ML23096A035

Amendment 32 to Updated Final Safety Analysis Report, Chapter 7, Instrumentation and Controls
Site: Saint Lucie
Issue date: 04/01/2023
From: Florida Power & Light Co
To: Office of Nuclear Reactor Regulation
Shared Package: ML23096A089

{{#Wiki_filter:

INSTRUMENTATION AND CONTROLS

CHAPTER 7

TABLE OF CONTENTS

7.1 INTRODUCTION
7.1.1 IDENTIFICATION OF SAFETY RELATED SYSTEMS
7.1.1.1 Reactor Protective System
7.1.1.2 Engineered Safety Features Actuation System
7.1.1.3 Systems Required for Safe Shutdown
7.1.1.4 Safety Related Display Instrumentation
7.1.1.5 All Other Systems Required for Safety
7.1.2 IDENTIFICATION OF SAFETY CRITERIA
7.1.2.1 Design Criteria
7.1.2.2 Quality Assurance
7.1.2.3 Electrical Cable Criteria
7.1.2.4 Qualification of Safety Related Components
7.1.2.5 Identification of Safety Related Components
7.1.2.6 Electrical Penetration Assemblies
7.1.2.7 Additional Regulatory Guidance

7.2 REACTOR PROTECTIVE SYSTEM
7.2.1 DESCRIPTION
7.2.1.1 System Components
7.2.1.2 Reactor Trips
7.2.1.3 Trip Logic
7.2.1.4 Trip Bypasses
7.2.1.5 Trip Interlocks
7.2.1.6 Testing and Inspection
7.2.1.7 Redundancy
7.2.1.8 Diversity
7.2.1.9 Comparison
7.2.1.10 Sensors and Set Points
7.2.2 ANALYSIS
7.2.2.1 Conformance to General Design Criteria
7.2.2.2 Conformance to IEEE-279
7.2.2.3 Conformance to Testing Criteria
7.2.2.4 Effects of Other Associated Functions
7.2.2.5 Protection System Setpoint Methodology and Determination of Surveillance Procedure Acceptance Criteria

7.3 ENGINEERED SAFETY FEATURES SYSTEMS
7.3.1 DESCRIPTION
7.3.1.1 Engineered Safety Features Actuation Systems
7.3.1.2 Engineered Safety Feature Systems Instrumentation and Control
7.3.1.3 Engineered Safety Features Supporting Systems Instrumentation and Control
7.3.1.4 Design Basis Information Required by Section 3 of IEEE Std 279-1971
REFERENCES
7.3.2 ANALYSIS
7.3.2.1 Failure Mode and Effects Analysis
7.3.2.2 Conformance to General Design Criteria
7.3.2.3 Conformance to IEEE-279
7.3.2.4 Conformance to Testing Criteria
7.3.2.5 Conformance of Supporting System Instrumentation and Control to IEEE-279

7.4 SYSTEMS REQUIRED FOR SAFE SHUTDOWN
7.4.1 DESCRIPTION
7.4.1.1 Auxiliary Feedwater System Instrumentation
7.4.1.2 Atmospheric Dump Valves Instrumentation and Control
7.4.1.3 Shutdown Cooling System Instrumentation
7.4.1.4 Component Cooling Water System Instrumentation
7.4.1.5 Intake Cooling Water System Instrumentation
7.4.1.6 Emergency Power System Instrumentation
7.4.1.7 Boron Addition and Charging Subsystems
7.4.1.8 Emergency Control Stations
7.4.2 ANALYSIS
7.4.2.1 Conformance to IEEE-279
7.4.2.2 Conformance to IEEE-308
7.4.2.3 Conformance to the Requirements of AEC GDC 19
7.4.2.4 Loss of Instrument Air Systems
7.4.2.5 Loss of Cooling Water to Vital Equipment
7.4.2.6 Plant Load Rejection, Turbine Trip and Loss of Off-Site Power
REFERENCES

