ML21294A209

From kanterella
Jump to navigation Jump to search
0 to Updated Final Safety Analysis Report, Section 7.4, Systems Required for Safe Shutdown
ML21294A209
Person / Time
Site: Susquehanna  Talen Energy icon.png
Issue date: 10/12/2021
From:
Talen Energy, Susquehanna
To:
Office of Nuclear Reactor Regulation
Shared Package
ML21294A245 List: ... further results
References
PLA-7935
Download: ML21294A209 (53)


Text

SSES-FSAR Text Rev. 61 7.4 SYSTEMS REQUIRED FOR SAFE SHUTDOWN This section describes instrumentation and control systems that are required to establish and maintain safe reactor shutdown conditions. Two shutdown conditions are addressed: hot shutdown and cold shutdown. In hot shutdown the reactor is in the shutdown mode and the reactor coolant temperature is greater than 212°F. In cold shutdown the reactor is also in the shutdown mode but the coolant temperature is less than 212°F and the reactor is vented.

7.4.1 Description The following systems are provided for safe shutdown of the reactor. Responsibility is noted.

x Reactor Core Isolation Cooling (RCIC) System, NSSS x Standby Liquid Control System (SLCS), NSSS x Residual Heat Removal System (RHRS) Reactor Shutdown Cooling System Mode, NSSS x Reactor Shutdown from Outside the Control Room (Remote Shutdown Panels) Non-NSSS 7.4.1.1 Reactor Core Isolation Cooling (RCIC) System - Instrumentation and Controls 7.4.1.1.1 System Identification 7.4.1.1.1.1 Function The Reactor Core Isolation Cooling System consists of a turbine, pump, piping, valves, accessories, and instrumentation designed to assure that sufficient reactor water inventory is maintained in the reactor vessel thus assuring continuity of core cooling. Reactor vessel water is maintained or supplemented by the RCIC system during the following conditions:

(1) When the reactor vessel is isolated and yet maintained in the hot standby condition; (2) When the reactor vessel is isolated and accompanied by a loss of normal coolant flow from the reactor feedwater system; (3) When a complete plant shutdown under conditions of loss of normal feedwater system is started before the reactor is depressurized to a level where the reactor shutdown cooling mode of the RHR system can be placed into operation.

7.4.1.1.1.2 Classification Electrical components for the RCIC system are classified as Safety Class 2 and Seismic Category I.

7.4.1.1.2 Power Sources FSAR Rev. 65 7.4-1

SSES-FSAR Text Rev. 61 RCIC logic and outboard RCIC isolation valve logic are powered from 125 VDC Bus A. Inboard RCIC isolation valve logic is powered from 125 VDC Bus B.

7.4.1.1.3 Equipment Design 7.4.1.1.3.1 General When actuated, the RCIC system pumps water from either the condensate storage tank or the suppression pool to the reactor vessel. The RCIC system includes one turbine-driven pump, one barometric condenser, one DC vacuum pump, one DC condensate pump, automatic valves, control devices for this equipment, sensors, and logic circuitry. The arrangement of equipment and control devices is shown in Dwgs. M-149, Sh. 1 and M-150, Sh. 1.

Pressure and level switches used in the RCIC system are located on instrument panels outside the drywell and locally at the CST. The only operating components of the RCIC system that are located inside the drywell are the inboard steamline isolation valve, the steamline warm-up line isolation valve, and one of the two check valves on the feedwater line into which the turbine driven RCIC pump discharges.

The rest of the RCIC system control and instrumentation components are located in the reactor building. Cables connect the sensors to control circuitry in the control structure.

A design flow functional test of the RCIC system may be performed during normal plant operation by drawing suction from the condensate storage tank and discharging through a full flow test return line to the condensate storage tank. All components of the RCIC system are capable of individual functional testing during normal plant operation. The control system provides automatic return from test to operating mode if system initiation is required. There are three exceptions:

(1) The flow controller in manual mode. This feature is required for operation flexibility during system operation.

(2) Steam inboard/outboard isolation valves closed. Closure of either or both of these valves requires operator action to properly sequence their opening. An alarm sounds when either of these valves leaves the fully open position.

(3) Breakers have been manually racked out-of-service.

7.4.1.1.3.2 Initiating Circuits Reactor vessel low water level is monitored by four indicating type level switches that sense the difference between the pressure to a constant reference leg of water and the pressure due to the actual height of water in the vessel. The two pairs of sensing lines for the switches are physically separated from each other and tap off the reactor water vessel at widely separated points.

The RCIC system is automatically initiated only by low water level utilizing a one-out-of-two twice logic.

The RCIC system is initiated automatically after the receipt of a reactor vessel low water level signal and produces the design flow rate within 30 seconds. The system then functions to provide FSAR Rev. 65 7.4-2

SSES-FSAR Text Rev. 61 design makeup water flow to the reactor vessel until the amount of water delivered to the reactor vessel is adequate to restore vessel level, at which time the RCIC system automatically shuts down. The controls are arranged to allow remote-manual startup, operation, and shutdown.

The RCIC turbine is functionally controlled as shown in Dwgs. M1-E51-80, Sh. 1, M1-E51-80, Sh. 2, M1-E51-80, Sh. 3, and M1-E51-80, Sh. 4. The turbine governor limits the turbine speed and adjusts the turbine steam control valve so that design pump discharge flow rate is obtained. The flow signal used for automatic control of the turbine is derived from a differential pressure measurement across a flow element in the RCIC system pump discharge line.

The turbine is automatically shut down by tripping the turbine trip and throttle valve closed if any of the following conditions are detected:

(1) Turbine overspeed (2) High turbine exhaust pressure (3) RCIC isolation signal from logic "A" or "B" (4) Low pump suction pressure (5) Manual trip actuated by the operator.

Turbine overspeed indicates a malfunction of the turbine control mechanism. High turbine exhaust pressure indicates a condition that threatens the physical integrity of the exhaust line. Low pump suction pressure warns that cavitation and lack of cooling can cause damage to the pump which could place it out of service. A turbine trip is initiated for these conditions so that if the causes of the abnormal conditions can be found and corrected, the system can be quickly restored to service.

The trip settings are selected far enough from normal values so that a spurious turbine trip is unlikely, but not so far that damage occurs before the turbine is shut down. Turbine overspeed is detected by a standard turbine overspeed mechanical device. Two pressure switches are used to detect high turbine exhaust pressure; either switch can initiate turbine shutdown. One pressure switch is used to detect low RCIC system pump suction pressure.

The turbine is automatically shut down by closing the steam supply valve if reactor vessel high water level is detected. High water level in the reactor vessel indicates that the RCIC system has performed satisfactorily in providing makeup water to the reactor vessel. Further increase in level could result in RCIC system turbine damage caused by gross carry-over of moisture. To prevent this, a high water level trip is used to initiate closure of steam supply valve to shut off the steam to the turbine and halt RCIC operation. The system will automatically re-initiate if the water level decreases to the reactor water level trip point. Two level switches that sense differential pressure are arranged to require that both switches trip to initiate a turbine shutdown.

7.4.1.1.3.3 Logic and Sequencing The scheme used for initiating the RCIC system is shown in Dwgs. M1-E51-80, Sh. 1, M1-E51-80, Sh. 2, M1-E51-80, Sh. 3, and M1-E51-80, Sh. 4.

FSAR Rev. 65 7.4-3

SSES-FSAR Text Rev. 61 7.4.1.1.3.4 Bypasses and Interlocks To prevent the pump overheating at reduced flow, a pump discharge bypass is provided to route the water from the pump back to the suppression pool.

The bypass is controlled by an automatic, DC motor-operated valve whose control scheme is shown in Dwgs. M1-E51-80, Sh. 1, M1-E51-80, Sh. 2, M1-E51-80, Sh. 3, and M1-E51-80, Sh. 4.

At RCIC high flow, the valve is closed; conversely, at low flow, the valve is opened. A switch actuated by the pressure difference across a flow element in the RCIC pump discharge pipeline provides the signals.

To prevent the RCIC steam supply pipeline from filling up with water and cooling excessively, a drain pot, steamline drain, and appropriate valves are provided in a drain pipeline arrangement just upstream of the turbine supply valve. The control scheme is shown in Dwgs. M1-E51-80, Sh. 1, M1-E51-80, Sh. 2, M1-E51-80, Sh. 3, and M1-E51-80, Sh. 4. The controls position valves so that during normal operation steamline drainage is routed to the main condenser. Upon receipt of an RCIC initiation signal, the drainage path is isolated. The water level in the steamline drain pot is controlled by a level switch and a direct acting solenoid valve which energizes to allow condensate to flow out of the drain pot.

During test operation, the RCIC pump discharge is routed to the condensate storage tank. Two DC motor-operated valves are installed in the pump discharge to condensate storage tank pipeline.

The piping arrangement is shown in Dwg. M-149, Sh. 1 and Dwg. M-150, Sh. 1. The control scheme for the valves is shown in Dwgs. M1-E51-80, Sh. 1, M1-E51-80, Sh. 2, M1-E51-80, Sh. 3, and M1-E51-80, Sh. 4. Upon receipt of an RCIC initiation signal, the valves close and remain closed. The pump suction and discharge to condensate storage tank valves are interlocked closed if the suppression pool suction valve is fully open. Numerous indications pertinent to the operation and condition of the RCIC are available to the main control room operator. Dwgs. M1-E51-80, Sh. 1, M1-E51-80, Sh. 2, M1-E51-80, Sh. 3, and M1-E51-80, Sh. 4 show the various indications provided.

7.4.1.1.3.5 Redundancy & Diversity On a network basis, the RCIC is redundant to HPCI for the safe shutdown function. Therefore, RCIC as a system by itself is not required to be redundant, although the instrument channels are redundant for operational availability purposes.

Diversity of initiating signals for RCIC is not required for the RCIC system.

The RCIC is actuated by reactor low water level. Four level sensors in a one-out-of-two twice circuit supply this signal.

7.4.1.1.3.6 Actuated Devices All automatic valves in the RCIC are equipped with remote-manual test capability, so that the entire system can be operated from the control room. For control room operation, all required components of the RCIC controls operate independently of ac power.

FSAR Rev. 65 7.4-4

SSES-FSAR Text Rev. 61 To assure that the RCIC can be brought to design flow rate within 30 seconds from the receipt of the initiation signal, the following maximum operating times for essential RCIC valves are provided by the valve operation mechanisms:

RCIC turbine steam supply valve 20 seconds (opening)

RCIC pump discharge valves 15 seconds RCIC pump minimum flow bypass valve 5 seconds The operating time is the time required for the valve to travel from the fully closed to the fully open position, or vice versa. The two RCIC steam supply line isolation valves are normally open and they are intended to isolate the RCIC steam line in the event of a break in that line. A normally closed dc motor-operated valve is located in the turbine steam supply pipeline just upstream of the turbine stop valve. The control scheme for this valve is shown in Dwgs. M1-E51-80, Sh. 1, M1-E51-80, Sh. 2, M1-E51-80, Sh. 3, and M1-E51-80, Sh. 4. Upon receipt of a RCIC initiation signal this valve opens approximately 40%, then after a seven (7) second time delay, opens fully and remains open until closed by operator action from the main control room, or by reactor vessel high water level.

