human factors are taken into account in the design of the SPDS. Flashing is used to draw operator attention to new alarm conditions. Page keys or mouse commands are used for screen navigation. Alarms are acknowledged with keystrokes at the Plant Computer System work stations located in the MCR.

Additional information is presented to control room personnel in numeric format, numeric displays, deviation bar charts, and trend displays.

Electrical and Seismic Qualification

The SPDS is not class 1E qualified and is not powered from a class 1E power source. As such, the SPDS is electrically isolated from equipment and sensors used in safety systems.

The SPDS equipment including display hardware has three power sources:

Normal: Auxiliary Building Common board AC power rectified and inverted to 120V AC
Alternate: Station battery 250V DC inverted to 120V AC
Maintenance (Unit 1): Regulated 120V AC from 480V AC Turbine Building MOV Board
Maintenance (Unit 2): Regulated 120 VAC from 480 VAC Turbine Building MOV Unit Board

The hard copy equipment does not have to be powered by uninterruptible power.

The SPDS is not required to operate during or after a seismic event. SPDS equipment is designed so that it will not adversely affect any equipment important to safety, either during or after a seismic event.

7.5.2.2 Bypassed and Inoperable Status Indication System (BISI)

WBN fully complies with the intent of RG 1.47, Revision 0[5].

The Bypassed and Inoperable Status Indication System (BISI) does not perform a safety function, nor do administrative procedures call for immediate operator action based solely on BISI indication. The BISI equipment is isolated from the associated safety-related equipment so as to preclude any abnormal or normal action of the BISI from preventing the performance of a safety function.

The BISI system is a function of the Plant Computer System that provides automatic indication and annunciation of the abnormal status of each ESFAS actuated component of each redundant portion of a system that performs a safety-related function. The determination of the bypassed or inoperable status of a system is left up to the reactor operator.

Abnormal status indication may be applied administratively by the control room operators or automatically from monitored equipment.

Compliance with Regulatory Guide 1.47 is described below:

1. An abnormal indication is provided for each safety system. Abnormal includes any deliberate action which renders a protection system inoperable. The following systems are monitored:

main and auxiliary feedwater
safety injection
residual heat removal
containment spray
emergency gas treatment
essential raw cooling water
chemical and volume control
heating, ventilation, and air conditioning
component cooling
control air (including auxiliary control air)
standby diesel generator

2. Support system indication is provided for each safety system that requires auxiliary or support system(s) operation to perform its safety function.
3. The indicators are at the system level with separate indication for each train.
4. Sublevel information is provided to the control room operator for determination of the abnormal condition at the component level.
5. The abnormal indicators are operated automatically by actions which meet all of the following criteria:
a. The action is deliberate. It is not the intent of the system to show operator errors or component failures.
b. The action is expected to occur more often than once a year.
c. The action is expected when the protection system must be operable per technical specifications.
d. The action renders the system inoperable, not merely potentially inoperable.
e. The deliberate action has taken place in the safety system or a necessary supporting system.
6. The abnormal indication is separate from other plant indicators.
7. A manual capability is provided to operate each safety system abnormal indication. This allows the operator to activate abnormal indication for an event that renders a safety system inoperable but does not automatically operate the BISI.
8. Abnormal indication is accompanied by an audible alarm.
9. There is no capability to defeat an automatic operation of an abnormal indication. (However audible alarms may be silenced.)
10. The indication system is mechanically and electrically isolated from the safety system to avoid degradation of the safety system. The BISI is not safety-related; i.e., it is not designed to safety system criteria such as IEEE Standard 279-1971[6].
11. In accordance with IEEE-279-1971, Paragraph 4.20[6], the operator must be able to determine why a system level abnormal status is indicated. This information can be accessed by the operator for display.
12. Essential raw cooling water and diesel generator systems abnormal status indication is provided. These (support) systems are unique and important enough to warrant abnormal status indication.
13. The system design meets the recommendations of ICSB-21[8] as follows:
a. Each safety system has a Train A and Train B bypass indicator. Support systems are arranged together with the associated train of bypass indicators. Safety system indicators are lit whenever any support subsystem is abnormal.
b. Means by which the operator can cancel erroneous bypassed indications are not provided.
c. The BISI system does not perform functions essential to safety. No operator action is required based solely on the abnormal status indication.
d. The BISI system has no effect on plant safety systems.
e. The abnormal status indicating and annunciating function can be tested during normal plant operation.
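The indication rules in items 3 through 9 and 13 above can be expressed as a small state model. This is an added Python illustration, not the BISI implementation; the support-system mapping, the component names, and the `restore` and `operator_clear` methods are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Key = Tuple[str, str]  # (system, train)

# Constructed dependency table (assumption): the page names ERCW and the
# diesel generators as support systems but does not list what depends on them.
SUPPORT: Dict[str, List[str]] = {
    "safety injection": ["essential raw cooling water", "standby diesel generator"],
    "containment spray": ["essential raw cooling water", "standby diesel generator"],
}


@dataclass(frozen=True)
class Action:
    component: str
    system: str
    train: str                                 # "A" or "B"
    deliberate: bool = True                    # 5a
    more_than_once_a_year: bool = True         # 5b
    operability_required: bool = True          # 5c
    renders_inoperable: bool = True            # 5d
    in_safety_or_support_system: bool = True   # 5e

    def qualifies(self) -> bool:
        """Automatic indication requires all five criteria of item 5."""
        return all((self.deliberate, self.more_than_once_a_year,
                    self.operability_required, self.renders_inoperable,
                    self.in_safety_or_support_system))


class Bisi:
    def __init__(self, support: Dict[str, List[str]]):
        self.support = support
        self.auto: Dict[Key, Set[str]] = {}   # automatic entries per system/train
        self.manual: Set[Key] = set()         # operator-applied entries (item 7)
        self.alarm_sounding = False           # audible alarm (item 8)

    def report(self, action: Action) -> bool:
        """Monitored equipment reports an action; True if it raised indication."""
        if not action.qualifies():
            return False
        self.auto.setdefault((action.system, action.train), set()).add(action.component)
        self.alarm_sounding = True
        return True

    def restore(self, action: Action) -> None:
        """Monitored equipment returns to normal (assumed to clear its own entry)."""
        self.auto.get((action.system, action.train), set()).discard(action.component)

    def manual_set(self, system: str, train: str) -> None:
        self.manual.add((system, train))
        self.alarm_sounding = True

    def operator_clear(self, system: str, train: str) -> bool:
        """Removes only a manual entry; automatic entries cannot be cancelled
        by the operator (items 9 and 13b)."""
        if (system, train) in self.manual:
            self.manual.discard((system, train))
            return True
        return False

    def silence(self) -> None:
        """Silencing the audible alarm leaves every indicator unchanged."""
        self.alarm_sounding = False

    def causes(self, system: str, train: str) -> List[str]:
        """Sublevel detail for one train: own and support-system entries."""
        found: List[str] = []
        for name in [system] + self.support.get(system, []):
            found += [f"{name}: {c}" for c in sorted(self.auto.get((name, train), ()))]
            if (name, train) in self.manual:
                found.append(f"{name}: manual entry")
        return found

    def indicator(self, system: str, train: str) -> bool:
        """System-level, per-train indicator; lit if anything in causes()."""
        return bool(self.causes(system, train))
```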

7.5.2.3 Technical Support Center and Communication Data Links

7.5.2.3.1 Technical Support Center

The information available includes the SPDS displays as well as special displays for use in the TSC. The displays are similar to the main control room and the software and man/machine interface are the same.

7.5.2.3.2 Communication Data Links

The Plant Computer System provides a means of acquiring data from and supplying data to computer based systems both on and off site. The communications data links interconnect the following computer systems:

1. Emergency Operations Facility (EOF)

For Watts Bar Nuclear Plant, the Central Emergency Control Center (CECC) is the EOF. In response to NUREG 0737 Supplement 1[3], all data (real and calculated) along with status and quality information is available for transmission by data link to a compatible processor capable of displaying the information in the CECC. Upon request the Plant Computer System will send the CECC computer a dynamic data base snapshot (a maximum of 200 process variables) every 15 seconds over a high speed communications link. This data meets the requirements of NUREG-1394, Emergency Response Data System[7].

2. Nuclear Data Link

The CECC processor transmits data to the NRC over the Nuclear Data Link.

3. Environmental Data Station (EDS)

Communications between the Plant Computer System and the EDS Computer allow the Plant Computer System to access variables that are input to the EDS computer. All EDS data required by RG 1.23[4] and required to support the TSC functions can be transmitted at a rate of once per minute and displayed with the radiation release data.

REFERENCES

1. U. S. NRC Regulatory Guide 1.97, Rev. 2 (December 1980) and Rev. 3 (May 1983) "Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident".
2. NUREG 0696, Functional Criteria for Emergency Response Facilities, dated February 1981.
3. NUREG-0737, Supplement 1, Requirements for Emergency Response Capability, Generic Letter 82-33, dated December 17, 1982.
4. Regulatory Guide, 1.23, Onsite Meteorological Programs (Safety Guide 23) Revision 0.
5. Regulatory Guide 1.47, Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems, Revision 0.
6. IEEE-Standard 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations (ANSI-N42.7-1972).
7. NUREG-1394, Emergency Response Data System Implementation.
8. Branch Technical Position ICSB-21, Guidance for Application of Regulatory Guide 1.47.
9. TVA letter to NRC dated August 31, 1990, Watts Bar Nuclear Plant (WBN) Conformance to Regulatory Guide (RG) 1.97 Revision 2. (RIMS L44 900831 804)
10. TVA letter to NRC dated October 29, 1991, Watts Bar Nuclear Plant WBN-Emergency Response Capability, Regulatory Guide 1.97, Revision 2 - Request for Additional Information Response. (RIMS T04 911029 848)
11. NUREG-0847, Supplement 9, "Safety Evaluation Report Related to the Operation of Watts Bar Nuclear Plant, Unit 1 and 2," June 1992.
12. "General Design Criteria for Nuclear Power Plant," Appendix A to Title 10 CFR 50, Criterion 13, 19, and 64.
13. TVA letter to NRC dated May 9, 1994, Watts Bar Nuclear Plant (WBN) - Regulatory Guide (RG) 1.97, Revision 2, Postaccident Monitoring System (PAM) - Supplemental Response (RIMS T04 940509 901).
14. TVA Letter to NRC dated April 21, 1995, Watts Bar Nuclear Plant (WBN) Units 1 & 2 - Regulatory Guide (RG) 1.97, Revision 2, Post-Accident Monitoring System (PAM) - Supplemental Response (RIMS T04 950421 117).
15. TVA Letter to NRC dated July 18, 1995, Watts Bar Nuclear Plant (WBN) Units 1 and 2 - Regulatory Guide (RG) 1.97, Revision 2, Post-Accident Monitoring System (PAM) - Supplemental Response (RIMS T04 950718 165)
16. TVA Letter to NRC dated October 12, 1995, Watts Bar Nuclear Plant (WBN) Units 1 & 2 - Regulatory Guide (RG) 1.97, Revision 2, Post-Accident Monitoring System (PAM) - Supplemental Response (T04 951012 228)

17. 10 CFR 50.59 Safety Assessment and Safety Evaluation, WBPLEE-98-010.
18. U.S. NRC Regulatory Guide 1.7, Rev. 3 Control Of Combustible Gas Concentrations in Containment, March 2007.
19. Nuclear Regulatory Commission 10 CFR Parts 50 and 52 RIN 3150-AG76 Combustible Gas Control in Containment AGENCY: Nuclear Regulatory Commission. ACTION: Final rule.

WBN TABLE 7.5-1 POST ACCIDENT MONITORING INSTRUMENTATION COMPONENT QUALIFICATION MATRIX (See Note)

Criteria | Category 1 | Category 2 | Category 3
Redundancy | At least 2 channels required | Not Required | Not Required
EQ (10 CFR 50.49) | Qualify Per WB-DC-40-54, components placed in 10CFR50.49 program | Qualify per WB-DC-40-54, components placed in 10CFR50.49 program | Not Required
Seismic | Must function after seismic event per WB-DC-40.31.2 | Not Required | Not Required
QA | Yes | Yes-Equipment in harsh environment same as Category 1 | Not required
Power Supply | Class-1E Per WB-DC-30-27 | Non-Class 1E, diesel or battery-backed | Non-Class 1E
Physical Separation | Required per WB-DC-30-4 | Not required | Not Required
Electrical Separation | Non-1E circuit interfaces are through qualified isolation devices. (See WB-DC-30-4) | Not required | Not Required
Indication | Hardwired indicator (RVLIS and CET use plasma display and recorder), light | Meter, indicator light, computer display, or annunciator window | Meter, indicator light, computer display, or annunciator window
Special Labeling on MCR Board | C1 engraved on MCR label or window | C2 engraved on MCR label or window. | Not Required
Testing and Maintenance | Required | Required | Required
Isolation Device Accessibility | Required | Required for loops with isolation devices | Not required
Recording | At least 1 channel per analog variable is recorded as indicated in Table 7.5-2. Recording is qualified to Category 2 requirements. The Plant Computer System has at least 1 channel per analog variable trended. | Effluent and area radiation monitors are recorded. Not required for others. | Recorder or computer for meteorology; not required for others

Note: These are only post accident monitoring requirements. Normal system requirements may impose more stringent qualification requirements on components selected for PAM use and in those cases the most stringent requirements are met.

WBN TABLE 7.5-2 (Sheet 1 of 43)

VARIABLES LIST LEGEND

The following table of variables provides a listing of specific design requirements for the PAM instruments. The table represents the minimum required to conform to Regulatory Guide (RG) 1.97, Revision 2. Additional qualification may be provided as a result of other plant, system, or design requirements. The topics described are:

- Variable Name
- Type and Category
- Redundant Channels
- Range, Range Units
- Notes

Type and Category - The variable's type(s) and associated category are identified. Entries in this column are derived from the Type selection analyses and RG 1.97.

Redundancy - The number of instrument channels required to monitor the variable. For Category 1 variables, the number of channels is determined from the PAM single failure analysis. Diverse indication used to supplement or replace redundant information is also identified in Note 1.

Range - The required range and engineering units of the instrumentation are developed in the Type selection analyses or the required range and accuracy analysis. The radiation monitor ranges may reflect the interpreted range and not the equipment's scale.

Notes - Additional information is provided for clarification including any deviations from R.G. 1.97 R2.

The deviations are included in table 7.5-2.

WBN TABLE 7.5-2 (Sheet 2 of 43)

VARIABLES LIST

VAR NUM | Variable Name | Type/Category | Redundant Channels | Minimum Range From | Minimum Range To | Range Units | Notes
1 | Auxiliary Feedwater Flow | A1 D2 | P1 P2; 2 Channels Per Loop | 0 | 700 | GPM | (Note 1)
2 | Containment Lower Compartment Atmosphere Temperature | A1 D2 | P1 P2; 2 Channels | 0 | 350 | Deg F | Deviation #8
3 | Containment Pressure (Narrow Range) | A1 B1 C1 D2 | 4 Channels | -2 | 15 | PSIG | Deviation #24; Note 9
4 | Containment Radiation | A1 C3 E1 | P1 P2; 2 Upper; 2 Lower | 1 | 1.0E7 | R/hr | Deviation #36; Note 14 (Unit 2 only)
5 | Containment Sump Level (Wide Range) | A1 B1 C1 D2 | P1 P2 | 0 | 200 | Inches | Deviation #32
6 | Core Exit Temperature | A1 B1 C1 D2 | P1 P2; 8 PAM 1; 8 PAM 2 | 200 | 2300 | Deg F | Minimum of 16 Operable Thermocouples, 4 from each quadrant (Note 1, 9, 10); Deviation #30 (Unit 1 only) & #37
7 | Main Steam Line Radiation | C2 E2 | 1 Channel Per SG | 1.0E-1 | 1.0E3 | µCi/cc | Note 7

WBN TABLE 7.5-2 (Sheet 3 of 43)

VARIABLES LIST

VAR NUM | Variable Name | Type/Category | Redundant Channels | Minimum Range From | Minimum Range To | Range Units | Notes
8 | Nuclear Instrumentation (Source Range) | A1 B1 D2 | P1 P2 | 1.0E-1 | 2.0E5 | CPS | Note 9
9 | RCS Pressurizer Level | A1 D1 | P1 P2 P3 | 0 | 100 | % | Note 9 & 12
10 | RCS Pressure Wide Range | A1 B1 C1 D2 | P1 P2 P3 | 0 | 3000 | PSIG | Note 9 & 12
11 | RCS Temperature T Cold | A1 B1 C1 D2 | 4 Channels; 1 Per Loop | 50 | 700 | Deg F | Note 1 & 9; Deviation #1
12 | RCS Temperature T Hot | A1 D2 | 4 Channels; 1 Per Loop | 50 | 700 | Deg F | Note 1 & 9; Deviation #1
13 | Refueling Water Storage Tank Level | A1 D2 | P1 P2 | 0 | 100 | % | Note 9
14 | Steam Generator Level (Narrow Range) | A1 B1 | P1 P2 P3; 3 Channels Per Steam Generator | 0 | 100 | % | Note 1, 9, 12
15 | Steam Generator Pressure | A1 B1 D2 | P1 P2; 2 Channels Per SG | 0 | 1300 | PSIG | Deviation #3; Notes 1 & 9

WBN TABLE 7.5-2 (Sheet 4 of 43)

REGULATORY GUIDE 1.97 POST ACCIDENT MONITORING VARIABLES LIST

VAR NUM | Variable Name | Type/Category | Redundant Channels | Minimum Range From | Minimum Range To | Range Units | Notes
16 | Subcooling Margin Monitor | A1 B2 C1 D2 | P1 P2 | 200 | 35 | Deg F | 200 Deg. Subcooling to 35 Deg. Superheat; Notes 9 & 10
17 | Auxiliary Building Passive Sump Level | B1 C1 | P1 P2 | 12.5 | 72.5 | Inches | Note 6 (Unit 1); Note 9 (Unit 2)
18 | Containment Isolation Valve Position Indication | B1 D2 | 1 Per Valve | Closed | Not Closed | N/A | Deviation #20
19 | Containment Hydrogen Concentration | B1 C1 D2 (Unit 1); C3 D3 E3 (Unit 2) | P1 P2 (Unit 1); 1 Channel (Unit 2) | 0 | 10 | % | Deviation #2
20 | Control Rod Position | D3 | 1 Channel Per Bank | 0 | 235 | Steps | Deviation #35
21 | Nuclear Instrumentation (Intermediate Range) | B1 D2 | P1 P2 | 1.0E-8 | 200 | % Power | Note 9
22 | REACTOR VESSEL LEVEL | B1 C1 D2 | P1 P2 | See below | | | (See Notes 5, 9, & 10)
22a | Static Mode (Pumps Not Running) | | | 0 | 100 | % | 0% represents reactor vessel empty. 100% represents reactor vessel full.

WBN TABLE 7.5-2 (Sheet 5 of 43)

REGULATORY GUIDE 1.97 POST ACCIDENT MONITORING VARIABLES LIST

VAR NUM | Variable Name | Type/Category | Redundant Channels | Minimum Range From | Minimum Range To | Range Units | Notes
22b | Dynamic Mode (Pumps Running) | | | 20 | 100 | % | 100% represents reactor vessel full
23 | Containment Pressure (Wide Range) | C1 | P1 P2 | -5 | 60 | PSIG |
24 | Shield Building Vent (Noble Gas Activity) | C2 E2 | 1 Channel | 1.0E-6 | 1.0E4 | µCi/cc |
25 | ABGTS High Pressure Alarm | D2 | 1 Channel Per Fan | NA | -0.2 | inch H2O |
26 | ACAS Pressure | D2 | 1 Channel Per Train | 0 | 150 | PSIG |
27 | AFW Valve Status | D1 | 1 Channel Per Valve | Open | Closed | NA |
28 | Accumulator Flow Isolation Valve Status | D3 | 1 Channel Per Valve | Open | Closed | NA | Deviation #16
29 | Accumulator Tank Level | D3 | 1 Channel Per Tank | 7450 | 8080 | GAL | Deviation #15

WBN TABLE 7.5-2 (Sheet 6 of 43)

REGULATORY GUIDE 1.97 POST ACCIDENT MONITORING VARIABLES LIST

VAR NUM | Variable Name | Type/Category | Redundant Channels | Minimum Range From | Minimum Range To | Range Units | Notes
30 | Accumulator Tank Pressure | D3 | 1 Channel Per Tank | 0 | 700 | PSIG | Deviation #6
31 | Annulus Pressure | D2 | 1 Channel | -10 | 0 | inch H2O |
32 | Aux. Feed Pump Turbine Steam Supply Isolation Valve Status | D3 | 1 Channel Per Valve | Open | Closed | NA |
33 | Battery Current (125V dc Vital) | D2 | 1 Channel Per Battery | -200 | +600 | AMPS |
34 | Bus Voltage (125V dc Vital) | D2 | 1 Channel Per Battery | 75 | 150 | VOLTS |
35 | Bus Voltage (480V Shutdown) | D2 | 1 Channel Per Train | 0 | 600 | VOLTS |
36 | Bus Voltage (6.9KV Shutdown) | D2 | 1 Channel Per Train | 6400 | 7400 | VOLTS | Analog Scale & Digital Display
37 | CCS Surge Tank Level | D3 | 1 Channel Per Train | 0 | 100 | % |

WBN TABLE 7.5-2 (Sheet 7 of 43)

REGULATORY GUIDE 1.97 POST ACCIDENT MONITORING VARIABLES LIST

VAR NUM | Variable Name | Type/Category | Redundant Channels | Minimum Range From | Minimum Range To | Range Units | Notes
38 | Centrifugal Charging Pump Total Flow | D2 | 1 Channel | 0 | 1000 | GPM |
39 | Charging Header Flow | D3 | 1 Channel | 0 | 110 | GPM | Deviation #17
40 | Component Cooling Water To ESF Flow | D2 | 1 Channel Per Hx | 0 | 5561 | GPM |
41 | Component Cooling Water Supply Temperature | D2 | 1 Channel Per Train | 30 | 150 | Deg F | Deviation #7
42 | Condensate Storage Tank Water Level | D3 | 1 Channel Per Tank | 0 | 385,000 | GAL | Not Primary - Source of AFW See Variable 27.
43 | Containment Air Return Fan Status | D2 | 1 Channel Per Fan | On | Off | N/A | (Breaker Status)
44 | Containment Cooling Valve Status | D3 | 1 Channel Per Valve | Open | Closed | NA |
45 | Containment Spray Flow | D2 | 1 Channel Per Train | 0 | 4400 | GPM |
46 | Containment Spray HX Outlet Temperature | D2 | 1 Channel Per HX | 0 | 200 | Deg F |

WBN TABLE 7.5-2 (Sheet 8 of 43)

REGULATORY GUIDE 1.97 POST ACCIDENT MONITORING VARIABLES LIST

VAR NUM | Variable Name | Type/Category | Redundant Channels | Minimum Range From | Minimum Range To | Range Units | Notes
47 | Containment Sump Water Level (Narrow Range) | D3 | 1 Channel | 2 | 66 | Inches | Deviation #12
48 | Containment Sump Water Temperature | D2 | 1 Channel | 50 | 400 | Deg F | Used RHR Inlet Temperature Loop
49 | Diesel Generator Power | D2 | 1 Channel Per DG | 0 | 4.84 | MWATTS |
50 | Diesel Generator Volts | D2 | 1 Channel Per DG | 0 | 6900 | VOLTS |
51 | ECCS Valve Status | D2 | 1 Channel Per Valve | Open | Closed | NA |
52 | ERCW Header Flow | D2 | 1 Channel Per Header | 0 | 20,000 | GPM |
53 | ERCW Supply Temperature | D2 | 1 Channel Per Header | 32 | 200 | Deg F |
54 | Emergency Gas Treatment Damper Position | D2 | 1 Channel Per Damper | Open | Closed | NA |
55 | Emergency Ventilation Damper Status | D2 | 1 Channel Per Damper | Open | Closed | NA |

WBN-2 TABLE 7.5-2 (Sheet 9 of 43)

REGULATORY GUIDE 1.97 POST ACCIDENT MONITORING VARIABLES LIST

VAR NUM | Variable Name | Type/Category | Redundant Channels | Minimum Range From | Minimum Range To | Range Units | Notes
56 | DELETED
57 | Igniter Group Status | D3 | 1 Channel Per Group | On | Off | NA |
58 | Inverter Current (120V ac Vital) | D2 | 1 Channel Per Inverter | 0 | 167 | AMPS | Local Indication; Note 8
59 | Inverter Voltage (120V ac Vital) | D2 | 1 Channel | 115 | 125 | VOLTS | Local Indication; Note 8
60 | Letdown Flow | D3 | 1 Channel | 0 | 144 | GPM | Deviation #18
61 | MCR Pressure | D3 | 1 Channel | 0 | 0.50 | inch H2O |
62 | MCR Radiation Level | D2 | 1 Channel | 1E-1 | 1E4 | mR/Hr |
63 | Main Feedwater Flow | D3 | 1 Channel Per Loop | 0 | 4,372,720 | lb/hr |

WBN TABLE 7.5-2 (Sheet 10 of 43)

REGULATORY GUIDE 1.97 POST ACCIDENT MONITORING VARIABLES LIST

VAR NUM | Variable Name | Type/Category | Redundant Channels | Minimum Range From | Minimum Range To | Range Units | Notes
64 | Normal Emergency Boration Flow | D2 | 1 Channel | 0 | 150 | GPM | Deviation #4
65 | THIS LINE INTENTIONALLY LEFT BLANK
66 | Pressurizer Heater Status (Electric Current) | D2 | 1 Channel Per Group | 0 | 50.5 | AMPS | (See Note 3)
67 | Pressurizer Pressure Relief Valve Position (PORV, Block, and Code) | D2 | 1 Channel Per Valve | Closed | Not Closed | N/A |
68 | Pressurizer Relief Tank Level | D3 | 1 Channel | 0 | 100 | % |
69 | Pressurizer Relief Tank Pressure | D3 | 1 Channel | 0 | 100 | PSIG |
70 | Pressurizer Relief Tank Temperature | D3 | 1 Channel | 50 | 400 | Deg F | Deviation #11
71 | RCP Seal Injection Flow | D3 | 1 Channel Per RCP | 0 | 13.2 | GPM |

WBN TABLE 7.5-2 (Sheet 11 of 43)

REGULATORY GUIDE 1.97 POST ACCIDENT MONITORING VARIABLES LIST

VAR NUM | Variable Name | Type/Category | Redundant Channels | Minimum Range From | Minimum Range To | Range Units | Notes
72 | RCS Head Vent Valve Status | D2 | 1 Channel Per Valve | Closed | Not Closed | NA |
73 | RHR Heat Exchanger Outlet Temperature | D2 | 1 Channel Per HX | 50 | 400 | Deg F | Deviation #9
74 | RHR Pump Flow (RHR System Flow) | D2 | 1 Channel Per Pump | 0 | 5500 | GPM |
75 | RHR Valve Status | D3 | 1 Channel Per Valve | Open | Closed | NA |
76 | Reactor Coolant Pump Status (Motor Current) | D3 | 1 Channel Per Pump | 0 | 712 | AMPS |
77 | Safety Injection Pump Flow | D2 | 1 Channel Per Pump | 0 | 715 | GPM |
78 | Safety Injection System Valve Status | D3 | 1 Channel Per Valve | Open | Closed | NA |
79 | Spent Fuel Pool Level Alarm | D2 | 1 Channel | 748'11.5 | 749'2.5 | ft,in | Range Reflects Low and High Alarm Setpoints

WBN TABLE 7.5-2 (Sheet 12 of 43)

REGULATORY GUIDE 1.97 POST ACCIDENT MONITORING VARIABLES LIST

| VAR NUM | Variable Name | Type/Category | Redundant Channels | Minimum Range From | Minimum Range To | Units | Notes |
|---|---|---|---|---|---|---|---|
| 80 | Spent Fuel Pool Temperature Alarm | D2 | 1 Channel | NA | 127 | Deg F | Upper Range Is Alarm Setpoint |
| 81 | Steam Generator Blowdown Isolation Valve Status | D2 | 1 Channel Per Valve | Closed | Not Closed | NA | |
| 82 | Steam Generator Level (Wide Range) | D1 | 4 Channels 1 Per SG | 0 | 100 | % | Deviation #10 Notes 1 & 9 |
| 83 | Main Steam Flow | D2 | 1 Channel Per SG | 0 | 4,500,000 | lb/hr. | |
| 84 | Tritiated Drain Collector Tank Level | D3 | 1 Channel Per Train | 4 | 96 | % | Local Indication Deviation #25 |
| 85 | Volume Control Tank Level | D3 | 1 Channel | 0 | 100 | % | Deviation #19 |
| 86 | Waste Gas Decay Tank Pressure | D3 | 1 Channel Per Tank | 0 | 150 | PSIG | Local Indication Deviation #23 |
| 87 | Radiation Exposure Meters | E3 | NA | NA | NA | NA | Deviation #22 |
| 88 | Airborne Radiohalogens And Particulates | E3 | Portable | 1.0E-9 | 1.0E-3 | µCi/cc | Airborne I-131 and particulates |

WBN TABLE 7.5-2 (Sheet 13 of 43)

REGULATORY GUIDE 1.97 POST ACCIDENT MONITORING VARIABLES LIST

| VAR NUM | Variable Name | Type/Category | Redundant Channels | Minimum Range From | Minimum Range To | Units | Notes |
|---|---|---|---|---|---|---|---|
| 89 | Plant and Environs Radiation | E3 | Portable | 1.0E-3 | 1.0E4 | Rad/hr. | |
| 90 | Plant and Environs Radioactivity | E3 | Portable | NA | NA | NA | Multi Channel Gamma Ray Spectrometer |
| 91 | Auxiliary Building Vent (Noble Gas) | E2 | 1 Channel | 1.0E-6 | 1.0E-2 | µCi/cc | Deviation #13 |
| 92 | Auxiliary Building Vent (Flow Rate) | E2 | 1 Channel | 0 | 250,800 | CFM | |
| 93 | Auxiliary Building Vent (Particulates and Halogens) | E3 | 1 Channel | See Note 11 | See Note 11 | µCi/cc | Sampling With Onsite Analysis Capability Deviation #14 |
| 94 | Condenser Vacuum Pump Exhaust Vent (Flow Rate) | E2 | 1 Channel | 0 | 45 | SCFM | |
| 95 | Condenser Vacuum Pump Exhaust Vent (Noble Gas) | C3 E2 | 1 Channel | 4.0E-7 | 2.4E+3 | µCi/cc | Deviation #33 |

WBN TABLE 7.5-2 (Sheet 14 of 43)

REGULATORY GUIDE 1.97 POST ACCIDENT MONITORING VARIABLES LIST

| VAR NUM | Variable Name | Type/Category | Redundant Channels | Minimum Range From | Minimum Range To | Units | Notes |
|---|---|---|---|---|---|---|---|
| 96 | ERCW Radiation Monitors | E2 | 1 Channel Per Discharge Point | 3.3E-4 | 1.65E-2 | µCi/cc | |
| 97 | Post Accident Sample System (Unit 1 Only) | E3 | 1 System (Unit 1 Only) | See below | See below | | Sampling With Onsite Analysis Capability (Unit 1 Only) |
| | Unit 2 - Post Accident Sampling (Unit 2 Only) | | | | | | Grab sample with onsite analysis capability (See Note 13) |
| 97a | Reactor Coolant Chloride Concentration | E3 | NA | 1 | 20 | ppm | Deviation #29 |
| 97b | Reactor Coolant Dissolved Hydrogen | E3 | NA | 10 | 2000 | cc/kg (STP) | Deviation #21 (Unit 1 Only) |
| 97c | Reactor Coolant Dissolved Oxygen | E3 | NA | 1 | 20 | ppm | Deviation #34 |
| 97d | Reactor Coolant Total Dissolved Gas | E3 | NA | 100 | 2000 | cc/kg (STP) | Deviation #34 |
| 97e | Reactor Coolant Boron | E3 | NA | 50 | 6000 | ppm | Deviation #26 |
| 97f | Reactor Coolant pH | E3 | NA | 1 | 14 (Unit 1) 13 (Unit 2) | pH | |
| 97g | Reactor Coolant Sample Activity | C3 E3 | NA | 10µCi/ml | 10Ci/ml | Ci/ml | Deviation #5 |

WBN TABLE 7.5-2 (Sheet 15 of 43)

REGULATORY GUIDE 1.97 POST ACCIDENT MONITORING VARIABLES LIST

| VAR NUM | Variable Name | Type/Category | Redundant Channels | Minimum Range From | Minimum Range To | Units | Notes |
|---|---|---|---|---|---|---|---|
| 97h | Reactor Coolant Gamma Spectrum | E3 | NA | NA | NA | NA | Isotopic Analysis |
| 98 | CONTAINMENT AIR | | | | | | |
| 98a | Containment Air Hydrogen | E3 | NA | 0 | 10 | % by volume | Also Measured by Hydrogen Analyzer Deviation #2 |
| 98b | Oxygen Content | | NA | NA | NA | NA | Deviation #27 |
| 98c | Gamma Spectrum Sample | E3 | NA | NA | NA | NA | Isotopic Analysis |
| 99 | Shield Building Vent Flow | E2 | 1 Channel Per Unit | 0 | 28,000 | CFM | |
| 100 | Shield Building Vent Monitor (Particulate And Iodine) | E3 | 1 Channel Per Unit | 1.0E-3 | 1.0E2 | µCi/cc | Sampling With Onsite Analysis Capability |
| 101 | Steam Generator Discharge Vent (Flow Rate and Noble Gas) | E2 | 1 Channel Per Release Point | Note 4 | Note 4 | Note 4 | |

WBN-1 TABLE 7.5-2 (Sheet 16 of 43)

REGULATORY GUIDE 1.97 POST ACCIDENT MONITORING VARIABLES LIST

| VAR NUM | Variable Name | Type/Category | Redundant Channels | Minimum Range From | Minimum Range To | Units | Notes |
|---|---|---|---|---|---|---|---|
| 102 | METEOROLOGY | | | | | | |
| 102a | Vertical Temperature Difference | E3 | 1 Channel | -9 | +18 | Deg F | |
| 102b | Wind Direction | E3 | 1 Channel | 0 | 360 | Deg | |
| 102c | Wind Speed | E3 | 1 Channel | 0 | 50 | MPH | Deviation #28 (1) |
| 103 | Radiation Exposure Rate | E3 | Portable | 1.0E-3 | 1.0E4 | R/hr | Deviation #31 |

1. The capacity of the wind speed instrument supports the Radiological Emergency Plan and reads out from 0 - 100 mph.

WBN TABLE 7.5-2 (Sheet 17 of 43)

REGULATORY GUIDE 1.97 POST ACCIDENT MONITORING VARIABLES LIST Notes:

1. The following parameters are identified as diverse.

| Parameter | Diverse Parameter |
|---|---|
| T (Hot) | Core Exit Temperature |
| Core Exit Temperature | T (Hot) |
| T (Cold) | SG Pressure |
| Auxiliary Feedwater Flow | SG NR/WR Level |

2. Deleted.
3. Pressurizer Heater Status required only for safety-related heater banks (backup heater 1A-A and 1B-B). Range is given in amps per element.
4. Recorder shall be provided for duration of release from all discharge points.

Noble Gas Activity (See Main Steam Line Radiation, Variable No. 7)

Steam Flow Rate:

0 to 4,945,200 lb/hr (PORV and Safety Valves)

0 to 63,375 lb/hr (To Aux. Feedwater Pump Turbine)

5. Vessel level on the plasma display is the compensated actual vessel level derived from a microprocessor algorithm using the upper range, lower range, dynamic range differential pressure, wide range temperature, and wide range pressure. (Unit 1)

Vessel level on the CQ PAMS Flat Panel display is the compensated actual vessel level derived from a controller algorithm using the upper range, lower range, dynamic range differential pressure, wide range temperature, and wide range pressure. (Unit 2)

6. Deleted. (Unit 1) At least one redundant loop is able to trend on the plant computer system. (Unit 2)
7. Also monitors steam generator discharge vent noble gas activity. Required range of sensitivity specified is met by indication displaying in units of dose rate. Conversion to required range is performed using conversion factor specified in Calc. WBNAPS3-048.
8. The 120V AC vital Inverter has a trouble alarm in the MCR which notifies of trouble on the bus.
9. At least one of the redundant loops is trended on a non-divisional trend recorder qualified to meet Category 2 requirements.
10. The Core Exit T/C Temperature (hottest), reactor vessel level, and Saturation Margin are trended on redundant Class 1E plasma displays (the last 30 minutes trending only) in the main control room. (Unit 1) The Core Exit T/C Temperature, reactor vessel level, and Saturation Margin are trended on redundant Class 1E flat panel displays (The trend duration is user selectable) in the main control room. (Unit 2)

WBN TABLE 7.5-2 (Sheet 18 of 43)

REGULATORY GUIDE 1.97 POST ACCIDENT MONITORING VARIABLES LIST Notes (cont.):

11. The range for the Auxiliary Building particulate is 5 x 10^-10 to 10^-5 µCi/cc and the range for halogens (Iodine) is 10^-9 to 10^-4 µCi/cc.

12. The requirements for Category 1 variables which require a third independent channel to resolve ambiguity resulting when redundant displays disagree are being implemented at WBN as follows:

The requirements for each channel are assigned to a redundant protection set (I, II, III, and IV) and electrical independence is maintained from sensor to the isolator in the Auxiliary Instrument Room. From the isolator to the indicator in the Main Control Room, third channel (PAM 3) cables may be routed with either PAM 1 or PAM 2 cables (but not both) depending on its associated protection set.

13. (Unit 2 Only) Reg. Guide 1.97 Rev. 2 requires the capability to sample both the reactor coolant and the containment sump. This capability exists by obtaining a sample off the RHR pump discharge after the suction has transferred to the containment sump following a LOCA. When this occurs the sample will be both the containment sump and the reactor coolant. For this reason, all samples are referred to as reactor coolant samples.
14. Containment radiation does not meet the requirements of Regulatory Guide 1.97 for a Type A variable. It is identified as a Type A variable for event identification as defined in TVA calculation WBNOSG4047.

WBN TABLE 7.5-2 (Sheet 19 of 43)

REGULATORY GUIDE 1.97 VARIABLE LIST (DEVIATION AND JUSTIFICATION FOR DEVIATIONS)

DEVIATION 1 VARIABLES (11 AND 12)

Reactor coolant system (RCS) Cold- and Hot-Leg Water Temperatures

DEVIATION FROM REGULATORY GUIDE (RG) 1.97 GUIDANCE

The range recommended in RG 1.97, Revision 2, is 50 to 750°F; the recommendation for WBN is 50 to 700°F.

JUSTIFICATION

The reactor coolant system description, N3-68-4001, states that the design temperature of the RCS is 650°F. RG 1.97, Revision 2 recommended range is 50-750°F. However, NRC has revised its position on this range and RG 1.97, Revision 3, now recommends a range of 50-700°F which will provide a 50°F margin over the design limit for both temperatures, which should provide the operator with adequate information for all transients. NRC concurs with WBN that an upper limit of 700°F is acceptable.

(Reference: NRC letter to TVA dated July 24, 1986)

DEVIATION FROM RG 1.97 GUIDANCE

RG 1.97, Revision 2, recommends that the RCS hot-leg water temperature (Variable 12) parameter be a B1 variable. WBN recommends that this be an A1 and D2 variable.

JUSTIFICATION

Type B variables provide information to indicate whether plant safety functions are being accomplished. WBN's position is that RCS pressure (Type A1, B1, C1 and D2), core exit temperature (Type A1, B1, C1, and D2), reactor vessel level (Type B1, C1, and D2), and subcooling margin (A1, B2, C1, and D2) are sufficient to monitor for adequate core cooling and the approach to superheat conditions in order to determine the margin by which the core cooling safety function is being accomplished. Therefore, it is WBN's position the RCS hot leg water temperature be required only as a Type A1 and D2 variable.

WBN-2 TABLE 7.5-2 (Sheet 20 of 43)

REGULATORY GUIDE 1.97 VARIABLE LIST (DEVIATION AND JUSTIFICATION FOR DEVIATIONS)

DEVIATION 2 VARIABLE (19)

Containment Hydrogen Concentration

DEVIATION FROM RG 1.97 GUIDANCE

The range recommended in RG 1.97, Revision 2, is 0 to 30%, whereas WBN has provided instrumentation for this variable with a range of 0 to 10%.

JUSTIFICATION

Regulatory guidance from 10 CFR 50.44 Final Rule and RG 1.7, Rev. 3 indicates that hydrogen concentrations in the post-LOCA environment are non risk-significant and will always be below the lower flammability limit of 4% by volume. The Combustible Gas Control System (CGCS) handles degraded core hydrogen releases in the beyond design-basis accident environment as specified in 10 CFR 50.44 and will keep hydrogen concentration below 10% for these events. Therefore, the instrumentation will always be on scale.

DEVIATION 3 VARIABLE (15)

Steam Generator (SG) Pressure

DEVIATION FROM RG 1.97 GUIDANCE

The range recommended in RG 1.97, Revision 2, is 0 psig to 20% above the lowest safety valve setting (corresponding to 1422 psig at WBN); the recommended range for WBN is 0-1300 psig.

WBN TABLE 7.5-2 (Sheet 21 of 43)

REGULATORY GUIDE 1.97 VARIABLE LIST (DEVIATION AND JUSTIFICATION FOR DEVIATIONS)

JUSTIFICATION

The design pressure for the main steam system at WBN is 1185 psig. The main steam safety valves are designed to maintain system pressure less than 110% of design pressure, which is 1303.5 psig. RG 1.97, Revision 2, recommends a range of 0 psig to 20% above the lowest safety valve set pressure, which corresponds to a range of 0 to 1422 psig. The highest main steam safety valve set pressure is 1224 psig and the accumulation pressure for each of the highest pressure safety valves is 1284 psig.

Therefore, since the accumulation pressure is below 1300 psig and the 110% design pressure of approximately 1300 psig, the WBN recommended range of 0-1300 psig is adequate to cover the design range. The RG 1.97, Revision 2 range is well above the design requirements for the system and the ASME Code requirements for relief valves.

Thus it is concluded that the WBN SG pressure range provides adequate feedback to the operator on SG pressure response to accidents or transients, and should be acceptable.

DEVIATION 4 VARIABLE (64)

Normal/Emergency Boration Flow (Boric Acid Charging Flow)

DEVIATION FROM RG 1.97 GUIDANCE

WBN recommends that this variable not be environmentally qualified (as required by RG 1.97, Revision 2, Category 2 variables) since other variables perform the required emergency boration monitoring function.

JUSTIFICATION

The flow path monitored by this variable is a normally isolated path that requires operator action to utilize. This path is used for manual boration of the RCS. This path is not required for mitigation of any event. Postaccident reactivity control is accomplished by the Emergency Core Cooling System (ECCS) injecting borated water from the refueling water storage tank (RWST) into the RCS. Manual boration is not utilized. The ECCS flow is monitored by the centrifugal charging pump total flow (high pressure injection flow), the safety injection (SI) pressure injection flow), and the residual heat removal (RHR) pump flow (RHR System flow). These three variables are in the environmental qualification program and meet the 110% design flow measurement requirement.

WBN TABLE 7.5-2 (Sheet 22 of 43)

REGULATORY GUIDE 1.97 VARIABLE LIST (DEVIATION AND JUSTIFICATION FOR DEVIATIONS)

DEVIATION 5 VARIABLE 97g

Radiation Level in Circulating Primary Coolant (Reactor Coolant Sample Activity).

DEVIATION FROM RG 1.97 GUIDANCE

This variable has been identified in RG 1.97, Revision 2, as Type C, Category 1, whereas WBN has identified this variable as Type C, Category 3.

JUSTIFICATION

For the fuel cladding integrity safety function, RG 1.97 recommends core exit temperature and RCS activity as key variables and gamma spectrum analysis of the reactor coolant as a Category 3 variable. Core-exit temperature provides primary indication of a significant breach or potential breach of fuel throughout the emergency instructions (EIs), functional restoration guidelines (FRGs), and Final Safety Analysis Report (FSAR). Therefore, this variable was included as the Category 1 or key indication. Radiation level in circulating primary coolant was considered; however, it indicates conditions following fuel damage and provides less timely information. Thus, this variable is considered to be less useful to the operators and was included as a backup variable. TVA meets the intent of the RG 1.97 recommended range by monitoring this variable using the gross activity analysis of primary coolant samples taken in the post accident sampling facility. Samples are obtained from the post accident sampling system in Unit 1 only.

DEVIATION 6 VARIABLE (30)

Safety Injection (Cold-Leg) Accumulator Tank Pressure

DEVIATION FROM RG 1.97 GUIDANCE

RG 1.97, Revision 2, recommends that the pressure instruments meet the D2 criteria with a range of 0 to 750 psig. WBN recommends retaining this variable as D3, with a range of 0 to 700 psig.

WBN TABLE 7.5-2 (Sheet 23 of 43)

REGULATORY GUIDE 1.97 VARIABLE LIST (DEVIATION AND JUSTIFICATION FOR DEVIATIONS)

JUSTIFICATION

The primary function of these instruments is to monitor the pre-accident status of the accumulators to ensure the passive safety function of the system. By design these instruments do not perform any safety function post-accident. Other seismically and environmentally qualified instruments such as RCS pressure can be monitored to determine if a cold-leg accumulator injection has occurred.

The design pressure of the cold-leg accumulator tanks is 700 psig. The precautions, limitations, and setpoints (PLS) limit the nitrogen cover gas to a maximum pressure of 632 psig. Therefore, WBN's position is that monitoring of the tanks to pressures higher than the relief setpoints is not needed. WBN considers the existing range of 0 to 700 psig to be acceptable.

DEVIATION 7 VARIABLE (41)

Component Cooling Water (CCW) Temperature to Engineered Safety Features (ESF) Equipment

DEVIATION FROM RG 1.97 GUIDANCE

The range recommended in RG 1.97, Revision 2, is 32 to 200°F; the recommendation for WBN is 30 to 150°F.

JUSTIFICATION

WBN analysis has determined that the highest expected CCW temperature (post-LOCA safety injection) is 120°F. An upward trend of the CCW temperature above 120°F could be readily detected and would be expected to be slow moving. Thus, there would be sufficient time well within the 150°F upper range to alert the operator to the condition and the need to check other PAM-related variables for potential manual actions.

DEVIATION 8 VARIABLE (2)

Containment atmosphere Temperature (Containment Lower Compartment Atmosphere Temperature)

WBN TABLE 7.5-2 (Sheet 24 of 43)

REGULATORY GUIDE 1.97 VARIABLE LIST (DEVIATION AND JUSTIFICATION FOR DEVIATIONS)

DEVIATION FROM RG 1.97 GUIDANCE

The range for this variable is recommended to be 40 to 400°F in accordance with RG 1.97, Revision 2. WBN recommends the range to be 0 to 350°F.

JUSTIFICATION

WBN is an ice condenser plant and, therefore, has a lower containment temperature post-accident than dry containments. The maximum temperature expected post-LOCA at WBN is 250°F as compared to 275 to 290°F for dry containments. The maximum temperature expected at WBN after a steam line break is 327°F as compared to 380 to 450°F for dry containments. The minimum expected containment atmospheric temperature will be 60°F. This minimum temperature is due to the minimum allowable RWST water temperature which could be sprayed into containment by inadvertent operation of the containment spray; therefore, it is WBN's position that a range of 0 to 350°F is adequate.

DEVIATION 9 VARIABLE (73)

Residual Heat Removal (RHR) Heat Exchanger Outlet Temperature

DEVIATION FROM RG 1.97 GUIDANCE

The range recommended in RG 1.97, Revision 2, is 32 to 350°F; the recommendation for WBN is 50 to 400°F.

JUSTIFICATION

NRC letter to TVA dated July 24, 1986, states that RG 1.97, Revision 3, increased the minimum required range of this variable to 40°F and that WBN's range of 50 to 400°F was acceptable due to the minor deviation.

DEVIATION 10 VARIABLE (82)

SG Level Wide Range

WBN TABLE 7.5-2 (Sheet 25 of 43)

REGULATORY GUIDE 1.97 VARIABLE LIST (DEVIATION AND JUSTIFICATION FOR DEVIATIONS)

DEVIATION FROM RG 1.97 GUIDANCE

RG 1.97, Revision 2, recommends this variable as a Type D, Category 1 variable, which requires redundancy in the instrumentation. WBN recommends this variable be Category 1, Type D, but utilizing only one wide range transmitter per SG.

JUSTIFICATION

SG wide range level indication is utilized as a diverse variable to auxiliary feedwater (AFW) flow for gross indication of flow to the SGs. The WBN AFW monitors are Types A1 and D2. WBN's position is that since SG wide range level is only used as a backup to redundant AFW flow monitors, it does not require redundancy.

DEVIATION 11 VARIABLE (70)

Quench Tank (Pressurizer Relief Tank [PRT]) Temperature

DEVIATION FROM RG 1.97 GUIDANCE

The range for this variable is recommended to be 50 to 750°F in accordance with RG 1.97, Revision 2. WBN recommends the range to be 50 to 400°F.

JUSTIFICATION

The purpose of this variable is to monitor operation. The PRT rupture disk is designed to operate between 86-100 psig. Assuming that the rupture disk operates at 100 psig and the pressurizer is at 2500 psig at saturated conditions, the maximum temperature during discharge when all valves in the line are open could be approximately 350°F.

High temperature due to discharges or leakage into the tank from the pressurizer or other sources would produce an early upward trend in PRT temperature above normal.

Temperatures far below the RG 1.97 recommended temperature of 750°F or the 400°F WBN recommended temperature would be sufficient to alert the operator to an abnormal condition and the potential need to check related PAM variables. Therefore, the recommended range of 50 to 400°F is sufficient to permit the operator to monitor plant operation.

WBN TABLE 7.5-2 (Sheet 26 of 43)

REGULATORY GUIDE 1.97 VARIABLE LIST (DEVIATION AND JUSTIFICATION FOR DEVIATIONS)

DEVIATION 12 VARIABLE (47)

Containment Sump Water Level (Narrow Range)

DEVIATION FROM RG 1.97 GUIDANCE

RG 1.97, Revision 2, recommends this variable as Types B and C, Category 2. WBN recommends this variable as Type D, Category 3.

JUSTIFICATION

The operator does not monitor this variable to perform any required safety function. In addition, Chapter 15 of the UFSAR takes no credit for monitoring this variable for any design bases event. This variable is used primarily to monitor RCS leakage. This variable, along with the lower containment atmosphere particulate radioactivity monitoring systems are used to detect RCS leakage. These small leakages do not cause plant perturbations or transients that would cause a reactor trip or SI signal to be generated.

Therefore, the operator does not enter the emergency procedures to detect or mitigate these leakages and corrective actions based on the emergency procedures and the use of PAM equipment are inappropriate. However, for the purpose of monitoring gross leakage, this variable is designated as a Type D3 variable.

The containment sump water level (wide range) is a Type A1, B1, C1, and D2 variable and is used at WBN to monitor the containment water level for the mitigation of accidents.

DEVIATION 13 VARIABLE (91)

Auxiliary Building Exhaust Vent Radiation Level - Noble Gas Release

DEVIATION FROM RG 1.97 GUIDANCE

The range recommended in RG 1.97, Revision 2, is 10^-6 to 10^3 microcuries/cubic centimeter (cc). The recommendation for WBN is 10^-6 to 10^-2 microcuries/cc.

WBN TABLE 7.5-2 (Sheet 27 of 43)

REGULATORY GUIDE 1.97 VARIABLE LIST (DEVIATION AND JUSTIFICATION FOR DEVIATIONS)

JUSTIFICATION

The Auxiliary Building vent monitor is provided to continuously monitor the airborne radioactivity released through the Auxiliary Building exhaust vent. An accident causing Auxiliary Building radiation level to be high will cause all ventilation paths exhausting into the Auxiliary Building vent duct to automatically close and the Auxiliary Building gas treatment system to be activated. Because the isolation function occurs before accident range activity is reached, a normal range monitor only is employed to monitor activity in the Auxiliary Building exhaust vent. Therefore, the recommended range of 10^-6 to 10^-2 microcuries/cc is adequate for detecting and measuring noble gas concentrations.

DEVIATION 14 VARIABLE (93)

Auxiliary Building Exhaust Vent Radiation Level - Particulates and Halogens

DEVIATION FROM RG 1.97 GUIDANCE

The range recommended in RG 1.97, Revision 2, is 10^-3 to 10^2 microcuries/cc. The recommendation for WBN is 5 x 10^-10 to 10^-5 for particulates and 10^-9 to 10^-4 microcuries/cc for halogens (iodine).

JUSTIFICATION

The Auxiliary Building exhaust vent monitor is provided to continuously monitor the radioiodine and particulate radioactivity released through the Auxiliary Building vent. A design basis fuel handling accident* in the Auxiliary Building or a design basis LOCA in the Reactor Building will cause all ventilation paths exhausting into the Auxiliary Building vent duct to automatically close and the Auxiliary Building Gas Treatment system to be activated. Because the isolation function occurs before accident range activity is reached, a normal range monitor only is employed to monitor activity in the Auxiliary Building vent.

Therefore, the recommended range of 5 x 10^-10 to 10^-5 microcuries/cc for particulates and 10^-9 to 10^-4 microcuries/cc for halogens is adequate for detecting and measuring normal operation particulate and radioiodine concentrations. Laboratory analysis of collected samples allows measurement over a wide range.

WBN TABLE 7.5-2 (Sheet 28 of 43)

REGULATORY GUIDE 1.97 VARIABLE LIST (DEVIATION AND JUSTIFICATION FOR DEVIATIONS)

DEVIATION 15 VARIABLE (29)

Safety Injection (Cold-Leg) Accumulator Tank Level

DEVIATION FROM RG 1.97 GUIDANCE

The range recommended in RG 1.97, Revision 2, is 10 to 90% volume using a D2 variable. For Unit 1, WBN recommends a range of 75 to 82% volume, using a D3 variable. For Unit 2, WBN recommends a range of 73 to 80% volume, using a D3 variable.

JUSTIFICATION

For Unit 1, the present accumulator tank level indication range of 7632 to 8264 gallons corresponds to 75 to 82% of volume. For Unit 2, the present accumulator tank level indication range of 7450 to 8080 gallons corresponds to 73 to 80% of volume.

Postaccident level does not serve any safety function since the passive injection of the cold-leg accumulators (CLA) into the RCS would be observed through other qualified instrumentation such as RCS pressure. Hence, level instrumentation which meets the requirements of a D3 variable is appropriate.

DEVIATION 16 VARIABLE (28)

Cold-Leg Accumulator Isolation Valve Position Indication

DEVIATION FROM RG 1.97 GUIDANCE

RG 1.97, Revision 2, recommends that the position indication of the CLA isolation valve be qualified to D2 requirements. WBN recommends designating this variable as D3.

JUSTIFICATION

The CLA isolation valves do not need to change from their normally open position in the event of an accident which requires CLA injection. These valves will already have been opened during startup soon after the RCS pressure sufficiently exceeds the CLA normal operating pressure. Then the associated motive power will be removed.

WBN TABLE 7.5-2 (Sheet 29 of 43)

REGULATORY GUIDE 1.97 VARIABLE LIST (DEVIATION AND JUSTIFICATION FOR DEVIATIONS)

There is no accident event in which instantaneous emptying of all four CLAs could cause inadequate core cooling or cold overpressurization of the RCS. The steam line break is the only Condition IV event other than a LOCA that causes a rapid depressurization of the RCS. However, even for that accident the RCS depressurizes rapidly down to 900 psi where the pressure stabilizes or rises. Further depressurizations are at a much more controlled rate, giving the operator time to react.

For a Condition III event, such as a 4- or 6-inch break (small break LOCA), the depressurization of the RCS may cause emptying of the CLA. Even under such cases, emptying the CLAs will not cause inadequate core cooling or cold overpressurization of the RCS.

Furthermore, closing the CLA isolation valves is not a safety function for accident mitigation that necessitates environmentally qualified valve position indication. Hence, there is no need to environmentally qualify these valves.

WBN recommends designating the position indication of the CLA isolation valve as a D3 variable.

DEVIATION 17 VARIABLE (39)

Chemical and Volume Control system (CVCS) Makeup Flow-In (Charging Header Flow)

DEVIATION FROM RG 1.97 GUIDANCE

The RG 1.97, Revision 2, recommends that the design flow should be monitored using a D2 variable. WBN recommends designating this variable as D3.

JUSTIFICATION

This variable is used to monitor operation. The charging flow is isolated on an SI signal.

While certain events may produce a harsh environment for the flow instruments, makeup flow is not required to mitigate these events. Thus, the installed instrumentation qualified to D3 requirements is appropriate for the intended monitoring function at WBN.

WBN TABLE 7.5-2 (Sheet 30 of 43)

REGULATORY GUIDE 1.97 VARIABLE LIST (DEVIATION AND JUSTIFICATION FOR DEVIATIONS)

DEVIATION 18 VARIABLE (60)

CVCS Letdown Flow-Out (Let Down Flow)

DEVIATION FROM RG 1.97 GUIDANCE

RG 1.97, Revision 2, recommends 0 to 110% design flow monitoring using D2 variables to monitor flow. TVA recommends this variable as D3.

JUSTIFICATION

This variable is used to monitor normal operation. The letdown flow isolation valves close on a SI signal, low pressurizer level, or Phase A isolation signal. While certain events may produce a harsh environment for the flow instruments, letdown flow is not required to mitigate these events. Thus, the installed instrumentation qualified to D3 requirements is appropriate for the intended monitoring function at WBN.

DEVIATION 19 VARIABLE (85)

Volume Control Tank (VCT) Level

DEVIATION FROM RG 1.97 GUIDANCE

The RG 1.97, Revision 2, recommends that the VCT level be monitored from top to bottom with a D2 variable. TVA recommends using a D3 variable and a range slightly less than top to bottom.

JUSTIFICATION

The VCT is isolated on a SI signal. While certain events may produce a harsh environment for the level instruments, the VCT itself is not required to mitigate the events. Hence the D3 type and category variable is appropriate for its performance requirements.

The present VCT indication reads from 0 to 100% over a range of 70 inches which is entirely within the approximately 80-inch cylindrical portion of the tank. Extending the range to include the top and bottom hemispherical portions of the tank would result in nonlinear readings at the extreme ends of the scale. Including the hemisphere and the remaining 10 inches of the vertical cylinder would not add significantly to monitoring capability.

WBN TABLE 7.5-2 (Sheet 31 of 43)

REGULATORY GUIDE 1.97 VARIABLE LIST (DEVIATION AND JUSTIFICATION FOR DEVIATIONS)

DEVIATION 20 VARIABLE 18

Containment Isolation Valve (CIV) Position

DEVIATION FROM RG 1.97 GUIDANCE

RG 1.97, Revision 2, recommends that the CIV position indication should meet the requirements of a B1 variable (which encompasses position indication for the duration of the event). WBN's reactor coolant system (RCS) letdown CIVs flow control valves (FCV)-62, -72, -73, -74, and -76 will be submerged postaccident inside containment.

These valves' limit switches are not qualified for operation during post submergence.

In addition, safety relief valves which are also designated as CIVs are not monitored for position.

JUSTIFICATION

The RCS letdown CIVs close on an SI signal, Phase A signal, or a low pressurizer level signal. The valves and associated position indication limit switches are qualified to perform their intended safety functions prior to being submerged. The limit switch for the valve position indication is located on the valve and hence subject to submergence. The limit switch is not qualifiable for submergence. The limit switch performs its intended safety function well before submergence. Valve positions are indicated both in the Main Control Room and the Technical Support Center.

Once the limit switches are flooded, it must be assumed that the control circuit fuses will be blown and position indication will be lost. This indication circuit, however, is isolated from the other CIV indication circuits.

The solenoids for these valves are included in WBN's environmental qualification (EQ) program and will vent to automatically close the FCVs as required under accident conditions. An analysis in WBN's EQ binder demonstrates that once closed, a submergence failure of the solenoid will not cause the FCV to change position. Hence the valves are considered closed and no further indication is required.

For safety relief valves, position indication is not necessary since these valves are constantly in their containment isolation position (i.e., closed). Verification that these valves have accomplished their containment isolation function is not necessary since they do not change position to provide this function.

DEVIATION 21 VARIABLE (97B)

Reactor Coolant Dissolved Hydrogen

WBN TABLE 7.5-2 (Sheet 32 of 43)

REGULATORY GUIDE 1.97 VARIABLE LIST (DEVIATION AND JUSTIFICATION FOR DEVIATIONS)

DEVIATION FROM RG 1.97 GUIDANCE

The RG 1.97, Revision 2 (refer to Table 2, Type E variables), recommends that primary coolant grab sample capability exists for hydrogen analysis.

JUSTIFICATION

The WBN postaccident sampling facility (PASF) will have two independent methods for measuring dissolved hydrogen in the RCS. It will have the capability to measure dissolved hydrogen in the range from 10-2000 cc/kg with an inline ion chromatograph. In addition, it will have a total dissolved gas analyzer to measure the total dissolved gas in the pressurized coolant in the range from 100-2000 cc/kg. Dissolved oxygen will be separately measured with a dissolved oxygen analyzer. These latter two measurements provide another determination of the dissolved hydrogen. The two available methods provide sufficient backup monitoring capability for dissolved hydrogen and will eliminate the need for handling highly radioactive, undiluted, pressurized reactor coolant grab samples. Diluted, unpressurized reactor coolant grab samples may be obtained as necessary at the PASF for other analyses.

DEVIATION 22 VARIABLE (87)

Radiation Exposure Meters

DEVIATION FROM RG 1.97 GUIDANCE RG 1.97, Revision 2, recommends that Type E radiation exposure meters with continuous indication be available at fixed locations. No category is specified. WBN recommends not classifying these meters as a RG 1.97 variable.


JUSTIFICATION RG 1.97, Revision 2, was issued with an outstanding question regarding the practicality of deploying radiation monitors at fixed locations. A study (NUREG/CR-2644) concluded that it is unlikely that a few fixed-station area monitors could provide sufficiently reliable information to be of use in detecting releases from unmonitored containment release points. NRC agreed with this conclusion and in Revision 3 of RG 1.97 deleted the environs radiation monitors from the pressurized water reactor (PWR) table of variables.

DEVIATION 23 VARIABLE (86)

Waste (Radioactive) Gas Holdup Tank Pressure (Waste Gas Decay Tank Pressure)

DEVIATION FROM RG 1.97 GUIDANCE RG 1.97, Revision 2, recommends that waste (radioactive) gas holdup tank pressure be monitored from 0 to 150% of design pressure. WBN recommends that the pressure be monitored from 0 to 100% of design pressure (150 psig).

JUSTIFICATION The design pressure of the waste gas decay tanks is 150 psig. The waste gas decay tanks are equipped with pressure relief valves set at 150 psig. Therefore, WBN's position is that monitoring of the tanks to pressures higher than the relief setpoints is not necessary. WBN considers the existing range of 0 to 100% of design to be acceptable.

DEVIATION 24 VARIABLE (3)

Containment Pressure (Narrow Range)

DEVIATION FROM RG 1.97 GUIDANCE RG 1.97, Revision 2, recommends a Type B and Type C variable which covers a range of -5 psig to the design pressure. WBN recommends a lower range of -2 psig using a Type A1, B1, C1, and D2 variable (with no deviation to the upper range).


JUSTIFICATION The WBN containment vessel design net external pressure is 2 psig. Inadvertent containment spray initiation will cause rapid depressurization inside containment. However, for this event the pressure will drop below the minimum design pressure.

Another event that can cause a depressurization inside containment is continuous inadvertent air return fan operation. However, this will occur slowly enough to allow the operators sufficient time to observe trending of containment depressurization and afford ample opportunity to terminate the air fan operation and manually open the lower compartment pressure relief line.

In addition, the containment pressure wide range instrumentation (-5 to 60 psig) overlaps the -2 psig lower range instrumentation. The -2 psig value is the lower design limit and is consistent with the use of upper range design limit of 15 psig. Hence, a lower range value of -2 psig is appropriate for WBN.

DEVIATION 25 VARIABLE (84)

High Level Radioactive Liquid Tank Level (Tritiated Drain Collector Tank)

DEVIATION FROM RG 1.97 GUIDANCE RG 1.97, Revision 2, recommends a range for this variable from top to bottom. WBN recommends a range from 11 to 133 inches from the bottom of the tank.

JUSTIFICATION The capacity of the tank is approximately 24,700 gallons. The quantity of water that is excluded from the range of the indication is approximately 1000 gallons at the bottom and an equal amount at the top. Thus, the present range is capable of monitoring approximately 22,700 gallons which is about 92% of the total capacity of the tank. TVA thereby considers the proposed range for the existing level taps (11 to 133 inches from the bottom of the tank) to be sufficient for indicating postaccident storage volume for this tank.


DEVIATION 26 VARIABLE (97E)

Reactor Coolant Boron

DEVIATION FROM RG 1.97 GUIDANCE RG 1.97, Revision 2, recommends that the analysis range for boron content in the primary coolant and sump be between 0 to 6,000 parts per million (ppm) and be monitored with a Type B3 and E3 variable. WBN recommends that the range be between 50 to 6,000 ppm and be monitored with a Type E3 variable.

JUSTIFICATION For boron concentrations below 500 ppm, the tolerance for WBN's instrumentation would be limited to plus or minus 50 ppm. This tolerance band is considered by WBN to be acceptable for ensuring that postaccident shutdown margin is maintained. WBN's position is that the current range capability for boron analysis (50 to 6,000 ppm) is sufficient.

RCS boron concentration used in conjunction with control rod position indication and RCS cold-leg temperature only provides indirect indication. These are backup variables for monitoring reactivity control. Neutron flux is a direct variable that allows the operator to determine if reactivity is under control (i.e., the reactor has tripped and the core is in a subcritical condition). Neutron flux is a Type B1 and D2 variable at WBN. Therefore, the boron concentration is not required for direct reactivity control determination. It is available as a Type E3 variable for backup verification of reactivity control.

DEVIATION 27 VARIABLE (98b)

Containment Air Oxygen Content

DEVIATION FROM RG 1.97 GUIDANCE RG 1.97, Revision 2 recommends a measurement range of 0-30% volume for containment air oxygen content. WBN recommends that the measurement of this variable should not be required.


JUSTIFICATION The measurement of containment air oxygen content is not required by NUREG-0737.

Following a design basis LOCA at WBN, the combustible gas control system will maintain the hydrogen concentration in containment below the lower flammability limit of 4% volume. Therefore, the oxygen concentration in containment is not important for combustion control. A measurement of the containment oxygen concentration is not needed for any other reason after an accident.

DEVIATION 28 VARIABLE (102c)

Meteorology (Wind Speed)

DEVIATION FROM RG 1.97 GUIDANCE RG 1.97, Revision 2, recommends that the wind speed measurement range be 0 to 67 mph. WBN recommends that the range be 0 to 50 mph.

JUSTIFICATION RG 1.97, Revision 3, recommends that the wind speed measurement range be 0 to 50 mph. Also, NRC letter to TVA dated July 24, 1986, states that since WBN meets the range recommended in RG 1.97, Revision 3, the 0 to 50 mph range is acceptable.

DEVIATION 29 VARIABLE 97a

Reactor Coolant Chloride Concentration

DEVIATION FROM RG 1.97 GUIDANCE RG 1.97, Revision 2, recommends a range of 0 to 20 ppm for reactor coolant chloride concentration. WBN recommends a range of 1 to 20 ppm.

JUSTIFICATION The WBN recommended range of 1 to 20 ppm accurately represents TVA's commitment to the NRC.


DEVIATION 30 (Unit 1 Only)

VARIABLE 6

DEVIATION FROM RG 1.97 GUIDANCE The two channels/trains of the core thermocouple system at the bundling at the common reactor vessel refueling cavity wall penetration do not meet the separation requirement of RG 1.97.

JUSTIFICATION The design and the installation of the mineral insulated cables used for the core thermocouples within the reactor cavity were completed prior to upgrading the system to satisfy RG 1.97 requirements. The design within the refueling cavity is acceptable because:

1. Only a small self-generated signal exists in the cabling from the thermocouples to the Incore Instrument Room and, therefore, no chance exists for a postulated propagating fault.
2. Due to the interference provided by the rod control mechanisms and rod position indicator stack, no likelihood exists for rendering all thermocouples inoperable.

DEVIATION 31 VARIABLE (103)

DEVIATION FROM RG 1.97 GUIDANCE RG 1.97, Revision 2, includes exposure rate monitors as Type E (Category 2) variables.

These monitors are required to have a range of 1.0E-1 Rem per hour (R/hr) to 1.0E4 R/hr and are to be located inside buildings or areas where access is required to service equipment important to safety. The area monitors are intended for use in detection of significant releases, release assessment, and long-term surveillance.

RG 1.97, Revision 2, also included radiation exposure rate monitors, with ranges of 1.0E-1 R/hr to 1.0E4 R/hr as Type C variables (these monitors were to be installed inside buildings or areas in direct contact with primary containment where penetrations and hatches were located). This variable was removed from RG 1.97 in Revision 3 and will not be addressed further.


WBN RG 1.97 monitoring instrumentation does not include installed high-range exposure rate monitors as Type E variables. The intended objectives of such instrumentation will be achieved in a different manner than that described in RG 1.97.

The following paragraphs describe how WBN's program is designed to monitor radiation exposure rates.

A large number of useful missions outside the MCR during accident conditions may be postulated. These missions would be for activities, such as equipment maintenance, grab sample acquisition, and laboratory analyses of grab samples that might enhance accident mitigation. Exposure rates encountered on these missions would vary over a wide range. This variability arises from the fact that most high exposure outside the containment during accident conditions would be attributable to contained sources and, therefore, be strong functions of distance from the sources. Because of the wide exposure rate variability, the installation of even a large number of high-range exposure rate monitoring instruments at selected locations on projected mission routes might not contribute substantially, either to the planning of missions for accident mitigation purposes or to the minimization of dose equivalent to personnel performing the missions.

Based on the above considerations, the WBN radiation monitoring system design uses portable high-range exposure rate instruments in lieu of installed high-range exposure rate monitors. Crews attempting missions outside the MCR following an accident would include Radiation Protection personnel provided with high-range exposure rate instrumentation. The range of the Type E portable instrumentation available for this purpose is 1.0E-3 R/hr to 1.0E4 R/hr, which is consistent with the range required for area exposure rate monitoring.

Additionally, the TVA radiation monitoring system presently includes normal-range area monitors, each with a range from 1.0E-1 MR/hr to 1.0E4 MR/hr. These monitors are located throughout the plant in areas where personnel access is common. Although the area monitors are not required to be within the scope of the environmental qualification program and they are not included in the PAM program, monitors located outside the primary containment and other locations of high postaccident exposure rates can be expected to remain on scale and to continue to provide exposure rate indication with required accuracy during accident conditions. The monitors that remain on scale will provide useful input to MCR personnel for assessment of plant exposure rate levels during accident conditions. Based upon this assessment and WBN Radiological Emergency Plan dose limitations, a decision will be made as to whether or not missions outside the MCR would be attempted.


In summary, the WBN position on high-range accident monitoring is that high-range exposure rate instrumentation will not be installed and that high-range monitoring will be provided by portable monitoring instrumentation that meets the RG 1.97 required range.

DEVIATION 32 VARIABLE (5)

Containment Sump Level (Wide Range)

DEVIATION FROM RG 1.97 GUIDANCE The range recommended in RG 1.97, Revision 2, is "Bottom of containment to 600,000 gallon level equivalent." Watts Bar recommends a range from 0-200 inches (with the "0" level starting at six inches above the reactor floor) (see Note).

JUSTIFICATION Watts Bar utilizes a containment sump level monitoring system that starts measuring at six inches above the containment floor (level tap located at elevation 703 ft.-3-3/8 inches). The range of the instrument is 200 inches (719 ft. 11-3/8 inches). The total volume of water available to flood containment post-LOCA is 844,000 gallons, which is approximately equivalent to a steady state maximum flood level of 717 ft 2-2/5 inches. Therefore, the recommended range is fully adequate to monitor the maximum equilibrium flood level that would be experienced.

Note: The containment sump level monitoring system is utilized only during an accident. During normal operation reactor coolant leakage is monitored by the Reactor Building floor and equipment drain pocket sump. For post accident monitoring, the operator is aware that the "0" level actually begins at 6 inches above the floor and will realize that there is extra water inside containment when the sump monitor begins to indicate.


DEVIATION 33 VARIABLE 95

Condenser Vacuum Pump Exhaust Vent (Noble gas)

DEVIATION FROM RG 1.97 GUIDANCE The RG 1.97, Revision 2, required range for the condenser vacuum pump exhaust monitors is 1.0E-6 to 1.0E+5 uCi/cc.

JUSTIFICATION TVA has determined the total gas required range of the condenser vacuum pump exhaust monitors to be less than the 1.0E-6 value in RG for the low end of the range and 2.4E+3 uCi/cc at the upper end of the range.

The steam generator tube rupture (SGTR) is the only credible accident monitored by the condenser vacuum pump exhaust monitor. NUREG-0800, Revision 2 requires that the SGTR accident be analyzed using the highest isotope concentrations allowed by the Watts Bar Technical Specifications. The specific activity of the reactor coolant is limited to a) Less than or equal to 1 microcurie per gram dose equivalent Iodine-131, and b) Less than or equal to 100/µCi/gm. The dose equivalent I-131 is more than 4 times more restrictive than the 100/ limit.

The 100/ is more conservative and is selected to demonstrate that the monitor will remain on scale during the most severe accident. The highest concentration of mixed noble gas isotopes that can be present under the 100/ limit is 1.45E+3 uCi/cc. For the SGTR source spectrum, the maximum measurable concentration for the condenser vacuum pump exhaust monitors is 3.53E+4. Therefore, the Watts Bar required range for the condenser vacuum pump exhaust monitors meets the intent of RG 1.97, Revision 2 based on either the mixed gas or the SGTR specific source spectrum.


DEVIATION 34 VARIABLE (97c) and (97d)

Primary Coolant Dissolved Total Gas (97d) and Dissolved Oxygen (97c)

DEVIATION FROM RG 1.97 GUIDANCE RG 1.97, Revision 2 indicates the range for Variable (97d) is from 0 to 2000 cc/Kg and the range for Variable (97c) is 0 to 20 ppm. The TVA required range for Variable (97d) is 100 to 2000 cc/Kg, and 1 to 20 ppm for Variable (97c).

JUSTIFICATION The TVA required ranges for Variables (97c) and (97d) permit adequate assessment of the system for these dissolved gases, and therefore meet the intent of RG 1.97.

DEVIATION 35 VARIABLE (20)

Control Rod Position

DEVIATION FROM RG 1.97 GUIDANCE RG 1.97 recommends that control rod position indication be a Type B, Category 3 variable (B3) to monitor for reactivity control. Watts Bar recommends that this variable be a Type D, Category 3 variable (D3).

JUSTIFICATION Control rod position indication is an indirect variable. It provides backup indication for monitoring reactivity control. Neutron flux (Category 1) is a direct variable that allows the operator to determine if reactivity is under control (i.e., the reactor has tripped and the core is in a subcritical condition). Since this provides backup indication, utilizing it as a Type D variable is sufficient.

DEVIATION 36 VARIABLE 4

Containment Area Radiation, High Range


DEVIATION FROM RG 1.97 GUIDANCE Note 7 of RG 1.97, Revision 2 for the subject variable states, "detectors should respond to gamma photons within any energy range from 60 KeV to 3 MeV with an energy response accuracy of 20% at any specific photon energy from 0.1 MeV to 1 MeV. Overall system accuracy should be within a factor of 2 over the entire range." TVA meets the requirements of RG 1.97, Revision 3 Note 7 for the subject variable, which states, "Detectors should respond to gamma radiation photons within any range from 60 KeV to 3 MeV with a dose rate response accuracy within a factor of 2 over the entire range."

JUSTIFICATION It is acceptable to meet the requirements of RG 1.97, Revision 3.

DEVIATION 37 VARIABLE 6

Core Exit Temperature

DEVIATION FROM RG 1.97 R2 GUIDANCE This Type A, Category 1 variable has been provided with a minimum of two independent channels (PAM 1 and PAM 2) for monitoring core exit temperature. Where failure of a channel would present ambiguous or confusing information to the operator, preventing the operator from taking action or misleading the operator, RG 1.97 recommends that an additional redundant (PAM 3) channel be provided. One channel of the WBN core exit temperature indication is subject to direct failure as a result of a specific pipe break jet impingement and/or pipe whip impact on the cable/conduit routed near the safety injection (SI) accumulator cold leg injection line in Loop 1. The WBN design does not include a third redundant channel for this variable.

JUSTIFICATION The core exit thermocouples were added to the plant design to provide direct indication of degrading core cooling conditions following transient events similar to that experienced at Three Mile Island (TMI). These events typically develop gradually over time and involve a great deal of operator action and control. The core exit temperature indication was intended to prevent erroneous operator termination of emergency core cooling system (ECCS) flow to the RCS after small breaks or transients that do not rapidly depressurize the RCS.


The challenge to the channel redundancy in this case is due to a specific primary loop pipe break at the cold leg injection check valve. The injection line is 10-inches diameter, schedule 140 pipe and the postulated break is a full guillotine rupture which results in a blowdown flow area from the primary loop side of the break of 60. in² or 0.4176 ft². This break is included in the LOCA size spectrum and is considered an intermediate size break. UFSAR Chapter 15 analyses show that breaks in this range rapidly depressurize the primary system, causing automatic ECCS response which refloods the core and terminates the core heatup transient. However, should such a break occur, the affected channel is expected to fail open and not give erroneous indication that could confuse the operators.

It is the WBN position that the RG 1.97 Revision 2 indication provided by reactor vessel level, RCS pressure, RCS temperatures Thot and Tcold, and containment pressure and temperature will enable the operators to compensate for a loss of one channel of CET due to this specific pipe break plus a single failure of the redundant channel. The operators will be able to correctly assess the accident scenario and determine the effectiveness of postaccident core cooling system response during performance of the Emergency Operating Procedures.

7.6 ALL OTHER SYSTEMS REQUIRED FOR SAFETY

7.6.1 120V ac and 125V dc Vital Plant Control Power System

This system is described in Section 8.3.

7.6.2 Residual Heat Removal Isolation Valves

7.6.2.1 Description

There are two motor-operated gate valves (FCV 74-1 (8702) and FCV 74-2 (8701) as shown in control diagram, Figure 5.5-4) in series in the inlet line from the Reactor Coolant System (RCS) to the Residual Heat Removal (RHR) System. They are normally closed and are only opened for residual heat removal after RCS system pressure is below RHR system design limits. (See Chapter 5 for details of the RHR system.)

The RHR system inlet isolation valves are interlocked with a pressure signal to prevent them from being opened whenever the RCS system pressure approaches the RHR system design pressure limit.

Should either or both of these valves fail to open when required, a letdown path can be established via bypass valves which have been provided around valves FCV 74-2 (8701) and FCV 74-1 (8702). The bypass valves are FCV 74-8 (8703) and FCV 74-9 (8704). A given set of two of these parallel valves is provided with trained power, so that failure of one power train will not defeat the establishment of the necessary letdown flow path.

Whenever the RHR isolation inlet and/or bypass valves are open and RCS pressure rises to a value near the RHR system design pressure limit, an alarm in the main control room (MCR) alerts the operator to the RHR system alignment. The isolation valves should be closed before the pressure reaches the RHR suction line pressure relief valve setpoint but only if there is a steam bubble in the pressurizer or the charging pump has been stopped.

The motor-operated bypass valves are located in bypass lines paralleling the normal RHR suction isolation valves FCV 74-1 and FCV 74-2 which are in series in the flowpath. Valves FCV 74-8 and FCV 74-9 are normally closed and remain closed with power locked out unless one of the two main isolation valves (FCV 74-1 or FCV 74-2) cannot be opened and the plant must be cooled down. Then, the redundant flowpath through the appropriate bypass valve is used to provide RHR cooling flow. Valves FCV 74-8 and FCV 74-9 are interlocked with signals from RCS pressure transmitters PT 68-63 and PT 68-64, respectively, as shown in Figure 7.6-6, Sheet 3. These interlocks prevent inadvertent opening when RCS pressure is above the RHR system design pressure limit. The bypass valves are monitored by the integrated plant computer system with an alarm generated on the computer alarm list in the main control room if either of the valves is not in its fully closed position.

7.6.2.2 Analysis

Based on the scope definitions presented in Reference [2] (IEEE 279-1971) and Reference [3] (IEEE 338-1971), it is considered that these criteria do not apply to the residual heat removal isolation valve interlocks. However, in order to meet NRC requirements and because of the possible severity of the consequences of loss of function, the requirements of IEEE 279-1971 will be applied with the following comments.

1. For the purpose of applying IEEE 279-1971 to this circuit the following definitions will be used.
a. Protective System The two valves in series and all components of their interlocking and closure circuits.
b. Protective Action (1) The automatic initiation of interlocks to prevent opening of inlet isolation and bypass valves to maintain residual heat removal system isolation from the reactor coolant system for reactor coolant system pressure at or above the RHR system design pressure limit.

(2) Initiation of an alarm in the MCR to alert the operator to the RHR system alignment whenever the RHR inlet isolation and/or bypass valves are open and the RCS pressure is at or above the RHR system design pressure limit. Operator action in response to the alarm is required to close the valves in accordance with NRC Generic Letter 88-17 and References [4] and [5].

2. IEEE Standard 279-1971, Paragraph 4.15: This requirement does not apply, since the setpoints are independent of mode of operation and are not changed.

The environmental qualification program is discussed in Section 3.11.

7.6.3 Refueling Interlocks

Electrical interlocks (i.e., limit switches) as discussed in Section 9.1.4 are provided for minimizing the possibility of damage to the fuel during fuel handling operations.

7.6.4 Deleted

7.6.5 Accumulator Motor-Operated Valves

The design of the interconnecting of the signals to the cold leg accumulator isolation valve meets the following criteria established in previous NRC positions on this matter (see Figure 7.6-3):

1. Automatic opening of the accumulator valves when (a) the primary coolant system pressure exceeds a preselected value (to be specified in the Technical Specifications) or (b) a safety injection signal has been initiated. Both signals are provided to the valves.


2. Utilization of a safety injection signal to automatically override any features that are provided to allow an isolation valve to be closed.

The valves and control circuits are discussed in Sections 6.3.2.15, 7.3.1.1.2, and 6.3.5.5.

The safety injection system accumulator discharge isolation valves are motor-operated normally open valves which are controlled from the main control board.

These valves are interlocked during normal operation such that:

1. They open automatically on receipt of an "S" signal.
2. They open automatically whenever the RCS pressure is above the P-11 permissive setpoint (See Table 7.3-3) as specified in the Technical Specifications.
3. They cannot be closed as long as an "S" signal is present. The main control board switches for these valves are three position switches which provide a "spring return to auto" from the open position and closed position.

During plant shutdown, the accumulator valves are in a closed position. To prevent an inadvertent opening of these valves during that period, the accumulator valve power will be removed.

Administrative control is again required to ensure that power to these valves is restored during the prestartup procedures. During startup the valves are manually opened prior to RCS pressure exceeding 1000 psig. After the valves are open, power is removed to prevent inadvertent valve closure. During cooldown, power is restored and the valves manually closed from the MCR before RCS pressure decreases below the cold leg accumulator pressure.

These normally open motor-operated valves have an alarm indicating a mispositioning (with regard to their Emergency Core Cooling System (ECCS) function during the injection phase). The alarms sound in the MCR.
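The three interlocks and the power-removal steps described above can be checked together by enumerating every input combination of a small state model. The following is an added example, not part of the FSAR or of the plant logic; the function names, the boolean stand-in for the P-11 setpoint, and the treatment of a close request above P-11 as ignored are assumptions.

```python
from enum import Enum
from itertools import product

OPEN, CLOSED = "open", "closed"


class Switch(Enum):
    AUTO = "auto"    # rest position; the handle springs back here when released
    OPEN = "open"
    CLOSE = "close"


def demand(s_signal, above_p11, switch):
    """Position the control circuit drives toward, or None when nothing is asked."""
    # Interlocks 1 and 2: automatic open on "S" or above the P-11 setpoint.
    # Interlock 3: a close request is ignored while "S" is present.
    # Assumption: a close request is also ignored above P-11.
    if s_signal or above_p11:
        return OPEN
    if switch is Switch.OPEN:
        return OPEN
    if switch is Switch.CLOSE:
        return CLOSED
    return None


def step(position, s_signal, above_p11, switch, power):
    """Valve position after the circuit acts on the current inputs."""
    if not power:
        return position  # motor power removed: no demand can move the valve
    wanted = demand(s_signal, above_p11, switch)
    return position if wanted is None else wanted


def all_states():
    """Every combination of (position, S, above P-11, switch, power)."""
    return list(product((OPEN, CLOSED), (False, True), (False, True),
                        Switch, (False, True)))


def closed_despite_s_signal():
    """States in which "S" is present but the valve still ends up closed."""
    return [s for s in all_states() if s[1] and step(*s) == CLOSED]


def ways_to_close_an_open_valve():
    """States in which an open valve is driven closed."""
    return [s for s in all_states() if s[0] == OPEN and step(*s) == CLOSED]


def plant_sequence():
    """Walk the shutdown, startup and cooldown steps given in the text."""
    steps = [
        ("shutdown: power removed, spurious open demand",
         False, False, Switch.OPEN, False),
        ("startup: power restored, operator opens valve",
         False, False, Switch.OPEN, True),
        ("at power: power removed, spurious close demand",
         False, True, Switch.CLOSE, False),
        ('at power: "S" signal, power still removed',
         True, True, Switch.AUTO, False),
        ("cooldown: power restored, operator closes valve",
         False, False, Switch.CLOSE, True),
    ]
    position, log = CLOSED, []
    for label, s_signal, above_p11, switch, power in steps:
        position = step(position, s_signal, above_p11, switch, power)
        log.append((label, position))
    return log


if __name__ == "__main__":
    for label, position in plant_sequence():
        print(f"{label:50s} -> {position}")
    print("closed despite S:", len(closed_despite_s_signal()), "states")
    print("closure paths:", ways_to_close_an_open_valve())
```

Every state returned by `closed_despite_s_signal()` has the valve already closed with motor power removed, which is the condition the prestartup administrative control on power restoration exists to rule out.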

7.6.6 Spurious Actuation Protection for Motor Operated Valves

The design of Watts Bar Nuclear Plant is such that the failure of any single valve to operate on demand cannot result in the loss of capability to perform a system safety function. However, in the case of possible inadvertent valve misalignment, the following motor operated valves have been identified as valves whose spurious operation could result in the loss of a system safety function. (Westinghouse valve numbers are in parentheses).

FCV 63-1 (8812) FCV 63-67 (8808D) FCV 63-98 (8808B)

FCV 63-3 (8813) FCV 63-72 (8811A) FCV 63-118 (8808A)

FCV 63-5 (8806) FCV 63-73 (8811B) FCV 63-156 (8802A)

FCV 63-8 (8804A) FCV 63-80 (8808C) FCV 63-157 (8802B)

FCV 63-11 (8804B) FCV 63-93 (8809A) FCV 63-172 (8840)

FCV 63-22 (8835) FCV 63-94 (8809B) FCV 62-98 (8110)

FCV 62-99 (8111)

Means have been provided to preclude such spurious misalignment. Except for FCV 62-98 and FCV 62-99, the design consists of modified control circuits for these valves to ensure that no single failure will be able to energize the opening and/or closing coils for the valve operator.

The design utilizes separate contacts which are wired before and after each opening and closing coil as required. Figure 7.6-4 illustrates this protection scheme. In this typical schematic, isolation of the opening and closing coils is provided by contacts R11-R12, R31-R32, L21-L22, and (L41-L42). Valves FCV 63-67, FCV 63-72, FCV 63-73, FCV 63-80, FCV 63-98, and FCV 63-118 require this protection scheme only for the closing coil.

In addition, single failure has been considered on the part of the operator. The design includes easily accessible, clear protective covers attached to the main control board panel over each respective control room switch except for FCV-62-98, FCV-62-99, and FCV-63-1. The operator would be required to open this protective cover before he operates the control switch.

For FCV 63-1, FCV 63-22, FCV 63-67, FCV 63-80, FCV 63-98, and FCV 63-118 operating instructions specify the removal of power during specific modes of plant operation. For FCV 62-98 and FCV 62-99, the motive power has been removed.

For FCV-63-8 and FCV-63-11 power will be removed and will be administratively controlled just prior to use of the RHR system for plant cooldown (<350°F) to prevent inadvertent valve opening and overpressurization of the SI pump and CCP suction piping.
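The effect of wiring separate contacts before and after each coil can be shown with a small cut-set enumeration, which also covers the valves that have the scheme on the closing coil only. This is an added example, not taken from the FSAR or from Figure 7.6-4; the circuit topology, the four failure modes and all names are assumptions chosen for illustration.

```python
from itertools import combinations

# Assumed electrical failure modes for one coil circuit (constructed list).
UP = "upstream_contact_closed"        # supply-side contact fails closed
DOWN = "downstream_contact_closed"    # return-side contact fails closed
HOT = "hot_short_at_coil_inlet"       # energized conductor touches supply lead
RET = "return_short_at_coil_outlet"   # return lead shorts to the return side
FAULTS = (UP, DOWN, HOT, RET)


def coil_energized(protected, faults=frozenset(), demand=False):
    """True when current can flow through the coil.

    protected=True  : a contact on each side of the coil (scheme in the text).
    protected=False : assumed conventional circuit with a supply-side contact
                      only and the coil wired straight to the return.
    demand=True     : a real switch operation, which closes every contact.
    """
    supply_reaches_coil = demand or UP in faults or HOT in faults
    if protected:
        return_path = demand or DOWN in faults or RET in faults
    else:
        return_path = True
    return supply_reaches_coil and return_path


def minimal_cut_sets(protected, max_order=2):
    """Smallest fault combinations that energize the coil with no demand."""
    found = []
    for order in range(1, max_order + 1):
        for combo in combinations(FAULTS, order):
            candidate = frozenset(combo)
            if any(smaller <= candidate for smaller in found):
                continue  # already covered by a smaller cut set
            if coil_energized(protected, candidate):
                found.append(candidate)
    return found


def spurious_order(protected):
    """Number of simultaneous faults needed for spurious energization."""
    sets = minimal_cut_sets(protected)
    return min(len(s) for s in sets) if sets else None


def valve_exposure(open_protected, close_protected):
    """Faults needed to spuriously energize each coil of one valve."""
    return {"open": spurious_order(open_protected),
            "close": spurious_order(close_protected)}


if __name__ == "__main__":
    print("conventional coil:", [sorted(s) for s in minimal_cut_sets(False)])
    print("protected coil:   ", [sorted(s) for s in minimal_cut_sets(True)])
    # Closing coil protected only, as the text states for FCV 63-67 and others.
    print("closing-coil-only valve:", valve_exposure(False, True))
```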

7.6.7 Loose Part Monitoring System (LPMS)

System Description

UNIT 1

The Loose Part Monitoring System (LPMS) provides the capability to detect acoustic disturbances indicative of loose parts within the reactor coolant system pressure boundary.

The loose part monitoring function of this system has two redundant sensors located at each of the six natural collection regions: the top and bottom plenums of the reactor vessel and the primary coolant inlet plenum to each steam generator. Both sensors at each of the six locations are normally automatically monitored by the LPMS. The sensor channel pairs are physically separated from each other, starting at the sensor locations and extending out to junction boxes located outside the polar crane wall except for the reactor vessel top plenum sensor loops which extend out to the containment electrical penetrations. The two sensors at each collection region are redundant to each other such that only one channel is required to monitor that area. With the failure of one sensor, the remaining operable sensor would continue to provide LPMS coverage for that collection region.

The system cabinet for Unit 1 is located in the control building at elevation 708.0 in the Unit 1 auxiliary instrument room (AIR). This cabinet contains equipment which electronically monitors the Unit 1 nuclear steam supply system. The loose part monitoring function consists of twelve active channels for the unit. These channels include signal conditioning modules and digital signal processors which determine when alarm conditions are met for a loose part event. When an alarm condition is met, an alarm is provided in the main control room and the LPMS stores the data internally for later retrieval and analysis. All twelve channels of loose part monitoring are individually analyzed and recorded. An audio monitor provides the capability to listen to the output sounds of a selected channel. An internal CPU provides the ability to perform analytical and spectral analyses of channel performance. This system provides techniques for obtaining information concerning channel performance, trend data for comparing channel behavior, and loose part impact events. The quality of data is assessed and maintained in accordance with Reference [7]. Initial channel calibration is performed by use of a mechanical impact device to demonstrate proper channel calibration. The channel sensitivity is set to detect a loose part that impacts the reactor coolant boundary within 3 feet of the sensor having a kinetic energy of 0.5 ft-lb. Channel frequency spectra data is recorded during initial calibration for comparison to suspected loose part impact events. Channel calibration during normal refueling outages is performed by a mechanical impact device, except for sensors located in areas where plant personnel radiation exposure is considered by Plant Management to be excessive. The above described built-in capabilities of the system may be used, as an option to using a mechanical impact device, to verify proper channel calibration. Periodic online channel checks, audio checks and functional tests shall be made in accordance with References [6] and [7] to ensure that the required sensitivity is maintained during normal operation.

The anticipated major sources of internal and external noises are operation of the reactor coolant pumps, reactor coolant hydraulic excitation, and stepping of the control rod drive mechanisms. Normal background noises present during the various plant operating modes are accounted for in the signal processing circuitry.

The LPMS, although not a Class 1E system, has been designed and qualified to endure seismic events. The portion of the system inside the reactor building (sensors and cabling) will operate and remain functional through an Operating Basis Earthquake (OBE). The portion of the system outside the reactor building (cabling and instrument cabinet containing electronic indicating, alarming, recording, and analysis instrumentation) will remain structurally intact through a Safe Shutdown Earthquake (SSE) as seismic Category I(L) equipment. The audio alarm is qualified to operate and function after exposure to an OBE. The system is qualified for the normal and abnormal operating radiation, vibration, temperature, and humidity of its environment.

During preoperational testing, preliminary alert levels shall be documented to demonstrate the ability of the system to perform its functions. This is required in accordance with Reference [6].

The diagnostic procedures used to confirm a loose part are addressed in Reference [7].

Maintenance procedures to minimize radiation exposure are addressed in Reference [6].

The training program scope is addressed in Reference [6].

The limiting conditions for operation of the loose parts monitoring system are addressed in Reference [8].

UNIT 2

General System Description

The LPMS is designed to detect loose parts in the reactor coolant system. The system consists of sensors, preamplifiers, signal conditioners, signal processors, and a display. It contains 12 active instrument channels, each comprised of a piezoelectric accelerometer (sensor), signal conditioning and diagnostic equipment. Conformance with Regulatory Guide 1.133, Revision 1 is discussed in Table 7.1-1.


Two redundant sensors are fastened mechanically to the RCS at each of the following potential loose parts collection regions:

- Reactor pressure vessel: upper head region
- Reactor pressure vessel: lower head region
- Each steam generator: reactor coolant inlet region

The output signal from each accelerometer is passed through a preamplifier and an amplifier.

The amplified signal is processed through a discriminator to eliminate noises and signals that are not indicative of loose parts. The processed signal is compared to a preset alarm setpoint.

Alarm setpoints for each channel are determined through the analysis of baseline test data taken with the system prior to plant start-up. During baseline testing, the reactor vessel and steam generator are impacted three feet from each sensor with a force of 0.5 ft-lb. Loose parts detection is accomplished at a frequency of 1 kHz to 20 kHz, where background signals from the RCS are acceptable. Spurious alarming from control rod stepping is prevented by a module that detects CRDM motion commands and automatically inhibits alarms during control rod stepping (Reference [11]).

If measured impact signals exceed the preset alarm level, audible and visible alarms in the control room are activated. Digital signal processors record the times that the first and subsequent impact signals reach various sensors. This timing information provides a basis for locating the loose part. The LPMS has a provision for audio monitoring of any channel. The audio signal can be compared to a previously recorded audio signal, if desired.

The online sensitivity of the LPMS is such that the system will detect a loose part that weighs from 0.25 to 30 lb and impacts with a kinetic energy of 0.5 ft-lb on the inside surface of the RCS pressure boundary within 3 ft of a sensor (References [10] and [11]).

The LPMS audio and visual alarm capability will remain functional after an Operating Basis Earthquake (OBE) (Reference [9]). All of the LPMS components are qualified for structural integrity during a Safe Shutdown Earthquake (SSE) and will not mechanically impact any safety-related equipment (Reference [9]). In addition, the equipment inside containment is designed to remain functional through normal radiation exposures anticipated during a 40-year operating lifetime (Reference [10]).

Physical separation of the two instrument channels associated with the redundant sensors at each reactor coolant system location exists from each sensor to the in-containment signal conditioning devices, except for the upper head channels, which shall be physically separated starting at the sensor location and extending out to the patch panel. The in-containment signal conditioning devices are accessible during power operation, with the exception of the upper head signal conditioning modules, which are mounted in junction boxes on the upper head support in the reactor cavity. The LPMS components outside containment are located in a mild environment.

Capabilities exist for subsequent periodic online channel checks and channel functional tests and for offline channel calibrations at refueling outages.

Key Features, Components and Architecture

Key features of system components and architecture are discussed in the following sections.

Sensors (In Containment)

The sensors are piezoelectric accelerometers that convert acceleration to electric charge. The acoustic waves created by an impacting metallic object can be detected by the piezoelectric accelerometers. While the excitation of the impact produces a very wideband frequency response, the frequency range of interest for most loose parts is 1 kHz to 20 kHz. Piezoelectric accelerometers are high output impedance devices that convert acceleration to electric charge.

The flat frequency response range for the accelerometers used in the LPMS is from 10 Hz to 10 kHz, and they have a useful frequency upper limit of over 20 kHz. The resonant frequency of the accelerometers is greater than 30 kHz. The accelerometers are designed to operate at high temperature (nominally 625°F) and have high radiation capability (Reference [10]). The piezoelectric elements in the accelerometers are electrically isolated from the component to which they are attached in order to prevent unwanted noise due to ground loops. The accelerometers typically have an integral 4 foot mineral-insulated ("hardline") cable and a large triax connector. This hardline cable is also built to withstand high temperatures, while the connector allows for interfacing to lower temperature softline cables.

Softline Cable (In Containment)

Because the charge output of an accelerometer is a very low level signal, and normal cables can emit charge upon being vibrated, a special low-noise, radiation-resistant softline cable is used between the accelerometer and preamplifier.

Preamplifier (In Containment)

The remote preamplifier is mounted in a sealed metal enclosure inside containment. The charge signal from the accelerometer is converted to a voltage signal. The preamplifier operates in a "charge" amplifier mode such that the capacitance of the cable between the high-output-impedance accelerometer and the preamplifier has very little effect on the signal or its calibration. The charge preamplifier output voltage is then a normal, low-impedance millivolt instrument signal requiring only normal cabling and shielding considerations.

Signal Conditioner

The signal conditioner module provides power to the remote preamplifier, provides final amplification of the signal to a calibrated full scale range, and provides lowpass and highpass filtering.

Audio Subsystem

The audio patch panel, audio amplifier, and speakers make up the audio subsystem. Listening by a trained ear can be a very effective tool for evaluation and validation of signal characteristics. The system is designed such that any channel may be selected at any time for audio monitoring. The audio subsystem features are only available locally in the LPMS cabinet.

Digital Signal Processing (DSP) Processor

In the Digital Signal Processing (DSP) processor, the signals are converted from analog to digital at a high rate, and the impact detection algorithm is applied by a special microprocessor optimized for digital signal processing. The board contains a buffer memory that can store the complete impact signal time history for its monitored channels. Upon the detection of an impact, the data are normally transferred to the main Central Processing Unit (CPU) processor for further evaluation, waveform storage, and alarm generation. However, if for some reason the CPU processor fails, the DSP processor has the capability for generating alarms on its own.

Central Processing Unit (CPU) Processor

The CPU processor is a personal computer architecture device. It takes the data from the DSP processors, controls the mass storage devices, provides displays of monitoring system information, drives the printer, and generates alarms. The CPU uses a PCI bus for high speed communication with the other processor modules and drives the tape and disk peripherals by means of a parallel Small Computer System Interface (SCSI). Addition of the peripherals provides for mass data storage onto high speed digital tape and writeable CDs.

Display

The display is a qualified, high-resolution, color panel that is overlaid with a high resolution touch screen surface. The display shows the system and alarm statuses at a glance, presents the waveforms used in impact analysis, and shows the analysis conclusions. By means of the touch screen, which has all of the capabilities of a standard mouse, many system functions can be run without opening the keyboard drawer. The color display features are only available locally in the LPMS cabinet.

Alarm Panel

The alarm panel provides continuous indication of alarm or trouble status, allowing the color display to be turned off when not being viewed. The panel contains red LEDs for alarm indication, orange LEDs for trouble indication, yellow LEDs that flash each time an impact event is detected by their respective channels, and green LEDs for indication of proper DSP operation. The alarm panel features are only available locally in the LPMS cabinet.

Printer

A high-resolution laser printer is provided for printout of system status, waveform graphs, and other data for the generation of reports. The printer features are only available locally in the LPMS cabinet.

Testing

The testing program scope is addressed in Reference [6].

7.6.8 Interlocks for RCS Pressure Control During Low Temperature Operation

The basic function of the RCS overpressure mitigation system during low temperature operation is discussed in Section 5.2.2.4. As noted in Section 5.2.2.4, this pressure control system includes manually armed semi-automatic actuation logic for the two Pressurizer Power Operated Relief Valves (PORVs). The function of this actuation logic is to continuously monitor RCS temperature and pressure conditions; the actuation logic is manually unblocked when plant operation is at a temperature below the arming setpoint. The monitored system temperature signals are processed to generate the reference pressure limit program which is compared to the actual measured system pressure. This comparison will provide an actuation signal to cause the PORV to automatically open, if necessary, to prevent pressure conditions from exceeding allowable limits. See Figure 7.6-5 for the block diagram showing the interlocks for RCS pressure control during low temperature operation.

Two separated, independent sets of controls are provided for the interlocks, with the required process variables being derived from redundant protection sets as follows:

1. Protection Set I: Wide Range RCS Temperature (TE-68-1, TE-68-18, TE-68-24, TE-68-41)
2. Protection Set II:
   a. Wide Range RCS System Pressure (PT-68-68).
   b. Wide Range RCS Temperature (TE-68-43, TE-68-60, TE-68-65, TE-68-83)
3. Protection Set III: Wide Range RCS System Pressure (PT-68-66).

The wide range temperature signals, as inputs to the Protection Sets I and II, continuously monitor RCS temperature conditions. In Protection Set I, the existing RCS wide range temperature channels on RCS loops 1 and 2 provide inputs to the Eagle 21 digital process protection system. Eagle 21 provides isolated analog signals to the digital process control system. An auctioneer function selects the lowest temperature signal which is then used to calculate an acceptable reference pressure limit (PORV setpoint) considering the plant's allowable pressure and temperature limits. An isolated wide range RCS pressure signal is also provided from Eagle 21 Protection Set III. The calculated reference pressure is compared to the actual RCS pressure monitored by the wide range pressure channel. The auctioneered temperature signal will annunciate a main control room (MCR) alarm whenever the measured temperature approaches, within a predetermined amount, the reference temperature for arming the system. Similarly, whenever the measured pressure approaches within a predetermined amount of the programmed setpoint, another MCR alarm will be generated. When the measured RCS pressure is equal to or above the programmed setpoint (nominal values), a PORV open signal is initiated and an MCR alarm is actuated. A manually armed permissive allows this actuation signal to control the Train A PORV (PCV-68-340A). The manually armed permissive also serves to block a spurious PORV opening due to potential instrument failure whenever the RCS temperature is above the arming reference temperature.

The monitored generating station variables that generate the actuation signal for the Train B PORV (PCV-68-334) are processed in a similar manner. The RCS loops 3 and 4 wide range temperature signals and the RCS pressure signal are provided from Protection Set II.

Therefore, the generating station variables used for the Train B PORV are derived from a protection set that is independent of the sets from which generating station variables used for the Train A PORV are derived. The wide range temperature auctioneer function and the programmed pressure setpoint calculation for the Train B PORV are performed in a different group of the digital process control system than those for the Train A PORV. Each of these control groups has a fault tolerant, redundant processor pair and redundant power supplies with different power sources.

Upon receipt of the actuation signal, the actuation device will automatically cause the PORV to open when the manually armed permissive is present. Upon sufficient RCS inventory letdown, the operating RCS pressure will decrease, clearing the actuation signal. Removal of this signal causes the PORV to close.
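The per-train actuation logic described above (low-select auctioneer, programmed setpoint, comparator, manual arming permissive), modeled as an added example that is not plant or vendor code. Instrument and valve tags are the ones listed in this section; the pressure-temperature curve, arming temperature and alarm margins are constructed values, not plant setpoints.

```python
"""Model of the low-temperature PORV interlock of Section 7.6.8 (added example)."""
from bisect import bisect_right
from dataclasses import dataclass

# Instrument-to-train assignment as listed in the section.
TRAINS = {
    "A": {"porv": "PCV-68-340A", "pressure": "PT-68-66",
          "temps": ("TE-68-1", "TE-68-18", "TE-68-24", "TE-68-41")},
    "B": {"porv": "PCV-68-334", "pressure": "PT-68-68",
          "temps": ("TE-68-43", "TE-68-60", "TE-68-65", "TE-68-83")},
}

# ASSUMED values, constructed for illustration only (deg F, psig).
PT_CURVE = [(70.0, 450.0), (150.0, 500.0), (250.0, 600.0),
            (350.0, 750.0), (450.0, 2350.0)]
ARMING_TEMP_F = 350.0
TEMP_ALARM_MARGIN_F = 25.0
PRESS_ALARM_MARGIN_PSI = 50.0


def reference_pressure(temp_f):
    """Reference pressure limit: piecewise-linear in temperature, clamped at the ends."""
    temps = [t for t, _ in PT_CURVE]
    if temp_f <= temps[0]:
        return PT_CURVE[0][1]
    if temp_f >= temps[-1]:
        return PT_CURVE[-1][1]
    i = bisect_right(temps, temp_f)
    (t0, p0), (t1, p1) = PT_CURVE[i - 1], PT_CURVE[i]
    return p0 + (p1 - p0) * (temp_f - t0) / (t1 - t0)


@dataclass(frozen=True)
class TrainState:
    low_temp_f: float      # auctioneered (lowest) wide range temperature
    setpoint_psig: float   # programmed PORV setpoint
    open_signal: bool      # comparator output: pressure >= setpoint
    porv_open: bool        # open signal gated by the manual arming permissive
    alarms: tuple


def evaluate_train(train, readings, armed):
    """Evaluate one train from a dict of tag -> reading and its arming switch state."""
    cfg = TRAINS[train]
    low_temp = min(readings[tag] for tag in cfg["temps"])  # auctioneer: lowest wins
    pressure = readings[cfg["pressure"]]
    setpoint = reference_pressure(low_temp)
    open_signal = pressure >= setpoint
    alarms = []
    if low_temp <= ARMING_TEMP_F + TEMP_ALARM_MARGIN_F:
        alarms.append("TEMP_NEAR_ARMING")
    if pressure >= setpoint - PRESS_ALARM_MARGIN_PSI:
        alarms.append("PRESS_NEAR_SETPOINT")
    if open_signal:
        alarms.append("PORV_OPEN_SIGNAL")
    return TrainState(low_temp, setpoint, open_signal,
                      open_signal and armed, tuple(alarms))


def sample_readings(temp_f, pressure_psig, overrides=None):
    """Constructed snapshot: every channel reads the same value unless overridden."""
    readings = {}
    for cfg in TRAINS.values():
        readings[cfg["pressure"]] = pressure_psig
        for tag in cfg["temps"]:
            readings[tag] = temp_f
    readings.update(overrides or {})
    return readings


def run_scenarios():
    """Three constructed cases: normal cold, cold pressure transient, hot sensor failure."""
    cold = sample_readings(150.0, 400.0)
    transient = sample_readings(150.0, 520.0)
    # At power, unarmed, one Train A temperature channel fails low.
    failed = sample_readings(550.0, 2235.0, {"TE-68-1": 70.0})
    return {
        "cold_normal": evaluate_train("A", cold, armed=True),
        "cold_transient": evaluate_train("A", transient, armed=True),
        "hot_failed_A": evaluate_train("A", failed, armed=False),
        "hot_failed_B": evaluate_train("B", failed, armed=False),
    }


if __name__ == "__main__":
    for name, state in run_scenarios().items():
        print(name, state)
```

In the failed-sensor case the auctioneer drives the Train A setpoint to the bottom of the curve and the comparator issues an open signal, but the unarmed permissive keeps the PORV closed; Train B, fed from a different protection set, is unaffected.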

7.6.8.1 Analysis of Interlock

Many criteria presented in IEEE 279-1971 and IEEE 338-1971 do not apply to the interlocks for RCS pressure control during low temperature operation, because the interlocks do not perform a protective function but rather provide automatic pressure control at low temperatures as a backup to the operator. However, although IEEE 279-1971 criteria do not apply, some advantages of the dependability and benefits of an IEEE 279-1971 design have occurred by including the pressure and temperature signal elements as noted above in the protection sets and by organizing the control of the two PORVs into dual channels. Either of the two PORVs can accomplish the RCS pressure control function.

The design of the low temperature interlocks for RCS pressure control is such that pertinent features include:

1. No credible failure at the output of the protection set racks, after the output leaves the racks to interface with the interlocks, will prevent the associated protection system channel from performing its protective function because such outputs that leave the racks go through an isolation device.
2. Testing capability for elements of the interlocks within (not external to) the protection sets that generate the temperature and pressure process signals for the overpressure mitigation system is consistent with the testing principles and methods discussed in Section 7.2.1.1.3.
3. A loss of offsite power will not defeat the provisions for an electrical power source for the interlocks because these provisions are through onsite power which is described in Section 8.3.

7.6.9 Switchover From Injection to Recirculation Mode Following a LOCA

(Refer to Section 6.3.3 for a detailed discussion of the ECCS Injection Mode and switchover to the Recirculation Mode). During the Injection Mode, the ECCS pumps take suction from the Refueling Water Storage Tank (RWST). The RHR pumps are automatically realigned to take suction from the containment sump upon receipt of the switchover signal generated by the following coincident conditions:

- Low RWST level signal (2-out-of-4 logic)
- High Containment level signal (2-out-of-4 logic), and
- Safety Injection (S) signal

UNIT 1

Thus, when these conditions exist, the containment sump isolation valves [1-FCV-63-72 (8811A) and 1-FCV-63-73 (8811B)] open and the RHR RWST isolation valves [1-FCV-74-3 (8700A) and 1-FCV-74-21 (8700B)] close. Refer to Figures 7.6-6, Sheet 1, 2, and 3 for the associated logic drawings. The containment sump isolation valve control circuit is designed to maintain the S signal, once received, by a latching feature. This feature ensures these valves remain open after the S signal is reset at the system level. Separate hand switches (1-HS 72D and 1-HS-63-73D) are provided in the MCR to allow the operator to unlatch the S signal.

The automatic switchover of the RHR pumps from the injection to the recirculation mode is part of the engineered safety features actuation system (ESFAS) discussed in Chapter 7.3.

UNIT 2

Thus, when these conditions exist, the Containment Sump Isolation Valves [2-FCV-63-72 (8811A) and 2-FCV-63-73 (8811B)] open and the RHR RWST Isolation valves [2-FCV-74-3 (8700A) and 2-FCV-74-21 (8700B)] close. Refer to Figures 7.6-6 Sheet 1, 2, and 3 for the associated logic drawings. The Containment Sump Isolation Valve control circuit is designed to maintain the S signal, once received, by a latching feature. This feature ensures these valves remain open after the S signal is reset at the system level. Separate hand switches (2-HS 72D and 2-HS-63-73D) are provided in the main control room (MCR) to allow the operator to unlatch the S signal. The automatic switchover of the RHR pumps from the Injection to the Recirculation Mode is part of the Engineered Safety Features Actuation System (ESFAS) discussed in Chapter 7.3.

The RWST level and containment level are each measured by four independent, safety-related channels. Each channel is assigned a separate protection set division. The RWST low level and containment high level logic signals are interfaced to the containment sump isolation valves through the appropriate Train A and B slave relay contact outputs of the solid state protection system (SSPS). All channels provide indication in the MCR with two indicators (for each measurement) designated as post accident monitoring. (Refer to Section 7.5).
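The switchover coincidence and S-signal latch described in this section, modeled for one train as an added example that is not plant or vendor code. Valve tags are the Unit 1 tags given above; the timeline is constructed, and the rule that the hand switch clears the latch only while the S signal is absent is an assumption of this sketch.

```python
"""2-out-of-4 coincidence with latched S signal, per Section 7.6.9 (added example)."""


def two_out_of_four(channels):
    """True when at least two of the four channel bistables are tripped."""
    if len(channels) != 4:
        raise ValueError("expected exactly four channels")
    return sum(bool(c) for c in channels) >= 2


class SwitchoverTrain:
    """Automatic switchover logic for one train's sump and RWST isolation valves."""

    def __init__(self, sump_valve, rwst_valve):
        self.sump_valve = sump_valve
        self.rwst_valve = rwst_valve
        self.s_latched = False

    def update(self, rwst_low, cntmt_high, s_signal, unlatch=False):
        """Return the automatic valve demands for this scan ({} means none)."""
        if s_signal:
            self.s_latched = True       # latch seals in once S is received
        elif unlatch:
            self.s_latched = False      # ASSUMPTION: hand switch clears only with S absent
        active = (self.s_latched
                  and two_out_of_four(rwst_low)
                  and two_out_of_four(cntmt_high))
        if not active:
            return {}
        return {self.sump_valve: "OPEN", self.rwst_valve: "CLOSE"}


# Constructed timeline: (label, RWST low channels, containment high channels, S, unlatch)
F, T = False, True
LOCA_TIMELINE = [
    ("S actuates",                 (F, F, F, F), (F, F, F, F), T, F),
    ("containment level rises",    (F, F, F, F), (T, T, T, F), T, F),
    ("S reset, one RWST channel",  (T, F, F, F), (T, T, T, F), F, F),
    ("second RWST channel trips",  (T, T, F, F), (T, T, T, F), F, F),
    ("operator unlatches S",       (T, T, F, F), (T, T, T, F), F, T),
]


def run_timeline(train, timeline):
    """Feed each scan to the train logic and collect (label, demands) pairs."""
    return [(label, train.update(rwst, cntmt, s, unlatch))
            for label, rwst, cntmt, s, unlatch in timeline]


def train_a():
    return SwitchoverTrain("1-FCV-63-72", "1-FCV-74-3")


if __name__ == "__main__":
    for label, demands in run_timeline(train_a(), LOCA_TIMELINE):
        print(f"{label:28s} -> {demands or 'no automatic demand'}")
```

A single tripped RWST channel after the system-level S reset produces no demand; the second channel completes the coincidence and the latch supplies the S condition even though the S signal itself is gone.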

REFERENCES

1. Deleted
2. The Institute of Electrical and Electronics Engineers, Inc., "IEEE Standard: Criteria for Protection Systems for Nuclear Power Generating Stations," IEEE Standard 279-1971.
3. The Institute of Electrical and Electronics Engineers, Inc., "IEEE Trial-Use Criteria for the Periodic Testing of Nuclear Power Generating Station Protection Systems," IEEE Standard 338, 1971.
4. Calculation WBN-RAG3-003, Probabilistic Analysis showing the effects of deleting the Residual Heat Removal (RHR) Auto Closure Interlock (ACI).
5. Westinghouse Nuclear Safety Evaluation Check List (SECL), SECL 91-287, Revision 1, Wiring Modifications to Implement Residual Heat Removal System Automatic Closure Interlock Deletion and Add Control Room Alarm.
6. Watts Bar Nuclear Plant Design Criteria Number WB-DC-30-31, "Loose Parts Monitoring System."
7. Plant Technical Instruction (TI) - 34 Series (Implementing Instructions for the Loose Parts Monitoring System) includes TI-34.01, TI-34.02, TI-34.03, TI-34.04, and TI-34.05.
8. Technical Requirements Manual Section TR 3.3.6, "Loose-Part Detection System."
9. EQ-QR-33-WBT, Revision 0, Seismic Evaluation of the Digital Metal Impact Monitoring System (DMIMS-DX).
10. 1TS3182, Revision 0, Watts Bar Unit 2 DMIMS-DX System Validation Data Package, dated July 2010.
11. DMIMS-DX Operations and Maintenance Manual, TS3176, Revision 0, dated August 2010.

FIGURE 7.6-1 DELETED

FIGURE 7.6-2 DELETED

FIGURE 7.6-3 Powerhouse, Unit 1, Electrical Logic Diagram, Safety Injection System (TVA DWG NO. 1-47W611-63-7 R2). [Drawing not reproduced. Drawing note: to prevent a valve from changing to a non-safety position due to a spurious signal, two control signals must appear coincidently from the same source before the valve will change positions.]

FIGURE 7.6-3(U2) Powerhouse, Unit 2, Electrical Logic Diagram, Safety Injection System (TVA DWG NO. 2-47W611-63-7 R3). [Drawing not reproduced.]

FIGURE 7.6-4 Auxiliary Building, Unit 1, Wiring Diagrams, Safety Injection System Schematic Diagram (TVA DWG NO. 1-45W760-63-2 R12). [Drawing not reproduced.]

FIGURE 7.6-5(U2) Reactor Building, Unit 2, Electrical Logic Diagram, Reactor Coolant System (TVA DWG NO. 2-47W611-68-3 R9). [Drawing not reproduced.]

FIGURE 7.6-6 SH 1 Reactor Building, Unit 1, Electrical Logic Diagram, Safety Injection System (TVA DWG NO. 1-47W611-63-2 R5). [Drawing not reproduced.]

[Figure 7.6-6 SH 2: Watts Bar Final Safety Analysis Report, Powerhouse Unit 1, Electrical Logic Diagram, Safety Injection System. TVA DWG NO. 1-47W611-63-5 R5. Legible drawing note: To prevent valve from changing to a non-safety position due to a spurious signal, two control signals must appear coincidently from the same source before the valve will change position (see FCV-63-8, 72, 73, 93, 94).]

[Figure 7.6-6 SH 2(U2): Watts Bar Final Safety Analysis Report, Powerhouse Unit 2, Electrical Logic Diagram, Safety Injection System. TVA DWG NO. 2-47W611-63-5 R8. Legible drawing note: To prevent valve from changing to a non-safety position due to a spurious signal, two control signals must appear coincidently from the same source before the valve will change position (see FCV-63-6, 72, 73, 93, 94).]

[Figure 7.6-6 SH 3: Watts Bar Final Safety Analysis Report, Powerhouse Unit 1, Electrical Logic Diagram, Residual Heat Removal System. TVA DWG NO. 1-47W611-74-1 R8. Legible drawing notes: numbers in parenthesis are Westinghouse instrument numbers; valve is administratively locked in the closed position (with breaker open) (Appendix R); see appropriate instrument tabs for set point; digital and analog logic symbols are used on logic diagrams to functionally describe the process control, refer to the associated wiring schematic for the electrical components used to implement the control scheme; HS-74-2B is disconnected per ECN 6125; HS-74-21B is disconnected and removed to prevent spurious actuation of 1-FCV-74-21-0 due to an Appendix R fire.]

[Figure 7.6-6 SH 3(U2): Watts Bar Final Safety Analysis Report, Powerhouse Unit 2, Electrical Logic Diagram, Residual Heat Removal System. TVA DWG NO. 2-47W611-74-1 R10. Legible drawing notes: numbers in parenthesis are Westinghouse instrument numbers; valve is administratively locked in the closed position (with breaker open) (Appendix R); see appropriate instrument tabs for setpoint; digital and analog logic symbols are used on logic diagrams to functionally describe the process control, refer to the associated wiring schematic for the electrical components used to implement the control scheme.]

7.7 CONTROL SYSTEMS

The general design objectives of the Plant Control Systems are:

1. To establish and maintain power equilibrium between primary and secondary system during steady state unit operation;
2. To constrain operational transients so as to preclude unit trip and re-establish steady state unit operation;
3. To provide the reactor operator with monitoring instrumentation that indicates all required input and output control parameters of the systems and provides the operator the capability of assuming manual control of the system;
4. To reduce the likelihood of failure to shut down the reactor following anticipated transients and to mitigate the consequences of an Anticipated Transient Without Scram (ATWS) event.

7.7.1 Description

7.7.1.1 Control Rod Drive Reactor Control System

The control rod drive reactor control system consists of an automatic system designed to maintain a programmed average temperature in the reactor coolant system (RCS) by regulating the core reactivity. During steady-state operation the reactor control system maintains reactor coolant average temperature within ±3.5 ºF of the reference temperature [10].

This control system is designed to automatically control the reactor in the power range between 15 and 100% of rated power for the following design transients:

- ±10% step change in load

- 5% per minute ramp loading and unloading

- 50% step load decrease (with the use of automatically initiated and controlled steam dump)

The reactor control signal consists of an error signal used to direct rod speed and position to automatically control reactor power. The two channels used to generate the total error signal are the deviation of the actual auctioneered (highest) primary coolant temperature (Tavg) from the programmed average temperature (Tref) and the mismatch between turbine load and nuclear power (see Figure 7.7-1).

7.7.1.1.1 Reactor Control Input Signals

Average Temperature Channel - One average temperature measurement per reactor coolant loop is provided. This measurement is obtained by averaging the hot leg temperature (Th) measured at the inlet of the steam generator and the cold leg temperature (Tc) measured at the discharge side of the reactor coolant pump of the associated loop. An auctioneered high Tavg signal is generated from the four loop average temperatures. (See Section 7.2.1.1.4 for detailed discussion of Tavg calculation and equations used to derive Tavg). This auctioneered Tavg signal is conditioned by a lead/lag filter which increases the effect of the signal and by a second lag to filter out signal noise. The resultant signal:

$$\frac{(1 + t_3 s)}{(1 + t_4 s)(1 + t_5 s)}\,T_{avg}$$

where t = time constant (typical)

is then compared with a reference temperature (Tref) signal. (The reference temperature is a function of turbine load, as described previously). Because the turbine impulse pressure is approximately linear with respect to the turbine load, this pressure signal is used to generate the reference average coolant temperature (Tref). The Tref signal is represented by the median of three turbine impulse pressure signals as determined by a median signal selector in the DCS. The reference temperature signal is passed through a lag before it is compared with the compensated Tavg signal. The resultant error signal is then:

$$\frac{1}{(1 + t_2 s)}\,T_{ref} - \frac{(1 + t_3 s)}{(1 + t_4 s)(1 + t_5 s)}\,T_{avg}$$

Power Mismatch Channel - This channel provides fast response to a change in load (by means of the turbine load feed-forward signal) as well as control stability (by means of the nuclear power feedback signal) in cases where the moderator coefficient is zero or is only slightly negative. Turbine load (Qtu) and nuclear power (Qn) provide input to this channel. Turbine load is represented by the median turbine impulse pressure as described above. Nuclear power is represented by the auctioneered highest of the four power range nuclear power signals.

This deviation between Qtu and Qn is processed through a rate/lag (impulse) module, thus creating the error signal:

$$\frac{t_1 s}{(1 + t_1 s)}\,(Q_{tu} - Q_n)$$

Because the Tavg channel provides fine control during steady-state operation, the power mismatch channel must not produce a steady-state error signal. This is accomplished by the derivative action in the numerator of the transfer function, which causes the output of this unit to go to zero during steady-state operation although the nuclear power and turbine load may not match exactly. A nonlinear gain (K1) at the output of the impulse module varies the effect of this channel, with larger load changes having a correspondingly larger effect. Also, since reactivity changes at lower power levels have a smaller effect on the rate of change of the nuclear power level than reactivity changes at high power levels, a variable-gain module (K2) is provided at the output of the power mismatch channel.

The variable gain module imposes a high gain on the power mismatch error signal at lower power levels and a low gain at high power levels. This variable gain enables the mismatch channel to provide adequate control at low power levels as well as stable operation at high power levels.

7.7.1.1.2 Rod Speed Control Program

Rod Speed Program - The total error signal (TE) sent to the rod speed program is the sum of the outputs of the two control channels described above. The rod speed program is a function of the total error signal (TE).

The dead band and lockup are provided to eliminate continuous rod stepping and bistable chattering. The maximum rod speed and the proportional and minimum rod speed bands are identical for rod withdrawal and rod insertion. The rod speed program produces an analog signal which is translated into actual movement by means of the rod stepping mechanism. The total error signal driving the rod speed program is represented in the following equation:

$$T_E = \frac{1}{(1 + t_2 s)}\,T_{ref} - \frac{(1 + t_3 s)}{(1 + t_4 s)(1 + t_5 s)}\,T_{avg} + \left[\frac{t_1 s}{(1 + t_1 s)}\,(Q_{tu} - Q_n)\,K_1 K_2\right]$$

7.7.1.2 Rod Control System

7.7.1.2.1 Rod Control System Function

The rod control system is composed of equipment required to raise or lower the control rod and shutdown rod banks. Control rod banks can be automatically controlled from input signals generated by the reactor control system or by manual means from the unit control room. Shutdown control rods are controlled by manual means from the unit control room [1].

The control scheme used to position the control rods is dependent on reactor power level. Manual control of control rod position is used when the reactor thermal power is between 0% and 15% nominal. Above 15% nominal reactor thermal power, automatic control may be used to position the control rods to maintain the average reactor coolant temperature Tavg within ±3.5ºF of the Tref.
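The automatic control path of Sections 7.7.1.1.1 and 7.7.1.1.2, as an added Python sketch that is not part of the FSAR or of any plant software: it integrates the two error channels and feeds their sum to a rod speed program with dead band and lockup. The time constants, the gains K1 and K2, the band edges and the input steps are assumed values chosen for illustration; only the 8 and 72 steps per minute limits come from the text.

```python
"""Added illustration (not plant code): the total error signal TE and the rod
speed program, integrated with forward Euler. Every time constant, gain and
band edge below is an assumed value; only 8 and 72 spm come from the page."""

DT = 0.05                                         # s, integration step (assumed)
T1, T2, T3, T4, T5 = 40.0, 30.0, 40.0, 10.0, 5.0  # s, assumed time constants
DEADBAND, LOCKUP = 1.0, 1.5                       # degF, assumed
MIN_BAND_END, MAX_BAND_START = 3.0, 5.0           # degF, assumed
MIN_SPM, MAX_SPM = 8.0, 72.0                      # steps/min, from the page


class Lag:
    """First-order lag 1/(1 + t*s)."""

    def __init__(self, tau, initial):
        self.tau, self.y = tau, initial

    def step(self, u):
        self.y += DT * (u - self.y) / self.tau
        return self.y


def k1(impulse):
    """Nonlinear gain: a larger mismatch gets the larger gain (assumed, degF per %)."""
    return 0.4 if abs(impulse) >= 2.0 else 0.2


def k2(q_tu):
    """Variable gain: high at low power, low at high power (assumed)."""
    return 2.0 if q_tu < 50.0 else 1.0


class TotalError:
    """TE = Tref/(1+t2 s) - Tavg(1+t3 s)/((1+t4 s)(1+t5 s)) + [(Qtu-Qn) t1 s/(1+t1 s)] K1 K2."""

    def __init__(self, t_ref, t_avg, q_tu, q_n):
        self.ref_lag = Lag(T2, t_ref)
        self.lead_lag_state = Lag(T4, t_avg)
        self.noise_lag = Lag(T5, t_avg)
        self.washout_state = Lag(T1, q_tu - q_n)

    def step(self, t_ref, t_avg, q_tu, q_n):
        ref = self.ref_lag.step(t_ref)
        x = self.lead_lag_state.y
        lead_lag = x + (T3 / T4) * (t_avg - x)      # (1+t3 s)/(1+t4 s)
        self.lead_lag_state.step(t_avg)
        comp = self.noise_lag.step(lead_lag)        # second lag, 1/(1+t5 s)
        mismatch = q_tu - q_n
        impulse = mismatch - self.washout_state.step(mismatch)  # t1 s/(1+t1 s)
        return ref - comp + impulse * k1(impulse) * k2(q_tu)


class RodSpeedProgram:
    """Dead band with lockup, minimum-speed band, proportional band, maximum speed."""

    def __init__(self):
        self.moving = False

    def speed(self, te):
        """Signed steps/min; positive TE (Tavg below Tref) calls for withdrawal."""
        mag = abs(te)
        # Lockup: start stepping above LOCKUP, keep stepping until back inside DEADBAND.
        self.moving = mag > (DEADBAND if self.moving else LOCKUP)
        if not self.moving:
            return 0.0
        if mag <= MIN_BAND_END:
            spm = MIN_SPM
        elif mag >= MAX_BAND_START:
            spm = MAX_SPM
        else:
            frac = (mag - MIN_BAND_END) / (MAX_BAND_START - MIN_BAND_END)
            spm = MIN_SPM + frac * (MAX_SPM - MIN_SPM)
        return spm if te > 0 else -spm


def simulate(t_avg_step=0.0, q_tu_step=0.0, seconds=400.0):
    """Open-loop response from steady state (Tref = Tavg = 570 degF, 100 % power,
    constructed inputs) to a persistent step; returns the TE history."""
    te_calc = TotalError(570.0, 570.0, 100.0, 100.0)
    history = []
    for _ in range(round(seconds / DT)):
        history.append(te_calc.step(570.0, 570.0 + t_avg_step, 100.0 + q_tu_step, 100.0))
    return history


if __name__ == "__main__":
    load_drop = simulate(q_tu_step=-10.0)
    print("mismatch channel: first %.3f, final %.5f" % (load_drop[0], load_drop[-1]))
    hot = simulate(t_avg_step=2.0)
    print("Tavg channel: peak %.3f, final %.4f" % (min(hot), hot[-1]))
```

With these assumed constants, a persistent 10% load mismatch gives an initial TE of about -4 ºF that washes out to zero, while a persistent 2 ºF Tavg offset is amplified by the lead term before settling at -2 ºF.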

The purpose of the rod control system is to provide the means for energizing the mechanism, thus controlling the rod cluster position. This system consists of two types of rod groups: 1) shutdown and 2) control. Shutdown rods along with soluble boron provide sufficient negative reactivity to ensure the reactor remains subcritical. The shutdown banks are fully withdrawn during normal operation. Control rods are used to control the reactor core reactivity. Shutdown and control rods are raised or lowered by a prescribed set of electromechanical actions by the CRD mechanisms.

The functional control requirements of the rod control systems are as follows:

- All control drive mechanisms within a group step simultaneously.

- Two groups within the same bank step such that the relative position of the groups does not differ by more than one step.

- The control banks are controlled such that withdrawal is sequenced in the order bank A, B, C, and D. The insertion sequence is the opposite of the withdrawal.

- The control bank withdrawal is controlled such that when Bank A reaches a preset position, Bank B will begin to withdraw simultaneously with Bank A. When Bank B reaches a preset position, Bank C will begin to withdraw, etc. The reverse sequence will apply during bank insertion.

- Abnormal reactor conditions shall inhibit rod withdrawal in the automatic or manual control mode. These conditions include 1) power range nuclear overpower, 2) intermediate range overpower, 3) overpower ΔT, and 4) overtemperature ΔT.

- Automatic control mode shall be inhibited when turbine power is less than 15% nominal.

- Automatic withdrawal shall be stopped when Bank D rod withdrawal exceeds a preset limit.

The bank overlap feature performs two functions: 1) it automatically selects the proper control bank for movement, and 2) it overlaps the control banks which are to be moved according to a preset pattern. Bank overlap is required to keep the incremental changes in reactivity relatively constant while the control banks are being moved. Shutdown bank overlap operation is not required.

The bank overlap feature works as follows. Control Bank A is withdrawn until it reaches a preset position near the center of the core. At this point, Control Bank B starts moving out in synchronism with Control Bank A. Control Bank A stops when it reaches the top of the core and Control Bank B continues until it reaches a preset position near the center of the core. At this point, Control Bank C moves out in synchronism with Control Bank B. Control Bank B motion stops at the top of the core and Control Bank C sequencing continues until it nears the center position where Control Bank D engagement occurs. Control Banks C and D are withdrawn together until Control Bank C reaches the top of the core. Control Bank D withdrawal then continues as required for control. In the overlap region, group 1 rods of each of the two overlapped banks are stepping simultaneously; similarly, the group 2 rods of the two overlapped banks are stepped simultaneously.
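The overlap sequence and the functional requirements listed above, as an added Python sketch (not the plant's logic cabinet implementation): a single counter determines all four control bank positions, and the withdrawal inhibits are checked before each step. The 228-step full-out position, the 128-step overlap preset, the Bank D limit and the block-signal names are assumptions; the 15% turbine power threshold is from the text.

```python
"""Added illustration (not plant code): control bank overlap sequencing and the
withdrawal interlocks listed above. Step counts and limits are assumed values."""

BANKS = ("A", "B", "C", "D")
FULL_OUT = 228                # steps at the top of the core (assumed)
OVERLAP_START = 128           # preset position that starts the next bank (assumed)
BANK_D_AUTO_LIMIT = 220       # preset Bank D limit for automatic withdrawal (assumed)
AUTO_MIN_TURBINE_PCT = 15.0   # from the page
MAX_COUNT = OVERLAP_START * (len(BANKS) - 1) + FULL_OUT
# Conditions the page lists as inhibiting withdrawal (signal names are illustrative).
WITHDRAWAL_BLOCKS = frozenset({
    "power_range_overpower", "intermediate_range_overpower",
    "overpower_dT", "overtemperature_dT",
})


def bank_positions(count):
    """Map the overlap counter to each control bank's position in steps."""
    if not 0 <= count <= MAX_COUNT:
        raise ValueError("counter outside 0..%d" % MAX_COUNT)
    return {bank: max(0, min(FULL_OUT, count - i * OVERLAP_START))
            for i, bank in enumerate(BANKS)}


def moving_banks(count, direction):
    """Banks that change position on one step from `count` in `direction` (+1 or -1)."""
    before, after = bank_positions(count), bank_positions(count + direction)
    return {bank for bank in BANKS if before[bank] != after[bank]}


class BankSequencer:
    def __init__(self):
        self.count = 0

    def demand(self, direction, mode, turbine_pct, active_blocks=frozenset()):
        """Apply one step demand; return the banks that moved (empty set if inhibited)."""
        if direction not in (1, -1) or mode not in ("auto", "manual"):
            raise ValueError("bad demand")
        unknown = set(active_blocks) - WITHDRAWAL_BLOCKS
        if unknown:
            raise ValueError("unknown block signal: %s" % sorted(unknown))
        if mode == "auto" and turbine_pct < AUTO_MIN_TURBINE_PCT:
            return set()                  # automatic mode inhibited below 15 %
        if direction == 1:
            if active_blocks:
                return set()              # abnormal condition: no withdrawal in any mode
            if mode == "auto" and bank_positions(self.count)["D"] > BANK_D_AUTO_LIMIT:
                return set()              # Bank D beyond its preset limit
        if not 0 <= self.count + direction <= MAX_COUNT:
            return set()                  # already fully inserted or fully withdrawn
        moved = moving_banks(self.count, direction)
        self.count += direction
        return moved


if __name__ == "__main__":
    for count in (0, 128, 228, 256, 400, MAX_COUNT):
        print(count, bank_positions(count))
```

Because insertion simply runs the same counter downward, the reverse sequence on insertion follows from the mapping rather than needing separate logic.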

In the manual mode, control bank stepping speed and shutdown bank stepping speed are preset. In the automatic mode (control banks, only), the rod stepping speed is variable between the limits of 8 to 72 steps per minute. The rod speed program of the reactor control system adjusts rod stepping speed to maintain a programmed average temperature in the reactor coolant system. The time required to complete a single sequencing of the rod mechanism coils is fixed at 780 milliseconds. This is the maximum reliable sequencing speed of the electro-mechanical components of the mechanisms. The time interval between mechanism coil sequencing operations is varied to obtain the desired rod speed.

Two motor-generator (MG) sets are used to supply 260V 3-phase AC power to the rod drive mechanisms. Each MG set is capable of delivering the total power requirements to the rod control system. Both MG sets are normally in operation. The motor is an induction type rated at 460 volt AC, 60 hertz. The motor is sized at 150 hp to drive the generator at a speed of 1750 rpm when the set is delivering rated power of 112 KVA.

7.7.1.2.2 Rod Control System Failures

Credible rod control equipment malfunctions which could potentially cause inadvertent positive reactivity insertions due to inadvertent rod withdrawal, incorrect overlap or malpositioning of the rods are the following [5],[14]:

1. Failures in the Manual Rod Controls

The Rod Motion Control Switch is a three position lever switch. The three positions are "In," "Hold," and "Out". These positions are effective when the bank selector switch is in manual control mode. Failure of the rod motion control switch (contacts failing short or activated relay failures) would have the potential, in the worst case, to produce positive reactivity insertion by rod withdrawal when the bank selector switch is in the manual position or in a position which selects one of the banks.

When the bank selector switch is in the automatic position, the rods would obey the automatic commands and failures in the rod motion control switch would have no effect on the rod motion regardless of whether the rod motion control switch is in "In," "Hold," or "Out".

In the case where the Bank Selector switch is selecting a bank and a failure occurs in the Rod Motion switch that would command the bank "Out" even when the Rod Motion Control switch was in an "In" or "Hold" position, the selected bank could inadvertently withdraw. This failure is bounded in the safety analysis (Chapter 15) by the uncontrolled bank withdrawal from subcritical and at power transients.

A failure that can cause more than one group of five mechanisms to be moved at one time within a power cabinet is not a credible event because the circuit arrangement for the movable and lift coils would cause the current available to the mechanisms to divide equally between coils in the two groups (in a power supply). The drive mechanism is designed such that it will not operate on half current. A second feature in this scenario would be the multiplexing failure detection circuit included in each power cabinet. This circuit would stop rod withdrawal (or insertion).

The second case considered in the potential for inadvertent reactivity insertion due to possible failures is when the selector switch is in the manual position. With a failure in the rod motion control switch, such a case could produce a scenario where the rods could inadvertently withdraw in a programmed sequence. The overlap and bank sequence are programmed when the selection is in either automatic or manual. This scenario is also bounded by the reactivity values assumed in the SAR accident analysis.

In this case, the operator can trip the reactor, or the protection system would trip the reactor via Power Range Neutron Flux-High, overtemperature ΔT, or overpower ΔT.

A failure of the bank selector switch produces no consequences when the rod motion control switch is in the 'Hold' position. This is due to the following design feature. The bank selector switch is series wired with the in-hold-out lever switch for manual and individual control rod bank operation. With the 'in-hold-out' lever switch in the 'hold' position, the bank selector switch can be positioned without rod movement. Results of switch failures in other control positions are discussed above in conjunction with the rod motion control switch.

2. Failures in the Overlap and Bank Sequence Program Control

The rod control system design prevents the movement of the groups out of sequence as well as limiting the rate of reactivity insertion. A feature that performs the function of preventing malpositioning produced by groups out of sequence is included in the block supervisory memory buffer and control. This circuitry accepts and stores the externally generated rod selection and motion direction command signals. When the memory buffer has accepted a command and the corresponding rod is in motion, a subsequent change in a command will not be immediately accepted. On recognition that a command change has occurred, an inhibit signal is sent to the Pulser so that no other rod motion initiation signals are generated. However, the rod in motion is allowed to complete its stepping sequence. After rod motion has ceased, the memory buffer accepts the new command and releases the Pulser so that rod motion can resume. Any detected failure that affects the ability of the rod control system to properly move the rods is considered urgent. An urgent alarm will be followed by the following actions:

- Automatic rod motion and overlapped rod motion are stopped.

- Automatic de-energizing of the lift coil and reduced current energizing of the stationary gripper coils and movable gripper coils.

- Activation of a lamp (urgent failure) located on the logic and power cabinet front panel.

- Activation of control rod urgent failure annunciation window in the main control room.

The urgent alarm is produced by the following general conditions:

- Regulation failure detector

- Phase failure detector

- Logic error detector

- Multiplexing error detector

- Circuit board interlock failure detector

- Oscillator and slave cycler failure detector.

a. Logic Cabinet

The function of the logic cabinet is to generate the necessary signals to step the control rods during startup, continuous operation, and shutdown of the reactor.

The logic cabinet receives signals from the main control board and from the reactor control system. In response to these signals, it selects the drive mechanisms to be stepped and supplies the drive mechanism current profile orders to the power cabinet assigned to drive the mechanism.

A failure analysis [5] was performed based on operation of the logic cabinet in the bank overlap mode with all shutdown banks and control banks, except Control Bank D, in their fully withdrawn position. The analysis indicated that postulated failure modes could result in unidirectional outward movement of Control Bank D rods when operating in the bank overlap control mode. However, when operating in this mode, the speed of the outward movement of Control Bank D would be limited by the rod speed unit of the reactor control system. In the unlikely event of such a failure, the reactor would trip (e.g., ΔT overtemperature trip) and mitigate the consequences of the postulated component failure. In summary, no signal failures were discovered that would cause a rapid, uncontrolled withdrawal of Control Bank D. The results of the analysis indicated that all failure modes postulated are detectable through alarm monitoring internal to the logic cabinet or are terminated by a diverse means (i.e., reactor trip).

An additional failure assessment was performed to determine whether other signal point failures can occur in the rod control system logic cabinet that corrupt the control rod drive mechanism (CRDM) coil current orders [14]. This assessment was necessary due to an industry event where corrupt coil current orders were sent to the CRDM, which caused a single rod to withdraw after IN motion was demanded. As a result of this event, timing changes to the logic cabinet slave cycle decoder cards were implemented to eliminate the possibility of a single rod withdrawal due to a single failure in the rod control system when insertion or withdrawal is commanded [15]. These timing changes ensure that in the event of the single failure, all rods in the affected bank(s) will insert when motion (in or out) is demanded. Based on the decoder cards timing change, this failure assessment concluded that all single rod control system failures identified result in rod movement in the direction demanded and are hence limited to a finite number of steps. Also, these single failures may result in some asymmetric rod movement following a rod motion demand signal; however, the movement is in the direction demanded. These events have been evaluated and determined to result in consequences less severe than the limiting single rod control system malfunction presented in accident analysis found in Chapter 15.

Effects of Failures on CRDM Speed of Operation

The rod control system is designed to limit the rod speed control signal output to a value that causes the pulser (logic cabinet) to drive the control rod driving mechanism at 72 steps per minute. If a failure should occur in the pulser or the reactor control system, the highest stepping rate possible is 77 steps per minute, which corresponds to one step every 780 milliseconds. A commanded stepping rate higher than 77 steps per minute would result in GO pulses entering a slave cycler while it is sequencing its mechanisms through a 780 millisecond step.

This condition stops the control bank motion automatically and alarms are activated locally and in the control room. It also causes the affected slave cycler to reject further 'GO' pulses until it is reset.

Failures that cause the 780 millisecond step sequence time to shorten will not result in higher rod speeds since, assuming the pulser and rod control system have not failed, the stepping rate is proportional to the pulsing rate.

Simultaneous failures in the pulser or rod control system and in the clock circuits that determine the 780 millisecond stepping sequence could result in higher CRDM speed. However, simultaneous failures of the clock and pulser or rod control system are not considered credible.
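The GO-pulse handling described above can be modelled as a small state machine. The following is an added example, not code from the UFSAR or the plant vendor; the class and function names are hypothetical, and it assumes that a step already in progress is still counted and that a reset simply clears the lockout.

```python
from dataclasses import dataclass, field

STEP_SEQUENCE_MS = 780.0  # step sequence time stated on the page


@dataclass
class SlaveCycler:
    """Constructed model of one slave cycler's GO-pulse handling."""
    step_ms: float = STEP_SEQUENCE_MS
    busy_until_ms: float = float("-inf")
    locked_out: bool = False
    steps: int = 0
    alarms: list = field(default_factory=list)

    def go_pulse(self, t_ms: float) -> str:
        """Offer a GO pulse at time t_ms; return 'step', 'fault' or 'rejected'."""
        if self.locked_out:
            # Page: further GO pulses are rejected until the cycler is reset.
            return "rejected"
        if t_ms < self.busy_until_ms:
            # Pulse arrived while the 780 ms sequence is still running:
            # bank motion stops and the alarm is raised (locally and in the MCR).
            self.locked_out = True
            self.alarms.append((t_ms, "GO pulse received during step sequence"))
            return "fault"
        self.busy_until_ms = t_ms + self.step_ms
        self.steps += 1
        return "step"

    def reset(self) -> None:
        """Assumed reset behaviour: clear the lockout and the busy timer."""
        self.locked_out = False
        self.busy_until_ms = float("-inf")


def drive(spm: float, n_pulses: int, cycler: SlaveCycler = None):
    """Send n_pulses evenly spaced GO pulses at a commanded rate in steps/min."""
    if cycler is None:
        cycler = SlaveCycler()
    interval_ms = 60_000.0 / spm
    outcomes = [cycler.go_pulse(k * interval_ms) for k in range(n_pulses)]
    return cycler, outcomes


def max_rate_spm(step_ms: float = STEP_SEQUENCE_MS) -> float:
    """Highest rate the step sequence can follow: 60000/780 = 76.9 spm,
    which the page quotes, rounded, as 77 steps per minute."""
    return 60_000.0 / step_ms


if __name__ == "__main__":
    for rate in (72, 76, 80):
        cyc, out = drive(rate, 6)
        print(rate, "spm ->", out, "steps taken:", cyc.steps)
```

At the normal 72 spm the pulses are 833 ms apart and every pulse produces a step; at a commanded 80 spm the second pulse arrives 750 ms after the first, inside the step sequence, and the cycler locks out after one step.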

With DCS, rod speed in the event of a DCS software failure is limited to a maximum of 72 spm by a precision resistor that limits the output to the speed control module.

This is consistent with the safety analysis in Chapter 15.

To preclude addressing failures in the rod speed signal that could cause rod stepping speeds to exceed the normal maximum speed of 72 spm, a test of the rod control system and reactor control system input signal is required. This testing of the reactor control system and the rod control system is performed at periodic intervals to detect failures that could lead to an increase in the rod speed [16].

The maximum rod stepping speed of 72 spm is used in the Chapter 15 safety analyses.

b. Power Cabinet System Failures

Analysis of the power cabinet disclosed no single component failures that would cause the uncontrolled withdrawal of a group of rods serviced by the power cabinet. The analysis substantiates that the design of the power cabinet is fail-preferred in regard to a rod withdrawal accident if a component fails. The end result of the failure is either that of blocking rod movement or that of dropping an individual rod or rods. No failure within the power cabinet which could cause erroneous drive mechanism operation will remain undetected.

Sufficient alarm monitoring (including 'urgent' alarm) is provided in the design of the power cabinet for fault detection of those failures which could cause erroneous operation of a group of mechanisms. As noted in the foregoing, diverse monitoring systems are available for detection of failures that cause the erroneous operation of an individual control rod drive mechanism.

Conclusion

In summary, no single failure within the rod control system can cause either reactivity insertions or malpositioning of the control rods resulting in core thermal conditions not bounded by analyses contained in Chapter 15.

7.7.1.3 Plant Control Signals for Monitoring and Indicating

7.7.1.3.1 Monitoring Functions Provided by the Nuclear Instrumentation System

The Nuclear Instrumentation System (NIS) monitors neutron flux from reactor shutdown to 200% of full rated power by the use of three subsystems: 1) source range, 2) intermediate range, and 3) power range. The NIS consists of eight channels: two source range, two intermediate range, and four power range channels. The primary function of the NIS is to protect the reactor by monitoring neutron flux and generating appropriate reactor protection trips, operating permissives, indication and alarms for various phases of reactor operating and shutdown conditions. The safety function of each subsystem is to provide reactor trip input signals to the reactor protection system (RPS), provide power level permissives control signals (i.e., P-6, P-7, P-8, P-9, and P-10), and provide post accident monitoring indication. Refer to Section 7.2 for a detailed description of the reactor protection features and operating permissives of the NIS. The NIS is described in References [2] and [11]. Also, refer to Section 7.5 for a description of the NIS post accident monitoring features.

The NIS provides control, indication, and alarm features needed to maintain the reactor within safe operating limits. In addition to the reactor (protective) controls and permissives discussed in Section 7.2, the (non-protective) control features include the intermediate range high flux (1 of 2 logic) and power range high flux (1 of 4 logic) rod stop signals. The power range channels provide an input to the overtemperature ΔT and overpower ΔT rod stop/turbine runback signals.

Isolated signals from the four power range channels are input to a distributed control system (DCS) where the second highest of the four channels is determined and provided as an input to the steam generator level control system. The DCS also provides the highest of the four power range channels to the Rod Speed Program as discussed in Section 7.7.1.1.2.

Main control room alarms are provided from various NIS channels during shutdown, startup, and power operation. These alarms are used to alert the operator to conditions which require administrative action and indicate abnormal reactor operating conditions. These alarms include reactor trip block status, control permissive status, abnormal reactor operation (e.g., high flux, flux deviation, power imbalance), rod stop status, channel bypass status, and channel trouble condition.

NIS indication on the main control board covers reactor neutron flux from shutdown to 200% of full power. The source range, intermediate range, and power range channels are designed with overlapping ranges to ensure a satisfactory transition during reactor startup and shutdown. The main control board indication includes reactor neutron flux count rate and startup rate for each of the two source range channels, flux rate and startup rate for each of the two intermediate range channels, and flux level and upper/lower detector differential flux indications for each of the four power range channels. Two channels of the total eight NIS channels may be selected for recording at any one time. Also, the four power range channels (upper and lower detector sum) flux signals are recorded. The output signals of the NIS channels are monitored by the plant computer.


7.7.1.3.2 Main Control Room Rod Position Indication

Two separate systems are used to indicate rod position information in the main control room.

One system measures the actual drive rod position as part of the Rod Position Indicator System (RPIS). The second system counts and displays the pulses for rod movement generated in the logic cabinet.

1. Rod Position Indication System

The position of each rod (57) [Shutdown and Control banks] is displayed on main control room (MCR) displays. The RPIS receives analog signals from sensors mounted on the rod drive mechanism, calculates rod position from these signals, and displays this information on the MCR displays. The scale is in units of steps and covers the entire range of travel.

Additionally, a rod bottom indicator light for each rod (57) is shown on the MCR displays to indicate a rod is near the fully inserted position.

2. Rod Position Step Counter

The position demand signal for each rod group (14) is displayed on a 3-digit, add-subtract step counter. The input signal is supplied from the logic cabinet circuitry.

The demand position and rod position indication systems are separate systems; the rod position indication system is described in detail in References [3] and [17].

Unit Operation with an Inoperable RPIS Indicator

The malfunction of an indicator in the RPIS is addressed by controls established in the technical specifications. The controls include requirements to use incore power distribution (Unit 1) or the Power Distribution Monitoring System (Unit 2) measurement information to verify the position of the affected rod whenever an indicator is inoperable. This action may be periodically repeated for the duration of the period the indicator is inoperable. A second action is available in the technical specifications to address the malfunction of an indicator for an extended period of time (referred to as the extended action in this discussion). The options provided by the extended action allow for continued operation in a situation where the component causing the indicator to be inoperable is inaccessible due to operating conditions (adverse radiological or temperature environment). In this situation, repair of the indicator cannot occur until the unit is in an operating mode that allows access to the failed components.

The primary purpose for this option is to prevent potential unnecessary wear on the incore detectors due to repeated use over an extended period. (Unit 1 Only)

Implementation of the extended action involves the monitoring of test points associated with the control rod drive mechanism (CRDM) affected by the inoperable indicator. A CRDM consists of four separate subassemblies: 1) the pressure vessel, 2) the coil stack assembly, 3) the latch assembly, and 4) the drive rod assembly. The coil stack assembly contains three operating coils: 1) the stationary gripper coil, 2) the moveable gripper coil, and 3) the lift coil. During the use of the extended action, signal cables are connected to the CRDM circuitry test points on a temporary basis to monitor the operation and timing of the lift coil and the stationary gripper coil and to provide instrumentation for the monitoring of the position of the affected rod in the MCR.

As indicated previously, the initial position of the affected rod (control or shutdown) is verified by use of incore power distribution (Unit 1) or the Power Distribution Monitoring System (Unit 2) measurement information. Once the position is known and the monitoring circuits required for use of the extended action are in place, the position of the rod is programmed into the plant computer. The program displays the position of the rod on the plant computer or on a recorder located in the MCR.

Once the extended action is implemented, the parameters of the rod control system must be monitored until the failed indicator is repaired. The monitoring function is assisted by a series of alarms controlled by the plant computer that address unintended movement of the rod.

Alarms are initiated if the affected rod steps in a direction other than what was demanded, if the affected rod stepped with no demand and/or if the monitoring circuitry fails. Receipt of any alarm requires the verification of the position of the rod by use of incore power distribution (Unit 1) or the Power Distribution Monitoring System (Unit 2) measurement information.

The technical specifications that govern the use of the extended action contain the following provisions to ensure the temporary circuit is functioning properly and the position of the affected rod is periodically verified:

1. Verification of the position of the rod every 31 days using incore power distribution (Unit 1) or the Power Distribution Monitoring System (Unit 2) measurement information.
2. Verification of the position of the rod with the inoperable analog rod position indication (ARPI) by use of incore power distribution (Unit 1) or the Power Distribution Monitoring System (Unit 2) measurement information, whenever the rod is moved greater than 12 steps in one direction.

During the period the extended action is implemented, actions required by the technical specifications that address rod group alignment limits, heat flux hot channel factor and nuclear enthalpy rise hot channel factor may serve to verify the correct operation of the temporary circuit. Provisions are also provided in the technical specifications that address operation of the unit under the extended action when reactor thermal power (RTP) is less than or equal to 50% RTP and the unit is to be returned for full power operation.

Implementation of the extended action and the installation of the temporary circuit include a review of the modification for impact on plant procedures and training. This ensures that changes are initiated for key issues like the monitoring requirements in the MCR, and operator training on the temporary equipment.

7.7.1.3.3 Control Bank Rod Insertion Monitoring

When the reactor is critical, the normal indication of reactivity status in the core is the position of the control bank in relation to reactor power (as indicated by the RCS loop ΔT) and coolant average temperature. RCS ΔT is the only parameter used to determine the rod insertion limits.

Two alarms are provided for all control banks.

1. The "Rod Insertion Limit Lo" annunciation alerts the operator of an approach of one or more control bank rods to the insertion limit. This annunciation precedes the "Lo-Lo" annunciation by a preset number of steps.
2. The "Rod Insertion Limit Lo-Lo" annunciation alerts the operator that one or more Control bank rods are positioned at or below the insertion limit. Corrective measures are to be taken after verifying that rod insertion limits are violated.

The purpose of the control bank rod insertion monitor is to give warning to the operator of excessive rod insertion. The insertion limit maintains sufficient core reactivity, adequate shutdown margin (SDM) following reactor shutdown due to a normal or design basis event assuming the highest worth rod remains fully withdrawn, provides a limit on the maximum inserted rod worth in the unlikely event of a hypothetical rod ejection, and limits rod insertion such that acceptable nuclear peaking factors are maintained. Since the amount of shutdown reactivity required for the design shutdown margin following a reactor trip increases with increasing power, the allowable rod insertion limits must be decreased (the rods must be withdrawn further) with increasing power. The rod insertion monitor uses %ΔT as a direct function of reactor power (i.e., K1 = 0) as follows:

ZLL = K1 (Tavg - 557°F) + K2 (%ΔT) + K3 (see Reference [10])

where:

ZLL = maximum permissible insertion limit (steps withdrawn)
Tavg = highest average temperature of all loops (auctioneered)
ΔT = highest ΔT of all loops (auctioneered)
K1, K2, K3 = constants based on physics calculation (K1 = 0)

The maximum permissible insertion limit is cut off at an adjustable upper limit to prevent spurious alarms due to the physical limits on the control banks' full out park position. Provided the control banks are sequenced in proper overlap, the lead bank will generate the appropriate alarm(s) when the rod insertion limit is violated. The Plant Computer System generates alarms to give warning to the operator of control banks not within their sequence and overlap limits.

The control bank position (steps withdrawn), Z, is compared to calculated ZLL as follows for alarm:

Low Alarm: Z Low = ZLL + K4
Low-Low Alarm: Z Low-Low = ZLL + K5

where:

K4, K5 = constants to allow alarms to occur prior to reaching insertion limit (steps) (K5 = 0).

Since the highest values of Tavg and ΔT are chosen by auctioneering, a conservatively high representation of power is used in the insertion limit calculation.

Actuation of the low alarm alerts the operator of an approach to a reduced shutdown reactivity situation. Administrative procedures require the operator to evaluate the need to add boron through the chemical and volume control system. Actuation of the low-low alarm requires the operator to initiate immediate boration procedures after verifying the rod insertion limits are violated. The value for K4 is chosen to allow the operator to follow normal boration procedures.

Figure 7.7-2 shows a block diagram representation of the control rod bank insertion monitor.
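The insertion limit calculation and alarm comparison described above, worked through as an added example (not code from the UFSAR or the plant computer). K1 = 0 and K5 = 0 are from the text; K2, K3, K4, the upper cut-off and the loop readings are constructed values, and treating both alarms as "at or below the setpoint" is an assumption.

```python
from dataclasses import dataclass
from typing import Sequence

TAVG_REFERENCE_F = 557.0  # reference temperature in the page's formula


@dataclass(frozen=True)
class RilConstants:
    k1: float = 0.0            # page: K1 = 0
    k2: float = 1.5            # constructed, steps per % delta-T
    k3: float = 20.0           # constructed, steps
    k4: float = 10.0           # constructed, Lo alarm margin in steps
    k5: float = 0.0            # page: K5 = 0
    upper_limit: float = 160.0  # constructed adjustable cut-off for ZLL


@dataclass(frozen=True)
class RilStatus:
    zll: float         # insertion limit, steps withdrawn
    z_low: float       # Lo alarm setpoint
    z_low_low: float   # Lo-Lo alarm setpoint
    lo_alarm: bool
    lo_lo_alarm: bool


def insertion_limit(tavg_loops_f: Sequence[float],
                    pct_dt_loops: Sequence[float],
                    c: RilConstants = RilConstants()) -> float:
    """ZLL = K1 (Tavg - 557 F) + K2 (% delta-T) + K3, cut off at the upper limit.

    Both inputs are auctioneered high, so one loop reading high makes the
    limit more restrictive (rods must be further withdrawn)."""
    tavg = max(tavg_loops_f)
    pct_dt = max(pct_dt_loops)
    zll = c.k1 * (tavg - TAVG_REFERENCE_F) + c.k2 * pct_dt + c.k3
    return min(zll, c.upper_limit)


def check_bank(z_steps: float,
               tavg_loops_f: Sequence[float],
               pct_dt_loops: Sequence[float],
               c: RilConstants = RilConstants()) -> RilStatus:
    """Compare control bank position Z (steps withdrawn) with the setpoints."""
    zll = insertion_limit(tavg_loops_f, pct_dt_loops, c)
    z_low = zll + c.k4
    z_low_low = zll + c.k5
    # Assumption: an alarm is active when Z is at or below its setpoint.
    return RilStatus(zll, z_low, z_low_low,
                     z_steps <= z_low, z_steps <= z_low_low)


if __name__ == "__main__":
    tavg = [570.0, 571.5, 569.8, 570.2]      # constructed loop readings, deg F
    for z in (120.0, 105.0, 95.0):
        print(z, check_bank(z, tavg, [48.0, 50.0, 49.0, 47.0]))
    # One loop reading high raises the limit for the whole bank.
    print(check_bank(115.0, tavg, [50.0, 50.0, 50.0, 58.0]))
```

With these constructed constants, a bank at 115 steps is clear of both alarms when all loops read 50% ΔT, but the Lo alarm comes in when a single loop reads 58%, which is the conservative effect of auctioneering noted in the text.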

In addition to the rod insertion monitor for the control banks, an alarm system is provided to warn the operator if any shutdown rod cluster control assembly leaves the fully withdrawn position.

Rod insertion limits are established by:

1. The allowed rod reactivity insertion at full power consistent with the purposes given above.
2. The differential reactivity worth of the control rods when moved in normal sequence.
3. The change in reactivity with power level by relating power level to rod position.
4. Linearizing the resultant limit curve. Key nuclear parameters used in establishing the limit curve are measured as part of the initial physics testing program and periodic surveillance testing program.

Any unexpected change in the position of the control bank under automatic control, or a change in coolant temperature under manual control, provides a direct and immediate indication of a change in the reactivity status of the reactor. In addition, samples are taken periodically of coolant boron concentration. Variations in concentration during core life provide an additional check on the reactivity status of the reactor, including core depletion.

7.7.1.3.4 Rod Deviation Alarm

A rod deviation annunciation is actuated in the main control room when: 1) the deviation between the actual rod position and the bank demand position (control bank rods) exceeds a preset value, or 2) the deviation between any two rods within a control bank exceeds a preset value.

Figure 7.7-3 is a block diagram of the rod deviation comparator and alarm system.

7.7.1.3.5 Rods At Bottom

A "Rods At Bottom" annunciation is actuated in the main control room when any of the shutdown and control bank rods are near the fully inserted position. The RPIS monitors the analog signal from the rod position detectors and actuates this alarm when the rods are positioned below the setpoint. (The RPIS blocks this alarm signal for control banks B, C, and D).

7.7.1.3.6 Bypassed and Inoperable Status Indication System (BISI)

Refer to Section 7.5 for description of BISI.

7.7.1.4 Plant Control System Interlocks

The listing of the plant control system interlocks, along with the description of their derivations and functions, is presented in Table 7.7-1. It is noted that the designation numbers for these interlocks are preceded by 'C'.

7.7.1.4.1 Rod Stops

Rod stops are provided to inhibit control rod withdrawal under certain abnormal operating conditions. Refer to Table 7.7-1 for a description of each interlock.

7.7.1.4.2 Automatic Turbine Load Runback

Automatic turbine load runback is initiated by an approach to an overpower ΔT or overtemperature ΔT condition. This will prevent high power operation that might lead to an undesirable condition, which, if reached, will be protected by reactor trip.

Turbine load reference reduction is initiated by either an overtemperature ΔT or overpower ΔT signal. Two out of four coincidence logic is used.

A rod stop and turbine runback are initiated when:

ΔT > ΔTrod stop

for both the overtemperature and the overpower condition.

For either condition in general:

ΔTrod stop = ΔTsetpoint - Bp

where:

Bp = a setpoint bias
ΔTsetpoint = the overtemperature ΔT reactor trip value and the overpower ΔT reactor trip value for the two conditions.

The turbine runback will continue to cycle to maintain stability until ΔT is equal to or less than ΔTrod stop.

This function serves to maintain an essentially constant margin to trip.

7.7.1.5 Pressurizer Pressure Control

The RCS pressure is controlled by using either the heaters (in the water region) or the spray (in the steam region) of the pressurizer plus steam relief for large transients. The electrical immersion heaters are located near the bottom of the pressurizer. A portion of the heater group is proportionally controlled to correct small pressure variations. These variations are due to heat losses, including heat losses due to a small continuous spray. The remaining (backup) heaters are energized when the pressurizer pressure controlled signal demands approximately 100% proportional heater power.

The spray nozzles are located on the top of the pressurizer. Spray is initiated when the pressure controller spray demand signal is above a given setpoint. The spray rate increases proportionally with increasing spray demand signal until it reaches a maximum value.

Steam condensed by the spray reduces the pressurizer pressure. A small continuous spray is normally maintained to reduce thermal stresses and thermal shock and to help maintain uniform water chemistry and temperature in the pressurizer.

Power operated relief valves (PORVs) limit system pressure for large positive pressure transients. In the event of a large load reduction, not exceeding the design plant load rejection capability, the pressurizer PORVs might be actuated for the most adverse conditions, e.g., the most negative Doppler coefficient, and the maximum incremental rod worth. The relief capacity of the PORVs is sized large enough to limit the system pressure to prevent actuation of high pressure reactor trip for the above condition.

A block diagram of the pressurizer pressure control system is shown on Figure 7.7-4 [9].

7.7.1.6 Pressurizer Water Level Control

The pressurizer operates by maintaining a steam cushion over the reactor coolant. As the density of the reactor coolant adjusts to the various temperatures, the steam water interface moves to absorb the variations with relatively small pressure disturbances.

The water inventory in the RCS is maintained by the chemical and volume control system.

During normal plant operation, the charging flow varies to produce the flow demanded by the pressurizer water level controller. The pressurizer water level is programmed as a function of coolant average temperature, with the highest average temperature (auctioneered) being used.

The pressurizer water level decreases as the load is reduced from full load. This is a result of coolant contraction following programmed coolant temperature reduction from full power to low power. The programmed level is designed to match as nearly as possible the level changes resulting from the coolant temperature changes.

To control pressurizer water level during startup and shutdown operations, the charging flow is controlled from the main control room.

The pressurizer water level input to the controller is the median of the three pressurizer water level signals as determined by a median signal selector in the distributed control system.

A block diagram of the pressurizer water level control system is shown on Figure 7.7-5 [9].

7.7.1.7 Steam Generator Water Level Control

UNIT 1

Each steam generator is equipped with independent control loops for the bypass regulating and main regulating valves. The bypass valve control loop utilizes only a single-element scheme to modulate the valve. Steam generator narrow range level provides the sole control input but wide range level and feedwater temperature can be added, if desired, to provide better level control. The main regulating valve control loop has both single and three-element capability.

When the main regulating valve control loop is placed in automatic, it uses steam generator narrow range level for control (single-element; wide range level and MFW temperature can be added for stability). When unit dynamics are stabilized, the operator can transition to three-element control. Three-element control utilizes average feed flow, average pressure compensated steam flow and median selected narrow range level. The operator can transition between single and three-element control on main valve control, as desired.

With installation of DCS, additional features have been provided. Should any single feed flow and/or steam flow channel signal fail (1-out-of-2 logic) or deviate outside allowed tolerance, it will be removed from control and the remaining channel will be used for control. If both feed flow or steam flow channel signals fail, DCS will automatically transition control from three- to single-element control. Should one steam generator level channel signal fail, the MSS will remove it from any control function. If two level channel signals fail (downstream of Eagle 21 protection), DCS will automatically transfer that control loop from automatic to manual.

Appropriate alarms are generated for any of these failures. In addition, the feedwater pump speed is varied to maintain a programmed pressure differential between the steam header and the feed pump discharge header. The speed controller continuously compares the actual ΔP with a programmed ΔPref which is a linear function of steam flow. Continued delivery of feedwater to steam generators is required to remove reactor core decay heat and RCS stored heat following a reactor trip and turbine trip. An override signal closes the feedwater valves when the average coolant temperature is below a given temperature and the reactor has tripped. Manual override of the feedwater control system is available at all times.

Three steam generator narrow range water level signals for each steam generator are provided to Foxboro DCS which are passed through Median Signal Selector (MSS) software blocks.

These MSSs provide a median signal for each steam generator for use by the control system to initiate control system actions based on these signals. A failure of one of these steam generator level input signals to the Foxboro DCS will cause the DCS to reject the bad channel and provide an average level signal of the remaining two channels to be used for control purposes.

A block diagram of the steam generator water level control system is shown in Figures 7.7-6 and 7.7-7 [8].

UNIT 2

Each steam generator is equipped with a three element feedwater flow controller which maintains a programmed water level which is a function of nuclear power. The three element feedwater controller regulates the feedwater valve by continuously comparing the feedwater flow signal, the steam generator water level signal, the programmed level and the pressure compensated steam flow signal. In addition, the feedwater pump speed is varied to maintain a programmed pressure differential between the steam header and the feed pump discharge header. The speed controller continuously compares the actual ΔP with a programmed ΔPref which is a linear function of steam flow. Continued delivery of feedwater to steam generators is required to remove reactor core decay heat and RCS stored heat following a reactor trip and turbine trip. An override signal closes the feedwater valves when the average coolant temperature is below a given temperature and the reactor has tripped. Manual override of the feedwater control system is available at all times.

Three isolated steam generator water level signals from each steam generator are provided to a distributed control system (DCS) for feedwater control. A median signal selector (MSS) function in the DCS provides a median signal for use by the control system. Median signal selectors are also provided in the DCS for three feedwater header pressure (feed pump discharge) and three steam header pressure inputs to the feedwater pump speed controller. If the DCS detects a failed MSS input channel, the failed input will not be used in the control algorithm and the average of the two remaining channels will be used for control.

Two feedwater flow signals and two steam flow signals are provided to the DCS for feedwater control. The DCS calculates an average of the two inputs for each variable for input to the feedwater controller. If one channel of feedwater flow or one channel of steam flow fails, a voter signal will determine which channel should be used for control. The voter signal is the average of the feedwater flows for the other steam generators. The voter is not used for control.

For the evaluation of the compliance of steam generator low-low water level channels to Section 4 (Control and Protection System Interaction) of IEEE Standard 279-1971, refer to Section 7.2.

A block diagram of the steam generator water level control system is shown in Figures 7.7-6 and 7.7-7. See Reference [8].

7.7.1.8 Steam Dump Control

The steam dump system has 40% steam dump capacity to the condenser (i.e., 40% of rated full load steam flow can be passed at full load steam pressure when all of the steam dump valves are discharging steam). This allows the NSSS to withstand an external load step reduction of up to 50% of plant rated electrical load (10% NSSS load step capability plus 40% steam dump) without reactor trip or safety valve actuation.

The automatic steam dump system is able to accommodate this abnormal load rejection and to reduce the effects of the transient imposed upon the RCS. By bypassing main steam directly to the condenser, an artificial load is thereby maintained on the primary system. The rod control system can then reduce the reactor temperature to a new equilibrium value without causing overtemperature and/or overpressure conditions.

If the difference between the reference Tavg (Tref) based on turbine impulse pressure and the lead/lag compensated auctioneered Tavg exceeds a predetermined amount, and the interlock mentioned below is satisfied, a demand signal will actuate the steam dump to maintain the RCS temperature within control range until a new equilibrium condition is reached.

The Tref input to steam dump control is the median of three turbine impulse pressure signals as determined by a median signal selector in the distributed control system. If a failed channel is detected by the DCS, it will not be used in the control algorithm and the average of the two remaining channels will be used for control.
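The input selection described above for the steam generator level, feedwater flow and Tref signals, as an added example that is not code from the UFSAR or the DCS vendor. The names are hypothetical; the per-channel quality flag stands in for failure detection the page does not describe, the sample values are constructed, and picking the flow channel closest to the voter is an assumption about how the voter "determines" the channel.

```python
from dataclasses import dataclass
from statistics import median
from typing import Optional, Sequence


@dataclass(frozen=True)
class Channel:
    value: float
    good: bool = True  # assumed quality flag set by DCS failure detection


@dataclass(frozen=True)
class Selection:
    value: Optional[float]  # None when no usable signal remains
    mode: str


def median_signal_select(channels: Sequence[Channel]) -> Selection:
    """Three-input MSS: median when all are good, average of the remaining
    two when one is rejected, transfer to manual when two have failed
    (the last rule is from the Unit 1 steam generator level description)."""
    if len(channels) != 3:
        raise ValueError("the MSS described on the page takes three inputs")
    good = [c.value for c in channels if c.good]
    if len(good) == 3:
        return Selection(median(good), "median")
    if len(good) == 2:
        return Selection(sum(good) / 2.0, "average-of-two")
    return Selection(None, "manual")


def select_flow(ch_a: Channel, ch_b: Channel,
                other_sg_flows: Sequence[float],
                tolerance: float) -> Selection:
    """Two-channel feedwater flow input for one steam generator."""
    if not ch_a.good and not ch_b.good:
        # Unit 1 text: both flow channels failed, drop to single-element control.
        return Selection(None, "single-element")
    if ch_a.good != ch_b.good:
        # One channel flagged failed: the remaining channel is used.
        return Selection((ch_a if ch_a.good else ch_b).value, "single-channel")
    if abs(ch_a.value - ch_b.value) <= tolerance:
        # Normal case: the controller gets the average of the two inputs.
        return Selection((ch_a.value + ch_b.value) / 2.0, "average")
    # Channels disagree: the voter (average flow of the other steam
    # generators, Unit 2 text) decides which one to believe. The voter
    # itself is never passed to the controller.
    voter = sum(other_sg_flows) / len(other_sg_flows)
    chosen = min((ch_a, ch_b), key=lambda c: abs(c.value - voter))
    return Selection(chosen.value, "voted")


if __name__ == "__main__":
    # Constructed narrow range level readings, percent.
    print(median_signal_select([Channel(50.0), Channel(49.5), Channel(51.0)]))
    # Undetected fail-high channel: the median still tracks the good channels.
    print(median_signal_select([Channel(50.0), Channel(49.5), Channel(100.0)]))
    # Same failure once detected: average of the two remaining channels.
    print(median_signal_select(
        [Channel(50.0), Channel(49.5), Channel(100.0, good=False)]))
    # Constructed flow readings; channel B has drifted low.
    print(select_flow(Channel(4.0), Channel(2.0), [4.0, 4.5, 3.5], 0.25))
```

The second case shows why a median is used for three-channel inputs: a channel that fails high or low before it is flagged cannot pull the control signal outside the range of the two healthy channels.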

To prevent actuation of steam dump on small load perturbations, an independent load rejection logic is provided in the DCS. The DCS calculates the rate of decrease in the turbine load as detected by the turbine chamber pressure. It is provided to unblock the dump valves when the rate of load rejection exceeds a preset value corresponding to a 10% step load decrease.

A block diagram of the steam dump control system is shown in Figure 7.7-8 [7].

7.7.1.8.1 Load Rejection Steam Dump Controller

This logic within the DCS prevents a large increase in reactor coolant temperature following a large, sudden load decrease. The error signal is a difference between the lead/lag compensated auctioneered Tavg and the reference Tavg based on turbine impulse pressure.

The Tavg signal is the same as that used in the RCS. The lead/lag compensation for the Tavg signal is to compensate for lags in the plant thermal response and in valve positioning.

Following a sudden load decrease, Tref is immediately decreased and Tavg tends to increase, thus generating an immediate demand signal for steam dump. Since control rods are available, in this situation steam dump terminates as the error comes within the maneuvering capability of the control rods.

7.7.1.8.2 Reactor Trip Steam Dump Controller

Following a reactor trip, the load rejection steam dump controller is defeated and the reactor trip steam dump controller becomes active (the Reactor Trip controller is sometimes referred to as the Plant Trip controller). The demand signal is the error signal between the lead/lag compensated auctioneered Tavg and the no load reference Tavg. When the error signal exceeds a predetermined setpoint the dump valves are tripped open in a prescribed sequence. As the error signal reduces in magnitude, indicating that the RCS Tavg is being reduced toward the reference no-load value, the dump valves are modulated by the reactor trip controller to regulate the rate of removal of decay heat and thus gradually establish the equilibrium hot shutdown condition.

Following a reactor trip, only sufficient steam-dump capacity is necessary to maintain steam pressure below steam-generator relief-valve setpoint. The error signal determines whether a group is to be tripped open or modulated open. The valves are modulated when the error is below the trip-open setpoints.

7.7.1.8.3 Steam Header Pressure Controller

Residual heat removal is maintained by the steam generator pressure controller (manually selected), which controls the amount of steam flow to the condensers. This controller operates a portion of the same steam dump valves to the condensers, which are used during the initial transient following turbine-reactor trip or load rejection.

7.7.1.9 Incore Instrumentation System

UNIT 1

The incore instrumentation system consists of Chromel-Alumel thermocouples at fixed core-outlet positions and movable miniature neutron detectors which can be positioned at the center of selected fuel assemblies, anywhere along the length of the fuel assembly vertical axis. The basic system for insertion of these detectors is shown in Figure 7.7-9. References [4] and [12] provide additional information on the incore instrumentation system.

The incore instrumentation system consists of Chromel-Alumel thermocouples and fixed incore neutron detectors contained within Incore Instrumentation Thimble Assemblies (IITA) which are inserted into the fuel assemblies through the Bottom-Mounted Instrumentation (BMI) guide tubes and into the fuel assemblies served by the BMI guide tubes. The fixed incore neutron detectors reside in the core during reactor operation and provide digitized flux signals to the Power Distribution Monitoring System (PDMS) for development of the incore power distribution measurements. The Incore Instrumentation System is shown in Figure 7.7-9.

7.7.1.9.1 Thermocouples

UNIT 1

The incore thermocouple system is a Post Accident Monitoring (PAM) safety related monitoring system. Refer to Section 7.5.

Chromel-Alumel thermocouples are threaded into guide tubes that penetrate the reactor vessel head through seal assemblies, and terminate at the exit-flow end of the fuel assemblies. The thermocouples are supported in guide tubes in the upper core support assembly.

The thermocouple cables, connectors, junction boxes inside the containment, and cables outside the containment up to the Inadequate Core Cooling Monitor cabinets are environmentally qualified and in compliance with 10CFR50.49. The thermocouple cables maintain adequate separation between post-accident monitoring channels I and II (PAM I and PAM II) after exiting the reactor cavity biological shield wall. Thermocouple readings will be monitored by a plasma display screen (separate for PAM I and PAM II channels) in the main control room. Two three-pen recorders and the plant computer are also available.

UNIT 2

The incore thermocouple system is a Post Accident Monitoring (PAM) safety related monitoring system. Refer to Section 7.5.

Chromel-Alumel thermocouples are contained in the tip of the IITAs which are located within the fuel assembly instrument tube. The thermocouple sensing tip is located within the fuel assembly instrument tube just below the bottom of the fuel assembly top nozzle.

The thermocouple cables, connectors, and cables outside the containment up to the Common Q Post Accident Monitoring System Cabinet are environmentally qualified and in compliance with 10CFR50.49. The thermocouple cables maintain adequate separation between post-accident monitoring channels I and II (PAM I and PAM II) after exiting the seal table area.

Thermocouple readings will be monitored by a Common Q PAMS flat panel display screen (separate for PAM I and PAM II channels) in the main control room. The plant computer is also available for monitoring the thermocouple readings.

7.7.1.9.2 Movable Neutron Flux Detector Drive System (Unit 1 Only)

The flux mapping system is a quality-related system. The portion of the system that interfaces with the RCS pressure boundary is safety related.

Miniature fission chamber detectors can be remotely positioned in retractable guide thimbles to provide flux mapping of the core. See Reference [4] for neutron flux detector parameters. The stainless steel detector shell is welded to the leading end of helical wrap drive cable and to stainless steel sheathed coaxial cable. The retractable thimbles, into which the miniature detectors are driven, are pushed into the reactor core through conduits which extend from the bottom of the reactor vessel down through the concrete shield area and then up to a thimble seal table.

The thimbles are closed at the leading ends, dry inside, and serve as the pressure barrier between the reactor water pressure and the atmosphere. Mechanical seals between the retractable thimbles and the conduits are provided at the seal table. During reactor operation, the retractable thimbles are stationary. They are extracted downward from the core during refueling to avoid interference within the core. A space above the seal table is provided for the retraction operation.

The drive system for the insertion of the miniature detectors consists basically of drive assemblies, five path rotary transfer assemblies, and ten path rotary transfer assemblies, as shown in Figure 7.7-9. These assemblies are described in Reference [4]. The drive system pushes hollow helical wrap drive cables into the core with the miniature detectors attached to the leading ends of the cables and small diameter sheathed coaxial cables threaded through the hollow centers back to the ends of the drive cables. Each drive assembly consists of a gear motor which pushes a helical wrap drive cable and a detector through a selective thimble path by means of a special drive box and includes a storage device that accommodates the total drive cable length.

Leakage detection of reactor coolant is discussed in Reference [4].

Manual isolation valves (one for each thimble) are provided for closing the thimbles. When closed, the valves prevent steam leakage from the core if a thimble ruptures. Thimble tubes that have been taken out of service may be capped to prevent steam leakage from the core if the thimble tube ruptures. The manual isolation valves are not designed to isolate a thimble while a detector/drive cable is inserted into the thimble. The detector/drive cable must be retracted to a position above the isolation valve prior to closing the valve. A small leak would probably not prevent access to the isolation valves and thus a leaking thimble could be isolated.

A large leak might require cold shutdown for access to the isolation valve.

Incore Instrumentation System (Unit 2 Only)

The Power Distribution Monitoring System is a quality-related system. The portion of the system that interfaces with the RCS pressure boundary is safety related.

The IITAs are pushed into the thimble seal table through the concrete shield area and through the bottom of the reactor vessel and into the fuel assembly instrumentation thimble tubes.

The thimbles are closed at the leading ends and dry inside. Mechanical seals between the retractable thimbles and the conduits are provided at the seal table and serve as the pressure barrier between the reactor water pressure and the atmosphere. During reactor operation, the retractable thimbles are stationary. They are extracted downward from the core during refueling to avoid interference within the core. A space above the seal table is provided for the retraction operation.

7.7.1.9.3 Control and Readout Description (Unit 1 Only)

The control and readout system provides means for inserting the miniature neutron detectors into the reactor core and withdrawing the detectors while plotting neutron flux versus detector position. The thimbles are distributed nearly uniformly over the core with about the same number of thimbles in each quadrant. The control system consists of two sections, one physically mounted with the drive units, and the other contained in the control room. Limit switches in each transfer device provide feedback of path selection operation. Each gear box drives an encoder for position feedback. One five-path operation selector is provided for each drive unit to insert the detector in one of five functional modes of operation. A ten-path rotary transfer assembly is a transfer device that is used to route a detector into any one of up to ten selectable paths. A common path is provided to permit cross calibration of the detectors.

The control room contains the necessary equipment for control, position indication, and flux recording for each detector. Additional panels are provided for such features as drive motor controls, core path selector switches, plotting and gain controls.

A "flux-mapping" consists, briefly, of selecting (by panel switches) flux thimbles in given fuel assemblies at various core quadrant locations. The detectors are driven to the top of the core and stopped automatically. An x-y plot (position versus flux level) is initiated with the slow withdrawal of the detectors through the core from top to a point below the bottom. In a similar manner other core locations are selected and plotted. Each detector provides axial flux distribution data along the center of a fuel assembly.

Various radial positions of detectors are then compared to obtain a flux map for a region of the core.

Operating plant experience has demonstrated the adequacy of the incore instrumentation in meeting the design bases stated.

Incore Instrumentation System Neutron Signal Processing (Unit 2 Only)

The Incore Instrumentation System provides a signal processing capability that digitizes the analog self-powered detector signals and transmits the data to the PDMS workstation over the plant data highway. The 58 core locations are divided between two cabinets to provide redundancy while providing coverage of the entire core. Since the Incore Instrumentation System detectors reside in the core during operation, power distribution information is available from the PDMS workstation as needed.

7.7.1.9.4 Power Distribution Monitoring System (PDMS)

UNIT 1

The PDMS can be used to obtain power distribution measurements in lieu of the movable incore detector system, although the PDMS must be calibrated periodically via a flux map. The PDMS receives on-line values for power range neutron flux, reactor power, RCS cold leg temperatures, control bank positions, and core exit thermocouple temperatures coupled with a three-dimensional analytical model to yield a continuously measured three-dimensional power distribution. The movable incore detectors are used to calibrate the PDMS.

On a once-per-minute basis, the Integrated Computer System transfers the values of computer points needed as input to the PDMS computer. The PDMS software is the Best Estimate Analyzer for Core Operations Nuclear (BEACON), which is described in References [18], [19] and [20]. Detailed information on the core power distribution, including trends, may be obtained from the BEACON software. Although information is fed back to the Integrated Computer System in terms of computer point values, the PDMS does not drive any control room indications or annunciators.

UNIT 2

The PDMS can be used to obtain power distribution measurements using the fixed IITAs. The PDMS receives on-line values for fixed incore detector data, reactor power, RCS cold leg temperatures, and control bank positions, coupled with a three-dimensional analytical model to yield a continuously measured three-dimensional power distribution.

On a once-per-minute basis, the Integrated Computer System transfers the values of computer points needed as input to the PDMS computer. The PDMS software is the Best Estimate Analyzer for Core Operations Nuclear (BEACON), which is described in Reference [18]. Detailed information on the core power distribution, including trends, may be obtained from the BEACON software. Although information is fed back to the Integrated Computer System in terms of computer point values, the PDMS does not drive any control room indications or annunciators.

7.7.1.10 Control Board

A typical control board functional layout is shown on Figure 7.7-10.

The control board layout is based on operator ease in relating the control board devices to the physical plant and in determining at a glance the status of related equipment. This is referred to as providing a functional layout. Within the boundaries of a functional layout, modules are arranged in columns of control functions associated with separation trains defined for the RPS and engineered safety features actuation system (ESFAS).

Monitor lights are provided in two places on the control board for automatically actuated valves and components for Phase A and B containment isolation and containment vent isolation, with the exception of all sampling and water quality system valves as well as those emergency gas treatment system (EGTS) valves that are not in the containment annulus vacuum fans flowpath.

Indicating circuits are paralleled to red (open) and green (closed) lights located next to the control station and to red and green split lens lights on the Containment Isolation Status Panel (CISP).

EGTS containment isolation valves not in the containment annulus vacuum fans flowpath have red and green position indication lights located on the control board at the control station.

Position indication for the sampling and water quality system containment isolation valves is provided by paralleling indicating circuits to red and green lights at the local control station in the Auxiliary Building and to red and green split-lens lights on the CISP.

For a description of separation of wiring within the control board refer to Section 7.1.

7.7.1.11 Boron Concentration Measurement System

UNIT 1

The boron analyzer, as described below, is not required for Unit 1 operations, and is not used in identifying boron concentration in the RCS. During full power operations, primary system sampling is conducted daily to determine boron concentration. Since periodic sampling can effectively measure boron concentration in the RCS, the boron analyzer is not relied upon to provide indications of boron concentration. Periodic sampling is described in Section 9.3.2.2.

The boron concentration measurement system is a monitoring system of the boron concentration in the RCS. This system is provided by Combustion Engineering. This system provides no control function. The boron concentration in the RCS is measured in the letdown stream of the CVCS. The control room readout and recorder have been removed from the Unit 1 MCR.

7.7.1.12 Anticipated Transient Without Scram Mitigation System Actuation Circuitry (AMSAC) (Reference [13])

To meet the ATWS final rule, Watts Bar added equipment diverse from the existing reactor trip system. The existing reactor trip system is composed of the Westinghouse Eagle 21 process protection system, and the Westinghouse Solid State Protection System (SSPS). The AMSAC equipment consists of a freestanding panel which is installed in the auxiliary instrument room of the Control Building. This modification is diverse from sensor output to the final actuation device. The AMSAC is designed to automatically initiate auxiliary feedwater and trip the turbine under conditions indicative of an ATWS event. An ATWS event will be detected when low-low level in three out of four steam generators is coincidental with the turbine at or above 40% load.

An AMSAC actuation will ensure the RCS pressure will remain below the pressure that will satisfy the ASME Boiler and Pressure Vessel Code Level C service limit stress criteria.

A turbine trip and startup of all auxiliary feedwater system (AFW) pumps occurs upon generation of an AMSAC signal. The AMSAC signal is generated by low-low water level signals in the steam generators. The AMSAC coincidence logic is 3 out of 4 (3/4) low-low level signals with one channel per steam generator and the turbine at or above 40% load. Load is determined by two pressure transmitters measuring first stage turbine pressure for Unit 1 and turbine impulse pressure for Unit 2. When 2 of 2 transmitters sense 40% load, AMSAC is armed. Removal of the AMSAC arming signal is delayed for a specified time so that AMSAC will stay armed and be capable of performing its function after turbine trip or power reduction below 40% power. Only one of the three narrow range level channels per steam generator is used for input to AMSAC coincidence logic. AMSAC actuation is required at a setpoint that is less than the existing RPS steam generator low-low level setpoint. The requirement allows the operation of the RPS before AMSAC. AMSAC actuation is delayed for a specified time to further ensure RPS operation prior to AMSAC.

There is no AMSAC interface to the RPS. The four steam generator level signals are from isolation devices in the AFW. Signals from two dedicated turbine inlet pressure transmitters are used to indicate if the plant is at or above 40% load and then to determine the trip setpoint. The output signals to start the auxiliary feedwater pumps and trip the turbine are from interposing relays.

AMSAC is designed so that once actuated, the completion of mitigating action shall be consistent with the plant turbine trip and auxiliary feedwater circuitry. AMSAC auxiliary feedwater initiation and turbine trip go to completion after actuation. The output relays are energized to actuate in order to prevent spurious trips and false status indication on loss of power or logic.

The blocking switch prevents inadvertent actuation by inhibiting the output relays before enabling the test function. A test status output shall inform the control room that the AMSAC is in the test mode and actuation is bypassed.

AMSAC is powered from 120V ac preferred power which is independent from the RPS power supply.

The AMSAC system, including input comparators, logic processing and actuation output to isolation relays, is non-safety. The QA requirements are given in NRC Generic Letter 85-06, "Quality Assurance Guidance of ATWS Equipment that is not Safety-Related." The AMSAC cabinet is qualified seismic Category I(L).

The TVA Watts Bar AMSAC design generally conforms to the Westinghouse Owners Group (WOG) Topical Report WCAP-10858 P-A, "AMSAC Generic Design Packages".
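The AMSAC arming and coincidence logic described in this section, modelled as an added example that is not part of this report or of the AMSAC equipment itself: 2-of-2 load arming at 40%, delayed removal of arming, 3-of-4 low-low level coincidence, delayed actuation, seal-in once actuated, and output inhibit by the blocking switch. The two delay values, the level setpoint, and the scenario data are assumed placeholders, since the page gives only "a specified time" and a setpoint "less than" the RPS low-low setpoint.

```python
# Added example: AMSAC arming / coincidence / actuation logic as a small state machine.
from dataclasses import dataclass
from typing import Optional, Sequence

ARM_LOAD_PCT = 40.0            # from the page: armed at or above 40% load
ARM_DROPOUT_DELAY_S = 120.0    # assumed placeholder for the arming-removal delay
ACTUATION_DELAY_S = 25.0       # assumed placeholder for the actuation delay
AMSAC_LOLO_LEVEL_PCT = 10.0    # assumed placeholder, below the RPS low-low setpoint


@dataclass
class Amsac:
    test_block: bool = False                  # blocking switch: output relays inhibited
    last_load_ok: Optional[float] = None      # last time both load channels were >= 40%
    coincidence_since: Optional[float] = None
    actuated: bool = False                    # sealed in: action goes to completion

    def step(self, t: float, sg_levels: Sequence[float],
             load_channels: Sequence[float]) -> dict:
        if len(sg_levels) != 4 or len(load_channels) != 2:
            raise ValueError("expected 4 level channels and 2 load channels")

        # Arming requires 2 of 2 pressure channels; removal of arming is delayed
        # so AMSAC stays capable after a turbine trip or power reduction.
        if all(p >= ARM_LOAD_PCT for p in load_channels):
            self.last_load_ok = t
        armed = (self.last_load_ok is not None
                 and t - self.last_load_ok <= ARM_DROPOUT_DELAY_S)

        # One narrow range level channel per steam generator, 3-of-4 coincidence.
        low_count = sum(1 for lvl in sg_levels if lvl <= AMSAC_LOLO_LEVEL_PCT)
        if armed and low_count >= 3:
            if self.coincidence_since is None:
                self.coincidence_since = t
        else:
            self.coincidence_since = None

        # The actuation delay lets the RPS act first; the test block inhibits outputs.
        timed_out = (self.coincidence_since is not None
                     and t - self.coincidence_since >= ACTUATION_DELAY_S)
        if timed_out and not self.test_block:
            self.actuated = True

        return {"armed": armed, "turbine_trip": self.actuated,
                "afw_start": self.actuated, "test_status": self.test_block}


def loss_of_feedwater(trip_time, low_time, n_low=3, initial_load=100.0,
                      test_block=False, duration=300):
    """Constructed scenario, 1 s scans: load falls to 0% at trip_time and n_low
    steam generators fall below the AMSAC setpoint at low_time.
    Returns the scan time of AMSAC actuation, or None if it never actuates."""
    amsac = Amsac(test_block=test_block)
    for t in range(duration):
        load = initial_load if t < trip_time else 0.0
        levels = [5.0 if (t >= low_time and i < n_low) else 50.0 for i in range(4)]
        if amsac.step(float(t), levels, [load, load])["turbine_trip"]:
            return t
    return None


if __name__ == "__main__":
    print("armed, 3/4 low:", loss_of_feedwater(10, 30))
    print("armed, 2/4 low:", loss_of_feedwater(10, 30, n_low=2))
    print("below 40% load:", loss_of_feedwater(10, 30, initial_load=30.0))
    print("arming expired:", loss_of_feedwater(10, 200))
    print("test block set:", loss_of_feedwater(10, 30, test_block=True))
```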

7.7.2 Analysis

The plant control systems are designed to assure high reliability in any anticipated operational occurrences. Equipment used in these systems is designed and constructed with a high level of reliability.

Proper positioning of the control rods is monitored in the control room on flat panel displays which show the individual position indicators for each rod cluster control assembly. A rod deviation alarm alerts the operator of a deviation of one rod cluster control assembly from the other rod assemblies in that bank position. The insertion limit monitor provides control room information on control bank rod assembly positions and calculated insertion limits and annunciation when any control bank rod assembly is inserted below the Low or Low-Low insertion limit values. Rod bottom indication is provided in the control room for each rod assembly and a common annunciation is actuated when any rod assembly is positioned below the rod bottom setpoint. Four excore long ion chambers also detect asymmetrical flux distribution indicative of rod misalignment.

Overall reactivity control is achieved by the combination of soluble boron and rod cluster control assemblies. Long term regulation of core reactivity is accomplished by adjusting the concentration of boric acid in the reactor coolant. Short term reactivity control for power changes is accomplished by the plant control system which automatically moves rod cluster control assemblies. This system uses input signals including neutron flux, reactor coolant average temperature, and turbine load.

The plant control systems are designed to prevent an undesirable condition in the operation of the plant that, if reached, will be protected by reactor trip. The description and analysis of this protection is covered in Section 7.2. Worst case failure modes of the plant control systems are postulated in the analysis of off-design operational transients and accidents covered in Chapter 15, such as the following:

1. Uncontrolled rod cluster control assembly withdrawal from a subcritical condition
2. Uncontrolled rod cluster control assembly withdrawal at power
3. Rod cluster control assembly misalignment
4. Loss of external electrical load and/or turbine trip
5. Loss of offsite power to the station auxiliaries (LOOP)
6. Excessive heat removal due to feedwater system malfunctions
7. Excessive load increase incident
8. Accidental depressurization of the RCS.

These analyses will show that a reactor trip setpoint is reached in time to protect the health and safety of the public under those postulated incidents and that the resulting coolant temperatures produce a DNBR well above the limiting value. Thus, there will be no cladding damage and no release of fission products to the RCS under the assumption of these postulated worst case failure modes of the plant control system.

7.7.2.1 Separation of Protection and Control System

Refer to Sections 7.2.2.2 and 7.2.2.3.

7.7.2.2 Response Considerations of Reactivity

Reactor trip shutdown with control rod insertion is completely independent of the control functions since the trip breakers interrupt power to the full length rod drive mechanisms regardless of existing control signals. The design is such that the system can withstand accidental withdrawal of control groups or unplanned dilution of soluble boron without exceeding acceptable fuel design limits. The design meets the requirements of the 1971 General Design Criteria 25.

The control rod drive system is designed to minimize the effects of a single electrical or mechanical failure in the rod control system that could cause the accidental withdrawal of a single rod cluster control assembly from the partially inserted bank at full power operation. The operator could deliberately withdraw a single rod cluster control assembly in the control bank; this feature is necessary in order to retrieve a rod, should one be accidentally dropped. In the extremely unlikely event of simultaneous electrical failures which could result in single rod cluster control assembly withdrawal, rod deviation would be displayed on the plant annunciator, and the rod position displays would indicate the relative positions of the rods in the bank.

Each bank of control and shutdown rods in the system is divided into two groups (group 1 and group 2) of up to 4 or 5 mechanisms each (except for Shutdown Banks C and D which have one group each). The rods comprising a group operate in parallel through multiplexing thyristors. The two groups in a bank move sequentially such that the first group is always within one step of the second group in the bank. The group 1 and group 2 power circuits are installed in different cabinets as shown in Figure 7.7-11, which also shows that one group is always within one step (5/8 inch) of the other group. A definite schedule of actuation or deactuation of the stationary gripper, moveable gripper, and lift coils of a mechanism is required to withdraw the rod cluster control assembly attached to the mechanism. Since the stationary gripper, moveable gripper, and lift coils associated with the rod cluster control assemblies of a rod group are driven in parallel, any single failure which could cause rod withdrawal would affect a minimum of one group of rod cluster control assemblies. Mechanical failures are in the direction of insertion, or immobility.

Figure 7.7-12 is provided for the following discussion associated with design features that minimize the effects of a single electrical failure that could cause the accidental withdrawal of a single rod cluster control assembly from the partially inserted bank at full power operation.

Figure 7.7-12 shows the typical parallel connections on the lift, movable and stationary coils for a group of rods. Since single failures in the stationary or movable circuits result in dropping or preventing rod (or rods) motion, the discussion of single failure will address the lift coil circuits. 1) Due to the method of wiring the pulse transformers which fire the lift coil multiplex thyristors, three of the four thyristors in a rod group could remain turned off when required to fire, if for example the gate signal lead failed open at point X1. Upon "up" demand, one rod in group 1 and 4 rods in group 2 would withdraw. A second failure at point X2 in the group 2 circuit is required to withdraw one rod cluster control assembly; 2) Timing circuit failures will affect the four mechanisms of a group or the eight mechanisms of the bank and will not cause a single rod withdrawal; 3) More than two simultaneous component failures are required (other than the open wire failures) to allow withdrawal of a single rod.

The identified multiple failure involving the least number of components consists of open circuit failure of the proper two out of sixteen wires connected to the gate of the lift coil thyristors. The probability of open wire (or terminal) failure is $0.016 \times 10^{-6}$ per hour by MIL-HDBK-217A. These wire failures would have to be accompanied by failure, or disregard, of the indications mentioned above. The probability of this occurrence is therefore too low to have any significance.

Concerning the human element, to erroneously withdraw a single rod cluster control assembly, the operator would have to improperly set the bank selector switch, the lift coil disconnect switches, and the in-hold-out switch. In addition, the three indications would have to be disregarded or ineffective. Such a series of errors would require a complete lack of understanding and administrative control. A probability number cannot be assigned to a series of errors such as these.

The rod position indication system provides direct visual displays of each control rod assembly position. The plant computer alarms for deviation of rods from their banks. In addition, the RPIS provides a rod insertion limit monitor which provides an alarm to warn the operator of an approach to an abnormal condition due to dilution. The low-low insertion limit alarm alerts the operator to follow immediate boration procedures. The facility reactivity control systems are such that acceptable fuel damage limits will not be exceeded even in the event of a single malfunction of either system.

An important feature of the control rod system is that insertion is provided by gravity fall of the rods.

In all analyses involving reactor trip, the single, highest worth rod cluster control assembly is postulated to remain untripped in its full out position.

One means of detecting a stuck control rod assembly is available from the actual rod position information displayed on the control board. The control board position indicator displays give the plant operator the actual position of each rod in steps. The indications are grouped by banks (e.g., control bank A, control bank B, etc.) to indicate to the operator the deviation of one rod with respect to other rods in a bank. This serves as a means to identify rod deviation.

The plant computer monitors the actual position of all rods. Should a rod be misaligned from the other rods in that bank by a preset limit, the rod deviation alarm is actuated.

Misaligned rod cluster control assemblies are also detected and alarmed in the control room via the flux tilt monitoring system which is independent of the plant computer.

Isolated signals derived from the nuclear instrumentation system are compared with one another to determine if a preset amount of deviation of average power level has occurred.

Should such a deviation occur, the comparator output will operate a bistable unit to actuate a control board annunciator. This alarm will alert the operator to a power imbalance caused by a misaligned rod. By use of rod position indicator displays, the operator can determine the deviating control rod and take corrective action. The design of the plant control systems meets the requirements of the 1971 General Design Criteria 23.

The boron system can compensate for all xenon burnout reactivity transients.

The rod system can compensate for xenon burnout reactivity transients over the allowed range of rod travel. Xenon burnout transients of larger magnitude must be accommodated by boration or by reactor trip (which eliminates the burnout).

The boron system is not used to compensate for the reactivity effects of fuel/water temperature changes accompanying power level changes.

The rod system can compensate for the reactivity effects of fuel/water temperature changes accompanying power changes over the full range from full load to no load at the design maximum load uprate.

The boron system can maintain the reactor in the cold shutdown state irrespective of the disposition of the control rods.

7.7.2.3 Step Load Changes Without Steam Dump

The reactor control system is designed to automatically control the reactor, without a trip, following a ±10% step load change over a 15% to 100% power range. Steam dump is blocked for load decrease less than or equal to 10%.

The plant control system minimizes the reactor coolant average temperature deviation during the transient within a given value and restores average temperature to the programmed setpoint. Excessive pressurizer pressure variations are prevented by using spray and heaters and power relief valves in the pressurizer.

7.7.2.4 Loading and Unloading

Ramp loading and unloading of 5% per minute can be accommodated over the 15 to 100% power range under automatic control without tripping the plant. The function of the control system is to maintain the coolant average temperature as a function of turbine-generator load.

The coolant average temperature increases during loading and causes a continuous insurge to the pressurizer as a result of coolant expansion. The sprays limit the resulting pressure increase. Conversely, as the coolant average temperature is decreasing during unloading, there is a continuous outsurge from the pressurizer resulting from coolant contraction. The pressurizer heaters limit the resulting system pressure decrease. The pressurizer water level is programmed such that the water level is above the setpoint for heater cut out during the loading and unloading transients. The primary concern during loading is to limit the overshoot in nuclear power and to provide sufficient margin in the overtemperature ΔT setpoint.

The automatic load controls are designed to adjust the unit generation to match load requirements within the limits of the unit capability and licensed rating.

7.7.2.5 Load Rejection Furnished By Steam Dump System

When a load rejection occurs, if the difference between the required temperature setpoint of the RCS and the actual average temperature exceeds a predetermined amount, a signal will actuate the steam dump to maintain the RCS temperature within control range until a new equilibrium condition is reached.

The reactor power is reduced at a rate consistent with the capability of the rod control system.

Reduction of the reactor power is automatic if rod control is in AUTO. The steam dump flow reduction is as fast as rod cluster control assemblies are capable of inserting negative reactivity.

The rod control system can then reduce the reactor temperature to a new equilibrium value without causing overtemperature and/or overpressure conditions. The steam dump steam flow capacity is 40% of full load steam flow at full load steam pressure.

The steam dump flow drops proportionally as the control rods act to reduce the average coolant temperature. The artificial load is therefore removed as the coolant average temperature is restored to its programmed equilibrium value.

The dump valves are modulated in accordance with the error signal developed by the difference between the reactor coolant average temperature and reactor coolant reference temperature.

The required number of steam dump valves can be tripped quickly to stroke full open or modulate, depending upon the magnitude of the temperature error signal resulting from loss of load.

7.7.2.6 Turbine-Generator Trip With Reactor Trip

Whenever the turbine-generator trips at an operating power-level above the P-9 interlock setpoint, the reactor also trips. The unit is operated with a programmed coolant average temperature as a function of load, with the full load coolant average temperature significantly greater than the equivalent saturation pressure and temperature of the steam generator safety valve setpoint. The thermal capacity of the RCS is greater than that of the secondary system, and because the full load coolant average temperature is greater than the no load temperature, a heat sink is required to remove heat stored in the reactor coolant. This heat sink is provided by the combination of controlled release of steam to the condenser and by makeup of feedwater to the steam generators.

After a reactor trip, the steam dump controller is automatically placed in the reactor trip steam dump control mode as described in subsection 7.7.1.8.2. This control mode compares the auctioneered reactor coolant average temperature (Tavg) signal to the no-load Tavg setpoint.

This control mode opens selected dump valves based on the magnitude of the error signal in order to rapidly reduce the Tavg temperature and prevent actuation of the steam generator safety valves. As the error signal reduces below predetermined setpoints, the steam dump controller places the dump valves in the modulating mode to gradually establish the Tavg to the no-load Tavg value.

Following the reactor trip, the feedwater flow is cut off when the coolant average temperature decreases below a given temperature or when the steam generator water level reaches a given high level.

Additional feedwater makeup is then controlled manually to restore and maintain steam generator water level while assuring that the reactor coolant temperature is at the desired value. Residual heat removal is maintained by the steam header pressure controller (manually selected) which controls the amount of steam flow to the condensers or by the steam generator PORVs if the condenser is unavailable. This controller operates a portion of the same steam dump valves to the condensers which are used during the initial transient following turbine and reactor trip.

The pressurizer pressure and level decrease during the transient because of coolant contraction. The pressurizer level is programmed such that the water level is above the heater cut-out during the loading and unloading transient. If heaters become uncovered following the trip, the CVCS will provide charging flow to restore water level in the pressurizer. Heaters are used to restore pressurizer pressure to normal.

The steam dump and feedwater control systems are designed to prevent the coolant average temperature from falling below the programmed no load temperature following the trip to ensure adequate shutdown margin.

REFERENCES

1. Blanchard, A. E. and Katz, D. N., "Solid State Rod Control System, Full Length," WCAP-9012-L, March, 1970 (Proprietary) and WCAP-7778, December, 1971 (Non-Proprietary).

2. Lipchak, J. B. and Stokes, R. A., "Nuclear Instrumentation System", WCAP-8255, January, 1974. (Applicable to Power Range NIS Only.)
3. Blanchard, A. E., "Rod Position Monitoring", WCAP-7571, March, 1971.
4. Loving, J. J., "Incore Instrumentation Flux-Mapping System and Thermocouples", WCAP-7607, July, 1971. (Unit 1) Westinghouse Incore Information Surveillance & Engineering (WINCISE) System Technical Manual, Watts Bar Unit 2 NO-WBT-002, Rev. 1. (Unit 2)

5. Shopsky, W. E., "Failure Mode and Effects Analysis (FMEA) of the Solid State Full Length Rod Control System", WCAP-8976, August 1977.
6. Mermigos, J. F., "Median Signal Selector for Foxboro Series Process Instrumentation Application to Deletion of Low Feedwater Flow Reactor Trip," WCAP-12417 October 1989 (Westinghouse Proprietary Class 2); WCAP-12418 October 1989 (Westinghouse Proprietary Class 3). (Unit 1)
7. System Description Document Number N3-1-4002, "Main Steam System."
8. System Description Document Number N3-3A-4002, "Main Feedwater, Feedwater Control, and Injection Water."
9. System Description Document Number N3-68-4001, "Reactor Coolant System."
10. System Description Document Number N3-85-4003, "Control Rod Drive System."
11. System Description Document Number N3-92-4003, "Neutron Monitoring System."
12. System Description Document Number N3-94-4003, "Incore Instrumentation System."
13. Design Criteria Number WB-DC-40-57, "Anticipated Transients without Scram Mitigation System Actuation Circuitry (AMSAC)."
14. Baker, Tony; Cassidy, Beverly; Freeland, Jim; and Fowler, Steve; Rod Control System Evaluation Program, WCAP-13864, Rev. 1-A, November 10, 1994.
15. Nuclear Regulatory Commission Generic Letter 93-04, Rod Control System Failure and Withdrawal of Rod Control Cluster Assemblies, dated June 21, 1993.
16. Westinghouse Electrical Company, Nuclear Safety Advisory Letter No. NSAL-01-001, Rod Withdrawal Speed, dated February 13, 2001.
17. CERPI System Requirement Specification, WAT-D-11014, March 2002. (Unit 1) CERPR System Requirement Specifications WNS-DS-00001-WBT, Rev. 0. August 27, 2008. (Unit 2)

18. BEACON Core Monitoring and Operations Support System, WCAP-12472-P-A, August 1994. (Unit 1) Beard, C. L. and Morita, T. BEACON: Core Monitoring and Operations Support System, WCAP-12472-P-A (Proprietary), August 1994, Addendum 1-A, January 2000, Addendum 2-A, April 2002, Addendum 4-A, September 2012, and WCAP-12473-A (Non-proprietary), August 1994. (Unit 2)
19. BEACON Core Monitoring and Operations Support System, WCAP-12472-P-A, Addendum 1-A, January 2000.
20. BEACON Core Monitoring and Operations Support System, WCAP-12472-P-A, Addendum 4-A, September 2012.


TABLE 7.7-1 PLANT CONTROL SYSTEM INTERLOCKS

| DESIGNATION | DERIVATION | FUNCTION |
|---|---|---|
| C-1 | 1/2 Neutron flux (intermediate range) above setpoint | Blocks automatic and manual control rod withdrawal |
| C-2 | 1/4 Neutron flux (power range) above setpoint | Blocks automatic and manual control rod withdrawal |
| C-3 | 2/4 Overtemperature ΔT above setpoint | Blocks automatic and manual control rod withdrawal. Actuates turbine runback via load reference |
| C-4 | 2/4 Overpower ΔT above setpoint | Blocks automatic and manual control rod withdrawal. Actuates turbine runback via load reference |
| C-5 | 1/1 Turbine impulse chamber pressure below setpoint | Blocks automatic control rod withdrawal. Defeats remote load dispatching |
| C-7 | 1/1 Time derivative (absolute value) of turbine impulse chamber pressure (decrease only) above setpoint | Makes steam dump valves available for operation |
| C-9 | 2/2 condenser pressure below setpoint, and any condenser circulation water pump breaker closed | Makes steam dump valves available for operations. |
| C-11 | 1/1 Control Bank D rod position above setpoint | Blocks automatic rod withdrawal |

[FIGURE 7.7-1: Simplified Block Diagram of Reactor Control System]

[FIGURE 7.7-2: Control Bank Rod Insertion Monitor]
NOTES:
1. DIGITAL CIRCUITRY IS USED FOR THE COMPARATOR NETWORK.
2. COMPARISON IS DONE FOR ALL CONTROL BANKS.

[FIGURE 7.7-3: Rod Deviation Comparator]
NOTES:
1. DIGITAL OR ANALOG SIGNALS MAY BE USED FOR THE COMPARATOR COMPUTER INPUTS.
2. THE COMPARATOR WILL ACTUATE THE DEVIATION ALARM IF: 1) THE DEVIATION BETWEEN THE ACTUAL ROD POSITION AND THE CONTROL BANK DEMAND POSITION EXCEEDS A PRESET VALUE, OR, 2) THE DEVIATION BETWEEN ANY TWO RODS WITHIN A CONTROL BANK EXCEEDS A PRESET VALUE.
3. COMPARISON IS INDIVIDUALLY DONE FOR ALL CONTROL BANKS.

[FIGURE 7.7-4: Block Diagram of Pressurizer Pressure Control System]

[FIGURE 7.7-5: Block Diagram of Pressurizer Level Control System]

[FIGURE 7.7-6: Block Diagram of Steam Generator Water Control System]
NOTE: CONTROL LOGIC PERFORMED BY THE DISTRIBUTED CONTROL SYSTEM (DCS).

[FIGURE 7.7-7: Block Diagram of Main Feedwater Pump Speed Control System]
NOTES: TYPICAL - EACH TURBINE DRIVEN PUMP HAS ITS OWN PROP CONTROLLER. CONTROL LOGIC PERFORMED BY THE DISTRIBUTED CONTROL SYSTEM (DCS).

[FIGURE 7.7-8: Block Diagram Steam Dump Control System]

[FIGURE 7.7-9: Basic Flux Mapping System (Unit 1); Incore Instrument System (Unit 2)]

[FIGURE 7.7-10: Typical Location of Control Board Systems]

RECOMMENDED LOCATION OF CONTROL BOARD SYSTEMS

| Unit 1 Panel No. | Unit 2 Panel No. | System |
|---|---|---|
| 1-M-1 | 2-M-1 | GENERATOR & AUXILIARY POWER |
| 1-M-2 | 2-M-2 | TURBINE CONTROL |
| 1-M-3 | 2-M-3 | FEEDWATER, STEAM & CONDENSATE |
| 1-M-4 | 2-M-4 | REACTOR CONTROL |
| 1-M-5 | 2-M-5 | REACTOR COOLANT SYSTEM & AUXILIARY STEAM |
| 1-M-6 | 2-M-6 | ENGINEERED SAFEGUARDS SYSTEMS & AUXILIARY SYSTEMS |

NOTES:
1. SYSTEMS ARE RELATED TO EACH OTHER TO OPTIMIZE OVERALL PLANT OPERATION WITH SECTION C ACTING AS MAIN FOCAL POINT.
2. THIS DRAWING CAN BE USED WITH THE STANDARD INTERCONNECTION WIRING DIAGRAMS TO FACILITATE CABLE TRAY LAYOUT.

[FIGURE 7.7-11: Simplified Block Diagram Rod Control System]
NOTE: ONLY POWER CABINETS 1BD AND 2BD SHOWN. FOR MORE COMPLETE DIAGRAM INCLUDING POWER CABINETS 1AC, 2AC, AND SCD, SEE REF 1 IN SECTION 7.7.3.
TIMING LABELS: t = 834 MS @ 72 S/M; t = 7500 MS @ 8 S/M; TIME FOR ONE STEP = 780 MS.

[FIGURE 7.7-12: Control Bank D Partial Simplified Schematic Diagram Power Cabinets 1BD & 2BD]

APPENDIX 7A INSTRUMENTATION IDENTIFICATIONS AND SYMBOLS

A standard set of instrumentation symbols and identifications is provided in this appendix to aid in the interpretation of the control and logic diagrams in figures reproduced from TVA drawings in this UFSAR. A figure made from a TVA drawing can be identified by the words "TVA DWG" followed by a series of numbers in the title block of the figure.

The identification and symbols include the following designations:

1. Instrument identification letters.
2. Process system numbers.
3. Flow and control diagram symbols.
4. Basic instrumentation and radiation symbols.
5. Basic digital logic symbols.

7A.1 IDENTIFICATION SYSTEM

Each instrument is identified by a series of letters and numbers to designate the function, the process system, and the control loop.

7A.1.1 FUNCTIONAL IDENTIFICATION

The functional identification of an instrument consists of letters from Figure 7A-1 and generally includes one uppercase first letter covering the measured or initiating variable, and one or more uppercase succeeding letters covering the function of the individual instruments. The exceptions to this rule are as follows:

1. The use of chemical symbols (e.g. pH, Cu, Na) as a first letter entity to better identify some of the measured variables.
2. The use of An and Px in the succeeding letters to identify analyzer and power supply, respectively.

7A.1.1.1 Principal Function

The functional identification of an instrument is made according to the principal function and not according to the construction. Thus, a differential pressure transmitter used for flow measurement is identified as an FT, not a PdT. A pressure indicator and a pressure switch connected to the output of a pneumatic level transmitter are identified as LI and LS, respectively.

(Note: An instrument identified may also have secondary purposes, e.g., a signal originating from a pressure transmitter that is proportional to pressure may also be used as an inferred measurement of temperature.)

7A.1.1.2 Measured Variable

In an instrument loop the first letter of the functional identification indicates the measured (initiating) variable, not the inferred variable or the manipulated variable. Thus a control valve varying flow according to the dictates of a level controller is an LCV, not an FCV. Also, if two or more measured variable signals are combined to control a particular variable, the instrument processing the combined signals is identified in accordance with the controlled variable (e.g., cascade control).

7A.1.1.3 Readout or Passive Functions

The one or more succeeding letters of the functional identification designate one or more readout or passive functions, or output functions, or both. The readout or passive functional letters, such as R for recording and I for indicating, follow the first letter in sequence. The output functional letters, such as C for control and S for switch, follow these in sequence except that output letter C (control) shall precede output letter V (valve) and O (operator), e.g., HCV, a hand-actuated control valve. However, if there are no readout or passive functional letters, then the output functional letters follow the first letter in sequence.

7A.1.1.4 Modifying Letters

Modifying letters may modify either a first letter or the succeeding letters, as applicable. However, modifying letters, if used, are interposed so that they are placed immediately following the letter they modify, except that S for solenoid precedes output letter V (valve), e.g., FSV designates a solenoid-actuated flow valve.

7A.1.1.5 Tagging Symbols

An instrument tagging designation on a control diagram may be drawn with as many circular tagging symbols as there are measured variables or outputs. Thus, a recorder charting temperature and flow may be identified by two tangent circles where possible, one inscribed TR-3-31 and the other FR-3-31. The instrument then would be designated T/FR-3-31.

7A.1.1.6 Special Identifying Letters

The measured variable letter X (special) has been included in Figure 7A-1 to cover unlisted variables that are used to a limited extent. It may also be used for an instrument function. Therefore, the letter may have any number of meanings as a first letter and any number of meanings as a succeeding letter.

Any first letter, if used in combination with the modifying letter, e.g., d (differential), represents, as shown on Figure 7A-1 for pressure differential, a new and separate measured variable, and the combination shall be treated as a first-letter entity. Thus, instruments PdI and PI measure two different variables, namely, differential pressure and pressure.

7A.1.1.7 Pilot Lights

A pilot light that serves only as position indication, power available, or alarm is not always identified. A pilot light that is part of an instrument loop, if numbered, is identified by a first letter Z or X (zone, position, or special) followed by a succeeding letter I or A (I - indicating; A - alarm).

7A.1.2 SYSTEM IDENTIFICATION

The system identification of an instrument uses a number assigned to the process system of which the instrument is a part. Each process system, e.g. feedwater, extraction steam, reactor coolant system, has been assigned a system identification number.

7A.1.2.1 Identification Numbers

The system identification numbers are listed in Figure 7A-2. The system identification number follows the "succeeding letters" or the functional identification letters and is separated from them by a hyphen.

7A.1.2.2 Instruments Common to Multiple Process Systems

If an instrument is common to two or more process systems, it is assigned to the one for which it is performing its principal function.

7A.1.3 LOOP IDENTIFICATION

The control loop identification of an instrument generally uses a number assigned to the control loop of which the instrument is a part. There may be one or many instrument control loops in a process system. However, each control loop has a unique number.

7A.1.3.1 Instruments Common to Multiple Control Loops

If an instrument is common to two or more control loops, it is assigned to the loop for which it is performing its principal function.

7A.1.3.2 Multiple Instruments with a Common Function

If a given loop has more than one instrument with the same functional identification, a suffix letter or number is appended to the loop number, e.g., FCV-3-10A, FCV-3-10B.
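The tag format defined in 7A.1 (functional letters, system number, loop number, optional suffix) can be parsed and checked mechanically, for example when normalizing instrument tags in an equipment inventory or alarm log. The parser below is an added example, not part of the UFSAR or of any TVA tooling. It assumes only the letter meanings named in the text above and a subset of the Figure 7A-2 system codes, treats a trailing letter as the suffix, and uses constructed sample tags apart from FCV-3-10A and T/FR-3-31.

```python
import re
from dataclasses import dataclass

# Letter meanings are only those named in the text of Appendix 7A; the full
# table is Figure 7A-1, so any other letter is reported as unlisted.
MEASURED = {"F": "flow", "P": "pressure", "T": "temperature", "L": "level",
            "H": "hand", "Z": "zone/position", "X": "special",
            "pH": "pH", "Cu": "Cu", "Na": "Na"}  # chemical symbols (7A.1.1)
READOUT = {"R": "recording", "I": "indicating"}          # 7A.1.1.3
OUTPUT = {"C": "control", "S": "switch", "V": "valve", "O": "operator"}
OTHER = {"T": "transmitter", "A": "alarm", "An": "analyzer", "Px": "power supply"}
# Subset of the system identification numbers listed in Figure 7A-2.
SYSTEMS = {1: "MAIN STEAM SYSTEM", 3: "MAIN AND AUXILIARY FEEDWATER SYSTEM",
           68: "REACTOR COOLANT SYSTEM", 85: "CONTROL ROD DRIVE SYSTEM",
           92: "NEUTRON MONITORING SYSTEM"}

# Assumption: a trailing letter is the 7A.1.3.2 suffix. A numeric suffix cannot
# be told apart from the loop digits in this form and stays in `loop`.
TAG_RE = re.compile(r"^([A-Za-z/]+)-(\d+)-(\d+)([A-Z]?)$")
FIRST_RE = re.compile(r"(pH|Cu|Na|[A-Z])(d?)")   # first-letter entity + modifier d
SUCC_RE = re.compile(r"An|Px|[A-Z]")             # succeeding-letter tokens


@dataclass
class Instrument:
    tag: str          # single-variable tag, e.g. "TR-3-31"
    measured: str
    functions: list
    system: int
    system_name: str
    loop: int
    suffix: str
    problems: list    # violations of the letter-order rules in 7A.1.1.3


def order_problems(succ):
    """Check the two ordering rules stated in 7A.1.1.3."""
    problems = []
    readout = [i for i, t in enumerate(succ) if t in READOUT]
    output = [i for i, t in enumerate(succ) if t in OUTPUT]
    if readout and output and max(readout) > min(output):
        problems.append("readout/passive letter follows an output letter (7A.1.1.3)")
    for later in ("V", "O"):
        if "C" in succ and later in succ and succ.index(later) < succ.index("C"):
            problems.append(f"C must precede {later} (7A.1.1.3)")
    return problems


def parse_tag(tag):
    """Split FUNCTION-SYSTEM-LOOP[suffix]; T/FR-3-31 yields TR-3-31 and FR-3-31."""
    m = TAG_RE.match(tag.strip())
    if not m:
        raise ValueError(f"not a FUNCTION-SYSTEM-LOOP tag: {tag!r}")
    func, system, loop, suffix = m.groups()
    *shared, last = func.split("/")       # extra measured variables share the rest
    fm = FIRST_RE.match(last)
    rest = last[fm.end():] if fm else ""
    succ = SUCC_RE.findall(rest)
    if (not fm or "".join(succ) != rest
            or not all(FIRST_RE.fullmatch(s) for s in shared)):
        raise ValueError(f"unrecognized functional identification: {func!r}")
    functions = []
    for i, tok in enumerate(succ):
        if tok == "S" and succ[i + 1:i + 2] == ["V"]:
            functions.append("solenoid")  # S before V is the solenoid modifier (7A.1.1.4)
        else:
            functions.append(READOUT.get(tok) or OUTPUT.get(tok) or OTHER.get(tok)
                             or f"{tok} (unlisted here; see Figure 7A-1)")
    firsts = [FIRST_RE.fullmatch(s).groups() for s in shared] + [fm.groups()]
    result = []
    for letter, mod in firsts:
        name = MEASURED.get(letter, f"{letter} (unlisted here; see Figure 7A-1)")
        if mod:                           # Pd is a separate variable from P (7A.1.1.6)
            name = "differential " + name
        result.append(Instrument(
            tag=f"{letter}{mod}{rest}-{system}-{loop}{suffix}", measured=name,
            functions=list(functions), system=int(system),
            system_name=SYSTEMS.get(int(system), "not in this example's subset"),
            loop=int(loop), suffix=suffix, problems=order_problems(succ)))
    return result


# FCV-3-10A and T/FR-3-31 appear in the text; the other tags are constructed.
SAMPLE_TAGS = ["FCV-3-10A", "T/FR-3-31", "PdI-68-5", "FSV-3-2", "FVC-3-10"]

if __name__ == "__main__":
    for sample in SAMPLE_TAGS:
        for inst in parse_tag(sample):
            print(inst.tag, inst.measured, inst.functions, inst.system_name,
                  inst.problems or "ok")
```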

7A.2 SYMBOLS

The symbols used to depict the instrumentation on flow, control, and logic diagrams and other drawings are illustrated in the following figures:

Figure 7A-3 Flow and Control Diagram Symbols
Figure 7A-4 Basic Instrumentation and Radiation Symbols
Figure 7A-5 Application of Basic Instrumentation Symbols
Figure 7A-6 Digital Logic Symbols

The flow diagram symbols for valves, valve operators, and miscellaneous devices most frequently used by TVA are shown in Figure 7A-3.

7A.2.1 INSTRUMENT SYMBOLS

The circular symbol shown in Figure 7A-4 is the basic instrumentation symbol. It is used to depict the instrument proper and most other instrumentation items. Also, it is used as a "flag" to enclose identifications and point out items such as valves, which have their own pictorial symbols. Typical applications of the instrumentation symbols are shown in Figure 7A-5.

REFERENCES

None.

[FIGURE 7A-1: Instrumentation Symbols and Tabulation From TVA DS E18.3.3]
Column labels: INDICATING, NONINDICATING, CONTROL VALVE, SOLENOID VALVE, CONTROL, OPERATOR, VALVE, RECORDING, SIGHT GLASS, PRIMARY ELEMENT, TRANSMITTER, TOTALIZER, MODIFIER, WELL, ALARM, DATALOGGER, POWER SUPPLY, INDICATING LIGHT.

[FIGURE 7A-2: Instrumentation Symbols, Mechanical System Identification Numbers (TVA DWG NO. 30B617-20, R8)]

| CODE | SYSTEM | CODE | SYSTEM | CODE | SYSTEM |
|---|---|---|---|---|---|
| 0 | INDEX, NP STYLES, MIMICS, MISC EQUIPMENT & LOCAL PANELS | 34 | | 67 | ESSENTIAL RAW COOLING WATER SYSTEM |
| 1 | MAIN STEAM SYSTEM | 35 | GENERATOR COOLING SYSTEMS | 68 | REACTOR COOLANT SYSTEM |
| 2 | CONDENSATE SYSTEM | 36 | FW SECONDARY TREATMENT SYSTEM | 69 | |
| 3 | MAIN AND AUXILIARY FEEDWATER SYSTEM | 37 | GLAND SEAL WATER SYSTEM | 70 | COMPONENT COOLING SYSTEM |
| 4 | | 38 | INSULATION OIL SYSTEM | 71 | |
| 5 | EXTRACTION STEAM SYSTEMS | 39 | CO2 STORAGE, FIRE PROTECTION & PURGING SYSTEM | 72 | CONTAINMENT SPRAY SYSTEM |
| 6 | HEATER, DRAINS, & VENTS SYSTEM | 40 | STATION DRAINAGE SYSTEM | 73 | |
| 7 | TURBINE EXTRACTION TRAPS & DRAINS SYSTEM | 41 | LAYUP WATER TREATMENT SYSTEM | 74 | RESIDUAL HEAT REMOVAL SYSTEM |
| 8 | MISCELLANEOUS TURBINE CONNECTIONS | 42 | CHEMICAL CLEANING SYSTEM | 75 | |
| 9 | MISCELLANEOUS TURBINE VENTS SYSTEM | 43 | SAMPLING & WATER QUALITY SYSTEM | 76 | VOLUME REDUCTION AND SOLIDIFICATION SYSTEM |
| 10 | | 44 | BUILDING HEATING SYSTEM | 77 | WASTE DISPOSAL SYSTEM |
| 11 | | 45 | | 78 | SPENT FUEL PIT COOLING SYSTEM |
| 12 | AUXILIARY BOILER SYSTEM | 46 | FEEDWATER CONTROL SYSTEM | 79 | FUEL HANDLING AND STORAGE SYSTEM |
| 13 | FIRE DETECTION SYSTEM | 47 | TURBOGENERATOR CONTROL SYSTEM | 80 | PRIMARY CONTAINMENT COOLING SYSTEM |
| 14 | CONDENSATE DEMINERALIZER SYSTEM | 48 | | 81 | PRIMARY MAKEUP WATER SYSTEM |
| 15 | STEAM GENERATOR BLOWDOWN SYSTEM | 49 | BREATHING AIR SYSTEM | 82 | STANDBY DIESEL GENERATOR SYSTEM |
| 16 | | 50 | HYPERCHLORITE SYSTEM | 83 | HYDROGEN RECOMBINATION SYSTEMS |
| 17 | | 51 | | 84 | FLOOD MODE BORATION MAKEUP SYSTEM |
| 18 | FUEL OIL SYSTEM | 52 | SYSTEM TEST FACILITY INSTRUMENTATION | 85 | CONTROL ROD DRIVE SYSTEM |
| 19 | | 53 | | 86 | |
| 20 | CENTRAL LUBRICATING OIL SYSTEM | 54 | INJECTION WATER SYSTEM | 87 | UPPER HEAD INJECTION SYSTEM |
| 21 | | 55 | ANNUNCIATOR & SEQUENTIAL EVENTS RECORDING SYSTEM | 88 | CONTAINMENT ISOLATION SYSTEM |
| 22 | | 56 | TEMPERATURE MONITORING SYSTEM | 89 | |
| 23 | | 57 | ASSOCIATED ELECTRICAL SYSTEMS | 90 | RADIATION MONITORING SYSTEM |
| 24 | RAW COOLING WATER SYSTEM | 58 | GENERATOR BUS COOLING SYSTEM | 91 | |
| 25 | RAW SERVICE WATER SYSTEM | 59 | DEMIN WATER & CASK DECON SYSTEM | 92 | NEUTRON MONITORING SYSTEM |
| 26 | HIGH PRESSURE FIRE PROTECTION SYSTEM | 60 | | 93 | |
| 27 | CONDENSER CIRCULATING WATER SYSTEM | 61 | ICE CONDENSER SYSTEM | 94 | IN-CORE FLUX DETECTORS |
| 28 | WATER TREATMENT SYSTEM | 62 | CHEMICAL & VOLUME CONTROL SYSTEM | 95 | |
| 29 | POTABLE TREATED WATER DISTRIBUTION SYSTEM | 63 | SAFETY INJECTION SYSTEM | 96 | |
| 30 | VENTILATING SYSTEM | 64 | | 97 | |
| 31 | AIR CONDITIONING COOLING-HEATING SYSTEM | 65 | EMERGENCY GAS TREATMENT SYSTEM | 98 | |
| 32 | CONTROL AIR SYSTEM | 66 | | 99 | REACTOR PROTECTION SYSTEM |
| 33 | SERVICE AIR SYSTEM | | | | |

[FIGURE 7A-3: Mechanical Flow & Control Diagram Symbols. Best available historical image.]

[FIGURE 7A-4: Mechanical Basic Instrumentation and Radiation Symbols. Best available historical image.]

[FIGURE 7A-5: Mechanical Application of Basic Instrumentation Symbols. Best available historical image.]

[FIGURE 7A-6: Mechanical Digital Logic Symbols (AND/OR), For Sequoyah and Watts Bar Nuclear Plants. This drawing is typical. Refer to General Drawing GM4 30B617-7, latest revision. Best available historical image.]