7.5 SAFETY RELATED DISPLAY INSTRUMENTATION (INCLUDES NON-SAFETY RELATED DISPLAY INSTRUMENTATION)
7.5.1 DESCRIPTION
7.5.1.1 Reactor Protective System Monitoring
7.5.1.2 ESFAS Monitoring
7.5.1.3 CEA Position Indication Systems
7.5.1.4 Boron Control Display Instrumentation
7.5.1.5 Reactor Coolant System Display Instrumentation
7.5.1.6 Control Panels and Annunciators
7.5.2 ANALYSIS
7.5.2.1 Reactor Protective System Monitoring
7.5.2.2 ESFAS Monitoring
7.5.2.3 CEA Position Indication Systems
7.5.2.4 Boron Control Display Instrumentation
7.5.2.5 Reactor Coolant System Process Display Instrumentation
7.5.2.6 Control Panels and Annunciators
7.5.3 TMI RELATED ADDITIONAL ACCIDENT MONITORING INSTRUMENTATION
7.5.3.1 Containment Pressure Monitors
7.5.3.2 Containment Water Level Monitors
7.5.3.3 Subcooled Margin Monitor System
7.5.3.4 High Range Containment Radiation Monitors
7.5.3.5 Noble Gas Effluent Radiation Monitors
7.5.4 SAFETY ASSESSMENT SYSTEM/EMERGENCY RESPONSE DATA ACQUISITION AND DISPLAY SYSTEM AND QUALIFIED SAFETY PARAMETER DISPLAY SYSTEM
7.5.4.1 Safety Assessment System/Emergency Response Data Acquisition and Display System
7.5.4.2 Qualified Safety Parameter Display System
7.5.5 EXCORE NEUTRON FLUX MONITORING SYSTEM
7.5.5.1 Boron Dilution Alarm

7.6 ALL OTHER INSTRUMENTATION SYSTEMS REQUIRED FOR SAFETY
7.6.1 DESCRIPTION
7.6.1.1 Shutdown Cooling System Interlocks
7.6.1.2 Fuel Handling System Interlocks
7.6.1.3 Overpressure Mitigating System (OMS)
7.6.1.4 Anticipated Transient Without Scram (ATWS)
7.6.2 ANALYSIS
7.6.2.1 Shutdown Cooling System Interlocks
7.6.2.2 Fuel Handling System Interlocks
7.6.2.3 Overpressure Mitigating System (OMS)
7.6.2.4 Diverse Scram System

7.7 CONTROL SYSTEMS NOT REQUIRED FOR SAFETY
7.7.1 DESCRIPTION
7.7.1.1 Reactor Control Systems
7.7.1.2 Reactor Coolant Control System
7.7.1.3 Steam Generator Control System
7.7.1.4 Turbine Control System
7.7.2 ANALYSIS
7.7.2.1 Reactor Control System
7.7.2.2 Reactor Coolant Control System
7.7.2.3 Steam Generator Control System
7.7.3 SYSTEM EVALUATION - HUMAN FACTORS ENGINEERING
7.7.3.1 HFE Program
7.7.3.2 Detail Control Room Design Review Implementation
7.7.3.3 DCRDR Implementation Evaluation
7.7.4 Leading Edge Flow Meter
REFERENCES