Two isolation valves are provided in the steam supply line to the turbine. The valve inside the primary containment is normally open and is controlled by an ac motor. The valve outside the primary containment is normally open and is controlled by a dc motor. The bypass line is used to equalize and preheat the steamline, and is normally closed in standby. The three (3) valves automatically close upon receipt of an RCIC isolation signal. An isolation signal results from RCIC steam line high differential pressure (flow), RCIC turbine exhaust diaphragm high pressure, low reactor pressure (steam supply), or high temperature around the steam line. The isolation signal resulting from steamline high differential pressure incorporates a time delay to prevent inadvertent isolation due to transient events. Since the RCIC isolation signal is provided from a logic "A" or a logic "B", the Leak Detection System isolation function meets the intent of IEEE-279-1971, "Protection System Criteria."

The instrumentation for isolation consists of the following:

Outboard RCIC Turbine Isolation Valve (1) Ambient temperature switches-RCIC equipment area high temperature.

(2) Ambient temperature switch-RCIC pipe routing area high temperature.

(3) Differential pressure switches-RCIC steam line high flow or instrument line break.

(4) Two pressure switches-RCIC turbine exhaust diaphragm high pressure. Both switches must activate to isolate.

(5) Pressure switch-RCIC steam supply pressure low.

(6) Manual isolation if the system has been initiated.

FSAR Rev. 65 7.4-5

SSES-FSAR Text Rev. 61 Inboard RCIC Turbine Isolation Valve (1) A similar set of instrumentation causes the inboard valve to isolate except for the manual isolation feature.

Two pump suction valves are provided in the RCIC system. One valve lines up pump suction from the condensate storage tank; the other from the suppression pool. The RCIC is normally aligned to the CST, therefore upon receipt of a RCIC initiation signal, the CST suction valve is found to be open. If the water level in the CST falls below a predetermined level, the suppression pool suction valve automatically opens. The CST and suppression pool suction valves are interlocked in such a manner that when the suppression pool suction valve automatically opens, the CST suction valve automatically closes. Both valves are operated by dc motors. The control arrangement is shown in Dwgs. M1-E51-80, Sh. 1, M1-E51-80, Sh. 2, M1-E51-80, Sh. 3, and M1-E51-80, Sh. 4.

One dc motor-operated RCIC pump discharge valve and one dc motor operated injection shutoff valve in the pump discharge pipeline are provided. The control scheme for these valves is shown in Dwgs. M1-E51-80, Sh. 1, M1-E51-80, Sh. 2, M1-E51-80, Sh. 3, and M1-E51-80, Sh. 4. These valves are arranged to open upon receipt of the RCIC initiation signal. The injection shutoff valve closes automatically upon receipt of a turbine trip signal.

7.4.1.1.3.7 Separation As in the ECCS, the RCIC system is separated into Divisions 1 and 2. The RCIC system is a Division 1 system, but the inboard steamline valve is in Division 2. The inboard valve is an ac powered valve. The rest of the valves are dc powered valves. Division 1 logic is powered by the 125 VDC Division 1 bus A, and the Division 2 logic is powered by the 125 VDC Division 2 bus B.

In order to maintain the required separation, RCIC logic relays, cabling, instruments and manual controls are mounted so that physical separation of Division 1 and Division 2 is maintained.

The auxiliary systems which support the RCIC system are: the barometric condenser system which prevents turbine leakage, and the lube oil cooling water system. An initiation signal starts the condenser vacuum pump and opens the cooling water valve which initiates the barometric condenser and oil cooling action. The condenser vacuum pump remain on until manually turned off.

The method used for identifying power and signal cables and raceways as safety-related equipment, and the scheme used to distinguish between redundant cables and raceways are discussed in Section 3.12. Instrument panels are identified in accordance with the requirements of IEEE 279-1971.

FSAR Rev. 65 7.4-6

SSES-FSAR Text Rev. 61 7.4.1.1.3.8 Testability The RCIC system may be tested to design flow during normal plant operation as discussed in Subsection 7.4.1.1.3.1. Water is drawn from the condensate storage tank and discharged through a full flow test return line to the condensate storage tank. The discharge valve from the pump to the feedwater line remains closed during the test and reactor operation remains undisturbed.

Design of the control system is such that the RCIC system returns to the operating mode from test if systems initiation is required with the exceptions discussed in Subsection 7.4.1.1.3.1.

Testing of the initiation transducers which are located outside the drywell is accomplished by valving out each transducer and applying a test pressure source. This verifies the operability of the sensor as well as the calibration range. Observation of relay contact closure of the relays directly coupled to the initiation transducers verifies the operability of the instrument channel.

7.4.1.1.4 Environmental Considerations The only RCIC control components located inside the drywell that must remain functional in the environment resulting from a LOCA are the control mechanisms for the inside isolation valve and the steamline warm-up line isolation valve. The environmental capabilities of these valves are discussed in Subsection 7.3.1.1a.2. The RCIC control and instrumentation equipment located outside the drywell is selected in consideration of the environments in which it must operate. The safety-related RCIC instrumentation is seismically qualified to remain functional following a Safe Shutdown Earthquake (SSE).

7.4.1.1.5 Operational Considerations 7.4.1.1.5.1 General Information Normal core cooling is required in the event the reactor becomes isolated during normal operation from the main condenser by a closure of the MSIV. Cooling is necessary due to the core fission product decay heat. Steam is vented through the pressure relief/safety valves to the suppression pool. The RCIC system maintains reactor water level by providing the makeup water. Initiation and control are automatic.

7.4.1.1.5.2 Reactor Operator Information The following items are located in the main control room for operator information:

Analog Indication (1) RCIC Turbine Inlet Pressure (2) RCIC Pump Suction Pressure (3) RCIC Pump Discharge Pressure (4) RCIC Pump Discharge Flow FSAR Rev. 65 7.4-7

SSES-FSAR Text Rev. 61 (5) RCIC Turbine Speed (6) RCIC Turbine Exhaust Line Pressure Indicating Lamps (1) Position of all motor-operated valves.

(2) Position of all solenoid-operated valves.

(3) Turbine trip.

(4) All sealed-in circuits.

(5) Pump status.

(6) Division in Test.

Annunciators Annunciators are provided as shown in Figure 7.4-1 and Dwgs. M1-E51-80, Sh. 1, M1-E51-80, Sh.

2, M1-E51-80, Sh. 3, and M1-E51-80, Sh. 4.

7.4.1.1.5.3 Setpoints Instrument settings for the RCIC system controls and instrumentation are listed in technical specifications.

The reactor vessel low water level setting for RCIC system initiation is selected high enough above the active fuel to start the RCIC system in time to prevent the need for the use of the low pressure engineering safeguards. The water level setting is far enough below normal levels that spurious RCIC system startups are avoided.

7.4.1.2 Standby Liquid Control System (SLCS) - Instrumentation & Controls 7.4.1.2.1 System Identification 7.4.1.2.1.1 Function The instrumentation and controls for the SLCS are designed to initiate and continue injection of a liquid neutron absorber into the reactor when manually called upon to do so. This equipment also provides the necessary controls to maintain this liquid chemical solution above saturation temperature in readiness for injection.

FSAR Rev. 65 7.4-8

SSES-FSAR Text Rev. 61 7.4.1.2.1.2 Classification The SLCS is a backup method of manually shutting down the reactor to cold subcritical conditions by independent means other than the normal method by the control rod system. The system will also be used to buffer suppression pool pH to prevent Iodine re-evolution following a postulated design basis loss of coolant accident. The standby liquid control process equipment, instrumentation, and controls essential for injection of the neutron absorber solution into the reactor are designed to withstand Seismic Category I earthquake loads.

7.4.1.2.2 Power Sources The SLCS injection valve, pump A, and explosive valve A are powered by a different 480 VAC emergency bus than pump B and explosive valve B. The two tank heaters are also powered from a 480 VAC emergency bus.

Valve position indicating lights (non-Class 1E loads) are fed from a Division 1 120V instrument ac power supply. The pump pressure and storage tank level instruments are fed from a non-Class 1E 120V instrument ac power supply.

Heat tracing for pump suction piping is a non-Class 1E load which is fed from a Class 1E (Division 1) MCC 1B217 (2B217) for reliable power. Loads for these two MCC's are shown on drawing E9, Sh. 36 and Sh. 45 of Section 1.7. In accordance with Section 8.1.6(n), a second breaker of a two-breakers-in-series isolation system is installed near the non-Class 1E heat tracing panel to provide isolation between the Class 1E power supply and non-Class 1E load.

7.4.1.2.3 Equipment Design 7.4.1.2.3.1 General The SLCS (Dwg. M-148, Sh. 1) is a special plant capability event system. The system is identified as a safe shutdown system having a safety-related classification. Boron injection from the SCL system is required for suppression pool pH control during a DBA-LOCA. The maintenance of the suppression pool pH level above 7.0 is achieved by boron injected to the suppression pool from the SLC system via the reactor vessel to prevent re-evolution of iodine from the suppression pool water. Consequently, operation of the SLC system includes reactor modes and timing during a DBA LOCA. The SCL System will be required to be operable in Mode 3.

The special consideration evens are:

1. Plant Capability to Shutdown the Reactor Without Control Rods From Normal Operation (Refer to appendix 15A).
2. Plant Capability to Shutdown the Reactor Without Control Rods From a Transient Incident (Refer to Appendix 15A and Section 15.8).

FSAR Rev. 65 7.4-9

SSES-FSAR Text Rev. 61 Even though the SLCS has a post LOCA function, the SLCS is not required to meet single failure criteria. However, the system must meet the following criteria in lieu of the single failure criteria (Reference 7.4.3-1)

a. The SLC System should be provided with standby AC power supplemented by the emergency diesel generators.
b. The SLC system should be seismically qualified in accordance with Regulatory Guide 1.29 and Appendix A to 10 CFR Part 100.
c. The SLC system should be incorporated into the plants ASME Code ISI and IST Programs based upon the plants code of record (10 CFR 5055a).
d. The SCL System should be incorporated into the plants Maintenance Rule program consistent with 10 CFR 50.65.
e. The SLC System should meet 10 CFR 50.49 and Appendix A (GDC 4) to 10 CFR 50.
f. Non-redundant active components should have proven reliability based on historical information.
g. Components should remain functional for the appropriate environmental conditions.

7.4.1.2.3.2 Initiating Circuits The SLCS is initiated in the main control room by turning a keylocking switch to either the Start A or the Start B position. The key is removable in the STOP position. Placing the keylocking switch in either the Start A or the Start B position initiates either pump A or pump B, respectively, in the injection mode configuration.

7.4.1.2.3.3 Logic and Sequencing When the SLCS is initiated, both the explosive-operated valves fire. Simultaneously, the selected SLC pump is started and solution injection begins.

7.4.1.2.3.4 Bypasses and Interlocks There are no bypasses. When the SLCS is initiated to inject the neutron absorber into the reactor, the outboard isolation valve of the RWCU system is automatically closed.

7.4.1.2.3.5 Redundancy and Diversity Under special shutdown conditions, the SLCS is functionally redundant to the control rod drive system in achieving and maintaining the reactor subcritical. Therefore, the SLCS as a system by itself is not required to be redundant.

FSAR Rev. 65 7.4-10

SSES-FSAR Text Rev. 61 The SLCS provides, however, a means for shutting down the reactor by using a liquid neutron absorber in lieu of the control rod drive system.

The SLCS System provides a unique function of suppression pool pH control to prevent iodine re-evolution following a postulated design basis loss of coolant accident. The SLCS is not required to be redundant or diverse for the suppression pool pH control function.

