ML22194A220

2 to Updated Final Safety Analysis Report, Chapter 7, Instrumentation and Controls
ML22194A220
Person / Time
Site: Summer South Carolina Electric & Gas Company
Issue date: 06/27/2022
From: Dominion Energy South Carolina
To: Office of Nuclear Reactor Regulation
Shared Package: ML22194A236
References: 22-179


Text

V.C. Summer Power Station Safety Analysis Report Instrumentation and Controls Chapter 7 Revision 22--Updated Online 05/27/22

Revision 22--Updated Online 05/27/22 VC SUMMER UFSAR 1 of 1

This Revision summary replaces the List of Effective pages of the VC Summer FSAR, effective June 30, 2021. It will appear in Chapter 00 of the VC Summer FSAR and is the best history available of all the changes made to the original VC Summer FSAR. As changes are made now, only a REV bar will appear in the right margin next to a change. All other REV bars from previous NRC updates will eventually be removed. These changes were made to accommodate VC Summer fleet integration efforts.

Instrumentation and Controls
Table of Contents

7.0 INSTRUMENTATION AND CONTROLS
7.1 INTRODUCTION
7.1.1 Identification of Safety-Related Systems
7.1.1.1 Safety-Related Systems
7.1.1.2 Safety-Related Display Instrumentation
7.1.1.3 Instrumentation and Control System Designers
7.1.1.4 Plant Comparison
7.1.2 Identification of Safety Criteria
7.1.2.1 Design Bases
7.1.2.2 Independence of Redundant Safety-Related Systems
7.1.2.3 Physical Identification of Safety-Related Equipment
7.1.2.4 Conformance to Criteria
7.1.2.5 Conformance to Regulatory Guide 1.22
7.1.2.6 Conformance to Regulatory Guide 1.47
7.1.2.7 Conformance to Regulatory Guide 1.53 and IEEE Standard 379-1972
7.1.2.8 Conformance to Regulatory Guide 1.63
7.1.2.9 Conformance to IEEE Standard 317-1972
7.1.2.10 Conformance to IEEE Standard 336-1971
7.1.2.11 Conformance to IEEE Standard 338-1971
7.1.3 References
7.2 REACTOR TRIP SYSTEM
7.2.1 Description
7.2.1.1 System Description
7.2.1.2 Design Bases Information
7.2.1.3 Final Systems Drawings
7.2.2 Analysis
7.2.2.1 Failure Mode and Effects Analyses
7.2.2.2 Evaluation of Design Limits
7.2.2.3 Specific Control and Protection Interactions
7.2.2.4 Additional Postulated Accidents

7.2.3 Tests and Inspections
7.2.4 References
7.3 ENGINEERED SAFETY FEATURES ACTUATION SYSTEM
7.3.1 Description
7.3.1.1 System Description
7.3.1.2 Design Bases Information
7.3.1.3 Final System Drawings
7.3.2 Analysis
7.3.2.1 Failure Mode and Effects Analyses
7.3.2.2 Compliance With Standards and Design Criteria
7.3.2.3 Further Considerations
7.3.2.4 Summary
7.3.3 Electric Hydrogen Recombiner-Description of Instrumentation
7.3.3.1 Initiating Circuits
7.3.3.2 Logic
7.3.3.3 Bypasses
7.3.3.4 Interlocks
7.3.3.5 Sequence
7.3.3.6 Redundancy
7.3.3.7 Diversity
7.3.3.8 Actuated Devices
7.3.4 Cross References
7.3.5 References
7.4 SYSTEMS REQUIRED FOR SAFE SHUTDOWN
7.4.1 Description
7.4.1.1 Monitoring Indicators
7.4.1.2 Controls
7.4.1.3 Control Room Evacuation
7.4.1.4 Equipment and Systems Available for Cold Shutdown
7.4.2 Analysis
7.4.2.1 Conformance to General Design Criterion 19
7.4.2.2 Conformance to IEEE Standard 279-1971

7.4.3 Cross References
7.5 SAFETY RELATED DISPLAY INSTRUMENTATION
7.5.1 Description
7.5.2 Analysis
7.5.3 Design Criteria
7.5.4 ESF Monitor Lights
7.5.5 Inadequate Core Cooling
7.5.6 References
7.6 ALL OTHER SYSTEMS REQUIRED FOR SAFETY
7.6.1 Instrumentation and Control Power Supply System
7.6.1.1 Description
7.6.1.2 Analysis
7.6.2 Residual Heat Removal Isolation Valves
7.6.2.1 Description
7.6.2.2 Analyses
7.6.3 Refueling Interlocks
7.6.4 Accumulator Motor Operated Valves
7.6.5 Leakage Detection Systems
7.6.5.1 Description
7.6.5.2 Analysis
7.6.6 Interlocks for RCS Pressure Control During Low Temperature Operation
7.6.7 Switchover From Injection to Recirculation
7.6.7.1 Description of Instrumentation Used for Switchover
7.6.7.2 Initiating Circuit
7.6.7.3 Logic
7.6.7.4 Bypass
7.6.7.5 Interlocks
7.6.7.6 Sequence
7.6.7.7 Redundancy
7.6.7.8 Diversity
7.6.7.9 Actuated Devices
7.6.7.10 Channel Bypass Indication

7.6.8 Deleted
7.6.9 Deleted
7.6.10 Deleted
7.6.11 Switchover From Spray to Recirculation
7.6.11.1 Description of Instrumentation Used for Switchover
7.6.11.2 Initiation Circuit
7.6.11.3 Logic
7.6.11.4 Bypass
7.6.11.5 Interlocks
7.6.11.6 Sequence
7.6.11.7 Redundancy
7.6.11.8 Diversity
7.6.11.9 Actuated Devices
7.6.11.10 Channel Bypass Indication
7.6.12 References
7.7 CONTROL SYSTEMS NOT REQUIRED FOR SAFETY
7.7.1 Description
7.7.1.1 Reactor Control System
7.7.1.2 Rod Control System
7.7.1.3 Plant Control Signals for Monitoring and Indicating
7.7.1.4 Plant Control System Interlocks
7.7.1.5 Pressurizer Pressure Control
7.7.1.6 Pressurizer Water Level Control
7.7.1.7 Steam Generator Water Level Control
7.7.1.8 Steam Dump Control
7.7.1.9 Incore Instrumentation
7.7.2 Analysis
7.7.2.1 Separation of Protection and Control System
7.7.2.2 Response Considerations of Reactivity
7.7.2.3 Step Load Changes Without Steam Dump
7.7.2.4 Loading and Unloading
7.7.2.5 Load Rejection Furnished by Steam Dump System
7.7.2.6 Turbine Generator Trip with Reactor Trip

7.7.3 Technical Support Complex (TSC)
7.7.3.1 Description
7.7.3.2 Analysis
7.7.4 Critical Systems Leak Monitoring System
7.7.4.1 Description
7.7.4.2 Analysis
7.7.5 Reactor Vessel Level Instrumentation System
7.7.6 Core Subcooling Monitor
7.7.7 References
7.8 ATWS MITIGATION SYSTEM ACTUATION CIRCUITRY (AMSAC)
7.8.1 Description
7.8.1.1 System Description
7.8.1.2 Equipment Description
7.8.1.3 Functional Performance Requirements
7.8.1.4 AMSAC Interlocks
7.8.1.5 Steam Generator Level Sensor Arrangement
7.8.1.6 Turbine Impulse Chamber Pressure Arrangement
7.8.1.7 Trip System
7.8.1.8 Isolation Devices
7.8.1.9 AMSAC Diversity from the Reactor Protection Systems
7.8.1.10 Power Supply
7.8.1.11 Environmental Variations
7.8.1.12 Setpoints
7.8.2 Analysis
7.8.2.1 Safety Classification/Safety-Related Interface
7.8.2.2 Redundancy
7.8.2.3 Diversity from the Existing Trip System
7.8.2.4 Electrical Independence
7.8.2.5 Physical Separation from the Reactor Trip System and Engineered Safety Features Actuation System
7.8.2.6 Environmental Qualification
7.8.2.7 Seismic Qualification
7.8.2.8 Test, Maintenance, and Surveillance Quality Assurance
7.8.2.9 Power Supply

7.8.2.10 Testability at Power
7.8.2.11 Inadvertent Actuation
7.8.2.12 Maintenance Bypasses
7.8.2.13 Operating Bypasses
7.8.2.14 Indication of Bypasses
7.8.2.15 Means for Bypassing
7.8.2.16 Completion of Mitigative Actions Once Initiated
7.8.2.17 Manual Initiation
7.8.2.18 Information Readout
7.8.3 Compliance With Standards and Design Criteria

Instrumentation and Controls
List of Tables

Table 7.1-1 Listing of Applicable Criteria
Table 7.1-2 Applicable Criteria
Table 7.1-3 Conformance With Regulatory Guide 1.53 and IEEE 379-1972, for Balance of Plant Safety Related Instrumentation Control Systems
Table 7.2-1 List of Reactor Trips
Table 7.2-2 Protection System Interlocks
Table 7.2-3 Reactor Trip System Instrumentation
Table 7.2-4 Reactor Trip Correlation
Table 7.3-1 Instrumentation Operating Condition for Engineered Safety Features
Table 7.3-2 Instrument Operating Conditions for Isolation Functions
Table 7.3-3 Interlocks for Engineered Safety Features Actuation System
Table 7.3-4 Secondary System Accidents and Required Instrumentation, Minor Secondary System Pipe Break Major Secondary System Pipe Break
Table 7.3-5 Primary System Accidents and Required Instrumentation Ruptures in Small Pipes, Cracks in Large Pipes, Ruptures of Large Pipes, Steam Generator Tube Rupture
Table 7.3-6 Engineered Safety Feature Loading Sequence Control Panels, Degree of Conformance With Regulatory Guide 1.53 and IEEE-379-1972 (1)
Table 7.3-7 Instrument and Control Data Cross References
Table 7.4-1 Summary of Control Stations
Table 7.4-2 Instrument and Control Data Cross References
Table 7.5-2 Control Room Indicators and/or Recorders Available to the Operator to Monitor Significant Plant Parameters During Normal Operation
Table 7.6-1 Leak Detection Methods Inside Control Room
Table 7.7-1 Plant Control System Interlocks
Table 7.7-2 Intentionally Blank

Instrumentation and Controls
List of Figures

Figure 7.1-1 Protection System Block Diagram
Figure 7.2-1 Functional Diagrams Index and Symbols (Sheet 1 of 15) (DWG. NO. 108D837 Sh. 1)
Figure 7.2-1 Functional Diagrams Reactor Trip Signals (Sheet 2 of 15) (DWG. NO. 108D837 Sh. 2)
Figure 7.2-1 Functional Diagrams Nuclear Instr. and Manual Trip Signals (Sheet 3 of 15) (DWG. NO. 108D837 Sh. 3)
Figure 7.2-1 Functional Diagrams Nuclear Instr. Permissive Blocks (Sheet 4 of 15) (DWG. NO. 108D837 Sh. 4)
Figure 7.2-1 Functional Diagrams Pressurizer Trip Signals (Sheet 6 of 15) (DWG. NO. 108D837 Sh. 6)
Figure 7.2-1 Functional Diagrams Steam Generator Trip Signals (Sheet 7 of 15) (DWG. NO. 108D837 Sh. 7)
Figure 7.2-1 Functional Diagrams Rod Controls and Rod Blocks (Sheet 9 of 15) (DWG. NO. 108D837 Sh. 9)
Figure 7.2-1 Functional Diagrams Steam Dump Control (Sheet 10 of 15) (DWG. NO. 108D837 Sh. 10)
Figure 7.2-1 Functional Diagrams Pressurizer Pressure and Level Control (Sheet 11 of 15) (DWG. NO. 108D837 Sh. 11)
Figure 7.2-1 Functional Diagrams Pressurizer Heater Control (Sheet 12 of 15) (DWG. NO. 108D837 Sh. 12)
Figure 7.2-1 Functional Diagrams Feedwater Control and Isolation (Sheet 13 of 15) (DWG. NO. 108D837 Sh. 13)
Figure 7.2-2 Setpoint Reduction Function For Overtemperature T Trip
Figure 7.2-3 Reactor Trip/ESF Actuation Mechanical Linkage
Figure 7.3-2 Typical Engineered Safety Features Test Circuits
Figure 7.3-3 Engineered Safety Features Test Cabinet-Index, Notes and Legend
Figure 7.4-2 Control Room Evacuation Panel (XPN-7200-CE (A & B))
Figure 7.5-5 Westinghouse Safety Injection Groups (1-3) ESF Monitor Lights (GAI Dwg. b-804-664)
Figure 7.6-1 Logic Diagram - Residual Heat Removal System Isolation Valves XVG8701A and XVG8702B
Figure 7.6-1a Logic Diagram - Residual Heat Removal System Isolation Valves XVG8701B and XVG8702A
Figure 7.6-1b Logic Diagram - Residual Heat Removal System Isolation Valves XVG 8701A, 8701B, 8702A, 8702B
Figure 7.6-2 Functional Block Diagram of Accumulator Isolation Valve
Figure 7.6-9 Safety Injection System & Reactor Building Spray System Recirculation Isolation Valves
Figure 7.6-10 Safety Injection System & Reactor Building Spray System Recirculation Isolation Valves
Figure 7.7-1 Simplified Block Diagram of Reactor Control System
Figure 7.7-2 Control Bank Rod Insertion Monitor
Figure 7.7-3 Rod Deviation Comparator
Figure 7.7-4 Block Diagram of Pressurizer Pressure Control System
Figure 7.7-5 Block Diagram of Pressurizer Level Control System
Figure 7.7-6 Block Diagram of Steam Generator Water Level Control System
Figure 7.7-7 Block Diagram of Main Feedwater Pump Speed Control System
Figure 7.7-8 Block Diagram of Steam Dump Control System
Figure 7.7-9 Basic Flux-Mapping System
Figure 7.7-10 (Deleted Per RN 99-085)
Figure 7.7-11 (Deleted Per RN 99-085)
Figure 7.7-14 Simplified Block Diagram Rod Control System
Figure 7.7-15 Control Bank D Partial Simplified Schematic Diagram Power Cabinets 18D and 28D
Figure 7.8-1 Actuation Logic System Architecture

CHAPTER 7 - INSTRUMENTATION AND CONTROLS

7.0 INSTRUMENTATION AND CONTROLS

7.1 INTRODUCTION

This chapter presents the various plant instrumentation and control systems by relating the functional performance requirements, design bases, system descriptions, design evaluations, and tests and inspections for each. The information provided in this chapter emphasizes those instruments and associated equipment which constitute the protection system as defined in IEEE Standard 279-1971 "IEEE Standard: Criteria for Protection Systems for Nuclear Power Generating Stations," (Reference 1).

The primary purpose of the instrumentation and control systems is to provide automatic protection and exercise proper control against unsafe and improper reactor operation during steady-state and transient power operations (ANS Conditions I, II, III) and to provide initiating signals to mitigate the consequences of faulted conditions (ANS Condition IV). ANS conditions are discussed in Chapter 15. Consequently, the information presented in this chapter emphasizes those instrumentation and control systems which are central to assuring that the reactor can be operated to produce power in a manner that ensures no undue risk to the health and safety of the public.

It is shown that the applicable criteria and codes, such as General Design Criteria and IEEE Standards, concerned with the safe generation of nuclear power are met by these systems. See Table 7.1-1 for a listing of applicable criteria.

Terminology used in this chapter is based on the definitions given in IEEE Standard 279-1971 which is listed in Table 7.1-1. In addition, the following definitions apply:

1. Degree of Redundancy
   The difference between the number of channels monitoring a variable and the number of channels which, when tripped, will cause an automatic system trip.
2. Minimum Degree of Redundancy
   The degree of redundancy below which operation is prohibited, or otherwise restricted by the Technical Specifications.
3. Cold Shutdown Condition
   When the reactor is subcritical by at least 1 percent Δk/k and Tavg is 200 °F.
4. Hot Shutdown Condition
   When the reactor is subcritical by an amount greater than or equal to the margin specified in the applicable Technical Specification and Tavg is in the range specified in the applicable Technical Specification.
5. Phase A Containment Isolation
   Closure of all nonessential process lines which penetrate the Reactor Building, except engineered safety features lines, component cooling lines and steam lines into and out of the Reactor Building, initiated by the safety injection signal, or manually.
6. Phase B Containment Isolation
   Closure of remaining process lines, initiated by Reactor Building Hi-3 pressure signal or manually (process lines do not include engineered safety features lines). Steam lines will previously have been closed by Reactor Building Hi-2 pressure signal.
7. System Response Times
a. Reactor Trip System Response Time
   The Reactor Trip System response time shall be the time interval from when the monitored parameter exceeds its trip setpoint at the channel sensor until loss of stationary gripper coil voltage.
b. Engineered Safety Features Actuation System Response Time
   The Engineered Safety Features Actuation System response time shall be that time interval from when the monitored parameter exceeds its engineered safety features actuation setpoint at the channel sensor until the engineered safety features equipment is capable of performing its safety function (i.e., the valves travel to their required positions, pump discharge pressures reach their required values, etc.). Times shall include diesel generator starting and sequence loading delays where applicable.
8. Reproducibility
   This definition is taken from Scientific Apparatus Manufactures Association (SAMA) Standard PMC-20.2-1973, Process Measurement and Control Terminology: "the closeness of agreement among repeated measurements of the output for the same value of input, under normal operating conditions over a period of time, approaching from both directions." It includes drift due to environmental effects, hysteresis, long term drift, and repeatability.

Long term drift (aging of components, etc.) is not an important factor in accuracy requirements since, in general, the drift is not significant with respect to the time elapsed between testing. Therefore, long term drift may be eliminated from this definition.

Reproducibility, in most cases, is a part of the definition of accuracy (see item 9).


9. Accuracy
   This definition is derived from Scientific Apparatus Manufactures Association (SAMA) Standard PMC-20.2-1973, Process Measurement and Control Terminology. An accuracy statement for a device falls under Note 2 of the Scientific Apparatus Manufactures Association definition of accuracy, which means reference accuracy or the accuracy of that device at reference operating conditions: "Reference accuracy includes conformity, hysteresis and repeatability." To adequately define the accuracy of a system, the term reproducibility is useful as it covers normal operating conditions. The following terms, "trip accuracy" and "indicated accuracy," etc., will then include conformity and reproducibility under normal operating conditions. Where the final result does not have to conform to an actual process variable but is related to another value established by testing, conformity may be eliminated, and the term reproducibility may be substituted for accuracy.

10. Normal Operating Conditions
   Normal operating conditions include normal process temperature and pressure changes, and ambient temperature changes around the transmitter and racks. The normal operating conditions exclude those parameters experienced under post accident conditions.
11. Readout Devices
   For consistency the final device of a complete channel is considered a readout device. This includes indicators, recorders, and controllers.
12. Channel Accuracy
   This definition includes accuracy of primary element, transmitter and rack modules. It does not include readout devices or rack environmental effects, but does include process and environmental effects on field mounted hardware. Rack environmental effects are included in the next 2 definitions to avoid duplication due to dual inputs.
13. Indicated and/or Recorded Accuracy
   This definition includes channel accuracy, accuracy of readout devices and rack environmental effects.
14. Trip Accuracy
   This definition includes comparator accuracy, channel accuracy for each input, and rack environmental effects. This is the tolerance expressed in process terms (or percent of span) within which the complete channel must perform its intended trip function. This includes all instrument errors but no process effects such as streaming. The term "actuation accuracy" may be used where the word "trip" might cause confusion (for example, when starting pumps and other equipment).

15. Control Accuracy
   This definition includes channel accuracy, accuracy of readout devices (isolator, controller), and rack environmental effects. Where an isolator separates control and protection signals, the isolator accuracy is added to the channel accuracy to determine control accuracy, but credit is taken for tuning beyond this point; i.e., the accuracy of these modules (excluding controllers) is included in the original channel accuracy. It is simply defined as the accuracy of the control signal in percent of the span of that signal. This will then include gain changes where the control span is different from the span of the measured variable. Where controllers are involved, the control span is the input span of the controller. No error is included for the time in which the system is in a non-steady-state condition.

7.1.1 Identification of Safety-Related Systems

7.1.1.1 Safety-Related Systems

The Nuclear Steam Supply System (NSSS) instrumentation discussed in Chapter 7 that is required to function to achieve the system responses assumed in the safety evaluations, and those needed to shut down the plant safely are given in this section. Table 7.1-2 identifies safety related instrumentation and control systems.

7.1.1.1.1 Reactor Trip System

The Reactor Trip System is a functionally defined system described in Section 7.2. The equipment which provides the trip functions is identified and discussed in Section 7.2. Design bases for the Reactor Trip System are given in Section 7.1.2.1. Figure 7.1-1 includes a single line diagram of this system. Additional background information on the Reactor Trip System is contained in Reference 2.

7.1.1.1.2 Engineered Safety Features Actuation System

The Engineered Safety Features Actuation System is a functionally defined system described in Section 7.3. The equipment which provides the actuation functions is identified and discussed in Section 7.3. Design bases for the Engineered Safety Features Actuation System are given in Section 7.1.2.1.

7.1.1.1.3 Instrumentation and Control Power Supply System

Design bases for the Instrumentation and Control Power Supply System are given in Section 7.1.2.1. Further description of this system is provided in Section 7.6.1.

7.1.1.2 Safety-Related Display Instrumentation

Display instrumentation provides the operator with information to enable him to monitor the results of engineered safety features actions following a Condition II, III, or IV event. Section 7.5 describes the instrumentation required to maintain the plant in a hot shutdown condition or to proceed to cold shutdown.

7.1.1.3 Instrumentation and Control System Designers

Systems discussed in Chapter 7 have definitive functional requirements developed on the basis of the Westinghouse Nuclear Steam Supply System design. Figure 7.2-1 defines scope interface.

Regardless of the supplier, the functional requirements necessary to assure plant safety and proper control are clearly delineated.

7.1.1.4 Plant Comparison

System functions for all systems discussed in Chapter 7 are similar to those of the Joseph M. Farley Nuclear Plant. A comparison table is provided in Section 1.3.

7.1.2 Identification of Safety Criteria

Section 7.1.2.1 gives design bases for the systems given in Section 7.1.1.1. Design bases for non-safety related systems are provided in the sections which describe the systems. Conservative considerations for instrument errors are included in the accident analyses presented in Chapter 15.

Functional requirements, developed on the basis of the results of the accident analyses, which have utilized conservative assumptions and parameters are used in designing these systems and a preoperational testing program verifies the adequacy of the design. Accuracies are given in Sections 7.2, 7.3, and 7.5.

The documents listed in Table 7.1-1 were considered in the design of the systems given in Section 7.1.1. In general, the scope of these documents is given in the document itself. This determines the systems or parts of systems to which the document is applicable. A discussion of compliance with each document for systems in its scope is provided in the referenced sections given in Table 7.1-1 for each criterion. Because some documents were issued after design and testing had been completed, the equipment documentation may not meet the format requirements of some standards. Justification for any exceptions taken to each document for systems in its scope is provided in the referenced sections.

Table 7.1-2 outlines the design criteria that have been implemented in the design of safety related instrument and control systems.

7.1.2.1 Design Bases

7.1.2.1.1 Reactor Trip System

The Reactor Trip System acts to limit the consequences of Condition II events (faults of moderate frequency), such as loss of feedwater flow, by, at most, a shutdown of the reactor and turbine, with the plant capable of returning to operation after corrective action. The Reactor Trip System features impose a limiting boundary region to plant operation which ensures that the reactor safety limits are not exceeded during Condition II events and that these events can be accommodated without developing into more severe conditions. Reactor trip setpoints are given in the Technical Specifications.

The design requirements for the Reactor Trip System are derived by analyses of plant operating and fault conditions where automatic rapid control rod insertion is necessary in order to prevent or limit core or reactor coolant boundary damage. The design bases addressed in IEEE Standard 279-1971 are discussed in Section 7.2.1. The design limits specified by Westinghouse for the Reactor Trip System are:

1. There shall be at least a 95% probability (at a 95% confidence level) that departure from nucleate boiling (DNB) will not occur as a result of any anticipated transient or malfunction (Condition II faults).
2. Power density shall not exceed the rated linear power density for Condition II faults. See Chapter 4 for fuel design limits.
3. The stress limit of the Reactor Coolant System for the various conditions shall be as specified in Chapter 5.
4. Release of radioactive material shall not be sufficient to interrupt or restrict public use of those areas beyond the exclusion radius as a result of any Condition III fault.
5. For any Condition IV fault, release of radioactive material shall not result in an undue risk to public health and safety.

7.1.2.1.2 Engineered Safety Features Actuation System

The Engineered Safety Features Actuation System acts to limit the consequences of Condition III events (infrequent faults such as primary coolant spillage from a small rupture which exceeds normal charging system makeup and requires actuation of the Safety Injection System). The Engineered Safety Features Actuation System acts to mitigate Condition IV events (limiting faults, which include the potential for significant release of radioactive material).

The design bases for the Engineered Safety Features Actuation System are derived from the design bases given in Chapter 6 for the engineered safety features. Design bases requirements of IEEE Standard 279-1971 are addressed in Section 7.3.1.2. General design requirements are given below:

1. Automatic Actuation Requirements
   The primary requirement of the Engineered Safety Features Actuation System is to receive input signals (information) from the various on-going processes within the reactor plant and containment and automatically provide, as output, timely and effective signals to actuate the various components and subsystems comprising the Engineered Safety Features System.
2. Manual Actuation Requirements
   The Engineered Safety Features Actuation System must have provisions in the control room for manually initiating the functions of the Engineered Safety Features System.

7.1.2.1.3 Instrumentation and Control Power Supply System

The Instrumentation and Control Power Supply System provides continuous, reliable, regulated single phase a-c power to all instrumentation and control equipment required for plant safety.

Details of this system are provided in Section 7.6. The design bases are given below:

1. The inverter shall have the capacity and regulation required for the a-c output for proper operation of the equipment supplied.
2. Redundant loads shall be assigned to different distribution panels which are supplied from different inverters.
3. Auxiliary devices that are required to operate dependent equipment shall be supplied from the same distribution panel to prevent the loss of electric power in one protection set from causing the loss of equipment in another protection set. No single failure shall cause a loss of power supply to more than one distribution panel.
4. Each of the distribution panels shall have access only to its respective inverter supply and a standby power supply.
5. The system shall comply with IEEE Standard 308-1971, paragraph 5.4.
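
Design bases 2 through 4 can be checked mechanically against a supply topology. The following is an added example, not part of the UFSAR or of any plant software: every inverter, panel, bus and load name is constructed, and it assumes that each inverter lists the upstream components it cannot run without and that the standby supply is not credited when a single failure is evaluated.

```python
"""Audit a constructed instrument-power topology against design bases 2-4.

Assumptions of this sketch (not from the UFSAR): all names are constructed;
each inverter lists the upstream components it cannot run without; the
standby supply is not credited when evaluating a single failure.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Panel:
    name: str
    inverter: str            # the panel's respective inverter
    standby: str             # its standby power supply
    sources: frozenset       # every supply actually wired to the panel


@dataclass(frozen=True)
class Load:
    name: str
    function: str            # loads with the same function are redundant
    panel: str
    aux_panels: tuple = ()   # panels feeding auxiliary devices it depends on


def audit(panels, loads, inverter_needs):
    """Return sorted findings; an empty list means every check passed."""
    findings = []
    by_name = {p.name: p for p in panels}

    # Basis 4: access only to the respective inverter and a standby supply.
    for p in panels:
        extra = p.sources - {p.inverter, p.standby}
        if extra:
            findings.append(f"basis 4: {p.name} also wired to {sorted(extra)}")

    # Basis 2: redundant loads on different panels fed by different inverters.
    groups = {}
    for load in loads:
        groups.setdefault(load.function, []).append(load)
    for _, members in sorted(groups.items()):
        for a, b in combinations(members, 2):
            inv_a, inv_b = by_name[a.panel].inverter, by_name[b.panel].inverter
            if a.panel == b.panel:
                findings.append(
                    f"basis 2: {a.name} and {b.name} share panel {a.panel}")
            elif inv_a == inv_b:
                findings.append(
                    f"basis 2: {a.name} and {b.name} share inverter {inv_a}")

    # Basis 3: auxiliary devices come from the same panel as the equipment.
    for load in loads:
        for aux in load.aux_panels:
            if aux != load.panel:
                findings.append(
                    f"basis 3: {load.name} on {load.panel} has an auxiliary on {aux}")

    # Basis 3: no single failure may de-energize more than one panel.
    components = set(inverter_needs)
    for needs in inverter_needs.values():
        components |= set(needs)
    for failed in sorted(components):
        lost = sorted(p.name for p in panels
                      if failed == p.inverter
                      or failed in inverter_needs.get(p.inverter, ()))
        if len(lost) > 1:
            findings.append(f"basis 3: failure of {failed} drops {lost}")
    return sorted(findings)


def _panel(n, extra=()):
    inv, sby = f"INV-{n}", f"STBY-{n}"
    return Panel(f"PNL-{n}", inv, sby, frozenset({inv, sby, *extra}))


# Constructed topologies: one compliant, one with four seeded defects.
GOOD_PANELS = [_panel(n) for n in (1, 2, 3, 4)]
GOOD_NEEDS = {f"INV-{n}": {f"DC-BUS-{n}"} for n in (1, 2, 3, 4)}
GOOD_LOADS = [Load(f"PZR-PRESS-CH{n}", "pzr-pressure", f"PNL-{n}", (f"PNL-{n}",))
              for n in (1, 2, 3)]

BAD_PANELS = [_panel(1), _panel(2, extra=("INV-1",)), _panel(3), _panel(4)]
BAD_NEEDS = {**GOOD_NEEDS, "INV-4": {"DC-BUS-3"}}   # INV-3 and INV-4 share a bus
BAD_LOADS = [Load("SG-LVL-CH1", "sg-level", "PNL-1"),
             Load("SG-LVL-CH2", "sg-level", "PNL-1"),
             Load("SG-LVL-CH3", "sg-level", "PNL-3", ("PNL-4",))]

if __name__ == "__main__":
    print("good:", audit(GOOD_PANELS, GOOD_LOADS, GOOD_NEEDS))
    for line in audit(BAD_PANELS, BAD_LOADS, BAD_NEEDS):
        print("bad: ", line)
```

The shared-bus defect is the one a panel-by-panel review tends to miss, because each panel still shows its own inverter and its own standby.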

7.1.2.1.4 Emergency Power

Design bases and system description for the emergency power supply are provided in Chapter 8.

7.1.2.1.5 Interlocks

Interlocks are discussed in Sections 7.2, 7.3, 7.6, and 7.7. The Reactor Trip and Engineered Safety Features Actuation System protection (P) interlocks are given on Tables 7.2-2 and 7.3-3. The safety analyses demonstrate that even under conservative critical conditions for either postulated or hypothetical accidents, the protective systems ensure that the Nuclear Steam Supply System will be put into and maintained in a safe state following an ANS Condition II, III, or IV accident commensurate with applicable Technical Specifications and pertinent ANS Criteria. Therefore, the protective systems have been designed to meet IEEE Standard 279-1971 and are entirely redundant and separate, including all permissives and blocks. All blocks of a protective function are automatically cleared whenever the protective function would be required to function in accordance with General Design Criteria 20, 21, and 22 and paragraphs 4.11, 4.12 and 4.13 of IEEE Standard 279-1971. Control interlocks (C) are identified on Table 7.7-1. Because control interlocks are not safety-related, they have not been specifically designed to meet the requirements of IEEE Protection System Standards.

7.1.2.1.6 Bypasses

Bypasses of protective functions are designed to meet the requirements of IEEE Standard 279-1971, paragraphs 4.11, 4.12, 4.13, and 4.14. A discussion of bypasses provided is given in Sections 7.2 and 7.3.

7.1.2.1.7 Equipment Protection

The criteria for equipment protection are given in Chapter 3. Equipment related to safe operation of the plant is designed, constructed and installed to protect it from damage. This is accomplished by working to accepted standards and criteria aimed at providing reliable instrumentation which is available under varying conditions. As an example, certain equipment is seismically qualified in accordance with IEEE Standard 344-1971. During construction, independence and separation are achieved, as required by IEEE Standard 279-1971 and IEEE Standard 384-1974, either by barriers, physical separation or demonstration by test. This serves to protect against complete destruction of a system by fires, missiles or other natural hazards.

7.1.2.1.8 Diversity

Functional diversity has been designed into the system. Functional diversity is discussed in Reference 3. The extent of diverse system variables has been evaluated for a wide variety of postulated accidents. Generally, 2 or more diverse protection functions would automatically occur to mitigate the consequences of an accident.

For example, there are automatic reactor trips based upon neutron flux measurements, reactor coolant loop temperature and flow measurements, steam generator level measurements, pressurizer pressure and level measurements, feedwater flow measurements, and reactor coolant pump underfrequency and undervoltage measurements, as well as manually, and by initiation of a safety injection signal or turbine trip.

Regarding the Engineered Safety Features Actuation System for a loss of coolant accident, a safety injection signal can be obtained manually or by automatic initiation from any one of the following diverse parameter measurements:

1. Low pressurizer pressure.
2. High Reactor Building pressure (Hi-1).

For a steam break accident, safety injection signal actuation is provided by:

1. Low steam line pressure.
2. High steam line differential pressure.
3. For a steam break inside Reactor Building, high Reactor Building pressure (Hi-1) provides an additional parameter for generation of the signal.

All of the above sets of signals are redundant and physically separated and meet the requirements of IEEE Standard 279-1971.

7.1.2.1.9 Bistable Trip Setpoints

Westinghouse specifies 3 setpoints applicable to reactor trip and engineered safety features actuation:

1. Safety limit setpoint.
2. Limiting setpoint.
3. Nominal setpoint.

The safety limit is the value assumed in the accident analysis and is the least conservative value.

The limiting setpoint is the Technical Specification value and is obtained by subtracting a safety margin from the safety limit. The safety margin accounts for instrument error, process uncertainties such as flow stratification and transport factor effects, etc.

The nominal setpoint is the value set into the equipment and is obtained by subtracting allowances for instrument drift and calibration uncertainty from the limiting setpoint. The nominal setpoint allows for the normal expected instrument setpoint drifts such that the Technical Specification limits will not be exceeded under normal operation.

The setpoints that require trip action are given in the Technical Specifications. A further discussion on setpoints is found in Section 7.2.2.2.1.

The trip setpoint is determined by factors other than the most accurate portion of the instrument's range. The safety limit setpoint is determined only by the accident analysis. As described above, allowance is then made for process uncertainties, instrument error, instrument drift, and calibration uncertainty to obtain the nominal setpoint value which is actually set into the equipment. The only requirement on the instrument's accuracy value is that over the instrument span, the error must always be less than or equal to the error value allowed in the accident analysis. The instrument does not need to be the most accurate at the setpoint value as long as it meets the minimum accuracy requirement. The accident analysis accounts for the expected errors at the actual setpoint.

Range selection for the instrumentation covers the expected range of the process variable being monitored consistent with its application. The design of the Reactor Protection and Engineered Safety Features Systems is such that the bistable trip setpoints do not require process transmitters to operate within 5% of the high and low end of their calibrated span or range. Functional requirements established for every channel in the Reactor Protection and Engineered Safety Features Systems stipulate the maximum allowable errors on accuracy, linearity, and reproducibility. The protection channels have the capability for, and are tested to ascertain that, the characteristics throughout the entire span in all aspects are acceptable and meet functional requirement specifications. As a result, no protection channel actuates within 5% of the limits of its specified span (activation setpoints are located between 5 - 95% of span).

In this regard, it should be noted that the specific functional requirements for response time, setpoint, and operating span were finalized based on the results and evaluation of safety studies carried out using data pertinent to the plant. Emphasis is placed on establishing adequate performance requirements under both normal and faulted conditions. This includes consideration of process transmitter margins such that, even under a highly improbable situation of full power operation at the limits of the operating map (as defined by the high and low pressure reactor trip, ΔT overpower and overtemperature trip lines (departure from nucleate boiling protection) and the steam generator safety valve pressure setpoint), adequate instrument response is available to ensure plant safety.
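
The setpoint chain and the 5 - 95% of span rule of this section, worked through as an added example that is not part of the UFSAR; every number is constructed and none is a plant value. It goes beyond the text in one respect: the section describes subtracting the allowances, which fits a trip on a rising variable, and the code adds them for a trip on a falling variable, which is an assumption of this example.

```python
"""Setpoint chain for a bistable trip channel, with the 5-95% span check.

All numbers are constructed for illustration; none is a plant value.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TripChannel:
    name: str
    span_low: float          # bottom of calibrated span, process units
    span_high: float         # top of calibrated span
    safety_limit: float      # value assumed in the accident analysis
    safety_margin: float     # instrument error plus process uncertainties
    drift: float             # allowance for instrument drift
    calibration: float       # allowance for calibration uncertainty
    trips_high: bool = True  # False: trips on a falling variable (assumption)


def derive(ch):
    """Return (limiting, nominal) setpoints in process units."""
    if min(ch.safety_margin, ch.drift, ch.calibration) < 0:
        raise ValueError(f"{ch.name}: allowances must be non-negative")
    if not ch.span_low < ch.span_high:
        raise ValueError(f"{ch.name}: empty span")
    # Allowances always move the setpoint away from the safety limit, toward
    # the normal operating region: down for a high trip, up for a low trip.
    step = -1.0 if ch.trips_high else 1.0
    limiting = ch.safety_limit + step * ch.safety_margin
    nominal = limiting + step * (ch.drift + ch.calibration)
    return limiting, nominal


def percent_of_span(ch, value):
    """Express a process value as a percentage of the calibrated span."""
    return 100.0 * (value - ch.span_low) / (ch.span_high - ch.span_low)


def within_actuation_band(ch):
    """True when the nominal setpoint lies between 5% and 95% of span."""
    _, nominal = derive(ch)
    return 5.0 <= percent_of_span(ch, nominal) <= 95.0


def as_found_acceptable(ch, as_found):
    """True when a drifted setting has not crossed the limiting setpoint."""
    limiting, _ = derive(ch)
    return as_found <= limiting if ch.trips_high else as_found >= limiting


# Constructed channels on a 0-1000 unit span.
HIGH = TripChannel("high-trip", 0.0, 1000.0, 900.0, 30.0, 15.0, 5.0)
LOW = TripChannel("low-trip", 0.0, 1000.0, 100.0, 30.0, 15.0, 5.0,
                  trips_high=False)
EDGE = TripChannel("near-top-of-span", 0.0, 1000.0, 990.0, 20.0, 5.0, 5.0)

if __name__ == "__main__":
    for ch in (HIGH, LOW, EDGE):
        limiting, nominal = derive(ch)
        print(f"{ch.name:18} limiting={limiting:6.1f} nominal={nominal:6.1f} "
              f"{percent_of_span(ch, nominal):5.1f}% of span "
              f"band_ok={within_actuation_band(ch)}")
```

The third channel shows the failure mode the span rule guards against: its allowances are all valid, yet the nominal setpoint lands at 96% of span, so the channel needs a wider calibrated range.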

7.1.2.1.10 Engineered Safety Features Motor Specifications

Engineered safety features motor specifications are described in Section 8.3.1.1.4.

7.1.2.2 Independence of Redundant Safety-Related Systems

The safety related systems in Section 7.1.1.1 are designed to meet the independence and separation requirements of Criterion 22 of the 1971 General Design Criteria and paragraph 4.6 of IEEE Standard 279-1971.

The electrical power supply, instrumentation, and control conductors for redundant circuits of a nuclear plant have physical separation to preserve the redundancy and to ensure that no single credible event will prevent operation of the associated function due to electrical conductor damage. Critical circuits and functions include power, control and analog instrumentation associated with the operation of the Reactor Trip System or Engineered Safety Features Actuation System. Credible events shall include, but not be limited to, the effects of short circuits, pipe rupture, missiles, fire, etc., and are considered in the basic plant design.

7.1.2.2.1 General

Specifications for field wiring of redundant circuitry are discussed in Section 8.3.1.4.

The physical separation criteria for redundant safety related system sensors, sensing lines, wireways, cables, and components on control boards/racks within Westinghouse scope meet recommendations contained in Regulatory Guide 1.75 and Westinghouse letter NS-CE-604 of March 31, 1975 from C. Eicheldinger to the Secretary of the Commission.

7.1.2.2.2 Specific Systems

Independence is maintained throughout the system, extending from the sensor through to the devices actuating the protective function. Physical separation is used to achieve separation of redundant transmitters. Separation of wiring is achieved using separate wireways, cable trays, conduit runs and Reactor Building penetrations for each redundant protection channel set.

Redundant analog equipment is separated by locating modules in different protection rack sets.

Each redundant channel set is energized from a separate a-c power feed.

There are 4 separate process analog sets. Separation of redundant analog channels begins at the process sensors and is maintained in the field wiring, Reactor Building penetrations, and analog protection cabinets to the redundant trains in the logic racks. Redundant analog channels are separated by locating modules in different cabinets.

Since all equipment within any cabinet is associated with a single protection set, there is no requirement for separation of wiring and components within the cabinet.

In the Nuclear Instrumentation System, Process Systems, and Solid-State Protection System input cabinets where redundant channel instrumentation is physically adjacent, there are no wireways or cable penetrations which would permit, for example, a fire resulting from electrical failure in one channel to propagate into redundant channels in the logic racks. Redundant analog channels are separated by locating modules in different cabinets. Since all equipment within any cabinet is associated with a single protection set, there is no requirement for separation of wiring and components within the cabinet. Nevertheless, concerns relative to wiring of isolation devices within protection cabinets prompted Westinghouse programs aimed at alleviating them. A discussion is given in Section 7.2.2.2.3.7.

Two (2) reactor trip breakers are actuated by 2 separate logic matrices which interrupt power to the control rod drive mechanisms. The breaker main contacts are connected in series with the power supply so that opening either breaker interrupts power to all full length control rod drive mechanisms, permitting the rods to free fall into the core.

1. Reactor Trip System
a. Separate routing shall be maintained for the 4 basic Reactor Trip System channel sets analog sensing signals, bistable output signals and power supplies for such systems. The separation of these 4 channel sets shall be maintained from sensors to instrument cabinets to logic system input cabinets.
b. Separate routing of the redundant reactor trip signals from the redundant logic system cabinets shall be maintained, and in addition, they shall be separated by spatial separation or by provision of barriers or by separate cable trays or wireways from the 4 analog channel sets.
2. Engineered Safety Features Actuation System
a. Separate routing shall be maintained for the 4 basic sets of Engineered Safety Features Actuation System analog sensing signals, bistable output signals and power supplies for such systems. The separation of these 4 channel sets shall be maintained from sensors to instrument cabinets to logic system input cabinets.
b. Separate routing of the engineered safety features actuation signals from the redundant logic system cabinets shall be maintained. In addition, they shall be separated by spatial separation or by provisions of barriers or by separate cable trays or wireways from the 4 analog channel sets.


c. Separate routing of control and power circuits associated with the operation of engineered safety features equipment is required to retain redundancies provided in the system design and power supplies.
3. Instrumentation and Control Power Supply System
   The separation criteria presented also apply to the power supplies for the load centers and buses distributing power to redundant components and to the control of these power supplies.
4. Control Board
   A majority of the control board switches and associated lights are furnished in modules. These modules provide a high degree of physical protection for the switches, associated lights, and wiring. Control board switches and associated lights which are not located in modules and other devices within the control boards are located such that a minimum of 6 inches air separation is maintained between devices and wiring associated with different trains. Where this 6 inches of air space in all directions cannot be maintained, barriers are provided or an analysis of the installation is performed. This analysis is based on tests performed to determine the flame retardant characteristics of the wiring material, equipment, and other materials internal to the panel.

Where necessary to maintain separation, cabling from devices on the front of the control board to the horizontal metal wireways (gutters) within the control board is routed in flexible conduit or metallic braid. The redundant cables are then routed through separate gutters to the termination cabinets located beneath the control room via vertical metal wireways (risers). The termination cabinets are arranged to maintain the separated routing of the control board cables through the termination cabinets to the field wiring tray systems. In addition, separate metal wireways and termination cabinets are used for the various low-level analog channels and for the various control-level channels.

Relay subpanels located in or associated with the control boards contain Class 1E devices such as fuses, relays, and relay type isolation devices. Mutually redundant safety related devices are located on separate subpanels. Separate metal wireways provide separation for Class 1E wiring and non-Class 1E wiring departing the subpanels. Where relay panels contain relay type isolation devices, the separation of the wiring from the input and output terminals to the separate wireways may be less than 6 inches provided it is not less than the 1 inch distance between input and output terminals of the isolation device.

Flame resistant cable is used for internal module wiring and multi-conductor cables within the control board. Flame resistant single conductor cable with 30 MIL insulation is used for intraboard jumpers. Sizing of copper conductors is based upon conservative current carrying capacities set forth by the National Electric Code.

Inherent flame-retardant characteristics and properties were an important consideration in the selection, design, and fabrication of components and materials used in the control board; therefore, a postulated fire cannot propagate.

In order to maintain separation between wiring associated with different trains, mutually redundant safety train wiring is not terminated on a single device. Backup manual actuation switches link the separate trains by mechanical means to provide greater reliability of operator action for the manual reactor trip function and manual engineered safety features actuations. The linked switches are themselves redundant so that operation of either set of linked switches will actuate safety trains A and B simultaneously. This is shown in Figure 7.2-3. The design of the manual reactor trip function and manual engineered safety features actuations complies with Regulatory Guide 1.62 (see also Figure 7.3.2.2.7).

Manual actuation from the control room of each Reactor Protection or Engineered Safety Features System is provided by 2 functionally redundant, physically separate and independent switches meeting the requirements of IEEE-279-1971. In order to prevent inadvertent manual actuation of reactor building spray, a pair of switches must be operated simultaneously. A second pair of switches is provided for manual actuation so a single failure will not prevent manual actuation of the reactor building spray. Redundant switches are provided for the manual control of steam line isolation.

Control switches are provided on the control board for all components that are actuated by manual engineered safety features function initiation switches.

Manual controls for the reactor protection and engineered safety features are listed in Tables 7.2-1, 7.3-1, and 7.3-2.

Transmitted signals (flow, pressure, temperature, etc.) which cause actuation of the engineered safety features are either indicated or recorded. Redundant channels of post accident monitoring indicators are separated by barriers and/or air separation.

7.1.2.2.3 Fire Protection

Electrical equipment is supplied with noncombustible or fire retardant material. Materials which may ignite or explode from an electrical spark, flame, or from heating are not used. Current carrying capacities of instrument cabinet wiring preclude electrical fires resulting from excessive overcurrent (I²R) losses. For example, wiring used for instrument cabinet construction has Teflon or Tefzel insulation and is adequately sized based on current carrying capacities set forth by the National Electric Code. In addition, fire retardant (intumescent) paint is used to prevent fire or heat propagation from rack to rack. The application of paint to interiors and/or exteriors of nuclear safety related electrical equipment located outside the Reactor Building containment is a non-nuclear safety related activity. Braided sheathed material is noncombustible.

For early warning and protection against propagation of electrical fires, smoke or other high sensitivity detectors are provided for fire detection, alarm and extinguishing systems in remote wireways or other unattended areas where large concentrations of cables are installed (see Section 8.3.3.2).

Details of the fire protection system are provided in Section 9.5.1.

7.1.2.3 Physical Identification of Safety-Related Equipment

There are 4 separate protection sets identifiable with process equipment associated with the Reactor Trip and Engineered Safety Features Actuation Systems. A protection set may be comprised of more than a single process equipment cabinet. The color coding of each process equipment rack nameplate coincides with the color code established for the protection set of which it is a part. Redundant channels are separated by locating them in different equipment cabinets. Separation of redundant channels begins at the process sensors and is maintained in the field wiring, Reactor Building penetrations and equipment cabinets to the redundant trains in the logic racks. The Solid-State Protection System input cabinets are divided into 4 isolated compartments, each servicing 1 of the 4 redundant input channels. Horizontal 1/8 inch thick solid steel barriers, coated with fire retardant paint, separate the compartments. Four (4) 1/8 inch thick solid steel wireways, coated with fire retardant paint, enter the input cabinets vertically, each in its own quadrant. The wireway for a particular compartment is open only into that compartment so that flame could not propagate to affect other channels. At the logic racks the protection set color coding for redundant channels is clearly maintained until the channel loses its identity in the redundant logic trains. The color coded nameplates described below provide identification of equipment associated with protective functions and their channel set association:

PROTECTION SET | COLOR CODING
I | RED with BLACK lettering
II | ORANGE with BLACK lettering
III | BLUE with BLACK lettering
IV | YELLOW with BLACK lettering

Noncabinet mounted protective equipment and components are provided with an identification tag or nameplate. Small electrical components such as relays have nameplates on the enclosure which houses them. There are also identification nameplates on the input panels of the Solid-State Logic Protection System. The identification of cables, cable trays, conduits and electrical equipment is discussed in Section 8.3.1.5.

7.1.2.4 Conformance to Criteria

A listing of applicable criteria and the sections where conformance is discussed is given in Tables 7.1-1 and 7.1-2.

7.1.2.5 Conformance to Regulatory Guide 1.22

Periodic testing of the Reactor Trip and Engineered Safety Features Actuation Systems, as described in Sections 7.2.2 and 7.3.2, complies with Regulatory Guide 1.22, "Periodic Testing of Protection System Actuation Functions."

Where the ability of a system to respond to a bona fide accident signal is intentionally bypassed for the purpose of performing a test during reactor operation, each bypass condition is automatically indicated to the reactor operator in the Main Control Room by a separate annunciator for the train in test. Test circuitry does not allow 2 trains to be tested at the same time so that extension of the bypass condition to the redundant system is prevented.

The actuation logic for the Reactor Trip and Engineered Safety Features Actuation System is tested as described in Sections 7.2 and 7.3. As recommended by Regulatory Guide 1.22, where actuated equipment is not tested during reactor operation it has been determined that:

1. There is no practicable system design that would permit operation of the equipment without adversely affecting the safety or operability of the plant;
2. The probability that the protection system will fail to initiate the operation of the equipment is, and can be maintained, acceptably low without testing the equipment during reactor operation; and
3. The equipment can routinely be tested when the reactor is shut down.

The list of equipment that cannot be tested at full power so as not to damage equipment or upset plant operation is:

1. Manual actuation switches.
2. Reactor coolant pump breakers.
3. Turbine.
4. Main steam line isolation valves (complete closure).
5. Main feedwater isolation valves (close).
6. Feedwater control valves and feedwater bypass control valves (close).
7. Main feedwater pump trip solenoids.
8. Reactor coolant pump component cooling water isolation valves (close).
9. Reactor coolant pump seal water return valves (close).
10. Instrument air supply to reactor building isolation valves (close).
11. Engineered safety features loading sequencer input buffer and output relays.

The justifications for not testing the above items at full power are discussed below:

1. Manual Actuation Switches

These would cause initiation of their protection system function at power causing plant upset and/or reactor trip. The analog signals, from which the automatic safety injection signal is derived, are tested at power in the same manner as the other analog signals and as described in Section 7.2.2.2.3. The processing of these signals in the Solid-State Protection System wherein their channel orientation converts to a logic train orientation is tested at power by the built-in semiautomatic test provisions of the Solid-State Protection System. The reactor trip breakers are tested at power as discussed in Section 7.2.2.2.3.

2. Reactor Coolant Pump Breakers

No credit is taken in the accident analyses for a reactor coolant pump breaker opening causing a reactor trip. Since testing them at power would cause plant upset, the reactor coolant pump breakers do not need to be tested at power.

3. Turbine

Testing of main turbine trip signals during normal operation would result in a reactor trip.

Although the EHC control system turbine trip logic is not qualified as a safety related system, it is a highly reliable system that consists of redundant (2-of-3 per train) trip actuation logic (as functionally shown on Figure 7.2-1, Sheet 15). The turbine trip logic allows for an Online ETD Test method which temporarily cycles applicable components, for the Electronic Trip Device (ETD) undergoing test, into its tripped state; the corresponding exercised components include Primary Trip Relay (PTR) logic output, one ETD solenoid, one ETD dump valve, and its dump valve position indication. This test method systematically verifies the functionality of each 1-of-3 ETD solenoid/dump valve in each of the two ETD trains, without actually tripping the Turbine. (Note that 2-of-3 Emergency Trip Relay (ETR) logic outputs (also shown on Figure 7.2-1, Sheet 15) are functionally verified only during offline testing, given its application as backup protection.)

The interface between the Engineered Safety Features (ESF) System and the EHC control system is also shown functionally on Figure 7.2-1, Sheet 15. Trip signals received from these ESF System interfaces (or from other Turbine protection trip signals) will be processed by EHC control system trip actuation logic circuitry, which includes PTRs (or the backup ETRs, where applicable). Receipt of 2-of-3 actuations via either PTRs or ETRs (in either train) will result in de-energized ETD solenoids and tripped-open ETD dump valves. The outcome of either train's 2-of-3 dump valve actuation is ETS hydraulic fluid loss (dump), closure of Turbine Stop and Control Valves, and a Turbine Trip condition. This 2-of-3 Turbine Trip actuation can also result from a complete loss of both non-safety related power supply feeders to the EHC control system cabinet (including the loss of a dedicated EHC battery-backed uninterruptible power supply, in the alternate feeder circuit).

Given the identified problem (turbine trip initiation) incurred with periodic testing during power operation of the entire 2-of-3 turbine trip actuation logic, the proposed resolution (using the Online ETD Test method) meets the intent of Regulatory Guide 1.22, Section D.4 guidelines (see Appendix 3A). The Online ETD Test method provides for periodic testing of individual components within a practical system design, without adversely affecting the plant safety or operability. Use of the Online ETD Test method is further justified since: the probability of protection system failure to trip the Turbine is acceptably low, given trip system redundancy and power fail safe design features; and the complete turbine trip logic is routinely tested during refueling outages.

4. Main Steam Line Isolation Valves (Complete Closure)

Main steam line isolation valves are routinely tested during refueling outages. Testing of the main steam line isolation valves to full closure at power is not practical. As the plant power is increased, the core average temperature is programmed to increase. If the valves are fully closed under these elevated temperature conditions, the steam pressure transient would unnecessarily operate the steam generator relief valves and possibly the steam generator safety valves. The steam pressure transient produced would cause shrinkage in the steam generator level, which would cause the reactor to trip on low-low steam generator water level. Testing during operation will decrease the operating life of the valve.

Based on the above identified problems incurred with periodic testing of the main steam line isolation valves at power and since, 1) no practical system design will permit operation of the valves without adversely affecting the safety or operability of the plant, 2) the probability that the protection system will fail to initiate the actuated equipment is acceptably low due to test up to final actuation, 3) these valves will be routinely tested during refueling outages, and 4) these valves are tested during plant operation by partial closure (90 to 95 percent open) by actuating a test solenoid valve which does not inhibit an engineered safety feature automatic closure, the proposed resolution meets the guidelines of Section D.4 of Regulatory Guide 1.22.

5. Main Feedwater Isolation Valves (Close)

The main feedwater isolation valves are routinely tested during refueling outages. Periodic testing of these feedwater isolation valves, closing them completely, or partially, at power would induce steam generator water level transients and oscillations which would trip the reactor. These transient conditions would be caused by perturbing the feedwater flow and pressure conditions necessary for proper operation of the variable-speed feedwater pump control system and the steam generator water level control system. An operation which induces perturbations in the main feedwater flow, whether deliberate or otherwise, may lead to a reactor trip and should be avoided.

Based on these identified problems incurred with periodic testing of the backup feedwater valves at power and since, 1) no practical system design will permit operation of these valves without adversely affecting the safety or operability of the plant, 2) the probability that the protection system will fail to initiate the activated equipment is acceptably low due to testing up to final actuation, and 3) these valves will be routinely tested during refueling outages, the proposed resolution meets the guidelines of Section D.4 of Regulatory Guide 1.22.

6. Feedwater Control Valves (Close)

These valves are routinely tested during refueling outages. To close them at power would adversely affect the operability of the plant. The verification of operability of feedwater control valves at power is assured by confirmation of proper operation of the Steam Generator Water Level System. The actual actuation function of the solenoids, which provides the closing function, is periodically tested at power as discussed in Section 7.3.2.2.5.

The operability of the slave relay which actuates the solenoid, which is the actuating device, is verified during this test. Although the actual closing of these control valves is blocked when the slave relay is tested, all functions are tested to assure that no electrical malfunctions have occurred which could defeat the protective function. It is noted that the solenoids work on the de-energize-to-actuate principle, so that the feedwater control valves will fail close upon either the loss of electrical power to the solenoids or loss of air pressure.

Based on the above, the testing of the isolating function of feedwater control valves meets the guidelines of Section D.4 of Regulatory Guide 1.22.

7. Main Feedwater Pump Trip Solenoids

The containment integrity analysis assumes the feedwater isolation valves and/or feedwater control valves isolate feedwater flow and therefore the feedwater pump trip solenoids require no periodic testing.

However, these trip solenoids are routinely tested during refueling outages. To close them at full power would adversely affect the operability of the plant. The actual actuation function of the solenoids, which provides the closing function, is periodically tested at power as discussed in Section 7.3.2.2.5. The operability of the slave relay which actuates the solenoid, which is the actuating device, is verified during this test. Although the actual closing of these trip solenoids is blocked when the slave relay is tested, all functions are tested to assure that no electrical malfunctions have occurred which could defeat the function of the solenoids.

8. Reactor Coolant Pump Component Cooling Water Isolation Valves (Close)

Component cooling water supply and return containment isolation valves are routinely tested during refueling outages. Testing of these valves while the reactor coolant pumps are operating introduces an unnecessary risk of costly damage to all the reactor coolant pumps.

Loss of component cooling water to these pumps is of economic consideration only, as the reactor coolant pumps are not required to perform any safety-related function.

The reactor coolant pumps will not seize due to complete loss of component cooling.

Information from the pump manufacturer indicates that the bearing babbitt would eventually break down but not so rapidly as to overcome the inertia of the flywheel. If the pumps are not stopped within 3 to 10 minutes after component cooling water is isolated, pump damage could be incurred.

Also, since the component cooling water flowrates and temperatures are about equal during both plant power operation and plant refueling, periodic tests of these valves during a refueling outage would duplicate accident conditions. Additionally, the possibility of failure of containment isolation is remote because an additional failure of the low pressure fluid system in addition to failure of both isolation valves would have to occur to open a path through the containment.

Based on the above described potential reactor coolant pump damage incurred with periodic testing of the component cooling water containment isolation valves at power, the duplication of at-power operating conditions during refueling outages, and since, 1) no practical system design will permit operation of these valves without adversely affecting the safety or operability of the plant, 2) the probability that the protection system will fail to initiate the activated equipment is acceptably low due to testing up to final actuation, and 3) these valves will be routinely tested during refueling outages when the reactor coolant pumps are not operating, the proposed resolution meets the guidelines of Section D.4 of Regulatory Guide 1.22.

9. Reactor Coolant Pump Seal Water Return Valves (Close)

Seal return line isolation valves are routinely tested during refueling outages. Closure of these valves during operation would cause the safety valve to lift, with the possibility of valve chatter. Valve chatter would damage this relief valve. Testing of these valves at power would cause equipment damage. Therefore, these valves will be tested during scheduled refueling outages. As above, additional containment penetrations and isolation valves introduce additional unnecessary potential pathways for radioactive release following a postulated accident. Thus, the guidelines of Section D.4 of Regulatory Guide 1.22 are met.

10. Instrument Air Supply to Reactor Building Isolation Valves (Close)

The Reactor Building instrument air isolation valves are routinely tested during refueling outages. Closing the valves completely at power would result in loss of instrument air supply inside containment, causing an upset to normal operation which could cause a reactor trip.

Based on the above identified problem incurred with periodic testing of the Reactor Building instrument air isolation valves at power and since, 1) no practical system design will permit operation of the valves without adversely affecting the safety or operability of the plant, 2) the probability that the protection system will fail to initiate the actuated equipment is acceptably low due to test up to final actuation, and 3) these valves will be routinely tested during refueling outages, the proposed resolution meets the guidelines of Section D.4 of Regulatory Guide 1.22.

11. Engineered Safety Feature Loading Sequencer Input Buffer and Output Relays

The Engineered Safety Feature Loading Sequencer output and input buffer relays are routinely tested during refueling outages. Testing the output relays will actuate plant equipment and requires extensive system and breaker alignments to perform the entire output relay test. Due to the intensity required for testing, plant operability and safety could be jeopardized. The Engineered Safety Feature Loading Sequencer is not designed to test the output relays by continuity of the electrical circuitry associated with the relays as a check in lieu of actual operation; therefore, the only test is by actuation. A reliability study showed that the probability of the output relays failing when required to initiate the operation of equipment is, and can be maintained, acceptably low without periodic testing of the actuated equipment during reactor operation. The 18 month test frequency is acceptable. The Engineered Safety Feature Loading Sequencer is not designed to test the input buffer relays on line without actually initiating Safety Injection or Blackout sequence. The total testing by actuation of undervoltage relays and Safety Injection signals to final equipment actuation is performed every 18 months while the plant is shut down. The inputs and logic up through the output relay drivers are tested with the reactor operational in a continuous automatic test mode.

Based on the above, the testing of the ESFLS meets the guidelines of Section D.4 of Regulatory Guide 1.22.
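The 2-of-3 per train turbine trip logic and the Online ETD Test described under item 3 (Turbine) above can be exercised in a small model. This is an added example, not part of the FSAR or of the EHC design documentation; the class names, the train labels A and B, the one-PTR-output-per-ETD mapping and the pre-test guard are assumptions, and the stuck dump valve is a constructed fault.

```python
"""Toy model of 2-of-3-per-train turbine trip logic with an online ETD test.
Illustrative only: names, train labels and the PTR-to-ETD mapping are assumptions."""
from dataclasses import dataclass, field


@dataclass
class ETD:
    """One Electronic Trip Device: solenoid plus dump valve, de-energize to trip."""
    energized: bool = True
    stuck_closed: bool = False  # constructed latent fault: dump valve will not open

    @property
    def dump_open(self) -> bool:
        return not self.energized and not self.stuck_closed


@dataclass
class Train:
    etds: list = field(default_factory=lambda: [ETD() for _ in range(3)])

    def apply_ptr_outputs(self, trip_demand):
        """Assumption: PTR output i drives solenoid i; True means trip demanded."""
        for etd, demand in zip(self.etds, trip_demand):
            etd.energized = not demand

    @property
    def tripped(self) -> bool:
        # Two open dump valves out of three dump the hydraulic fluid for this train.
        return sum(e.dump_open for e in self.etds) >= 2


@dataclass
class TurbineTripSystem:
    trains: dict = field(default_factory=lambda: {"A": Train(), "B": Train()})

    @property
    def turbine_tripped(self) -> bool:
        # Either train reaching 2-of-3 trips the turbine.
        return any(t.tripped for t in self.trains.values())

    def lose_all_power(self):
        """Loss of both supply feeders de-energizes every solenoid (fail safe)."""
        for t in self.trains.values():
            t.apply_ptr_outputs([True, True, True])

    def online_etd_test(self):
        """Cycle one ETD at a time; return (train, index) of each ETD that failed."""
        failures = []
        for name, train in self.trains.items():
            for i, etd in enumerate(train.etds):
                # Assumed guard: never start a test while any solenoid in the
                # train is already de-energized, or the test could make 2-of-3.
                if any(not e.energized for e in train.etds):
                    raise RuntimeError(f"train {name}: ETD already in tripped state")
                etd.energized = False
                if not etd.dump_open:          # position indication shows closed
                    failures.append((name, i))
                assert not self.turbine_tripped  # one ETD alone must not trip
                etd.energized = True
        return failures


def scenario_latent_fault():
    """One stuck dump valve: found by the online test, train still trips on demand."""
    system = TurbineTripSystem()
    system.trains["A"].etds[1].stuck_closed = True
    found = system.online_etd_test()
    tripped_during_test = system.turbine_tripped
    system.trains["A"].apply_ptr_outputs([True, True, True])
    return found, tripped_during_test, system.turbine_tripped


if __name__ == "__main__":
    print(scenario_latent_fault())
```

The model also shows why a latent fault matters: with two stuck dump valves in one train that train can no longer reach 2-of-3, and the trip depends on the other train.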

7.1.2.6 Conformance to Regulatory Guide 1.47

The principles described in Regulatory Guide 1.47 have been used to design the bypassed and inoperable status indication for the Engineered Safety Features Systems. System level indication is provided on the Control Room bypass and inoperable status indication CRT to display the operable status of each of the redundant portions of the Emergency Core Cooling System, the Reactor Building Cooling System, and the Reactor Building Spray System, and supporting systems: Engineered Safety Features Power System, Chilled Water System, Service Water System and Component Cooling Water System.

Inoperable indication occurs automatically when equipment vital to the operation of the system has been removed from service and a contact is available from the equipment to signify this condition (e.g., control switch in the "pull to lock" position, switchgear circuit breaker withdrawn from the operating position, safety system bypassed for logic testing). Inoperable indication also occurs when the operator, by administrative procedures, removes essential equipment from service and at the same time manually inputs the status into the Technical Support Center Computer. When automatic equipment inoperable indication occurs, it will be accompanied by an audible alarm.

The following criteria are utilized in providing contacts for automatic indication of inoperable status.

1. The bypass or inoperable condition affects one of the Emergency Core Cooling Systems, Reactor Building Cooling Systems, or Reactor Building Spray Systems, and/or the Auxiliary Support Systems for these systems that are required to perform automatically a function important to the safety of the public.
2. The bypass or inoperable condition can reasonably be expected to occur more frequently than once per year.
3. The bypass or inoperable condition is expected to occur when the affected safety system is required to be operable.

7.1.2.7 Conformance to Regulatory Guide 1.53 and IEEE Standard 379-1972

The principles described in IEEE Standard 379-1972 were used in the design of the Westinghouse protection system. The system complies with the intent of this standard and the additional guidance of Regulatory Guide 1.53, although the formal analyses have not been documented exactly as outlined. Westinghouse has gone beyond the required analyses and has performed a fault tree analysis, Reference 3.

The referenced topical report provides details of the analyses of the protection systems previously made to show conformance with the single failure criterion set forth in paragraph 4.2 of IEEE Standard 279-1971. The interpretation of the single failure criterion provided by IEEE Standard 379-1972 does not indicate substantial differences with the Westinghouse interpretation of the criterion except in the methods used to confirm design reliability. Established design criteria in conjunction with sound engineering practices form the bases for the Westinghouse protection systems. The Reactor Trip and Engineered Safety Features Actuation Systems are each redundant safety systems. The required periodic testing of these systems will disclose any failures or loss of redundancy which could have occurred in the interval between tests, thus ensuring the availability of these systems.

Chapters 6.0, 8.0, 9.0, and 10.0 discuss the single failure criteria for safety systems and auxiliary support systems within the balance of plant scope. Section 7.3.2.2 outlines the degree of conformance for the Engineered Safety Features loading sequence control panels. The degree of conformance for the undervoltage/underfrequency relay panels is addressed in Section 8.3.1.1.1.

Table 7.1-3 outlines, in detail, how the specific principles described by Regulatory Guide 1.53 and IEEE 379-1972, have been used in the design of balance of plant safety related instrumentation and control systems.

7.1.2.8 Conformance to Regulatory Guide 1.63

Regulatory Guide 1.63 is discussed in Appendix 3A.

7.1.2.9 Conformance to IEEE Standard 317-1972

Electrical penetrations are designed and fabricated in accordance with the requirements of IEEE Standard 317-1972.

7.1.2.10 Conformance to IEEE Standard 336-1971

Conformance with the scope of IEEE Standard 336-1971 for installation, inspection, and testing of instrumentation and electrical equipment during construction and startup is covered in Chapters 14 and 17.

7.1.2.11 Conformance to IEEE Standard 338-1971

The periodic testing of the Reactor Trip System and Engineered Safety Features Actuation System conforms to the requirements of IEEE Standard 338-1971 with the following comments:

1. The surveillance requirements of the Technical Specifications for the protection system ensure that the system functional operability is maintained comparable to the original design standards. Periodic tests at frequent intervals demonstrate this capability for the system, excluding sensors.

Overall protection systems response times shall be demonstrated by test or verification.

Sensors within Westinghouse scope will be demonstrated adequate for this design by vendor testing, in situ tests in operating plants with appropriately similar design, or by suitable type testing. The Nuclear Instrumentation System detectors are excluded since they exhibit response time characteristics such that delays attributable to them are negligible in the overall channel response time required for safety.

A periodic verification test program for sensors within Westinghouse scope, for determining any deterioration of installed sensors' response time, is currently being performed by on-site Surveillance Test Procedures (STP). Should a sensor fail the criteria outlined in the STP, the sensor is either replaced or repaired.

Each test shall include at least 1 logic train such that both logic trains are tested at least once per 36 months and 1 channel per function such that all channels are tested at least once every (N times 18 months), where N is the total number of redundant channels in a specific protective function.

The measurement of response time at the specified time intervals provides assurance that the protective and engineered safety features action function associated with each channel is completed within the time limit assumed in the accident analyses.

As an alternative to periodic measurement of instrument channel response time, Amendment 146 permits a verification of the channel response time by summation of allocated sensor, signal processing and actuation logic response times with actual response time tests performed on the remainder of the channel. The methodology is provided in References 4 and 5 and is only applicable to such equipment as was reviewed and approved by the NRC.

The allocated times must be verified as bounding prior to placing a component in service and re-verified following any work that may adversely affect the component response time.

2. Surveillance test failures are trended and evaluated through various programs to ensure equipment reliability specified in the IEEE Standard 338-1971.
3. The periodic time interval discussed in paragraph 4.3 of IEEE Standard 338-1971, and specified in the Technical Specifications, is conservatively selected to assure that equipment associated with protection functions has not drifted beyond its minimum performance requirements. If any protection channel appears to be marginal or requires more frequent adjustments due to plant condition changes, the time interval will be decreased to accommodate the situation until the marginal performance is resolved.
4. The test interval discussed in paragraph 5.2 of IEEE Standard 338-1971, is developed primarily on past operating experience and modified if necessary to assure that system and subsystem protection is reliably provided. Analytic methods for determining reliability are not used to determine test interval.

Based on the scope definition given in IEEE Standard 338-1971, no other systems described in Chapter 7 are required to comply with this standard.
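The staggered response time test basis and the summation alternative described in comment 1 above can be checked mechanically. This is an added example, not part of the FSAR or of References 4 and 5; the function names, the four channel labels, the 18 month test spacing used to build the schedule, and all times in milliseconds are constructed sample values.

```python
"""Bookkeeping for staggered response-time tests of one protective function.
Illustrative only: channel labels, months and millisecond values are constructed."""

TEST_INTERVAL_MONTHS = 18   # one test per 18 months
TRAIN_LIMIT_MONTHS = 36     # both logic trains at least once per 36 months
COMPONENTS = ("sensor", "signal_processing", "actuation_logic")


def staggered_schedule(channels, trains=("A", "B"), cycles=8):
    """Rotate one logic train and one channel into each 18-month test."""
    return [
        {"month": k * TEST_INTERVAL_MONTHS,
         "train": trains[k % len(trains)],
         "channel": channels[k % len(channels)]}
        for k in range(cycles)
    ]


def overdue_items(history, channels, trains=("A", "B"), now=None):
    """Return (kind, name, age_months) for every train or channel past its limit.

    Channel limit is N times 18 months, N being the number of redundant channels.
    An item never tested is reported with age None.
    """
    now = history[-1]["month"] if now is None else now
    last = {}
    for rec in history:
        last["train", rec["train"]] = rec["month"]
        last["channel", rec["channel"]] = rec["month"]
    limits = [("train", t, TRAIN_LIMIT_MONTHS) for t in trains]
    limits += [("channel", c, len(channels) * TEST_INTERVAL_MONTHS) for c in channels]
    findings = []
    for kind, name, limit in limits:
        tested = last.get((kind, name))
        age = None if tested is None else now - tested
        if age is None or age > limit:
            findings.append((kind, name, age))
    return findings


def verify_by_summation(allocated_ms, evidence_ms, measured_remainder_ms, limit_ms):
    """Channel response time = allocated component times + measured remainder.

    evidence_ms holds the latest verified time per component; an allocation that
    no longer bounds its evidence makes the summation unusable for that channel.
    """
    not_bounding = [c for c in COMPONENTS if evidence_ms[c] > allocated_ms[c]]
    if not_bounding:
        return {"acceptable": False, "total_ms": None, "not_bounding": not_bounding}
    total = sum(allocated_ms[c] for c in COMPONENTS) + measured_remainder_ms
    return {"acceptable": total <= limit_ms, "total_ms": total, "not_bounding": []}


if __name__ == "__main__":
    channels = ["I", "II", "III", "IV"]
    schedule = staggered_schedule(channels)
    print("overdue with full rotation:", overdue_items(schedule, channels))

    # Constructed lapse: the month-108 test repeats channel II instead of III.
    lapsed = [dict(r, channel="II") if r["month"] == 108 else r for r in schedule]
    print("overdue after lapse:", overdue_items(lapsed, channels))

    allocated = {"sensor": 400, "signal_processing": 150, "actuation_logic": 20}
    evidence = {"sensor": 380, "signal_processing": 150, "actuation_logic": 15}
    print(verify_by_summation(allocated, evidence, 1100, 2000))

    # Constructed post-maintenance case: sensor evidence exceeds its allocation.
    print(verify_by_summation(allocated, dict(evidence, sensor=450), 1100, 2000))
```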

7.1.3 References

1. The Institute of Electrical and Electronic Engineers, Inc., IEEE Standard: Criteria for Protection Systems for Nuclear Power Generating Stations, IEEE Standard 279-1971.
2. Katz, D. N., Solid-State Logic Protection System Description, WCAP-7488-L (Proprietary), March, 1971 and WCAP-7672 (Non-Proprietary), May, 1971.
3. Gangloff, W. C. and Loftus, W. D., An Evaluation of Solid-State Logic Reactor Protection in Anticipated Transients, WCAP-7706-L (Proprietary) and WCAP-7706 (Non-Proprietary), February, 1973.

4. WCAP-13632-P-A, Revision 2, Elimination of Pressure Sensor Response Time Testing Requirements, January 1996.
5. WCAP-14036-P-A, Revision 1, Elimination of Periodic Protection Channel Response Time Tests, October 1998.
6. Amendment 146 to the Virgil C. Summer Nuclear Station Technical Specifications, Response Time Testing Elimination.

Revision 22--Updated Online 05/27/22 Table 7.1-1 Listing of Applicable Criteria Criteria Title Conformance Discussed IN General Design Criteria (GDC),

Appendix A to 10 1, CFR 50 GDC-1 Quality Standards and Records 3.1.2, 7 GDC-2 Design Bases for Protection Against Natural Phenomena 3.1.2, 3.10, 7.2.1.1.11 GDC-3 Fire Protection 3.1.2, 7.1.2.2.3 GDC-4 Environmental and Missile Design Bases 3.1.2, 7.2.2.2 GDC-5 Sharing of Structures, Systems, and 3.1.2 Components GDC-10 Reactor Design 3.1.2, 7.2.2.2 VC SUMMER FSAR GDC-12 Suppression of Reactor Power Oscillations 3.1.2 GDC-13 Instrumentation and Control 3.1.2, 7.3.1, 7.3.2 GDC-15 Reactor Coolant System Design 3.1.2, 7.2.2.2 GDC-17 Electric Power Systems 3.1.2, Chapter 8 GDC-19 Control Room 3.1.2 7.1-25

Table 7.1-1 (continued)

Revision 22--Updated Online 05/27/22 Listing of Applicable Criteria Criteria Title Conformance Discussed IN GDC-20 Protection System Functions 3.1.2, 7.2.2.2, 7.3.1, 7.3.2 GDC-21 Protection System Reliability and Testability 3.1.2, 7.2.2.2, 7.3.1, 7.3.2 GDC-22 Protection System Independence 3.1.2, 7.1.2.2, 7.2.2.2, 7.3.1, 7.3.2 GDC-23 Protection System Failure Modes 3.1.2, 7.2.2.2, 7.3.1, 7.3.2 GDC-24 Separation of Protection and Control Systems 3.1.2,7.2.2.2, 7.3.1, 7.3.2 GDC-25 Protection System Requirements for Reactivity Control 3.1.2, 7.3.2 Malfunctions GDC-26 Reactivity Control System Redundancy and Capability 3.1.2 GDC-27 Combined Reactivity Control Systems Capability 3.1.2, 7.3.1, 7.3.2 GDC-28 Reactivity Limits 3.1.2, 7.3.1, 7.3.2 GDC-29 Protection Against Anticipated Operational Occurrences 3.1.2, 7.2.2.2 VC SUMMER FSAR GDC-33 Reactor Coolant Makeup 3.1.2 GDC-34 Residual Heat Removal 3.1.2 GDC-35 Emergency Core Cooling 3.1.2, 7.3.1, 7.3.2 GDC-37 Testing of Emergency Core Cooling System 3.1.2, 7.3.2 GDC-38 Containment Heat Removal 3.1.2, 7.3.1, 7.3.2 7.1-26

Table 7.1-1 (continued)

| Criteria | Title | Conformance Discussed In |
|---|---|---|
| GDC-40 | Testing of Containment Heat Removal System | 3.1.2, 7.3.2 |
| GDC-41 | Containment Atmosphere Cleanup | 3.1.2 |
| GDC-43 | Testing of Containment Atmosphere Cleanup Systems | 3.1.2, 7.3.2 |
| GDC-44 | Cooling Water | 3.1.2 |
| GDC-46 | Testing of Cooling Water System | 3.1.2, 7.3.2 |
| GDC-50 | Containment Design Basis | 3.1.2 |
| GDC-54 | Piping Systems Penetrating Containment | 3.1.2 |
| GDC-55 | Reactor Coolant Pressure Boundary Penetrating Containment | 3.1.2 |
| GDC-56 | Primary Containment Isolation | 3.1.2 |
| GDC-57 | Closed Systems Isolation Valves | 3.1.2 |

Table 7.1-1 (continued)

2. Institute of Electrical and Electronics Engineers (IEEE) Standards:

| Criteria | Title | Conformance Discussed In |
|---|---|---|
| IEEE Std 279-1971 (ANSI N42.7-1972) | Criteria for Protection Systems for Nuclear Power Generating Stations | 7.1, 7.2, 7.3, 7.6 |
| IEEE Std 308-1971 | Criteria for Class 1E Electric Systems for Nuclear Power Generating Stations | 7.6 |
| IEEE Std 317-1972 | Electric Penetration Assemblies in Containment Structures for Nuclear Power Generating Stations | 7.1.2.9 |
| IEEE Std 323-1971 | IEEE Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations | 3.11 |
| IEEE Std 334-1971 | Type Tests of Continuous-Duty Class 1 Motors Installed Inside the Containment of Nuclear Power Generating Stations | 3A (RG 1.40) |
| IEEE Std 336-1971 (ANSI N45.2.4-1972) | Installation, Inspection and Testing Requirements for Instrumentation and Electric Equipment During the Construction of Nuclear Power Generating Stations | 7.1.2.10 |
| IEEE Std 338-1971 | Criteria for the Periodic Testing of Nuclear Power Generation Station Protection Systems | 7.1.2.11 |

Table 7.1-1 (continued)

| Criteria | Title | Conformance Discussed In |
|---|---|---|
| IEEE Std 344-1971 (ANSI N41.7) | Guide for Seismic Qualification of Class 1 Electrical Equipment for Nuclear Power Generating Stations | 3.10 |
| IEEE Std 379-1972 (ANSI N41.2) | Guide for the Application of the Single Failure Criterion to Nuclear Power Generating Station Protection Systems | 7.1.2.7 |
| IEEE Std 382-1972 | Type Test of Class 1 Electric Valve Operators | 3.11 |
| IEEE Std 384-1974 (ANSI N41.14) | Criteria for Separation of Class 1E Equipment and Circuits | 7.1.2.2.1 |

Table 7.1-1 (continued)

3. Regulatory Guides (RG)

| Criteria | Title | Conformance Discussed In |
|---|---|---|
| RG 1.6 | Independence Between Redundant Stand-by (Onsite) Power Sources and Between Their Distribution Systems | Chapter 8 |
| RG 1.11 | Instrument Lines Penetrating Primary Reactor Containment | 3A, 7.3.1.1.2 |
| RG 1.22 | Periodic Testing of Protection System Actuation Functions | 3A, 7.1.2.5, 7.3.2.2.5 |
| RG 1.29 | Seismic Design Classification | 3A |
| RG 1.30 | Quality Assurance Requirements for the Installation, Inspection, and Testing of Instrumentation and Electric Equipment | 3A, Chapter 17 |
| RG 1.32 | Use of IEEE Std 308-1971, "Criteria for Class 1E Electric Systems for Nuclear Power Generating Station" | 7.6 |
| RG 1.47 | Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems | 3A, 7.1.2.6 |
| RG 1.53 | Application of the Single Failure Criterion to Nuclear Power Plant Protection Systems | 3A, 7.1.2.7 |
| RG 1.62 | Manual Initiation of Protection Actions | 3A, 7.3.2.2.7 |
| RG 1.63 | Electric Penetration Assemblies in Containment Structures for Water-Cooled Nuclear Power Plants | 3A |

Table 7.1-1 (continued)

| Criteria | Title | Conformance Discussed In |
|---|---|---|
| RG 1.68 | Preoperational and Initial Startup Test Programs for Water-Cooled Power Reactors | 3A, Chapter 14 |
| RG 1.70 | Standard Format and Content of Safety Analysis Reports for Nuclear Power Plants, Rev. 2 | 3A, Chapter 7 |
| RG 1.73 | Qualification Test of Electric Valve Operators Installed Inside the Containment of Nuclear Power Plants | 3A |
| RG 1.75 | Physical Independence of Electric Systems | 3A, 7.1.2.2.1 |
| RG 1.80 | Preoperational Testing of Instrument Air Systems | 3A, 9.3.1 |
| RG 1.89 | Qualification of Class 1E Equipment for Nuclear Power Plants | 3A, 3.11 |
| RG 1.95 | Protection of Nuclear Power Plant Control Room Operators Against an Accidental Chlorine Release | 3A, 6.4 |
| RG 1.97 | Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant Conditions During and Following an Accident | 3A |
| RG 1.100 | Seismic Qualification of Electric Equipment for Nuclear Power Plants | 3A |
| RG 1.105 | Instrument Spans and Setpoints | 3A |
| RG 1.106 | Thermal Overload Protection for Electric Motors on Motor-Operated Valves | |
| RG 1.114 | Guidance on Being Operator at the Controls of a Nuclear Power Plant | 3A |

Table 7.1-1 (continued)

4. EICSB Branch Technical Positions (BTP)

| Criteria | Title | Conformance Discussed In |
|---|---|---|
| BTP EICSB 1 | Backfitting of the Protection and Emergency Power Systems of Nuclear Reactors | Chapters 7, 8 |
| BTP EICSB 3 | Isolation of Low Pressure Systems from the High Pressure Reactor Coolant System | 7.6.2 |
| BTP EICSB 4 | Requirements on Motor Operated Valves in the ECCS Accumulator Lines | 7.6.4 |
| BTP EICSB 5 | Scram Breaker Test Requirements - Technical Specifications | 7.2.2.2.3, Technical Specifications (Table 4.3-1, Item 21) |
| BTP EICSB 9 | Definition and Use of "Channel - Calibration" - Technical Specifications | Technical Specifications (Table 4.3-1, Item 2) |
| BTP EICSB 10 | Electrical and Mechanical Equipment Seismic Qualification Program | 3.10 |

Table 7.1-1 (continued)

| Criteria | Title | Conformance Discussed In |
|---|---|---|
| BTP EICSB 12 | Protection System Trip Point Changes for Operation with Reactor Coolant Pumps Out of Service | 7.2.2.2.1, Technical Specifications (3/4.1) |
| BTP EICSB 13 | Design Criteria for Auxiliary Feedwater Systems | 7.3.2.3 |
| BTP EICSB 14 | Spurious Withdrawals of Single Control Rods in Pressurized Water Reactors | 7.7.2.2, 15.2.1, 15.2.2, 15.3.6 |
| BTP EICSB 15 | Reactor Coolant Pump Breaker Qualification | 3.10, 7.1.2.5, 7.2.1.1.2(4) |
| BTP EICSB 16 | Control Element Assembly (CEA) Interlocks in Combustion Engineering Reactors | Not Applicable |
| BTP EICSB 18 | Application of the Single Failure Criteria to Manually Controlled Electrically Operated Valves | Technical Specifications (3/4.5) |
| BTP EICSB 19 | Acceptability of Design Criteria for Hydrogen Mixing and Drywell Vacuum Relief Systems | Not Applicable |
| BTP EICSB 20 | Design of Instrumentation and Controls Provided to Accomplish Changeover from Injection to Recirculation Mode | 7.6.5, 6.3.2.2.2, Table 6.3-3 |

Table 7.1-1 (continued)

| Criteria | Title | Conformance Discussed In |
|---|---|---|
| BTP EICSB 21 | Guidance for Application of Reg. Guide 1.47 | 7.1.2.6 |
| BTP EICSB 22 | Guidance for Application of Reg. Guide 1.22 | 7.1.2.5 |
| BTP EICSB 23 | Qualification of Safety-Related Display Instrumentation for Post Accident Condition Monitoring and Safe Shutdown | 7.5 |
| BTP EICSB 24 | Testing of Reactor Trip System and Engineered Safety Feature Actuation System Sensor Response Times | 7.1.2.11 |
| BTP EICSB 25 | Guidance for the Interpretation of General Design Criterion 37 for Testing the Operability of the Emergency Core Cooling System as a Whole | 3.1.2 |
| BTP EICSB 26 | Requirements for Reactor Protection System Anticipatory Trips | 7.2.1.1.2 |
| BTP EICSB 27 | Design Criteria for Thermal Overload Protection for Motors of Motor Operated Valves | 8.3.1.3 |

Table 7.1-2 Applicable Criteria (see next page for pdf insert)

TABLE 7.1-2 APPLICABLE CRITERIA REACTOR TRIP SYSTEM ENGINEERED SAFETY FEATURES SYSTEM ENGINEERED SAFETY FEATURES SYSTEMS REQUIRED FOR SAFE SHUTDOWN SYSTEMS REQUIRED FOR SAFETY RELATED ALL OTHER INSTRUMENT SYSTEMS REQUIRED FOR SAFETY CONTROL (RTS) 7.2 (ESF) 7.3 SUPPORTING SYSTEMS (SRSS) 7.4 SAFE SHUTDOWN DISPLAY 7.6 SYSTEMS (ESF SUPPORTING) (SRSS) 7.4 INSTRUMENTS NOT (SR) 7.5 REQUIRED FOR SAFETY 7.7 (1)

NSSS RCP TURBINE 7.3 6.2.2 6.2.3 6.2.4 6.2.5 6.2.6 6.3 6.4 6.5 10.4.9 9.2.2 9.5 9.2.1 9.4.7 6.2, 9.4 9.2.2 9.5 10.4.9 9.2.1 9.4.7 10.3 6.2, 9.4 9.3.4 9.3.4 CREP ESF 7.6.1 7.6.2 7.6.3 7.6.4 7.6.5 INPUTS INPUTS INPUTS ESFAS RB HEAT RB AIR CONTAINMENT COMBUSTIBLE CONTAINMENT SI HABITABILITY FISSION EMERGENCY CC DG SW VU HVAC CC DG EF SW VU MS HVAC CHARGING BA MONITORING PAM MONITOR I & C RHR REFUELING ACCUMULATOR LEAK (2) REMOVAL PURIFICATION ISOLATION GAS CONTROL LEAKAGE SYSTEMS PRODUCT FEEDWATER SYSTEM SYSTEM SYSTEM SYSTEM SYSTEMS SYSTEM SYSTEM SYSTEM SYSTEM SYSTEM SYSTEM SYSTEMS PUMPS TRANSFER INDICATORS LIGHTS POWER INTERLOCKS INTERLOCKS MOTOR DETECTION AND CLEANUP TESTING REMOVAL (4) (5) (4) (6) PUMPS SUPPLY OPERATED SYSTEMS (3) AND W BOP W BOP W BOP SYSTEM VALVES CONTROL SYSTEMS GENERAL DESIGN CRITERIA GDC-1 QUALITY STANDARDS AND RECORDS X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X 57 X 7 GDC-2 DESIGN BASES FOR PROTECTION AGAINST NATURAL PHENOMENA X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X 57 X X GDC-3 FIRE PROTECTION (8) X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X 57 X X GDC-4 ENVIRONMENTAL AND MISSILE DESIGN BASES X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X 57 X X GDC-5 SHARING OF STRUCTURES, SYSTEMS, AND COMPONENTS GDC-10 REACTOR DESIGN X X X X X X X X X X X X X X X X X X X GDC-12 SUPPRESSION OF REACTOR POWER OSCILLATIONS GDC-13 INSTRUMENTATION AND CONTROL X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X GDC-15 REACTOR COOLANT SYSTEM DESIGN X GDC-17 ELECTRIC POWER SYSTEMS X X X GDC-19 CONTROL ROOM X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X GDC-20 PROTECTION SYSTEM FUNCTIONS X X X X 9 9 9 9 9 9 9 9 9 9 9 9 9 9 X 9 9 9 9 X GDC-21 PROTECTION SYSTEM RELIABILITY AND TESTABILITY X X X 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 10 10 X X 11 GDC-22 PROTECTION SYSTEM INDEPENDENCE X X X X 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 12 12 X GDC 23 
PROTECTION SYSTEM FAILURE MODES X X 13 13 9 9 9 13 9 9 9 9 13 9 9 9 9 13 9 9 9 9 9 13 GDC-24 SEPARATION OF PROTECTION AND CONTROL SYSTEMS X X X X X X X X X X X X X X X X X X X X X X X X X X X X GDC-25 PROTECTION SYSTEM REQUIREMENTS FOR REACTIVITY CONTROL 14 MALFUNCTIONS GDC-26 REACTIVITY CONTROL SYSTEM REDUNDANCY AND CAPABILITY 15 15 GDC-27 COMBINED REACTIVITY CONTROL SYSTEMS CAPABILITY 16 16 16 GDC-28 REACTIVITY LIMITS 17 17 17 GDC-29 PROTECTION AGAINST ANTICIPATED OPERATIONAL OCCURRENCES X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X GDC-33 REACTOR COOLANT MAKEUP X X X X X X X X X 18 X 18 X GDC-34 RESIDUAL HEAT REMOVAL X 19 X X X X X X X X X X X 19 X X X X X X GDC-35 EMERGENCY CORE COOLING X 20 X X X X X X X X X X X X X X X X X 00-01 GDC-37 TESTING OF EMERGENCY CORE COOLING SYSTEM X 20 X X X X X X X X X X X X X X X GDC-38 CONTAINMENT HEAT REMOVAL X X X X X X X X X X X X X X X X X X GDC-40 TESTING OF CONTAINMENT HEAT REMOVAL SYSTEM X 13 13 X X X 13 X 13 X X X X 13 X 13 X X X X X X GDC-41 CONTAINMENT ATMOSPHERE CLEANUP X 13 13 13 13 X X 13 X 13 X X X 13 X 13 X X X X X X GDC-43 TESTING OF CONTAINMENT ATMOSPHERE CLEANUP SYSTEM X X 13 X 13 X 13 X 13 X X 13 X 13 X X X 13 X 13 X X X X X X GDC-44 COOLING WATER X X X X X X X X X X X X X X X X GDC-46 TESTING OF COOLING WATER SYSTEM X X X X X X X X X X X X X X X X GDC-50 CONTAINMENT DESIGN BASIS X GDC-54 PIPING SYSTEMS PENETRATING CONTAINMENT X 13 X 13 X 13 GDC-55 REACTOR COOLANT PRESSURE BOUNDARY PENETRATING CONTAINMENT 13 13 GDC-56 PRIMARY CONTAINMENT ISOLATION 13 13 GDC-57 CLOSED SYSTEMS ISOLATION VALVES 13 13 IEEE STANDARDS IEEE CRITERIA FOR PROTECTION SYSTEMS FOR NUCLEAR POWER GENERATING X X X X 21 21 21 21 21 21 21 21 21 21 21 21 21 21 21 21 21 21 21 21 21 23 21 21 X 24 22 21 279-1971 STATIONS 22 22 22 IEEE CRITERIA FOR CLASS 1R ELECTRIC SYSTEMS FOR NUCLEAR POWER X X X X X X X X X X X X X X X X X X X X X X X 26 26 26 X X 26 26 X X X 26 396-1971 GENERATING STATIONS IEEE ELECTRIC PENETRATION ASSEMBLIES IN 
CONTAINMENT STRUCTURES FOR X X X X X X X X X X X X X X X X X X X X X X X X 317-1972 NUCLEAR POWER GENERATING STATIONS IEEE IEEE STANDARD FOR QUALIFYING CLASS 1E EQUIPMENT FOR NUCLEAR 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 323-1971 POWER GENERATING STATIONS IEEE TYPE TEST OF CONTINUOUS DUTY CLASS 1 MOTORS INSTALLED INSIDE THE 27 27 334-1971 CONTAINMENT OF NUCLEAR POWER GENERATING STATIONS 28 28 IEEE INSTALLATION, INSPECTION AND TESTING REQUIREMENTS FOR X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X 336-1971 INSTRUMENTATION AND ELECTRIC EQUIPMENT DURING THE CONSTRUCTION OF NUCLEAR POWER GENERATING STATIONS IEEE CRITERIA FOR THE PERIODIC TESTING OF NUCLEAR POWER GENERATION X X X X9 9 9 9 9 X 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 X X 9 11 30 338-1971 STATION PROTECTION SYSTEMS (29) 30 IEEE GUIDE FOR SEISMIC QUALIFICATION OF CLASS 1 ELECTRICAL EQUIPMENT 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 57 31 32 344-1971 FOR NUCLEAR POWER GENERATING STATIONS IEEE GUIDE FOR THE APPLICATION OF THE SINGLE FAILURE CRITERIA TO 33 X X 33 33 33 33 33 35 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 X 11 35 33 379-1972 NUCLEAR POWER GENERATING STATION PROTECTION SYSTEMS 34 IEEE TYPE TEST OF CLASS 1 ELECTRIC VALVE OPERATORS 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 382-1972 IEEE CRITERIA FOR SEPARATION OF CLASS 1E EQUIPMENT AND CIRCUITS 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 384-1974 36 X IS DEFINED AS MEANING THE INSTRUMENT AND CONTROL SYSTEM AND COMPONENTS MEET THE REFERENCED CRITERIA IS DEFINED AS MEANING THE REFERENCED CRITERIA IS NOT APPLICABLE TO THE INSTRUMENT AND CONTROL SYSTEM AND COMPONENTS 7.1-36 Reformatted Per Amendment 00-01

TABLE 7.1-2 APPLICABLE CRITERIA (Continued)

REACTOR TRIP SYSTEM ENGINEERED SAFETY FEATURES SYSTEM ENGINEERED SAFETY FEATURES SYSTEMS REQUIRED FOR SAFE SHUTDOWN SYSTEMS REQUIRED FOR SAFETY RELATED ALL OTHER INSTRUMENT SYSTEMS REQUIRED FOR SAFETY CONTROL (RTS) 7.2 (ESF) 7.3 SUPPORTING SYSTEMS (SRSS) 7.4 SAFE SHUTDOWN DISPLAY 7.6 SYSTEMS (ESF SUPPORTING) (SRSS) 7.4 INSTRUMENTS NOT (SR) 7.5 REQUIRED FOR SAFETY 7.7 (1)

NSSS RCP TURBINE 7.3 6.2.2 6.2.3 6.2.4 6.2.5 6.2.6 6.3 6.4 6.5 10.4.9 9.2.2 9.5 9.2.1 9.4.7 6.2, 9.4 9.2.2 9.5 10.4.9 9.2.1 9.4.7 10.3 6.2, 9.4 9.3.4 9.3.4 CREP ESF 7.6.1 7.6.2 7.6.3 7.6.4 7.6.5 INPUTS INPUTS INPUTS ESFAS RB HEAT RB AIR CONTAINMENT COMBUSTIBLE CONTAINMENT SI HABITABILITY FISSION EMERGENCY CC DG SW VU HVAC CC DG EF SW VU MS HVAC CHARGING BA MONITORING PAM MONITOR I & C RHR REFUELING ACCUMULATOR LEAK (2) REMOVAL PURIFICATION ISOLATION GAS CONTROL LEAKAGE SYSTEMS PRODUCT FEEDWATER SYSTEM SYSTEM SYSTEM SYSTEM SYSTEMS SYSTEM SYSTEM SYSTEM SYSTEM SYSTEM SYSTEM SYSTEMS PUMPS TRANSFER INDICATORS LIGHTS POWER INTERLOCKS INTERLOCKS MOTOR DETECTION AND CLEANUP TESTING REMOVAL (4) (5) (4) (6) PUMPS SUPPLY OPERATED SYSTEMS (3) AND W BOP W BOP W BOP SYSTEM VALVES CONTROL SYSTEMS REGULATORY GUIDES (APPENDIX 3A DELINEATES THE APPLICABLE RG REVISION AND/OR DATE).

RG 1.6 INDEPENDENCE BETWEEN REDUNDANT STANDBY (ONSITE) POWER X X X SOURCES AND BETWEEN THEIR DISTRIBUTION SYSTEMS RG 1.7 CONTROL OF COMBUSTIBLE GAS CONCENTRATIONS IN CONTAINMENT FOLLOWING A LOSS-OF-COOLANT ACCIDENT RG 1.11 INSTRUMENT LINES PENETRATING PRIMARY REACTOR CONTAINMENT 38 38 X 39 38 RG 1.12 INSTRUMENTATION FOR EARTHQUAKES (40)

RG 1.22 PERIODIC TESTING OF PROTECTION SYSTEM ACTUATION FUNCTIONS X 41 41 41 41 41 30 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 10 10 24 30 41 RG 1.29 SEISMIC DESIGN CLASSIFICATION 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 57 38 38 RG 1.30 QUALITY ASSURANCE REQUIREMENTS FOR THE INSTALLATION, INSPECTION, X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X AND TESTING OF INSTRUMENTATION AND ELECTRICAL EQUIPMENT (38)

RG 1.32 USE OF IEEE STANDARD 308-1971 "CRITERIA FOR CLASS 1E ELECTRIC X X X X X X X X X X X X X X X X X X X X X X X 26 26 X X 26 26 X X X 26 SYSTEMS FOR NUCLEAR POWER GENERATING STATIONS" 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 26 38 38 38 38 38 38 38 00-01 RG 1.45 REACTOR COOLANT PRESSURE BOUNDARY LEAKAGE DETECTION SYSTEMS 42 RG 1.47 BYPASSED AND INOPERABLE STATUS INDICATION FOR NUCLEAR POWER X X X X X X X X X X X X X X X X X X X X X X X PLANT SAFETY SYSTEMS 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 RG 1.53 APPLICATION OF THE SINGLE FAILURE CRITERION TO NUCLEAR POWER 33 X X 33 33 33 33 33 35 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 X 11 35 33 PLANT PROTECTION SYSTEMS 34 RG 1.62 MANUAL INITIATION OF PROTECTION ACTIONS X X X X X X X X X X X X X X X X X X X X X X X RG 1.63 ELECTRIC PENETRATION ASSEMBLIES IN CONTAINMENT STRUCTURES FOR 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 WATER-COOLED NUCLEAR POWER PLANTS RG 1.68 PREOPERATIONAL AND INITIAL START-UP TEST PROGRAMS FOR X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X WATER-COOLED POWER REACTORS 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 RG 1.70 STANDARD FORMAT AND CONTENT OF SAFETY ANALYSIS REPORTS FOR X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X NUCLEAR POWER PLANTS. REV. 1 (38)

RG 1.73 QUALIFICATION TEST OF ELECTRIC VALVE OPERATORS INSTALLED INSIDE 27 27 27 27 27 27 27 27 27 27 27 27 THE CONTAINMENT RG 1.75 PHYSICAL INDEPENDENCE OF ELECTRIC SYSTEMS 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 36 RG 1.80 PREOPERATIONAL TESTING OF INSTRUMENT AIR SYSTEMS (30)

RG 1.89 QUALIFICATION OF CLASS 1E EQUIPMENT FOR NUCLEAR POWER PLANTS 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 RG 1.95 PROTECTION OF NUCLEAR POWER PLANT CONTROL ROOM OPERATORS 44 AGAINST AN ACCIDENTAL CHLORINE RELEASE RG 1.97 INSTRUMENTATION FOR LIGHT WATER-COOLED NUCLEAR POWER PLANTS 45 45 45 45 45 45 45 45 45 45 X TO ACCESS PLANT CONDITIONS DURING AND FOLLOWING AN ACCIDENT RG 1.100 SEISMIC QUALIFICATION OF ELECTRIC EQUIPMENT FOR NUCLEAR POWER 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 57 31 32 PLANTS RG 1.105 INSTRUMENT SPANS AND SETPOINTS 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 RG 1.106 THERMAL OVERLOAD PROTECTION FOR ELECTRIC MOTORS ON MOTOR 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 OPERATED VALVES RG 1.108 PERIODIC TESTING OF DIESEL GENERATOR UNITS USED AS ONSITE 38 38 ELECTRIC POWER SYSTEMS AT NUCLEAR POWER PLANTS RG 1.114 GUIDANCE ON BEING OPERATOR AT THE CONTROLS OF A NUCLEAR POWER X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X PLANT 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 RG 1.118 PERIODIC TESTING OF ELECTRIC POWER AND PROTECTION SYSTEMS (46)

RG 1.120 FIRE PROTECTION GUIDELINES FOR NUCLEAR POWER PLANTS (8)

X IS DEFINED AS MEANING THE INSTRUMENT AND CONTROL SYSTEM AND COMPONENTS MEET THE REFERENCED CRITERIA IS DEFINED AS MEANING THE REFERENCED CRITERIA IS NOT APPLICABLE TO THE INSTRUMENT AND CONTROL SYSTEM AND COMPONENTS 7.1-37 Reformatted Per Amendment 00-01

TABLE 7.1-2 APPLICABLE CRITERIA (Continued)

REACTOR TRIP SYSTEM ENGINEERED SAFETY FEATURES SYSTEM ENGINEERED SAFETY FEATURES SYSTEMS REQUIRED FOR SAFE SHUTDOWN SYSTEMS REQUIRED FOR SAFETY RELATED ALL OTHER INSTRUMENT SYSTEMS REQUIRED FOR SAFETY CONTROL (RTS) 7.2 (ESF) 7.3 SUPPORTING SYSTEMS (SRSS) 7.4 SAFE SHUTDOWN DISPLAY 7.6 SYSTEMS (ESF SUPPORTING) (SRSS) 7.4 INSTRUMENTS NOT (SR) 7.5 REQUIRED FOR SAFETY 7.7 (1)

NSSS RCP TURBINE 7.3 6.2.2 6.2.3 6.2.4 6.2.5 6.2.6 6.3 6.4 6.5 10.4.9 9.2.2 9.5 9.2.1 9.4.7 6.2, 9.4 9.2.2 9.5 10.4.9 9.2.1 9.4.7 10.3 6.2, 9.4 9.3.4 9.3.4 CREP ESF 7.6.1 7.6.2 7.6.3 7.6.4 7.6.5 INPUTS INPUTS INPUTS ESFAS RB HEAT RB AIR CONTAINMENT COMBUSTIBLE CONTAINMENT SI HABITABILITY FISSION EMERGENCY CC DG SW VU HVAC CC DG EF SW VU MS HVAC CHARGING BA MONITORING PAM MONITOR I & C RHR REFUELING ACCUMULATOR LEAK (2) REMOVAL PURIFICATION ISOLATION GAS CONTROL LEAKAGE SYSTEMS PRODUCT FEEDWATER SYSTEM SYSTEM SYSTEM SYSTEM SYSTEMS SYSTEM SYSTEM SYSTEM SYSTEM SYSTEM SYSTEM SYSTEMS PUMPS TRANSFER INDICATORS LIGHTS POWER INTERLOCKS INTERLOCKS MOTOR DETECTION AND CLEANUP TESTING REMOVAL (4) (5) (4) (6) PUMPS SUPPLY OPERATED SYSTEMS (3) AND W BOP W BOP W BOP SYSTEM VALVES CONTROL SYSTEMS EICSB BRANCH TECHNICAL POSITIONS BTP BACKFITTING OF THE PROTECTION AND EMERGENCY POWER SYSTEMS OF EICSB NUCLEAR REACTORS 1

BTP ISOLATION OF LOW PRESSURE SYSTEMS FROM THE HIGH PRESSURE X EICSB REACTOR COOLANT SYSTEMS 11 3

BTP REQUIREMENTS ON MOTOR OPERATED VALVES IN THE ECCS 47 EICSB ACCUMULATOR LINES 4

BTP SCRAM BREAKER TEST REQUIREMENTS - TECHNICAL SPECIFICATIONS X v EICSB 48 5

BTP DEFINITION AND USE OF "CHANNEL - CALIBRATION" - TECHNICAL EICSB SPECIFICATIONS (49) 9 BTP ELECTRICAL AND MECHANICAL EQUIPMENT SEISMIC QUALIFICATION 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 57 31 32 EICSB PROGRAM 10 BTP PROTECTION SYSTEM TRIP POINT CHANGES FOR OPERATION WITH 50 50 EICSB REACTOR COOLANT PUMPS OUT OF SERVICE 12 00-01 BTP DESIGN CRITERIA FOR AUXILIARY FEEDWATER SYSTEMS X X X X X X X X X X X X X X X EICSB 13 BTP SPURIOUS WITHDRAWALS OF SINGLE CONTROL RODS IN PRESSURIZED EICSB WATER REACTORS (51) 14 BTP REACTOR COOLANT PUMP BREAKER QUALIFICATION (52)

EICSB 15 BTP CONTROL ELEMENT ASSEMBLY (CEA) INTERLOCKS IN COMBUSTION EICSB ENGINEERING REACTORS 16 BTP APPLICATION OF THE SINGLE FAILURE CRITERIA TO MANUALLY 53 EICSB CONTROLLED ELECTRICALLY OPERATED VALVES 18 BTP ACCEPTABILITY OF DESIGN CRITERIA FOR HYDROGEN MIXING AND EICSB DRYWELL VACUUM RELIEF SYSTEMS 19 BTP DESIGN OF INSTRUMENTATION AND CONTROLS PROVIDED TO ACCOMPLISH X X X EICSB CHANGEOVER FROM INJECTION TO RECIRCULATION MODE 54 54 20 BTP GUIDE FOR APPLICATION OF REGULATORY GUIDE 1.47 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 EICSB 21 BTP GUIDE FOR APPLICATION OF REGULATORY GUIDE 1.22 X 41 41 41 41 41 30 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 10 10 24 30 EICSB 41 22 BTP QUALIFICATION OF SAFETY RELATED DISPLAY INSTRUMENTATION FOR 10 10 EICSB POST ACCIDENT CONDITION MONITORING AND SAFE SHUTDOWN 23 BTP TESTING OF REACTOR TRIP SYSTEM AND ENGINEERED SAFETY FEATURE 55 55 EICSB ACTUATION SYSTEM SENSOR RESPONSE TIMES 24 BTP GUIDANCE FOR THE INTERPRETATION OF GENERAL DESIGN CRITERION 37 X X EICSB FOR TESTING THE OPERABILITY OF THE EMERGENCY CORE COOLING 20 25 SYSTEM AS A WHOLE BTP REQUIREMENTS FOR REACTOR PROTECTION SYSTEM ANTICIPATORY TRIPS X 2 EICSB 26 BTP DESIGN CRITERIA FOR THERMAL OVERLOAD PROTECTION FOR MOTORS OF 56 56 56 56 56 56 56 56 56 56 56 EICSB MOTOR OPERATED VALVES 27 X IS DEFINED AS MEANING THE INSTRUMENT AND CONTROL SYSTEM AND COMPONENTS MEET THE REFERENCED CRITERIA IS DEFINED AS MEANING THE REFERENCED CRITERIA IS NOT APPLICABLE TO THE INSTRUMENT AND CONTROL SYSTEM AND COMPONENTS 7.1-38 Reformatted Per Amendment 00-01

NOTES TO TABLE 7.1-2

1. See Section 7.7 for a list of control systems typical of those not required for safety.
2. Although credit is not taken for the turbine trip inputs from the pressure sensors and turbine stop valves (as described in Section 7.2.1.1.2, Item 6) the circuits are classified as Associated with Class 1E, are seismically supported, and are separated in accordance with plant design criteria as described in Appendix 3A (RG 1.75) when located in Seismic Category 1 structures. Safety criteria apply only to the input devices and do not include the mechanical portions of the turbine generator.
3. Safety criteria apply only to those portions of the system that are part of containment.
4. Safety criteria apply only to those portions of HVAC systems that are safety related.
5. Safety criteria denoted as applicable for this input include only the main steam isolation valves, steam generator power operated relief valves, and valves that admit steam to the turbine driven emergency feedwater pump.
6. Applicability is limited to a chemical and volume control system function rather than a safety injection system function.
7. Instrumentation and associated wiring applies.
8. Design satisfies Branch Technical Position APCSB 9.5-1, Appendix A, to the extent outlined in the FPER.
9. Complies for those portions (components) of the system that are part of the protection system, i.e., inputs, logic, actuation device inputs, etc.
10. See Section 7.5.1 for discussion of compliance.
11. See Section 7.6.2 for discussion.
12. See Appendix 3A (RG 1.75) and Sections 7.1.2.2.1, 8.3.1.4, and 8.3.1.5 for discussion of compliance.
13. See Section 3.1.2 for discussion of compliance.


14. See Section 3.1 for discussion of GDC 25. The analyses which are discussed in Chapter 15.0 are categorized as Condition II, III, and IV occurrences. These analyses show that the acceptance criteria for these categories are satisfied.
15. See Section 3.1 for discussion of GDC 26.
16. See Section 3.1 for discussion of GDC 27.
17. See Section 3.1 for discussion of GDC 28.
18. As noted in Section 7.4, nonaccident conditions are assumed.
19. See Sections 5.5.7, 6.3, and 7.6.5 for discussion of compliance.
20. See Sections 3.1.2, 6.3, and 7.6.5 for discussion of compliance.
21. The general philosophy of IEEE-279 is met by addressing redundancy and independence on a redundant subsystem basis, i.e., A loop/train and B loop/train basis. Testing can be performed on a loop basis consistent with the requirements of Sections 4.9 and 4.10 of IEEE-279.
22. For Westinghouse scope it is noted that:
a. IEEE-279-1971 is not required as a design basis for systems, equipment, or components to which this note is applicable.
b. The scope of IEEE-279-1971 is limited to the protection system from sensors to actuation device inputs.
23. See Section 7.5.1 for discussion of post-accident monitoring.
24. See Section 7.6.2.2 for discussion of residual heat removal system interlocks.
25. Deleted (RNs 99-015 and 99-114)
26. Non-Class 1E components fed from Class 1E power source.
27. See Section 3.11 and Appendix 3A for discussion of compliance.
28. Applicable only to reactor building cooling unit fan motors.
29. See Section 7.1.2.11 for description of details of conformance to IEEE-338-1971.


30. See Section 6.3.4.3 for description of safety injection system testing.
31. See Section 3.10 and Appendix 3A (RG 1.100) for discussion of compliance.
32. See Section 7.6.5 for description of leakage detection system.
33. Complies as outlined in Section 7.1.2.7, Table 7.1-3, and Table 7.3-6.
34. See Sections 6.2.5 and 7.3.3 for discussion of hydrogen recombiner.
35. See Section 6.3.2.9 for discussion of safety injection.
36. Boric acid transfer pump power and control circuits are classified as Associated with Class 1E.
37. See Appendix 3A (RG 1.7), Section 6.2.5 and the response to NRC Question 031.56 for discussion of compliance.
38. See Appendix 3A for discussion of compliance.
39. See Appendix 3A (RG 1.11) and Section 6.2.6 for discussion of compliance.
40. Complies, see Section 3.7.4 and Appendix 3A (RG 1.12) for details.
41. Complies, for the protection system actuated devices, except as noted in Section 7.1.2.5.
42. See Appendix 3A (RG 1.45) and Section 5.2.7 for discussion of compliance.
43. Complies, as applicable to specific system components. Details are discussed in the response to NRC Question 031.49.
44. Complies, see Appendix 3A (RG 1.95).
45. See Appendix 3A (RG 1.97) and Sections 6.2.5 and 7.5 for discussion of compliance.
46. Reasons for non-applicability are outlined in Appendix 3A.
47. See Section 7.6.4 for discussion.


48. See Section 7.2.2.2.3.10 for discussion. Also, see Chapter 16.0 (Technical Specifications), Table 4.3-1.
49. See Technical Specifications, Table 4.3-1.
50. See Technical Specifications, Section 3/4.4.1.
51. The results of analysis of a single rod cluster control assembly at full power are described in Section 15.3.
52. Accident analysis, as described in Sections 15.2.9 and 15.3.4, does not take credit for reactor coolant pump trip. Offsite electric system stability is described in Section 8.2.2.2.
53. BTP EICSB 18 applies to valves XVG8808A,B,C, XVG8884, XVG8885, XVG8886, XVG8888A,B, XVG8889, XVG8106, and XVG8133A,B in the Safety Injection System. See Chapter 16.0 (Technical Specifications), Section 3/4.5.1 and the responses to NRC Questions 040.18, 211.31, 211.32 and 211.37 for additional details.

54. See Section 6.3.2.7.
55. See Section 7.1.2.11 and Chapter 16.0 (Technical Specifications), Section 3/4.3.
56. See Appendix 3A (RG 1.106) for discussion of thermal overloads for electric motor operated valves.
57. See Section 9.1.4.1 (Item 6) and 9.1.4.3.1.2 (Item 5) and Tables 3.2-1, 3.2-2, and 3.2-3.

Table 7.1-3 Conformance With Regulatory Guide 1.53 and IEEE 379-1972, for Balance of Plant Safety Related Instrumentation Control Systems

| Criterion | Degree of Compliance |
|---|---|
| REGULATORY GUIDE 1.53 | |
| C.1 IEEE 379-1972 | See IEEE 379-1972, comparison, below. |
| C.2 Continuity Checks | Except as outlined by Sections 7.1.2.5 and 7.3.2.2.5, components are designed to allow operation while being tested during reactor operation. |
| C.3 Interconnections | Channel separation is maintained and integrity is assured through use of isolating devices where interconnections may occur or suitable barriers are employed. |
| C.4 Protection System Logic and Actuator System | Actuator circuits are designed to prevent a single failure from causing loss of a protective function. |
| IEEE 379-1972 | |
| 3(1) Redundancy | Redundancy is used and maintained to prevent a single failure in a channel or component from preventing operation of the redundant counterpart. |
| 3(2) Detectability | Control room indication and alarms are provided and are used in conjunction with periodic testing. |
| 3(3) Nondetectability | Not applicable, see Note 1. |
| 3(4) Multiple Faults | Not applicable, see Note 1. |
| 3(5) Completing Protective Functions | Systems are designed to prevent a single failure from resulting in noncompletion of the system protective function. |
| 3(6) DBE and Single Failure | Concurrent occurrence of a design basis event and a single failure was considered in the design. System protective function will not be lost under such circumstances. |
| 3(7) Operational Reliability | Not applicable, but included in the design concept. |
| 5.1 Classification | Not applicable, but included in the design concept. |
| 5.2 Undetectable Failures | Not applicable, see Note 1. Also, see Regulatory Guide 1.53, Regulatory Position C.2, above. |
| 5.3 Common Mode Failures | Concept was considered during design. Equipment qualification was used significantly in designing against common mode failures. Sections 3.10 and 3.11 outline qualification in more detail. |
| 6.1 General | See Note 1. |
| 6.2 Channels | See Regulatory Guide 1.53, Regulatory Position C.3, above. |
| 6.3 Protection System Logic | See Regulatory Guide 1.53, Regulatory Position C.3, above. |
| 6.4 Actuator Circuit | See Regulatory Guide 1.53, Regulatory Position C.3, above. |
| Type 2 and 3 Single Failure Analysis | Equipment qualification was used significantly in designing against common mode failures. Sections 3.10 and 3.11 outline qualification in more detail. |
| 6.6 Overall System - Failure Analysis | Concepts addressed were used during system design. |

(1) Each applicable FSAR section presents a safety evaluation which addresses the single failure criteria.

Figure 7.1-1 PROTECTION SYSTEM BLOCK DIAGRAM

7.2 REACTOR TRIP SYSTEM

7.2.1 Description

7.2.1.1 System Description

The reactor trip system automatically keeps the reactor operating within a safe region by shutting down the reactor whenever the limits of the region are approached. The safe operating region is defined by several considerations such as mechanical/hydraulic limitations on equipment, and heat transfer phenomena. Therefore, the reactor trip system keeps surveillance on process variables which are directly related to equipment mechanical limitations, such as pressure, pressurizer water level (to prevent water discharge through safety valves, and uncovering heaters) and also on variables which directly affect the heat transfer capability of the reactor (e.g., flow and reactor coolant temperatures). Still other parameters utilized in the reactor trip system are calculated from various process variables. In any event, whenever a direct process or calculated variable reaches a setpoint the reactor will be shut down in order to protect against either gross damage to fuel cladding or loss of system integrity which could lead to release of radioactive fission products into the containment.

The following systems make up the reactor trip system. Refer to References 1, 2, and 3 for additional background information.

1. Process Instrumentation and Control System.
2. Nuclear Instrumentation System.
3. Solid-State Logic Protection System.
4. Reactor Trip Switchgear.
5. Manual Actuation Circuit.

The reactor trip system consists of sensors which, when connected with analog circuitry consisting of 2 to 4 redundant channels, monitor various plant parameters and digital circuitry, consisting of 2 redundant logic trains, which receive inputs from the analog protection channels to complete the logic necessary to automatically open the reactor trip breakers.

Each of the two trains, A and B, is capable of opening a separate and independent reactor trip breaker, RTA and RTB, respectively and a bypass breaker, BYB and BYA, respectively. The 2 trip breakers in series connect three-phase a-c power from the rod drive motor generator sets to the rod drive power cabinets, as shown on Figure 7.2-1, Sheet 2. During plant power operation, a d-c undervoltage coil on each reactor trip breaker holds a trip plunger out against its spring, allowing the power to be available at the rod control power supply cabinets. For reactor trip, a loss of d-c voltage to the undervoltage coil, as well as energization of the shunt trip coil, trips open the breaker.

When either of the trip breakers opens, power is interrupted to the rod drive power supply, and the control rods fall, by gravity, into the core. The rods cannot be withdrawn until the trip breakers are manually reset. The trip breakers cannot be reset until the abnormal condition which initiated the trip is corrected. Bypass breakers BYA and BYB are provided to permit testing of the trip breakers, as discussed in Figure 7.2.2.2.3.

7.2.1.1.1 Functional Performance Requirements

The reactor trip system automatically initiates reactor trip:

1. Whenever necessary to prevent fuel damage for an anticipated operational transient (Condition II).
2. To limit core damage for infrequent faults (Condition III).
3. So that the energy generated in the core is compatible with the design provisions to protect the reactor coolant pressure boundary for limiting fault conditions (Condition IV).

The reactor trip system initiates a turbine trip signal whenever reactor trip is initiated to prevent the reactivity insertion that would otherwise result from excessive reactor system cooldown. The turbine trip avoids unnecessary actuation of the engineered safety features actuation system.

The reactor trip system provides for manual initiation of reactor trip by operator action.

7.2.1.1.2 Reactor Trips

The various reactor trip circuits automatically open the reactor trip breakers whenever a condition monitored by the reactor trip system reaches a preset level. To ensure a reliable system, high quality design, components, manufacturing, quality control and testing are used. In addition to redundant channels and trains, the design approach provides a reactor trip system which monitors numerous system variables, therefore providing protection system functional diversity. The extent of this diversity has been evaluated for a wide variety of postulated accidents.

Table 7.2-1 provides a list of reactor trips which are described below.

1. Nuclear Overpower Trips

The specific trip functions generated are as follows:

a. Power range high neutron flux trip

The power range high neutron flux trip circuit trips the reactor when 2 of the 4 power range channels reach the trip setpoint.

There are 2 bistables (for each of the 4 power range channels), each with its own trip setting used for a high and a low range trip setting. The high trip setting provides protection during normal power operation and is always active. The low trip setting, which provides protection during startup, can be manually bypassed when 2 out of the 4 power range channels read above approximately 10% power (P-10). Three (3) out of the 4 channels below 10% automatically reinstates the trip function. Refer to Table 7.2-2 for a listing of all protection system interlocks.

b. Intermediate range high neutron flux trip

The intermediate range high neutron flux trip circuit trips the reactor when 1 out of the 2 intermediate range channels reaches the trip setpoint. This trip, which provides protection during reactor startup, can be manually blocked if 2 out of 4 power range channels are above approximately 10% power (P-10). Three (3) out of the 4 power range channels below this value automatically reinstates the intermediate range high neutron flux trip.

The intermediate range channels (including detectors) are separate from the power range channels. The intermediate range channels can be individually bypassed at the nuclear instrumentation racks to permit channel testing. This bypass action is annunciated on the control board.

c. Source range high neutron flux trip

The source range high neutron flux trip circuit trips the reactor when 1 of the 2 source range channels exceeds the trip setpoint. This trip, which provides protection during reactor startup and plant shutdown, can be manually bypassed when 1 of the 2 intermediate range channels reads above the P-6 setpoint value and is automatically reinstated when both intermediate range channels decrease below the P-6 setpoint value.

This trip is also automatically bypassed by 2 out of 4 logic from the power range protection interlock (P-10). This trip function can also be reinstated below P-10 by an administrative action requiring manual actuation of 2 control board mounted switches.

Each switch will reinstate the trip function in 1 of the 2 protection logic trains. The source range trip point is set between the P-6 setpoint (source range cutoff power level) and the maximum source range power level. The channels can be individually bypassed at the nuclear instrumentation racks to permit channel testing during plant shutdown or prior to startup. This bypass action is annunciated on the control board.

d. Power range high positive neutron flux rate trip

This circuit trips the reactor when a sudden abnormal increase in nuclear power occurs in 2 out of 4 power range channels.

This trip provides DNB protection against rod ejection accidents of low worth from mid-power and is always active.

Table 7.2-1, Sheet 3, shows the logic for all of the nuclear overpower and rate trips.


2. Core Thermal Overpower Trips

The specific trip functions generated are as follows:

a. Overtemperature ΔT trip

This trip protects the core against low DNBR and trips the reactor on coincidence as listed in Table 7.2-1 with 1 set of temperature measurements per loop. The setpoint for this trip is continuously calculated by analog circuitry for each loop by solving the following equation:

$$\Delta T_{setpoint} = \Delta T_O \left[ K_1 - K_2 \left( \frac{1 + \tau_1 s}{1 + \tau_2 s} \right) \left( T_{avg} - T_{Oavg} \right) + K_3 \left( P - \ldots \right) - f(\Delta\phi) \right]$$

Where:

$\Delta T_O$ = Indicated $\Delta T$ at rated thermal power
$T_{avg}$ = Average reactor coolant temperature (°F)
$T_{Oavg}$ = Indicated $T_{avg}$ at rated thermal power
$P$ = Pressurizer pressure (psig)
$K_1$ = Preset bias
$K_2$ = Preset gain which compensates for the temperature on the DNB limits
$K_3$ = Preset gain which compensates for the effect of pressure on the DNB limits
$\tau_1, \tau_2$ = Preset constants which compensate for piping and instrument time delay
$s$ = Laplace transform operator (seconds$^{-1}$)
$f(\Delta\phi)$ = A function of the neutron flux difference between upper and lower long ion chambers (refer to Figure 7.2-2)

A separate long ion chamber unit supplies the flux signal for each overtemperature ΔT trip channel.

Increases in Δφ beyond a predefined deadband result in a decrease in trip setpoint. Refer to Figure 7.2-2.

The required 1 pressurizer pressure parameter per loop is obtained from separate sensors connected to 3 separate pressure taps at the top of the pressurizer. Refer to Section 7.2.2.3.3 for an analysis of this arrangement.

Figure 7.2-1, Sheet 5, shows the logic for overtemperature ΔT trip function.

b. Overpower ΔT trip

This trip protects against excessive power (fuel rod rating protection) and trips the reactor on coincidence as listed in Table 7.2-1, with 1 set of temperature measurements per loop.

The setpoint for each channel is continuously calculated using the following equation:

$$\Delta T_{setpoint} = \Delta T_O \left[ K_4 - K_5 \left( \frac{\tau_3 s}{1 + \tau_3 s} \right) T_{avg} - K_6 \left( T_{avg} - T_{Oavg} \right) \right]$$

Where:

$\Delta T_O$ = Indicated $\Delta T$ at rated thermal power
$K_4$ = A preset bias
$K_5$ = A constant which compensates for piping and instrument time delay
$K_6$ = A constant which compensates for the change in density flow and heat capacity of the water with temperature.
$T_{Oavg}$ = Indicated $T_{avg}$ at rated thermal power
$T_{avg}$ = Average reactor coolant temperature (°F)
$\tau_3$ = Preset time constant (seconds)
$s$ = Laplace transform operator (seconds$^{-1}$)

The source of temperature and flux information is identical to that of the overtemperature ΔT trip and the resultant ΔT setpoint is compared to the same ΔT. Figure 7.2-1, Sheet 5, shows the logic for this trip function.

3. Reactor Coolant System Pressurizer Pressure and Water Level Trips

The specific trip functions generated are as follows:

a. Pressurizer low pressure trip

The purpose of this trip is to protect against low pressure which could lead to DNB. The parameter being sensed is reactor coolant pressure as measured in the pressurizer. Above P-7 the reactor is tripped when the pressurizer measurements fall below preset limits. This trip is blocked below P-7 to permit startup. The trip logic and interlocks are given in Table 7.2-1.

The trip logic is shown on Figure 7.2-1, Sheet 6.

b. Pressurizer high pressure trip

The purpose of this trip is to protect the Reactor Coolant System against system overpressure.

The same sensors and transmitters used for the pressurizer low pressure trip are used for the high pressure trip except that separate bistables are used for trip. These bistables trip when uncompensated pressurizer pressure signals exceed preset limits on coincidence as listed in Table 7.2-1. There are no interlocks or permissives associated with this trip function.

The logic for this trip is shown on Table 7.2-1, Sheet 6.

c. Pressurizer high water level trip

This trip is provided as a backup to the high pressurizer pressure trip and serves to prevent water relief through the pressurizer safety valves. This trip is blocked below P-7 to permit startup. The coincidence logic and interlocks of pressurizer high water level signals are given in Table 7.2-1.

The trip logic for this function is shown on Figure 7.2-1, Sheet 6.

4. Reactor Coolant System Low Flow Trips

These trips protect the core from DNB in the event of a loss of coolant flow situation.

Figure 7.2-1, Sheet 5 shows the logic for these trips. The means of sensing the loss of coolant flow are as follows:

a. Low reactor coolant flow

The parameter sensed is reactor coolant flow. Four (4) elbow taps in each coolant loop are used as a flow device that indicates the status of reactor coolant flow. The basic function of this device is to provide information as to whether or not a reduction in flow has occurred. An output signal from 2 out of the 3 bistables in a loop would indicate a low flow in that loop.

The coincidence logic and interlocks are given in Table 7.2-1.

b. Reactor coolant pump undervoltage trip

This trip is required in order to protect against low flow which can result from loss of voltage to more than 1 reactor coolant pump motor (e.g., from loss of offsite power or reactor coolant pump breakers opening).

There are 3 undervoltage sensing relays connected for each pump (1 for each phase) at the motor side of each reactor coolant pump breaker. These relays provide an output signal when the pump voltage goes below approximately 70% of rated voltage. Signals from these relays are time delayed to prevent spurious trips caused by short term voltage perturbations. The coincidence logic and interlocks are given in Table 7.2-1.

c. Reactor coolant pump underfrequency trip

This trip protects against low flow resulting from pump underfrequency, for example a major power grid frequency disturbance. The function of this trip is to trip the reactor for an underfrequency condition greater than 2.5 Hz. The setpoint of the underfrequency relays is adjustable between 54.00 and 60.98 Hz (nominal).

There is 1 underfrequency sensing relay for each reactor coolant pump motor. Signals from relays for any 2 of the pump motors (time delayed up to approximately 0.1 seconds to prevent spurious trips caused by short term frequency perturbations) will trip the reactor if the power level is above P-7.

5. Steam Generator Trips

The specific trip functions generated are as follows:

a. Low feedwater flow trip

This trip protects the reactor from a sudden loss of heat sink. The trip is actuated by steam/feedwater flow mismatch (1 out of 2) in coincidence with low water level (1 out of 2) in any steam generator.

Figure 7.2-1, Sheet 7, shows the logic for this trip function.

There are no interlocks associated with this trip.

b. Low-Low steam generator water level trip

This trip protects the reactor from loss of heat sink in the event of a sustained steam/feedwater flow mismatch of insufficient magnitude to cause a low feedwater flow reactor trip. This trip is actuated on 2 out of 3 low-low water level signals occurring in any steam generator.

The logic is shown on Figure 7.2-1, Sheet 7.

6. Reactor Trip on a Turbine Trip (anticipatory)

The reactor trip on a turbine trip is actuated by 2 out of 3 logic from trip fluid pressure signals or by all closed signals from the turbine steam stop valves. A turbine trip causes a direct reactor trip above P-9. The reactor trip on turbine trip provides additional protection and conservatism beyond that required for the health and safety of the public. This trip is included as part of good engineering practice and prudent design. No credit is taken in any of the safety analyses (Chapter 15) for this trip.

The turbine provides anticipatory trips to the reactor protection system from contacts which change position when the turbine stop valves close or when the turbine emergency trip fluid pressure goes below its setpoint.

One of the design bases considered in the protection system is the possibility of an earthquake. With respect to these contacts, their functioning is unrelated to a seismic event in that they are anticipatory to other diverse parameters which cause reactor trip. The contacts are shut during plant operation and open to cause reactor trip when the turbine is tripped. No power is provided to the protection system from the contacts; they merely serve to interrupt power to cause reactor trip. This design functions in a de-energize-to-trip fashion to cause a plant trip if power is interrupted in the trip circuitry. This ensures that the protection system will in no way be degraded by this anticipatory trip because seismic design considerations do not form part of the design bases for anticipatory trip sensors. (The reactor protection system cabinets which receive the inputs from the anticipatory trip sensors are, of course, seismically qualified as discussed in Section 3.10.) The anticipatory trips thus meet IEEE Standard 279-1971, including redundancy, single failure, etc.

Prior to spring 2011 (RF-19), variations in the separation criteria (which still met the intent of IEEE 279 per previous FSAR discussion) existed with the turbine stop valve limit switches and the turbine electro-hydraulic control cabinet (EHC). This previously justified plant design configuration was eliminated by the digital EHC upgrade during RF-19, based upon the following:

  • Turbine stop valve limit switches are now independent from non-safety EHC valve position sensors, safety-related limit switch cabling from each stop valve terminal box is separated from non-safety position sensor cabling, and safety related limit switch wiring is separated (from non-safety EHC position sensors) to the extent practical due to space limitations within each stop valve terminal box.

The logic for this trip is functionally shown on Figure 7.2-1, Sheet 15.

7. Safety Injection Signal Actuation Trip

A reactor trip occurs when the safety injection system is actuated. The means of actuating the safety injection system are described in Section 7.3. This trip protects the core against a loss of reactor coolant or steam.

Figure 7.2-1, Sheet 8, shows the logic for this trip.

8. Manual Trip

The manual trip consists of 2 switches with 2 outputs on each switch. One (1) output is used to actuate the train A trip breaker and the train B bypass breaker; the other output actuates the train B trip breaker and the train A bypass breaker. Operating a manual trip switch removes the voltage from the undervoltage trip coil and energizes the shunt trip coil.

There are no interlocks which can block this trip. Figure 7.2-1, Sheet 3, shows the manual trip logic. The design conforms to Regulatory Guide 1.62 as shown in Figure 7.2-3.

7.2.1.1.3 Reactor Trip System Interlocks

1. Power Escalation Permissives

The overpower protection provided by the out of core nuclear instrumentation consists of 3 discrete, but overlapping, ranges. Continuation of startup operation or power increase requires a permissive signal from the higher range instrumentation channels before the lower range level trips can be manually blocked by the operator.

A 1 of 2 intermediate range permissive signal (P-6) is required prior to source range trip blocking. Source range trips are automatically reactivated when both intermediate range channels are below the permissive (P-6) setpoint. There are 2 manual reset switches for administratively reactivating the source range trip when between the permissive P-6 and P-10 setpoints, if required. Source range trip block is always maintained when above the permissive P-10 setpoint.

The intermediate range trip and power range (low setpoint) trip can only be blocked after satisfactory operation and permissive information are obtained from 2 of 4 power range channels. Four (4) individual blocking switches are provided so that the low range power range trip and intermediate range trip can be independently blocked (1 switch for each train).

These trips are automatically reactivated when any 3 of the 4 power range channels are below the permissive (P-10) setpoint, thus ensuring automatic activation to more restrictive trip protection.

The development of permissives P-6 and P-10 is shown on Figure 7.2-1, Sheet 4. All of the permissives are digital; they are derived from analog signals in the nuclear power range and intermediate range channels.

Separation of circuits is maintained throughout the system where practical. An exception is in the wiring between the turbine stop valve limit switch junction box and the valve limit switches and where external circuits terminate within the junction box. However, wiring within the junction box is separated as far as is practical.

See Table 7.2-2 for the list of protection system interlocks.


2. Blocks at Reactor Trips at Low Power

Interlock P-7 blocks a reactor trip at lower power (below approximately 10% of full power) on a low reactor coolant flow in more than 1 loop, reactor coolant pump undervoltage, reactor coolant pump underfrequency, pressurizer low pressure, or pressurizer high water level. See Figure 7.2-1, Sheets 5 and 6 for permissive applications. The low power signal is derived from 3 out of 4 power range neutron flux signals below the setpoint in coincidence with 2 out of 2 turbine first stage pressure signals below the setpoint (low plant load). See Figure 7.2-1, Sheets 4 and 15, for the derivation of P-7.

The P-8 interlock blocks a reactor trip when the plant is below approximately 50% of full power, on a low reactor coolant flow in any 1 loop. The block action (absence of the P-8 interlock signal) occurs when 3 out of 4 neutron flux power range signals are below the setpoint. Thus, below the P-8 setpoint, the reactor will be allowed to operate with 1 inactive loop and trip will not occur until 2 loops are indicating low flow. See Figure 7.2-1, Sheet 4, for derivation of P-8, and Sheet 5 for applicable logic.

Interlock P-9 blocks a reactor trip following a turbine trip below 50% power. See Figure 7.2-1 Sheet 15, for the implementation of the P-9 interlock. See Figure 7.2-1, Sheet 4, for the derivation of P-9.

See Table 7.2-2 for the list of protection system blocks.
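The block and automatic reinstatement of the power range low setpoint trip described under Power Escalation Permissives, together with the single-failure tolerance of 2-out-of-4 coincidence, as an added Python example (not part of the FSAR and not the plant's logic). The class and function names, the 25% and 109% trip setpoints and all channel readings are constructed for illustration; only the approximately 10% P-10 value and the 2-of-4 and 3-of-4 coincidences come from the text.

```python
"""Toy model of the power range low-setpoint trip block and P-10 permissive."""
from dataclasses import dataclass

# Setpoints in % of full power. P-10 is "approximately 10%" in the text;
# the two trip setpoints are constructed values for illustration only.
P10_SETPOINT = 10.0
LOW_TRIP_SETPOINT = 25.0
HIGH_TRIP_SETPOINT = 109.0


def coincidence(bistables, required):
    """True when at least `required` of the channel bistables are tripped."""
    return sum(1 for b in bistables if b) >= required


@dataclass
class LogicTrain:
    """One logic train's view of the four power range channels."""
    low_trip_blocked: bool = False

    def p10_present(self, power):
        # Permissive: 2 out of 4 power range channels above the P-10 setpoint.
        return coincidence([p > P10_SETPOINT for p in power], 2)

    def request_block(self, power):
        """Operator block switch; honoured only while P-10 is present."""
        if self.p10_present(power):
            self.low_trip_blocked = True
        return self.low_trip_blocked

    def evaluate(self, power):
        """Return True if this train demands a reactor trip."""
        # Automatic reinstatement: 3 out of 4 channels below P-10.
        if coincidence([p <= P10_SETPOINT for p in power], 3):
            self.low_trip_blocked = False
        high = coincidence([p >= HIGH_TRIP_SETPOINT for p in power], 2)
        low = coincidence([p >= LOW_TRIP_SETPOINT for p in power], 2)
        # The high setting is always active; the low one only when unblocked.
        return high or (low and not self.low_trip_blocked)


def survives_single_failure(power, setpoint, required=2):
    """Check coincidence voting against one failed channel.

    Returns (trip_kept, no_spurious_trip): whether the trip still occurs with
    any one channel stuck low, and whether one channel stuck high on its own
    fails to produce a trip.
    """
    n = len(power)
    trip_kept = all(
        coincidence([(0.0 if i == failed else p) >= setpoint
                     for i, p in enumerate(power)], required)
        for failed in range(n))
    no_spurious_trip = all(
        not coincidence([i == failed for i in range(n)], required)
        for failed in range(n))
    return trip_kept, no_spurious_trip


def run_scenario():
    """Constructed startup and power reduction sequence (% power per channel)."""
    train = LogicTrain()
    out = {}
    out["block_below_p10"] = train.request_block([5, 5, 5, 5])
    out["block_at_2_of_4"] = train.request_block([12, 11, 9, 9])
    out["trip_at_30_blocked"] = train.evaluate([30, 30, 30, 30])
    out["trip_high"] = train.evaluate([110, 110, 50, 50])
    out["trip_after_descent"] = train.evaluate([9, 9, 9, 12])
    out["blocked_after_descent"] = train.low_trip_blocked
    out["trip_low_reinstated"] = train.evaluate([26, 26, 5, 5])
    return out


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
    print(survives_single_failure([30, 30, 30, 30], LOW_TRIP_SETPOINT))
```

With four channels, "2 of 4 above" and "3 of 4 below" are exact complements, so the block latch can only be set while P-10 is present and is always cleared once it is lost.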

7.2.1.1.4 Coolant Temperature Sensor Arrangement

Narrow Range Hot and Cold Leg Temperature

The hot and cold loop temperature signals required for input to the protection and control functions are obtained using thermowell mounted RTDs installed in each reactor coolant loop.

The hot leg temperature measurement in each loop is accomplished using 3 fast response narrow range dual element RTDs mounted in thermowells. The hot leg thermowells are located within the 3 scoops previously used for the RTD bypass manifold at locations 120° apart in the cross sectional sleeve. The scoops were modified by drilling a flow hole in the top of the scoops so that water flows in through the existing holes in the leading edge of the scoop, past the RTD and out through the new drilled hole.

Due to temperature streaming, the 3 fast response hot leg RTDs are electronically averaged to generate the hot leg temperature.

The cold leg temperature measurements in each loop are accomplished by 1 fast response narrow range dual element RTD. The existing cold leg RTD bypass penetration nozzle was modified to accept the thermowell and RTD. Temperature streaming in the cold leg is not a concern due to the mixing action of the reactor coolant pump.

7.2.1.1.5 Pressurizer Water Level Reference Leg Arrangement

The design of the pressurizer water level instrumentation employs the usual tank level arrangement using differential pressure between an upper and a lower tap on a column of water. A reference leg connected to the upper tap is kept full of water by condensation of steam at the top of the leg.

7.2.1.1.6 Analog System

The analog system consists of two instrumentation systems; the process instrumentation system and the Nuclear Instrumentation System.

Process instrumentation includes those devices (and their interconnection into systems) which measure temperature, pressure, fluid flow, fluid level as in tanks or vessels, and occasionally physiochemical parameters such as fluid conductivity or chemical concentration. Process instrumentation specifically excludes nuclear and radiation measurements. The process instrumentation includes the process measuring devices, power supplies, indicators, recorders, alarm actuating devices, controllers, signal conditioning devices, etc., which are necessary for day-to-day operation of the nuclear steam supply system as well as for monitoring the plant and providing initiation of protective functions upon approach to unsafe plant conditions.

The primary function of nuclear instrumentation is to protect the reactor by monitoring the neutron flux and generating appropriate trips and alarms for various phases of reactor operating and shutdown conditions. It also provides a secondary control function and indicates reactor status during startup and power operation. The nuclear instrumentation system uses information from 3 separate types of instrumentation channels to provide 3 discrete protection levels. Each range of instrumentation (source, intermediate, and power) provides the necessary overpower reactor trip protection required during operation in that range. The overlap of instrument ranges provides reliable continuous protection beginning with source level through the intermediate and low power level. As the reactor power increases, the overpower protection level is increased by administrative procedures after satisfactory higher range instrumentation operation is obtained.

Automatic reset to more restrictive trip protection is provided when reducing power.

Various types of neutron detectors, with appropriate solid-state electronic circuitry, are used to monitor the leakage neutron flux from a completely shutdown condition to 120% of full power.

The power range channels are capable of recording overpower excursions up to 200% of full power. The neutron flux covers a wide range between these extremes. Therefore, monitoring with several ranges of instrumentation is necessary. The lowest range (source range) covers 6 decades of leakage neutron flux. The lowest observed count rate depends on the strength of the neutron sources in the core and the core multiplication associated with the shutdown reactivity.

This is generally greater than 2 counts per second. The next range (intermediate range) covers ten plus decades. Detectors and instrumentation are chosen to provide overlap between the higher portion of the source range and the lower portion of the intermediate range. The highest range of instrumentation (power range) covers approximately 2 decades of the total instrumentation range. This is a linear range that overlaps with the higher portion of the intermediate range.

The system described above provides control room indication and recording of signals proportional to reactor neutron flux during core loading, shutdown, startup and power operation, as well as during subsequent refueling. Startup rate indication for the source and intermediate range channels is provided at the control board. Reactor trip, rod stop, control and alarm signals are transmitted to the reactor control and protection system for automatic plant control.

Equipment failures and test status information are annunciated in the control room.

See References 1 and 2 for additional background information on the process and nuclear instrumentation systems.

7.2.1.1.7 Solid-State Logic Protection System

The solid-state logic protection system takes binary inputs (voltage/no voltage) from the process and nuclear instrument channels corresponding to conditions (normal/abnormal) of plant parameters. The system combines these signals in the required logic combination and generates a trip signal (no voltage) to the undervoltage trip attachment and shunt trip auxiliary relay coils of the reactor trip circuit breakers when the necessary combination of signals occur. The system also provides annunciator, status light and computer input signals which indicate the condition of bistable input signals, partial trip and full trip functions and the status of the various blocking, permissive and actuation functions. In addition the system includes means for semi-automatic testing of the logic circuits. Refer to Reference 3 for background information.

7.2.1.1.8 Isolation Amplifiers

Westinghouse considers it advantageous to employ control signals derived from individual protection channels through isolation amplifiers contained in the protection channel, as permitted by IEEE Standard 279-1971.

Analog signals derived from protection channels for nonprotective functions are obtained through isolation amplifiers located in the analog protection racks. By definition, nonprotective functions include those signals used for control, remote process indication, and computer monitoring.

7.2.1.1.9 Energy Supply and Environmental Variations

The energy supply for the reactor trip system, including the voltage and frequency variations, is described in Section 7.6 and Chapter 8. The environmental variations, throughout which the system will perform, are given in Section 3.11 and Chapter 8.

7.2.1.1.10 Setpoints

The setpoints that require trip action are given in the Technical Specifications. A detailed discussion on setpoints is found in Section 7.1.2.1.9.

7.2.1.1.11 Seismic Design

The seismic design considerations for the reactor trip system are given in Section 3.10. This design meets the requirements of Criterion 2 of the 1971 General Design Criteria (GDC).

7.2.1.2 Design Bases Information

The information given below presents the design bases information requested by Section 3 of IEEE Standard 279-1971. Functional logic diagrams are presented in Figure 7.2-1.

7.2.1.2.1 Generating Station Conditions

The following are the generating station conditions requiring reactor trip:

1. DNBR approaching the safety limit.
2. Power density (kilowatts per foot) approaching rated value for Condition II faults (see Chapter 4 for fuel design limits).
3. Reactor Coolant System overpressure creating stresses approaching the limits specified in Chapter 5.

7.2.1.2.2 Generating Station Variables

The following are the variables required to be monitored in order to provide reactor trips (see Table 7.2-1).

1. Neutron flux.
2. Reactor coolant temperature.
3. Reactor coolant system pressure (pressurizer pressure).
4. Pressurizer water level.
5. Reactor coolant flow.
6. Reactor coolant pump operational status (voltage and frequency).
7. Steam generator feedwater flow.
8. Steam generator water level.
9. Turbine generator operational status (trip fluid pressure and stop valve position).
10. Steam flow

7.2.1.2.3 Spatially Dependent Variables

The following variable is spatially dependent:

1. Reactor coolant temperature (see Section 7.3.1.2 for a discussion of this variable spatial dependence).

7.2.1.2.4 Limits, Margins and Setpoints

The parameter values that will require reactor trip are given in the Technical Specifications, and in Chapter 15, Accident Analyses. Chapter 15 proves that the setpoints used in Chapter 16 are conservative.

The setpoints for the various functions in the reactor trip system have been analytically determined such that the operational limits so prescribed will prevent fuel rod clad damage and loss of integrity of the reactor coolant system as a result of any ANS Condition II incident (anticipated malfunction). As such, during any ANS Condition II incident, the reactor trip system limits the following parameters to:

1. Minimum DNBR safety limit.
2. Maximum system pressure: 2750 psia
3. Fuel rod maximum linear power for determination of protection setpoints: 18.0 kW/foot

The accident analyses described in Section 15.2 demonstrate that the functional requirements as specified for the reactor trip system are adequate to meet the above considerations, even assuming, for conservatism, adverse combinations of instrument errors (refer to Table 15.1-2). A discussion of the safety limits associated with the reactor core and reactor coolant system, plus the limiting safety system setpoints, is presented in the Technical Specifications.

7.2.1.2.5 Abnormal Events The malfunctions, accidents or other unusual events which could physically damage reactor trip system components or could cause environmental changes are as follows:

1. Earthquakes (see Chapters 2 and 3).
2. Fire (see Section 9.5).
3. Missiles (see Section 3.5).
4. Flood (see Chapters 2 and 3).
5. Wind and Tornadoes (see Section 3.3).

The reactor trip system fulfills the requirements of IEEE Standard 279-1971 to provide automatic protection and to provide initiating signals to mitigate the consequences of faulted conditions.

7.2.1.2.6 Minimum Performance Requirements

1. Reactor trip system response times

Reactor trip system response time is defined in Section 7.1. Typical maximum allowable time delays in generating the reactor trip signal are tabulated in Table 7.2-3. (See Section 7.1.2.11 for a discussion of periodic response time verification

2. Reactor trip accuracies

Accuracy is defined in Section 7.1. Reactor trip accuracies are tabulated in Table 7.2-3. An additional discussion on accuracy is found in Table 7.1.2.1.9.

3. Protection system ranges

Typical protection system ranges are tabulated in Table 7.2-3. Range selection for the instrumentation covers the expected range of the process variable being monitored during power operation. Limiting setpoints are at least 5% from the end of the instrument span.

7.2.1.3 Final Systems Drawings Functional block diagrams, electrical elementaries and other drawings required to assure electrical separation and perform a safety review are provided in the safety-related drawing package as discussed in Section 1.7.

7.2.2 Analysis

7.2.2.1 Failure Mode and Effects Analyses An analysis of the reactor trip system has been performed. Results of this study and a fault tree analysis are presented in Reference 4.

7.2.2.2 Evaluation of Design Limits While most setpoints used in the reactor protection system are fixed, there are variable setpoints, most notably the overtemperature ΔT and overpower ΔT setpoints. All setpoints in the reactor trip system have been selected on the basis of engineering design or safety studies. The capability of the reactor trip system to prevent loss of integrity of the fuel cladding and/or Reactor Coolant System pressure boundary during Condition II and III transients is demonstrated in Chapter 15.

These accident analyses are carried out using those setpoints determined from results of the engineering design studies. Setpoint limits are presented in the Technical Specifications. A discussion of the intent for each of the various reactor trips and the accident analyses (where appropriate) which utilize this trip is presented below. It should be noted that the selected trip setpoints all provide for margin before protection action is actually required to allow for uncertainties and instrument errors. The design meets the requirements of Criteria 10 and 20 of the 1971 GDC.

7.2.2.2.1 Trip Setpoint Discussion The accident analysis shows that below the DNBR safety limit, a potential for local fuel cladding failure exists. The DNBR existing at any point in the core for a given core design can be determined as a function of the core inlet temperature, power output, operating pressure and flow.

Consequently, core safety limits in terms of a DNBR equal to the safety limit for the hot channel can be developed as a function of core ΔT, Tavg and pressure for a specified flow as illustrated by the solid lines in Figure 15.1-1. Also shown as solid lines in Figure 15.1-1 are the loci of conditions equivalent to 118% of power as a function of ΔT and Tavg representing the overpower (kW/ft) limit on the fuel. The dashed lines indicate the maximum permissible setpoint (ΔT) as a function of Tavg and pressure for the overtemperature and overpower reactor trip. Actual setpoint constants in the equation representing the dashed lines are as given in the Technical Specifications. These values are conservative to allow for instrument errors. The design meets the requirements of Criteria 10, 15, 20, and 29 of the 1971 GDC.

DNBR is not a directly measurable quantity; however, the process variables that determine DNBR are sensed and evaluated. Small isolated changes in various process variables may not individually result in violation of a core safety limit; whereas the combined variations, over sufficient time, may cause the overpower or overtemperature safety limit to be exceeded. The design concept of the reactor trip system takes cognizance of this situation by providing reactor trips associated with individual process variables in addition to the overpower/overtemperature safety limit trips. Process variable trips prevent reactor operation whenever a change in the monitored value is such that a core or system safety limit is in danger of being exceeded should operation continue. Basically, the high pressure, low pressure and overpower/overtemperature ΔT trips provide sufficient protection for slow transients as opposed to such trips as low flow or high flux which will trip the reactor for rapid changes in flow or flux, respectively, that would result in fuel damage before actuation of the slower responding ΔT trips could be effected.

Therefore, the reactor trip system has been designed to provide protection for fuel cladding and Reactor Coolant System pressure boundary integrity where: 1) a rapid change in a single variable or factor will quickly result in exceeding a core or a system safety limit, and 2) a slow change in 1 or more variables will have an integrated effect which will cause safety limits to be exceeded. Overall, the reactor trip system offers diverse and comprehensive protection against fuel cladding failure and/or loss of reactor coolant system integrity for Condition II and III accidents. This is demonstrated by Table 7.2-4 which lists the various trips of the reactor trip system, the corresponding Technical Specification on safety limits and safety system settings and the appropriate accident discussed in the safety analyses in which the trip could be utilized.

The design meets the requirements of Criterion 21 of the 1971 GDC.

Preoperational testing is performed on reactor trip system components and systems to determine equipment readiness for startup. This testing serves as a further evaluation of the system design.

Analyses of the results of Condition I, II, III, and IV events, including considerations of instrumentation installed to mitigate their consequences are presented in Chapter 15. The instrumentation installed to mitigate the consequences of load rejection and turbine trip is given in Section 7.4.

7.2.2.2.2 Reactor Coolant Flow Measurement The elbow taps used on each loop in the primary coolant system are instrument devices that indicate the status of the reactor coolant flow. The basic function of this device is to provide information as to whether or not a reduction in flow has occurred. The correlation between flow and elbow tap signal is given by the following equation:



$$\frac{\Delta P}{\Delta P_0} = \left(\frac{w}{w_0}\right)^2$$

where ΔP0 is the pressure differential at the reference flow, w0, and ΔP is the pressure differential at the corresponding flow, w. The full flow reference point is established during initial plant startup. The low flow trip point is then established by extrapolating along the correlation curve.

The expected absolute accuracy of the channel is within +/- 10% of full flow and field results have shown the repeatability of the trip point to be within +/- 1%.

7.2.2.2.3 Evaluation of Compliance to Applicable Codes and Standards The reactor trip system meets the criteria of the General Design Criteria as indicated. The reactor trip system meets the requirements of Section 4 of IEEE Standard 279-1971 as indicated below.

7.2.2.2.3.1 General Functional Requirement The protection system automatically initiates appropriate protective action whenever a condition monitored by the system reaches a preset level. Functional performance requirements are given in Section 7.2.1.1.1. Section 7.2.1.2.4 presents a discussion of limits, margins and setpoints; Section 7.2.1.2.5 discusses unusual (abnormal) events; and Section 7.2.1.2.6 presents minimum performance requirements.

7.2.2.2.3.2 Single Failure Criterion The protection system is designed to provide 2, 3, or 4 instrumentation channels for each protective function and 2 logic train circuits. These redundant channels and trains are electrically isolated and physically separated. Thus, any single failure within a channel or train will not prevent protective action at the system level when required. Loss of input power to a channel or logic train will result in a signal calling for a trip. This design meets the requirements of Criterion 23 of the 1971 GDC.

To prevent the occurrence of common mode failures, such additional measures as functional diversity, physical separation, and testing as well as administrative control during design, production, installation and operation are employed. The design meets the requirements of Criteria 21 and 22 of the 1971 GDC.

7.2.2.2.3.3 Quality of Components and Modules For a discussion on the quality of the components and modules used in the reactor trip system, refer to Chapter 17. The quality assurance applied conforms to Criterion 1 of the 1971 GDC.

7.2.2.2.3.4 Equipment Qualification For a discussion of the type tests made to verify the performance requirements, refer to Section 3.11. The test results demonstrate that the design meets the requirements of Criterion 4 of the 1971 GDC.

7.2.2.2.3.5 Channel Integrity Protection system channels required to operate in accident conditions maintain necessary functional capability under extremes of conditions relating to environment, energy supply, malfunctions, and accidents. The energy supply for the reactor trip system is described in Section 7.6 and Chapter 8. The environmental variations throughout which the system will perform are given in Section 3.11.

7.2.2.2.3.6 Independence Channel independence is carried throughout the system, extending from the sensor through to the devices actuating the protective function. Physical separation is used to achieve separation of redundant transmitters. Separation of wiring is achieved using separate wireways, cable trays, conduit runs and containment penetrations for each redundant channel. Redundant analog equipment is separated by locating modules in different protection cabinets. Each redundant protection channel set is energized from a separate a-c power feed. This design meets the requirements of Criterion 21 of the 1971 GDC.

Two (2) reactor trip breakers are actuated by 2 separate logic matrices which interrupt power to the control rod drive mechanisms. The breaker main contacts are connected in series with the power supply so that opening either breaker interrupts power to all full length control rod drive mechanisms, permitting the rods to free fall into the core (see Figure 7.1-1).

The design philosophy is to make maximum use of a wide variety of measurements. The protection system continuously monitors numerous diverse system variables. Generally, 2 or more diverse protection functions would terminate an accident before intolerable consequences could occur. This design meets the requirements of Criterion 22 of the 1971 GDC.

7.2.2.2.3.7 Control and Protection System Interaction The protection system is designed to be independent of the control system. In certain applications the control signals and other nonprotective functions are derived from individual protective channels through isolation amplifiers. The isolation amplifiers are classified as part of the protection system and are located in the analog protective racks. Nonprotective functions include those signals used for control, remote process indication, and computer monitoring. The isolation amplifiers are designed such that a short circuit, open circuit, or the application of credible fault voltages from within the cabinets on the isolated output portion of the circuit (i.e., the nonprotective side of the circuit) will not affect the input (protective) side of the circuit. The signals obtained through the isolation amplifiers are never returned to the protective racks. This design meets the requirements of Criterion 24 of the 1971 GDC and paragraph 4.7 of IEEE Standard 279-1971.

Moreover, Westinghouse programs in the period of late 1973 to mid 1976 have demonstrated by tests that credible faults or interference on cables associated with protection system racks cannot degrade system performance. The nuclear instrumentation and solid state protection systems tests are reported in the Westinghouse Protection System Noise Tests which were accepted by the NRC in support of the Diablo Canyon Application (Docket Numbers 50-275 and 50-323). The tests on the 7300 Series Process Control System are reported in Reference 5, a topical report accepted by the NRC.

In the Virgil C. Summer Nuclear Station, cables leaving the protection system racks are not routed with cables carrying potentials greater than those to which the systems were subjected in the Westinghouse test programs. Consequently these test programs are applicable to the Virgil C. Summer Nuclear Station and demonstrate that protection system performance cannot be degraded even if subjected to abnormal electrical conditions which far exceed those which can be reasonably postulated.

The results of applying various malfunction conditions on the output portion of the isolation amplifiers show that no significant disturbance to the isolation amplifier input signal occurred.

7.2.2.2.3.8 Derivation of System Inputs To the extent feasible and practical, protection system inputs are derived from signals which are direct measures of the desired variables. Variables monitored for the various reactor trips are listed in Section 7.2.1.2.2.

7.2.2.2.3.9 Capability for Sensor Checks The operational availability of each system input sensor during reactor operation is verified by cross checking between channels that bear a known relationship to each other and that have readouts available. Channel checks are discussed in Technical Specification 3/4.3 and Table 4.3-1 of the Technical Specifications.

7.2.2.2.3.10 Capability for Testing The reactor trip system is capable of being tested during power operation. Where only parts of the system are tested at any one time, the testing sequence provides the necessary overlap between the parts to assure complete system operation. The testing capabilities are in conformance with Regulatory Guide 1.22 as discussed in Section 7.1.2.5.

The protection system is designed to permit periodic testing of the analog channel portion of the reactor trip system during reactor power operation without initiating a protective action unless a trip condition actually exists. This is because of the coincidence logic required for the reactor trip.

These tests may be performed at any plant power from cold shutdown to full power. Before starting any of these tests with the plant at power, all redundant reactor trip channels associated with the function to be tested must be in the normal (untripped) mode in order to avoid spurious trips. Setpoints are referenced in the precautions, limitations and setpoints portion of the plant technical manual.

1. Analog Channel Tests Analog channel testing is performed at the analog instrumentation rack set by individually introducing dummy input signals into the instrumentation channels and observing the tripping of the appropriate output bistables. Process analog output to the logic circuitry is interrupted during individual channel test by a test switch which, when thrown, de-energizes the associated logic input and inserts a proving lamp in the bistable output. Interruption of the bistable output to the logic circuitry for any cause (test, maintenance purposes, or removed from service) will cause that portion of the logic to be actuated (partial trip) accompanied by a partial trip alarm and channel status light actuation in the control room.

Each channel contains those switches, test points, etc. necessary to test the channel. See Reference 1 for additional background information.

The following periodic tests of the analog channels of the protection circuits are performed:

a. Tavg and ΔT protection channel testing.
b. Pressurizer pressure protection channel testing.
c. Pressurizer water level protection channel testing.
d. Steam/feedwater flow protection channel testing.
e. Steam generator water level protection channel testing.
f. Reactor coolant low flow, underfrequency, and undervoltage protection channels.
g. Turbine first stage pressure channel testing.
2. Nuclear Instrumentation Channel Tests

The power range channels of the Nuclear Instrumentation System are tested by superimposing a test signal on the actual detector signal being received by the channel at the time of testing. The output of the bistable is not placed in a tripped condition prior to testing.

Also, since the power range channel logic is 2 out of 4, bypass of this reactor trip function is not required.

To test a power range channel, a TEST-OPERATE switch is provided that requires deliberate operator action, and operation of which initiates the CHANNEL TEST annunciator in the control room. Bistable operation is tested by increasing the test signal to its trip setpoint and verifying bistable relay operation by control board annunciator and trip status lights.

It should be noted that a valid trip signal would cause the channel under test to trip at a lower actual reactor power level. A reactor trip would occur when a second bistable trips. No provision has been made in the channel test circuit for reducing the channel signal level below that signal being received from the Nuclear Instrumentation System detector.

A Nuclear Instrumentation System channel which can cause a reactor trip through 1 of 2 protection logic (source or intermediate range) is provided with a bypass function which prevents the initiation of a reactor trip from that particular channel during the short period that it is undergoing test. These bypasses are annunciated in the control room.

The following periodic tests of the Nuclear Instrumentation System are performed:

a. Testing at plant shutdown
(1) Source range testing.
(2) Intermediate range testing.
(3) Power range testing.
b. Testing below P-6 permissive power level
(1) Source range testing.
c. Testing below P-10 permissive power level
(1) Intermediate range testing.
(2) Power range, low setpoint testing.
d. Testing above P-10 permissive power level
(1) Power range testing.

Any deviations noted during the performance of these tests are investigated and corrected in accordance with the established calibration and troubleshooting procedures provided in the plant technical manual for the Nuclear Instrumentation System. Control and protection trip settings are indicated in the plant technical manual under precautions, limitations, and setpoints.

For additional background information on the Nuclear Instrumentation System see Reference 2.

3. Solid-State Logic Testing The reactor logic trains of the reactor trip system are designed to be capable of complete testing at power. After the individual channel analog testing is complete, the logic matrices are tested from the train A and train B logic rack test panels. This step provides overlap between the analog and logic portions of the test program. During this test, all of the logic inputs are actuated automatically in all combinations of trip and nontrip logic. Trip logic is not maintained long enough to permit opening of the reactor trip breakers. The reactor trip undervoltage coils are pulsed in order to check continuity. During logic testing of 1 train, the other train can initiate any required protective functions. Annunciation is provided in the control room to indicate when a train is in test (train output bypassed) and when a reactor trip breaker is bypassed. Logic testing can be performed in less than 30 minutes.

A direct reactor trip resulting from undervoltage or underfrequency on the reactor coolant pump buses is provided as discussed in Section 7.2.1 and shown on Figure 7.2-1. The logic for these trips is capable of being tested during power operation. When parts of the trip are being tested, the sequence is such that an overlap is provided between parts so that a complete logic test is provided. Thus complete testing of Westinghouse equipment is possible.

This design complies with the testing requirements of IEEE Standard 279-1971 and IEEE Standard 338-1971 discussed in Section 7.1.2.11.

The permissive and block interlocks associated with the reactor trip system and engineered safety features actuation system are given on Tables 7.2-2 and 7.3-3 and designated protection or P interlocks. As a part of the protection system, these interlocks are designed to meet the testing requirements of IEEE Standards 279-1971 and 338-1971.

Testing of all protection system interlocks is provided by the logic testing and semi-automatic testing capabilities of the solid-state protection system. In the solid-state protection system the undervoltage trip attachment and shunt trip auxiliary relay coils (reactor trip) and master relays (engineered safeguards actuation) are pulsed for all combinations of trip or actuation logic with and without the interlock signals. For example, reactor trip on low flow (2 out of 3 loops showing 2 out of 3 low flow) is tested to verify operability of the trip above P-7 and nontrip below P-7 (see Figure 7.2-1, Sheet 5). Interlock testing may be performed at power.

Testing of the logic trains of the reactor trip system includes a check of the input relays and a logic matrix check. The following sequence is used to test the system:

a. Check of input relays

During testing of the process instrumentation system and Nuclear Instrumentation System channels, each channel bistable is placed in a trip mode causing one input relay in train A and one in train B to de-energize. A contact of each relay is connected to a universal logic printed circuit card. This card performs both the reactor trip and monitoring functions.

Reactor trip inputs cause status lamps and annunciators on the control board to operate as shown in Figure 7.2-1. Either the Train A or Train B input relay operation will light the status lamp and annunciator.

Each train contains a multiplexing test switch. At the start of a process or Nuclear Instrumentation System test, this switch (in either train) is placed in the A + B position.

The A + B position alternately allows information to be transmitted from the 2 trains to the control board. A steady status lamp and annunciator indicates that input relays in both trains have been de-energized. A flashing lamp means that the input relays in the 2 trains did not both de-energize. Contact inputs to the logic protection system, such as reactor coolant pump bus underfrequency relays, operate input relays which are tested by operating the remote contacts as described above and using the same type of indications as those provided for bistable input relays.

Actuation of the input relays provides the overlap between the testing of the logic protection system and the testing of those systems supplying the inputs to the logic protection system. Test indications are status lamps and annunciators on the control board.

Inputs to the logic protection system are checked 1 channel at a time, leaving the other channels in service. For example, a function that trips the reactor when 2 out of 4 channels trip becomes a 1 out of 3 trip when 1 channel is placed in the trip mode. Both trains of the logic protection system remain in service during this portion of the test.

b. Check of logic matrices Logic matrices are checked 1 train at a time. Input relays are not operated during this portion of the test. Reactor trips from the train being tested are inhibited with the use of the input error inhibit switch on the semi-automatic test panel in the train. At the completion of the logic matrix tests, one bistable in each channel of process instrumentation or nuclear instrumentation is tripped to check closure of the input error inhibit switch contacts.

The logic test scheme uses pulse techniques to check the coincidence logic. All possible trip and nontrip combinations are checked. Pulses from the tester are applied to the inputs of the universal logic card at the same terminals that connect to the input relay contacts.

Thus there is an overlap between the input relay check and the logic matrix check. Pulses are fed back from the reactor trip breaker undervoltage trip attachment and shunt trip auxiliary relay coils to the tester. The pulses are of such short duration that the reactor trip breaker undervoltage coil armature cannot respond mechanically.

Test indications that are provided are an annunciator in the control room indicating that reactor trips from the train have been blocked and that the train is being tested, and green and red lamps on the semi-automatic tester to indicate a good or bad logic matrix test.

Protection capability provided during this portion of the test is from the train not being tested.

The testing capability meets the requirements of Criterion 21 of the 1971 GDC.

4. Testing of Reactor Trip Breakers Normally, reactor trip breakers 52/RTA and 52/RTB (see Figure 7.2-1, Sheet 2) are in service, and bypass breakers 52/BYA and 52/BYB are withdrawn (out of service). The following procedure describes the method used for testing the trip breakers:
a. With bypass breaker 52/BYA racked out, manually close and trip it to verify its operation.
b. Rack in and close 52/BYA. Manually trip 52/RTA through a protection system logic matrix while at the same time operating the Auto Shunt Trip Block pushbutton on the automatic shunt trip panel. This verifies operation of the Undervoltage Trip Attachment (UVTA) when the breaker trips. After reclosing RTA, trip it again by operation of the Auto Shunt Trip Test pushbutton on the automatic shunt trip panel. This is to verify tripping of the breaker through the shunt trip device.
c. Reset 52/RTA.
d. Trip and rack out 52/BYA.
e. Repeat above steps to test trip breaker 52/RTB using bypass breaker 52/BYB.

Auxiliary contacts of the bypass breakers are connected into the alarm system of their respective trains such that if either train is placed in test while the bypass breaker of the other train is closed, both reactor trip breakers and both bypass breakers will automatically trip.

Auxiliary contacts of the bypass breakers are also connected in such a way that if an attempt is made to close the bypass breaker in 1 train while the bypass breaker of the other train is already closed, both bypass breakers will automatically trip.

The train A and train B alarm systems operate separate annunciators in the control room. The 2 bypass breakers also operate an annunciator in the control room. Bypassing of a protection train with either the bypass breaker or with the test switches will result in audible and visual indications.

The complete reactor trip system is normally required to be in service. However, to permit online testing of the various protection channels or to permit continued operation in the event of a subsystem instrumentation channel failure, a Technical Specification, 3/4.3, defining the minimum number of operable channels has been formulated. This Technical Specification also defines the required restriction to operation in the event that the channel operability requirements cannot be met.
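The coincidence voting, de-energize-to-trip inputs and all-combinations logic matrix check described in this section can be modeled in a few functions. The following Python model is an added example, not the plant's or the vendor's logic; all function names and the stuck-input fault are hypothetical, and the low-flow function covers only the 2-of-3-loops, P-7 case the text cites.

```python
"""Constructed model of the coincidence logic and logic matrix test."""
from itertools import product


def bistable_output(process_trip, energized=True, in_test=False):
    """Logic input for one channel (True = calls for trip).

    De-energize-to-trip: loss of power or an interrupted bistable output
    (test, maintenance, removed from service) reads as a trip input.
    """
    return process_trip or not energized or in_test


def coincidence(inputs, m):
    """m-out-of-n vote over channel trip inputs."""
    return sum(map(bool, inputs)) >= m


def effective_logic(n, m, channels_in_trip):
    """Vote that remains once some channels are held in the trip mode.

    Returns (trips_still_needed, channels_still_in_service).
    """
    return max(m - channels_in_trip, 0), n - channels_in_trip


def tolerates_single_failure(n, m):
    """True if the function still trips with any one channel failed to the
    non-trip state while every other channel senses the trip condition."""
    for failed in range(n):
        inputs = [ch != failed for ch in range(n)]
        if not coincidence(inputs, m):
            return False
    return True


def low_flow_trip(loops, p7):
    """2 of 3 loops, each showing 2 of 3 low-flow channels, enabled only
    when the P-7 permissive is present (simplified to the cited case)."""
    loops_low = [coincidence(channels, 2) for channels in loops]
    return p7 and coincidence(loops_low, 2)


def stuck_input_card(loops, p7):
    """Hypothetical faulty card: loop 3, channel 3 input stuck non-trip."""
    patched = [list(channels) for channels in loops]
    patched[2][2] = False
    return low_flow_trip(patched, p7)


def matrix_test(logic_under_test):
    """Apply every trip/nontrip input combination, with and without the
    interlock, and compare the result with the specified truth table.

    Returns (combinations_checked, failures).
    """
    checked, failures = 0, []
    for bits in product([False, True], repeat=9):
        loops = [bits[0:3], bits[3:6], bits[6:9]]
        for p7 in (False, True):
            expected = p7 and sum(sum(loop) >= 2 for loop in loops) >= 2
            if logic_under_test(loops, p7) != expected:
                failures.append((loops, p7))
            checked += 1
    return checked, failures


if __name__ == "__main__":
    # A channel that loses power presents a trip input (partial trip).
    print("power loss reads as trip:", bistable_output(False, energized=False))
    # 2-out-of-4 with one channel in the trip mode becomes 1-out-of-3.
    print("2/4 with one channel in trip:", effective_logic(4, 2, 1))
    for n, m in [(4, 2), (3, 2), (2, 2)]:
        print(f"{m}/{n} tolerates single failure:",
              tolerates_single_failure(n, m))
    for name, card in [("healthy", low_flow_trip), ("stuck", stuck_input_card)]:
        checked, failures = matrix_test(card)
        print(f"{name} card: {checked} combinations, {len(failures)} failures")
```

The stuck input is invisible in most input combinations, which is why the tester exercises every trip and nontrip combination rather than a sample.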

7.2.2.2.3.11 Channel Bypass or Removal from Operation The protection system is designed to permit periodic testing of the analog channel portion of the reactor trip system during reactor power operation without initiating a protective action unless a trip condition actually exists. This is because of the coincidence logic required for reactor trip.

Additional information is given in Section 7.3.2.2.5.

7.2.2.2.3.12 Operating Bypasses Where operating requirements necessitate automatic or manual bypass of a protective function, the design is such that the bypass is removed automatically whenever permissive conditions are not met. Devices used to achieve automatic removal of the bypass of a protective function are considered part of the protective system and are designed in accordance with the criteria of this section. Indication is provided in the control room if some part of the system has been administratively bypassed or taken out of service.

7.2.2.2.3.13 Indication of Bypasses Bypass indication is discussed in Section 7.1.2.6 and Appendix 3A.

7.2.2.2.3.14 Access to Means for Bypassing The design provides for administrative control of access to the means for manually bypassing channels or protective functions.

7.2.2.2.3.15 Multiple Setpoints For monitoring neutron flux, multiple setpoints are used. When a more restrictive trip setting becomes necessary to provide adequate protection for a particular mode of operation or set of operating conditions, the protective system circuits are designed to provide positive means or administrative control to assure that the more restrictive trip setpoint is used. The devices used to prevent improper use of less restrictive trip settings are considered part of the protective system and are designed in accordance with the criteria of this section.

7.2.2.2.3.16 Completion of Protective Action The protection system is so designed that, once initiated, a protective action goes to completion.

Return to normal operation requires action by the operator.

7.2.2.2.3.17 Manual Initiation Switches are provided on the control board for manual initiation of protective action. Failure in the automatic system does not prevent the manual actuation of the protective functions. Manual actuation relies on the operation of a minimum of equipment.

7.2.2.2.3.18 Access The design provides for administrative control of access to all setpoint adjustments, module calibration adjustments, and test points.

7.2.2.2.3.19 Identification of Protective Actions Protective channel identification is discussed in Section 7.1.2.3. Indication is discussed in Section 7.2.2.2.3.20.

7.2.2.2.3.20 Information Read Out The protective system provides the operator with complete information pertinent to system status and safety. All transmitted signals (flow, pressure, temperature, etc.) which can cause a reactor trip will be either indicated or recorded for every channel, including all neutron flux power range currents (top detector, bottom detector, algebraic difference and average of bottom and top detector currents).

Any reactor trip will actuate an alarm and an annunciator. Such protective actions are indicated and identified down to the channel level.

Alarms and annunciators are also used to alert the operator of deviations from normal operating conditions so that he may take appropriate corrective action to avoid a reactor trip. Actuation of any rod stop or trip of any reactor trip channel will actuate an alarm.

7.2.2.2.3.21 System Repair

The system is designed to facilitate the recognition, location, replacement, and repair of malfunctioning components or modules. Refer to the discussion in Section 7.2.2.2.3.10.

7.2.2.3 Specific Control and Protection Interactions

7.2.2.3.1 Neutron Flux

Four (4) power range neutron flux channels are provided for overpower protection. An isolated auctioneered high signal is derived by auctioneering of the 4 channels for automatic rod control. If any channel fails in such a way as to produce a low output, that channel is incapable of proper overpower protection but will not cause control rod movement because of the auctioneer. Two (2) out of 4 overpower trip logic will ensure an overpower trip if needed even with an independent failure in another channel.

In addition, channel deviation signals in the control system will give an alarm if any neutron flux channel deviates significantly from the average of the flux signals. Also, the control system will respond only to rapid changes in indicated neutron flux; slow changes or drifts are compensated by the temperature control signals. Finally, an overpower signal from any nuclear power range channel will block manual and automatic rod withdrawal. The setpoint for this rod stop is below the reactor trip setpoint.

7.2.2.3.2 Coolant Temperature

The accuracy of the resistance temperature detector temperature measurements is demonstrated during plant startup. Tests compare with each other as well as with the temperature measurements obtained from cold leg piping of each loop. The comparisons are done with the Reactor Coolant System in an isothermal condition. The linearity of the ΔT detectors as a function of plant power is also checked during plant startup as far as reactor protection is concerned. Reactor trip system setpoints are based upon percentages of the indicated ΔT at nominal full power rather than on absolute values of ΔT. This is done to account for loop differences which are inherent. Therefore, the percent ΔT scheme is relative, not absolute, and therefore provides better protective action without the expense of accuracy. For this reason, the linearity of the ΔT signals as a function of power is of importance rather than the absolute values of the ΔT. As part of the plant startup tests, the resistance temperature detector signals will be compared with the core exit thermocouple signals.

The input signals to the reactor control systems are obtained from electronically isolated protection Tavg and Delta-T signals (one per loop). A Median Signal Selector (MSS) is implemented in the reactor control system, one for Tavg and one for Delta-T. The MSS receives three signals as input and selects the median signal for input to the appropriate control system.

Any single failure (high or low) in a calculated temperature will not result in adverse control system behavior since the failed high or low temperature signal will be rejected by the MSS.

Hence, the implementation of a MSS in the reactor coolant systems in conjunction with the 2 out of 3 protection logic satisfies the requirements of IEEE 279-1971, Section 4.7, Control and Protection System Interaction.

In addition, channel deviation signals in the control system will give an alarm if any temperature channel deviates significantly from the median value. Automatic rod withdrawal blocks and turbine runback (power demand reduction) will also occur if any 2 of the 3 overtemperature or overpower ΔT channels indicate an adverse condition.
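The single-failure argument of this section, worked as an added Python example (not part of the FSAR and not plant software): a median selector feeds the control system while the same three channels vote 2 out of 3 for protection. The channel readings, trip setpoint and deviation limit are constructed values in arbitrary percent-of-span units, and the averaging result is an assumption-free contrast that the FSAR itself does not discuss.

```python
# Added illustration (not from the FSAR): Median Signal Selector (MSS) for the
# control input, 2-out-of-3 coincidence for protection, channel deviation alarm.
# All numeric values are constructed and are not plant setpoints.

TRIP_SETPOINT = 70.0      # constructed high-trip bistable setting
DEVIATION_LIMIT = 3.0     # constructed channel deviation alarm limit


def median_select(a, b, c):
    """Return the median of three channel signals (the MSS output)."""
    return sorted((a, b, c))[1]


def deviation_alarms(signals, limit):
    """Flag every channel that deviates from the median by more than `limit`."""
    mid = median_select(*signals)
    return [abs(s - mid) > limit for s in signals]


def coincidence(bistables, required):
    """True when at least `required` channel bistables are tripped."""
    return sum(1 for b in bistables if b) >= required


def evaluate(signals, trip_setpoint=TRIP_SETPOINT, limit=DEVIATION_LIMIT):
    """Model one scan of three redundant channels."""
    bistables = [s >= trip_setpoint for s in signals]
    return {
        "control_input": median_select(*signals),      # what the controller sees
        "average": sum(signals) / len(signals),        # contrast only
        "deviation_alarm": deviation_alarms(signals, limit),
        "trip": coincidence(bistables, required=2),    # protection decision
    }


# Constructed scenarios: three loop signals per scan.
SCENARIOS = {
    "healthy":           (60.0, 60.4, 59.8),
    "one_failed_high":   (60.0, 150.0, 59.8),   # single channel fails high
    "one_failed_low":    (0.0, 60.4, 59.8),     # single channel fails low
    "real_high_one_low": (0.0, 72.0, 71.5),     # genuine excursion, one channel dead
}


def run_all():
    """Evaluate every scenario and return the results keyed by name."""
    return {name: evaluate(sig) for name, sig in SCENARIOS.items()}


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name:18s} control={result['control_input']:6.1f} "
              f"avg={result['average']:6.1f} trip={result['trip']} "
              f"alarm={result['deviation_alarm']}")
```

In the failed-high and failed-low scans the control input stays on a healthy channel and no trip is produced by the one bad bistable, while the deviation alarm identifies the failed channel; in the last scan the two healthy channels still satisfy the 2 out of 3 coincidence.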

7.2.2.3.3 Pressurizer Pressure

The pressurizer pressure protection channel signals are used for high and low pressure protection and as inputs to the overtemperature ΔT trip protection function. Pressurizer pressure is sensed by fast response pressure transmitters. Control signals are not derived from protection channels.

A spurious high pressure signal from one control channel can cause decreasing pressure by actuation of either spray or relief valves. Protection is provided in the low pressurizer pressure reactor trip and in the logic for safety injection to ensure low pressure protection.

Overpressure protection is based upon the positive surge of the reactor coolant produced as a result of turbine trip under full load, assuming the core continues to produce full power. The self-actuated safety valves are sized on the basis of steam flow from the pressurizer to accommodate this surge at a setpoint of 2500 psia and an accumulation of 3%. Note that no credit is taken for the relief capability provided by the power operated relief valves during this surge.

In addition, operation of any 1 of the power operated relief valves can maintain pressure below the high pressure trip point for most transients. The rate of pressure rise achievable with heaters is slow, and ample time and pressure alarms are available to alert the operator of the need for appropriate action.

One (1) tap on the pressurizer is shared for 1 each protection level and pressure transmitter, 2 control pressure transmitters and 1 wide range level transmitter. Redundancy is not compromised by having a shared tap since the logic for this trip is 2 out of 3. If the shared tap is plugged, the affected channels will remain static. If the impulse line bursts, the indicated pressure will drop to 0. In either case the fault is easily detectable, and the protective function remains operable.

7.2.2.3.4 Pressurizer Water Level

Three (3) pressurizer water level channels are used for reactor trip. Isolated signals from these channels are used for pressurizer water level control. A failure in the level control system could fill or empty the pressurizer at a slow rate (on the order of 30 minutes or more).

The high water level trip setpoint provides sufficient margin such that the undesirable condition of discharging liquid coolant through the safety valves is avoided. Even at full power conditions, which would produce the worst thermal expansion rates, a failure of the water level control would not lead to any liquid discharge through the safety valves. This is due to the automatic high pressurizer pressure reactor trip actuating at a pressure sufficiently below the safety valve setpoint.

For control failures which tend to empty the pressurizer, 2 out of 3 logic for safety injection action on low pressure ensures that the protection system can withstand an independent failure in another channel. In addition, ample time and alarms exist to alert the operator of the need for appropriate action.

7.2.2.3.5 Steam Generator Water Level and Feedwater Flow

The basic function of the reactor protection circuits associated with low steam generator water level and low feedwater flow is to preserve the steam generator heat sink for removal of long term residual heat. Should a complete loss of feedwater occur, the reactor would be tripped on coincidence of steam/feedwater flow mismatch and low steam generator water level or on low-low steam generator water level. In addition, redundant emergency feedwater pumps are provided to supply feedwater in order to maintain residual heat removal after trip. These reactor trips act before the steam generators are dry to reduce the required capacity and increase the starting time requirements of these emergency feedwater pumps and to minimize the thermal transient on the reactor coolant system and steam generators. Therefore, the following reactor trip circuits are provided for each steam generator to ensure that sufficient initial thermal capacity is available in the steam generator at the start of the transient:

1. A mismatch in steam and feedwater flow coincident with low steam generator water level;
2. A low-low steam generator water level regardless of steam/feedwater flow mismatch.

It is desirable to minimize thermal transients on a steam generator for credible loss of feedwater accidents. Hence, it should be noted that controller malfunctions caused by a protection system failure affect only 1 steam generator; the steam generator level signal used in the feedwater control originates separately from that used in the low feedwater reactor trip.

A spurious high signal from the feedwater flow channel being used for control would cause a reduction in feedwater flow preventing that channel from ultimately tripping. However, the mismatch between steam demand and feedwater flow produced by this spurious signal will actuate alarms to alert the operator of this situation in time for manual correction. If the condition is allowed to continue and the mismatch is not sufficient to trip the reactor, reactor trip will occur on a low-low water level signal independent of indicated feedwater flow.

A spurious low signal from the feedwater flow channel being used for control would cause an increase in feedwater flow. The mismatch between steam flow and feedwater flow produced by the spurious signal would actuate alarms to alert the operator of the situation in time for manual correction. If the condition continues, a 2 out of 3 high-high steam generator water level signal in any loop, independent of the indicated feedwater flow, will cause feedwater isolation and trip the turbine. The turbine trip will result in a subsequent reactor trip if power is above the P-9 setpoint.

The high-high steam generator water level trip is an equipment protective trip preventing excessive moisture carryover which could damage the turbine blading.

In addition, the 3 element feedwater controller incorporates reset action on the level error signal, such that with expected controller settings a rapid increase or decrease in the flow signal would cause only a small change in level before the controller would compensate for the level error. A slow change in the feedwater signal would have no effect at all. A spurious low or high steam flow signal would have the same effect as high or low feedwater signal, discussed above.

A spurious high steam generator water level signal from the protection channel used for control will tend to close the feedwater valve. However, before a reactor trip would occur, 2 out of 3 channels for a steam generator would have to indicate a high water level. A spurious low steam generator water level signal will tend to open the feedwater valve. Again, before a reactor trip would occur, 2 out of 3 channels in a loop would have to indicate a low water level. Any slow drift in the water level signal will permit the operator to respond to the level alarms and take corrective action. Automatic protection is provided in case the spurious high level reduces feedwater flow sufficiently to cause low level in the steam generator. The reactor will trip either on a mismatch on steam and feedwater flow coincident with low water level or, ultimately, on low-low steam generator water level. Automatic protection is also provided in case the spurious low level signal increases feedwater flow sufficiently to cause high level in the steam generator. A turbine trip and feedwater isolation would occur on 2 out of 3 high-high steam generator water level in any loop.

7.2.2.4 Additional Postulated Accidents

Loss of plant instrument air or loss of component cooling water is discussed in Section 7.3.2.

Load rejection and turbine trip are discussed in further detail in Section 7.7.

The control interlocks, called rod stops, that are provided to prevent abnormal power conditions which could result from excessive control rod withdrawal are discussed in Section 7.7.1.4.1 and listed on Table 7.7-1. Excessively high power operation (which is prevented by blocking of automatic rod withdrawal), if allowed to continue, might lead to a safety limit (as given in the Technical Specifications) being reached. Before such a limit is reached, protection will be available from the reactor trip system. At the power levels of the rod block setpoints, safety limits have not been reached; and therefore these rod withdrawal stops do not come under the scope of safety-related systems, and are considered as control systems.

7.2.3 Tests and Inspections

The reactor trip system meets the testing requirements of IEEE Standard 338-1971 as discussed in Section 7.1.2.11. The testability of the system is discussed in Section 7.2.2.2.3. The initial test intervals are specified in the Technical Specifications. Written test procedures and documentation, conforming to the requirements of IEEE Standard 338-1971, will be available for audit by responsible personnel. Periodic testing complies with Regulatory Guide 1.22 as discussed in Sections 7.1.2.5 and 7.2.2.2.3.

7.2.4 References

1. Reid, J. B., Process Instrumentation for Westinghouse Nuclear Steam Supply Systems, WCAP-7913, January, 1973.
2. Lipchak, J. B., Nuclear Instrumentation System, WCAP-8255, January, 1974.
3. Katz, D. N., Solid State Logic Protection System Description, WCAP-7488-L (Proprietary), March, 1971 and WCAP-7672 (Non-Proprietary), May, 1971.
4. Gangloff, W. C. and Loftus, W. D., An Evaluation of Solid-State Logic Reactor Protection In Anticipated Transients, WCAP-7706-L (Proprietary) and WCAP-7706 (Non-Proprietary), February, 1973.

5. Siroky, R. M. and Marasco, F. W., 7300 Series Process Control System Noise Tests, WCAP-8892A, June, 1977.

Table 7.2-1 List of Reactor Trips

| Reactor Trip | Coincidence Logic | Interlocks | Comments |
|---|---|---|---|
| 1. High neutron flux (Power Range) | 2/4 | Manual block of low setting permitted by P-10 | High and low setting; manual block and automatic reset of low setting by P-10 |
| 2. Intermediate range neutron flux | 1/2 | Manual block permitted by P-10 | Manual block and automatic reset |
| 3. Source range neutron flux | 1/2 | Manual block permitted by P-6, interlocked with P-10 | Manual block and automatic reset. Automatic block above P-10 |
| 4. Power range high positive neutron flux rate | 2/4 | No interlocks | |
| 5. Overtemperature ΔT | 2/3 | No interlocks | |
| 6. Overpower ΔT | 2/3 | No interlocks | |
| 7. Pressurizer low pressure | 2/3 | Interlocked with P-7 | Blocked below P-7 |
| 8. Pressurizer high pressure | 2/3 | No interlocks | |
| 9. Pressurizer high water level | 2/3 | Interlocked with P-7 | Blocked below P-7 |
| 10. Low reactor coolant flow | a. 2/3 in 2/3 loops | Interlocked with P-7 | Low flow in one loop will cause a reactor trip when above P-8 and a low flow in two loops will cause a reactor trip when above P-7; blocked below P-7 |
| | b. 2/3 in any loop | Interlocked with P-8 | |
| 11. Reactor coolant pump undervoltage | 2/3 | Interlocked with P-7 | |
| 12. Reactor coolant pump underfrequency | 2/3 | Interlocked with P-7 | Underfrequency on 2 motors will trip all reactor coolant pump breakers and cause reactor trip; blocked below P-7 |
| 13. Low feedwater flow | 1/2 in any loop (1) | No interlocks | |
| 14. Low-Low Steam Generator Water Level | 2/3 in any loop | No interlocks | |
| 15. Safety injection signal | Coincident with actuation of safety injection | No interlocks | (See Section 7.3 for engineered safety features actuation conditions) |
| 16. Turbine trip (anticipatory) | | | |
| a. Trip fluid pressure | 2/3 | Interlocked with P-9 | Blocked below P-9 |
| b. Turbine stop valve close | 4/4 | Interlocked with P-9 | Blocked below P-9 |
| 17. Manual | 1/2 | No interlocks | |

(1) 1/2 steam/feedwater flow mismatch in coincidence with 1/2 low steam generator water level.

Table 7.2-2 Protection System Interlocks

I. POWER ESCALATION PERMISSIVES

| Designation | Derivation | Function |
|---|---|---|
| P-6 | Presence of P-6: 1/2 neutron flux (intermediate range) above setpoint | Allows manual block of source range reactor trip |
| | Absence of P-6: 2/2 neutron flux (intermediate range) below setpoint | Defeats the block of source range reactor trip |
| P-10 | Presence of P-10: 2/4 neutron flux (power range) above setpoint | Allows manual block of power range (low setpoint) reactor trip |
| | | Allows manual block of intermediate range reactor trip and intermediate range rod stops (C-1) |
| | | Blocks source range reactor trip (backup for P-6) |
| | Absence of P-10: 3/4 neutron flux (power range) below setpoint | Defeats the block of power range (low setpoint) reactor trip |
| | | Defeats the block of intermediate range reactor trip and intermediate range rod stops (C-1) |
| | | Input to P-7 |

II. BLOCKS OF REACTOR TRIPS

| Designation | Derivation | Function |
|---|---|---|
| P-7 | Absence of P-7: 3/4 neutron flux (power range) below setpoint (from P-10) and 2/2 turbine first stage pressure below setpoint (from P-13) | Blocks reactor trip on: Low reactor coolant flow in more than one loop, undervoltage, underfrequency, pressurizer low pressure, and pressurizer high level |
| P-8 | Absence of P-8: 3/4 neutron flux (power range) below setpoint | Blocks reactor trip on low reactor coolant flow in a single loop |
| P-9 | Absence of P-9: 3/4 neutron flux (power range) below setpoint | Blocks reactor trip on turbine trip |
| P-13 | 2/2 turbine first stage pressure below setpoint | Input to P-7 |
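How the operating-bypass rule of Section 7.2.2.2.3.12 plays out with the P-6 and P-10 permissives of Table 7.2-2, as an added Python model (not part of the FSAR and not plant software). The setpoints, channel readings, class names and timeline are all constructed for illustration; the FSAR gives no setpoint values here.

```python
# Added illustration, not plant code: manual blocks gated by permissives and
# removed automatically when the permissive is lost (Section 7.2.2.2.3.12,
# Table 7.2-2). All setpoints and readings are constructed placeholders.
from itertools import product

SP = {"P-6": 1e-10, "P-10": 10.0, "SR_TRIP": 1e5, "PR_LOW_TRIP": 25.0}


def at_least(flags, required):
    """Coincidence vote: True when `required` or more channels are set."""
    return sum(1 for f in flags if f) >= required


def permissives(ir, pr):
    """P-6 present on 1/2 IR above setpoint, P-10 present on 2/4 PR above."""
    return {
        "P-6": at_least([x > SP["P-6"] for x in ir], 1),
        "P-10": at_least([x > SP["P-10"] for x in pr], 2),
    }


def presence_and_absence_are_complements():
    """Exhaustive check that '2/4 above' and '3/4 below' are exact opposites.

    Assumes a channel that is not above its setpoint counts as below
    (bistable hysteresis is ignored)."""
    for above in product([False, True], repeat=4):
        present = at_least(above, 2)
        absent = at_least([not a for a in above], 3)
        if present == absent:
            return False
    return True


class ManualBlock:
    """Operator-latched bypass that can exist only while its permissive does."""

    def __init__(self, permissive):
        self.permissive = permissive
        self.latched = False

    def update(self, perms):
        """Run every scan: loss of the permissive defeats the block."""
        if not perms[self.permissive]:
            self.latched = False

    def request(self, perms):
        """Operator action: accepted only while the permissive is present."""
        if perms[self.permissive]:
            self.latched = True
        return self.latched


class ProtectionModel:
    """Source range trip (1/2) and power range low-setpoint trip (2/4)."""

    def __init__(self):
        self.blocks = {"SR": ManualBlock("P-6"), "PR_LOW": ManualBlock("P-10")}

    def scan(self, sr, ir, pr, requests=()):
        perms = permissives(ir, pr)
        for block in self.blocks.values():
            block.update(perms)                      # automatic removal first
        refused = [n for n in requests if not self.blocks[n].request(perms)]
        sr_blocked = self.blocks["SR"].latched or perms["P-10"]  # P-10 backs up P-6
        pr_low_blocked = self.blocks["PR_LOW"].latched
        return {
            "perms": perms, "refused": refused,
            "sr_block": self.blocks["SR"].latched, "pr_low_block": pr_low_blocked,
            "sr_trip": at_least([x > SP["SR_TRIP"] for x in sr], 1) and not sr_blocked,
            "pr_low_trip": at_least([x > SP["PR_LOW_TRIP"] for x in pr], 2)
                           and not pr_low_blocked,
        }


# Constructed timeline: (label, source range, intermediate range, power range, requests)
TIMELINE = [
    ("block requested before P-6", (1e3, 1.2e3), (1e-11, 1e-11), (0, 0, 0, 0), ("SR",)),
    ("P-6 present, SR block taken", (5e4, 5e4), (2e-10, 1.5e-10), (1, 1, 1, 1), ("SR",)),
    ("SR above trip, blocked", (2e5, 2e5), (2e-10, 1.5e-10), (3, 3, 3, 3), ()),
    ("P-10 present, PR low block", (2e5, 2e5), (1e-6, 1e-6), (12, 12, 12, 11.5), ("PR_LOW",)),
    ("above low setpoint, blocked", (2e5, 2e5), (1e-5, 1e-5), (30, 30, 30, 30), ()),
    ("3/4 PR below P-10", (2e5, 2e5), (1e-6, 1e-6), (8, 8, 8, 12), ()),
    ("2/2 IR below P-6", (2e5, 1e3), (5e-11, 5e-11), (0, 0, 0, 0), ()),
]


def run_timeline():
    """Replay the constructed timeline on a fresh model."""
    model = ProtectionModel()
    return [model.scan(sr, ir, pr, req) for _, sr, ir, pr, req in TIMELINE]


if __name__ == "__main__":
    for (label, *_), out in zip(TIMELINE, run_timeline()):
        print(f"{label:30s} {out}")
```

The first step shows a block request refused because P-6 is absent; the last two show both blocks dropping out with no operator action, after which the source range trip is armed again and actuates on 1 out of 2.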

Table 7.2-3 Reactor Trip System Instrumentation

| Reactor Trip Signal | Range | Trip Accuracy | Time Response (sec) |
|---|---|---|---|
| 1. Power range high neutron flux | 1 to 120% full power | +/- 1% of full power | 0.5 |
| 2. Intermediate range high neutron flux | 10.2 decades of neutron flux overlapping source range by 5 decades and including 100% power | +/- 2.3% of full scale | 0.5 |
| 3. Source range high neutron flux | 6 decades of neutron flux (1 to 10^6 counts/sec) | +/- 3.5% of full scale (1) | 0.5 |
| 4. Power range high positive neutron flux rate | +/- 15% of full | +/- 5% (1) | 0.5 |
| 5. Overtemperature ΔT | TH 530 to 650 °F; TC 510 to 630 °F; TAV 530 to 630 °F; PPRZR 1700 to 2500 psig; F(ø) -50.0 to +50%; ΔT Setpoint 0 to 100 °F | +/- 2% ΔT span | 8.5 |
| 6. Overpower ΔT | TH 530 to 650 °F; TC 510 to 630 °F; TAV 530 to 630 °F; ΔT Setpoint 0 to 100 °F; (ø) -50.0 to +50% ΔT | +/- 2% ΔT span | 8.5 |
| 7. Pressurizer low pressure | 1700 to 2500 psig | +/- 18 psi | 1.0 |
| 8. Pressurizer high pressure | 1700 to 2500 psig | +/- 14 psi | 1.0 |
| 9. Pressurizer high water level | Entire distance between taps | +/- 2.25% of full range Δp between taps at design temperature and pressure | 2.0 |
| 10. Low reactor coolant flow | 0 to 120% of rated flow | +/- 2.5% of full flow within range of 70% to 100% of full flow (1) | 1.0 |
| 11. Reactor coolant pump undervoltage | 0 to 100% rated voltage | +/- 0.23% of rated voltage | 1.5 |
| 12. Reactor coolant pump underfrequency | 54.00 to 60.98 Hz (nominal) | +/- 0.005 Hz | 0.6 |
| 13. Low feedwater flow (2) | 0 to 120% maximum calculated feedwater flow | +/- 6.5% (3) | 1.5 |
| 14. Low-low steam generator water level | Total distance between narrow range steam generator level taps | +/- 2.25% of Δp signal over the pressure range of 700 to 1200 psig | 1.5 |
| 15. Turbine trip from low hydraulic fluid pressure | Differential pressure range 400 to 1200 psig | +/- 1.5% of differential pressure range | 0.6 |

(1) Reproducibility (see definitions in Section 7.1)

(2) 1/2 steam/feedwater flow mismatch in coincidence with 1/2 low steam generator water level.

(3) Channel accuracy of feedwater flow analog signal is +/- 2.5% of maximum calculated feedwater flow. Accuracy of steam flow signal is +/- 3% of maximum calculated flow over the pressure range of 700 to 1200 psig.

Table 7.2-4 Reactor Trip Correlation

| TRIP (1) | ACCIDENT (2) | TECH SPEC (3) |
|---|---|---|
| 1. Power Range High Neutron Flux Trip (Low Setpoint) | 1. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal From a Subcritical Condition (15.2.1) | 2.2.1 Table 2.2-1 #2 |
| | 2. Excessive Heat Removal Due to Feedwater System Malfunctions (15.2.10) | |
| | 3. Rupture of a Control Rod Drive Mechanism Housing (Rod Cluster Control Assembly Ejection) (15.4.6) | |
| | 4. Uncontrolled Boron Dilution (15.2.4) | |
| 2. Power Range High Neutron Flux Trip (High Setpoint) | 1. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal From a Subcritical Condition (15.2.1) | 2.2.1 Table 2.2-1 #2 |
| | 2. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal at Power (15.2.2) | |
| | 3. Startup of an Inactive Reactor Coolant Loop (15.2.6) | |
| | 4. Excessive Heat Removal Due to Feedwater System Malfunctions (15.2.10) | |
| | 5. Excessive Load Increase Incident (15.2.11) | |
| | 6. Accidental Depressurization of the Main Steam System (15.2.13) | |
| | 7. Rupture of a Control Rod Drive Mechanism Housing (Rod Cluster Control Assembly Ejection) (15.4.6) | |
| | 8. Uncontrolled Boron Dilution (15.2.4) | |
| 3. Intermediate Range High Neutron Flux Trip | 1. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal From a Subcritical Condition (15.2.1) | See Note 4; 2.2.1 Table 2.2-1 #5 |
| 4. Source Range High Neutron Flux Trip | 1. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal From a Subcritical Condition (15.2.1) | See Note 4; 2.2.1 Table 2.2-1 #6 |
| 5. Power Range High Positive Neutron Flux Rate Trip | 1. Rupture of a Control Rod Drive Mechanism Housing (Rod Cluster Control Assembly Ejection) (15.4.6) | 2.2.1 Table 2.2-1 #3 |
| 6. Overtemperature ΔT Trip | 1. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal at Power (15.2.2) | See Note 1; 2.2.1 Table 2.2-1 #7 |
| | 2. Uncontrolled Boron Dilution (15.2.4) | |
| | 3. Loss of External Electrical Load and/or Turbine Trip (15.2.7) | |
| | 4. Excessive Heat Removal Due to Feedwater System Malfunctions (15.2.10) | |
| | 5. Excessive Load Increase Incident (15.2.11) | |
| | 6. Accidental Depressurization of the Reactor Coolant System (15.2.12) | |
| | 7. Accidental Depressurization of the Main Steam System (15.2.13) | |
| 7. Overpower ΔT Trip | 1. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal at Power (15.2.2) | See Note 2; 2.2.1 Table 2.2-1 #8 |
| | 2. Excessive Heat Removal Due to Feedwater System Malfunctions (15.2.10) | |
| | 3. Excessive Load Increase Incident (15.2.11) | |
| | 4. Accidental Depressurization of the Main Steam System (15.2.13) | |
| | 5. Major Secondary System Pipe Ruptures (15.4.2) | |
| 8. Pressurizer Low Pressure Trip | 1. Accidental Depressurization of the Reactor Coolant System (15.2.12) | 2.2.1 Table 2.2-1 #9 |
| | 2. Loss of Reactor Coolant From Small Ruptured Pipes or From Cracks in Large Pipes Which Actuates ECCS (15.3.1) | |
| | 3. Major Reactor Coolant System Pipe Ruptures (LOCA) (15.4.1) | |
| | 4. Steam Generator Tube Rupture (15.4.3) | |
| | 5. Inadvertent Operation of the ECCS (15.2.14) | |
| 9. Pressurizer High Pressure Trip | 1. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal at Power (15.2.2) | 2.2.1 Table 2.2-1 #10 |
| | 2. Loss of External Electrical Load and/or Turbine Trip (15.2.7) | |
| 10. Pressurizer High Water Level Trip | 1. Uncontrolled Rod Cluster Control Assembly Bank at Power (15.2.2) | 2.2.1 Table 2.2-1 #11 |
| | 2. Loss of External Electrical Load and/or Turbine Trip (15.2.7) | |
| 11. Low Reactor Coolant Flow | 1. Partial Loss of Forced Reactor Coolant Flow (15.2.5) | 2.2.1 Table 2.2-1 #12 |
| | 2. Loss of Offsite Power to the Station Auxiliaries (15.2.9) | |
| | 3. Complete Loss of Forced Reactor Coolant Flow (15.3.4) | |
| 12. Reactor Coolant Pump Undervoltage Trip | 1. Complete Loss of Forced Reactor Coolant Flow (15.3.4) | 2.2.1 Table 2.2-1 #15 |
| 13. Reactor Coolant Pump Underfrequency Trip | 1. Complete Loss of Forced Reactor Coolant Flow (15.3.4) | 2.2.1 Table 2.2-1 #16 |
| 14. Low Feedwater Flow Trip | 1. Loss of Normal Feedwater (15.2.8) | See Note 4; 2.2.1 Table 2.2-1 #14 |
| | 8. Uncontrolled Boron Dilution (15.2.4) | |
| 15. Low-low Steam Generator Water Level Trip | 1. Loss of Normal Feedwater (15.2.8) | 2.2.1 Table 2.2-1 #13 |
| | 2. Feedwater Line Break (15.4.2.2) | |
| 16. Reactor Trip on Turbine Trip | 1. Loss of External Electrical Load and/or Turbine Trip (15.2.7) | See Note 4; 2.2.1 Table 2.2-1 #17 |
| | 2. Loss of Offsite Power to the Station Auxiliaries (15.2.9) | |
| | 3. Excessive Heat Removal Due to Feedwater System Malfunction (15.2.10) | |
| 17. Safety injection Signal Actuation Trip | 1. Accidental Depressurization of the Main Steam System (15.2.13) | See Note 5; 2.2.1 Table 2.2-1 #18 |
| 18. Manual Trip | Available for all Accidents (Chapter 15) | See Note 4 |

(1) Trips are listed in order of discussion in Section 7.2

(2) References refer to accident analyses presented in Chapter 15.

(3) References refer to Virgil C. Summer Technical Specifications.

(4) A Technical Specification is not required because this trip is not assumed to function in the accident analyses.

(5) Accident assumes that the reactor is tripped at end of life (EOL) which is the worst initial condition for this case.

Figure 7.2-1 FUNCTIONAL DIAGRAMS INDEX AND SYMBOLS (SHEET 1 OF 15) (DWG. NO. 108D837 SH. 1)

Figure 7.2-1 FUNCTIONAL DIAGRAMS REACTOR TRIP SIGNALS (SHEET 2 OF 15) (DWG. NO. 108D837 SH. 2)

Figure 7.2-1 FUNCTIONAL DIAGRAMS NUCLEAR INSTR. AND MANUAL TRIP SIGNALS (SHEET 3 OF 15) (DWG. NO. 108D837 SH. 3)

Figure 7.2-1 FUNCTIONAL DIAGRAMS NUCLEAR INSTR. PERMISSIVE BLOCKS (SHEET 4 OF 15) (DWG. NO. 108D837 SH. 4)

FSAR FIGURE REFERENCE FIGURE 7.2-1, Sheet 5 DRAWING 1MS-41-001

Figure 7.2-1 FUNCTIONAL DIAGRAMS PRESSURIZER TRIP SIGNALS (SHEET 6 OF 15) (DWG. NO. 108D837 SH. 6)

Figure 7.2-1 FUNCTIONAL DIAGRAMS STEAM GENERATOR TRIP SIGNALS (SHEET 7 OF 15) (DWG. NO. 108D837 SH. 7)

FSAR FIGURE REFERENCE FIGURE 7.2-1, Sheet 8 DRAWING 1MS-41-011

Figure 7.2-1 FUNCTIONAL DIAGRAMS ROD CONTROLS AND ROD BLOCKS (SHEET 9 OF 15) (DWG. NO. 108D837 SH. 9)

Figure 7.2-1 FUNCTIONAL DIAGRAMS STEAM DUMP CONTROL (SHEET 10 OF 15) (DWG. NO. 108D837 SH. 10)

Figure 7.2-1 FUNCTIONAL DIAGRAMS PRESSURIZER PRESSURE AND LEVEL CONTROL (SHEET 11 OF 15) (DWG. NO. 108D837 SH. 11)

Figure 7.2-1 FUNCTIONAL DIAGRAMS PRESSURIZER HEATER CONTROL (SHEET 12 OF 15) (DWG. NO. 108D837 SH. 12)

Figure 7.2-1 FUNCTIONAL DIAGRAMS FEEDWATER CONTROL AND ISOLATION (SHEET 13 OF 15) (DWG. NO. 108D837 SH. 13)

FSAR FIGURE REFERENCE FIGURE 7.2-1, Sheet 14 DRAWING 1MS-41-011

FSAR FIGURE REFERENCE FIGURE 7.2-1, Sheet 15 DRAWING 1MS-41-011

Figure 7.2-2 SETPOINT REDUCTION FUNCTION FOR OVERTEMPERATURE ΔT TRIP

Figure 7.2-3 REACTOR TRIP/ESF ACTUATION MECHANICAL LINKAGE

7.3 ENGINEERED SAFETY FEATURES ACTUATION SYSTEM

In addition to the requirements for a reactor trip for anticipated abnormal transients, the facility is provided with adequate instrumentation and controls to sense accident situations and initiate the operation of necessary engineered safety features. The occurrence of a limiting fault, such as a loss of coolant accident or a steam line break, requires a reactor trip plus actuation of one or more of the engineered safety features in order to prevent or mitigate damage to the core and Reactor Coolant System components, and ensure containment integrity.

In order to accomplish these design objectives the Engineered Safety Features System has proper and timely initiating signals which are to be supplied by the sensors, transmitters and logic components making up the various instrumentation channels of the Engineered Safety Features Actuation System.

7.3.1 Description

The Engineered Safety Features Actuation System uses selected plant parameters, determines whether or not predetermined safety limits are being exceeded and, if they are, combines the signals into logic matrices sensitive to combinations indicative of primary or secondary system boundary ruptures (Condition III or IV faults). Once the required logic combination is completed, the system sends actuation signals to the appropriate engineered safety features components. The Engineered Safety Features Actuation System meets the requirements of Criteria 13, 20, 27, 28, and 38 of the 1971 General Design Criteria (GDC).

7.3.1.1 System Description

The Engineered Safety Features Actuation System is a functionally defined system described in this section. The equipment which provides the actuation functions identified in Section 7.3.1.1.1 is listed below and discussed in this section and the references.

1. Process Instrumentation and Control System (Reference 1).
2. Solid-State Logic Protection System (Reference 2).
3. Engineered safety features test cabinet (Reference 3).
4. Engineered safety features loading sequence control panels.
5. Manual actuation circuits.

The Engineered Safety Features Actuation System consists of 2 discrete portions of circuitry: 1) an analog portion consisting of 3 to 4 redundant channels per parameter or variable to monitor various plant parameters such as the Reactor Coolant System and steam system pressures, temperatures and flows and Reactor Building pressures; and 2) a digital portion consisting of 2 redundant logic trains which receive inputs from the analog protection channels and perform the logic needed to actuate the engineered safety features. Each digital train is capable of actuating the engineered safety features equipment required. The intent is that any single failure within the Engineered Safety Features Actuation System shall not prevent system action when required.

The redundant concept is applied to both the analog and logic portions of the system. Separation of redundant analog channels begins at the process sensors and is maintained in the field wiring, containment penetrations and analog protection racks terminating at the redundant safeguards logic racks. The design meets the requirements of Criteria 20, 21, 22, 23, and 24 of the 1971 GDC.

The variables are sensed by the analog circuitry as discussed in Reference 1 and in Section 7.2.

The outputs from the analog channels are combined into actuation logic as shown on Figure 7.2-1, Sheets 5, 6, 7, and 8. Tables 7.3-1 and 7.3-2 give additional information pertaining to logic and function.

The interlocks associated with the Engineered Safety Features Actuation System are outlined in Table 7.3-3. These interlocks satisfy the functional requirements discussed in Section 7.1.2.

Manual actuation from the control board of both trains of containment isolation Phase A is provided by operation of either one of the redundant momentary containment isolation Phase A controls. Also on the control board is manual actuation of safety injection by one of the redundant controls and a manual activation of containment isolation Phase B by either of 2 sets of controls. Each set consists of 2 switches which also actuate reactor building spray.

Manual controls are also provided to supplement the semi-automatic switchover from the injection to the recirculation phase after a loss of coolant accident.

7.3.1.1.1 Function Initiation

The specific functions which rely on the Engineered Safety Features Actuation System for initiation are:

1. A reactor trip, provided one has not already been generated by the Reactor Trip System.
2. Cold leg injection isolation valves which are opened for injection of borated water by charging pumps into the cold legs of the Reactor Coolant System.
3. Charging pumps and associated valving which provide emergency makeup water to the cold legs of the Reactor Coolant System following a loss of coolant accident.
4. Phase A containment isolation, whose function is to prevent fission product release. (Isolation of all lines not essential to reactor protection.)
5. Steam line isolation to prevent the continuous, uncontrolled blowdown of more than one steam generator and thereby uncontrolled Reactor Coolant System cooldown.
6. Main feedwater line isolation to prevent or mitigate the effect of excessive cooldown.
7. Start the emergency diesels to assure backup supply of power to emergency and supporting systems components.
8. Isolate the control room intake ducts to meet control room occupancy requirements following a loss of coolant accident.

9. Reactor building spray actuation which performs the following functions:
a. Initiates reactor building spray to reduce reactor building pressure and temperature following a loss of coolant or steam line break accident inside the Reactor Building. Iodine removal benefits are also obtained from reactor building spray following a loss of coolant accident.
b. Initiates Phase B containment isolation which isolates the Reactor Building following a loss of reactor coolant accident, or a steam or feedwater line break within the Reactor Building to limit radioactive releases. (Phase B isolation together with Phase A isolation results in isolation of all but engineered safety features lines penetrating the Reactor Building.)
10. Initiates the engineered safety features loading sequence (ESFLS) which provides timing in order to load the buses at predetermined intervals, avoiding overload conditions on the associated bus. In addition, the engineered safety features loading sequence provides for tripping and blocking of loads. The engineered safety features loading sequence initiates the following functions:
a. Those pumps which serve as part of the heat sink for Reactor Building cooling (i.e., service water) and associated supporting systems, such as component cooling water pumps and chilled water pumps.
b. Motor driven emergency feedwater pumps.
c. Residual heat removal pumps.
d. Reactor building cooling units (recirculation fans and filtration system) which cool the Reactor Building and limit the potential for release of fission products from the Reactor Building by reducing pressure following an accident.
e. Trip and lockout of non-engineered safety features loads.

7.3.1.1.2 Analog Circuitry

The process analog sensors and racks for the Engineered Safety Features Actuation System are covered in Reference 1. Discussed in this report are the parameters to be measured including pressures, flows, tank and vessel water levels, and temperatures as well as the measurement and signal transmission considerations. These latter considerations include the transmitters, orifices and flow elements, resistance temperature detectors, as well as automatic calculations, signal conditioning and location and mounting of the devices.

The sensors monitoring the primary system are located as shown on the piping flow diagrams in Chapter 5. The secondary system sensor locations are shown on the steam system flow diagrams given in Chapter 10.

Reactor Building pressure is sensed by 4 physically separated differential pressure transmitters mounted and supported outside of the Reactor Building. These transmitters, meeting Class 1E seismic criteria regarding mounting, are connected to the Reactor Building atmosphere by a filled transmission system. The distance from penetration to transmitter is kept to a minimum, and separation is maintained. This arrangement, together with the pressure sensors external to the Reactor Building, meets the double barrier requirements of General Design Criteria-56 and Regulatory Guide 1.11.

Pumps and valves which are an integral part of, or associated with, the engineered safeguards (used for injection, reactor building spray and recirculation) will have an operation/position status light.

Engineered safety features remote operated valves have position indication on the control board in 2 places to show proper positioning of the valves. Red and green indicator lights are located next to the manual control station showing open and closed positions. The engineered safety features (safety injection) positions of these valves are displayed by an energized bright light on the monitor light panels, which consist of an array of white lights which are dim when the valves are in their normal or required positions for power operations. The monitor lights for automatically actuated valves are energized when the valve is in the automatically actuated position. These monitor lights thus enable the operator to quickly assess the status of the Engineered Safety Features Systems. These indications are derived from contacts integral to the valve operators. The circuits for the engineered safety features monitor lights and red/green lights are classified as associated circuits and have electrical and physical separation. In the cases of the accumulator isolation valves, redundancy of position indication is provided by valve stem mounted limit switches which actuate annunciators on the control board when the valves are not correctly positioned for engineered safety features actuation. The stem mounted switches for the accumulator isolation valves are independent of the limit switches in the motor operators.

7.3.1.1.3 Digital Circuitry

The engineered safety features logic racks are discussed in detail in Reference 2. The description includes the considerations and provisions for physical and electrical separation as well as details of the circuitry. Reference 2 also covers certain aspects of online test provisions, provisions for test points, considerations for the instrument power source, and considerations for accomplishing physical separation. The outputs from the analog channels are combined into actuation logic as shown on Sheets 5, 6, 7, 8, and 14 of Figure 7.2-1.

To facilitate engineered safety features actuation testing, 2 test cabinets (1 per train) are provided which enable operation, to the maximum practical extent, of safety features loads on a group by group basis until actuation of all devices has been checked (see Reference 3). Final actuation testing is discussed in detail in Section 7.3.2.

Separation and redundancy requirements are satisfied for the engineered safety features loading sequence by the provision of 2 independent engineered safety features load sequencer control panels. These physically separate control panels, located in the relay room, each consist of a logic output relay cabinet.

7.3.1.1.4 Final Actuation Circuitry

The outputs of the Solid-State Logic Protection System (the slave relays) are energized to actuate. These devices are listed as follows:

1. Safety Injection System pump and valve actuators. See Chapter 6 for flow diagrams and additional information.
2. Containment isolation (Phase A - T signal isolates all nonessential process lines on receipt of safety injection signal; Phase B - P signal isolates remaining process lines (which do not include engineered safety features lines) on receipt of 2/4 Hi-3 containment pressure signal). For further information, see Section 6.2.4.
3. Diesel start (see Chapter 8).
4. Feedwater isolation (see Chapter 10).
5. Ventilation isolation valve and damper actuators (see Chapter 6).
6. Steam line isolation valve actuators (see Chapter 10).
7. Reactor Building spray pump and valve actuators (see Chapter 6).
8. Engineered safety features loading sequence (see Section 7.3.1.1.5).

If an accident is assumed to occur coincident with a loss of offsite power, the engineered safety features loads must be sequenced onto the diesel generators to prevent overloading them. This sequence is discussed in Chapter 8. The design meets the requirements of Criterion 35 of the 1971 General Design Criteria.

7.3.1.1.5 Engineered Safety Features Loading Sequence Control Panels

The ESFLS automatically loads engineered safety features components to the ESF buses under the following conditions:

a. Loss of offsite power or degradation of voltage.
b. Safety injection.
c. Safety injection coincident with loss of offsite power or degradation of voltage.

The loss of offsite power or degradation of voltage considered here is related to the engineered safety features buses (7.2 kV buses 1DA and/or 1DB). Loss of voltage is detected on either bus by 3/3 loss of voltage relays. Degraded voltage is detected on either bus by 3/3 degraded voltage relays. The safety injection signal is generated by the Solid-State Protection System. To assure component operation under the various initiating conditions, 2 initiating sequences are provided. These sequences are a blackout sequence, which loads the components needed to shut down the plant in the event of a loss of power or degraded voltage, and a safety injection sequence, which loads the components needed to mitigate the consequences of design bases accidents occurring coincident with a loss of offsite power or degradation of voltage.

The initiation of engineered safety features loads following safety injection with engineered safety features bus power available utilizes the same safety injection sequence identified above.

Use of the loading sequencer during conditions when ESF bus power is available provides the following benefits:

1. Enhanced reliability due to a simplified logic for component actuation.
2. Improved online testing capability.

As discussed in Section 8.3, each 7.2 kV engineered safety features bus is fed from both the normal (offsite) and emergency (onsite) supplies and each engineered safety features bus is provided with loss of voltage and degraded voltage relays. This arrangement enables operation of the engineered safety features logic sequence independent of the source (offsite or onsite) of power.

When initiated, the sequencer provides timing to load the buses at 5 second intervals. Order of loading is determined by system requirements, design capabilities of the diesel and the type of incident or accident, as evaluated by the engineered safety features logic sequence logic circuitry (see Figure 7.3-1 and Section 8.3). In addition, the sequencer provides for tripping and blocking of loads. The engineered safety features logic sequence is located in the relay room and indication is provided on the main control board. It provides the operator with information on the progress of the loading sequence and consists of internal logic circuits and output relays (the relays are located in a cabinet in the relay room). The output of these relays actuates the required safety-related equipment.

Each engineered safety features loading sequence consists of the following components:

1. Logic circuits, located in the logic section of the control cabinet.
2. Indication, located on the monitor section of the control cabinet and on section XCP-6117 of the main control board. The indication on the main control board provides the operator with information necessary for evaluation of progress of the loading sequence.
3. Output relays, located in the relay cabinet, to provide multiple contacts for the various functions.

7.3.1.1.6 Support Systems

The following systems are required for support of the engineered safety features:

1. Service Water - Heat Removal (see Chapter 9).
2. Component Cooling Water Systems - Heat Removal (see Chapter 9).
3. Chilled Water System - Heat Removal (see Chapter 9).
4. Class 1E Electrical Power Distribution Systems (see Chapter 8).
5. Other Heating, Ventilating and Air Conditioning Systems (see Section 9.4.5).

7.3.1.2 Design Bases Information

The functional diagrams presented in Figure 7.2-1, Sheets 5, 6, 7, and 8 provide a graphic outline of the functional logic associated with requirements for the Engineered Safety Features Actuation System. Requirements for the Engineered Safety Features System are given in Chapter 6. Given below is the design bases information required in IEEE Standard 279-1971, Reference 4.

7.3.1.2.1 Generating Station Conditions

The following is a summary of those generating station conditions requiring protective action:

1. Primary System
a. Rupture in small pipes or cracks in large pipes.
b. Rupture of a reactor coolant pipe (loss of coolant accident).
c. Steam generator tube rupture.
2. Secondary System
a. Minor secondary system pipe breaks resulting in steam release rates equivalent to a single dump, relief, or safety valve.
b. Rupture of a major steam pipe.

7.3.1.2.2 Generating Station Variables

The following list summarizes the generating station variables required to be monitored for the automatic initiation of safety injection during each accident identified in the preceding section.

Post accident monitoring requirements are described in the VCSNS Environmental Qualification/Reg. Guide 1.97 Design Basis Document.

1. Primary System Accidents
a. Pressurizer pressure.
b. Reactor Building pressure (not required for steam generator tube rupture).
2. Secondary System Accidents
a. Pressurizer pressure.
b. Steam line pressures.
c. Reactor Building pressure (steam or feedwater line break inside reactor building).
d. Steam line differential pressure.

7.3.1.2.3 Spatially Dependent Variables

The only variable sensed by the Engineered Safety Features Actuation System which has spatial dependence is reactor coolant temperature. The effect on the measurement is negated by taking multiple samples from the reactor coolant hot leg and averaging these samples by mixing in the resistance temperature detector bypass loop.

7.3.1.2.4 Limits, Margins, and Levels

Prudent operational limits, available margins, and setpoints before onset of unsafe conditions requiring protective action are discussed in Chapter 15 and the Technical Specifications.

7.3.1.2.5 Abnormal Events

The malfunctions, accidents, or other unusual events which could physically damage protection system components or could cause environmental changes are as follows:

1. Loss of coolant accident (see Sections 15.3 and 15.4).
2. Steam line breaks (see Sections 15.3 and 15.4).
3. Earthquakes (see Chapters 2 and 3).
4. Fire (see Section 9.5.1).
5. Explosion (Hydrogen buildup inside the Reactor Building) (see Section 15.4).
6. Missiles (see Section 3.5).
7. Flood (see Chapters 2 and 3).

7.3.1.2.6 Minimum Performance Requirements

Minimum performance requirements are as follows:

1. System Response Times

The Engineered Safety Features Actuation System response time is defined as the interval required for the engineered safety features sequence to be initiated subsequent to the point in time that the appropriate variable(s) exceed setpoints. The response time includes sensor/process (analog) and logic (digital) delay plus the time delay associated with tripping open the reactor trip breakers and control and latching mechanisms. The values listed herein are maximum allowable times consistent with the safety analyses and are systematically verified during plant preoperational startup tests. These maximum delay times thus include all compensation and therefore require that any such network be aligned and operating during verification testing.

The Engineered Safety Features Actuation System is always capable of having response time tests performed using the same methods as those tests performed during the preoperational test program or following significant component changes.

System response times for loss of coolant protection are:

a. Pressurizer pressure - 1.0 second
b. Reactor building pressure - 1.5 seconds

Maximum allowable time delays in generating the actuation signal for steam break protection are given in Table 7.3-4.

2. System Accuracies

Accuracies required for generating the required actuation signals for loss of coolant protection are given in Table 7.3-5.

3. Ranges of sensed variables to be accommodated until conclusion of protective action is assured are given in Table 7.3-5.

7.3.1.3 Final System Drawings

The schematic diagrams for the systems discussed in this section are discussed in Section 1.7.

7.3.2 Analysis

7.3.2.1 Failure Mode and Effects Analyses

Failure mode and effects analyses have been performed on Engineered Safety Features Systems (ESFS) equipment within the scope of Westinghouse. The results verify that these systems meet protection single failure criteria as required by IEEE Standard 279-1971 and the Virgil C. Summer Nuclear Station (Engineered Safety Features Systems) equipment is designed to equivalent safety design criteria. The actuation of the Virgil C. Summer Nuclear Station Engineered Safety Features Systems is functionally the same as the systems studied in these analyses.

The failure mode and effects analysis (FMEA) which was performed on engineered safety features equipment within the scope of Westinghouse was for a typical Westinghouse Engineered Safety Features Actuation System (ESFAS) (see Reference [5]). The analysis has generic application to all Westinghouse Engineered Safety Features Actuation Systems of the Virgil C. Summer Nuclear Station vintage. The conclusion is that the analysis (1) qualitatively demonstrates the reliability of the Engineered Safety Features Actuation System to perform its intended function and (2) shows that the Engineered Safety Features Actuation System does comply with the single failure criterion, because no single failure was found which could prevent the Engineered Safety Features Actuation System from generating the proper actuation signal on demand for an engineered safety feature. Random single failures are either in a safe direction or a redundant channel or train ensures the necessary actuation capability.

The basis of a failure mode and effects analysis is principally that single failures are detectable, identifiable, and random. They are not systematic (common mode). The systematic failure considerations applied to equipment hardware, as well as actuation functions, are addressed elsewhere in the final safety analysis report, such as:

1. Seismic qualification of Seismic Category 1 instrumentation and electrical equipment (Section 3.10). This conforms to Section 4.7.4.2 of IEEE 279-1971.
2. Environmental design of mechanical and electrical equipment (Section 3.11). This conforms to Section 4.7.4.2 of IEEE 279-1971.
3. The Nuclear Instrumentation System, the Solid State Protection System, and the 7300 Series Process Control System noise tests (See Section 7.2.2.2.3.7 and Reference 5 in Section 7.2.4).
4. Manual initiation of protective actions (See Section 7.3.2.2.7).

7.3.2.2 Compliance With Standards and Design Criteria

Discussion of the General Design Criteria (GDC) is provided in various sections of Chapter 7 where a particular General Design Criterion is applicable. Applicable General Design Criteria include Criteria 13, 20, 21, 22, 23, 24, 25, 27, 28, 35, 37, 38, 40, 43, and 46 of the 1971 General Design Criteria. Compliance with certain IEEE Standards is presented in Sections 7.1.2.7, 7.1.2.9, 7.1.2.10, and 7.1.2.11. The discussion given below shows that the Engineered Safety Features Actuation System complies with IEEE Standard 279-1971, Reference 4. For the list of references to the discussions of conformance to applicable criteria, see Table 7.1-1.

Table 7.3-6 outlines the degree of conformance of the engineered safety features loading sequence control panels to Regulatory Guide 1.53 and IEEE Standard 379-1972, Reference 5.

7.3.2.2.1 Single Failure Criteria

The discussion presented in Section 7.2.2.2.3 is applicable to the Engineered Safety Features Actuation System, with the following exception.

In the engineered safety features, a loss of instrument power will call for actuation of engineered safety features equipment controlled by the specific bistable that lost power (Reactor Building spray excepted). The actuated equipment must have power to comply. The power supply for the protection systems is discussed in Section 7.6 and in Chapter 8. For Reactor Building spray, the final bistables are energized to trip to avoid spurious actuation. In addition, manual Reactor Building spray requires a simultaneous actuation of 2 manual controls. This is considered acceptable because spray actuation on Hi-3 Reactor Building pressure signal provides automatic initiation of the system via protection channels meeting the criteria in Reference 4. Moreover, 2 sets (2 switches per set) of Reactor Building spray manual initiation switches are provided to meet the requirements of IEEE Standard 279-1971. Also it is possible for all engineered safety features equipment (valves, pumps, etc.) to be individually manually actuated from the control board. Hence, a third mode of Reactor Building spray initiation is available. The design meets the requirements of Criteria 21 and 23 of the 1971 General Design Criteria.

7.3.2.2.2 Equipment Qualification

Equipment qualifications are discussed in Sections 3.10 and 3.11.

7.3.2.2.3 Channel Independence

The discussion presented in Section 7.2.2.2.3 is applicable. The engineered safety features slave relay outputs from the solid-state logic protection cabinets are redundant, and the actuations associated with each train are energized up to and including the final actuators by the separate a-c power supplies which power the logic trains.

7.3.2.2.4 Control and Protection System Interaction

The discussions presented in Section 7.2.2.2.3 are applicable.

7.3.2.2.5 Capability for Sensor Checks and Equipment Test and Calibration

The discussions of system testability in Section 7.2.2.2.3 are applicable to the sensors, analog circuitry, and logic trains of the Engineered Safety Features Actuation System.

The following discussions cover those areas in which the testing provisions differ from those for the Reactor Trip System.

7.3.2.2.5.1 Testing of Engineered Safety Features Actuation Systems

The Engineered Safety Features Systems are tested to provide assurance that the systems will operate as designed and will be available to function properly in the unlikely event of an accident.

The testing program meets the requirements of Criteria 21, 37, 40, and 43 of the 1971 General Design Criteria and requirements on testing of the Emergency Core Cooling System as stated in General Design Criteria-37 except for the operation of those components that will cause an adverse effect to the safety or operability of the plant per Regulatory Guide 1.22 as discussed in Section 7.1.2.5. The tests described in Section 7.2.2.2.3 and further discussed in Section 6.3.4 meet the actual safety injection. The test, as described, demonstrates the performance of the full operational sequence that brings the system into operation, the transfer between normal and emergency power sources and the operation of associated cooling water systems. The charging pumps and residual heat removal pumps are started and operated and their performance verified in a separate test discussed in Section 6.3.4. When the pump tests are considered in conjunction with the Emergency Core Cooling System test, the requirements of General Design Criteria-37 on testing of the Emergency Core Cooling System are met as closely as possible without causing an actual safety injection.

Testing as described in Sections 6.3.4, 7.2.2.2.3, and 7.3.2.2.5 provides complete periodic testability during reactor operation of all logic and components associated with the Emergency Core Cooling System.

This design meets the requirements of Regulatory Guide 1.22 as discussed in the above sections.

The program is as follows:

1. Prior to initial plant operations, Engineered Safety Features System tests will be conducted.

2. Subsequent to initial startup, Engineered Safety Features System tests will be conducted during each regularly scheduled refueling outage.
3. During online operation of the reactor, engineered safety features analog and logic circuitry will be fully tested. In addition, essentially all of the engineered safety features final actuators will be fully tested. The remaining few final actuators whose operation is not compatible with continued online plant operation will be checked by means of continuity testing.

7.3.2.2.5.2 Performance Test Acceptability Standard for the S (Safety Injection Signal) and for the P (the Automatic Demand Signal for Reactor Building Spray Actuation) Actuation Signals Generation

During reactor operation the basis for Engineered Safety Features Actuation Systems acceptability will be the successful completion of the overlapping tests performed on the initiating system and the Engineered Safety Features Actuation System (see Figure 7.3-2). Checks of process indications verify operability of the sensors. Analog checks and tests verify the operability of the analog circuitry from the input of these circuits through to and including the logic input relays except for the input relays associated with the Reactor Building spray function which are tested during the solid-state logic testing. Solid-State logic testing also checks the digital signal path from and including logic input relay contacts through the logic matrices and master relays and performs continuity tests on the coils of the output slave relays; final actuator testing operates the output slave relays and verifies operability of those devices which require safeguards actuation and which can be tested without causing plant upset. A continuity check is performed on the actuators of the untestable devices. Operation of the final devices is confirmed by control board indication and visual observation that the appropriate pump breakers close and automatic valves shall have completed their travel.

The basis for acceptability for the engineered safety features interlocks will be control board indication of proper receipt of the signal upon introducing the required input at the appropriate setpoint.

Routine periodic inspections of the ESF equipment and performance acceptability testing of the S (Safety Injection Signal) and of the P (Automatic Demand Signal for Reactor Building Spray Actuation) are consistent with inspections and tests of the NSSS Electrical Equipment Section 3.11.2.2.1 and the Technical Specifications.

7.3.2.2.5.3 Frequency of Performance of Engineered Safety Features Actuation Tests

During reactor operation, complete system testing (excluding sensors or those devices whose operation would cause plant upset) is performed on a periodic basis. Testing, including the sensors, is also performed during scheduled plant shutdown for refueling.

7.3.2.2.5.4 Engineered Safety Features Actuation Test Description

The following sections describe the testing circuitry and procedures for the online portion of the testing program. The guidelines used in developing the circuitry and procedures are:

1. The test procedures must not involve the potential for damage to any plant equipment.
2. The test procedures must minimize the potential for accidental tripping.
3. The provisions for online testing must minimize complication of engineered safety features actuation circuits so that their reliability is not degraded.

7.3.2.2.5.5 Description of Initiation Circuitry

Several systems comprise the total Engineered Safety Features System, the majority of which may be initiated by different process conditions and be reset independently of each other.

The remaining functions (listed in Section 7.3.1.1.1) are initiated by a common signal (safety injection) which in turn may be generated by different process conditions.

In addition, operation of all other vital auxiliary support systems, such as Emergency Feedwater, Component Cooling Water, Service Water, and Heating, Ventilating and Air Conditioning Systems listed in Section 9.4.5, is initiated by the safety injection signal.

Each function is actuated by a logic circuit which is duplicated for each of the 2 redundant trains of engineered safety features initiation circuits.

The output of each of the initiation circuits consists of a master relay which drives slave relays for contact multiplication as required. The logic, master, and slave relays are mounted in the solid-state logic protection cabinets designated Train A, and Train B, respectively, for the redundant counterparts. The master and slave relay circuits operate various pump and fan circuit breakers or starters, motor operated valve contactors, solenoid operated valves, emergency generator starting, etc.

7.3.2.2.5.6 Analog Testing

Analog testing is identical to that used for reactor trip circuitry and is described in Section 7.2.2.2.3.

An exception to this is Reactor Building spray, which is energized to actuate 2/4 and reverts to 2/3 when 1 channel is in test.
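The voting behaviour described in Sections 7.3.2.2.1 and 7.3.2.2.5.6 can be exercised with a small model. This is an added illustration, not part of the FSAR and not plant logic. All class and function names are hypothetical, the "no response" failure mode is a modelling assumption, and the 2/4 de-energize-to-trip function is an assumed comparison case next to the 2/4 energize-to-trip spray logic.

```python
"""Toy model of ESFAS coincidence voting (illustration only, not plant logic)."""
from dataclasses import dataclass, replace
from enum import Enum


class Bistable(Enum):
    DEENERGIZE_TO_TRIP = "de-energize to trip"  # power loss looks like a trip input
    ENERGIZE_TO_TRIP = "energize to trip"       # Reactor Building spray bistables


@dataclass(frozen=True)
class Channel:
    over_setpoint: bool = False  # process variable beyond its setpoint
    powered: bool = True         # instrument power available to the bistable
    responsive: bool = True      # False: sensor/bistable never reports a trip (assumed)
    in_test: bool = False        # channel under analog test


def trip_input(ch, kind):
    """True when this channel presents a trip input to the logic trains."""
    sensed = ch.responsive and ch.over_setpoint
    if kind is Bistable.DEENERGIZE_TO_TRIP:
        return sensed or not ch.powered   # loss of power calls for actuation
    return sensed and ch.powered          # spray: power is needed to trip


def vote(channels, kind, required=2):
    """2-out-of-N coincidence over the channels that are in service."""
    testing = [c for c in channels if c.in_test]
    if len(testing) > 1:
        raise ValueError("model covers at most one channel in test")
    if testing and kind is not Bistable.ENERGIZE_TO_TRIP:
        # The page defers this case to Section 7.2.2.2.3, so it is not modelled.
        raise ValueError("test alignment of other channels is not modelled")
    voting = [c for c in channels if not c.in_test]  # spray: 2/4 becomes 2/3
    return sum(trip_input(c, kind) for c in voting) >= required


def esf_actuates(channels, kind, trains_ok=(True, True)):
    """Both logic trains see every channel; either healthy train can actuate."""
    return any(trains_ok) and vote(channels, kind)


def single_failures(channels):
    """Yield (label, channels, trains_ok) for each single failure considered."""
    for i, ch in enumerate(channels):
        if ch.in_test:
            continue
        for label, change in (("power loss", {"powered": False}),
                              ("no response", {"responsive": False})):
            failed = list(channels)
            failed[i] = replace(ch, **change)
            yield f"channel {i + 1} {label}", failed, (True, True)
    yield "train A failed", list(channels), (False, True)
    yield "train B failed", list(channels), (True, False)


def sweep(kind, n=4, in_test=None):
    """Return (failures blocking actuation on demand, failures actuating spuriously)."""
    blocked, spurious = [], []
    for demand in (True, False):
        base = [Channel(over_setpoint=demand, in_test=(i == in_test)) for i in range(n)]
        for label, chans, trains in single_failures(base):
            actuated = esf_actuates(chans, kind, trains)
            if demand and not actuated:
                blocked.append(label)
            if not demand and actuated:
                spurious.append(label)
    return blocked, spurious


def power_loss_effect(kind, unpowered, demand, n=4):
    """Actuation result when `unpowered` of n channels lose instrument power."""
    chans = [Channel(over_setpoint=demand, powered=(i >= unpowered)) for i in range(n)]
    return esf_actuates(chans, kind)


if __name__ == "__main__":
    for kind in Bistable:
        print(kind.value, "single failures:", sweep(kind))
        print("  2 channels unpowered, no demand ->", power_loss_effect(kind, 2, False))
        print("  3 channels unpowered, on demand ->", power_loss_effect(kind, 3, True))
    print("spray with channel 1 in test:", sweep(Bistable.ENERGIZE_TO_TRIP, in_test=0))
```

In this model no single failure blocks actuation or causes a spurious one in either arrangement. The difference appears only with multiple power losses: de-energize-to-trip actuates without demand, while energize-to-trip stays quiet but can no longer actuate once fewer than 2 powered channels remain.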

7.3.2.2.5.7 Solid-State Logic Testing

Except for Reactor Building spray channels, solid-state logic testing is the same as that discussed in Section 7.2.2.2.3. During logic testing of 1 train, the other train can initiate the required engineered safety features function. For additional details, see Reference 2.

7.3.2.2.5.8 Actuator Testing

At this point, testing of the initiation circuits through operation of the master relay and its contacts to the coils of the slave relays has been accomplished. Slave relays (K601, K602, etc.) do not operate because of reduced voltage.

The Engineered Safety Features Actuation System final actuation device or actuated equipment testing shall be performed from the engineered safety features test cabinets. These cabinets are normally located near the Solid-State Logic Protection System equipment. There is 1 test cabinet provided for each of the 2 protection Trains A and B. Each cabinet contains individual test switches necessary to actuate the slave relays. To prevent accidental actuation, test switches are of the type that must be rotated and then depressed to operate the slave relays. Assignments of contacts of the slave relays for actuation of various final devices or actuators have been made such that groups of devices or actuated equipment can be operated individually during plant operation without causing plant upset or equipment damage. In the unlikely event that a safety injection signal is initiated during the test of the final device that is actuated by this test, the device will already be in its engineered safety feature position.

During this last procedure, close communication between the Control Room operator and the operator at the test panel is required. Prior to the energizing of a slave relay, the operator in the Control Room assures that plant conditions will permit operation of the equipment that will be actuated by the relay. After the tester has energized the slave relay, the Control Room operator observes that all equipment has operated as indicated by appropriate indicating lamps, monitor lamps and annunciators on the control board and, using a prepared check list, records all operations. After proper operation is verified, the test switch is reset at the test panel and each device is returned to its desired mode from the control board.

By means of the procedures outlined above, all engineered safety features devices actuated by engineered safety features actuation systems initiation circuits, with the exceptions noted in Section 7.1.2.5 under a discussion of Regulatory Guide 1.22, are operated by the automatic circuitry.

7.3.2.2.5.9 Actuator Blocking and Continuity Test Circuits

Those few final actuation devices that cannot be designed to be actuated during plant operation (discussed in Section 7.1.2.5) have been assigned to slave relays for which additional test circuitry has been provided to individually block actuation of a final device upon operation of the associated slave relay during testing. Operation of these slave relays, including contact operations, and continuity of the electrical circuits associated with the final devices control are checked in lieu of actual operation. The circuits provide for monitoring of the slave relay contacts, the devices control circuit cabling, control voltage and the devices actuation relay coils, solenoids, etc. Interlocking prevents blocking the output from more than 1 output relay in a protection train at a time. Interlocking between trains is also provided to prevent continuity testing in both trains simultaneously; therefore, the redundant device associated with the protection train not under test will be available in the event protection action is required. If an accident occurs during testing, the automatic actuation circuitry will override testing as noted above. One (1) exception to this is that if the accident occurs while testing a slave relay whose output must be blocked, those few final actuation devices associated with this slave relay will not be overridden; however, the redundant devices in the other train would be operational and would perform the required safety function. Actuation devices to be blocked are identified in Section 7.1.2.5.
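The two interlocks described above can be checked exhaustively against the property they are meant to guarantee: for every blocked function, the redundant train remains available. The following Python model is an added example, not part of the FSAR; the relay labels are constructed, and it assumes that the same label in Train A and Train B denotes redundant counterparts of one function.

```python
from collections import deque
from itertools import product

# Constructed labels for slave relays whose outputs can be blocked for test.
# Assumption: the same label in both trains means redundant counterparts.
RELAYS = ("slave-1", "slave-2", "slave-3")
START = (None, None)  # (relay blocked in Train A, relay blocked in Train B)


def next_states(state, inter_train_interlock):
    """Yield every state reachable from `state` by one test-panel action."""
    # Action: request blocking of one relay in one train.
    for idx, relay in product(range(2), RELAYS):
        own, other = state[idx], state[1 - idx]
        if own is not None:
            continue  # interlock 1: at most one blocked output relay per train
        if inter_train_interlock and other is not None:
            continue  # interlock 2: no continuity testing in both trains at once
        new = list(state)
        new[idx] = relay
        yield tuple(new)
    # Action: restore a blocked relay to normal service.
    for idx in range(2):
        if state[idx] is not None:
            new = list(state)
            new[idx] = None
            yield tuple(new)


def reachable(inter_train_interlock=True):
    """Breadth-first search over all sequences of block/restore actions."""
    seen = {START}
    queue = deque([START])
    while queue:
        state = queue.popleft()
        for nxt in next_states(state, inter_train_interlock):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def function_available(state, relay):
    """True if at least one train can still actuate the devices on `relay`."""
    return any(blocked != relay for blocked in state)


def violations(inter_train_interlock=True):
    """Reachable (state, relay) pairs in which both trains are blocked."""
    return sorted(
        (state, relay)
        for state in reachable(inter_train_interlock)
        for relay in RELAYS
        if not function_available(state, relay)
    )


if __name__ == "__main__":
    print("with inter-train interlock:   ", violations(True))
    print("without inter-train interlock:", violations(False))
```

With both interlocks in place no reachable state blocks a function in both trains; removing the inter-train interlock from the model makes such states reachable, which is the case the design excludes.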

The continuity test circuits for these components that cannot be actuated online are verified by proving lights on the engineered safety features test racks.

The typical schemes for blocking operation of selected engineered safety features function actuator circuits are shown in Figure 7.3-3 as details A and B. The schemes operate as explained below and are duplicated for each engineered safety features train.

Detail A shows the circuit for contact closure for protection function actuation. Under normal plant operation, and equipment not under test, the test lamps DS* for the various circuits will be energized. Typical circuit path will be through the normally closed test relay contact K* and through test lamp connections 1 to 3. Coils X1 and X2 will be capable of being energized for protection function actuation upon closure of solid-state logic output relay contacts K*. Coil X1 or X2 is typical for a breaker closing auxiliary coil, motor starter master coil, coil of a solenoid valve, auxiliary relay, etc. When the contacts K* are opened to block energizing of coil X1 and X2, the white lamp is de-energized, and the slave relay K* may be energized to perform continuity testing. To verify operability of the blocking relay in both blocking and restoring normal service, open the blocking relay contact in series with lamp connections - the test lamp should be de-energized; close the blocking relay contact in series with the lamp connections - the test lamp should now be energized, which verifies that the circuit is now in its normal, i.e., operable condition.

Detail B shows the circuit for contact opening for protection function actuation. Under normal plant operation, and equipment not under test, the white test lamps DS* for the various circuits will be energized, and green test lamp DS* will be de-energized. Typical circuit path for white lamp DS* will be through the normally closed solid-state logic output relay contact K* and through test lamp connections 1 to 3. Coils Y1 and Y2 will be capable of being de-energized for protection function actuation upon opening of solid-state logic output relay contacts K*. Coil Y2 is typical for a solenoid valve coil, auxiliary relay, etc. When the contacts K8* are closed to block de-energizing of coils Y1 and Y2, the green test lamp is energized, and the slave relay K* may be energized to verify operation (opening of its contacts). To verify operability of the blocking relay in both blocking and restoring normal service, close the blocking relay contact to the green lamp - the green test lamp should now be energized also; open this blocking relay contact - the green test lamp should be de-energized, which verifies that the circuit is now in its normal, i.e., operable condition.

7.3.2.2.5.10 The testing provisions of the engineered safety features loading sequence control panels differ from the Engineered Safety Features Actuation System. Each engineered safety features loading sequence control panel is designed to combine automatic testing with manual testing. Continuous and periodic test features are provided to test for equipment faults (e.g., open circuits, short circuits, inoperative timers). All system accuracy and functional requirements are maintained when automatic testing is implemented. These features are provided in accordance with IEEE-420, Section 4.7 and the following:

1. Automatic Test

The Automatic Test Feature has 3 operating modes: Continuous, Fast, and Slow. During these modes, the Automatic Test Feature monitors the engineered safety features loading sequence and upon occurrence of an improper response will display the step number of the failed test and energize a fault relay for remote annunciator. The Continuous mode provides on-line surveillance of the engineered safety features loading sequence operation by repeatedly cycling the Automatic Test circuits through their test states and monitoring the various system outputs for appropriate responses. Operation is checked from the logic input signals through the logic and counter stages and up to and including the relay driven outputs.

The surveillance will not interfere with system requirements nor cause an undesired relay actuation during normal system operation. The Fast mode operates in the same manner as the Continuous mode except that only 1 test cycle is performed for each operator initiated test.

The Slow mode allows manual stepping of the Automatic Test circuits through a test cycle to observe the system response via the cabinet control panel indicators. Operation is checked from the logic input signals through the logic and counter stages, the relay driver outputs, and output relays. The Slow mode actuates the output relays thereby starting or tripping plant equipment.

Fault detection and annunciation, local and remote, are automatic in the Continuous and Fast modes, while operator interpretation of the system response is required in the Slow mode.

Additionally, automatic resetting of the Automatic Test circuits, in response to a True input signal, is provided in the Continuous and Fast modes. Manual reset is required in the Slow mode.

2. Manual Test

The Manual Test Features provide the means to verify all engineered safety features loading sequence functions locally at the cabinet control panel. Input test switches enable simulation of all inputs, including operation of the input buffer relays, in any combination or time sequence. Output test switches enable actuation of each step or output individually, including operation of the final associated solid state driver stage. Blocking switches, which allow active testing of Output 1 and Output 4 without affecting associated external loads, are also provided. Indicator lamps associated with each input, system, startup, each step and each output allow the operator to visually observe the results of all tests.

7.3.2.2.5.11 Time Required for Testing

It is estimated that analog testing can be performed at a rate of several channels per hour. Logic testing of both Trains A and B can be performed in less than 30 minutes. Testing of actuated components (including those which can only be partially tested) will be a function of control room operator availability. It is expected to require several shifts to accomplish these tests. During this procedure automatic actuation circuitry will override testing, except for those few devices associated with a single slave relay whose outputs must be blocked and then only while blocked.

It is anticipated that continuity testing associated with a blocked slave relay could take several minutes. During this time the redundant devices in the other train would be functional.

7.3.2.2.5.12 Summary of Online Testing Capabilities

The procedures described provide capability for checking completely from the process signal to the logic cabinets and from there to the individual pump and fan circuit breakers or starters, valve contactors, pilot solenoid valves, etc., including all field cabling actually used in the circuitry called upon to operate for an accident condition. For those few devices whose operation could adversely affect plant or equipment operation, the same procedure provides for checking from the process signal to the logic rack. To check the final actuation device, a continuity test of the individual control circuits is performed.

The procedures require testing at various locations.

1. Analog testing and verification of bistable setpoint are accomplished at process analog racks. Verification of bistable relay operation is done at the control board status lights.

2. Logic testing through operation of the master relays and low voltage application to slave relays is done at the logic rack test panel.
3. Testing of pumps, fans and valves is done at a test panel located in the vicinity of the logic racks in combination with the control room operator.
4. Continuity testing for those circuits that cannot be operated is done at the same test panel mentioned in item 3 above.

The reactor coolant pump essential service isolation valves consist of the isolation valves on the component cooling water and the seal water return header.

The main reason for not testing these valves periodically is that the reactor coolant pumps may be damaged. Although pump damage from this type of test would not result in a situation which endangers the health and safety of the public, it could result in unnecessary shutdown of the reactor for an extended period of time while the reactor coolant pump or certain of its parts were replaced. This would place a great economic burden on South Carolina Electric and Gas Company.

Reactor Building Spray System pump tests will be performed periodically. The pump tests will be performed with the isolation valves in the spray pump discharge lines at the Reactor Building blocked closed; the Sodium Hydroxide Storage Tank valves are also blocked closed.

7.3.2.2.5.13 Testing During Shutdown

Emergency Core Cooling System tests will be performed at each major fuel reloading with the Reactor Coolant System isolated from the Emergency Core Cooling System by closing the appropriate valves. A test safety injection signal will then be applied to initiate operation of active components (pumps and valves) of the Emergency Core Cooling System. This is in compliance with Criterion 37 of the 1971 General Design Criteria.

7.3.2.2.5.14 Periodic Maintenance Inspection

The maintenance procedures which follow may be accomplished in any order. The frequency will depend on the operating conditions and requirements of the reactor power plant. If any degradation of equipment operation is noted, either mechanically or electrically, remedial action is taken to repair, replace, or readjust the equipment.

Typical maintenance procedures include the following:

1. Check cleanliness of all exterior and interior surfaces.
2. Inspect for loose or broken control knobs and burned-out indicator lamps.
3. Inspect for moisture and condition of cables and wiring.
4. Visually or mechanically check connectors and terminal boards for looseness, poor connection, or corrosion.
5. Inspect the components of each assembly for signs of overheating or component deterioration.
6. Perform complete system operating check.

The balance of the requirements listed in Reference 4 (paragraphs 4.11 through 4.22) are discussed in Section 7.2.2.2.3. Paragraph 4.20 receives special attention in Section 7.5.4.

7.3.2.2.6 Manual Resets and Blocking Features

The manual reset feature associated with reactor building spray actuation is provided in the standard Westinghouse Solid-State Protection System design for 2 basic purposes:

First, the feature permits the operator to start an interruption procedure of automatic reactor building spray in the event of false initiation of an actuation signal. Second, although spray system performance is automatic, the reset feature enables the operator to start a manual takeover of the system to handle unexpected events which can be better dealt with by operator appraisal of changing conditions following an accident.

It is most important to note that manual control of the Spray System does not occur, once actuation has begun, by just resetting the associated logic devices alone. Components will seal in (latch) so that removal of the actuation signal, in itself, will neither cancel nor prevent completion of protective action nor provide the operator with manual override of the automatic system by this single action. In order to take complete control of the system to interrupt its automatic performance, the operator must deliberately unlatch relays which have sealed in the initial actuation signals in the associated motor control center, in addition to tripping the pump motor circuit breakers, if stopping the pumps is desirable or necessary.

The manual reset feature associated with reactor building spray, therefore, does not perform a bypass function. It is merely the first of several manual operations required to take control from the automatic system or interrupt its completion should such an action be considered necessary.

In the event that the operator anticipates system actuation and erroneously concludes that it is undesirable or unnecessary and imposes a standing reset condition in 1 train (by operating and holding the corresponding reset switch at the time the initiate signal is transmitted), the other train will automatically carry the protective action to completion. In the event that the reset condition is imposed simultaneously in both trains at the time the initiate signals are generated, the automatic sequential completion of system action is interrupted and control has been taken by the operator.

Manual takeover will be maintained, even though the reset switches are released, if the original initiate signal exists. Should the initiate signal then clear and return again, automatic system actuation will repeat.

Note also that any time delays imposed on the system action are to be applied after the initiating signals are latched. Delay of actuation signals for fluid systems lineup, load sequencing, etc., does not provide the operator time to interrupt automatic completion, with manual reset alone, as would be the case if time delay were imposed prior to sealing of the initial actuation signal.
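The reset and seal-in behaviour described in this section can be traced with a state model of the two spray trains. The following Python model is an added example, not taken from the FSAR or from the Westinghouse design; the class and function names are hypothetical, and latching on the rising edge of the initiate signal is a modelling assumption chosen to reproduce the behaviour stated above.

```python
from dataclasses import dataclass


@dataclass
class SprayTrain:
    """Simplified model of one Reactor Building spray actuation train."""
    name: str
    prev_initiate: bool = False   # initiate signal at the previous sample
    logic_latched: bool = False   # actuation signal sealed in at the logic
    device_latched: bool = False  # relays sealed in at the motor control center
    pump_running: bool = False

    def step(self, initiate: bool, reset_held: bool = False) -> None:
        """Advance one sample with the given initiate and reset inputs."""
        # Assumption: the logic latches on the rising edge of the signal.
        rising = initiate and not self.prev_initiate
        self.prev_initiate = initiate
        if reset_held:
            # Reset clears only the logic latch; a standing reset also
            # keeps a newly arriving initiate signal from latching.
            self.logic_latched = False
        elif rising:
            self.logic_latched = True
        if self.logic_latched:
            # Components seal in, so a later logic reset or removal of the
            # signal does not by itself stop the protective action.
            self.device_latched = True
            self.pump_running = True

    def unlatch_relays(self) -> None:
        """Operator deliberately unlatches the sealed-in relays."""
        self.device_latched = False

    def trip_pump_breaker(self) -> None:
        """Operator trips the pump motor circuit breaker."""
        self.pump_running = False

    @property
    def action_in_progress(self) -> bool:
        return self.logic_latched or self.device_latched or self.pump_running


def reset_after_actuation():
    """Reset alone does not give manual control once actuation has begun."""
    train = SprayTrain("A")
    train.step(initiate=True)                   # signal latches, devices seal in
    train.step(initiate=True, reset_held=True)  # first manual step: logic reset
    after_reset = train.action_in_progress      # devices are still sealed in
    train.unlatch_relays()                      # further deliberate steps
    train.trip_pump_breaker()
    train.step(initiate=True)                   # signal still present, no new edge
    return after_reset, train.action_in_progress


def standing_reset(trains_held):
    """Reset held in `trains_held` while the initiate signal arrives.

    Samples: 0 no signal, reset held; 1 signal arrives, reset held;
    2 reset released, signal present; 3 signal clears; 4 signal returns.
    Returns the pump state of both trains after each sample.
    """
    trains = [SprayTrain("A"), SprayTrain("B")]
    timeline = [(False, True), (True, True), (True, False),
                (False, False), (True, False)]
    history = []
    for initiate, hold in timeline:
        for train in trains:
            train.step(initiate, reset_held=hold and train.name in trains_held)
        history.append({t.name: t.pump_running for t in trains})
    return history


if __name__ == "__main__":
    print("reset after actuation:", reset_after_actuation())
    print("reset held in Train A:", standing_reset({"A"}))
    print("reset held in both:   ", standing_reset({"A", "B"}))
```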

The manual block features associated with pressurizer and steam line safety injection signals provide the operator with the means to block initiation of safety injection during plant startup.

These block features meet the requirements of paragraph 4.12 of IEEE Standard 279-1971 in that automatic removal of the block occurs when plant conditions require the protection system to be functional.

Safety injection actuation on low pressurizer pressure may be manually blocked when the primary pressure falls below the P-11 setpoint. Safety injection and steamline isolation actuation on low steamline pressure may also be manually blocked below the P-12 setpoint (low-low Tavg). Safety injection cannot be blocked on high steam line differential pressure or high-1 containment pressure, and steam line isolation cannot be blocked on either high steam line flow coincident with low-low Tavg or high-2 containment pressure. Thus these signals would always be available to automatically terminate a steam line rupture during cooldown or startup.

Furthermore, during heatup and cooldown and while safety injection is blocked, the operator will be in full manual control of the plant. He will be cognizant of the plant operating conditions and the expected changes in these parameters. If a serious steam line break should occur during this time, it should be apparent to the operator so that he can take the necessary action to prevent any adverse consequences in a timely fashion.

The types of instrumentation available to the operator which would indicate that a steam line break has occurred consist of alarms and indicated values. Alarms could occur on high steam flow, low steam line pressure (SI actuation, Steamline Isolation), low-low steam generator level (reactor trip), low steam generator level, high steam line differential pressure (SI actuation), high source range nuclear flux (reactor trip), and containment pressure high-1 (SI actuation) and high-2 (steam line isolation).

The instrumentation which would be indicated on the control board consists of the above channels plus Tavg, pressurizer level and pressurizer pressure. Since the shutdown margin during cooldown or startup is greater than that for the case analyzed in the FSAR, there will be more time for manual action to terminate the transient. Furthermore, the steam line pressure during cooldown and startup would be such that the consequences of the steam generator blowdown would be less severe than for the hot zero power case analyzed in the Final Safety Analysis Report.

Therefore, either the protection system will automatically terminate the transient or the operator will determine soon after the incident begins that a break has occurred and will take the necessary action.

7.3.2.2.7 Manual Initiation of Protective Actions (Regulatory Guide 1.62)

There are 3 individual main steam isolation valve momentary control switches (1 per loop) mounted on the control board. Each switch when actuated, will isolate its main steam line. In addition, an independent momentary control switch, mounted on the control board, will isolate all 3 main steam lines when actuated.

Manual initiation of semi-automatic switchover to recirculation following a loss of primary coolant accident is in compliance with paragraph 4.17 of IEEE Standard 279-1971 with the following comments:

1. The manual operations that are involved in this switchover are described in Section 6.3.
2. Once safety injection is initiated following a loss of primary coolant accident, the Reactor Building sump isolation valves in the Residual Heat Removal System pump suction lines will open automatically upon receipt of a lo-lo level signal from the refueling water storage tank level instrumentation.
3. Manual initiation of either 1 of 2 redundant safety injection actuation main control board mounted switches not only provides for actuation of the components required for reactor protection and mitigation of adverse consequences of the postulated accident prior to the recirculation mode associated with a loss of primary coolant accident, but also enables the Reactor Building sump isolation valves to automatically open when the lo-lo level setpoint on the refueling water storage tank is reached.

Manual operation of other components or manual verification of proper position as part of emergency procedures is not precluded nor otherwise in conflict with the above described compliance to paragraph 4.17 of IEEE Standard 279-1971.

No exception to the requirements of IEEE Standard 279-1971 has been taken in the manual initiation circuit of safety injection. Although paragraph 4.17 of IEEE Standard 279-1971 requires that a single failure within common portions of the protective system shall not defeat the protective action by manual or automatic means, the standard does not specifically preclude the sharing of initiated circuitry logic between automatic and manual functions. It is true that the manual safety injection initiation functions associated with 1 actuation train (e.g., Train A) share portions of the automatic initiation circuitry logic of the same logic train; however, a single failure in shared functions does not defeat the protective action of the redundant actuation train (e.g., Train B). A single failure in shared functions does not defeat the protective action of the safety functions. It is further noted that the sharing of the logic by manual and automatic initiation is consistent with the system level action requirements of IEEE Standard 279-1971, paragraph 4.17 and consistent with the minimization of complexity.

7.3.2.3 Further Considerations

In addition to the considerations given above, a loss of instrument air or loss of component cooling water to vital equipment has been considered. Neither the loss of instrument air nor the loss of component cooling water (assuming no other accident conditions) can cause safety limits as given in the Technical Specifications to be exceeded. Likewise, loss of either 1 of the 2 will not adversely affect the core or the Reactor Coolant System nor will it prevent an orderly shutdown if this is necessary. Furthermore, all pneumatically operated valves and controls will assume a preferred operating position upon loss of instrument air. It is also noted that, for conservatism during the accident analyses (Chapter 15), credit is not taken for the instrument air systems nor for any control system benefit.

In its present design, Westinghouse does not provide any circuitry which will directly trip the reactor coolant pumps on a loss of component cooling water. Normally, indication in the control room is provided whenever component cooling water is lost. The reactor coolant pumps can run about 10 minutes after a loss of component cooling water. This provides adequate time for the operator to correct the problem or trip the plant if necessary.

With regard to the Emergency Feedwater System, there are 2 motor driven pumps and one turbine driven pump. The motor driven pumps are initiated automatically by the following signals:

1. Safety injection, through the engineered safety features load sequencer.
2. Low-low level (2/3) in any steam generator (derived from the Solid-State Protection System output cabinets).
3. Manual start.
4. Trip of all main feed pumps.
5. Undervoltage on the diesel bus.

The turbine driven pump as well as the closing of blowdown and sample valves are initiated automatically by:

1. Low-low level (2/3) in 2/3 steam generators (derived from the Solid-State Protection System output cabinets).
2. Manual start.
3. Undervoltage on both diesel buses.

To assure auto-start of the component cooling water and service water pumps on the inactive loop and to prevent diesel generator overloading on a SI/LOOP signal, the circuit breaker(s) for the out of service or spare pump/chiller for systems with swing components will be racked out.

7.3.2.4 Summary

The effectiveness of the Engineered Safety Features Actuation System is evaluated in Chapter 15, based on the ability of the system to contain the effects of Condition III and IV faults, including loss of reactor coolant and steam break accidents. The Engineered Safety Features Actuation System parameters are based upon the component performance specifications which are given by the manufacturer or verified by test for each component. Appropriate factors to account for uncertainties in the data are factored into the constants characterizing the system.

The Engineered Safety Features Actuation System must detect Condition III and IV faults and generate signals which actuate the engineered safety features. The system must sense the accident condition and generate the signal actuating the protection function reliably and within a time determined by and consistent with the accident analyses in Chapter 15.

Much longer times are associated with the actuation of the mechanical and fluid system equipment associated with engineered safety features. This includes the time required for switching, bringing pumps and other equipment to speed and the time required for them to take load.

Operating procedures require that the complete Engineered Safety Features Actuation System normally be operable. However, redundancy of system components is such that the system operability assumed for the safety analyses can still be met with certain instrumentation channels out of service. Channels that are out of service are to be placed in the tripped mode, or bypass mode in the case of Reactor Building spray.

7.3.2.4.1 Loss of Coolant Protection

By analysis of loss of coolant accident and in system tests it has been verified that (except for very small coolant system breaks, which can be protected against by the charging pumps followed by an orderly shutdown), the effects of various loss of coolant accidents are reliably detected by the low pressurizer pressure signal.

For large coolant system breaks the passive accumulators inject first, because of the rapid pressure drop. This protects the reactor during the unavoidable delay associated with actuating the active Emergency Core Cooling System phase.

High Reactor Building pressure also actuates the Emergency Core Cooling System. Therefore, emergency core cooling actuation can be brought about by sensing this other direct consequence of a primary system break; that is, the Engineered Safety Features Actuation System detects the leakage of the coolant into the Reactor Building. The generation time of the actuation signal of about 1.5 seconds, after detection of the consequences of the accident, is adequate.

Reactor Building spray will provide additional emergency cooling of the Reactor Building and also limit fission product release upon sensing elevated Reactor Building pressure (Hi-3) to mitigate the effects of a loss of coolant accident.

The delay time between detection of the accident condition and the generation of the actuation signal for these systems is assumed to be about 1.0 second, well within the capability of the protection system equipment. However, this time is short compared to that required for startup of the fluid systems.

The analyses in Chapter 15 show that the diverse methods of detecting the accident condition and the time for generation of the signals by the protection systems are adequate to provide reliable and timely protection against the effects of loss of coolant.

7.3.2.4.2 Steam Line Break Protection

The Emergency Core Cooling System is also actuated in order to protect against a steam line break. Table 7.3.4 gives the time between sensing high steam line differential pressure or low steam line pressure and generation of the actuation signal. Analysis of steam line break accidents, assuming this delay for signal generation, shows that safety injection is actuated for a steam line break in time to limit or prevent further core damage for steam break cases. There is a reactor trip and the core reactivity is further reduced by the borated water injected by the Emergency Core Cooling System.

Additional protection against the effects of steam line break is provided by feedwater isolation which occurs upon actuation of the Emergency Core Cooling System. Feedwater isolation is initiated in order to prevent excessive cooldown of the reactor vessel and thus protect the Reactor Coolant System boundary.

Additional protection against a steam line break accident is provided by closure of all steam line isolation valves in order to prevent uncontrolled blowdown of all steam generators. The time for generation of the protection system signal (about 2.0 seconds) is again short compared to the time to trip the fast acting steam line isolation valves which are designed to close in less than approximately 5 seconds.

In addition to actuation of the engineered safety features, the effect of a steam line break accident also generates a signal resulting in a reactor trip on overpower or following Emergency Core Cooling System actuation. The core activity is further reduced by the Emergency Core Cooling System.

The analyses in Chapter 15 of the steam line break accidents and an evaluation of the protection system instrumentation and channel design shows that the Engineered Safety Features Actuation Systems are effective in preventing or mitigating the effects of a steam line break accident.

7.3.3 Electric Hydrogen Recombiner-Description of Instrumentation

The Electric Hydrogen Recombiner System is discussed in Section 6.2.5. Two (2) redundant recombiners, which are located inside the Reactor Building, do not require any instrumentation inside the Reactor Building for proper operation after a loss of coolant accident (LOCA).

Thermocouples are provided for convenience in test and periodic checkout of the recombiner; however, they are not considered necessary to assure proper operation of the recombiner.

Each recombiner is provided with a control panel and a power supply panel, which are located outside the Reactor Building, as shown on Figure 6.2.54 and Figure 6.2-58. The power supply panel contains an isolation transformer plus a controller to regulate power into the recombiners. The manually operated potentiometer for this controller is on the control panel. For equipment test and periodic checkout, a thermocouple readout instrument is also provided on the control panel for monitoring temperatures in the recombiner. To control the recombination process, the correct power input which will bring the recombiner above the threshold temperature for recombination will be set on the controller. Setting of the controller is accomplished at the local control panel and power input is monitored by a wattmeter, which is also mounted on the control panel. This predetermined power setting will cover variations in Reactor Building pressure and hydrogen concentration in the post-loss of coolant accident environment. The manually operated switch for energizing a recombiner is on the control panel.

7.3.3.1 Initiating Circuits

The Hydrogen Recombiner System would be operated only during periodic testing and after a loss-of-coolant accident. Operation is initiated manually from the control station, so as to allow the heating elements within the unit to be energized. A 2 position switch is provided on the control panel for this purpose.

7.3.3.2 Logic

All operation of the electric hydrogen recombiner is by operator action; there are no automatic logic functions required. A post accident hydrogen analyzer will be used to indicate when the recombiners or the venting system should be actuated.

7.3.3.3 Bypasses The electric hydrogen recombiners are normally not operating and are not armed for automatic actuation. Following an accident the elapsed time prior to the needed start of the equipment is in terms of hours or days. The recombiners are also operated during periodic testing. Other than these times they are in a standby mode. This standby mode is not a bypass mode, which refers to the inoperative status of systems that are normally operating.

7.3.3.4 Interlocks There are no functional interlocks associated with the electric hydrogen recombiner.

7.3.3.5 Sequence

Each electric hydrogen recombiner is capable of being supplied from an independent onsite diesel generator. Loading on the emergency electric bus is by manual means, not by sequencers.

7.3.3.6 Redundancy

To meet the requirements for redundancy and independence, 2 electric hydrogen recombiners are provided, and each recombiner is provided with a separate power panel and control panel and each is powered from a separate Class 1E bus. The operation of a single unit is intended to provide the required hydrogen removal capability.

7.3.3.7 Diversity

Diversity between the redundant portions of the Electric Hydrogen Recombiner System is not required to protect against systematic failures, such as multiple failures resulting from a credible single event. The design and environmental and seismic qualification of the Westinghouse electric hydrogen recombiner, as reported on in topical report WCAP-7709-L (Proprietary) with Supplements 1 to 7 and WCAP-7820 (Non-Proprietary), was found acceptable for the prototype and production models by the NRC. This acceptance was reported in NRC's letters of May 1, 1975 from D. B. Vassalo to C. Eicheldinger, Manager of W Nuclear Safety Department, and of June 22, 1978 from John Stolz to T. M. Anderson regarding supplements 5, 6, and 7.

7.3.3.8 Actuated Devices

A manually operated switch on the control panel is used to initiate operation of an electric hydrogen recombiner. This switch energizes a contactor in the power supply panel which applies the 3-phase electric power source to the transformer, also in the power supply panel. Electric power input to the recombiner is controlled by a controller in the power supply panel, by means of a manually operated potentiometer and a wattmeter on the control panel. Electric power is fed to the recombiner's electric resistance heaters, which are used to heat a continuous flow of Reactor Building atmosphere to the hydrogen-oxygen reaction temperature. This causes hydrogen to combine with the oxygen which is in the Reactor Building.

7.3.4 Cross References

Table 7.3-7 provides cross references outlining appropriate sections that supply descriptions of initiating circuitry, logic, bypasses, interlocks, sequencing, redundancy, diversity and actuated devices for ESF and ESF supporting systems.

7.3.5 References

1. Reid, J. B., Process Instrumentation for Westinghouse Nuclear Steam Supply System (4 Loop Plant using WCID 7300 Series Process Instrumentation), WCAP-7913, 1973.

2. Katz, D. N., Solid-State Logic Protection System Description, WCAP-7488-L (Proprietary), 1971 and WCAP-7672 (Non-Proprietary), 1971.

3. Swogger, J. W., Testing of Engineered Safety Features Actuation System, WCAP-7705, Revision 2, 1976.
4. The Institute of Electrical and Electronics Engineers, Inc., IEEE Standard: Criteria for Protection System for Nuclear Power Generating Stations, IEEE Standard 279-1971.
5. Eggleston, F. T., Rawlins, D. H., Petrow, J. R., Failure Mode and Effects Analysis (FMEA) of the Engineering Safeguard Features Actuation System, WCAP-8584 (Proprietary), 1976, and WCAP-8760 (Non-Proprietary), 1976.

Table 7.3-1 Instrumentation Operating Condition for Engineered Safety Features

Number | Function Unit | Number of Channels | Number of Channels to Trip
1. | Safety Injection (SIS) | |
a. | Manual | 2 | 1
b. | Reactor building pressure (Hi-1) | 3 | 2
c. | High differential pressure between steam lines | 3/steam line | 2/steam line indicating that the steam line pressure is low in comparison to the two lines
d. | Pressurizer low pressure (1) | 3 | 2
e. | Low steam line pressure | 3 pressure signals | 2
2. | Reactor Building Spray | |
a. | Manual (2) | 4 | 2
b. | Reactor building pressure (Hi-3) (3) | 4 | 2

(1) Permissible bypass if reactor coolant pressure is less than 2,000 psig.

(2) Manual actuation of reactor building spray is accomplished by actuating either of two sets (two switches per set). Both switches in a set must be actuated to obtain a manually initiated spray signal.

(3) Coincident with containment isolation Phase A.

Table 7.3-2 Instrument Operating Conditions for Isolation Functions

Number | Function Unit | Number of Channels | Number of Channels to Trip
1. | Containment Isolation | |
a. | Safety Injection Phase A | See Item No. 1 (a) through (e) of Table 7.3-1 |
b. | Reactor Building Pressure Phase B | See Item No. 2 (b) of Table 7.3-1 |
c. | Manual Phase A | 2 | 1
 | Manual Phase B | See Item No. 2 (a) of Table 7.3-1 |
2. | Steam Line Isolation | |
a. | High Steam Flow in 2/3 Steam Lines Coincident with Low Tavg | 2 flow signals/steam line; 3 Tavg signals | 1 flow signal/steam line in any two lines; 2
b. | Low steam line pressure | See Item No. 1 (e) of Table 7.3-1 |
c. | Reactor Building Pressure (Hi-2) | 3 | 2
d. | Manual (1) | 1/loop | 1/loop
3. | Feedwater Line Isolation | |
a. | Safety Injection | See all signals Item No. 1 of Table 7.3-1 |
b. | Steam Generator High-High Level (any loop) | 3/loop | 2/loop
c. | Low Tavg Coincident with Reactor Trip | 3 | 2

(1) System level isolation also available

Table 7.3-3 Interlocks for Engineered Safety Features Actuation System

Designation | Input | Function Performed
P-4 | Reactor tripped | Presence of P-4 signal actuates turbine trip
 | | Presence of P-4 signal closes main feedwater valves on Tavg below low Tavg setpoint
 | | Presence of P-4 signal prevents opening of main feedwater valves which were closed by safety injection or high-high steam generator water level
 | | Presence of P-4 signal allows manual reset/block of the automatic reactuation of safety injection
 | | Absence of P-4 signal defeats the manual reset/block preventing automatic reactuation of safety injection
P-11 | 2/3 pressurizer pressure below setpoint (Presence of P-11 signal permits functions shown. Absence of signal defeats functions shown) | Allows manual block of safety injection actuation on low pressurizer pressure and level signal
 | | Blocks automatic opening of the pressurizer power relief valves
P-12 | 2/3 (1) Tavg below setpoint (Presence of P-12 signal performs or permits functions shown. Absence of signal defeats function shown) | Allows manual block of safety injection actuation and steam line isolation on low steam line pressure
 | | Blocks steam dump except for cooldown valves
 | | Allows manual bypass of steam dump block for the cooldown valves only
P-14 | 2/3 Steam generator water level above setpoint on any steam generator (Presence of signal performs or permits functions shown) | Closes all feedwater control valves
 | | Trips all main feedwater pumps which closes the pump discharge valves
 | | Actuates turbine trip

(1) This signal in coincidence with high steam line flow actuates steam line isolation.
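The 2/3 coincidence of Table 7.3-1 and the P-11 permissive of Table 7.3-3, modeled as an added example (not part of the FSAR and not the plant's logic). The 1850 psig trip setpoint and all channel readings are constructed, and the P-11 setpoint is assumed to be the 2,000 psig of footnote (1) to Table 7.3-1.

```python
"""Coincidence logic with a permissive-gated manual block (illustrative model)."""

P11_SETPOINT_PSIG = 2000.0     # footnote (1), Table 7.3-1; assumed to be the P-11 setpoint
SI_LOW_PRESSURE_PSIG = 1850.0  # constructed trip setpoint, not a value from the page


def coincidence(tripped, required):
    """Return True when at least `required` channel bistables are tripped."""
    return sum(1 for t in tripped if t) >= required


def manual_spray(set_1, set_2):
    """Footnote (2): either of two sets actuates, but both switches of that set are needed."""
    if len(set_1) != 2 or len(set_2) != 2:
        raise ValueError("each manual spray set has two switches")
    return all(set_1) or all(set_2)


class LowPressurizerPressureSI:
    """Item 1.d of Table 7.3-1 (3 channels, 2 to trip) with the P-11 manual block."""

    def __init__(self):
        self.blocked = False

    @staticmethod
    def _check(pressures):
        if len(pressures) != 3:
            raise ValueError("three pressurizer pressure channels are required")

    def p11_present(self, pressures):
        """P-11: 2/3 pressurizer pressure channels below the permissive setpoint."""
        self._check(pressures)
        return coincidence([p < P11_SETPOINT_PSIG for p in pressures], 2)

    def request_block(self, pressures):
        """Operator block request; accepted only while P-11 is present."""
        if self.p11_present(pressures):
            self.blocked = True
        return self.blocked

    def actuate(self, pressures):
        """Return True when safety injection is demanded on low pressurizer pressure."""
        if not self.p11_present(pressures):
            self.blocked = False  # absence of P-11 defeats the block
        demand = coincidence([p < SI_LOW_PRESSURE_PSIG for p in pressures], 2)
        return demand and not self.blocked


def run_scenario():
    """Replay constructed channel readings (psig) and return (trace, final block state)."""
    si = LowPressurizerPressureSI()
    trace = [
        ("block requested at power", si.request_block([2235, 2236, 2234])),
        ("one channel fails low", si.actuate([2235, 0, 2234])),
        ("block requested below P-11", si.request_block([1990, 1985, 1995])),
        ("cooldown below trip setpoint", si.actuate([1800, 1790, 1810])),
        ("repressurized above P-11", si.actuate([2235, 2236, 2234])),
        ("depressurization, one channel stuck high", si.actuate([1800, 2300, 1790])),
    ]
    return trace, si.blocked


if __name__ == "__main__":
    for step, result in run_scenario()[0]:
        print(f"{step}: {result}")
```

The trace shows the block refused at power, honoured below P-11, and removed on repressurization, so a later depressurization still actuates with one channel stuck high.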

Table 7.3-4 Secondary System Accidents and Required Instrumentation: Minor Secondary System Pipe Break, Major Secondary System Pipe Break

Channel | Response Time (4) | Accuracy (1) | Range
Reactor Building Pressure (2) | 1.5 sec | +/- 1.75% of full scale | -5 to 15 psig
Steam Line Pressure (2) | 1.0 sec | +/- 2.25% of span | 0 to 1300 psig
Steam Line Differential Pressure | 1.0 sec | +/- 3.0% of span | 0 to 1200 psig
Steam Line Flow (2) | 2.0 sec | +/- 4.5% of maximum guaranteed flow over the pressure range of 700 to 1200 psig | 0 to 120% maximum calculated flow
Tavg (2) | 8.5 sec (3) | +/- 3.6°F | 530 to 63 °F
Pressurizer Pressure | 1.0 sec | +/- 1.75% of span | 1700 to 2500 psig

(1) See Section 7.1 for definition of ESFAS accuracy.

(2) Used for closing main steam line stop valves.

(3) RCS Tavg as measured at the resistance temperature detector output.

(4) That time interval from when the monitored parameter exceeds its ESF setpoint at the channel sensor until the channel bistable changes state.

Table 7.3-5 Primary System Accidents and Required Instrumentation: Ruptures in Small Pipes, Cracks in Large Pipes, Ruptures of Large Pipes, Steam Generator Tube Rupture

Channel | Response Time (3) | Accuracy (1) | Range
Pressurizer Pressure | 1.0 sec | +/- 1.75% of span | 1700 to 2500 psig
Reactor Building Pressure (2) | 1.5 sec | +/- 1.75% of span | -5 to 15 psig

(1) See Section 7.1 for definition of ESFAS accuracy.

(2) Not required for steam generator tube rupture.

(3) That time interval from when the monitored parameter exceeds its ESF setpoint at the channel sensor until the channel bistable changes state.

Table 7.3-6 Engineered Safety Feature Loading Sequence Control Panels, Degree of Conformance With Regulatory Guide 1.53 and IEEE-379-1972 (1)

Criteria | FSAR SECTION
Regulatory Guide 1.53 |
C.1, IEEE 379-1972 | See IEEE 379 comparison below
C.2, Continuity Checks | 7.3.2.2.5.9
C.3, Interconnections | 7.1.2.1.7, 7.1.2.1.8, 7.1.2.2, 7.3.2.2, 7.3.2.2.3, 7.3.2.2.7
C.4, Protection System Logic and Actuator System | 7.3.2.2.5.9, 7.3.2.3
IEEE 379-1972 |
3(1), Redundancy | 7.1.2.2, 7.3.1.1.3, 8.3.1.4
3(2), Detectability | 7.3.2.2.5.9
3(3), Nondetectability | None identified, NA
3(4), Multiple Faults | NA, included in 7.3.2.2.5.9
3(5), Completing Protective Functions | 7.3.2.2, 7.3.2.2.3, 8.3.1.4
3(6), DBE and Single Failure | 3.10, 3.11, 7.3.1.2.5
3(7), Operational Reliability | NA, included in design concept
5.1, Classification | NA, included in design concept
5.2, Undetectable Failures | NA, testing features are provided to detect all failures
5.3, Common Mode Failures | None identified, NA
6.1, General | 7.1.2.2, 7.3.1.1, 7.3.1.1.3, 7.3.1.1.5, 7.3.2.4
6.2, Channels | NA, included in design concept
6.3, Protection System Logic | NA, redundant logic is completely separate
6.4, Actuator Circuit | NA to this equipment
6.5, Type 2 and 3 Single Failure Analysis | 3.10, 3.11, 7.3.1.2.5, 7.3.2.3
6.6, Overall System - Failure Analysis | NA, no interconnection between control and protective systems for this equipment

(1) Formal analyses have not been provided. However, FSAR Sections referenced indicate compliance with the concept outlined in the criteria.

Table 7.3-7 Instrument and Control Data Cross References

Columns: Category | System | Reference: FSAR Sections | Related Drawings (1): FSAR Figure | Related Drawings (1): Drawing Number

Engineered Safety Engineered Safety Features 7.1.2.5, 7.1.2.6, 7.3.1.1, 7.2-1 Sh. 8 -

Features System Actuation System (ESFAS) 7.3.2.2.3, 7.3.2.2.5.5, 7.3.1 thru 7.3.3 -

7.3.2.2.6, 7.5.4 7.5-1 thru 7.5-6 -

Tables 7.3-1, 7.3-3

- B-208-066 B-208-094 B-208-103 D-2544-1013 7244D38 (1MS-42-017)

Reactor Building Heat Removal Reactor Building Ventilation 6.2.2.2.2.1, 6.2.2.2.2.2, 6.2-49 -

6.2.2.5.2.2, 7.1.2.6., 7.3.1.1, 7.3-1 -

7.3.1.1.6, 7.5.4, 9.2.1.5, - B-208-004 9.4.7.2.5 Sh AH273 thru AH276 Notes 3,6 - 8756D01 (1MS-51-221)

Reactor Building Spray System 6.2.2.2.1, 6.2.2.5.1.6, 7.1.2.6, 6.2-46 -

7.3.1.1, 7.3.1.1.6, 7.5.4 - B-208-005

- B-208-097 Notes 3,6 - 8756D01 (1MS-51-221)

Reactor Building Air 6.2.2.2.1, 6.2.2.5.1.6, 6.2.3, 6.2-46 -

Purification and Cleanup 7.3.1.1, 7.3.1.1.6, 7.5.4 - B-208-005

- B-208-097 Notes 3,6. - 8756D01 (1MS-51-221)

Engineered Safety Containment Isolation 6.2.4, 7.3.1.1, 7.5.4 6.2-52 -

Features System Tables 6.2-54, 7.3-2 Notes 3,6

Combustible Gas Control 6.2.4, 6.2.5, 7.3.3 6.2-54 -

Table 6.2-54 6.2-58 B-208-054 Containment Leakage 6.2.6, 6.2.6.1.5 6.2-59 -

Testing Note 7 6.2-60 -

Safety Injection System Isolation Valves - 6.2.4, 6.3.2.2.7, 6.3.5.5 6.3-1 Sh 2 B-208-095 Sh SI72 Accumulator N2 Supply 7.1.2.5, 6.3.2.11.1, 7.3.1.1, (8880) 7.5.4 Tables 7.3-1, 7.3-2, 7.3-3, 6.2-54 Notes 2, 3, 4, 6 Isolation Valves - 6.2.4, 6.3.2.2.7, 6.3.5.5, 6.3-1 Sh 2 B-208-095, Sh SI59, Accumulator Test 7.1.2.5, 6.3.2.11.1, 7.3.1.1, 7.5.4 SI76 (8871 & 8961)

Tables 7.3-1, 7.3-2, 7.3-3, 6.2-54, Notes 2, 3, 4, 6 Isolation Valves - 6.2.4, 6.3.2.2.7, 7.1.2.5, 6.3-1 Sh 2 B-208-095, Sh SI58 Accumulator Fill Line 6.3.2.11.1, 6.3.5.5, 7.3.1.1, (8860) 7.5.4 Tables 6.2-54, 7.3-1, 7.3-3 Notes 2, 3, 4, 6 Engineered Safety Sump Isolation Valves 6.2.4, 6.3.2.2.7, 6.3.5.5, 7.6-9 B-208-095, Sh SI-21, Features System (Recirc. following SI) 6.3.2.11.1, 7.6.7 22, 23, 24 8811A, B, & 8812A, B Tables 6.2-54, 7.3-1, 7.3-3 Note 3

Isolation Valves 6.2.4, 6.3.2.2.7, 6.3.5.5, 6.3-1 Sh 1 B-208-095 (8801A & B) 7.1.2.5, 6.3.2.11, 7.3.1.1 Sh SI09, 10, 11, 12 Tables 6.2-54, 7.3-1, 7.3-3, 6.3-7 Notes 2, 3, 5, 6 Isolation Valves - 6.3.2.2.7, 7.6.4, 6.3.2.11, 7.6-2 B-208-095, Accumulator 7.3.1.1, 6.3.2.15 Sh SI-16, 17, 18 (8808A, B, C)

Tables 7.3-1, 7.3-2, 7.3-3 Notes 2,3, 5 RHR/LO-HEAD SI Pump 6.3.2.2.7. 6.3.2.2.4.1, 6.3-1 Sh 3 B-208-084 7.1.2.5, 7.3.1.1, 7.3.1.1.6, 7.3-1 Sh RH-01, 02 6.3.2.11.1 Tables 7.3-1, 7.3-3, 8.3-3, 6.3-7 Notes 3, 5, 6 CENT. CHARGING/HI HEAD 6.3.2.2.4.2, 6.3.2.2.7, 6.3-1 Sh 3 B-208-021 SI Pump 7.1.2.5, 7.3.1.1.5, 7.3-1 Sh CS-04, 05, 6.3.2.11.1, 7.3.1.1 06, 07, 08 Tables 7.3-1, 7.3-3, 8.3-3, 6.3-7 Notes 3, 5, 6 Engineered Safety Habitability Systems 6.4, 6.4.1.5, 7.3.1.1 9.4-1 -

Features System 7.3.1.1.5 B-208-04, Note 6 Sh AH102 thru AH105

Fission Product Removal and Control Systems Reactor Building 6.2.2.2.2, 6.2.2.5.2, 6.2-49 -

Cooling Unit 6.5.1.3, 6.5.1.5.1, B-208-004, HEPA Filters 7.3.1.1, 7.5.4, Sh AH273 thru AH284 Notes 3, 6 Control Room 6.4, 6.4.1.5, 6.5.1.3, 6.5.1.5.2, 9.4-1 B-208-004, Emergency 7.3.1.1, 7.3.1.1.5, 9.4.1.2.1, - Sh AH102, AH103 Filter Plenums 9.4.1.3 Note 6 Fuel Handling 6.5.1.3, 6.5.1.5.3. 7.3-1 -

Building Charcoal 7.3.1.1, 7.3.1.1.5 9.4 -

Exhaust System 9.4.3.2.1, 9.4.3.3 - B-208-004 Notes 3, 6 Sh AH174, AH175 8576D01 (1MS-51-221)

Emergency Feedwater System 7.1, 7.3.1.1 7.3-1 -

7.3.1.1.5, 7.5.4, 10.4-16 -

10.4.9.2, 10.4.9.3 - B-208-032, 10.4.9.5 - 8576D01 (1MS-51-221)

Note 6

Engineered Safety Component Cooling Water 7.1, 7.1.2.6, 7.3.1.1, 7.3-1 -

Features Supporting System 7.3.1.1.5, 7.4, 7.5.4, 9.2-4 thru 9.2-7 -

Systems 9.2.2.1, 9.2.2.2, 9.2.2.3, - -

9.2.2.5, 11.4.2 - B-208-005 Note 3 B-208-011 Diesel Generator System 7.3.1.1, 7.4, 8.3.1.1.2 8.2-3 -

9.5.4.2, 9.5.4.3, 9.5.4.5 8.3-oh thru 8.3-oj -

9.5.5.3, 9.5.5.5, 9.5.6.1, 9.5-2 -

9.5.7.3, 9.5.7.5, 9.5.8.3 9.5-3 Notes 3, 6 9.5-4 9.5-6 9.5-7

- B-208-005

- B-208-023 Engineered Safety Service Water System 7.1, 7.1.2.6, 7.3.1.1 7.3-1 -

Features System 7.3.1.1.5, 7.4, 7.5.4 9.2-1 -

9.2.1.2, 9.2.1.3 9.2-2 (4 Sheets) -

9.2.1.5 - B-208-005 Note 3 - B-208-101

- 8756D01 (1MS-51-221)

Chilled Water System 7.1.2.6, 7.3.1.1, 7.3.2.2.5, 7.3-1 -

7.5.4, 9.4.7.2.4, 9.4.7.3 9.4-22 -

9.4-22 -

9.4-24 -

Note 3 - B-208-005

- B-208-109

- 8756D01 (1MS-51-221)

Engineered Safety Heating, Ventilating and Air Features System Conditioning Systems Auxiliary and Fuel 6.5.1.3, 6.5.1.5.3, 7.3.1.1, 7.3-1 -

Handling Building 7.3.1.1.5, 9.4.2.1, 9.4.2.2, 9.4-10 -

Ventilation Systems 9.4.2.3, 9.4.3.2, 9.4.3.3 9.4-11 -

Notes 3, 6 B-208-004

- Sh AH174, AH175 B-208-108,

- Sh VL05 thru VL09 8756D01 (1MS-51-221)

Control Building Ventilation 6.4, 6.4.1.5, 6.5.1.3, 9.4-1 -

Systems 6.5.1.5.2, 7.3.1.1, 9.4-2 -

7.3.1.1.5, 9.4.1.2, 9.4-3 -

9.4.1.3, 12.2.4.2.1 9.4-5 -

B-208-004, Sh AH102 Note 6 thru AH105, AH107, AH108, AH147, AH148 8756D01 (1MS-51-221)

Diesel Generator Building 7.3.1.1.5, 8.3.1.1.2.4, 9.4-18 B-208-004, Sh AH 164 Ventilation System 9.4.7.2.1, 9.4.7.3 - thru AH167 Notes 2, 3, 6

Engineered Safety Intermediate Building 7.3.1.1, 7.3.1.1.5, 9.4-15 thru -

Features System Ventilation 9.4.6.2, 9.4.6.3 9.4-17 -

System - B-208-004 Sh AH194 thru AH197 B-208-108 Sh VL18, VL19, VL22, VL24, VL26, VL27, VL30, VL31 8756D01 (1MS-51-221)

Reactor Building Ventilation 6.2.2.2.2.1, 6.2.2.2.2.2, 6.2-49 -

Systems 6.2.2.5.2.2, 7.1.2.6, 7.3-1 -

7.3.1.1, 7.3.1.1.5, 7.5.4, - -

9.2.1.5, 9.4.7.2.5, B-208-004 Sh AH273 thru AH276 Notes 3, 6 8756D01 (1MS-51-221)

Service Water Pumphouse 7.3.1.1.5, 9.4.7.2.2, 9.4-19 B-208-004 Sh AH326 Ventilation System 9.4.7.3 - thru AH331

- 8756D01 (1MS-51-221)

(1) FSAR figure numbers refer to figures in the FSAR; drawing numbers refer to drawings in the Wiring Schematic Package (see Section 1.7).

(2) Not sequenced.

(3) Not diverse.

(4) Solenoid valve is the actuation device.

(5) Motor Control Center is actuation device.

(6) No Interlocks or Bypasses are provided which would inhibit ESF actuation.

(7) The containment leakage testing system is not an Engineered Safety Features System or an essential Auxiliary Supporting System. The system includes only that equipment and instrumentation required to perform the initial and periodic containment leakage testing during plant shutdown. All penetrations through containment are capped during normal plant operation.

FSAR FIGURE REFERENCE: FIGURE 7.3-1, DRAWING D-203-203

Figure 7.3-2 TYPICAL ENGINEERED SAFETY FEATURES TEST CIRCUITS

Figure 7.3-3 ENGINEERED SAFETY FEATURES TEST CABINET-INDEX, NOTES AND LEGEND (Amendment 0, August 1984)

7.4 SYSTEMS REQUIRED FOR SAFE SHUTDOWN

The functions necessary for safe shutdown are available from instrumentation channels that are associated with the major systems in both the primary and secondary of the Nuclear Steam Supply System. These channels are normally aligned to serve a variety of operational functions, including startup and shutdown as well as protective functions. There are no identifiable safe shutdown systems per se. However, prescribed procedures for securing and maintaining the plant in a safe condition can be instituted by appropriate alignment of selected systems in the Nuclear Steam Supply System. The discussion of these systems together with the applicable codes, criteria and guidelines is found in other sections of this Final Safety Analysis Report. In addition, the alignment of shutdown functions associated with the engineered safety features which are invoked under postulated limiting fault situations is discussed in Chapter 6 and Section 7.3.

The instrumentation and control functions which are required to be aligned for maintaining safe shutdown of the reactor that are discussed in this section are the minimum number under nonaccident conditions. These functions will permit the necessary operations that will:

1. Prevent the reactor from achieving criticality in violation of the Technical Specifications and
2. Provide an adequate heat sink such that design and safety limits are not exceeded.

7.4.1 Description

The designation of systems that can be used for safe shutdown depends on identifying those systems which provide the following capabilities for maintaining a safe shutdown:

1. Boration (see Section 9.3.4, Chemical and Volume Control System).
2. Adequate supply for emergency feedwater (see Section 10.4.9, Emergency Feedwater System).
3. Residual heat removal (see Section 5.5.7, Residual Heat Removal System).

These systems are identified in the following lists together with the associated instrumentation and controls provisions. The monitoring indicators (Section 7.4.1.1) and controls (Section 7.4.1.2) identified are those necessary for maintaining a hot shutdown. The equipment and services available for a cold shutdown are identified in Section 7.4.1.4.

7.4.1.1 Monitoring Indicators

Safety related display instrumentation, as described in Section 7.5, is provided outside as well as inside the Control Room. The necessary indicators for maintaining a hot shutdown are as follows:

1. Water level indicator for each steam generator (1).
2. Pressure indicator for each steam generator (1).
3. Pressurizer water level indicator (1).
4. Pressurizer pressure indicator (1).

In addition, the following indicators are also provided:

1. Reactor Building temperature (1).
2. Volume control tank level (1).
3. Charging pressure and flow (1).
4. Emergency boration flow (1).
5. Condensate storage tank level (1).
6. Letdown flow (1).

7.4.1.2 Controls

7.4.1.2.1 General Considerations

1. The turbine is tripped. (Note that this can be accomplished at the turbine as well as in the Control Room.)
2. The reactor is tripped. (Note that this can be accomplished at the reactor trip switchgear as well as in the Control Room.)
3. All automatic systems continue functioning. (Discussed in Sections 7.2 and 7.7.)

(1) Indication is physically located on the Control Room Evacuation Panel (CREP).


4. For certain equipment having motor controls outside the Control Room (which duplicate the functions inside the Control Room) the controls are provided with a selector switch at the local station which transfers control of the switchgear from the Control Room to the local station(s). Placing the local selector switch in the local operating position will give an annunciating alarm in the Control Room. The transfer switches are designed so that after the transfer switch is in the local position, a failure in the Control Room or Cable Spreading Room does not cause a failure in the local control. Also, a failure in the local control circuit beyond the transfer switch does not cause a failure in the remote control circuit when the control is transferred there. The following equipment is provided with transfer switches:
a. Pressurizer heater backup group 1 (4) (see Section 5.5.10, Pressurizer).
b. Pressurizer heater backup group 2 (4) (see Section 5.5.10, Pressurizer).
c. Charging flow controller (setpoint station) (see Section 9.3.4, Chemical and Volume Control System).
d. Emergency borate valve (see Section 9.3.4, Chemical and Volume Control System).
e. Turbine driven emergency feedwater pump flow control valves (see Section 10.4.9, Emergency Feedwater System).
f. Motor driven emergency feedwater pump flow control valves (see Section 10.4.9, Emergency Feedwater System).
g. Letdown line isolation valves (see Section 9.3.4, Chemical and Volume Control System).
h. Letdown orifice A, B, and C isolation valves (see Section 9.3.4, Chemical and Volume Control System).
i. Steam supply valve to emergency feedwater pump turbine (see Section 10.4.9, Emergency Feedwater System).
j. NOT USED.
k. Service water pumps A and B (see Section 9.2.1, Service Water System).
l. Service water pump C (as part of A train and as part of B train) (see Section 9.2.1, Service Water System).
m. Boric acid transfer pump B (see Section 9.3.4, Chemical and Volume Control System).
n. Pressurizer power operated relief valves PCV445A and PCV444B (see Section 5.5.13, Safety and Relief Valves).

The backup heater groups are designed to be available during plant operations required to maintain hot shutdown or bring the plant to cold shutdown. However, this availability is not a mandatory requirement for maintaining hot shutdown or for bringing the plant to cold shutdown.

These switches are shown by Figures 7.4-1 through 7.4-2.

Use of the transfer switch removes the automatic actuation capability for the following components (such as motors):

a. Pressurizer heater backup group 1 (see Section 5.5.10, Pressurizer).
b. Pressurizer heater backup group 2 (see Section 5.5.10, Pressurizer).
c. Service water pumps (see Section 9.2.1, Service Water System).
d. Boric acid transfer pump B (see Section 9.3.4, Chemical and Volume Control System).
e. Pressurizer power operated relief valves PCV445A and PCV444B (see Section 5.5.13, Safety and Relief Valves).

Removal of this automatic actuation capability does not jeopardize plant safety, since no accident is postulated to occur concurrent with the need for this transfer.

5. Certain motor operated valves, such as for service water backup water supply to the Emergency Feedwater System (see Section 10.4.9, Emergency Feedwater System), will have their electrical operators disconnected and the valves will be positioned manually by disconnecting the main circuit breaker at the motor control center and operating the valve by means of the handwheel after depressing a lever in the direction marked Manual Control.
6. Certain pumps will be controlled from their motor switchgear mechanical switches. The ability to perform the shutdown function is not jeopardized by a failure in the Control Room or Cable Spreading Room since redundant equipment could be used. In the unlikely event that a failure in the Control Room or Cable Spreading Room short circuits the switchgear trip circuit, local operation of the switchgear (without control power) would isolate this fault.

Such operation can be accomplished as follows:

a. Remove both the closing and trip fuses to isolate d-c control voltage.
b. Manually close the circuit breaker utilizing operating mechanism located on the breaker.
c. Manually trip the circuit breaker utilizing operating mechanism located on the breaker.
7. Certain redundant equipment (air compressors, see Section 9.3.1, Compressed Air Systems); heating, ventilating and air conditioning chillers (see Section 9.4.7, Miscellaneous Building Ventilation and Cooling Systems); and diesel generators (see Sections 8.3.1.1.2, Onsite Standby Power Supply, and 9.5, Other Auxiliary Systems) have comprehensive local control cabinets with functionally parallel start/stop controls extended to the Control Room. The ability to perform the shutdown function is not jeopardized by a failure in the Control Room or Cable Spreading Room since redundant equipment could be used. In the unlikely event that a failure in the Control Room or Cable Spreading Room prevents local control of this equipment, isolation of the fault in parallel control circuits would require removal of the external control wires at the local control cabinets.

7.4.1.2.2 Pumps and Fans

1. Emergency feedwater pumps

In the event of a trip of all main feedwater pumps (see Section 10.4.7, Condensate and Feedwater Systems), feedwater pumps (see Section 10.4.9, Emergency Feedwater System) start automatically or can be started manually. Start/stop motor controls located locally (as well as being inside the Control Room) are provided as well as handwheel control for the valves.

2. Charging and boric acid transfer pumps

Start/stop control for both boric acid pumps is located in the Control Room. In addition, control for one pump is located at CREP.

The start/stop control for 3 charging pumps is located in the Control Room. In addition, controls for B pump and C pump aligned to B train are located at their respective switchgear. Also, all circuit breakers for the 3 pumps can be closed or tripped utilizing the operating mechanisms located on their respective breakers.

3. Service water pumps (2) (see Section 9.2.1, Service Water System).

Start/stop motor controls are located outside as well as inside the Control Room.

4. Component cooling water pumps (see Section 9.2.2, Component Cooling Water System).

The circuit breakers can be closed or tripped from operating mechanisms located on their respective breakers.

5. Instrument air compressors (see Section 9.3.1, Compressed Air Systems).

These compressors start automatically on low air pressure.

6. Reactor building cooling units (see Section 6.2.2, Reactor Building Heat Removal Systems).

Start/stop motor controls with a selector switch are provided for the fan motors. The controls are located outside as well as inside the Control Room.

7.4.1.2.3 Diesel Generators (see Section 8.3.1.1.2, Onsite Standby Power Supply, and 9.5, Other Auxiliary Systems)

These units start automatically following a loss of voltage on their respective buses. However, manual controls for diesel startup are also provided locally at the diesel generators (as well as inside the Control Room).

(2) Control and indication are physically located on the CREP

7.4.1.2.4 Valves and Heaters

1. Charging flow control valves(2) (see Section 9.3.4, Chemical and Volume Control System)

Remote manual control with a selector switch for the charging line flow control valves is provided outside, as well as inside, the Control Room. These controls duplicate functions that are available inside the Control Room.

2. Letdown orifice isolation valves(2) (see Section 9.3.4, Chemical and Volume Control System).

Open/close controls with a selector switch for the letdown orifice isolation valves are grouped with the controls for the charging flow control valve. These controls duplicate functions that are inside the Control Room.

3. Emergency feedwater control valves(2) (see Section 10.4.9, Emergency Feedwater System)

Controls for these valves are located outside as well as inside the Control Room.

4. Condenser steam dump and atmospheric steam relief valves (see Section 10.4.4, Turbine Bypass System)

The condenser steam dump and atmospheric relief valves are automatically controlled.

Manual control is provided locally as well as inside the Control Room for the atmospheric relief valves. Steam dump to the condenser is blocked on high condenser pressure.

5. Pressurizer heater control (2) (see Section 7.7.1.5, Pressurizer Pressure Control)

On/off control with selector switch is provided for 2 backup heater groups. The heater groups are connected to separate buses, such that each can be connected to separate diesels in the event of loss of outside power. The controls are grouped with the charging flow controls and duplicate functions that are available inside the Control Room.

7.4.1.3 Control Room Evacuation

The instrumentation and controls listed in Sections 7.4.1 and 7.4.1.2 that are used to achieve and maintain a safe shutdown are available in the event an evacuation of the Control Room is required. These controls and instrumentation channels together with the equipment identified in Section 7.4.1.4 identify the potential capability for cold shutdown of the reactor subsequent to a Control Room evacuation through the use of suitable procedures. Table 7.4-1 and Figures 7.4-1 through 7.4-2 address the local control stations and the relative locations of these control stations in the plant. The design basis for Control Room evacuation does not consider a concurrent Condition II, III, or IV event, nor a single failure.

Control Room evacuation resulting from a fire in the control complex and the ability to achieve safe shutdown concurrent with the fire is demonstrated in the Fire Protection (FP) DBD.

7.4.1.4 Equipment and Systems Available for Cold Shutdown

1. Reactor coolant pumps (see Section 5.5.1, Reactor Coolant Pumps).
2. Emergency feedwater pumps (see Section 10.4.9, Emergency Feedwater System).
3. Boric acid transfer pumps (see Section 9.3.4, Chemical and Volume Control System).
4. Charging pumps (see Section 9.3.4, Chemical and Volume Control System).
5. Service water pumps (see Section 9.2.1, Service Water System).
6. Reactor building fans (see Section 6.2.2, Reactor Building Heat Removal Systems, and Section 9.4.8, Reactor Building Cooling and Filtering Systems).
7. Component cooling water pumps (see Section 9.2.2, Component Cooling Water System).
8. Residual heat removal pumps (see Section 5.5.7, Residual Heat Removal System)(3).
9. Certain motor control center and switchgear Sections (see Section 8.3, Onsite Power Systems).
10. Controlled steam release and feedwater supply (see Sections 7.7.1.8, Steam Dump Control and 10.4.4, Turbine Bypass System).
11. Boration capability (see Section 9.3.4, Chemical and Volume Control System).

(3) Instrumentation and controls for these systems may require some modification in order that their functions may be performed from outside the Control Room. Note that the reactor plant design does not preclude attaining the cold shutdown condition from outside the Control Room. An assessment of plant conditions can be made on the long term basis (a week or more) to establish procedures for making the necessary physical modifications to instrumentation and control equipment in order to attain cold shutdown. During such time the plant could be safely maintained at hot shutdown condition.

Detailed procedures to be followed in effecting cold shutdown from outside the Control Room are best determined by plant personnel at the time of the postulated incident.

12. Nuclear Instrumentation System source and intermediate ranges (both ranges are provided remote from the Control Room, but only source range is independent of the Control Room) (see Sections 7.2, Reactor Trip System, and 7.7, Control Systems Not Required for Safety).

13. Reactor coolant inventory control (charging and letdown) (see Section 9.3.4, Chemical and Volume Control System).
14. Pressurizer pressure control including opening control for pressurizer relief valves (heaters and spray) (see Section 7.7.1.5, Pressurizer Pressure Control). (3)

In addition, the safety injection signal trip circuit must be defeated and the accumulator isolation valves closed (3) (see Sections 6.3, Emergency Core Cooling System, and 7.3, Engineered Safety Features Actuation System).

The Fire Protection (FP) DBD identifies Virgil Summer Nuclear Station's compliance used to achieve cold shutdown in the event of a fire in the plant.

7.4.2 Analysis

Hot shutdown is a stable plant condition, automatically reached following a plant shutdown. The hot shutdown condition can be maintained safely for an extended period of time. In the unlikely event that access to the Control Room is restricted, the plant can be safely kept at a hot shutdown until the Control Room can be re-entered by the use of the monitoring indicators and the controls listed in Sections 7.4.1.1 and 7.4.1.2. These indicators and controls are provided outside as well as inside the Control Room.

The safety evaluation of the maintenance of a shutdown with these systems and associated instrumentation and controls has included consideration of the accident consequences that might jeopardize safe shutdown conditions. The accident consequences that are germane are those that would tend to degrade the capabilities for boration, adequate supply for emergency feedwater, and residual heat removal.

The results of the accident analysis are presented in Chapter 15. Of these the following produce the most severe consequences that are pertinent:

1. Uncontrolled Boron Dilution.
2. Loss of Normal Feedwater.
3. Loss of External Electrical Load and/or Turbine Trip.
4. Loss of Offsite Power to the Station Auxiliaries.

It is shown by these analyses that safety is not adversely affected by these incidents with the associated assumptions being that the instrumentation and controls indicated in Sections 7.4.1.1 and 7.4.1.2 are available to control and/or monitor shutdown. These available systems will allow a maintenance of hot shutdown even under the accident conditions listed above which would tend toward a return to criticality or a loss of heat sink.

The results of the analysis which determined the applicability to the Nuclear Steam Supply System safe shutdown systems of the NRC General Design Criteria, IEEE Standard 279-1971, applicable NRC Regulatory Guides and other industry standards are presented in Table 7.1-1. The functions considered and listed below include both safety-related and nonsafety-related equipment.

1. Reactor Trip System (see Section 7.2, Reactor Trip System).
2. Engineered Safety Features Actuation System (see Section 7.3, Engineered Safety Features Actuation System).
3. Safety-related display instrumentation for post accident monitoring (see Section 7.5, Safety-Related Display Instrumentation).
4. Main control board (see Section 7.0, Instrumentation and Controls).
5. Control room evacuation panel (see Sections 7.4.1.1, Monitoring Indicators, and 7.4.1.2, Controls).
6. Residual heat removal (see Section 5.5.7, Residual Heat Removal System).
7. Instrument power supply (see Section 8.3, Onsite Power Systems).
8. Control systems (see Section 7.0, Instrumentation and Controls).

For the discussions addressing how these requirements are satisfied, the column in Table 7.1-1 entitled Conformance Discussed In provides the appropriate reference.

An analysis demonstrating the ability to achieve safe shutdown in the event of a fire is presented in the Fire Protection (FP) DBD.

7.4.2.1 Conformance to General Design Criterion 19

As noted in Section 7.4.1.3, equipment is provided outside the Control Room with a design capability for prompt hot shutdown of the reactor and for maintaining the unit in a safe condition during hot shutdown and with a potential capability for subsequent cold shutdown through the use of suitable procedures. For criteria relative to the control board in the Main Control Room, see Section 7.1.2.2.2.

7.4.2.2 Conformance to IEEE Standard 279-1971

The design basis information requested by Section 3 of IEEE Standard 279-1971 for protective action and pertaining to the signals for actuation of reactor trip is presented in Section 7.2.1.2.

The analyses for compliance to the criteria of IEEE Standard 279-1971 for the reactor trip are addressed in Section 7.2.2. The design basis information for protective action for the Engineered Safety Features Actuation System (ESFAS) is presented in Section 7.3.1.2 and the analyses for ESFAS are addressed in Section 7.3.2. For the list of references to the discussions of conformance to applicable criteria, see Tables 7.1-1 and 7.1-2.

7.4.3 Cross References

Table 7.4-2 provides cross references outlining appropriate sections that supply descriptions of initiating circuitry, logic, bypasses, interlocks, redundancy, diversity and actuated devices for systems required for safe shutdown.

Table 7.4-1 Summary of Control Stations

Equipment / Local Control Station                   Reference FSAR Figure No.  Plant Room No.

Residual Heat Removal Pumps
  XPN6020 (ESF sequencer)                           1.2-15                     36-11
  XPN6025 (ESF sequencer)                           1.2-15                     36-11
  XSW1DA1 Unit 6A                                   1.2-15                     63-01
  XSW1DB1 Unit 5D                                   1.2-6                      63-01

Pressurizer Relief Valves
  XPN7031 (Aux. relay rack No. 1)                   1.2-15                     36-11
  XPN7032 (Aux. relay rack No. 2)                   1.2-15                     36-11
  XPN7200A                                          1.2-12                     36-03A
  XPN7200B                                          1.2-12                     36-03

Pressurizer Relief Valve Isolation Valves
  XMC1DA2X                                          1.2-13                     63-01
  XMC1DB2X                                          1.2-12                     36-01

Pressurizer Heater Control Group
  APN4103 (Pressurizer controller)                  1.2-5                      36-18
  XPN7008 (Process cabinet)                         1.2-15                     36-11
  XSW1C Unit 2                                      1.2-18                     12-01

Diesel Generators
  XCX5201 control cabinet                           1.2-12                     36-04
  XCX5202 control cabinet                           1.2-12                     36-03

Charging Flow Control Valves
  XPN7200A                                          1.2-12                     36-03A

Letdown Orifice Isolation Valves
  XPN7200A                                          1.2-12                     36-03A
  XPN7200B                                          1.2-12                     36-03

Emergency Feedwater Control Valves
  XPN7200A                                          1.2-12                     36-03A
  XPN7200B                                          1.2-12                     36-03

Condenser Steam Dump and Atmospheric Relief Valves
  XPN6001 (BOP panel)                               1.2-15                     36-11
  XPN6002 (BOP panel)                               1.2-15                     36-11
  XPN7003 (Aux. relay rack)                         1.2-15                     36-11
  XPN7034 (Aux. cabinet)                            1.2-15                     36-11
  XPN7035 (Aux. cabinet)                            1.2-15                     36-11
  XPN7115 (Termination cabinet)                     1.2-16                     48-02

Safety Injection Accumulator Isolation Valves
  XMC1DA2X Unit 8AE                                 1.2-13                     63-01
  XMC1DA2X Unit 8FJ                                 1.2-13                     63-01
  XMC1DB2X Unit 16IM                                1.2-6                      63-01

Emergency Feedwater Pumps
  XPN7200B                                          1.2-12                     36-03
  XSW1DA Unit 13                                    1.2-13                     63-01
  XSW1DB Unit 03                                    1.2-12                     36-01

Charging and Boric Acid Transfer Pumps
  XPN7200B                                          1.2-12                     36-03
  XMC1DA2Y Unit 4CD                                 1.2-4                      12-28
  XMC1DB2Y Unit 10GH                                1.2-6                      63-01
  XMC1A3X Unit 6HJ                                  1.2-6                      63-14
  XMC1B3X Unit 6IK                                  1.2-6                      63-09

Service Water Pumps
  XPN7200A                                          1.2-12                     36-03A
  XPN7200B                                          1.2-12                     36-03

Component Cooling Water Pumps
  XSW1DA Unit 8                                     1.2-13                     63-01
  XSW1DB Unit 13                                    1.2-12                     36-01

Instrument Air Compressors
  XPN7202                                           1.2-18                     12-03
  XPN7203                                           1.2-18                     12-03

Reactor Building Cooling Units
  XSW1DA1                                           1.2-13                     63-01
  XSW1DB1                                           1.2-6                      63-01

Pressurizer Heater Backup Group 1
  APN4101 (Pressurizer Controller)                  1.2-5                      36-18
  XPN7031 (Aux. relay rack No. 1)                   1.2-15                     36-11
  XPN7200A                                          1.2-12                     36-03A
  XSW1DA Unit 2                                     1.2-13                     63-01

Pressurizer Heater Backup Group 2
  APN4102 (Pressurizer controller)                  1.2-5                      36-18
  XPN7032 (Aux. relay rack No. 2)                   1.2-15                     36-11
  XPN7200B                                          1.2-12                     36-03
  XSW1DB Unit 5                                     1.2-12                     36-01

Pressurizer Spray Valve
  XPN7008 (Process cabinet)                         1.2-15                     36-11

Nuclear Instrumentation System - Source and Intermediate Range
  XPN7051 (Computer)                                1.2-15                     36-10
  XPN7113 (Main control board termination cabinet)  1.2-16                     48-02
  XPN7200A                                          1.2-12                     36-03A

Safety Injection Trip Circuit
  XPN7010 (Solid state protection)                  1.2-15                     36-11
  XPN7020 (Solid state protection)                  1.2-15                     36-11
  XPN7180 (Main control board termination cabinet)  1.2-16                     48-02

Service Water to Emergency Feedwater System Valves
  XMC1DA2X Unit 4 EH                                1.2-13                     63-01
  XMC1DA2X Unit 4 IL                                1.2-13                     63-01
  XMC1DA2X Unit 12 AD                               1.2-13                     63-01
  XMC1DB2X Unit 3 AD                                1.2-12                     36-01
  XMC1DB2X Unit 3 EH                                1.2-12                     36-01
  XMC1DB2X Unit 7 EH                                1.2-12                     36-01

Reactor Coolant System to Residual Heat Removal System Suction Valves
  XMC1DA2X Unit 7 FJ                                1.2-13                     63-01
  XMC1DA2Y Unit 18 IM                               1.2-4                      12-28
  XMC1DB2Y Unit 4 AE                                1.2-6                      63-01
  XMC1DB2Y Unit 4 FJ                                1.2-6                      63-01

Borated Water to Charging Pump Valves
  XMC1DA2Y Unit 2 AD                                1.2-4                      12-28
  XMC1DB2Y Unit 9 EH                                1.2-6                      63-01
  XMC1DB2Y Unit 21 EH                               1.2-6                      63-01

Service Water Booster Pumps
  XSW1DA1 Unit 7A                                   1.2-13                     63-01
  XSW1DB1 Unit 5A                                   1.2-6                      63-01

Cooling Water Valves to Reactor Building Cooling Units
  XMC1DA2X Unit 12 IM                               1.2-13                     63-01
  XMC1DA2X Unit 13 AD                               1.2-13                     63-01
  XMC1DA2X Unit 13 EH                               1.2-13                     63-01
  XMC1DA2X Unit 14 EH                               1.2-13                     63-01
  XMC1DA2Y Unit 16 EH                               1.2-4                      12-28
  XMC1DB2X Unit 18 EH                               1.2-6                      63-01
  XMC1DB2Y Unit 19 AD                               1.2-6                      63-01
  XMC1DB2Y Unit 19 EH                               1.2-6                      63-01
  XMC1DB2Y Unit 20 EH                               1.2-6                      63-01
  XMC1DB2Y Unit 22 IM                               1.2-6                      63-01

Chillers
  XSW1DA1 Unit 7B                                   1.2-13                     63-01
  XSW1DA1 Unit 7C                                   1.2-13                     63-01
  XSW1DB1 Unit 6A                                   1.2-6                      63-01
  XSW1DB1 Unit 7A                                   1.2-6                      63-01

Diesel Generator Fuel Oil Transfer Pumps
  XMC1DA2Z Unit 1 CD                                1.2-12                     36-01
  XMC1DB2Z Unit 1 CD                                1.2-12                     36-02

HVAC System Fans
  XMC1DA2X Unit 2 AB                                1.2-13                     63-01
  XMC1DA2X Unit 2 CD                                1.2-13                     63-01
  XMC1DA2X Unit 2 EF                                1.2-13                     63-01
  XMC1DA2X Unit 9 IJ                                1.2-13                     63-01
  XMC1DA2X Unit 10 EF                               1.2-13                     63-01
  XMC1DA2X Unit 11 EF                               1.2-13                     63-01
  XMC1DA2X Unit 15 IJ                               1.2-13                     63-01
  XMC1DA2Y Unit 7 AB                                1.2-4                      12-28
  XMC1DA2Y Unit 7 CD                                1.2-4                      12-28
  XMC1DA2Y Unit 14 JK                               1.2-4                      12-28
  XMC1DA2Z Unit 4 GI                                1.2-12                     36-01
  XMC1DA2Z Unit 4 JL                                1.2-12                     36-01
  XMC1DB2X Unit 2 IJ                                1.2-12                     36-01
  XMC1DB2X Unit 3 IJ                                1.2-12                     36-01
  XMC1DB2X Unit 6 CD                                1.2-12                     36-01
  XMC1DB2Y Unit 4 IJ                                1.2-6                      63-01
  XMC1DB2Y Unit 5 IJ                                1.2-6                      63-01
  XMC1DB2Y Unit 12 GH                               1.2-6                      63-01
  XMC1DB2Y Unit 20 AB                               1.2-6                      63-01
  XMC1DB2Y Unit 20 CD                               1.2-6                      63-01
  XMC1DB2Y Unit 23 KL                               1.2-6                      63-01
  XMC1DB2Y Unit 24 CD                               1.2-6                      63-01
  XMC1DB2Z Unit 3 AC                                1.2-12                     36-02
  XMC1DB2Z Unit 3 DF                                1.2-12                     36-02
  XMC1EA1X Unit 1 GI                                1.2-24                     25-05
  XMC1EB1X Unit 4 JK                                1.2-24                     41-01
  XPN0040 (Motor Control Panel)                     1.2-3                      88-13NE

Table 7.4-2 Instrument and Control Data Cross References

Each entry lists the Reference FSAR Sections and the Related Drawings (1): FSAR Figure and Drawing Number.

Category: Systems Required for Safe Shutdown

Component Cooling Water System
  FSAR Sections: 7.4, 7.1.2.6, 7.3.1.1, 7.3.1.1.5, 7.4, 7.5.4, 9.2.2.1, 9.2.2.2, 9.2.2.3, 9.2.2.5, 11.4.2; Note 3
  FSAR Figure: 7.3-1, 9.2-4 thru 9.2-7
  Drawing Number: B-208-005, B-208-011

Diesel Generator Systems
  FSAR Sections: 7.3.1.1, 7.4, 8.3.1.1.2, 9.5.4.2, 9.5.4.3, 9.5.4.5, 9.5.5.3, 9.5.5.5, 9.5.6.1, 9.5.7.3, 9.5.7.5, 9.5.8.3; Notes 3, 6
  FSAR Figure: 8.2-3, 8.3-0h thru 8.3-0j, 9.5-2, 9.5.3, 9.5-4, 9.5-6, 9.5-7
  Drawing Number: B-208-005, B-208-023

Emergency Feedwater System
  FSAR Sections: 7.1, 7.3.1.1, 7.3.1.1.5, 7.5.4, 10.4.9.2, 10.4.9.3, 10.4.9.5; Note 6
  FSAR Figure: 7.3-1, 10.4-16
  Drawing Number: B-208-032, 8756D01 (1MS-51-221)

Service Water System
  FSAR Sections: 7.1, 7.1.2.6, 7.3.1.1, 7.3.1.1.5, 7.4, 7.5.4, 9.2.1.2, 9.2.1.3, 9.2.1.5; Note 3
  FSAR Figure: 7.3-1, 9.2-1, 9.2-2 (4 Sheets)
  Drawing Number: B-208-005, B-208-101, 8756D01 (1MS-51-221)

Chilled Water System
  FSAR Sections: 7.1.2.6, 7.3.1.1, 7.3.1.1.5, 7.5.4, 9.4.7.2.4, 9.4.7.3
  FSAR Figure: 7.3-1, 9.4-22, 9.4-23, 9.4-24
  Drawing Number: B-208-005, B-208-109, 8756D01 (1MS-51-221)

Main Steam System
  FSAR Sections: 6.2.4, 7.3.1.1, 7.5.4, 7.7.1.8, 10.3, 10.3.2.3, 10.4.9.2, 10.4.4.2; Table 6.2-54; Note 7
  FSAR Figure: 10.3-1, 10.4-3, 10.4-4
  Drawing Number: B-208-063, B-208-067, 108D932, 8756D01 (1MS-51-221)

Heating Ventilation and Air Conditioning Systems

  Auxiliary and Fuel Handling Building Ventilation Systems
    FSAR Sections: 6.5.1.3, 6.5.1.5.3, 7.3.1.1, 7.3.1.1.5, 9.4.2.1, 9.4.2.2, 9.4.2.3, 9.4.3.2, 9.4.3.3; Notes 3, 6
    FSAR Figure: 7.3-1, 9-4-10, 9.4-11
    Drawing Number: B-208-004, Sh AH174, AH175; B-208-108, Sh VL05 thru VL09; 8756D01 (1MS-51-221)

  Control Building Ventilation Systems
    FSAR Sections: 6.4, 6.4.1.5, 6.5.1.3, 6.5.1.5.2, 7.3.1.1, 7.3.1.1.5, 9.4.1.2, 9.4.1.3, 12.2.4.2.1; Note 6
    FSAR Figure: 9.4-1, 9.4-2, 9.4-3, 9.4-5
    Drawing Number: B-208-004, Sh AH102 thru AH105, AH107, AH108, AH147, AH148; 8756D01 (1MS-51-221)

  Diesel Generator Building Ventilation System
    FSAR Sections: 7.3.1.1.5, 8.3.1.1.2.4, 9.4.7.2.1, 9.4.7.3; Notes 3, 6
    FSAR Figure: 9.4-18
    Drawing Number: B-208-004, Sh AH164 thru AH167

  Intermediate Building Ventilation System
    FSAR Sections: 7.3.1.1, 7.3.1.1.5, 9.4.6.2, 9.4.6.3
    FSAR Figure: 9.4-15 thru 9.4-17
    Drawing Number: B-208-004, Sh AH194 thru AH197; B-208-108, Sh VL18, VL19, VL22, VL24, VL26, VL27, VL30, VL31; 8756D01 (1MS-51-221)

  Reactor Building Ventilation System
    FSAR Sections: 6.2.2.2.2.1, 6.2.2.2.2.2, 6.2.2.5.2.2, 7.1.2.6, 7.3.1.1, 7.3.1.1.5, 7.5.4, 9.2.1.5, 9.4.7.2.5; Notes 3, 6
    FSAR Figure: 6.2-49, 7.3-1
    Drawing Number: B-208-004, Sh AH273 thru AH276; 8756D01 (1MS-51-221)

  Service Water Pumphouse Ventilation System
    FSAR Sections: 7.3.1.1.5, 9.4.7.2.2, 9.4.7.3
    FSAR Figure: 9.4-19
    Drawing Number: B-208-004, Sh AH326 thru 331; 8756D01 (1MS-51-221)

Boric Acid Transfer Pumps
  FSAR Sections: 7.4.1.2.2, 9.3.4.2.3, 9.3.4.2.5.3; Tables 9.3-5, 7.1-2; Notes 3, 4
  FSAR Figure: 9.3-16 Sh 15
  Drawing Number: B-208-021 Sh CS-01

CREP Monitoring Indicators
  FSAR Sections: 7.4.1.1; Table 7.1-2; Notes 2, 3, 5
  FSAR Figure: 7.2-1 Sh 11, and 13
  Drawing Number: -

Charging Pumps
  FSAR Sections: 6.3.2.2.4.2, 6.3.2.2.7, 6.3.2.11.1, 7.1.2.5, 7.3.1.1, 7.3.1.1.5; Tables 6.3-7, 7.3-1, 7.3-3, 8.3-3, 6.3-7; Note 3
  FSAR Figure: 6.3-1 Sh 1, 7.3-1
  Drawing Number: B-208-021 Sh CS-04 thru 08

(1) FSAR figure numbers refer to figures in the FSAR; drawing numbers refer to drawings in the Wiring Schematic Package (see Section 1.7).

(2) Not redundant.

(3) Not diverse.

(4) Motor control center is the actuation device.

(5) Indicators are the actuation device.

(6) No interlocks or bypasses are provided which would inhibit ESF actuation.

(7) The Main Steam System components required for safe shutdown include only the main steam isolation valves, and valves that emit steam to the turbine driven emergency feedwater pump. The steam generator power operated relief valves are safety class, seismic, air operated, fail closed valves. The valves can be manually opened if required for safe shutdown.

Figure 7.4-1 - FSAR Figure Reference, Drawing C-809-202

Figure 7.4-1, Sheet 2 - (Deleted per RN 99-074)

Figure 7.4-1, Sheet 3 - (Deleted per RN 99-074)

Figure 7.4-2, Rev. 2 - Control Room Evacuation Panel (XPN-7200-CE (A&B)), Identification of Devices (Item, Device, Description). South Carolina Electric & Gas Co., Virgil C. Summer Nuclear Station.

7.5 SAFETY RELATED DISPLAY INSTRUMENTATION

7.5.1 Description

Regulatory Guide 1.97, Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident, provides guidance for selection of readouts to monitor plant variables and systems during and following a design basis event. For VCSNS, the post-accident monitoring instrumentation provides readouts to the operator to enable him to perform manual safety functions and to determine the effect of manual actions taken following a reactor trip due to a Condition II, III, or IV event, as defined in Chapter 15. Regulatory Guide 1.97 instrumentation includes the readouts required to maintain the plant in a hot shutdown condition or to proceed to cold shutdown within the limits of the Technical Specifications. Reactivity control after Condition II and III faults will be maintained by administrative sampling of the reactor coolant for boron to ensure that the concentration is sufficient to maintain the reactor subcritical. Additional details are provided in Reference 1.

Table 7.5-2 lists the information available to the operator in addition to Regulatory Guide 1.97 instrumentation for monitoring conditions in the reactor, the Reactor Coolant System, and in the Reactor Building and process systems throughout all normal operating conditions of the plant, including anticipated operational occurrences.

7.5.2 Analysis

This section deleted by Amendment No. 94-08 in October, 1994.

7.5.3 Design Criteria

This section deleted by Amendment No. 94-08 in October, 1994.

7.5.4 ESF Monitor Lights

Certain pumps and valves, which are an integral part of or which are associated with the engineered safety features systems (used for safety injection, Reactor Building spray, and recirculation) are equipped with ESF monitor lights. These bright/dim lights are displayed on the main control board within easy view of the operator. When the plant is in normal full power operation, the ESF monitor lights should generally be dim. These lights change to the bright condition when the component monitored changes to an off-normal operating mode. In addition to the ESF monitor lights, certain valves have an annunciator which indicates a change to an off-normal operating mode and actuates an alarm.

The ESF monitor lights are arranged on the main control board as shown by Figures 7.5-1 through 7.5-6 to permit the operator to discover easily a component that is in an off-normal operating mode. These figures also outline the components monitored. Elementary diagrams (GAI Dwg. B-208-066), submitted separately in the Wiring Schematic Package and listed in Table 1.7-1, outline the specific components included.

The ESF monitor lights provide supplemental information with regard to the status of ESF components.

7.5.5 Inadequate Core Cooling

The inadequate core cooling instrumentation includes the Incore Temperature Monitoring System, the core subcooling monitors, and the Reactor Vessel Level Instrumentation System (RVLIS). These systems meet the requirements of NUREG-0737 item II.F.2 for inadequate core cooling instrumentation. They are also used to provide Post Accident Monitoring Information in compliance with Regulatory Guide 1.97, Rev. 3. See Section 7.5.1.

The Incore Temperature Monitoring system is designed to provide rapid monitoring of fuel assembly outlet temperatures and to verify that the core is being adequately cooled during and after an accident. The Incore Temperature Monitoring System consists of 51 thermocouples positioned in the reactor vessel above the core to measure reactor coolant temperature at the fuel assembly outlets. After the thermocouple leads exit the reactor vessel head the circuits are divided into two electrical trains and separately routed out of the containment, through separate thermocouple penetrations, to two separate thermocouple transmitter/isolator cabinets. Outputs from the cabinets are connected to the plant computer system and Technical Support Center computer and core subcooling monitoring system. Plant computer system displays and SPDS displays, via the Technical Support Center computer, of core exit thermocouple readings are provided in the Control Room.

The core subcooling monitoring system is designed to provide information to plant personnel concerning the status of reactor core heat removal capability. This information includes a continuous display of the saturation margin to provide an early warning that core conditions are approaching saturation. Two separate core subcooling monitoring system microprocessors calculate the RCS saturation margin based on independent wide range RCS pressure input and RCS temperature inputs and display the results on four main control board analog indicators (two per channel). Temperature inputs are from both hot and cold leg wide range RTDs and Incore Temperature Monitoring System thermocouples (two per core quadrant). Only the two indicators utilizing incore thermocouple inputs are used for Post-Accident Regulatory Guide 1.97 monitoring functions.

RVLIS provides an indication of the water level in the reactor vessel when the reactor coolant pumps are not running and the relative void content of the reactor coolant when one or more of the reactor coolant pumps is running. RVLIS provides an anticipatory and unambiguous indication of an inadequate core cooling situation. The system consists of two redundant trains of instrumentation to provide three main control board indications of reactor vessel level. The indicated levels are: 1) reactor vessel upper range (water level above the penetration top of the hot leg pipe when no reactor coolant pumps are running); 2) reactor vessel full range (level from the bottom to the top of the reactor vessel when no reactor coolant pumps are operating); and 3) reactor vessel dynamic range (a measurement of the reactor core and internals pressure drop when reactor coolant pumps are operating which provides means to estimate the relative void content of the circulating fluid).

7.5.6 References

1. Virgil C. Summer Nuclear Station, Summary Report on Regulatory Guide 1.97, Revision 3, Post Accident Monitoring System; Enclosure II to SCE&G letter to USNRC dated April 15, 1985, Subject: Generic Letter 82-33, Emergency Response Capability Supplement 1 to NUREG-0737.

Table 7.5-2 Control Room Indicators and/or Recorders Available to the Operator to Monitor Significant Plant Parameters During Normal Operation

Each parameter lists: No. of Channels Available; Indicated Range; Indicator Accuracy (1); Indicator / Recorder; Location; Notes.

NUCLEAR INSTRUMENTATION

1. Source Range

a. Count rate
   No. of Channels Available: 2
   Indicated Range: 1 to 10^6 counts/sec; -0.5 to 5.0 decades/min
   Indicator Accuracy (1): +/- 5.3% of the linear full scale analog voltage
   Indicator / Recorder: Both channels indicated. Either may be selected for recording.
   Location: Control board
   Notes: One recorder is used to record any of the 8 nuclear channels (2 source range, 2 intermediate range, and 4 power range).

b. Startup rate
   No. of Channels Available: 2
   Indicated Range: -0.5 to 5.0 decades/min
   Indicator Accuracy (1): +/- 7% of the linear full scale analog voltage
   Indicator / Recorder: Both channels indicated
   Location: Control board

2. Power Range

a. Uncalibrated ion chamber current (top and bottom uncompensated ion chambers)
   No. of Channels Available: 4
   Indicated Range: 0 to 120% of full power current
   Indicator Accuracy (1): +/- 1% of full power current
   Indicator / Recorder: All 8 current signals indicated.
   Location: NIS racks in control room

b. Calibrated ion chamber current (top and bottom uncompensated ion chambers)
   No. of Channels Available: 4
   Indicated Range: 0 to 125% of full power current
   Indicator Accuracy (1): +/- 2% of full power current
   Indicator / Recorder: All 8 current signals recorded (four recorders). Recorder 1 - upper currents for two diagonally opposed detectors. Recorder 2 - upper currents for remaining detectors. Recorder 3 - lower currents for two diagonally opposed detectors. Recorder 4 - lower currents for remaining detectors.
   Location: Control board

c. Upper and lower ion chamber current difference
   No. of Channels Available: 4
   Indicated Range: -30 to +30%
   Indicator Accuracy (1): +/- 3% of full power current
   Indicator / Recorder: Diagonally opposed channels may be selected for recording at the same time using recorder in Item 1.
   Location: Control board

d. Average flux of the top and bottom ion chamber
   No. of Channels Available: 4
   Indicated Range: 0 to 120% of full power
   Indicator Accuracy (1): +/- 3% of full power for indication. +/- 2% for recording
   Indicator / Recorder: All 4 channels indicated. Any 2 of the four channels may be recorded using recorder in Item 1 above
   Location: Control board

e. Average flux of the top and bottom ion chambers
   No. of Channels Available: 4
   Indicated Range: 0 to 200% of full power
   Indicator Accuracy (1): +/- 2% of full power to 120%; +/- 6% of full power to 200%
   Indicator / Recorder: All 4 channels recorded
   Location: Control board

f. Flux difference of the top and bottom ion chambers
   No. of Channels Available: 4
   Indicated Range: -30 to +30%
   Indicator Accuracy (1): +/- 4%
   Indicator / Recorder: All 4 channels indicated.
   Location: Control board

REACTOR CONTROL SYSTEM

1. Taverage (measured)
   No. of Channels Available: 1/loop
   Indicated Range: 530 to 350°F
   Indicator Accuracy (1): +/- 4% F
   Indicator / Recorder: All channels indicated.
   Location: Control board

2. Overpower T Setpoint
   No. of Channels Available: 1/loop
   Indicated Range: 0 to 150% of full power T
   Indicator Accuracy (1): +/- 4% of full power T
   Indicator / Recorder: All channels indicated. One channel is selected for recording.
   Location: Control board

3. Overpower T Setpoint
   No. of Channels Available: 1/loop
   Indicated Range: 0 to 150% of full power T
   Indicator Accuracy (1): +/- 4% of full power T
   Indicator / Recorder: All channels indicated. One channel is selected for recording.
   Location: Control board

4. Overtemperature T Setpoint
   No. of Channels Available: 1/loop
   Indicated Range: 0 to 150% of full power T
   Indicator Accuracy (1): +/- 4% of full power T
   Indicator / Recorder: All channels indicated. One channel is selected for recording.
   Location: Control board

5. Primary Coolant Flow
   No. of Channels Available: 3/Loop
   Indicated Range: 0 to 120% of rated flow
   Indicator Accuracy (1): Repeatability of +/- 4.5% of full flow
   Indicator / Recorder: All channels indicated.
   Location: Control board

REACTOR CONTROL SYSTEM (Continued)

1. Demanded Rod Speed
   No. of Channels Available: 1
   Indicated Range: 0 to 100% of rated speed
   Indicator Accuracy (1): +/- 2%
   Indicator / Recorder: The one channel is indicated.
   Location: Control board
2. Median Tavg 1 530 to 350°F +/- 40°F The one channel Control board is recorded.
3. Treference 1 540 to 5080°F +/- 40°F The one channel Control board is recorded.
4. Control rod Position If system not available, borate and sample accordingly.
a. Number of steps of 1/group 0 to 230 steps +/- 1 step Each group is Control board These signals are used VC SUMMER FSAR demanded rod indicated during in conjunction with the withdrawal rod motion. measured position signals (Item 4c) to detect deviation of any individual rod from the demanded position. A deviation will actuate an alarm and annunciator.
b. Demanded position of 1 0 to 230 steps +/- 1 step The bank is Control board the part length rod bank indicated during rod motion.

7.5-8

Table 7.5-2 (continued)

Revision 22--Updated Online 05/27/22 Control Room Indicators and/or Recorders Available to the Operator to Monitor Significant Plant Parameters During Normal Operation No. of Channels Indicated, Indicator /

Parameter Available Range Accuracy (1) Recorder Location Notes REACTOR CONTROL SYSTEM (Continued)

5. Control rod Bank 4 0 to 230 steps +/- 2.5% of total All 4 control rod Control board 1. One channel for each Demanded Position bank travel bank positions are control bank.

recorded along with 2. An alarm and the low-low limit annunciator is actuated alarm for each bank. when the last rod control bank to be withdrawn reaches the withdrawal limit, when any rod control bank reaches the low-low insertion limit.

FEEDWATER AND STEAM SYSTEMS VC SUMMER FSAR

1. Programmed Steam 1/steam 0 to 100% of span +/- 4% All channels Control board Generator Level Signal generator indicated.
2. Steam Flow 2/steam 0 to 120% of max. +/- 5.5% All channels Control board Accuracy is equipment generator calculated flow indicated. The capability; however, channels used for absolute accuracy control are depends on applicant recorded. calibration against flow.

7.5-9

Table 7.5-2 (continued)

Revision 22--Updated Online 05/27/22 Control Room Indicators and/or Recorders Available to the Operator to Monitor Significant Plant Parameters During Normal Operation No. of Channels Indicated, Indicator /

Parameter Available Range Accuracy (1) Recorder Location Notes FEEDWATER AND STEAM SYSTEMS (Continued)

3. Steam Dump Modulate 1 0 to 85% max. +/- 1.5%d The one channel is Control board OPEN/SHUT Signal calculated steam indicate indication is provided flow in the control room for each steam dump valve.
4. Turbine First Stage 2 0 to 120% of max. +/- 3.5% Both channels Control board OPEN/SHUT Pressure calculated turbine indicated. indication is provided load in the control room for each turbine stop valve.

COMPONENT COOLING WATER SYSTEM

1. Reactor Coolant Pump 2 0 to 500 gpm +/- 5.0% of Both channels Control board Upper and Lower Bearing calibrated span indicated.

Cooling Water Flow VC SUMMER FSAR

2. Reactor Coolant Pump 2 0 to 150 gpm +/- 5.0% of Both channels Control board Thermal Barrier Cooling calibrated span indicated.

Water Flow (1) Includes channel accuracy and environmental effects.

7.5-10

Figure 7.5-1: FSAR FIGURE REFERENCE, DRAWING B-804-660

Figure 7.5-2: FSAR FIGURE REFERENCE, DRAWING B-804-661

Figure 7.5-3: FSAR FIGURE REFERENCE, DRAWING B-804-662

Figure 7.5-4: FSAR FIGURE REFERENCE, DRAWING B-804-663

Figure 7.5-5: WESTINGHOUSE SAFETY INJECTION GROUPS (1-3) ESF MONITOR LIGHTS (GAI DWG. B-804-664)

7.6 ALL OTHER SYSTEMS REQUIRED FOR SAFETY

7.6.1 Instrumentation and Control Power Supply System

7.6.1.1 Description

The following is a description of the Instrumentation and Control Power Supply System:

1. Refer to Figures 8.3-1, 8.3-2, 8.3-2aa, and 8.3-2ab for a single line diagram of the Instrumentation and Control Power Supply System.
2. There are 4 inverters and 6 distribution panels. Four (4) normally operating inverters are connected to 4 distribution panels. The remaining 2 panels are branch loads of the same channelized distribution panel.
3. The inverters provide a source of 120 volt 60 Hz power for the operation of the Nuclear Steam Supply System instrumentation. This power is derived from the 480 volt a-c, 3ø, 60 Hz distribution system Class 1E power supply, or the station batteries which assure continued operation of instrumentation systems in the event of loss of offsite power.
4. Each of the 4 distribution panels fed from the 4 normally operating inverters may be connected to a backup regulated source of 120 volt Class 1E a-c power. The tie is through an automatic static transfer switch or through a manual bypass switch such that the distribution panel cannot be connected to both sources simultaneously.

7.6.1.2 Analysis

There are 2 independent 480 volt a-c power sources, each serving 2 inverters. Therefore, loss of either of the two 480 volt a-c power sources affects only 2 of the 4 inverters.

There are 2 independent Class 1E batteries and battery chargers. Each battery is attached to a bus serving 2 inverters.

There is a third battery charger provided, which serves as a standby charger. This charger is provided for use during maintenance of, and as backup to, the normal battery chargers. The standby charger has mechanically interlocked circuit breakers on the a-c input and d-c output such that only the 2 circuit breakers associated with Channel A or the 2 circuit breakers associated with Channel B can close at one time.

Since not more than 2 inverters are connected to the same bus, a loss of a single bus can only affect 2 of the 4 inverters.

Since each of the 4 instrument channels is supplied power by independently connected inverters, the loss of an inverter cannot affect more than 1 of the 4 instrument channels.

Each distribution panel can receive power from the 120 volt Class 1E a-c backup regulated source through an automatic static transfer switch or through a manual bypass switch. The inverter power source and the backup source are aligned such that the distribution panels cannot be connected to both sources at the same time.

Therefore no single failure in the Instrumentation and Control Power Supply System or its associated power supplies can cause a loss of power to more than one of the redundant loads.

The inverters are designed to maintain their outputs within acceptable limits. The loss of the a-c or d-c inputs is alarmed in the Control Room, as is the loss of an inverter's output. There are no inverter breaker controls on the control board, as no manual transfers are necessary in the event of loss of the 480 volt a-c preferred power source. The a-c and d-c inputs are diode isolated in the UPS.

Physical separation and provisions to protect against fire are discussed in Chapter 8.

Based on the scope definitions presented in References 1 through 3, the criteria which are applicable to the Instrumentation and Control Power Supply System are listed in IEEE Standard 308-1971. The design is in compliance with IEEE Standard 308-1971 and Regulatory Guide 1.6.

Availability of this system is continuously indicated by the operational status of the systems it serves (see Figures 8.3-1 and 8.3-2) and is verified by periodic testing performed on the served systems. The inverters have been seismically qualified as discussed in Section 3.10 and shown in Table 3.10-2.

7.6.2 Residual Heat Removal Isolation Valves

7.6.2.1 Description

There are 2 motor operated gate valves in series in each of 2 inlet lines from the Reactor Coolant System to the Residual Heat Removal System. They are normally closed and are only opened for residual heat removal and Reactor Coolant System overpressure protection after system pressure is reduced below approximately 425 psig and system temperature has been reduced to approximately 350°F (see Chapter 5). They are the same type of valve and motor operator as those used for accumulator isolation (refer to Section 7.6.4), but they differ in their controls and indications in the following respects (see Figures 7.6-1, 7.6-1a, and 7.6-1b):

1. Pressure interlocks are provided to prevent opening of the isolation valves whenever the Reactor Coolant System pressure is greater than approximately 425 psig. This interlock is derived from Class 1E process instrumentation channel for the isolation valves closest to the Reactor Coolant System (XVG8702A and XVG8702B) and from another independent process instrumentation channel for the 2 isolation valves closest to the Residual Heat Removal System (XVG8701A and XVG8701B). Interlock diversity is provided through the use of pressure transmitters from different manufacturers employing different measurement principles for the 2 channels of process instrumentation.
2. In addition to the open interlock, an alarm is located in the Control Room which will alert the operator if these valves are not fully closed when the Reactor Coolant System pressure increases above the 520 psig alarm setpoint.

7.6.2.2 Analyses

Based on the scope definitions presented in References 2 and 3, these criteria do not apply to the residual heat removal isolation valve interlocks; however, in order to meet NRC requirements and because of the possible severity of the consequences of loss of function, the requirements of IEEE Standard 279-1971 will be applied with the following comments:

1. For the purpose of applying IEEE Standard 279-1971 to this circuit, the following definitions will be used.
a. Protection System: The 2 valves in series in each line and all components of their interlocks that prevent opening of the isolation valves whenever the Reactor Coolant System pressure is greater than 425 psig.
b. Protective Action: The maintenance of Residual Heat Removal System isolation from the Reactor Coolant System when Reactor Coolant System pressures are above the preset value.
2. IEEE Standard 279-1971, paragraph 4.10: The above mentioned pressure interlock signals and logic will be tested on line to the maximum extent possible without adversely affecting safety. This test will include the analog signal through to the train signal which activates the relays that provide the interlocks into the valve control circuit. This is done in the best interests of safety since defeat of the interlock to permit opening the valve could potentially leave only 1 remaining valve to isolate the low pressure Residual Heat Removal System from the Reactor Coolant System.

It is noted that the valve position lights operated from the motor operated valve limit switch on the operator are similar to the position lights (red for open and green for closed) for the accumulator isolation valves described in Section 7.6.4.

3. IEEE Standard 279-1971, paragraph 4.15: This requirement does not apply, as the setpoints are independent of mode of operation and are not changed.

Environmental qualification of the valves and wiring is discussed in Section 3.11.

7.6.3 Refueling Interlocks

Electrical interlocks (i.e., limit switches) as discussed in Section 9.1.4 are provided for minimizing the possibility of damage to the fuel during fuel handling operations.

7.6.4 Accumulator Motor Operated Valves

The design of the interconnection of signals to open the accumulator isolation valves meets the following criteria established in previous NRC positions on this matter:

1. Automatic opening of the accumulator valves when a) the primary coolant system pressure exceeds a preselected value (specified in the Technical Specifications) or b) a safety injection signal has been initiated. Both signals shall be provided to the valves.
2. Utilization of a safety injection signal to automatically remove (override) any bypass features that are provided to allow an isolation valve to be closed for short periods of time when the Reactor Coolant System is at pressure (in accordance with the provisions of the Technical Specifications). As a result of the confirmatory "S" signal, isolation of an accumulator with the Reactor Coolant System at pressure is acceptable.

The control circuit for these valves is shown on Figure 7.6-2. The valves and control circuits are further discussed in Sections 6.3.2.15 and 6.3.5.

The Safety Injection System accumulator discharge isolation valves are motor operated normally open valves which are controlled from the main control board. These valves are interlocked such that:

1. They open automatically on receipt of an "S" signal with the main control board switch in either the "AUTO" or "CLOSE" position.
2. They open automatically whenever the Reactor Coolant System pressure is above the safety injection unblock pressure (P-11) specified in the Technical Specifications only when the main control board switch is in the "AUTO" position.
3. They cannot be closed as long as an "S" signal is present.

The main control board switches for these valves are 3 position switches which provide a "spring return to auto" from the open position and a "maintain position" from the closed position.

The "maintain closed" position is required to provide an administratively controlled manual block of the automatic opening of the valve at pressure above the safety injection unblock pressure (P-11). The manual block or "maintain closed" position is required when performing periodic check valve leakage tests when the Reactor Coolant System is at pressure. The maximum permissible time that an accumulator valve can be closed when the Reactor Coolant System is at pressure is specified in the Technical Specifications.

Administrative control is required to ensure that any accumulator valve, which has been closed at pressures above the safety injection unblock pressure, is returned to the "AUTO" position.

Verification that the valve automatically returns to its normal full open position would also be required.

During plant shutdown, the accumulator valves are in a closed position. To prevent an inadvertent opening of these valves during that period the accumulator valve breakers should be opened or removed. Administrative control is again required to ensure that these valve breakers are closed during the prestartup procedures.
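The three interlock rules and the switch positions described above, written out as an added illustration in Python (not the plant's control circuit). It enumerates every input combination to show that the only state in which a valve is commanded closed above P-11 is the administratively controlled one. The "HOLD" result for AUTO below P-11 with no "S" signal, and all function names, are assumptions.

```python
from enum import Enum
from itertools import product


class Switch(Enum):
    OPEN = "OPEN"     # spring return to AUTO when released
    AUTO = "AUTO"
    CLOSE = "CLOSE"   # maintained position: the administratively controlled manual block


def valve_command(switch: Switch, s_signal: bool, above_p11: bool) -> str:
    """Return 'OPEN', 'CLOSE' or 'HOLD' for one accumulator isolation valve."""
    if s_signal:
        return "OPEN"      # rules 1 and 3: "S" opens from AUTO or CLOSE and prevents closing
    if switch is Switch.OPEN:
        return "OPEN"
    if switch is Switch.CLOSE:
        return "CLOSE"     # manual block of the automatic opening above P-11
    if above_p11:
        return "OPEN"      # rule 2: AUTO position and pressure above P-11
    return "HOLD"          # ASSUMPTION: AUTO below P-11 issues no automatic command


def release(switch: Switch) -> Switch:
    """Switch position after the operator lets go of the handle."""
    return Switch.AUTO if switch is Switch.OPEN else switch


def blocked_states() -> list:
    """Input combinations in which the valve is commanded closed above P-11."""
    return [
        (sw.value, s, p)
        for sw, s, p in product(Switch, (False, True), (False, True))
        if p and valve_command(sw, s, p) == "CLOSE"
    ]


def check_invariants() -> bool:
    """Exhaustively confirm that "S" always opens and that AUTO opens above P-11."""
    for sw, p in product(Switch, (False, True)):
        if valve_command(sw, True, p) != "OPEN":
            return False
    return valve_command(Switch.AUTO, False, True) == "OPEN"


def leak_test_then_si() -> list:
    """Check valve leakage test at pressure, interrupted by a safety injection signal."""
    trace = []
    sw = Switch.CLOSE                               # operator blocks the automatic opening
    trace.append(valve_command(sw, False, True))    # valve commanded closed for the test
    trace.append(valve_command(sw, True, True))     # "S" arrives and overrides the block
    sw = Switch.AUTO                                # administrative return to AUTO
    trace.append(valve_command(sw, False, True))    # P-11 auto-open is effective again
    return trace


if __name__ == "__main__":
    print("invariants hold:", check_invariants())
    print("states needing administrative control:", blocked_states())
    print("leak test trace:", leak_test_then_si())
```

The single entry returned by `blocked_states()` is the condition the text places under administrative control: switch left in "CLOSE" above P-11 with no "S" signal present.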

7.6.5 Leakage Detection Systems

7.6.5.1 Description

Leakage detection is provided for the following areas and systems:

1. Reactor coolant pressure boundary (see Section 5.2.7 for a detailed description).
2. Engineered safety features systems (i.e., Reactor Building Spray, Residual Heat Removal, Safety Injection systems) in the Auxiliary Building.
3. Feedwater system (intermediate building flood protection).

7.6.5.1.1 Engineered Safety Features Systems in the Auxiliary Building

1. Level

Undetected leaks from the Engineered Safety Features Systems in the Auxiliary Building (Reactor Building Spray, Residual Heat Removal, Safety Injection) could have adverse effects upon the safety functions of these systems. For this reason, means for detecting leakage are provided.

Level switches are located in specifically provided alarm drains and in the building drain sumps. When leakage exceeds a flowrate of 25 gpm for the floor drains or 45 gpm for the sump drains, an alarm is activated in the Control Room. Upon receipt of such an alarm, the operator takes action to isolate the leak.

Figures 9.3-6 and 9.3-7 schematically depict the locations of alarm drains and building sumps.

2. Temperature

Undetected leakage from the Chemical and Volume Control System letdown lines or the Auxiliary Steam System could cause the ambient temperature in the Auxiliary Building to rise. This high temperature could possibly prohibit personnel access to the area and limit the capability of equipment to function. Pipe rupture analysis has indicated the location of the most probable break areas in the system. Temperature sensors located in these break areas actuate alarms in the Control Room. Locations of these sensors are illustrated by Figures 7.6-3a through 7.6-8.

7.6.5.1.2 Feedwater System

Safety equipment and systems in the Intermediate Building are protected from flooding due to postulated pipe break or component failure resulting in leakage from the Feedwater System.

The sump level system incorporates a level switch located in each of the 3 Intermediate Building sumps. Should a high level occur in any sump, it is annunciated in the Control Room to alert the operator to the need for investigation of the source of leakage and, if necessary, to take manual action to isolate the leak. The high-high sump level detectors are set to detect flooding which occurs at a rate which exceeds the capacity of the sump pumps. When 2 out of 3 redundant high-high sump level switches are energized, the A channel closes the feedwater pump discharge valves and the B channel trips the feedwater pumps and closes the feedwater pump suction valves.

The A channel closes the feedwater isolation valves to the steam generators.

7.6.5.1.3 Leak Detection Methods Inside the Control Room

Table 7.6-1 provides a tabulation of leak detection methods inside the Control Room.

7.6.5.2 Analysis

Leak detection instrumentation is seismically qualified. These instruments are located throughout the Auxiliary Building in areas where engineered safety features equipment and piping are located. Physical separation and separate electrical power sources are used for 2 sets of redundant instruments. Calibration of the Leak Detection System instrumentation can be performed during plant operation. The instrumentation can be functionally checked by testing at any time.

7.6.6 Interlocks for RCS Pressure Control During Low Temperature Operation

This Section deleted by Amendment 1 in August, 1985.

7.6.7 Switchover From Injection to Recirculation

The details of achieving cold leg recirculation following safety injection and a postulated LOCA are given in Section 6.3.2.2.7 and on Table 6.3-3.

7.6.7.1 Description of Instrumentation Used for Switchover

As noted in Table 6.3-3, protection logic is provided to automatically open the 4 Safety Injection System (SIS), Reactor Building recirculation sump isolation valves (8811A and 8812A in Train A and 8811B and 8812B in Train B) when 2 of 4 (2/4) Refueling Water Storage Tank (RWST) level transmitters sense the Lo-Lo level setpoint in conjunction with the initiation of the engineered safety features actuation signal ("S" signal). The "S" signal is initiated by the contact of a slave relay in the Solid State Protection System output cabinet that closes on Safety Injection and remains closed until manually reset from the control board. This reset switch is separate from the main safety injection reset switch which is not associated with this circuit. The purpose of the sump valve automatic open circuit reset switch is to permit the operator to remove the actuation signal in the event the corresponding sump isolation valve must be closed and retained in a closed position following a LOCA, such as for maintenance purposes.

7.6.7.2 Initiating Circuit

The 2/4 Lo-Lo RWST level is the trip signal, which in coincidence with the "S" signal, provides the initiation function which would align the 2 residual heat removal pumps to take suction from the Reactor Building sumps and deliver directly to the RCS.

7.6.7.3 Logic

The logic function derived from the RWST level sensors and the "S" signal are depicted in Figure 7.6-9.

7.6.7.4 Bypass

The manual reset logic function is shown in Figure 7.6-10 and its purpose and action are described in Section 7.6.7.1. As noted, the "S" signal is retained by sealing it in (i.e., it is latched).

This signal is not removed by action of the main safety injection reset that is used by the operator per emergency procedures to block the "S" signal to certain other equipment prior to realignment for switchover to the recirculation mode following a postulated loss of coolant accident.

7.6.7.5 Interlocks

The Trip Signal logic consists of 4 Refueling Water Storage Tank water level transmitters, each of which provides a level signal to 1 of the 4 Refueling Water Storage Tank level channel bistables.

The Refueling Water Storage Tank level channel bistables are:

1. Normally de-energized
2. De-energized on loss of power
3. Energized on Lo-Lo setpoint

Each level channel bistable is assigned to a separate instrumentation and control power supply. A Trip Signal is provided from both Train A and Train B Solid State Protection System cabinets to the corresponding Reactor Building recirculation sump isolation valves logic, should 2 of the 4 water level channel bistables receive an RWST level signal lower than the Lo-Lo level setpoint, following the generation of an "S" signal.

7.6.7.6 Sequence

This circuit is energized directly from the Solid State Protection System output cabinet and is not sequenced following an accident that requires its functioning.

7.6.7.7 Redundancy

The function of this semi-automatic switchover is available from both Train A and Train B down to the actuated equipment. The function including the actuated equipment is, therefore, redundant and train separation and independence are maintained from sensor to actuated equipment.

7.6.7.8 Diversity

Diversity of components and equipment between the redundant Trains is not required to protect against systematic failures, such as multiple failures resulting from a credible single event. The associated components are environmentally and seismically qualified in accordance with the procedures described in Sections 3.10 and 3.11. It is noted that there is functional diversity provided in that manual operation is available as a backup to the semi-automatic mode.

7.6.7.9 Actuated Devices

The actuated devices are the 4 motor control center starters, 1 for each of the Motor Operated Sump Valves, 8811 A&B, and 8812 A&B.

7.6.7.10 Channel Bypass Indication

Indication is provided on the main control board to alert the operator that a Refueling Water Storage Tank water level channel is in the bypass mode and is unavailable. The indication is by status light and alarm window as shown on Figure 7.6-10.

7.6.8 Deleted

7.6.9 Deleted

7.6.10 Deleted

7.6.11 Switchover From Spray to Recirculation

The details of the Reactor Building Spray System operation following a postulated loss of coolant accident are given in Section 6.2.2.2.1.2.

7.6.11.1 Description of Instrumentation Used for Switchover

As noted in Section 6.2.2.2.1.2, logic is provided to automatically open the 4 Reactor Building Spray System, Reactor Building recirculation sump isolation valves (3004A and 3005A in Train A and 3004B and 3005B in Train B) when 2 of 4 (2/4) Refueling Water Storage Tank (RWST) level transmitters sense the Lo-Lo level setpoint in conjunction with the initiation of the engineered safety features actuation signal ("S" signal). The "S" signal is initiated by the contact of a slave relay in the Solid State Protection System output cabinet that closes on safety injection and remains closed until manually reset from the control board. This reset switch is separate from the main safety injection reset switch which is not associated with this circuit. The purpose of the sump valve automatic open circuit reset switch is to permit the operator to remove the actuation signal in the event the corresponding sump isolation valve must be closed and retained in a closed position following a loss of coolant accident, such as for maintenance purposes.

7.6.11.2 Initiation Circuit

The 2/4 Lo-Lo Refueling Water Storage Tank level is the trip signal, which in coincidence with the "S" signal, provides the initiation function which would automatically align the 2 Reactor Building spray pumps to take suction from the Reactor Building recirculation sumps and deliver directly to the Reactor Building spray nozzles.

7.6.11.3 Logic

The logic function derived from the Refueling Water Storage Tank level sensors and the "S" signal are depicted in Figures 7.6-9 and 7.6-10.

7.6.11.4 Bypass

The manual reset logic function is shown in Figure 7.6-9 and its purpose and action are described in Section 7.6.11.1. As noted, the "S" signal is retained by sealing it in (i.e., it is latched). This signal is not removed by action of the main safety injection reset that is used by the operator per emergency procedures to block the "S" signal to certain other equipment prior to realignment for switchover to the recirculation mode following a postulated loss of coolant accident.

7.6.11.5 Interlocks

The Trip Signal logic consists of 4 Refueling Water Storage Tank water level transmitters, each of which provides a level signal to 1 of the 4 Refueling Water Storage Tank level channel bistables.

The Refueling Water Storage Tank level channel bistables are:

1. Normally de-energized
2. De-energized on loss of power
3. Energized on Lo-Lo setpoint

Each level channel bistable is assigned to a separate instrumentation and control power supply. A Trip Signal is provided from both Train A and Train B Solid State Protection System cabinets to the corresponding Reactor Building recirculation sump isolation valves logic, should 2 of the 4 water level channel bistables receive a Refueling Water Storage Tank level signal lower than the Lo-Lo level setpoint, following the generation of an "S" signal.

7.6.11.6 Sequence

This circuit is energized directly from the Solid State Protection System output cabinet and is not sequenced following an accident that requires its functioning.

7.6.11.7 Redundancy

The function of this switchover is available from both Train A and Train B down to the actuated equipment. The function including the actuated equipment is, therefore, redundant and train separation and independence are maintained from sensor to actuated equipment.

7.6.11.8 Diversity

Diversity of components and equipment between the redundant Trains is not required to protect against systematic failures, such as multiple failures resulting from a credible single event. The associated components are environmentally and seismically qualified in accordance with the procedures described in Sections 3.10 and 3.11. It is noted that there is functional diversity provided in that manual operation is available as a backup to the semi-automatic mode.

7.6.11.9 Actuated Devices

The actuated devices are the 4 motor control center starters, 1 for each of the Motor Operated Sump Valves, 3004 A&B and 3005 A&B.

7.6.11.10 Channel Bypass Indication

Indication is provided on the main control board to alert the operator that a Refueling Water Storage Tank water level channel is in the bypass mode and is unavailable. The indication is by status light and alarm window as shown on Figure 7.6-10.
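The 2/4 coincidence with a sealed-in "S" signal described in Sections 7.6.7 and 7.6.11, modelled as an added illustration in Python (not plant or vendor logic). It sweeps loss-of-power failures to show what the energize-on-Lo-Lo bistables tolerate, and shows which reset removes the actuation signal. The setpoint value, the sample levels, all class and function names, and the treatment of a bypassed channel as contributing no trip are assumptions.

```python
from dataclasses import dataclass
from itertools import combinations

LO_LO_SETPOINT = 18.0  # ASSUMED placeholder (% level); the page does not give the setpoint

# Valve numbers are those given in Sections 7.6.7.1 and 7.6.11.1.
SUMP_VALVES = {
    "A": ("8811A", "8812A", "3004A", "3005A"),
    "B": ("8811B", "8812B", "3004B", "3005B"),
}


@dataclass
class LevelChannel:
    """One RWST level transmitter with its channel bistable."""
    level: float = 95.0      # constructed sample level, percent
    powered: bool = True
    bypassed: bool = False   # ASSUMPTION: a bypassed channel contributes no trip

    def energized(self) -> bool:
        # Normally de-energized, de-energized on loss of power,
        # energized only when the level is below the Lo-Lo setpoint.
        return self.powered and not self.bypassed and self.level < LO_LO_SETPOINT


class Train:
    """Switchover logic of one protection train (A or B)."""

    def __init__(self, name: str):
        self.name = name
        self.s_sealed_in = False

    def safety_injection(self) -> None:
        self.s_sealed_in = True       # slave relay contact closes and stays closed

    def main_si_reset(self) -> None:
        pass                          # not associated with this circuit: no effect here

    def sump_valve_reset(self) -> None:
        self.s_sealed_in = False      # dedicated reset removes the actuation signal

    def valves_to_open(self, channels) -> tuple:
        tripped = sum(ch.energized() for ch in channels)
        if self.s_sealed_in and tripped >= 2:    # 2/4 Lo-Lo in coincidence with "S"
            return SUMP_VALVES[self.name]
        return ()


def bypass_indications(channels) -> list:
    """Indices of channels that should light the bypass status light and alarm window."""
    return [i for i, ch in enumerate(channels) if ch.bypassed]


def single_failure_sweep() -> dict:
    """Lose power to each channel in turn: (spurious actuation?, real Lo-Lo actuates?)."""
    results = {}
    for failed in range(4):
        train = Train("A")
        train.safety_injection()
        chans = [LevelChannel() for _ in range(4)]
        chans[failed].powered = False
        spurious = bool(train.valves_to_open(chans))   # tank still full
        for ch in chans:
            ch.level = 10.0                            # tank now truly below Lo-Lo
        results[failed] = (spurious, bool(train.valves_to_open(chans)))
    return results


def max_tolerated_power_losses() -> int:
    """Largest number of unpowered channels for which a real Lo-Lo still actuates."""
    tolerated = 0
    for n in range(5):
        ok = True
        for dead in combinations(range(4), n):
            train = Train("A")
            train.safety_injection()
            chans = [LevelChannel(level=10.0, powered=(i not in dead)) for i in range(4)]
            ok = ok and bool(train.valves_to_open(chans))
        if ok:
            tolerated = n
    return tolerated


def reset_behaviour() -> dict:
    """Effect of the two reset switches on a Train B actuation in progress."""
    train = Train("B")
    train.safety_injection()
    chans = [LevelChannel(level=10.0) for _ in range(4)]
    out = {"before": train.valves_to_open(chans)}
    train.main_si_reset()
    out["after_main_si_reset"] = train.valves_to_open(chans)
    train.sump_valve_reset()
    out["after_sump_valve_reset"] = train.valves_to_open(chans)
    return out


if __name__ == "__main__":
    print(single_failure_sweep())
    print(max_tolerated_power_losses())
    print(reset_behaviour())
```

Because the bistables energize to trip, losing channel power never opens the sump valves spuriously, but it does reduce the number of channels able to vote; in this model the automatic function survives two unpowered channels and not three.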

7.6.12 References

1. The Institute of Electrical and Electronics Engineers, Inc., IEEE Criteria for Class 1E Electrical Systems for Nuclear Power Generating Stations, IEEE Standard 308-1971.
2. The Institute of Electrical and Electronics Engineers, Inc., IEEE Standard: Criteria for Protection Systems for Nuclear Power Generating Stations, IEEE Standard 279-1971.

Table 7.6-1 Leak Detection Methods Inside Control Room

| PRIMARY DETECTION PARAMETER | ELEMENT | CONTROL ROOM DISPLAY | TYPE OF LEAKAGE |
|---|---|---|---|
| Refueling water storage tank level | level transmitters (LT990, LT991, LT992, LT993) | indication; alarm-high level | reactor coolant leakage to ECCS |
| Accumulator level | level transmitters (LT920, LT922, LT924, LT926, LT928, LT930) | indication; alarm-high level | reactor coolant leakage to ECCS |
| Accumulator pressure | pressure transmitters (PT921, PT923, PT925, PT927, PT929, PT931) | indication; alarm-high level | reactor coolant leakage to ECCS |
| Reactor vessel flange leakoff temperature | temperature element (TE401) | indication; alarm-high temperature | leakage from reactor vessel |
| Pressurizer safety valve discharge temperature | temperature elements (TE463, TE465, TE467, TE469) | indication; alarm-high temperature | reactor coolant leakage to pressurizer relief tank |
| Pressurizer relief tank temperature | temperature element (TE471) | indication; alarm-high temperature | reactor coolant leakage to pressurizer relief tank |
| Pressurizer relief tank level | level transmitters (LT470) | indication; alarm-high level | reactor coolant leakage to pressurizer relief tank |
| Flow in pressurizer relief line | acoustic leak monitor | alarm-high flow | reactor coolant leakage to pressurizer relief tank |
| Leak detection drains | level switches | alarm-high level | nuclear valve leak-off and miscellaneous equipment leakage |
| Steam generator blowdown and sampling radiation | radiation monitor (RM-L3, RM-L10) | indication; alarm-high radiation | primary to secondary system leakage |
| Main plant vent exhaust radiation | radiation monitor (RM-A3) | indication; alarm-high radiation | primary to secondary system leakage |
| Turbine room sump radiation | radiation monitor (RM-L8) | indication; alarm-high radiation | primary to secondary system leakage |
| Component cooling water radiation | radiation monitor (RM-L2A, RM-L2B) | indication; alarm-high radiation | intersystem leakage into component cooling water system |
| Component cooling water temperature from RHR heat exchanger | temperature elements (TE7037, TW7047); temperature switches (TS038, TS7048) | indication; alarm-high temperature | residual heat removal heat exchanger leakage |
| Component cooling water temperature from reactor coolant drain tank | temperature elements (TE7118) | indication; alarm-high temperature | reactor coolant drain tank heat exchanger leakage |
| Component cooling water flow from reactor coolant drain tank | flow transmitters (FT7116) | indication | reactor coolant drain tank heat exchanger leakage |
| Component cooling water temperature from reactor coolant pump thermal barrier | temperature elements (TE7140, TE7160, TE7180) | indication; alarm-high temperature | reactor coolant pump thermal barrier leakage |
| Component cooling water flow from reactor coolant pump thermal barrier | flow transmitters (FT7138, FT7158, FT7178) | indication | reactor coolant pump thermal barrier leakage |

Figure 7.6-1 LOGIC DIAGRAM - RESIDUAL HEAT REMOVAL SYSTEM ISOLATION VALVES XVG8701A AND XVG8702B

Figure 7.6-1a LOGIC DIAGRAM - RESIDUAL HEAT REMOVAL SYSTEM ISOLATION VALVES XVG8701B AND XVG8702A

Figure 7.6-1b LOGIC DIAGRAM - RESIDUAL HEAT REMOVAL SYSTEM ISOLATION VALVES XVG 8701A, 8701B, 8702A, 8702B

Figure 7.6-2 FUNCTIONAL BLOCK DIAGRAM OF ACCUMULATOR ISOLATION VALVE (Amendment 0, August 1984)

Figure 7.6-3A FSAR FIGURE REFERENCE, DRAWING E-304-052

Figure 7.6-4 FSAR FIGURE REFERENCE, DRAWING E-304-053

Figure 7.6-5 FSAR FIGURE REFERENCE, DRAWING E-304-054

Figure 7.6-6 FSAR FIGURE REFERENCE, DRAWING E-304-674

Figure 7.6-7 FSAR FIGURE REFERENCE, DRAWING E-304-675

Figure 7.6-8 FSAR FIGURE REFERENCE, DRAWING E-304-676

Figure 7.6-9 SAFETY INJECTION SYSTEM & REACTOR BUILDING SPRAY SYSTEM RECIRCULATION ISOLATION VALVES (Amendment 0, August 1984)

Figure 7.6-10 SAFETY INJECTION SYSTEM & REACTOR BUILDING SPRAY SYSTEM RECIRCULATION ISOLATION VALVES

7.7 CONTROL SYSTEMS NOT REQUIRED FOR SAFETY

The general design objectives of the plant control systems are:

1. To establish and maintain power equilibrium between primary and secondary system during steady-state unit operation;
2. To constrain operational transients so as to preclude unit trip and re-establish steady-state unit operation;
3. To provide the reactor operator with monitoring instrumentation that indicates required input and output control parameters of the systems and provides the operator the capability of assuming manual control of the system.

7.7.1 Description

The plant control systems described in this section perform the following functions:

1. Reactor Control System
a. Enables the nuclear plant to accept a step load increase or decrease of 10% and a ramp increase or decrease of 5% per minute within the load range of 15% to 100% without reactor trip, steam dump, or pressurizer relief actuation, subject to possible xenon limitations.
b. Maintains reactor coolant average temperature (Tavg) within prescribed limits by creating the bank demand signals for moving groups of full length rod cluster control assemblies during normal operation and operational transients. The Tavg control also supplies a signal to pressurizer water level control, and steam dump control.
2. Rod Control System
a. Provides for reactor power modulation by manual or automatic control of full length control rod banks in a preselected sequence and for manual operation of individual banks.
b. Systems for Monitoring and Indicating
(1) Provide alarms to alert the operator if the required core reactivity shutdown margin is not available due to excessive control rod insertion.
(2) Display control rod position.
(3) Provide alarms to alert the operator in the event of control rod deviation exceeding a preset limit.

3. Plant Control System Interlocks
a. Prevent further withdrawal of the control banks when signal limits are approached that predict the approach of a departure from nucleate boiling ratio (DNBR) limit or linear power (kW/ft) limit.
b. Inhibit automatic turbine load change as required by the Nuclear Steam Supply System.

4. Pressurizer Pressure Control
a. Maintains or restores the pressurizer pressure to the design pressure +/- 50 psi (which is well within reactor trip and relief and safety valve actuation setpoint limits) following normal operational transients that induce pressure changes by control (manual or automatic) of heaters and spray in the pressurizer. Provides steam relief by controlling the power relief valves.
5. Pressurizer Water Level Control
a. Establishes, maintains, and restores pressurizer water level within specified limits as a function of the average coolant temperature. Changes in level are caused by coolant density changes induced by loading, operational, and unloading transients. Level changes are controlled by means of charging flow control (manual or automatic) as well as by manual selection of letdown orifices. Maintaining coolant level in the pressurizer within prescribed limits by actuating the charging and letdown system thus provides control of the reactor coolant water inventory.
6. Steam Generator Water Level Control
a. Establishes and maintains the steam generator water level to within predetermined physical limits during normal operating transients.
b. Restores the steam generator water level to within predetermined limits at unit trip conditions. Regulates the feedwater flowrate such that under operational transients the heat sink for the reactor coolant system does not decrease below a minimum. Steam generator water inventory control is manual or automatic through the use of feedwater control valves.
7. Steam Dump Control
a. Permits the nuclear plant to accept a sudden loss of load without incurring reactor trip.

Steam is dumped to the condenser and/or the atmosphere as necessary to accommodate excess power generation in the reactor during turbine load reduction transients.

b. Ensures that stored energy and residual heat are removed following a reactor trip to bring the plant to equilibrium no load conditions without actuation of the steam generator safety valves.
c. Maintains the plant at no load conditions and permits a manually controlled cooldown of the plant.

7.7.1.1 Reactor Control System

The Reactor Control System enables the nuclear plant to follow load changes automatically including the acceptance of step load increases or decreases of 10% and ramp increases or decreases of 5% per minute within the load range of 15% to 100% without reactor trip, steam dump, or pressure relief (subject to possible xenon limitations). The system is also capable of restoring coolant average temperature to within the programmed temperature deadband following a change in load. Manual control rod operation may be performed at any time.

The Reactor Control System controls the reactor coolant average temperature by regulation of control rod bank position. The reactor coolant loop average temperatures are determined from hot leg and cold leg measurements in each reactor coolant loop. There is an average coolant temperature (Tavg) computed for each loop, where:

$$T_{avg} = \frac{T_{hot} + T_{cold}}{2}$$

The error between the programmed reference temperature (based on turbine first stage pressure) and the median of the Tavg measured temperatures (which is processed through a lead/lag compensation unit) from each of the reactor coolant loops constitutes the primary control signal as shown in general on Figure 7.7-1 and in more detail on the functional diagrams shown in Figure 7.2-1, Sheet 9. The system is capable of restoring coolant average temperature to the programmed value following a change in load. The programmed coolant temperature increases linearly with turbine load from zero power to the full power condition. The Tavg also supplies a signal to pressurizer level control and steam dump control and rod insertion limit monitoring.

The temperature channels needed to derive the temperature input signals for the Reactor Control System are fed from protection channels via isolation amplifiers.

An additional control input signal is derived from the reactor power versus turbine load mismatch signal. This additional control input signal improves system performance by enhancing response and reducing transient peaks.

7.7.1.2 Rod Control System

7.7.1.2.1 Full Length Rod Control System

The full length rod control system receives rod speed and direction signals from the Tavg control system. The rod speed signal by design may vary over the corresponding range of 5 to 45 inches per minute (6 to 72 steps/minute) depending on the magnitude of the input signal. Manual control is provided to move a control bank in or out at a prescribed fixed speed.

When the turbine load reaches approximately 15% of rated load, the operator may select the AUTOMATIC mode, and rod motion is then controlled by the Reactor Control Systems. A permissive interlock C-5 (see Table 7.7-1) derived from the measurements of turbine first stage pressure prevents automatic control when the turbine load is below 15%. In the AUTOMATIC mode, the rods are again withdrawn (or inserted) in a predetermined programmed sequence by the automatic programming with the control interlocks (see Table 7.7-1).

The shutdown banks are always in the fully withdrawn position during normal operation, and are moved to this position at a constant speed by manual control prior to criticality. A reactor trip signal causes them to fall by gravity into the core. There are 2 shutdown banks.

The control banks are the only rods that can be manipulated under automatic control. Each control bank is divided into 2 groups to obtain smaller incremental reactivity changes per step. All rod control cluster assemblies in a group are electrically paralleled to move simultaneously. There is individual position indication for each rod cluster control assembly.

Power to rod drive mechanisms is supplied by 2 motor generator sets operating from 2 separate 480 volt, 3-phase buses. Each generator is the synchronous type and is driven by a 200 Hp induction motor. The a-c power is distributed to the rod control power cabinets through the 2 series connected reactor trip breakers.

The variable speed rod drive programmer affords the ability to insert small amounts of reactivity at low speed to accomplish fine control of reactor coolant average temperature about a small temperature deadband, as well as furnishing control at high speed. A summary of the rod cluster control assembly sequencing characteristics is given below:

1. Two (2) groups within the same bank are stepped such that the relative position of the groups will not differ by more than 1 step.
2. The control banks are programmed such that withdrawal of the banks is sequenced in the following order; control bank A, control bank B, control bank C, and control bank D. The programmed insertion sequence is the opposite of the withdrawal sequence, i.e., the last control bank withdrawn (bank D) is the first control bank inserted.
3. The control bank withdrawals are programmed such that when the first bank reaches a preset position, the second bank begins to move out simultaneously with the first bank. When the first bank reaches the top of the core, it stops, while the second bank continues to move toward its fully withdrawn position. When the second bank reaches a preset position, the third bank begins to move out, and so on. This withdrawal sequence continues until the unit reaches the desired power level. The control bank insertion sequence is the opposite.
4. Overlap between successive control banks is adjustable between 0 to 50% (0 to 115 steps), with an accuracy of +/- 1 step.
5. Rod speeds for either the shutdown banks or manual operation of the control banks are capable of being controlled between a minimum of 8 steps per minute and a maximum of 72 (+ 0 steps per minute, - 10 steps per minute) steps per minute.
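The bank sequencing and overlap rules in items 2 to 4 above can be modelled as a single demand counter mapped onto the four banks; this is an added example, not code from the FSAR or from the plant's rod control system. The 230-step full travel is an assumption inferred from "50% (0 to 115 steps)", the single-counter model is a simplification, and the 100-step overlap used in the demo is a constructed setting.

```python
"""Added illustration: control bank overlap sequencing (items 2 to 4 above)."""

BANKS = ("A", "B", "C", "D")   # withdrawal order stated on the page
FULL_TRAVEL_STEPS = 230        # assumption: inferred from "50% (0 to 115 steps)"


def max_demand(overlap_steps):
    """Total demand count at which all four banks are fully withdrawn."""
    stagger = FULL_TRAVEL_STEPS - overlap_steps
    return stagger * (len(BANKS) - 1) + FULL_TRAVEL_STEPS


def bank_positions(demand_steps, overlap_steps):
    """Map one total demand count to the position (steps withdrawn) of each bank."""
    if not 0 <= overlap_steps <= FULL_TRAVEL_STEPS // 2:
        raise ValueError("overlap must be within 0 to 50% of full travel")
    if not 0 <= demand_steps <= max_demand(overlap_steps):
        raise ValueError("demand count outside the programmed range")
    # Preset position of a bank at which the next bank in sequence starts to move.
    stagger = FULL_TRAVEL_STEPS - overlap_steps
    return {
        bank: min(max(demand_steps - index * stagger, 0), FULL_TRAVEL_STEPS)
        for index, bank in enumerate(BANKS)
    }


def moving_banks(demand_steps, overlap_steps, direction):
    """Banks that move on the next step; direction is +1 (withdraw) or -1 (insert)."""
    if direction not in (1, -1):
        raise ValueError("direction must be +1 or -1")
    before = bank_positions(demand_steps, overlap_steps)
    after = bank_positions(demand_steps + direction, overlap_steps)
    return [bank for bank in BANKS if before[bank] != after[bank]]


def sequence_violations(overlap_steps):
    """Walk the whole withdrawal and list every count that breaks the stated rules."""
    problems = []
    for demand in range(max_demand(overlap_steps) + 1):
        pos = bank_positions(demand, overlap_steps)
        ordered = [pos[bank] for bank in BANKS]
        # A later bank may never be further out than an earlier one (A, B, C, D order).
        if any(later > earlier for earlier, later in zip(ordered, ordered[1:])):
            problems.append((demand, "bank order"))
        # With overlap limited to 50%, at most two successive banks are mid-travel.
        mid_travel = [bank for bank in BANKS if 0 < pos[bank] < FULL_TRAVEL_STEPS]
        if len(mid_travel) > 2:
            problems.append((demand, "more than two banks mid-travel"))
    return problems


if __name__ == "__main__":
    overlap = 100  # constructed setting within the 0 to 115 step range
    for count in (0, 130, 200, 230, 300, max_demand(overlap)):
        print(count, bank_positions(count, overlap))
    print("first bank inserted from fully withdrawn:",
          moving_banks(max_demand(overlap), overlap, -1))
    print("violations:", sequence_violations(overlap))
```

Running the same counter downward reproduces the insertion order, with bank D moving first.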

7.7.1.2.2 Part Length Rod Control System

The part length control rods have been deleted.

7.7.1.3 Plant Control Signals for Monitoring and Indicating

7.7.1.3.1 Monitoring Functions Provided by the Nuclear Instrumentation System

The power range channels are important because of their use in monitoring power distribution in the core within specified safe limits. They are used to measure power level, axial power imbalance, and radial power imbalance. The channels are capable of recording overpower excursions up to 200% of full power. Suitable alarms are derived from these signals as described below.

Basic power range signals are:

1. Total current from a power range detector (4 such signals from separate detectors); these detectors are vertical and have a total active length of 10 feet.
2. Current from the upper half of each power range detector (4 such signals).
3. Current from the lower half of each power range detector (4 such signals).

Derived from these basic signals are the following (including standard signal processing for calibration).

4. Indicated nuclear power (4 such signals).
5. Indicated axial flux imbalance, derived from upper half flux minus lower half flux (4 such signals).

Alarm functions derived are as follows:

6. Deviation (maximum minus minimum of 4) in indicated nuclear power.
7. Upper radial tilt (maximum to average of 4) on upper-half currents.
8. Lower radial tilt (maximum to average of 4) on lower-half currents.

Provision is made to continuously record, on the control board, the 8 ion chamber signals, i.e., upper and lower signals for each detector. Nuclear power and axial unbalance is selectable for recording as well.

The axial flux difference imbalance deviation alarms are derived from the plant process computer which determines the one minute averages of the excore detector outputs to monitor in the reactor core and alerts the operator where alarm conditions exist. Two (2) types of alarm messages are output. Above a preset (90%) power level, an alarm message is output immediately upon determining a delta flux exceeding a preset band (usually +/- 5%) about a target delta flux value. Below this preset power level, an alarm message is output if the exceeded its allowable limits for a preset cumulative (usually 1 hour) amount of time in the past 24 hours.

Additional background information on the Nuclear Instrumentation System can be found in Reference 1.

7.7.1.3.2 Rod Position Monitoring of Full and Part Length Rods

Two (2) separate systems are provided to sense and display control rod position as described below:

1. Digital Rod Position Indication System - The Digital Rod Position Indication System displays full length position. Part length rods and control are not used at V. C. Summer Nuclear Station. The Digital Rod Position Indication System senses the actual position of each full length rod using a detector which consists of discrete coils mounted concentrically with the rod drive pressure housing. The coils are located axially along the pressure housing and magnetically sense the entry and presence of the rod drive shaft through its center line. For each detector, the coils are interlaced into 2 data channels, and are connected to the containment electronics (Data A and B) by separate multi-conductor cables. By employing 2 separate channels of information, the Digital Rod Position Indication System can continue to function (at reduced accuracy) when 1 channel fails. Multiplexing is then used to transmit the digital position signals from the containment electronics to the control board display unit.

The control board display consists of two flat panel monitors that display the control rod position in a graphical and digital format. Each rod in the control and shutdown banks has its position displayed to +/-4 steps throughout its range of travel when the system is operating at full accuracy.

Included in the system is a rod at bottom signal for each rod that operates a local alarm. Also a control room annunciator is actuated when any shutdown rod or control bank A rod is at bottom.

2. Demand Position System - The Demand Position System counts pulses generated in the Rod Drive Control System to provide a digital readout of the demanded bank position.

The Demand Position and Digital Rod Position Indication Systems are separate systems, but safety criteria were not involved in the separation, which was a result only of operational requirements. Operating procedures require the reactor operator to compare the demand and indicated (actual) readings from the Rod Position Indication System so as to verify operation of the Rod Control System.

7.7.1.3.3 Control Bank Rod Insertion Monitoring

When the reactor is critical, the normal indication of reactivity status in the core is the position of the control bank in relation to reactor power (as indicated by the Reactor Coolant System loop ΔT) and coolant average temperature. These parameters are used to calculate insertion limits for the control banks. Two (2) alarms are provided for each control bank:

1. The low alarm alerts the operator of an approach to the rod insertion limits requiring boron addition by following normal procedures with the Chemical and Volume Control System.

2. The low-low alarm alerts the operator to take immediate action to add boron to the Reactor Coolant System by any one of several alternate methods.

The purpose of the control bank rod insertion monitor is to give warning to the operator of excessive rod insertion. The insertion limit maintains sufficient core reactivity shutdown margin following reactor trip and provides a limit on the maximum inserted rod worth in the unlikely event of a hypothetical rod ejection, and limits rod insertion such that acceptable nuclear peaking factors are maintained. Since the amount of shutdown reactivity required for the design shutdown margin following a reactor trip increases with increasing power, the allowable rod insertion limits must be decreased (the rods must be withdrawn further) with increasing power. Two (2) parameters which are proportional to power are used as inputs to the insertion monitor. These are the ΔT between the hot leg and the cold leg, which is a direct function of reactor power, and Tavg, which is programmed as a function of power. The rod insertion monitor uses parameters for each control rod bank as follows:

$$Z_{LL} = A(\Delta T)_{median} + B(T_{avg})_{median} + C$$

where:

ZLL = Maximum permissible insertion limit for affected control bank.

(ΔT)median = Median ΔT of all loops.

(Tavg)median = Median Tavg of all loops.

A, B, C = Constants chosen to maintain ZLL actual limit based on physics calculations.

The control rod bank demand position (Z) is compared to ZLL as follows:

If Z - ZLL D a low alarm is actuated.

If Z - ZLL E a low-low alarm is actuated.

Actuation of the low alarm alerts the operator of an approach to a reduced shutdown reactivity situation. Administrative procedures require the operator to add boron through the Chemical and Volume Control System. Actuation of the low-low alarm requires the operator to initiate emergency boration procedures. The value for E is chosen such that the low-low alarm would normally be actuated before the insertion limit is reached. The value for D is chosen to allow the operator to follow normal boration procedures. Figure 7.7-2 shows a block diagram representation of the control rod bank insertion monitor. The monitor is shown in more detail on the functional diagrams shown in Figure 7.2-1, Sheet 9. In addition to the rod insertion monitor for the control banks, the plant computer, which monitors individual rod positions, provides an alarm, associated with the rod deviation alarm discussed in Section 7.7.1.3.4, to warn the operator if any shutdown rod cluster control assembly leaves the fully withdrawn position.
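The insertion monitor calculation described above, written out as an added example (not code from the FSAR or the plant computer). The constants A to E and the loop readings are constructed values, three loops are assumed, and because the comparison operator between Z - ZLL and D or E is not legible on the page, "less than or equal" with 0 <= E < D is assumed here.

```python
"""Added illustration: control bank rod insertion monitor with median-selected inputs."""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class MonitorSettings:
    """Constants for one control bank. Values used with this class are constructed."""
    a: float  # steps per degree of median loop delta-T
    b: float  # steps per degree of median loop Tavg
    c: float  # steps
    d: float  # low alarm margin above ZLL, steps
    e: float  # low-low alarm margin above ZLL, steps

    def __post_init__(self):
        # Assumption: the low alarm must come first, so E has to be smaller than D.
        if not 0 <= self.e < self.d:
            raise ValueError("expected 0 <= E < D")


def median_select(loop_values):
    """Median of the loop signals; a single failed channel cannot set the result."""
    values = list(loop_values)
    if len(values) < 3:
        raise ValueError("median selection needs at least three loop signals")
    return median(values)


def insertion_limit(settings, loop_delta_t, loop_tavg):
    """ZLL = A*(delta-T)median + B*(Tavg)median + C, in steps withdrawn."""
    return (settings.a * median_select(loop_delta_t)
            + settings.b * median_select(loop_tavg)
            + settings.c)


def rod_insertion_alarm(settings, z_demand, loop_delta_t, loop_tavg):
    """Return (ZLL, Z - ZLL, alarm) for the bank demand position Z."""
    zll = insertion_limit(settings, loop_delta_t, loop_tavg)
    margin = z_demand - zll
    # Assumption: "<=" is used because the operator is missing from the page text.
    if margin <= settings.e:
        alarm = "LOW-LOW"   # emergency boration
    elif margin <= settings.d:
        alarm = "LOW"       # normal boration through the CVCS
    else:
        alarm = "NONE"
    return zll, margin, alarm


if __name__ == "__main__":
    settings = MonitorSettings(a=2.0, b=0.5, c=-280.0, d=10.0, e=2.0)  # constructed
    delta_t = [59.0, 60.0, 61.0]    # constructed loop delta-T readings
    tavg = [586.0, 587.0, 588.0]    # constructed loop Tavg readings
    for z in (150, 140, 135):
        print(z, rod_insertion_alarm(settings, z, delta_t, tavg))
    # One channel failed high: the median, and therefore ZLL, does not move.
    print(insertion_limit(settings, [59.0, 60.0, 150.0], tavg))
```

With an arithmetic mean in place of the median, the failed-high channel in the last call would raise the computed limit by 60 steps and produce a spurious alarm.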

Rod insertion limits are established by:

1. Establishing the allowed rod reactivity insertion at full power consistent with the purposes given above.
2. Establishing the differential reactivity worth of the control rods when moved in normal sequence.
3. Establishing the change in reactivity with power level by relating power level to rod position.
4. Linearizing the resultant limit curve. All key nuclear parameters in this procedure are measured as part of the initial and periodic physics testing program.

Any unexpected change in the position of the control bank under automatic control, or a change in coolant temperature under manual control, provides a direct and immediate indication of a change in the reactivity status of the reactor. In addition, samples are taken periodically of coolant boron concentration. Variations in concentration during core life provide an additional check on the reactivity status of the reactor, including core depletion.

7.7.1.3.4 Rod Deviation Alarm

The demanded and measured rod position signals are also monitored by the plant computer which provides a visual printout and an audible alarm whenever an individual rod position signal deviates from the other rods in the bank by a preset limit. The alarm can be set with appropriate allowance for instrument error and within sufficiently narrow limits to preclude exceeding core design hot channel factors.

Figure 7.7-3 is a block diagram of the rod deviation comparator and alarm system implemented by the plant computer.

7.7.1.3.5 Rod Bottom Alarms

A rod bottom signal for the full length rods in the Digital Rod Position System is used to operate control relays, which generate the Rod Bottom alarms.

7.7.1.4 Plant Control System Interlocks

The listing of the Plant Control System interlocks, along with the description of their derivations and functions, is presented in Table 7.7-1. It is noted that the designation numbers for these interlocks are preceded by C. The development of these logic functions is shown in the functional diagrams (Figure 7.2-1, Sheets 9 to 15).

7.7.1.4.1 Rod Stops

Rod stops are provided to prevent abnormal power conditions which could result from excessive control rod withdrawal initiated by either a Control System malfunction or operator violation of administrative procedures.

Rod stops are the C1, C2, C3, C4, and C5 control interlocks identified in Table 7.7-1. The C3 rod stop, derived from overtemperature ΔT, and the C4 rod stop, derived from overpower ΔT, are also used for turbine runback, which is discussed below.

7.7.1.4.2 Automatic Turbine Load Runback

Automatic turbine load runback is initiated by an approach to an overpower or overtemperature condition. This will prevent high power operation that might lead to an undesirable condition, which, if reached, will be protected by reactor trip.

Turbine load reference reduction is initiated by either an overtemperature or overpower ΔT signal. Two (2) out of 3 coincidence logic is used. A rod stop and turbine runback are initiated when:

$$\Delta T > \Delta T_{rod\ stop}$$

for both the overtemperature and the overpower condition.

For either condition in general:

$$\Delta T_{rod\ stop} = \Delta T_{setpoint} - B_p$$

where:

Bp = a setpoint bias.

ΔTsetpoint refers to the overtemperature ΔT reactor trip value and the overpower ΔT reactor trip value for the 2 conditions.

The turbine runback is continued until ΔT is equal to or less than ΔTrod stop. This function serves to maintain an essentially constant margin to trip.

7.7.1.5 Pressurizer Pressure Control

The Reactor Coolant System pressure is controlled by using either the heaters (in the water region) or the spray (in the steam region) of the pressurizer plus steam relief for large transients.

The electrical immersion heaters are located near the bottom of the pressurizer. A portion of the heater group is proportionally controlled to correct small pressure variations. These variations are due to heat losses, including heat losses due to a small continuous spray. The remaining (backup) heaters are turned on automatically or manually to control pressure in conjunction with the control heaters and spray.

The spray nozzles are located on the top of the pressurizer. Spray is initiated when the pressure controller spray demand signal is above a given setpoint. The spray rate increases proportionally with increasing spray demand signal until it reaches a maximum value.

Steam condensed by the spray reduces the pressurizer pressure. A small continuous spray is normally maintained to reduce thermal stresses and thermal shock and to help maintain uniform water chemistry and temperature in the pressurizer.

Power relief valves limit system pressure for large positive pressure transients. In the event of a large load reduction, not exceeding the design plant load rejection capability, the pressurizer power operated relief valves might be actuated for the most adverse conditions, e.g., the most negative Doppler coefficient, and the maximum incremental rod worth.

Diagrams of the pressurizer pressure control system are shown on Figures 7.7-4 and 7.2-1 Sheets 11 and 12.

7.7.1.6 Pressurizer Water Level Control

The pressurizer operates by maintaining a steam cushion over the reactor coolant. As the density of the reactor coolant adjusts to the various temperatures, the steam water interface moves to absorb the variations with relatively small pressure disturbances.

The water inventory in the Reactor Coolant System is maintained by the Chemical and Volume Control System. During normal plant operation, the charging flow varies to produce the flow demanded by the pressurizer water level controller. The pressurizer water level is programmed as a function of coolant average temperature, with the highest average temperature (auctioneered) being used. The pressurizer water level decreases as the load is reduced from full load. This is a result of coolant contraction following programmed coolant temperature reduction from full power to low power. The programmed level is designed to match as nearly as possible the level changes resulting from the coolant temperature changes.

To control pressurizer water level during startup and shutdown operations, the charging flow is manually regulated from the Main Control Room.

A block diagram of the Pressurizer Water Level Control System is shown on Figure 7.7-5.

7.7.1.7 Steam Generator Water Level Control

Each steam generator is equipped with a 3 element feedwater flow controller which maintains a programmed water level which is a function of reactor flux. The 3 element feedwater controller regulates the feedwater valve by continuously comparing the feedwater flow signal, the steam generator water level signal, the programmed level and the pressure compensated steam flow signal. In addition, the feedwater pump speed is varied to maintain a programmed pressure differential between the steam header and the feed pump discharge header. The speed controller continuously compares the actual ΔP with a programmed ΔPref which is a linear function of steam flow. Continued delivery of feedwater to the steam generators is required as a sink for the heat stored and generated in the reactor following a reactor trip and turbine trip. An override signal closes the feedwater valves when the average coolant temperature is below a given temperature and the reactor has tripped. Manual override of the feedwater control system is available at all times. The Instrument Air system for each main feedwater control valve is equipped with the necessary hardware to allow for local, manual control and locking of the main feedwater control valves in position with air pressure (air-gag), while maintaining the trip closed feature of the feedwater control valves.

When the plant is operating at very low power levels (as during startup), the steam and feedwater flow signals will not be usable for control. Therefore, a secondary automatic control system is provided for operation at low power. This system uses the steam generator water level and nuclear power signals in a feed forward control scheme to position a bypass valve which is in parallel with the main feedwater regulating valve. Switchover from the Bypass Feedwater Control System (low power) to the Main Feedwater Control System is initiated by the operator at approximately 25% power.

A block diagram of the Steam Generator Water Level Control System is shown in Figure 7.7-6 and 7.7-7.

7.7.1.8 Steam Dump Control

The Main Steam Supply System was originally designed to follow a full load rejection, defined as a reduction from 100% of rated turbine generator load to plant auxiliary load, without reactor trip through actuation of the steam dump to the condenser and atmosphere. With the transition to longer fuel cycles and less negative moderator temperature coefficients at the beginning of the fuel cycle, a full load rejection can no longer be sustained without a reactor trip for all times in core life and all allowable values of full power, average coolant temperature within the Reactor Coolant System.

The Automatic Steam Dump System is able to accommodate this abnormal load rejection and to reduce the effects of the transient imposed upon the Reactor Coolant System. By bypassing main steam directly to the condenser and/or the atmosphere, an artificial load is thereby maintained on the primary system. The Rod Control System can then reduce the reactor temperature to a new equilibrium value without causing a reactor trip for most allowed operating conditions (See Section 10.3.2.1). The steam dump system flow capacity was designed to be at least 85% of full load steam flow at full load steam pressure. The actual capacity is ~ 93.6%, (See Table 10.4-2).

If the difference between the reference Tavg (Tref) based on turbine first stage pressure and the lead/lag compensated median Tavg exceeds a predetermined amount, and the interlock mentioned below is satisfied, a demand signal will actuate the steam dump to maintain the Reactor Coolant System temperature within control range until a new equilibrium condition is reached.

A lead/lag compensation to this Tref signal is provided to improve steam dump response and provide a stable steam dump control. This allows for reducing Thot, thereby opening the steam dumps at a lower temperature error.

To prevent actuation of steam dump on small load perturbations, an independent load rejection sensing circuit is provided. This circuit senses the rate of decrease in the turbine load as detected by the turbine first stage pressure. It is provided to unblock the dump valves when the rate of load rejection exceeds a preset value corresponding to a 10% step load decrease or a sustained ramp load decrease of 5%/minute. Additional interlocks for steam dump are described in Table 7.3-3, designation P-12, and Table 7.7-1, designations C-7, C-8, C-9, C-15, and C-16.

Block diagrams of the Steam Dump Control System are shown on Figure 7.2-1, Sheet 10, and Figure 7.7-8.
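The load rejection sensing circuit described above can be illustrated with a rate/lag model, which shows why a single setpoint can correspond to both a 10% step and a sustained 5%/minute ramp. This is an added example, not taken from the report or the plant design; the rate/lag form, the time constant, the setpoint and all function names are assumptions made for illustration.

```python
"""Illustrative model of a load rejection sensing circuit (added example).

Assumption: the circuit is modelled as a rate/lag (derivative-lag) unit,
tau*s / (1 + tau*s), acting on turbine first stage pressure expressed in
percent of full load. TAU_S and ARM_SETPOINT are illustrative values chosen
so that one setpoint matches both thresholds the text names: a 10% step
decrease and a sustained 5%/minute ramp decrease. They are not plant values.
"""

TAU_S = 120.0         # assumed rate/lag time constant, seconds
ARM_SETPOINT = 10.0   # assumed setpoint, in percent-load units of the rate/lag output
DT_S = 1.0            # simulation time step, seconds


def rate_lag(samples, tau=TAU_S, dt=DT_S):
    """Backward-Euler discretisation of tau*s/(1+tau*s).

    A step of size A gives a peak of about A that decays with time constant
    tau; a ramp of slope r settles at r*tau. With tau = 2 minutes, a 10% step
    and a 5%/minute ramp therefore both approach an output of 10.
    """
    a = tau / (tau + dt)
    out, y, prev = [], 0.0, samples[0]
    for x in samples:
        y = a * (y + (x - prev))
        prev = x
        out.append(y)
    return out


def step_profile(size_pct, duration_s=600, start=100.0):
    """Load held at `start`, then changed by `size_pct` at t = 10 s.

    Negative sizes are load decreases.
    """
    n = int(duration_s / DT_S)
    return [start if i < 10 else start + size_pct for i in range(n)]


def ramp_profile(rate_pct_per_min, duration_s=600, start=100.0):
    """Load ramped from `start` at the given rate, clamped to 0..100%.

    Negative rates are load decreases.
    """
    n = int(duration_s / DT_S)
    per_step = rate_pct_per_min / 60.0 * DT_S
    return [max(0.0, min(100.0, start + per_step * i)) for i in range(n)]


def arming_time(load_pct):
    """First time (s) at which the decrease-only rate signal exceeds the
    setpoint and the dump valves would be unblocked, or None if the
    valves stay blocked for the whole profile."""
    for i, y in enumerate(rate_lag(load_pct)):
        if -y > ARM_SETPOINT:   # decrease only: a load increase gives y > 0
            return i * DT_S
    return None


if __name__ == "__main__":
    cases = {
        "9% step decrease": step_profile(-9.0),
        "11% step decrease": step_profile(-11.0),
        "4%/min ramp decrease": ramp_profile(-4.0),
        "6%/min ramp decrease": ramp_profile(-6.0),
        "11% step increase": step_profile(+11.0, start=80.0),
    }
    for name, profile in cases.items():
        t = arming_time(profile)
        state = "blocked" if t is None else f"unblocked at t = {t:.0f} s"
        print(f"{name:22s} -> steam dump {state}")
```

In this model the ramp case unblocks only after the ramp has been sustained for several minutes, which matches the "sustained ramp" wording of the text.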

7.7.1.8.1 Load Rejection Steam Dump Controller

This circuit prevents a large increase in reactor coolant temperature following a large, sudden load decrease. The error signal is the difference between the lead/lag compensated median Tavg and the reference Tavg based on turbine first stage pressure.

The Tavg signal is the same as that used in the Reactor Coolant System. The lead/lag compensation for the Tavg signal is to compensate for lags in the plant thermal response and in valve positioning. Following a sudden load decrease, Tref is immediately decreased and Tavg tends to increase, thus generating an immediate demand signal for steam dump. Since control rods are available, in this situation steam dump terminates as the error comes within the maneuvering capability of the control rods.

7.7.1.8.2 Turbine Trip Steam Dump Controller

Following a turbine trip, as monitored by the turbine trip signal, the load rejection steam dump controller is defeated and the turbine trip steam dump controller becomes active. Since control rods are not available in this situation, the demand signal is the error signal between the lead/lag compensated median Tavg and the no load reference Tavg. When the error signal exceeds a predetermined setpoint the dump valves are tripped open in a prescribed sequence. As the error signal reduces in magnitude indicating that the Reactor Coolant System Tavg is being reduced toward the reference no load value, the dump valves are modulated by the plant trip controller to regulate the rate of decay heat removal and thus gradually establish the equilibrium hot shutdown condition.

Following a turbine trip only sufficient steam dump capacity is necessary to maintain steam pressure below the steam generator relief valve setpoint (approximately 40% capacity to the condenser); therefore, only the first 2 groups of valves are opened. The error signal determines whether a group is to be tripped open or modulated open. The valves are modulated when the error is below the trip-open setpoints.

7.7.1.8.3 Steam Header Pressure Controller

Residual heat removal is maintained by the steam generator pressure controller (manually selected) which controls the amount of steam flow to the condensers. This controller operates a portion of the same steam dump valves to the condensers which are used during the initial transient following a turbine and reactor trip.

7.7.1.9 Incore Instrumentation

The Incore Instrumentation System consists of Chromel-Alumel thermocouples at fixed core outlet positions and movable miniature neutron detectors which can be positioned at the center of selected fuel assemblies, anywhere along the length of the fuel assembly vertical axis. The basic system for insertion of these detectors is shown in Figure 7.7-9.

7.7.1.9.1 Thermocouples

This section deleted by Amendment 1, August 1985.

7.7.1.9.2 Movable Neutron Flux Detector Drive System

Miniature fission chamber detectors can be remotely positioned in retractable guide thimbles to provide flux mapping of the core. The stainless steel detector shell is welded to the leading end of helical wrap drive cable and to stainless steel sheathed coaxial cable. The retractable thimbles, into which the miniature detectors are driven, are pushed into the reactor core through conduits which extend from the bottom of the reactor vessel down through the concrete shield area and then up to a thimble seal table. Their distribution over the core is nearly uniform with about the same number of thimbles located in each quadrant.

The thimbles are closed at the leading ends, are dry inside, and serve as the pressure barrier between the Reactor Coolant System and the atmosphere. Mechanical seals between the retractable thimbles and the conduits are provided at the seal line. During reactor operation, the retractable thimbles are stationary. They are extracted downward from the core during refueling to avoid interference within the core. A space above the seal line is provided for the retraction operation.

The Drive System for the insertion of the miniature detectors consists basically of drive assemblies, 5 path rotary transfer assemblies, and 10 path rotary transfer assemblies, as shown in Figure 7.7-9. The Drive System pushes hollow helical wrap drive cables into the core with the miniature detectors attached to the leading ends of the cables and small diameter sheathed coaxial cables threaded through the hollow centers back to the ends of the drive cables. Each drive assembly consists of a gear motor which pushes a helical wrap drive cable and detector through a selective thimble path by means of a special drive box and includes a storage device that accommodates the total drive cable length.

Manual isolation valves (1 for each thimble) are provided for closing the thimbles. When closed, the valves form a 2500 psig barrier. The manual isolation valves are not designed to isolate a thimble while a detector/drive cable is inserted into the thimble. The detector/drive cable must be retracted to a position above the isolation valve prior to closing the valve.

A small leak would probably not prevent access to the isolation valves and thus a leaking thimble could be isolated during a hot shutdown. A large leak might require cold shutdown for access to the isolation valve.

7.7.1.9.3 Control and Readout Description

The Control and Readout System provides means for inserting the miniature neutron detectors into the reactor core and withdrawing the detectors while plotting neutron flux versus detector position. The Control System is located in the Control Room. Limit switches in each transfer device provide feedback of path selection operation. Each gear box drives an encoder for position feedback. One (1) 5 path operation selector is provided for each drive unit to insert the detector in one of 5 functional modes of operation. One (1) 10 path operation selector is also provided for each drive unit that is used to route a detector into any 1 of up to 10 selectable paths. A common path is provided to permit cross calibration of the detectors.

The Control Room contains the necessary equipment for control, position indication, and flux recording for each detector.

A flux-mapping consists, briefly, of selecting (by panel switches) flux thimbles in given fuel assemblies at various core quadrant locations. The detectors are driven to the top of the core and stopped automatically. An x-y plot (position versus flux level) is initiated with the slow withdrawal of the detectors through the core from top to a point below the bottom. In a similar manner other core locations are selected and plotted. Each detector provides axial flux distribution data along the center of a fuel assembly.

Various radial positions of detectors are then compared to obtain a flux map for a region of the core.

The number and location of these thimbles have been chosen to permit measurement of local to average peaking factors to an accuracy of +/- 5% (95% confidence). Measured nuclear peaking factors will be increased by 5% to allow for this accuracy. If the measured power peaking is larger than acceptable, reduced power capability will be indicated.

Operating plant experience has demonstrated the adequacy of the incore instrumentation in meeting the design bases stated.

7.7.1.9.4 Power Distribution Monitoring System

An alternative to the Movable Incore Detector System for developing full core flux maps while above 25% power, is the BEACON Power Distribution Monitoring System (Reference 3). This system obtains data from the plant computer and processes the data into a 3-dimensional core model. The inputs into this system are core exit thermocouples, control rod bank position, Tcold, Reactor power level, and the nuclear instrumentation Power Range section signals. Per Technical Specifications, there is a minimum number of each type of input necessary to consider the system operable.

7.7.2 Analysis

The plant control systems are designed to assure high reliability in any anticipated operational occurrences. Equipment used in these systems is designed and constructed with a high level of reliability.

Proper positioning of the control rods is monitored in the Control Room by bank arrangements of the individual position columns for each rod cluster control assembly. A rod deviation alarm alerts the operator of a deviation of 1 rod cluster control assembly from the other rods in that bank position. There are also insertion limit monitors with visual and audible annunciation. A rod bottom alarm signal is provided to the Control Room for each full length rod cluster control assembly. Four (4) excore long ion chambers also detect asymmetrical flux distribution indicative of rod misalignment.

Overall reactivity control is achieved by the combination of soluble boron and rod cluster control assemblies. Long term regulation of core reactivity is accomplished by adjusting the concentration of boric acid in the reactor coolant. Short term reactivity control for power changes is accomplished by the Plant Control System which automatically moves rod cluster control assemblies. This system uses input signals including neutron flux, coolant temperature, and turbine load.

The Plant Control Systems will prevent an undesirable condition in the operation of the plant that, if reached, will be protected by reactor trip. The description and analysis of this protection is covered in Section 7.2. Worst case failure modes of the Plant Control Systems are postulated in the analysis of off-design operational transients and accidents covered in Chapter 15, such as, the following:

1. Uncontrolled rod cluster control assembly withdrawal from a subcritical condition.
2. Uncontrolled rod cluster control assembly withdrawal at power.
3. Rod cluster control assembly misalignment.
4. Loss of external electrical load and/or turbine trip.
5. Loss of all a-c power to the station auxiliaries.
6. Excessive heat removal due to Feedwater System malfunctions.
7. Excessive load increase incident.
8. Accidental depressurization of the Reactor Coolant System.

These analyses show that a reactor trip setpoint is reached in time to protect the health and safety of the public under those postulated incidents and that the resulting coolant temperatures produce a departure from nucleate boiling ratio (DNBR) well above the limiting value of 1.30. Thus, there will be no cladding damage and no release of fission products to the Reactor Coolant System under the assumption of these postulated worst case failure modes of the plant control system.

7.7.2.1 Separation of Protection and Control System

In some cases, it is advantageous to employ control signals derived from individual protection channels through isolation amplifiers contained in the protection channel. As such, a failure in the control circuitry does not adversely affect the protection channel. Test results have shown that a short circuit or the application (credible fault voltage from within the cabinets) of 120 volt a-c +/- 1% or 140 volt d-c on the isolated output portion of the circuit (nonprotection side of the circuit) will not affect the input (protection) side of the circuit.

Where a single random failure can cause a control system action that results in a generating station condition requiring protective action and can also prevent proper action of a protection system channel designed to protect against the condition, the remaining redundant protection channels are capable of providing the protective action even when degraded by a second random failure. The loop Tavg and Delta-T channel required inputs to the Steam Dump System, Reactor Control System, the Control Rod Insertion Monitor and the Pressurizer Level Control System are electrically isolated prior to being routed to the control cabinets. A median signal is then calculated for Tavg and Delta-T in the control cabinets utilizing a Median Signal Selection (MSS) for input to the appropriate control systems. This meets the applicable requirements of Section 4.7 of IEEE Standard 279-1971.

The pressurizer pressure channels needed to derive the control signals are electrically isolated from protection.
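The effect of the Median Signal Selection described in this section can be shown by comparing it with two other ways of combining redundant channels under a single channel failure. This is an added example, not the plant's implementation; the use of three channels, the temperature readings, the instrument span and the function names are all constructed assumptions.

```python
"""Median Signal Selection compared with two other selection schemes (added example).

Assumptions: three isolated loop Tavg channels, values in degrees F. The
readings, the span and the failure values are constructed for illustration;
none come from the plant.
"""
from statistics import median

TRUE_TAVG = 580.0                  # constructed "true" temperature, deg F
HEALTHY = (579.6, 580.1, 580.3)    # constructed healthy channel readings
SPAN = (530.0, 630.0)              # assumed instrument span, deg F

SELECTORS = {
    "median": median,
    "average": lambda ch: sum(ch) / len(ch),
    "high_select": max,
}


def inject(channels, index, value):
    """Return a copy of `channels` with one channel replaced by a failed value."""
    failed = list(channels)
    failed[index] = value
    return tuple(failed)


def failure_cases(span=SPAN, steps=20):
    """Failed-channel values: fail-low, fail-high and points stepped across the span."""
    lo, hi = span
    return [lo + (hi - lo) * k / steps for k in range(steps + 1)]


def worst_case_error(selector, healthy=HEALTHY, true_value=TRUE_TAVG):
    """Largest |selected - true| over every single-channel failure."""
    worst = 0.0
    for idx in range(len(healthy)):
        for bad in failure_cases():
            selected = selector(inject(healthy, idx, bad))
            worst = max(worst, abs(selected - true_value))
    return worst


def median_bounded_by_healthy(healthy=HEALTHY):
    """Property behind the control/protection separation argument: with one
    channel failed to any value, the median always lies between the two
    remaining healthy readings, so the failure cannot drive the control system."""
    for idx in range(len(healthy)):
        others = [v for i, v in enumerate(healthy) if i != idx]
        for bad in failure_cases():
            m = median(inject(healthy, idx, bad))
            if not min(others) <= m <= max(others):
                return False
    return True


def double_failure_escapes(healthy=HEALTHY, bad=SPAN[1]):
    """Two channels failed the same way defeat the median: the selection
    covers a single failure, not a common-cause failure of two channels."""
    two_bad = inject(inject(healthy, 0, bad), 1, bad)
    return median(two_bad) == bad


if __name__ == "__main__":
    for name, selector in SELECTORS.items():
        print(f"{name:12s} worst-case error: {worst_case_error(selector):6.2f} deg F")
    print("median bounded by healthy channels:", median_bounded_by_healthy())
    print("two identical failures pass through:", double_failure_escapes())
```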

7.7.2.2 Response Considerations of Reactivity

Reactor shutdown with control rods is completely independent of the control functions since the trip breakers interrupt power to the full length rod drive mechanisms regardless of existing control signals. The design is such that the system can withstand accidental withdrawal of control groups or unplanned dilution of soluble boron without exceeding acceptable fuel design limits. The design meets the requirements of the 1971 General Design Criteria 25.

No single electrical or mechanical failure in the Rod Control System could cause the accidental withdrawal of a single rod cluster control assembly from the partially inserted bank at full power operation. The operator could deliberately withdraw a single rod cluster control assembly in the control bank; this feature is necessary in order to retrieve a rod, should one be accidentally dropped. In the extremely unlikely event of simultaneous electrical failures which could result in a single rod cluster control assembly withdrawal, rod deviation would be displayed on the plant annunciator, and the individual rod position readouts would indicate the relative positions of the rods in the bank. Withdrawal of a single rod cluster control assembly by operator action, whether deliberate or by a combination of errors, would result in activation of the same alarm and the same visual indications.

Each bank of control and shutdown rods in the system is divided into 2 groups (group 1 and group 2) of 4 mechanisms each. The rods comprising a group operate in parallel through multiplexing thyristors. The 2 groups in a bank move sequentially such that the first group is always within 1 step of the second group in the bank. The group 1 and group 2 power circuits are installed in different cabinets as shown in Figure 7.7-15, which also shows that 1 group is always within 1 step (5/8 inch) of the other group. A definite schedule of actuation or deactuation of the stationary gripper, moveable gripper, and lift coils of a mechanism is required to withdraw the rod cluster control assembly attached to the mechanism. Since the 4 stationary gripper, moveable gripper, and lift coils associated with the rod cluster control assemblies of a rod group are driven in parallel, any single failure which could cause rod withdrawal would affect a minimum of 1 group of rod cluster control assemblies. Mechanical failures are in the direction of insertion, or immobility.

Figure 7.7-15 is provided for a discussion of design features that assure that no single electrical failure could cause the accidental withdrawal of a single rod cluster control assembly from the partially inserted bank at full power operation.

Figure 7.7-15 shows the typical parallel connections on the lift, movable and stationary coils for a group of rods. Since single failures in the stationary or movable circuits will result in dropping or preventing rod (or rods) motion, the discussion of single failure will be addressed to the lift coil circuits. 1) Due to the method of wiring the pulse transformers which fire the lift coil multiplex thyristors, 3 of the 4 thyristors in a rod group could remain turned off when required to fire, if for example the gate signal lead failed open at point 1. Upon up demand, 1 rod in group 1 and 4 rods in group 2 would withdraw. A second failure at point 2 in group 2 circuit is required to withdraw 1 rod cluster control assembly; 2) Timing circuit failures will affect the 4 mechanisms of a group or the 8 mechanisms of the bank and will not cause a single rod withdrawal; 3) More than 2 simultaneous component failures are required (other than the open wire failures) to allow withdrawal of a single rod.

The identified multiple failure involving the least number of components consists of open circuit failure of the proper 2 out of 16 wires connected to the gate of the lift coil thyristors. The probability of open wire (or terminal) failure is 0.016 x 10^-6 per hour by MIL-HDBK-217A. These wire failures would have to be accompanied by failure, or disregard, of the indications mentioned above. The probability of this occurrence is therefore too low to have any significance.

Concerning the human element, to erroneously withdraw a single rod cluster control assembly, the operator would have to improperly set the bank selector switch, the lift coil disconnect switches, and the in-hold-out switch. In addition, the indications would have to be disregarded or ineffective. Such a series of errors would require a complete lack of understanding and administrative control. A probability number cannot be assigned to a series of errors such as these.

The Rod Position Indication System provides direct visual displays of each control rod assembly position. The plant computer alarms for deviation of rods from their banks. In addition a rod insertion limit monitor provides an audible and visual alarm to warn the operator of an approach to an abnormal condition due to dilution. The low-low insertion limit alarm alerts the operator to follow emergency boration procedures. The facility reactivity control systems are such that acceptable fuel damage limits will not be exceeded even in the event of a single malfunction of either system.

An important feature of the Control Rod System is that insertion is provided by gravity fall of the rods.

In all analyses involving reactor trip, the single, highest worth rod cluster control assembly is postulated to remain untripped in its full out position.

One means of detecting a stuck control rod assembly is available from the actual rod position information displayed on the control board. There is a control board rod position readout, one for each full length rod, to provide the plant operator the actual position of the rod in steps. The indications are grouped by banks (e.g., control bank A, control bank B, etc.) to indicate to the operator the deviation of one rod with respect to other rods in a bank. This serves as a means to identify rod deviation.

The plant computer monitors the actual position of all rods. Should a rod be misaligned from the other rods in that bank by more than 15 inches, the rod deviation alarm is actuated.

Misaligned rod cluster control assemblies are also detected and alarmed in the Control Room via the Flux Tilt Monitoring System which is independent of the plant computer. Isolated signals derived from the Nuclear Instrumentation System are compared with one another to determine if a preset amount of deviation of average power level has occurred. Should such a deviation occur the comparator output will operate a bistable unit to actuate a control board annunciator. This alarm will alert the operator to a power imbalance caused by a misaligned rod. By use of individual rod position readouts, the operator can determine the deviating control rod and take corrective action. The design of the Plant Control Systems meets the requirements of the 1971 General Design Criteria 23.

Refer to Section 4.3.2.1 for additional information on response considerations due to reactivity.

7.7.2.3 Step Load Changes Without Steam Dump

The Plant Control System restores equilibrium conditions, without a trip, following a plus or minus 10% step change in load demand, over the 15 to 100% power range for automatic control.

Steam dump is blocked for load decrease less than or equal to 10%. A load demand greater than full power is prohibited by the turbine control load limit devices.

The Plant Control System minimizes the reactor coolant average temperature deviation during the transient within a given value and restores average temperature to the programmed setpoint.

Excessive pressurizer pressure variations are prevented by using spray and heaters and power relief valves in the pressurizer.

The control system must limit nuclear power overshoot to acceptable values following a 10% increase in load to 100%.

7.7.2.4 Loading and Unloading

Ramp loading and unloading of 5% per minute can be accepted over the 15 to 100% power range under automatic control without tripping the plant. The function of the control system is to maintain the coolant average temperature as a function of turbine generator load.

The coolant average temperature increases during loading and causes a continuous insurge to the pressurizer as a result of coolant expansion. The sprays limit the resulting pressure increase.

Conversely, as the coolant average temperature is decreasing during unloading, there is a continuous outsurge from the pressurizer resulting from coolant contraction. The pressurizer heaters limit the resulting system pressure decrease. The pressurizer water level is programmed such that the water level is above the setpoint for heater cut out during the loading and unloading transients. The primary concern during loading is to limit the overshoot in nuclear power and to provide sufficient margin in the overtemperature ΔT setpoint.

The automatic load controls are designed to adjust the unit generation to match load requirements within the limits of the unit capability and licensed rating.

7.7.2.5 Load Rejection Furnished by Steam Dump System

When a load rejection occurs, if the difference between the required temperature setpoint of the Reactor Coolant System and the actual average temperature exceeds a predetermined amount, a signal will actuate the steam dump to maintain the Reactor Coolant System temperature within control range until a new equilibrium condition is reached.

The reactor power is reduced at a rate consistent with the capability of the Rod Control System.

Reduction of the reactor power is automatic. The steam dump flow reduction is as fast as rod cluster control assemblies are capable of inserting negative reactivity.

The Rod Control System can then reduce the reactor temperature to a new equilibrium value without causing a reactor trip for most allowed operating conditions (See Section 10.3.2.1). The steam dump system flow capacity was designed to be at least 85% of full load steam flow at full load steam pressure. The actual capacity is ~ 93.6%, (See Table 10.4-2).

The steam dump flow reduces proportionally as the control rods act to reduce the average coolant temperature. The artificial load is therefore removed as the coolant average temperature is restored to its programmed equilibrium value.

The dump valves are modulated by the reactor coolant average temperature signal. The required number of steam dump valves can be tripped quickly to stroke full open or modulate, depending upon the magnitude of the temperature error signal resulting from loss of load.

7.7.2.6 Turbine Generator Trip with Reactor Trip

Whenever the turbine generator unit trips at an operating power level above 50% power, the reactor also trips. The unit is operated with a programmed average temperature as a function of load, with the full load average temperature significantly greater than the equivalent saturation pressure of the steam generator safety valve setpoint. The thermal capacity of the Reactor Coolant System is greater than that of the Secondary System, and because the full load average temperature is greater than the no load temperature, a heat sink is required to remove heat stored in the reactor coolant to prevent actuation of steam generator safety valves for a trip from full power. This heat sink is provided by the combination of controlled release of steam to the condenser and by makeup of feedwater to the steam generators.

The Steam Dump System is controlled from the reactor coolant average temperature signal whose setpoint values are programmed as a function of turbine load. Actuation of the steam dump is rapid to prevent actuation of the steam generator safety valves. With the dump valves open, the average coolant temperature starts to reduce quickly to the no load setpoint. A direct feedback of temperature acts to proportionally close the valves to minimize the total amount of steam which is by-passed.

Following the turbine trip, the feedwater flow is cut off when the average coolant temperature decreases below a given temperature or when the steam generator water level reaches a given high level.

Additional feedwater makeup is then controlled manually to restore and maintain steam generator water level while assuring that the reactor coolant temperature is at the desired value. Residual heat removal is controlled by the steam generator pressure controller (manually selected) which controls the amount of steam flow to the condensers. This controller operates a portion of the same steam dump valves to the condensers which are used during the initial transient following turbine and reactor trip.

The pressurizer pressure and level fall rapidly during the transient because of coolant contraction.

The pressurizer water level is programmed so that the level following the turbine and reactor trip is above the heaters. However, if the heaters become uncovered following the trip, the Chemical and Volume Control System will provide a full charging flow to restore water level in the pressurizer. Heaters are then turned on to restore pressurizer pressure to normal.

The Steam Dump and Feedwater Control Systems are designed to prevent the average coolant temperature from falling below the programmed no load temperature following the trip to ensure adequate reactivity shutdown margin.

7.7.3 Technical Support Complex (TSC)

7.7.3.1 Description

In response to the recommendations issued post-TMI (e.g., NUREG-0578, NUREG-0585), South Carolina Electric & Gas will incorporate into the Virgil C. Summer Nuclear Power Plant a Technical Support Complex (TSC). This complex will improve the information available to operating and technical personnel. The 3 elements of the Technical Support Complex are:

1. ON-SITE Technical Support Center (OSTS).
2. Bypass and Inoperable Status Indication (BISI)
3. Safety Parameter Display System (SPDS)

The ON-SITE Technical Support Center is at a location adjacent to but separate from the Control Room. Key plant information can be displayed in and transmitted from the ON-SITE Technical Support Center to those technical personnel who are responsible for engineering support during post accident recovery. The center has the capability to receive, process, and display analog and digital signals from both the Nuclear Steam Supply System and balance of plant parts of the plant.

Bypass and Inoperable Status Indication provides the operator with a clear indication of the availability of plant safety systems. It provides the operator and OTSC personnel with a continuous systems level indication of bypasses or inoperable status of the systems comprising the Engineered Safety Features.

The purpose of the safety parameter display system (SPDS) is to assist operating personnel in evaluating the safety status of the plant. The safety parameter display system provides a continuous indication of plant parameters or derived variables which are representative of the safety status of the plant during both normal and emergency use except in the case that a seismic event results in the loss of the Integrated Plant Computer System (IPCS). The primary function of the SPDS is to aid in the rapid detection of abnormal operating conditions. Secondary functions include analyzing and diagnosing the abnormality, and providing an informational basis for corrective action execution.

The Technical Support Complex is located in the Control Building, elevation 463'0", separate from but next to, the Control Room and is capable of accommodating a minimum of 25 persons (see Figure 1.2-15). Access to the Control Room is available through connecting doors between the Technical Support Complex and the Control Room. Print storage and plant information will be available in the Technical Support Center. The Technical Support Complex contains the following areas:

1. Data Display Room - This contains the communications and monitoring equipment necessary to provide the engineering and management support functions during an accident condition. The communications, monitoring, and display equipment in this area includes:
a. Communications Network including plant telephones, dedicated lines to external parties, and radio systems.
2. SCE&G Co. Technical Area - Office and communications facilities for SCE&G assigned personnel.
3. NRC Office - Office and communications for 5 NRC assigned personnel.
4. Operations Conference Room - Conference Room facilities.
5. Westinghouse Office - Office and communications facilities for plant personnel to communicate with Westinghouse.
6. GAI Office - Office and communications facilities for plant personnel to communicate with GAI.
7. Emergency Monitoring Team Office - Office facilities for the SCE&G Co. emergency monitoring team.

The Technical Support Complex is habitable to the same environmental conditions as the Control Room for postulated accident conditions. (The Technical Support Complex has the same air supply and exhaust system as the Control Room, see Section 9.4.1.2.1).

Installed radiation monitors (RM-G1 and RM-A1) will detect direct radiation and airborne radioactive contaminants for both the Control Room and the Technical Support Complex. The monitors will alarm when high radiation levels are being approached. SCE&G Co. has established in the plant's emergency procedures the necessary precautionary protective measures to be taken for high levels of radiation.

7.7.3.2 Analysis

1. The Technical Support Complex is located on elevation 463'0" of the Control Building, which is a Seismic Category I structure.
2. The environmental conditions within the Technical Support Complex are the same as those in the Control Room.
3. Installed radiation monitors (RM-G1 and RM-A1) will detect direct radiation and airborne radioactive contaminants for both the Control Room and the TSC. The monitors will alarm when high radiation levels are being approached.
4. Equipment within the Technical Support Complex is designed to assure reliability in the recovery of data.
5. The Technical Support Complex and equipment located in the Technical Support Complex are not required to initiate actuation of safety related systems. Loss of the Technical Support Complex or any equipment within the TSC will not prevent safe shutdown of the plant.

7.7.4 Critical Systems Leak Monitoring System

7.7.4.1 Description

An acoustical type leak monitoring system is provided to detect through the wall and valve seat leakage downstream of the pressurizer safety valves.

The sensors and preamps for the system are located inside the Reactor Building, with all other conditioning components located outside.

A leak through a valve seat generates metal borne acoustic waves which are detected by acoustic transducers mounted on the piping adjacent to the valves. The transducers convert the acoustic waves into electrical signals which are amplified and then transmitted to the Leak Detection System.

The Control Room is provided with indication which relates to the size of the leak and an alarm which alerts the operator of the occurrence of a leak. The system is provided with multiple sensors to enable the plant operator to determine which pressurizer safety valve is open.

7.7.4.2 Analysis

The Critical Systems Leak Monitoring System is powered from a vital instrument bus. The system will be qualified to IEEE 323-1971 and IEEE 344-1975. Seismic and environmental qualification are discussed in Sections 3.10 and 3.11, respectively.

7.7.5 Reactor Vessel Level Instrumentation System

This section deleted by Amendment 4.

7.7.6 Core Subcooling Monitor

This section deleted by Amendment 1, August 1985.

7.7.7 References

1. Lipchak, J. B. and Stokes, R. A., Nuclear Instrumentation System, WCAP-8255, January, 1974.
2. Calculation of Distance Factors for Power and Test Reactor Sites, J. J. Dinunno, et al, U. S. Atomic Energy Commission, Washington, D. C., March, 1962.

3. BEACON Core Monitoring and Operations Support System, WCAP-12472-P-A, August, 1994.
4. WCAP-12472-P-A, Addendum 1-A, BEACON Core Monitoring and Operations Support System, January 2000, (W Proprietary)

Table 7.7-1 Plant Control System Interlocks

DESIGNATION | DERIVATION | FUNCTION
C-1 | 1/2 Neutron flux (intermediate range) above setpoint | Blocks automatic and manual control rod withdrawal
C-2 | 1/4 Neutron flux (power range) above setpoint | Blocks automatic and manual control rod withdrawal
C-3 | 2/3 Overtemperature ΔT above setpoint | Blocks automatic and manual control rod withdrawal; Actuates turbine runback via load reference; Defeats remote load dispatching (if remote load dispatching is used)
C-4 | 2/3 Overtemperature ΔT above setpoint | Blocks automatic and manual control rod withdrawal; Actuates turbine runback via load reference; Defeats remote load dispatching (if remote load dispatching is used)
C-5 | 1/1 Turbine first stage pressure below setpoint | Defeats remote load dispatching (if remote load dispatching is used); Blocks automatic control rod withdrawal
C-7 | 1/1 Time derivative (absolute value) of turbine first stage pressure (decrease only) above setpoint | Makes steam dump valves available for either tripping or modulation
C-8 | Turbine trip, 2/3 turbine emergency trip fluid pressure below setpoint or 4/4 turbine valves closed | Blocks steam dump control via load rejection Tavg controller; Makes steam dump valves available for either tripping or modulation
C-8 | No turbine trip, 2/3 turbine emergency trip fluid pressure above setpoint and 1/4 turbine inlet line stop valves not closed | Blocks steam dump control via turbine trip Tavg controller
C-9 | Any condenser pressure above setpoint, or circulation water pump breakers open | Blocks steam dump to condenser
C-11 | 1/1 Bank D control rod position above setpoint | Blocks automatic rod withdrawal
C-15 | 1/1 Generator loss of stator coolant, runback has occurred | Block steam dump to one pair of the four pairs of condenser steam dump valves (not the cooldown valves)
C-16 | 1/1 Condenser pressure above 4.5 inches of mercury | Block steam dump to one pair of condenser steam dump valves (not cooldown valves or valves blocked by designation C-15, above)

Table 7.7-2 Intentionally Blank

Figure 7.7-1 SIMPLIFIED BLOCK DIAGRAM OF REACTOR CONTROL SYSTEM

Figure 7.7-2 CONTROL BANK ROD INSERTION MONITOR

Figure 7.7-3 ROD DEVIATION COMPARATOR

Figure 7.7-4 BLOCK DIAGRAM OF PRESSURIZER PRESSURE CONTROL SYSTEM

Figure 7.7-5 BLOCK DIAGRAM OF PRESSURIZER LEVEL CONTROL SYSTEM

Figure 7.7-6 BLOCK DIAGRAM OF STEAM GENERATOR WATER LEVEL CONTROL SYSTEM

Figure 7.7-7 BLOCK DIAGRAM OF MAIN FEEDWATER PUMP SPEED CONTROL SYSTEM Amendment 0 August 1984

Figure 7.7-8 BLOCK DIAGRAM OF STEAM DUMP CONTROL SYSTEM

Figure 7.7-9 BASIC FLUX-MAPPING SYSTEM Amendment 0 August 1984

Figure 7.7-10 (DELETED PER RN 99-085)

Figure 7.7-11 (DELETED PER RN 99-085)

Figure 7.7-12 (DELETED PER RN 99-085)

Figure 7.7-13 (DELETED PER RN 99-085)

Figure 7.7-14 SIMPLIFIED BLOCK DIAGRAM ROD CONTROL SYSTEM

Figure 7.7-15 CONTROL BANK D PARTIAL SIMPLIFIED SCHEMATIC DIAGRAM POWER CABINETS 18D AND 28D Amendment 0 August 1984

7.8 ATWS MITIGATION SYSTEM ACTUATION CIRCUITRY (AMSAC)

7.8.1 Description

7.8.1.1 System Description

The ATWS (Anticipated Transient Without Scram) Mitigation System Actuation Circuitry (AMSAC) provides a backup to the Reactor Trip System (RTS) and Engineered Safety Features Actuation System (ESFAS) for initiating turbine trip and emergency feedwater flow in the event an anticipated transient results in, for example, the complete loss of main feedwater. The AMSAC is independent of and diverse from the Reactor Trip System and the Engineered Safety Features Actuation System, with the exception of the final actuation devices, and is classified as quality related equipment. It is a highly reliable, microprocessor-based, single train system powered by a non-Class 1E source with battery backup.

The AMSAC continuously monitors level in the steam generators, which is an anticipatory indication of a loss of heat sink, and initiates certain functions when the level drops below a predetermined setpoint for at least a preselected time and for 2 of the 3 steam generator levels.

These initiated functions are the tripping of the turbine, the initiation of emergency feedwater, and isolation of the steam generator blowdown and sample lines.

The AMSAC is designed to be highly reliable, resistant to inadvertent actuation, and easily maintained. Reliability is assured through the use of internal redundancy and continual self-testing by the system. Inadvertent actuations are minimized through the use of internal redundancy and majority voting at the output stage of the system. The time delay on low steam generator level and the coincidence logic used also minimize inadvertent actuations.

The AMSAC automatically performs its actuations when above a preselected power level, determined using turbine impulse chamber pressure, and remains armed sufficiently long after that pressure drops below the setpoint to ensure that its function will be performed in the event of a turbine trip.

7.8.1.2 Equipment Description

The AMSAC consists of a single train of equipment located in a seismically qualified cabinet.

The design of the AMSAC is based on the industry standard Intel multibus format, which permits the use of various readily available, widely used microprocessor cards on a common data bus for various functions.

The AMSAC consists of the following:

1. Steam Generator Level Sensing

SG level is measured with 3 existing differential pressure-type level transmitters, for each of the main steam generators.

2. Turbine Impulse Pressure

Turbine Impulse Pressure is measured with 2 existing pressure transmitters located in the steam supply line near the turbine.

3. System Hardware

The system hardware consists of 2 primary systems: the Actuation Logic System (ALS) and the Test/Maintenance System (T/MS).

Actuation Logic System

The Actuation Logic System monitors the analog and digital inputs, performs the functional logic required, provides actuation outputs to trip the turbine and initiate emergency feedwater flow, and provides status information to the Test/Maintenance System. The Actuation Logic System consists of 3 groups of input/output (I/O) modules, 3 actuation logic processors (ALPs), 2 majority voting modules, and 2 output relay panels. The I/O modules provide signal conditioning, isolation, and test features for interfacing the Actuation Logic System and Test/Maintenance System. Conditioned signals are sent to 3 identical actuation logic processors for analog-to-digital conversion, setpoint comparison, and coincidence logic performance. Each of the actuation logic processors performs identical logic calculations using the same inputs and derives component actuation demands, which are then sent to the majority voting modules. The majority voting modules perform a 2 out of 3 vote on the actuation logic processor demand signals. These modules drive the relays providing outputs to the existing turbine trip and emergency feedwater initiation circuits. A simplified block diagram of the AMSAC Actuation Logic System architecture is presented in Figure 7.8-1.

Test/Maintenance System

The Test/Maintenance System provides the AMSAC with automated and manual testing as well as a maintenance mode. Automated testing is the continuously performed self-checking done by the system during normal operation. Actuation Logic System status is monitored by the T/MS and sent to the plant computer and the main control board. Manual testing of the system by the maintenance staff can be performed on-line to provide assurance that the Actuation Logic System is fully operational. The maintenance mode permits the maintenance staff, under administrative control, to modify channel setpoints, channel status and timer values, and initiate channel calibration.

The Test/Maintenance System consists of a test/maintenance processor, a digital-to-analog conversion board, a memory board, expansion boards, a self-health board, digital output modules, a test/maintenance panel, and a portable terminal/printer.


4. Equipment Actuation

The output relay panels provide component actuation signals through isolation relays, which then drive the final actuation circuitry for initiation of emergency feedwater and for turbine trip. Existing actuation devices of the component are used.

7.8.1.3 Functional Performance Requirements

The AMSAC automatically initiates emergency feedwater, trips the turbine, and isolates steam generator blowdown and sampling lines. Analyses have shown that the most limiting Anticipated Transient Without Scram event is a loss of feedwater event without a reactor trip. Therefore, the AMSAC performs its mitigative actuations:

1. In order to ensure a secondary heat sink following an anticipated transient (ANS Condition II) without a reactor trip,
2. In order to limit core damage following an anticipated transient without a reactor trip, and
3. To ensure that the energy generated in the core is compatible with the design limits to protect the reactor coolant pressure boundary by maintaining the reactor coolant pressure to within ASME Stress Level C.

7.8.1.4 AMSAC Interlocks

A single interlock, designated as C-20, is provided to allow for the automatic arming and blocking of the AMSAC system. The system is blocked below 40% turbine power when the actions taken by the AMSAC following an Anticipated Transient Without Scram need not be automatically initiated. Turbine impulse chamber pressure in a 2-out-of-2 logic scheme is used for this permissive. Turbine impulse chamber pressure above the setpoint will automatically defeat any block, i.e., will arm the AMSAC system. Dropping below this setpoint will automatically block the AMSAC system. Removal of the C-20 permissive is automatically delayed for a predetermined time. The operating status of the AMSAC is displayed on the main control board.

7.8.1.5 Steam Generator Level Sensor Arrangement

Steam generator level is determined by a differential pressure transmitter, measuring the level drop in the steam generator. These steam generator level signals are used as input to the AMSAC and are isolated signals from the Process Protection Cabinets.

7.8.1.6 Turbine Impulse Chamber Pressure Arrangement

Turbine impulse chamber pressure is determined by a differential pressure transmitter, measuring the pressure rise in the turbine. These pressure signals are used as input into AMSAC and are isolated signals from the Process Protection Cabinets.

7.8.1.7 Trip System

The differential pressure that is measured in the steam generator is used by the AMSAC to determine trip demand. Signal conditioning is performed on the transmitter output and used by each of the actuation logic processors to derive a component actuation demand. If 2 of the 3 steam generators have a low level at a power level greater than the C-20 permissive, then a trip demand signal is generated. This signal drives output relays for performing the necessary mitigative actions.

7.8.1.8 Isolation Devices

AMSAC is independent of the Reactor Trip and Engineered Safety Features Actuation Systems.

The AMSAC inputs for measuring turbine impulse chamber pressure and narrow range steam generator water level are derived from existing transmitters and channels within the process protection system. Connections to these channels are made downstream of Class 1E isolation devices which are located within the process protection cabinets. These isolation devices ensure that the existing protection system continues to meet all applicable safety criteria by providing isolation. Buffering of the AMSAC outputs from the safety related final actuation device circuits is achieved through qualified relays. A credible fault occurring in the non-safety-related AMSAC will not propagate through and degrade the RTS and ESFAS.

7.8.1.9 AMSAC Diversity from the Reactor Protection Systems

Equipment diverse from the Reactor Trip System and Engineered Safety Features Actuation System is used in the AMSAC to prevent common mode failures that might affect the AMSAC and the Reactor Trip System or Engineered Safety Features Actuation System. The AMSAC is a digital, microprocessor-based system with the exception of the analog steam generator level and turbine impulse pressure transmitter inputs, whereas the Reactor Trip System utilizes an analog based protection system. Also, where similar components are utilized for the same function in both AMSAC and the Reactor Trip System, the components used in AMSAC are provided from a different manufacturer.

Common mode failure of identical components in the analog portion of the Reactor Trip System that results in the inability to generate a reactor trip signal will not impact the ability of the digital AMSAC to generate the necessary mitigative actuations. Similarly, a postulated common mode failure affecting analog components in Engineered Safety Features Actuation System, affecting its ability to initiate emergency feedwater, will not impact the ability of the digital based AMSAC to automatically initiate emergency feedwater.

7.8.1.10 Power Supply

The AMSAC power supply is a non-Class 1E vital bus, which is independent from the RTS power supplies, and is backed by batteries which are independent from the existing batteries which supply the RTS.

7.8.1.11 Environmental Variations

AMSAC equipment is not designed as safety related equipment; therefore, it is not required to be qualified as safety related equipment. The AMSAC equipment is located in a controlled environment such that variations in the ambient conditions are minimized. No AMSAC equipment is located inside containment. The transmitters (steam generator level and turbine impulse chamber pressure) that supply the input into AMSAC are located inside containment and the Turbine Building, respectively.

7.8.1.12 Setpoints

The AMSAC makes use of 2 setpoints in the coincidence logic in order to determine if mitigative functions are required. Water level in each steam generator is sensed to determine if a loss of secondary heat sink is imminent. The low level setpoint is selected in such a manner that a true lowering of the level will be detected by the system. The normal small variations in steam generator level will not result in a spurious AMSAC signal.

The C-20 permissive setpoint is selected in order to be consistent with Anticipated Transient Without Scram investigations showing that the mitigative actions performed by the AMSAC need not be automatically actuated below a certain power level. The maximum allowable value of the C-20 permissive setpoint is defined by these investigations.

To avoid inadvertent AMSAC actuation on the loss of 1 main feedwater pump, AMSAC actuation is delayed by a defined amount of time. This will ensure the Reactor Protection System will provide the first trip signal.

To ensure that the AMSAC remains armed sufficiently long to permit its function in the event of a turbine trip, the C-20 permissive is maintained for a preset time delay after the turbine impulse chamber pressure drops below the setpoint.

The setpoints and the capability for their modification in the AMSAC are under administrative control.
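The arming, coincidence, time-delay and voting behaviour described in Sections 7.8.1.1 through 7.8.1.12 can be modelled as follows. This is an added illustrative example, not AMSAC software or part of the FSAR; the low level setpoint, both time delays, the failure modes and the use of one level signal per steam generator are assumptions, and only the 40% C-20 value comes from the text.

```python
# Illustrative model of the AMSAC actuation logic (added example, not plant software).
C20_SETPOINT = 40.0        # % turbine power; the text states AMSAC is blocked below 40%
SG_LOW_LEVEL = 12.0        # % level, hypothetical (no value is given in the text)
ACTUATION_DELAY = 25.0     # s, hypothetical "preselected time" on low level
C20_DROPOUT_DELAY = 120.0  # s, hypothetical delay on removal of the C-20 permissive


class ActuationLogicProcessor:
    """One of the three identical ALPs: setpoint comparison plus coincidence logic."""

    def __init__(self, fault=None):
        self.fault = fault        # None, "stuck_on" or "stuck_off" (constructed failure modes)
        self.armed = False        # state of the C-20 permissive
        self.c20_lost_at = None   # time the 2-out-of-2 pressure condition was lost
        self.low_since = None     # time the 2-out-of-3 low-level coincidence began

    def scan(self, t, sg_levels, impulse_pressures):
        # C-20: both pressure channels above the setpoint arm the system immediately.
        if all(p > C20_SETPOINT for p in impulse_pressures):
            self.armed, self.c20_lost_at = True, None
        elif self.armed:
            # Removal of the permissive is delayed so the system stays armed
            # through a turbine trip.
            if self.c20_lost_at is None:
                self.c20_lost_at = t
            if t - self.c20_lost_at >= C20_DROPOUT_DELAY:
                self.armed = False
        # Coincidence: at least 2 of the 3 steam generators below the low setpoint.
        if sum(level < SG_LOW_LEVEL for level in sg_levels) >= 2:
            if self.low_since is None:
                self.low_since = t
        else:
            self.low_since = None  # level recovered: timer resets, demand clears
        timed_out = self.low_since is not None and t - self.low_since >= ACTUATION_DELAY
        if self.fault == "stuck_on":
            return True
        if self.fault == "stuck_off":
            return False
        return self.armed and timed_out


def majority_vote(demands):
    """2-out-of-3 vote on the three ALP demand signals."""
    return sum(bool(d) for d in demands) >= 2


def first_actuation(samples, faults=(None, None, None)):
    """Feed (t, sg_levels, impulse_pressures) samples; return time of first voted demand."""
    alps = [ActuationLogicProcessor(f) for f in faults]
    for t, levels, pressures in samples:
        if majority_vote([alp.scan(t, levels, pressures) for alp in alps]):
            return t
    return None


def transient(power, low_from=None, low_until=None, trip_at=None, low_sgs=3, end=200):
    """Constructed 1 s samples: level falls to 5% on `low_sgs` generators
    during [low_from, low_until); turbine pressure falls to 0 at `trip_at`."""
    samples = []
    for t in range(end):
        low = low_from is not None and t >= low_from and (low_until is None or t < low_until)
        levels = [5.0 if low and i < low_sgs else 50.0 for i in range(3)]
        p = 0.0 if trip_at is not None and t >= trip_at else power
        samples.append((float(t), levels, [p, p]))
    return samples


if __name__ == "__main__":
    print("loss of feedwater at power:", first_actuation(transient(100.0, low_from=10)))
    print("same, one ALP stuck off:   ",
          first_actuation(transient(100.0, low_from=10), ("stuck_off", None, None)))
    print("normal levels, one ALP stuck on:",
          first_actuation(transient(100.0), ("stuck_on", None, None)))
```
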

7.8.2 Analysis

7.8.2.1 Safety Classification/Safety-Related Interface

The AMSAC is not safety related and therefore need not meet the requirements of IEEE 279-1971. The AMSAC has been implemented such that the Reactor Trip System and the Engineered Safety Features Actuation System continue to meet all applicable safety-related criteria. The AMSAC is independent of the Reactor Trip System and Engineered Safety Features Actuation System. The isolation provided between the Reactor Trip System and the AMSAC and between the Engineered Safety Features Actuation System and the AMSAC by the isolator modules and the isolation relays ensures that the applicable safety-related criteria are met for the Reactor Trip System and the Engineered Safety Features Actuation System.

7.8.2.2 Redundancy

System redundancy has not been provided. Since AMSAC is a backup non-safety related system to the redundant Reactor Trip System, redundancy is not required. To ensure high system reliability, portions of the AMSAC have been implemented as internally redundant, such that a single failure of an input channel or Actuation Logic Processor will neither actuate nor prevent actuation of the AMSAC.

7.8.2.3 Diversity from the Existing Trip System

Diverse equipment has been selected in order that common cause failures affecting both the Reactor Trip System and the AMSAC or both the Engineered Safety Features Actuation System and the AMSAC will not render these systems inoperable simultaneously. A more detailed discussion of the diversity between the Reactor Trip System and the AMSAC and between the Engineered Safety Features Actuation System and the AMSAC is presented in Section 7.8.1.9.

7.8.2.4 Electrical Independence

The AMSAC is electrically independent of the Reactor Trip System and Engineered Safety Features Actuation System from the sensor output up to the final actuation devices. Isolation devices are provided to isolate the non-safety AMSAC circuitry from the safety-related actuation circuits of the Emergency Feedwater System.

7.8.2.5 Physical Separation from the Reactor Trip System and Engineered Safety Features Actuation System

AMSAC needs to be and is physically separated from the existing protection system hardware.

The AMSAC outputs are provided from separate relay panels within the cabinets. The 2 trains are separated within the AMSAC cabinet by a combination of metal barriers, conduit and distance.

7.8.2.6 Environmental Qualification

Equipment related to the AMSAC is qualified to operate under conditions resulting from anticipated operational occurrences for the respective equipment location. The AMSAC equipment, with the exception of the isolation devices, located outside containment in a mild environment follows the same design standard that currently exists for non-Class 1E control grade equipment.

7.8.2.7 Seismic Qualification

It is required that only the isolation devices comply with seismic qualification. The AMSAC output isolation device is qualified in accordance with a program that was developed to implement the requirements of IEEE Standard 344-1975, IEEE Standard for Seismic Qualification of Class 1E Electrical Equipment for Nuclear Power Generating Stations.

7.8.2.8 Test, Maintenance, and Surveillance Quality Assurance

NRC Generic Letter 85-06, Quality Assurance Guidance for Anticipated Transient Without Scram Equipment that is not Safety Related, requires quality assurance procedures commensurate with the quality related classification of the AMSAC. The quality controls for the AMSAC are, at a minimum, consistent with existing plant procedures or practices for non-safety-related equipment.

Design of the AMSAC followed procedures relating to equipment procurement, document control, and specification of system components, materials and services. In addition, specifications also define quality assurance practices for inspections, examinations, storage, shipping and tests as appropriate to a specific item or service.

A computer software verification program and a firmware validation program have been implemented commensurate with the quality related classification of the AMSAC to ensure that the system design requirements implemented with the use of software have been properly implemented and to ensure compliance with the system functional, performance and interface requirements.

System testing is completed prior to installation and operation of the AMSAC, as part of the normal factory acceptance testing and the validation program. Periodic testing is performed both automatically through use of the system automatic self-checking capability, and manually, under administrative control via the AMSAC test/maintenance panel.

7.8.2.9 Power Supply

Power to the AMSAC is from a battery-backed, non-Class 1E vital bus independent of the power supplies for the Reactor Trip System and Engineered Safety Features Actuation System. The station battery supplying power to the AMSAC is independent of those used for the Reactor Trip System and Engineered Safety Features Actuation System. The AMSAC is an energize-to-actuate system capable of performing its mitigative functions with a loss of offsite power.

7.8.2.10 Testability at Power

The AMSAC is testable at power. This testing is done via the system test/maintenance panel. The capability of the AMSAC to perform its mitigative actuations is bypassed at a system level while in the test mode. Total system testing is performed as a set of 3 sequential, partial, overlapping tests. The first of the tests checks the analog input portions of the AMSAC in order to verify accuracy. Each of the analog input modules is checked separately. The second test checks each of the actuation logic processors to verify that the appropriate coincidence logic is sent to the majority voter. Each actuation logic processor is tested separately. The last test exercises the majority voter and the integrity of the associated output relays. The majority voter and associated output relays are tested by exercising all possible input combinations to the majority voter. The integrity of each of the output relays is checked by confirming continuity of the relay coils without operating the relays. The capability to individually operate the output relays, confirm integrity of the associated field wiring, and operate the corresponding isolation relays and final actuation devices at plant shutdown is provided.

7.8.2.11 Inadvertent Actuation

The AMSAC has been designed such that the frequency of inadvertent actuations is minimized.

This high reliability is ensured through use of 3 redundant Actuation Logic Processors and a majority voting module. A single failure in any of these modules will not result in a spurious AMSAC actuation. In addition, a 2 out of 3 low steam generator level coincidence logic and a time delay have been selected to further minimize the potential for inadvertent actuations.

7.8.2.12 Maintenance Bypasses

The AMSAC is blocked at the system level during maintenance, repair, calibration or test. While the system is blocked, the bypass condition is continuously indicated in the Main Control Room.

7.8.2.13 Operating Bypasses

The AMSAC has been designed to allow for operational bypasses with the inclusion of the C-20 permissive. Above the C-20 setpoint, the AMSAC is automatically unblocked (i.e., armed); below the setpoint, the system is automatically blocked. The operating status of the AMSAC is continuously indicated in the Main Control Room via a status light.

7.8.2.14 Indication of Bypasses

Whenever the mitigative capabilities of the AMSAC are bypassed or deliberately rendered inoperable, this condition is continuously indicated in the Main Control Room. In addition to the operating bypass, any manual maintenance bypass is indicated via the AMSAC general warning sent to the Main Control Room.

7.8.2.15 Means for Bypassing

A permanently installed system bypass selector switch is provided to bypass the system. This is a 2-position selector switch with NORMAL and BYPASS positions. At no time is it necessary to use any temporary means, such as installing jumpers or pulling fuses, to bypass the system.

7.8.2.16 Completion of Mitigative Actions Once Initiated

The AMSAC mitigative actions go to completion as long as the coincidence logic is satisfied and the time delay requirements are met. If the flow in the feedwater lines is re-initiated before the timer expires and the steam generator water level increases to above the low setpoint, then the coincidence logic will no longer be satisfied and the actuation signal disappears. If the coincidence logic conditions are maintained for the duration of the time delay, then the mitigative actions go to completion. The emergency feedwater initiation signal is latched in at the component actuating devices and the turbine trip is latched in at the turbine electro-hydraulic control system. Deliberate operator action is then necessary to terminate emergency feedwater flow, clear the turbine trip signal using the main control board turbine master reset, and proceed with the reopening of the turbine stop valves.

7.8.2.17 Manual Initiation

Manual initiation of the AMSAC is not provided. The capability to initiate the AMSAC mitigative functions manually, i.e., initiate emergency feedwater, trip the turbine, and isolate steam generator blowdown and sampling lines, exists at the main control board.

7.8.2.18 Information Readout

The AMSAC has been designed such that the operating and maintenance staffs have accurate, complete and timely information pertinent to the status of the AMSAC. A system level general warning alarm is indicated in the Control Room. Diagnostic capability exists from the test/maintenance panel to determine the cause of any unanticipated inoperability or deviation.

7.8.3 Compliance With Standards and Design Criteria

The AMSAC meets the applicable requirements of Part 50.62 of Title 10 of the Code of Federal Regulations and the quality assurance requirements of NRC Generic Letter 85-06. No other standards currently apply to the AMSAC.

Figure 7.8-1 ACTUATION LOGIC SYSTEM ARCHITECTURE