INSTRUMENTATION AND CONTROLS

CHAPTER 7

LIST OF TABLES

7.2-1 Monitored Plant Variable Instrumentation Ranges Response Times
7.2-2 Deleted
7.2-3 Reactor Protective System Bypasses
7.2-4 Reactor Protective System Sensors
7.2-5 Reactor Protective System Design Margins
7.2-6 Failure Mode, Effects and Criticality Analysis
7.3-1 ESFAS Sensor Parameters and Set Points
7.3-2 Components Actuated on SIAS
7.3-3 Components Actuated on RAS
7.3-4 Components Actuated on CSAS
7.3-5 Components Actuated on CIS
7.3-6 Components Actuated on MSIS
7.3-6A Auxiliary Building, Emergency Exhaust Fan HVE-9A (ECCS Area) Conformance to IEEE-279-1971 Section 4.11
7.3-7 ESFAS Failure Analysis
7.3-8 ESF Signal Interconnections for 1AB Shared System Equipment Control Failure Mode Analysis
7.3-9 Components and Actuated Devices Not Tested During Normal Operation
7.3-10 Auxiliary Feedwater Actuation System Failure Modes and Effects Analysis
7.4-1 Instruments Required to Monitor Safe Shutdown
7.4-2 Components Actuated by Auxiliary Feedwater Automatic Initiation System
7.5-1 CEA Position Light Matrix
7.5-2 Safety Related Display Instrumentation
7.5-3 Accident and Incident Instrumentation Requirements
7.5-4 Accident and Incident Instrumentation
7.5-5 Excore Neutron Flux Monitoring System
7.7-1 CEA Withdrawal and Motion Inhibit Interlocks