7.4.1.2.3.6 Actuated Devices When the SLCS is initiated to inject a liquid neutron absorber into the reactor, the following devices are actuated:

(1) Both explosive valves are fired; (2) The selected injection pump is started, and (3) The pressure sensing equipment indicates that the SLCS is pumping liquid into the reactor.

7.4.1.2.3.7 Separation The SLCS is separated both physically and electrically from the control rod drive system. The SLCS instrument channels are separated in accordance with the requirements of IEEE 279-1971.

7.4.1.2.3.8 Testability The instrumentation and control system of the SLCS is tested when the system test is performed as outlined in Section 14.2.

7.4.1.2.4 Environmental Considerations The environmental considerations for the instrument and control portions of the SLCS are discussed in Section 3.11. The instrument and control portions of the SLCS are seismically qualified to remain functional following a Safe Shutdown Earthquake (SSE). Refer to Section 3.10a for seismic qualification aspects.

7.4.1.2.5 Operational Considerations 7.4.1.2.5.1 General Information The control scheme for the SLCS is shown in Dwg. M1-C41-31, Sh. 1. The SLCS is manually initiated in the main control room by inserting the proper key in the keylocking switch and turning it to either the "START A" or Start B position. Upon SLCS manual initiation, the RWCU outboard isolation valve automatically closes to prevent removal of boron by the RWCU demineralizers.

When the storage tank level sensors indicate that the storage tank is dry and injection is complete, the system may be manually turned off by turning the key lock switch to the STOP position.

FSAR Rev. 65 7.4-11

SSES-FSAR Text Rev. 61 7.4.1.2.5.2 Reactor Operator Information The following items are located in the main control room for operator information:

Analog Indication (1) Storage tank level (2) Pump pressures (3) Injection flow Indicating Lamps (1) Pump status (2) Explosive valve continuity (3) Injection valve status (4) Maintenance valve status Annunciators The SLCS control room annunciators indicate:

(1) Injection valve not fully open.

(2) The loss of continuity of either explosive valve primers.

(3) Standby liquid storage tank high or low temperature.

(4) Standby liquid tank high and low level.

The following items are located locally at the equipment for operator utilization:

Analog Indication (1) Storage tank level (2) System pressure (3) Storage tank temperature Indicating Lamps (1) Storage tank heaters A&B status (2) Storage tank high and low level alarm status FSAR Rev. 65 7.4-12

SSES-FSAR Text Rev. 61 7.4.1.2.5.3 Setpoints The SLCS has setpoints for the various instruments as follows:

(1) The injection valve position switches are adjusted to indicate the valve is fully open.

(2) Loss of continuity activates the annunciator below the trickle current that is observed when both primers of an explosive valve are new.

(3) The high and low standby liquid temperature switch is set to activate the annunciator at temperatures of 110°F and 60°F, respectively.

(4) The high and low standby liquid storage tank level switch is set to activate the annunciator at levels which assure that the maximum and minimum volume/concentration limits of Figure 9.3-14 are met. A redundant storage tank level switch is also provided.

(5) The thermostatic controller is set to turn on the operating heater when the standby liquid temperature drops to 65oF and to turn off the heater at 75oF.

7.4.1.3 RHRS/Reactor Shutdown Cooling Mode - Instrumentation and Controls 7.4.1.3.1 System Identification 7.4.1.3.1.1 Function The shutdown cooling mode of the RHR System (including the reactor vessel head spray) used during a normal reactor shutdown and cooldown is the non-safety portion of the RHRS. The shutdown cooling mode utilizes most of the safety classified portions of the RHRS.

The initial phase of a normal RCPB cooldown is accomplished by routing steam from the reactor vessel to the main condenser which serves as the heat sink.

The Reactor Shutdown Cooling System consists of a set of pumps, valves, heat exchangers, and instrumentation designed to provide decay heat removal capability for the core. The system specifically accomplishes the following:

(1) The reactor shutdown cooling system is capable of providing cooling for the reactor during shutdown operation after the vessel pressure is reduced below 98 psig.

(2) The system is capable of cooling the reactor water to a temperature at which reactor refueling and servicing can be accomplished.

(3) The system is capable of diverting part of the shutdown flow to a nozzle in the reactor vessel head to condense the steam generated from the hot walls of the vessel while it is being flooded.

The system can accomplish its design objectives by a preferred means by directly extracting reactor vessel water from the vessel via the recirculation loop B and routing it to a heat exchanger and back to the vessel, or by an alternate means by indirectly extracting the water via relief valve FSAR Rev. 65 7.4-13

SSES-FSAR Text Rev. 61 discharge lines to the suppression pool and routing pool water to the heat exchanger and back to the vessel.

7.4.1.3.1.2 Classification Electrical components for the Reactor Shutdown Cooling Mode of the Residual Heat Removal System are classified as Safety Class 2 and Seismic Category I.

7.4.1.3.2 Power Sources This system utilizes standby power sources, since the RHRS has safety modes of operation (e.g.,

LPCI) connected to this equipment.

7.4.1.3.3 Equipment Design 7.4.1.3.3.1 General The reactor water is cooled by taking suction from the B reactor recirculation loop; the water is pumped through the system heat exchanger and back to the reactor vessel via either recirculation loop. Part of the flow can be diverted to a nozzle in the vessel head to provide for head cooling.

The function of head cooling is to condense steam generated from the hot walls of the vessel while it is being flooded, thereby keeping system pressure down. During the initial phase of shutdown cooling mode, only a portion of the RHR system heat exchanger capacity is required. This allows the remaining portion of the RHR system with its heat exchanger, associated pumps, and valving to be available for the LPCI mode. The LPCI mode portion of the system is shifted to the shutdown mode after the reactor is depressurized so the proper cooling rate may be achieved with the lower reactor water inlet temperature. If it is necessary to discharge a complete core load of reactor fuel to the fuel pool, a means is provided for making a physical intertie between the spent fuel pool cooling and clean-up system and the RHR heat exchangers. This increases the cooling capacity of the spent fuel pool cooling and clean-up system to handle the heat load for this situation.

7.4.1.3.3.2 Initiating Circuits The reactor shutdown cooling mode is initiated by manual operator actions. There is no requirement for automatic control.

7.4.1.3.3.3 Logic and Sequencing The following reactor shutdown cooling operating sequence is to be utilized:

(1) The RHRS valving should be aligned for shutdown cooling mode (2) The recirculation loop suction valve is opened (3) The RHRS Heat Exchangers are lined up for water-water heat transfer FSAR Rev. 65 7.4-14

SSES-FSAR Text Rev. 61 7.4.1.3.3.4 Bypasses and Interlocks To prevent opening the reactor shutdown cooling valves except under proper conditions, the interlocks are provided as shown in Table 7.4-2-1, 7.4-2-2, 7.4-2-3, and 7.4-2-4.

The two RHR pumps used for shutdown cooling are interlocked to trip if the reactor shutdown cooling valves and suction valves from the suppression pool are not properly positioned.

7.4.1.3.3.5 Redundancy and Diversity The reactor shutdown cooling mode contains two loops. Either loop is sufficient to satisfy the cooling requirements for shutdown cooling. A diverse method of shutdown cooling is provided by the alternate shutdown cooling mode, which is actually an extension of the LPCI mode. To establish the alternate mode, the normal shutdown cooling loop is bypassed by manually switching to take suction water from the suppression pool and manually opening the ADS valves to allow reactor water to flow back to the suppression pool.

7.4.1.3.3.6 Actuated Devices All valves in the shutdown cooling mode are equipped with remote manual switches in the main control room. Further discussion can be found in Subsection 7.3.1.1a relative to the general operation of the RHR system including its other modes of its operation.

7.4.1.3.3.7 Separation Since various modes of operation of the RHR system perform safety-related functions (LPCI and containment cooling), any system equipment performing these functions satisfy the appropriate safety separation criteria (refer to Subsection 7.3.1.1a).

7.4.1.3.3.8 Testability The reactor shutdown cooling system pumps (RHR) may be tested during normal plant operation.

All motor operated valves in the system may be tested during normal plant operation from the remote switches in the main control room.

7.4.1.3.4 Environmental Considerations The only reactor shutdown cooling control component located inside the drywell that must remain functional in the environment is the control mechanism for the inboard isolation shutdown cooling suction valve. The environmental capabilities of this valve are discussed in Subsection 7.3.1.1a.2.

The control and instrumentation equipment located outside the drywell is selected in consideration of the normal and accident environments in which it must operate.

FSAR Rev. 65 7.4-15

SSES-FSAR Text Rev. 61 RHR equipment is seismically qualified and environmentally classified as discussed in Sections 3.2, 3.10 and 3.11.

7.4.1.3.5 Operational Considerations 7.4.1.3.5.1 General Information All controls for the reactor shutdown cooling mode are located in the main control room.

7.4.1.3.5.2 Reactor Operator Information Refer to Subsection 7.3.1.1a for reactor operator information associated with the RHRS in general.

7.4.1.3.5.3 Setpoints The safety-related setpoints involved in the operation of the shutdown cooling mode of the RHRS are those associated with the Reactor Steam Dome Pressure - High and Reactor Vessel Water Level - Low, Level 3 functions described in the Technical Requirements Manual.

7.4.1.4 Reactor Shutdown from Outside the Control Room (Remote Shutdown) 7.4.1.4.1 Description The Susquehanna SES is designed with a main control room that is common to Unit 1 and 2. If this main control room becomes uninhabitable and must be evacuated, a remote shutdown panel is provided for each unit.

In the event the main control room becomes uninhabitable and must be evacuated due to a fire, as evaluated in the FPRR Sections 3.3 and 6.2.25 an Alternate Control Structure HVAC Control Panel is provided. Control Structure HVAC is a common system and this panel would be available for Unit 1 and 2.

The remote shutdown panels are equipped with sufficient control and monitoring devices to bring the reactor to a hot shutdown condition, and subsequently to cold shutdown condition.

The remote shutdown panel for each unit is located within a locked room in the reactor building of each unit. Access to this room is controlled by a locked door with a keycard. The keycards are under administrative control. The Alternate Control Structure HVAC Control Panel is located in the Control Structure. Access to the control structure is controlled by a locked door with a keycard.

The keycards are under administrative control.

Adequate environmental control capability is provided at the location of these panels. Refer to Subsection 9.4.2 for HVAC systems provided in the reactor building and Subsection 9.4.1 for HVAC systems provided in the control structure.

The following systems are required for safe remote shutdown:

FSAR Rev. 65 7.4-16

SSES-FSAR Text Rev. 61 a) RCIC system to maintain reactor water level.

b) Relief valves and nuclear boiler system to reduce and monitor reactor vessel pressure, respectively.

c) RHR system to control suppression pool water temperature and for reactor water cooling mode.

d) RHR service water system to supply cooling water to the RHR heat exchanger.

e) Emergency service water system to supply cooling water to safety systems and the diesel generators.

f) Suppression pool system monitoring instrumentation.

Tables 7.4-3 and 7.4-4 are listings of control and indicating devices on the remote shutdown panels and the Alternate Control Structure HVAC Control Panel, respectively.

With exception of indication circuits which have no corresponding device located in the Control Room, all control and indicating devices on the panels are normally deenergized and must be connected to the active circuitry by transfer switches. This action bypasses the main control room circuits for control and indication, except for the suppression pool temperature indication, and generates an alarm in the control room as part of the Bypass Indication System (BIS) (see Section 7.5).

The average suppression pool temperature indication is provided at the RSP via the redundant Suppression Pool Temperature Monitoring System (SPOTMOS) equipment, located in the control room and described in Section 7.6.1b.1.2. The SPOTMOS equipment provides a continuous and isolated signal to the RSP indicators.

7.4.1.4.2 Design Criteria The design basis for the remote shutdown panel is in accordance with 10CFR50, Appendix A, Criterion 19 of the General Design Criteria.

7.4.1.4.2.1 Postulated Conditions During the Evacuation of the Main Control Room a) The reactor is operating at or below the design power level.

b) The plant is not experiencing a major transient condition or a recovery from an abnormal condition.

c) Design basis accidents, such as a LOCA, do not occur during the period when the control room is uninhabitable.

d) Control room evacuation was initiated by an undefined cause. For example, an environmental condition intolerable to humans forces the operators to leave the control structure.

FSAR Rev. 65 7.4-17

SSES-FSAR Text Rev. 61 e) The design assumes that no disaster resulting from a natural phenomenon has occurred.

The control room is not physically destroyed. However, it remains uninhabitable for an extended period of time.

f) Total loss of offsite power has been considered in the design.

g) Loss of safety system redundancy for the plant does not occur as a result of the event requiring control room evacuation.

h) The cause of the evacuation is of such nature that the control room operating personnel will have sufficient time to manually scram each reactor before leaving the control room. As a backup procedure, manual trip actuation of the circuit breakers for the reactor protection system (RPS) logic will allow the operator to achieve initial reactor scram from outside the main control room.

i) The event causing main control room evacuation will not prevent access to the remote shutdown panel. If the event causing main control room evacuation is a fire, access to the Alternate Control Structure HVAC Control Panel will not be prevented.

7.4.1.4.2.2 Design Considerations a) The design of the remote shutdown panel and the Alternate Control Structure HVAC Control Panel is in accordance with seismic qualification requirements for Seismic Category I.

b) The divisionalization and separation of safety-related systems and their components is not violated by the design of the panels.

c) The remote shutdown or Alternate CSHVAC control panel design does not compromise the single failure criteria of controls in the main control room. The control devices and instruments on the remote shutdown panel itself are not designed to meet the single failure criteria.

d) Testability of the readout instruments is provided by test switches on the front of the panel.

e) Upon actuation, the transfer switches will generate a signal to actuate valves in a direction that will isolate piping that could bypass significant volumes of water away from systems required for remote shutdown.

The valves that are actuated to the "safe-condition" are listed in Table 7.4-3.

f) The design provides redundant safety grade capability to achieve and maintain hot shutdown and/or attaining subsequent cold shutdown through the use of suitable procedures from a location(s) remote from the control room, assuming no fire damage to any required systems and equipment and assuming no accident has occurred. Credit is taken for manual actuation (exclusive of continuous control) of systems from locations that are reasonably accessible from the Remote Shutdown Panel. Credit is not taken for manual actions involving jumpering, rewiring or disconnecting circuits.

FSAR Rev. 65 7.4-18

SSES-FSAR Text Rev. 61 g) The design is such that the manual transfer of control to the remote location(s) does not disable any, automatic actuation of ESF functions while the plant is attaining or maintained in hot shutdown, other than where ESF features are manually placed in service to achieve or maintain hot shutdown. The design may disable automatic LPCI actuation in this manner only when necessary in order to enable control of the RHR system from the remote location and while operating this system to effect cold shutdown from hot shutdown.

h) The design provides, as a minimum, non-redundant safety grade systems necessary to achieve and maintain hot shutdown and/or cold shutdown from either the control room or from a remote location(s) assuming a postulated fire in any fire area, including the control room or the Remote Shutdown Panel. Credit is taken for manual actuation (exclusive of continuous control) of systems from locations that are reasonably accessible from the control room or the Remote Shutdown Panel, as applicable. Credit is not taken for manual actions involving jumpering, rewiring or disconnecting circuits. The design is such that in the event of fire damage in any fire area, systems could be repaired or made operable within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> if required for cold shutdown.

i) Communication from the Remote Shutdown Panel, is available in various forms from the Remote Shutdown Panel area to the areas requiring local control, including:

1. an intraplant public address, 5-channels page/talk handset intercom system,
2. an intraplant maintenance/test jack telephone system, and
3. portable communication systems (walkie talkies).

These systems will support the control of any of the aforementioned redundant mechanisms.

7.4.1.4.2.3 Remote Shutdown Functional Capabilities The capabilities of the remote shutdown control panel are outlined in the following discussion. See Subsections 9.4.1 and 9.2.12 for the capabilities of the Alternate CSHVAC Control Panel.

Hot Shutdown After reactor scram has been manually initiated, transfer switches on the remote shutdown panel allow the operator to transfer control from the control room to the remote instrumentation and controls for the systems described in Subsection 7.4.1.4.1.

Main steamline isolation is likely to occur; hence, reactor pressure will be relieved to the suppression pool through the RPV relief valves. Control of three pressure relief valves is provided on the remote shutdown panel. Reactor pressure can be monitored.

The operation of the RCIC system can be manually initiated, controlled, and monitored to maintain water level in the reactor pressure vessel. Reactor vessel level can be monitored. Condensate Storage Tank display information is not provided on the Remote Shutdown Panel. A 135,000 reserve capacity is maintained in the Condensate Storage Tank for HPCI and RCIC use only. This reserve will allow over three hours of RCIC operation at the design flow rate of 600 GPM. Three hours of RCIC operation is adequate to cool the reactor from the operating temperature of 546°F to the RHR shutdown cooling initiation temperature of 338°F assuming a cooldown rate of 100°F/hr.

FSAR Rev. 65 7.4-19

SSES-FSAR Text Rev. 61 Condensate Storage Tank level indication is provided locally at the tank, should the operator desire this information.

The Residual Heat Removal (RHR) system can be used in a suppression pool cooling mode to control temperature of the suppression pool water.

Monitoring and control of the RHR service water system and emergency service water system is provided for cooling water to RHR heat exchangers, RHR and RCIC room coolers, and diesel generators.

Controls for the containment (drywell) instrument gas supply suction and injection valve make it possible to provide operating gas pressure to the RPV relief valves.

Monitoring of containment pressure/temperature, suppression pool level/temperature and suppression chamber temperature is provided by indicators.

Cold Shutdown Manual operation of the RPV relief valves will cool the reactor and reduce its pressure at a controlled rate until RCIC (and/or HPCI) systems discontinue operation.

Reactor pressure reduction below 98 psig dome pressure allows operation of the residual heat removal (RHR) system to operate in the reactor shutdown cooling mode. The RHR system is connected to the reactor vessel via the reactor recirculation system and cooling is provided with RHR heat exchangers to bring the reactor to a cold, low pressure condition. The Remote Shutdown Panel provides control for the "B" RHR pump on Unit 1, and the "A" RHR pump on Unit

2. RHR flow indication (0-30,000 GPM) is provided on the remote shutdown panel for the appropriate RHR loop. RHR suction for shutdown cooling is taken from the "B" reactor recirculation loop on both units. Control for the "B" reactor recirculation pump suction valve (F023B) is provided on the remote shutdown panel on both units. This valve will be closed prior to initiating RHR shutdown cooling. Closing this valve will trip the "B" recirculation pump, thereby protecting both the applicable RHR pump, and the "B" recirculation pump from cavitation. The "A" reactor recirculation pump suction valve (F023A) will be closed from Motor Control Center 2B237043 prior to initiating A loop RHR shutdown cooling at unit two remote shutdown panel.

Closing this valve will prevent shutdown cooling flow diversion around the reactor core. All remaining recirculation suction and discharge valves will remain in an "as-is" position throughout the remote shutdown operation.

7.4.1.4.3 Consideration for Operation of the Remote Shutdown Panel a) Scram each unit's reactor.

b) Operate transfer switches to shift operations from the main control room to the remote shutdown panel.

c) Open containment instrument gas supply valves.

d) Start manual depressurization of the reactor pressure vessel by operating the pressure relief valves.

FSAR Rev. 65 7.4-20

SSES-FSAR Text Rev. 61 e) If automatic initiation has not occurred, start RCIC system, to maintain reactor water level.

f) Initiate RHR system in the suppression pool cooling mode.

Place RHR service water and emergency service water in operation.

g) Reactor water level will rise as a result of RCIC system flow.

Manually control the system flow rate to maintain the required level.

h) Observe reactor water level, reactor pressure, and suppression pool temperatures.

i) Actuate two relief valves to continue reactor vessel depressurization, while observing suppression pool temperature.

j) Reduce reactor pressure to 98 psig.

k) The RCIC system will discontinue operation.

l) Place the RHR system in the reactor shutdown cooling mode. If desired, flush the system for several minutes. Then reroute the flow through the RHR heat exchanger and back into the vessel. Continue cooldown until the reactor is in the cold, low pressure condition.

m) Hold the required reactor water level with the RHR system.

7.4.1.4.4 Consideration for Operation of the Alternate Control Structure HVAC Panel a) Operate transfer switches to shift operation from the main control room to the Alternate Control Panel.

b) Start the 'A' loop of control structure chilled water system.

c) Start the 'A' train of the SGTS equipment room ventilating exhaust system, control structure HVAC unit, computer room HVAC unit, and the battery room exhaust system.

7.4.2 Analysis 7.4.2.1 Reactor Core Isolation Cooling (RCIC) System - Instrumentation and Control 7.4.2.1.1 General Functional Requirements Conformance For events other than pipe breaks, such as RCPB isolations, the RCIC system has a makeup capacity sufficient to prevent the reactor vessel water level decreasing to the level where the core is uncovered. All components necessary for initiating the RCIC System when it is aligned to the control room are capable of start-up independent of auxiliary AC power, plant service air, and external cooling water systems.

To provide a high degree of assurance that the RCIC system shall operate when necessary and in time to provide adequate inventory makeup, the power supply for the system is taken from energy FSAR Rev. 65 7.4-21

SSES-FSAR Text Rev. 61 sources of high reliability and which are immediately available. Evaluation of instrumentation reliability for the RCIC system shows that no failure of a single initiating sensor either prevents or falsely starts the system.

A design flow functional test of the RCIC system can be performed during plant operation by taking suction from the demineralized water in the condensate storage tank and discharging through the full flow test return line back to the condensate storage tank. During the test, the discharge valve to the reactor vessel remains closed and reactor operation is not disturbed. Control system design provides automatic return from the test mode to the operating mode if system initiation is required during testing except for the conditions described in Subsection 7.4.1.1.3.1.

Chapter 15 and Appendix 15A examine the system-level aspects of this system in plant operation and consider its function under various plant transient events.

7.4.2.1.2 Specific Regulatory Requirements Conformance 7.4.2.1.2.1 NRC Regulatory Guides Conformance 7.4.2.1.2.1.1 Regulatory Guide 1.6 Although it is not required that RCIC alone meet single failure criterion, redundant power sources are required for inboard and outboard RCIC isolation valves. These power sources are consistent with the guidelines of Regulatory Guide 1.6 as described in Subsections 8.1.6.1 and 8.3.2.2.

7.4.2.1.2.1.2 Regulatory Guide 1.11 All RCIC instrument lines penetrating or connected to containment meet the requirements of regulatory position C.1.

7.4.2.1.2.1.3 Regulatory Guide 1.22 RCIC is fully testable from initiating sensors to actuated devices during full power operation.

7.4.2.1.2.1.4 Regulatory Guide 1.29 The safety-related portion of RCIC instrumentation and control is classified as Seismic Category I and is qualified to remain functional following an SSE.