INSTRUMENTATION AND CONTROLS

CHAPTER 7

LIST OF FIGURES

7.1-1a thru 7.1-1i Control Wiring Diagram List of Abbreviations
7.1-2a thru 7.1-2f Control Wiring Diagram Device Numbers and Definitions
7.1-3a Control Wiring Diagram Graphical Symbols
7.1-3b Control Wiring Diagram Graphical Symbols
7.1-4 Control & Block Diagram
7.2-1 Simplified Functional Diagram of the Reactor Protective System
7.2-2 Reactor Protective System Functional Diagram
7.2-3 Typical Measurement Channel Functional Diagram (Pressurizer Pressure)
7.2-4 Control Wiring Diagrams - Out-of-Core Neutron Detectors
7.2-5 Deleted
7.2-6 Nuclear Inst and Reactor Protective System Cabinet
7.2-7 Nuclear Instrumentation Reactor Protective System Cabinet Assembly Front Panel Layout
7.2-8 Bistable Trip Unit Schematic
7.2-9 Variable High Power Trip Operation
7.2-10 Low Flow Protective System Functional Diagram
7.2-11 Steam Generator Protective Channel Block Diagram
7.2-12 Schematic Low Steam Generator Pressure Reactor Trip Bypass
7.2-13 Block Diagram Core Protection Trips
7.2-14 Thermal Margin Trip
7.2-15 T Power Calculation
7.2-16 Local Power Density Trip
7.2-17 Basic RPS Testing System
7.2-18 Schematic Trip Test System
7.2-19 Trip Path Channel Independence Schematic Diagram
7.2-20 Typical Protective Channel Input Independence Functional Diagram
7.2-21 Typical Matrix Ladder with Trip Unit Bypass and Matrix Relay Test Circuit Schematic Diagram
7.2-22 Reactor Protective System Interface Logic Diagram
7.3-1 Control Wiring Diagram Pressurizer Pressure P-1102A Measurement Loop
7.3-2 Elec. Schematic - ESFAS MC
7.3-3 Elec. Schematic - ESFAS SA
7.3-4 SIAS Logic Diagram
7.3-5 Schematic Diagram LP Safety Injection Pump 1A
7.3-6 Schematic Diagram LP Safety Injection Pump 1B
7.3-7 Schematic Diagram HP Safety Injection Pump 1A
7.3-8 Schematic Diagram HP Safety Injection Pump 1B
7.3-9 Deleted
7.3-9A HPSI Pump Discharge Valve V-3655 (Control Wiring Diagram)
7.3-10 Schematic Diagram Safety Injection Flow Control Valves
7.3-10a Schematic Diagram Safety Injection Tank Isolation Valve V-3624
7.3-11 RAS and CSAS Logic Diagram
7.3-12 Schematic Diagram Containment Spray Pump 1A
7.3-13 Schematic Diagram Containment Spray Pump 1B
7.3-14 CIS Logic Diagram
7.3-15A Schematic Diagram Reactor Containment Purge Isol Valves
7.3-15B Schematic Diagram Reactor Containment Purge Isol Valves
7.3-16 Schematic Diagram Shield Bldg. Vent Exhaust Fan HVE-6A
7.3-17 Schematic Diagram Shield Bldg. Vent Exhaust Fan HVE-6B
7.3-18 MSIS Logic Diagram
7.3-19 Schematic Diagram Main Steam Isolation Valve HCV-08-1A Opening Closing & Testing
7.3-20 Schematic Diagram Main Steam Isolation Valve HCV-08-1B Opening Closing & Testing
7.3-21 Time to SIAS Actuation vs LOCA Break Size
7.3-22 Time to CSAS Actuation vs LOCA Break Size
7.3-23 Time to CIS Actuation vs LOCA Break Size
7.3-24 Reactor Building Instrument Arrangement - Sheet 1
7.3-25 Reactor Building Instrument Arrangement - Sheet 2
7.3-26 Reactor Building Instrument Arrangement - Sheet 3
7.3-27 ESFAS Automatic Test Circuit
7.3-28 Control & Block Diagram (Reactor Auxiliary Building Supply Fan HVS-4A)
7.3-29 Control & Block Diagram (Reactor Auxiliary Building Supply Fan HVS-4B)
7.3-30 Control & Block Diagram (Emergency Exhaust Fan HVE-9A)
7.3-31 Control & Block Diagram (Emergency Exhaust Fan HVE-9B)
7.3-32 Control & Block Diagram (Control Room Fan HVA-3A)
7.3-33 Control & Block Diagram (Control Room Fan HVA-3B)
7.3-34 Control & Block Diagram (Control Room Fan HVA-3C)
7.3-35 Control & Block Diagram (Control Room Fan HVE-13A)
7.3-36 Control & Block Diagram (Control Room Fan HVE-13B)
7.3-37 Control & Block Diagram (Reactor Containment Air Recirc Unit - Fan HVS-1A)
7.3-38 Control & Block Diagram (Shield Building Ventilation System A Exhaust HVE-6A)
7.3-39 Control & Block Diagram (Shield Building Ventilation System B Exhaust HVE-6B)
7.3-40 Pressurizer Pressure and Containment Pressure ESFAS Measurement Channels
7.3-41 Containment Radiation and Pressure ESFAS Measurement Channels
7.3-42 Refueling Water Tank and Steam Generator ESFAS Measurement Channels
7.3-43 ESFAS Logic Channel
7.3-44 ESFAS Interconnections for AB Shared System Equipment