7.4.2.1.2.1.5 Regulatory Guide 1.30 Conformance to Regulatory Guide 1.30 is discussed in Subsection 7.1.2.

7.4.2.1.2.1.6 Regulatory Guide 1.32 FSAR Rev. 65 7.4-22

SSES-FSAR Text Rev. 61 Conformance to Regulatory Guide 1.32 as discussed in Section 8.1 is applicable to RCIC safety-related control instrumentation.

7.4.2.1.2.1.7 Regulatory Guide 1.47 Regulatory Guide 1.47 Positions C.1, C.2, and C.3 Automatic indication is provided in the control room to inform the operator that the system is inoperable. Annunciation RCIC out of service is provided to indicate a system or part of a system is not operable. Bypassing is not allowed in the trip logic or actuator logic. Bypasses of certain infrequently used pieces of equipment, such as manual locked open valves, are not automatically annunciated in the main control room; however, capability for manual activation of each system level bypass indicator is provided in the main control room for equipment that has infrequently used bypasses. An administratively controlled switch may be used for this manual activation. Further examples of automatic indication of inoperability are listed below:

(1) If any circuit breaker is racked out, indication is provided in the main control room.

(2) All motor control center control circuits are individually monitored. If control voltage is lost as a result of tripping of a motor starter feeder breaker or removal of a fuse in the control circuit, indication is provided in the main control room.

(3) Instruments which form part of a one-out-of-two twice logic can be removed from service for calibration. Removal of the instrument from service is indicated in the control room as a single instrument channel trip.

(4) The RCIC System contains a control switch with "Test Mode" capability which provides continuous control room indication that "Test Mode" has been selected.

Regulatory Guide 1.47 Position C.4 System level out of service annunciator may be administratively activated by the control room operator by activating a control switch.

All the annunciators can be tested by depressing the annunciator test switches on the control room benchboards.

Individual indicators are arranged together on the control room panel to indicate what function of the system is out of service, bypassed, or otherwise inoperable. All bypass and inoperability indicators both at a system level and component level are grouped only with items that will prevent a system from operating if needed. Indication of pressures, temperatures, and other system variables that are a result of system operation are not included with the bypass and inoperability indicators.

As a result of design, preoperational testing and startup testing, no erroneous bypass indication is anticipated.

FSAR Rev. 65 7.4-23

SSES-FSAR Text Rev. 61 These indication provisions serve to supplement administrative controls and aid the operator in assessing the availability of component and system level protective actions This indication does not perform a safety function.

All circuits are electrically independent of the station safety systems to prevent the possibility of adverse effects.

Each indicator which can be periodically tested is provided with dual lamps. Also see conformance to Regulatory Position C.4 above.

7.4.2.1.2.1.8 Regulatory Guide 1.53 RCIC meets the single-failure criterion on a network basis in conjunction with HPCI. It is not necessary for RCIC alone to meet the single-failure criterion in itself since its function is duplicated or backed up by other systems. Redundant sensors are discussed in Subsection 7.4.2.1.2.3.1.6.

7.4.2.1.2.1.9 Regulatory Guide 1.62 RCIC may be automatically as well as manually initiated inside the main control room as well as at the remote shutdown facility outside the main control room.

7.4.2.1.2.1.10 Regulatory Guide 1.63 See Subsection 7.1.2.6.13.

7.4.2.1.2.1.11 Regulatory Guide 1.75 Conformance to Regulatory Guide 1.75 is discussed in Subsection 7.1.2.6.17.

7.4.2.1.2.1.12 Regulatory Guide 1.89 Conformance to Regulatory Guide 1.89 is discussed in Section 3.11. See the Susquehanna SES Environmental Qualification Program for Class 1E Equipment.

7.4.2.1.2.2 NRC Regulations Conformance - 10CFR50 Appendix A Requirements 7.4.2.1.2.2.1 General Design Criterion 13 The reactor vessel water level, RCIC pump discharge pressure, and RCIC flow rate are monitored and displayed in the main control room.

FSAR Rev. 65 7.4-24

SSES-FSAR Text Rev. 61 7.4.2.1.2.2.2 General Design Criterion 20 The RCIC system constantly monitors the water level in the reactor vessel and is automatically initiated when the level drops below the pre-established setpoint.

7.4.2.1.2.2.3 General Design Criterion 21 RCIC is fully testable from sensor to actuated device during normal operation. Reliability of operation is enhanced through the use of high functional reliability components and thoroughly engineered design.

7.4.2.1.2.2.4 General Design Criterion 22 RCIC initiation signal is supplied by redundant, independent sensors in a one-out-of-two twice logic.

7.4.2.1.2.2.5 General Design Criterion 29 Thorough design and selection of highly reliable components assure an extremely high probability that RCIC will accomplish its intended safety function.

7.4.2.1.2.2.6 General Design Criterion 34 Conformance to General Design Criterion 34 is discussed is Subsection 7.4.1.1.1.1.(3).

7.4.2.1.2.2.7 General Design Criterion 37 RCIC is not part of the ECCS.

7.4.2.1.2.3 Conformance to Industry Codes and Standards 7.4.2.1.2.3.1 IEEE 279-1971 7.4.2.1.2.3.1.1 General Functional Requirement (IEEE 279-1971, Paragraph 4.1)

RCIC is automatically initiated by reactor low water level measurements.

7.4.2.1.2.3.1.2 Single-Failure Criterion (IEEE 279-1971, Paragraph 4.2)

The RCIC system is not required to meet the single-failure criterion. The control logic circuits for the RCIC initiation and control are housed in a single relay cabinet and the power supply for the control logic and other RCIC equipment is from a single DC power source.

FSAR Rev. 65 7.4-25

SSES-FSAR Text Rev. 61 The RCIC initiation sensors wiring and relay logic cabinet do, however, meet the single-failure criterion. Physical separation of instrument lines is provided so that no single instrument rack destruction or single instrument line (pipe) failure can prevent RCIC initiation. Wiring separation between divisions also provides tolerance to single raceway destruction (including shorts, opens, and grounds) in the accident detection portion of the control logic. The single-failure criterion is not applied to logic relay cabinet or to other equipment required to function for RCIC operation.

7.4.2.1.2.3.1.3 Quality of Components and Modules The components of the RCIC instrumentation and control are of the same high quality as the ECCS systems. The safety-related portion of RCIC control and instrumentation components and modules is seismically qualified to remain functional following a Safe Shutdown Earthquake (SSE).

7.4.2.1.2.3.1.4 Equipment Qualification (IEEE 279-1971, Paragraph 4.4)

Refer to Sections 3.10 and 3.11 7.4.2.1.2.3.1.5 Channel Integrity (IEEE 279-1971, Paragraph 4.5)

The RCIC system instrument initiation channels satisfy the channel integrity objective.

7.4.2.1.2.3.1.6 Channel Independence (IEEE 279-1971, Paragraph 4.6)

Channel independence for initiation sensors is provided by electrical and mechanical separation.

The A and C sensors for reactor vessel level, for instance, are located on one local instrument panel identified as Division 1 equipment and the B and D sensors are located on a second instrument panel widely separated from the first and identified as Division 2 equipment. The A and C sensors have a common pair of process taps which are widely separated from the corresponding taps for the B and D sensors.

Disabling of one or both sensors in one location does not disable the control for RCIC initiation.

7.4.2.1.2.3.1.7 Control and Protection Interaction (IEEE 279-1971, Paragraph 4.7)

The RCIC system has no interaction with plant control systems. Annunciator circuits using contacts of sensors and logic relays cannot impair the operability of the RCIC system control because of electrical isolation.

7.4.2.1.2.3.1.8 Derivation of System Inputs (IEEE 279 -1971, Paragraph 4.8)

The RCIC system uses a direct measure of the need for coolant inventory makeup, e.g., reactor vessel low water level.

FSAR Rev. 65 7.4-26

SSES-FSAR Text Rev. 61 7.4.2.1.2.3.1.9 Capability for Sensor Checks (IEEE 279-1971, Paragraph 4.9)

All sensors are installed with calibration taps and instrument valves to permit testing during normal plant operation or during shutdown.

The reactor vessel level switches can be checked for operability by closing the low side instrument valve and bleeding off a small amount of water through the low side bleed valves which are provided for venting the instruments), while observing the scale reading and channel trip indication in the main control room, and then reopening the instrument valve.

7.4.2.1.2.3.1.10 Capability for Test and Calibration (IEEE 279-1971, Paragraph 4.10)

The RCIC control system is capable of being completely tested during normal plant operation to verify that each element of the system, whether active or passive, is capable of performing its intended function. As part of this test, the turbine and pump are started in the test mode with the pump discharging to the condensate storage tank. In this test mode all major components except the isolation valves are tested. Valve operability tests complete the major component testing.

Sensors are exercised by applying test pressure.

7.4.2.1.2.3.1.11 Channel Bypass or Removal from Operation (IEEE 279-1971, Paragraph 4.11)

Calibration of a sensor which introduces a single instrument channel trip will not cause a protective function without the coincident trip of a second channel. There are no instrument channel bypasses. Removal of a sensor from operation during calibration does not prevent the redundant instrument channel from functioning. Removal of an instrument channel from service during calibration will be brief.

7.4.2.1.2.3.1.12 Operating Bypasses (IEEE 279-1971, Paragraph 4.12)

RCIC has no operating bypasses.

7.4.2.1.2.3.1.13 Indication of Bypasses (IEEE 279-1971, Paragraph 4.1.3)

Automatic indication of bypasses is provided by individual annunciators to indicate what function of the system is out of service, bypassed or otherwise inoperative. In addition, each of the indicated bypasses also activates a "system inoperative" or a "system out of service" annunciator. Manual "system inoperative" or "system out of service" switches are provided for operator use and may be used for items that are only under supervisory control.

There are several means by which the RCIC system could be deliberately rendered inoperative by plant operating personnel:

(1) Manually opening feeder breakers to the motor starter for valves, pumps, etc., that are required to function during RCIC operation. Manually opening a breaker for a specific motor will deenergize the control power to the motor starter and annunciate loss of power alarm in the main control room. Tagging procedures may also be used to indicate FSAR Rev. 65 7.4-27

SSES-FSAR Text Rev. 61 out-of-service equipment and are considered an adequate indication of equipment status.

Manual opening of breakers is a requirement for safe maintenance of equipment.

(2) Manually opening DC control power feeder breakers. Tripping or opening a DC control power feeder breaker will give a loss-of-power alarm.

(3) Manually shutting off instrument line valves in various specific combination.

(4) Placing of the flow controller from "Auto" to "Manual" operation in the main control room or adjusting "Auto" setpoint in the incorrect position. Manual operation of the flow controller setpoint in the incorrect position. Manual operation of the flow controller is provided to allow operator intervention should the auto portion of the controller fail. The availability of an auto setpoint control on the controller is desirable so that the operator can regulate the flow to maintain water level rather than cycling the turbine between the auto trip and start level setpoints and without going to the "Manual" mode of operation. The controller is in the main control room and therefore under the direct supervision of the control room operator.

All of these items are under supervisory control and are not automatically defeated by RCIC initiation signals.

The following is a list of automatic bypasses which can render the RCIC system inoperative:

(1) RCIC steamline isolation signal.

(2) RCIC turbine trip caused by:

a. RCIC isolation signal.
b. RCIC pump suction pressure low.
c. RCIC turbine exhaust pressure high.
d. RCIC turbine overspeed.

These functions are discussed in Subsection 7.4.1.1.3.2.

7.4.2.1.2.3.1.14 Access to Means for Bypassing (IEEE 279-1971, Paragraph 4.14)

Access to motor control centers and instrument valves is controlled as discussed in Subsection 7.4.2.1.2.3.1.13. Access to other means of bypassing is located in the relay rooms and therefore under the administrative control of the operators.

7.4.2.1.2.3.1.15 Multiple Setpoints (IEEE 279-1971, Paragraph 4.15)

This is not applicable because all setpoints are fixed.

FSAR Rev. 65 7.4-28

SSES-FSAR Text Rev. 61 7.4.2.1.2.3.1.16 Completion of Protective Action Once it is Initiated (IEEE 279-1971, Paragraph 4.16)

The final control elements for the RCIC system are essentially bistable, i.e., motor-operated valves stay open or closed once they have reached their desired position, even though their starter may drop out. In the case of pump starters, the auto initiation signal is electrically sealed-in.

Thus, once protective action is initiated (i.e., flow established), it must go to completion until terminated by deliberate operator action or automatically stopped on high vessel water level or system malfunction trip signals.

7.4.2.1.2.3.1.17 Manual Actuation (IEEE 279-1971, Paragraph 4.17)

Each piece of RCIC actuation equipment required to operate (pumps and valves) is capable of manual initiation from the main control room.

Failure of logic circuitry to initiate the RCIC system will not affect the manual control of equipment.

However, failures of active components or control circuits which produce a turbine trip may disable the manual actuation of the RCIC system. Failures of this type are continuously monitored by alarms.

7.4.2.1.2.3.1.18 Access to Setpoint Adjustment (IEEE 279-1971, Paragraph 4.18)

Setpoint adjustments for the RCIC system sensors are integral with the sensors on the local instrument racks and cannot be changed without the use of tools to remove covers over these adjustments. Control relay cabinets are capable of being locked to prevent unauthorized actuation.

7.4.2.1.2.3.1.19 Identification of Protective Actions (IEEE 279-1971, Paragraph 4.19)

Protective actions are directly indicated and identified by annunciator operation or action of the sensor relay which has an identification tag and a clear glass window front which permits convenient visible verification of the relay position. The combination of annunciation and relay observation is considered to fulfill the requirements of this criterion.

7.4.2.1.2.3.1.20 Information Readout (IEEE 279-1971, Paragraph 4.20)

The RCIC control system is designed to provide the operator with accurate and timely information pertinent to its status. It does not introduce signals into other systems that could cause anomalous indications confusing to the operator. Periodic testing is provided for verifying the operability of the RCIC components and, by proper selection of test periods to be compatible with the historically established reliability of the components tested, complete and timely indications are made available. Sufficient information is provided on a continuous basis so that the operator can have a high degree of confidence that the RCIC function is available and/or operating properly.

FSAR Rev. 65 7.4-29

SSES-FSAR Text Rev. 61 7.4.2.1.2.3.1.21 System Repair (IEEE 279-1971, Paragraph 4.21)

The RCIC control system is designed to permit repair or replacement of components. All devices in the system are designed for a 40-year lifetime under the imposed duty cycles. Since this duty cycle is composed mainly of periodic testing rather than operation, lifetime is more a matter of "shelf life" than active life.

Recognition and location of a failed component will be accomplished during periodic testing. The simplicity of the logic will make the detection and location relatively easy, and components are mounted in such a way that they can be conveniently replaced in a short time. For example, estimated replacement time for the type relay used is less than 30 minutes. Sensors which are connected to the instrument piping cannot be changed so readily, but they are required to be connected with separable screwed or bolted fittings and could be changed in less than 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, including electrical connection replacement.

7.4.2.1.2.3.1.22 Identification (IEEE 279-1971, Paragraph 4.22)

All controls and instruments are located in one section of the main control room panel and clearly identified by nameplates. Relays and relay panels are identified by nameplates.

7.4.2.1.2.3.2 IEEE 308-1974 Compliance to IEEE 308-1974 is described in Section 8.3.

7.4.2.1.2.3.3 IEEE 323-1971 Specific conformance to requirements of IEEE 323 is covered in Subsection 7.1.2.5 and Section 3.11.

7.4.2.1.2.3.4 IEEE 338-1971 The RCIC system is fully testable during normal operation. The discharge valve to the feedwater line remains closed during the test, and reactor operation remains undisturbed, thus meeting requirements of IEEE STD 338-1971. Refer to Subsections 7.4.2.1.2.3.1.9 and 7.4.2.1.2.3.1.10 for further discussion.

7.4.2.1.2.3.5 IEEE 344-1971 The conformance to the requirements of IEEE 344-1971 is detailed in Section 3.10a.

FSAR Rev. 65 7.4-30

SSES-FSAR Text Rev. 61 7.4.2.2 Standby Liquid Control System (SLCS) Instrumentation and Controls 7.4.2.2.1 General Functional Requirements Conformance Redundant positive displacement pumps, explosive valves, and control circuits for the standby liquid control system components have been provided as described in Subsection 7.4.1.2. A single manual switch initiates either pump A or pump B and both explosive valves. This constitutes all of the active equipment required for injection of the sodium pentaborate solution. Continuity relays provide monitoring of the explosive valves, and indicator lights provide indication on the Reactor Core Cooling Benchboard of system status. Testability is described in Section 14.2. The redundant pumps and explosive valves and their control circuits are powered from different essential power sources within the same division as described in Section 7.4.1.2.2.

Chapter 15 and Appendix 15A examine the system-level aspects of the subject system under applicable plant events.

7.4.2.2.2 Specific Regulatory Requirements Conformance 7.4.2.2.2.1 NRC Regulatory Guides Conformance 7.4.2.2.2.1.1 Regulatory Guide 1.6 Since it is not necessary for SLCS to meet the single-failure criterion even for suppression pool pH control post DBA LOCA see Section 7.4.1.2.3, redundant power sources are not required. SLCS equipments are connectable to divisional essential power.

7.4.2.2.2.1.2 Regulatory Guide 1.11 No SLCS instrument lines penetrate the containment.

7.4.2.2.2.1.3 Regulatory Guide 1.22 SLCS is capable of testing from initiation to actuated devices during normal operation. In the test mode, demineralized water is circulated in the SLCS loops rather than sodium pentaborate. The explosive valves may be tested when plant is shut down. Otherwise, continuity in the explosive valve initiation circuits is continuously monitored during plant operation.

7.4.2.2.2.1.4 Regulatory Guide 1.29 The control instrumentation of SLCS is classified as Seismic Category I and is qualified to remain functional following a SSE.

7.4.2.2.2.1.5 Regulatory Guide 1.30 Conformance to Regulatory Guide 1.30 is discussed in Subsection 7.1.2.6.

FSAR Rev. 65 7.4-31

SSES-FSAR Text Rev. 61 7.4.2.2.2.1.6 Regulatory Guide 1.32 Conformance to IEEE 308 as discussed in Section 8.3 is applicable to SLCS control instrumentation.

7.4.2.2.2.1.7 Regulatory Guide 1.47 The continuity of the explosive valve circuit is continuously monitored and is annunciated in the control room. The level and temperature of the sodium pentaborate tank are monitored with the high and low levels and high and low temperature conditions annunciated in the control room. The removal of all other equipments for servicing may be manually annunciated and is administratively controlled.

7.4.2.2.2.1.8 Regulatory Guide 1.53 SLCS serves as a back-up for the control rod system when an insufficient number of control rods can be remote manually inserted from full power setting. The system is also required to control suppression pool pH post DBA-LOCA. It is not necessary for SLCS to meet the single-failure criterion. The pumps and pump motors and the explosive valves are redundant so that no single failure in these components will cause or prevent initiation of SLCS. The system must also meet the requirements of Section 7.4.1.2.3.

7.4.2.2.2.1.9 Regulatory Guide 1.62 SLCS is initiated manually from the main control room.

7.4.2.2.2.1.10 Regulatory Guide 1.63 See Subsection 7.1.2.6.13.

7.4.2.2.2.1.11 Regulatory Guide 1.89 Conformance to Regulatory Guide 1.89 is discussed in Section 3.11. See the Susquehanna SES Environmental Qualification Program for Class IE Equipment. Additional requirements are discussed in Section 7.4.1.2.3.

7.4.2.2.2.2 NRC Regulations Conformance - 10CFR150 Appendix A Requirements 7.4.2.2.2.2.1 General Design Criterion 13 The sodium pentaborate tank temperature and level and explosive valves control circuit continuity are monitored and annunciated. The sodium pentaborate solution discharge flow rate is monitored and displayed in the main control room.

FSAR Rev. 65 7.4-32

SSES-FSAR Text Rev. 61 7.4.2.2.2.2.2 General Design Criterion 29 SLCS maintains the reactor subcritical by introducing poison into the reactor in the event the control rods fail to achieve subcriticality in the reactor.

7.4.2.2.2.3 Conformance to Industry Codes and Standards 7.4.2.2.2.3.1 IEEE 279-1971 7.4.2.2.2.3.1.1 General Functional Requirement (IEEE 279-1971, Paragraph 4.1)

Display instrumentations in the main control room provide the operator with information on reactor vessel water level, pressure, neutron flux level, control rod position, and scram valve status. Based on this information, the operator decides whether or not to initiate the manually operated SLCS.

7.4.2.2.2.3.1.2 Single Failure Criterion (IEEE 279 -1971, Paragraph 4.2)

SLCS serves as backup to the control rod scram in controlling reactivity. Additionally, the SLCS is required to control suppression pool pH post LOCA. It is not necessary for SLCS to meet the single failure criterion. However, the pumps and the explosive valves are redundant so that no single failure in these components will cause or prevent initiation of SLCS.

See Section 7.4.1.2.3 for SLCS requirements.

7.4.2.2.2.3.1.3 Quality of Components and Modules (IEEE 279-1971, Paragraph 4.3)

The control instrumentations of SLCS are qualified Class 1E in accordance with IEEE 323-1971.

7.4.2.2.2.3.1.4 Equipment Qualification (IEEE 279-1971, Paragraph 4.4)

No components of SLCS are required to operate in the drywell environment. A maintenance valve is the only component located inside the drywell and it is normally locked open. Other SLCS equipments are located in the reactor building or containment and are capable of operation following an SSE.

7.4.2.2.2.3.1.5 Channel Integrity (IEEE 279-1971, Paragraph 4.5)

One of SLC Systems design functions is to prevent re-evolution of iodine from the suppression pool in the event of a Design Basis Accident (DBA-LOCA). SLCS must maintain necessary functional capability under extremes of conditions relating to environment, energy supply, malfunctions, and accidents. See Section 7.4.1.2.3 for specific requirements. It is designed to remain functional following an SSE.

7.4.2.2.2.3.1.6 Channel Independence (IEEE 279-1971, Paragraph 4.6)

FSAR Rev. 65 7.4-33

SSES-FSAR Text Rev. 61 SLCS serves as backup to control rod scram system for shutting down the reactor. SLCS is kept independent of the control rod scram system. SLCS provides the unique function of controlling suppression pool pH post DBA-LOCA. Channel independence is not a concern for this function.

7.4.2.2.2.3.1.7 Control and Protection Interaction (IEEE 279-1971, Paragraph 4.7)

SLCS has no interaction with plant control systems. It has no function during normal plant operation and it is completely independent of control systems and other safety systems.

7.4.2.2.2.3.1.8 Derivation of System Inputs (IEEE 279-1971, Paragraph 4.8)

Since SLCS is a manually initiated system, inputs are derived directly from the operator.