7.3-45 Component Cooling Water Surge Tank Vent Control
7.3-46 Auxiliary Feedwater Actuation System Simplified Functional Diagram
7.3-47 Auxiliary Feedwater Actuation System - Testing System Diagram
7.3-48 ATWS/DSS Block Diagram
7.4-1 Schematic Diagram Auxiliary Feedwater Pump 1A
7.4-2 Schematic Diagram Auxiliary Feedwater Pump 1B
7.4-3 Control & Block Diagram (Component Cooling Water Pump 1A)
7.4-4 Control & Block Diagram (Component Cooling Water Pump 1B)
7.4-5 Control & Block Diagram (Component Cooling Water Pump 1C)
7.4-6 Schematic Diagram Component Cooling Water Pump 1A
7.4-7 Schematic Diagram Component Cooling Water Pump 1B
7.4-8 Schematic Diagram Component Cooling Water Pump 1C
7.4-9 Control & Block Diagram (Intake Cooling Water Pump 1A)
7.4-10 Control & Block Diagram (Intake Cooling Water Pump 1B)
7.4-11 Control & Block Diagram (Intake Cooling Water Pump 1C)
7.4-12 Schematic Diagram Intake Cooling Water Pump 1A
7.4-13 Schematic Diagram Intake Cooling Water Pump 1B
7.4-14 Schematic Diagram Intake Cooling Water Pump 1C
7.4-15 Schematic Diagram Charging Pump 1A
7.4-16 Schematic Diagram Charging Pump 1B
7.4-17 Schematic Diagram Charging Pump 1C
7.4-18 Schematic Diagram Charging Pumps - Level Control
7.4-19 Schematic Diagram Boric Acid Make-up Pump 1A
7.4-20 Schematic Diagram Boric Acid Make-up Pump 1B
7.4-21 Reactor Auxiliary Building Instrument Arrangement - Sheet 1
7.4-22 Reactor Auxiliary Building Instrument Arrangement - Sheet 2
7.4-23 Reactor Auxiliary Building Instrument Arrangement - Sheet 3
7.4-23a Reactor Auxiliary Building Instrument Arrangement - Sheet 4
7.4-24 Miscellaneous Instrument Arrangement
7.4-25 Charging Pump 1A, 1B, and 1C Interface with Normal Controls
7.4-26 Auxiliary Feedwater System Automatic Initiation Logic
7.5-1 Control Wiring Diagram Station Auxiliaries B Annunciator A SH1 RTGB-101
7.5-2 Control Wiring Diagram Station Auxiliaries B Annunciator A SH2 RTGB-101
7.5-3 Control Wiring Diagram Station Auxiliaries A Annunciator B SH1 RTGB-101
7.5-4 Control Wiring Diagram Station Auxiliaries A Annunciator B SH2 RTGB-101
7.5-5 Control Wiring Diagram Generator, Main and Auxiliary Transformer Annunciator C SH1 RTGB-101
7.5-6 Control Wiring Diagram Generator, Main and Auxiliary Transformer Annunciator C SH2 RTGB-101
7.5-7 Control Wiring Diagram Circulating Intake and Cooling Water Annunciator-E SH1 RTGB-102
7.5-8 Control Wiring Diagram Circulating Intake and Cooling Water Annunciator-E SH2 RTGB-102
7.5-9 Control Wiring Diagram Condensate-Feedwater Annunciator-G SH1 RTGB-102
7.5-10 Condensate-Feedwater Annunciator-G SH2 RTGB-102
7.5-11 Control Wiring Diagram CEA Annunciator-K RTGB-104
7.5-12 Control Wiring Diagram Reactor Protection Annunciator-L RTGB-104
7.5-13 Control Wiring Diagram Waste Management Annunciator-N SH1 RTGB-105
7.5-14 Control Wiring Diagram Waste Management Annunciator-N SH2 RTGB-105
7.5-15 Control Wiring Diagram Engineered Safeguard Annunciator-P SH1 RTGB-106
7.5-16 Control Wiring Diagram Engineered Safeguards Annunciator-P SH2 RTGB-106
7.5-17 Control Wiring Diagram Engineered Safeguards Annunciator-Q SH1 RTGB-106
7.5-18 Control Wiring Diagram Engineered Safeguards Annunciator-Q SH2 RTGB-106
7.5-19 Control Wiring Diagram Engineered Safeguards Annunciator-R SH1 RTGB-106
7.5-20 Engineered Safeguards Annunciator-R SH2 RTGB-106 (Control Wiring Diagram)
7.5-21 Control Wiring Diagram Engineered Safeguards Annunciator-S SH1 RTGB-106
7.5-22 Control Wiring Diagram Engineered Safeguards Annunciator-S SH2 RTGB-106
7.5-23 Control Wiring Diagram Diesel Generator 1A - Annunciator Front View
7.5-24 Control Wiring Diagram Diesel Generator 1B - Annunciator Front View
7.5-25 Control Wiring Diagram Line Repeat Annunciator
7.5-26 Control Wiring Diagram Radiation Monitor Panel Annunciator -X Cabinet-E
7.5-27 Control Wiring Diagram Control Room Auxiliary Console Annunciator "Y"
7.5-28 Deleted
7.5-29 Ex-Core Neutron Monitoring System Channel SB
7.7-1 Reactor Regulating System - Block Diagram
7.7-2 Deleted EC291158
7.7-3 CEA Position Setpoints
7.7-4 Pressure Control Program
7.7-5 Feedwater Control System - Block Diagram
7.7-6 Deleted