Display instrumentations in the main control room provide the operator with information on reactor vessel water level, pressure, neutron flux level, control rod position and scram valve status. Based on this information, the operator decides whether or not to initiate SLCS.

7.4.2.2.2.3.1.9 Capability of Sensor Checks (IEEE 279-1971, Paragraph 4.9)

The operational availability is checked for by the operator. The sensor checks are made by operator observation of analog indications, indicating lamps, annunciators and status lights located in the control room and locally at the equipment. Refer to Subsection 7.4.1.2.5.2 for further clarification.

7.4.2.2.2.3.1.10 Capability for Test and Calibration (IEEE 279-1971, Paragraph 4.10)

The explosive valves may be tested during plant shutdown. The explosive valve control circuits are continuously monitored and annunciated in the control room. The remainder of the SLCS may be tested during normal plant operation to verify each element passive or active is capable of performing its intended function. In the test mode, demineralized water instead of sodium pentaborate solution is circulated from and back to the test tank.

7.4.2.2.2.3.1.11 Channel Bypass or Removal from Operation (IEEE 279-1971, Paragraph 4.11)

The pumps and pump motors are redundant, so that one pump may be removed from service during normal plant operation.

7.4.2.2.2.3.1.12 Operating Bypass (IEEE 279-1971, Paragraph 4.12)

SLCS has no function during normal plant operation.

FSAR Rev. 65 7.4-34

SSES-FSAR Text Rev. 61 7.4.2.2.2.3.1.13 Indication of Bypass (IEEE 279-1971, Paragraph 4.13)

Removal of components from service may be manually annunciated in the main control room.

7.4.2.2.2.3.1.14 Access to Means for Bypass (IEEE 279-1971, Paragraph 4.14)

Removal of components from service during normal plant operation is under administrative control.

7.4.2.2.2.3.1.15 Multiple Setpoints (IEEE 279-1971, Paragraph 4.15)

The operation of SLCS is not dependent on or affected by setpoints.

7.4.2.2.2.3.1.16 Completion of Protective Action Once it is Initiated (IEEE 279-1971, Paragraph 4.16)

The explosive valves remain open once fired and the pump motor operation once initiated will not stop unless terminated by operator action.

7.4.2.2.2.3.1.17 Manual Initiation (IEEE 279-1971, Paragraph 4.17)

SLCS is manually initiated.

7.4.2.2.2.3.1.18 Access to Setpoint Adjustments, Calibration, and Test Points (IEEE 279-1971, Paragraph (4.18)

The operation of SLCS is not dependent on or affected by any setpoint adjustment or calibration.

The control circuits, pumps and pump motors are accessible for test and service.

7.4.2.2.2.3.1.19 Identification of Protective Actions (IEEE 279-1971, Paragraph 4.19)

The explosive valve status, once fired, is indicated in the main control room.

7.4.2.2.2.3.1.20 Information Read-out (IEEE 279-1971, Paragraph 4.20)

The discharge flow rate of sodium pentaborate solution is indicated in the control room.

7.4.2.2.2.3.1.21 System Repair (IEEE 279-1971, Paragraph 4.21)

The control circuits, pumps and pump motors may be repaired or replaced during normal plant operation.

7.4.2.2.2.3.1.22 Identification (IEEE 279-1971, Paragraph 4.22)

FSAR Rev. 65 7.4-35

SSES-FSAR Text Rev. 61 Controls and instrumentation are located in control room panels and are clearly identified by nameplates.

7.4.2.2.2.3.2 IEEE 323-1971 Controls and instrumentation of SLCS required to perform its safety function are part of the Equipment Qualification Program for Class 1E equipment. Specific conformance requirements to IEEE 323 is covered in Section 3.11.

7.4.2.2.2.3.3 IEEE 338-1971 Except for the explosive valves, the design of SLCS permits periodic testing of the system from initiation devices to actuated devices. The explosive valves control circuit continuity is continuously monitored and annunciated in the main control room.

7.4.2.2.2.3.4 IEEE 344-1971 The control instrumentations of SLCS is classified as Seismic Category I and will remain functional following an SSE. Qualification and documentation procedures used for Seismic Category I equipment is discussed in Section 3.10a.

7.4.2.3 Residual Heat Removal System - Reactor Shutdown Cooling Mode Subsystem - Instrumentation and Controls 7.4.2.3.1 General Functional Requirements Conformance The design of the RHRS reactor shutdown cooling subsystem meets the general functional requirements as follows:

(1) Valves.

Manual controls and position indicator are provided in the main control room. No single failure in the valves electrical system can result in a loss of capability to perform a safety function.

Interlocks are provided to close the valves if an isolation signal is present or if high reactor pressure exists.

(2) Instrumentation.

Shutdown Flow indicator is provided. Heat exchanger shutdown cooling water and service water temperatures are provided. Head spray flow indication is provided.

FSAR Rev. 65 7.4-36

SSES-FSAR Text Rev. 61 (3) Annunciation.

Valve motor overload. Heat exchanger cooling water outlet temperature high. Heat exchanger shutdown cooling water high temperature. Shutdown suction header high pressure. Pump motor overload.

(4) Pumps.

Manual controls and stop and start indicators are provided in the control room. Interlocks are provided to trip the pumps if the shutdown cooling valves are not properly set up.

Appendix 15A examines the protective sequences relative to the above event and equipment. Chapter 15 considers the operation and the system level aspects of this system.

7.4.2.3.2 Specific Regulatory Requirements Conformance 7.4.2.3.2.1 Conformance to NRC Regulatory Guides Regulatory Guide requirements are not applicable because the RHR Shutdown Cooling Mode is used only to cool the reactor core for removal of decay heat with the reactor fully shut down.

7.4.2.3.2.2 Conformance to NRC Regulations - 10CFR50 Appendix A Requirements 7.4.2.3.2.2.1 General Design Criterion 34 Residual Heat Removal The Reactor Shutdown Cooling Mode of RHR removes residual heat from the reactor when it is shutdown and the main steamlines are isolated to maintain the fuel and RCPB within design limits.

On-site and off-site power are provided in the event that either source is not available when shutdown cooling is needed.

7.4.2.3.2.3 Conformance to Industry Codes and Standards The only applicable industry codes or standards which apply to the RHRS Shutdown Cooling Mode are those considered for the LPCI and containment cooling modes described in Subsections 7.3.2a.1.2.3.1 and 7.3.2a.4.3. These modes share some of the same equipment.

7.4.2.4 Reactor Shutdown from Outside the Control Room (Remote Shutdown)

The remote shutdown panel is designed in response to the NRC General Design Criterion 19, which requires functional capabilities outside of the control room as described in Subsection 7.4.1.4.

The remote shutdown panel, by itself, does not perform any safety-related or protective function and is by definition not required to follow the design criteria of ESF systems.

FSAR Rev. 65 7.4-37

SSES-FSAR Text Rev. 61 All equipment interfacing with safety-related systems, such as RHR and RCIC, is designed to meet the criteria of those systems.

The design provides protection to safety grade systems which are necessary to achieve and maintain hot or cold shutdown from either the control room or from a remote location(s), assuming a postulated fire in any fire area including the Remote Shutdown Panel or the loss of habitability of the control room. Manual actions involving jumpering, rewiring or disconnecting circuits are not taken.

All other design criteria for the remote shutdown panel are discussed in Subsection 7.4.1.4.

7.

4.3 REFERENCES

7.4.3.1 PLA 5963 Application for License Amendment and Related Technical Specification Changes to Implement Full-Scope Alternative Source Term in Accordance with 10 CFR 50.67.

FSAR Rev. 65 7.4-38

SSES-FSAR TABLE 7.4-2 RHRS SHUTDOWN COOLING BYPASSES AND INTERLOCKS Valve Function I Reactor Pressure Exceeds Isolation Valve Shutdown Manual Open Shutdown Closure Signal Return Line Cooling SetQoint Excess Flow r tnboard suction isolation Cannot open Cannot open Cannot open Outboard suction isolation Cannot open Cannot open Cannot open Reactor injection Can open{1} Cannot open Can open Hea~ spray Cannot open Cannot open Cannot open Radwaste discharge inboard Can open Cannot open Not applicable I

Radwaste discharge outboard Can open Cannot open Not applicable Vatve Function Auto (A) close or Manual (M) close Inboard suction isolation Closes A and M Closes A and M Closes A and M Outboard suction isolation Closes A and M Closes A and M Closes A and M Reactor injection Closes M Closes A and M Closes M i  !

' Head spray Closes A and M Closes A and M Closes A and M Radwaste discharge inboard Closes M Closes A and M Not Applicable Radwaste discharge outboard Closes M Closes A and M Not Applicable Pl 1his valve is normally interlocked closed by reactor pressure but can be opened for test if the other series injection valve is closed.

Rev. 53, 04/99 Page 1 of 1

SSES-FSAR TABLE 7.4-3 REMOTE SHUTDOWN PANEL INSTRUMENTATION UNIT2 HOT COLD DESCRIPTION UNIT 1 SHUTDOWN SHUTDOWN RCIC System .,

--** *- -~ -

HSS-14901A HSS-24901A X .x Instrumentation Transfer A HSS-14902A HSS-24902A

  • X X Control Transfer A HSS-14903A HSS-24903A X X Control Transfer B i------**--** - - * **-

HSS-14904A HSS-24904A X X Control Transfer C HSS-14905A HSS-24905A X X Control Transfer D HSS-149028 HSS-249028 X X Control Transfer M HSS-149038 HSS-24903B X X Control Transfer N HV-E51-1 F059 HV-E51-2F059 X X Control - RCIC turb exh to suppr pool valve HV-E51-15012 HV-E51-25012 X X Control - RCIC turb stop valve

- ~-

HV-E51-1 F045 HV-E51-2F045 X X Control - RCIC turb shutoff valve HV-E51-1F008 HV-E51-2F008 X X Control - RCIC steam supply outboard valve HV-E51-1 F007 HV-E51-2F007 X X Control - RCIC steam supply inboard valve HV-E51-1 F031 HV-E51-2F031 X X Control - RCIC suppression pool to pump suction valve HV-E51-1 F010 HV-E51-2F010 X X Control - RCIC cond storage to pump suction valve

  • - - -- r-----*

FV-E51-1F019 FV-E51-2F019 X X Control - RCIC pump discharge min flow valve HV-E51-1F012 HV-E51-2F012 X X Control - RCIC pump outboard disch valve


~* --- r---*** **

HV-E51-1 F013 HV-E51-2F013 X X Control - RCIC pump inboard disch valve

  • - - - -*- -*--- ~- **-* * -

1P-220 2P-220 X X Control - RCIC vac tank condensate pump-1P-219 2P-219 X X Control - RCIC barometric condenser vac pump HV-E51-1 F060 HV-E51-2F060 X X Control ~ RCIC condenser vac pump disch valve Rev. 53, 04/99 Page 1 of 6

SSES-FSAR TABLE 7.4-3 (Continued)

REMOTE SHUTDOWN PANEL INSTRUMENTATION

,---* ~

HOT COLD UNIT 1 UNIT2 DESCRIPTION SHUTDOWN SHUTDOWN HV-E51-1 F062 HV-E51-2F062 X X Control - RCIC turb exh outboard vac breaker HV-E51-1F084 HV-E51-2F084 X X Control - RCIC turb exh inboard vac breaker HV.,.E51-1F022 HV-E51-2F022 Control - Test FCV to condensate storage tank Sl-15001 S1-25001 X X Indication - RCIC turb speed FIC-14903 FIC-24903 X X Controller - RCIC pump injection flow Fl-14903 Fl-24903 X X Indication - RCIC pump injection flow Transfer switches actuate safe conditions for the following valves:

HV-E51-1 F046 I HV-E51?F046 RCIC turbine cooling water supply (open)

Reactor Recirculation System . .

HV-B31-1 F0238 HV-B31-2F023B X X Control - Reactor recirculation pump suction Nuclear Boiler System HV-B21-1F022A HV-B21-2F022A X X Status - Mn steam line inboard isolation valve A HV-821-1 F022B HV-B21-2F022B X X Status - Mn steam line inboard isolation valve B HV-B21-1 F022C HV-B21-2F022C X X Status - Mn steam line inboard isolation valve C HV-B21-1 F022D HV-B21-2F022O X X Status - Mn steam line inboard isolation valve D Pl-14262 Pl-24262 X X Indication - reactor vessel pressure Ll-14262 U-24262 X X Indication - reactor vessel level PSV-B21-1 F013A PSV-821-2F013A X X Control - RPV btowdown to suppression pool PSV-B21-1 F013B PSV-B21-2F013B X X Control - RPV blowdown to suppression pool PSV-B21-1 F013C PSV-821-2F013C X X Control - RPV blowdown to suppression pool

--- ... --~--- - -*-

Rev. 53 04/99 1

Page 2 of 6

SSES-FSAR TABLE 7.4-3 (Continued)

REMOTE SHUTDOWN PANEL INSTRUMENTATION Ho; M ........ . ... . . . ..

HOT COLD UNIT 1 UNIT2 DESCRI PTlON SHUTDOWN SHUTDOWN RHR System HSS-15110A HSS-25110A X X Instrumentation transfer 8 HSS-25111A X X Control transfer E HSS-25112A X

- X Control transfer F HSS-15112A HSS-15113A HSS-25113A X X Control transfer G HSS-15114A HSS-25114A X X Control transfer H

>------~- --

HSS-15115A HSS-25115A X X Control transfer J HSS-15116A HSS-25116A X X Control transfer K

-- - \

HSS-15117A HSS-25117A X X Control transfer L HSS~15111 B HSS-25111B X X Control transfer R

-- ' -- . ~ --- - ---*

HSS-15112B HSS-25112B X X Control transfer S HSS-15113B HSS-25113B X X Control transfer T

-**-- -- - - -*- ~-*----

HSS-151148 HSS-25114B X X Control transfer U HSS-151158 HSS-251158 X X Control transfer V HSS-15116B HSS-25116B X X Control transfer W HSS-151178 HSS-25117B X X Control transfer X HV-E11-1 F009 HV-E11-2F009 X Control - RHR pump suction from RPV inboard valve

- .. ~---~

HV-E11-1F008 HV-E11-2F008 X Control - RHR pump suction from RPV outboard valve HV-E11-1 F0068 HV-E11-2F006A X X Control - RHR pump suction from RPV HV-E11-1 F0048 HV-E11-2F004A X X Control - RHR pump suction from suppression pool 1P-202B 2P-202A X X Control - RHR pump Rev. 53, 04/99 Page 3 of6

SSES-FSAR TABLE 7 A-3 (Continued)

REMOTE SHUTDOWN PANEL INSTRUMENTATION HOT COLD UNIT 1 UNIT2 DESCRIPTION SHUTDOWN SHUTDOWN HV-E11-1F0078 . HV-E11-2F007A X X Control - RHR min flow valve to suppression pool HV-E11-1F048B HV-E11-2F048A X X Control - RHR heat exchanger bypass valve HV-E11-1 F015B HV-E11-2F015A *X Control - RH R LPCI inboard valve HV-E 11-F022 X Control- RHR head spray inboard valve HV-E11-2F023 X Control - RHR head spray outboard valve HV-25112 X Control- RHR head spray supply valve HV-E11-1F0108 HV-E11-2F010A X Control - RHR head spray Div. 1 cross connection HV-E11-1 F017B HV-E11-2F017A X X Control - RHR LPCI outboard valve HV-E11-1F024B HV-E11-2F024A X X Control - R~R dsch to suppression pool (inboard)

HV-E 11-1 F028B HV-E11-2F028A X X Control - HR dsch to suppression pool (outboard)

HV-E11-1 F0478 HV-E11-2F047 A X X Control - RHR pump dsch to RHR HX valve HV-E11-1F0D3B HV-E11-2F003A X X Control - RHR heat exchanger outlet valve HV-E11-1F040 HV-E11-2F040 X X Control - RHR dsch to LRW inboard valve HV-E11-1 F049 HV-E11-2F049 X

  • Control - RHR dsch to LRW outboard valve HV-E11-1F103B HV-E11-2F103A X X Control - heat exchanger vent valve HV-E11-1F104B HV-E11-2F104A X X Control - heat exchanger vent valve Fl-15105 Fl-25105 X X Indication - RHR system flow Loop B (Unit 2 Loop A}

The following valves of the RHR system are actuated by a signal from the transfer switches to travel in the safe condition . .

HV-E11-1F006A HV-E11-2F006B Pump suction from reactor vessel (closed)

HV-E11-1 FO06C HV-E11-2F006C Pump suction from reactor vessel (closed)

HV-E11-2F016A Drywell spray line (closed)

Rev. 53, 04/99 Page 4 of 6

SSES-FSAR TABLE 7.4-3 (Continued)

REMOTE SHUTDOWN PANEL INSTRUMENTATION HOT COLD UNIT 1 UNIT2 DESCRIPTION SHUTDOWN SHUTDOWN HV-E11-1F0738 HV-E11-2F073A RHR & RHRSW cross-tie (closed)

~ ....... **- -- -- ... .. . .

HV-E11-1 F0060 HV-E 11-2 F006D Pu,:np suction from reactor (closed)

HV-E11-1 F016B Drywell spray line (closed)

--*HV-E11-1 F027B HV-E11-2F027A

-*~

Wet well spray line (closed)

  • ---~- ...

HV-E11-2F0108 Loop A & B cross tie (closed)

R HR Service Water ~ystem HV-11215B HV-21215A X X Control - RHRSW heat exchanger outlet valve HV-112108 HV-2.1210A X X Control - RHRSW heat exchanger inlet valve 1P-506B 2P-506A X X Control - RHR service water pump HV-012228 HV-01222A X X Control - Spray pond loop B (A) bypass valve HV-0122481 HV-01224A1 X x, Control - Spray ___ ., pond dsch valve to network 81 (A 1)

HV-0122482 HV-01224A2 X X Control - Spray pond dsch valve to network B2 (82)

Fl-11207B Fl-21207A X X Indication - RHR service water system flow

- -Emergency Service Water System OP-5048

~CJ4A X

X Control - emergency service water pump OP-5040 504C X X Control - emergency service water pump Containment Instrument Gas System HV-12603 HV-22603 X X Control - containment gas inboard suction valve SV-12605 SV-22605 X X Control - containment gas outboard suction valve

- .. . .. *- * ** ** ,.H -**

SV-12651 SV-22651 X X Control - containment gas injection valve Rev. 53, 04/99 Page5of6

SSES-FSAR TABLE 7.4-3 (Continued)

REMOTE SHUTDOWN PANEL INSTRUMENTATION HOT COLD DESCRIPTION UNIT 1 UNIT2 SHUTDOWN SHUTDOWN Containment and Suppression Pool Monitoring System Pl-15728B Pl-25728A Indication - containment drywell pressure

.. ~

.. *--~-

Tl-15790B2 Tl-25790A2 Indication - containment temperature Ll-15776B2 Ll-25776A2 X X Indication - suppression pool level Tl-15725B Tl-25725B . Indication - suppression chamber temperature Tl-15751 Tl-25751 X X Indication - suppression pool temperature (Div. I SPOTMOS)

... .. . .. i . . . . . -

Tl-15752 Tl-25752 X X Indication - suppression pool temperature (Div. II SPOTMOS)

Reactor Water Clean.:Up System

.. -* ~-- ...

HSS-14454 HSS-24454 Control transfer switch Closes upon placing HSS-14454 and/or HV-G33-1 F004 HV-G33-2F001 HSS-24454 in Emergency position Rev. 53, 04/99 Page 6 of 6

SS *FSAR r e 1 TABLE 7.4-4 ALTERNATE CONTROL STRUCTURE HVAC COH'l'ROL PANEL BOT COLD COMMON SHUTDOWN SHU'l'DOWH DESCRIPTI'.OH cs_ Chilled water systea HSS-07899C X X Control Transfer A HSS-07899D X X Control Transfer B OP162A X X Control-CW Circulating Pump OP171A X X Control-CW Emergency Condenser water circulating Pump OK112A X X Control-Chiller HV-08693A X X Control-CW ESW Control Valve CSHVAC system HSS-07899A X X control Transfer c HSS-07899B X X control Transfer D OV118A X X Control-SGTS Equipment Room Vent system Exhaust Fan OV115A X X Control- Computer Room HVAC Unit Fan OV116A X X Control-Battery Room Vent Sy~tem Exhaust Fan OV103A X X Control-Control Structure HVAC Unit Fan Rev. 43, 05/91

FIGURE 7.4-1 REPLACED BY DWGS. M-149, SH. 1 & M-150, SH. 1 FSAR REV. 65 SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT FIGURE 7.4-1 REPLACED BY DWGS. M-149, SH. 1

& M-150, SH. 1 FIGURE 7.4-1, Rev. 50 AutoCAD Figure 7_4_1.doc

FIGURE 7.4-2-1 REPLACED BY DWG. M1-E51-80, SH. 1 FSAR REV. 65 SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT FIGURE 7.4-2-1 REPLACED BY DWG. M1-E51-80, SH. 1 FIGURE 7.4-2-1, Rev. 49 AutoCAD Figure 7_4_2_1.doc

FIGURE 7.4-2-2 REPLACED BY DWG. M1-E51-80, SH. 2 FSAR REV. 65 SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT FIGURE 7.4-2-2 REPLACED BY DWG. M1-E51-80, SH. 2 FIGURE 7.4-2-2, Rev. 55 AutoCAD Figure 7_4_2_2.doc

FIGURE 7.4-2-3 REPLACED BY DWG. M1-E51-80, SH. 3 FSAR REV. 65 SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT FIGURE 7.4-2-3 REPLACED BY DWG. M1-E51-80, SH. 3 FIGURE 7.4-2-3, Rev. 55 AutoCAD Figure 7_4_2_3.doc

FIGURE 7.4-2-4 REPLACED BY DWG. M1-E51-80, SH. 4 FSAR REV. 65 SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT FIGURE 7.4-2-4 REPLACED BY DWG. M1-E51-80, SH. 4 FIGURE 7.4-2-4, Rev. 49 AutoCAD Figure 7_4_2_4.doc

FIGURE 7.4-3 REPLACED BY DWG. M-148, SH. 1 FSAR REV. 65 SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT FIGURE 7.4-3 REPLACED BY DWG. M-148, SH. 1 FIGURE 7.4-3, Rev. 55 AutoCAD Figure 7_4_3.doc

FIGURE 7.4-4 REPLACED BY DWG. M1-C41-31, SH. 1 FSAR REV. 65 SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT FIGURE 7.4-4 REPLACED BY DWG. M1-C41-31, SH. 1 FIGURE 7.4-4, Rev. 55 AutoCAD Figure 7_4_4.doc