CHAPTER 7 INSTRUMENTATION AND CONTROLS

7.1 INTRODUCTION

The instrumentation and control systems which monitor and perform safety related functions are discussed in this chapter. A complete description and analysis of these systems are provided in Sections 7.2 through 7.6.

I&E Bulletin 79-24 titled, "Frozen Lines," required review of plant design to ensure adequate protection of safety-related process, instrument, and sampling lines from freezing during extremely cold weather. Insulation was added to selected instrument lines to protect against freezing.

7.1.1 IDENTIFICATION OF SAFETY RELATED SYSTEMS

Identification of system builders and designers is provided by:

Combustion Engineering, Inc. [CE]
Ebasco Services Inc. [E]

7.1.1.1 Reactor Protective System [CE]

The reactor protective system monitors selected nuclear steam supply system conditions and provides reliable and rapid reactor shutdown when required. Refer to Section 7.2.

7.1.1.2 Engineered Safety-Features Actuation System [CE], [E]

The engineered safety features actuation system (ESFAS) monitors selected plant parameters and provides actuation signals to the actuated components in the ESF system when the plant parameters reach preselected setpoints. Refer to Section 7.3.

7.1.1.3 Systems Required for Safe Shutdown

The following systems may be required for safe shutdown of the plant:

a) Shutdown cooling system [CE]
b) Auxiliary feedwater system [E]
c) Atmospheric dump valves [E]
d) Component cooling water system [E]
e) Intake cooling water [E]
f) Emergency power system [E]
g) Emergency control stations [E]
h) Boron addition of charging subsystems [CE]

The instrumentation and controls associated with these systems are described in Section 7.4.

7.1.1.4 Safety Related Display Instrumentation

The following non-safety and safety related display instrumentation is provided to enable the operator to monitor plant conditions and perform the required safety functions:

a) Reactor Protective system monitoring (1E) [CE]
b) Engineered safety features monitoring (1E) [E]
c) CEA position indication (non 1E) [CE]
d) Boron control display instrumentation (1E and non 1E) [E]
e) Plant process display instrumentation (1E and non 1E) [E]
f) Control Boards (1E) and Annunciators (non 1E) [E]

This instrumentation is described in Section 7.5.

7.1.1.5 All Other Systems Required For Safety

The following systems are required for plant safety:

a) Refueling interlocks [CE]
b) Shutdown cooling interlocks [CE]
c) Overpressure Mitigating System (OMS) [CE]
d) Diverse Scram System and Diverse Turbine Trip [CE]

These systems are described in Section 7.6.

7.1.2 IDENTIFICATION OF SAFETY CRITERIA

7.1.2.1 Design Criteria

The design bases, criteria, safety guides, information guides, standards, and other documents that are implemented in the design of the systems listed in Section 7.1.1 are included in the subsections describing each system. (Refer to Sections 7.2 through 7.6).

7.1.2.2 Quality Assurance

The quality control of design, fabrication, shipping, field storage, installation and component checkout for components of systems required for safety and emergency power systems and the documentation of such control measures is carried out in accordance with the quality assurance program.

7.1.2.3 Electrical Cable Criteria

a) Control and instrumentation cables are not required to be derated since they do not normally carry significant currents. The general design guideline for cable tray fill is 40 percent, based on tray and cable areas; however, some trays may exceed this. Where the cable tray fill exceeds 40 percent an evaluation is performed for acceptability. In general, however, cable tray fill does not exceed 40 percent.

b) Cable routing criteria for safety-related cables in congested areas are given in Section 8.3.1.2.

c) Criteria for sharing of cable trays with non-safety-related cables or cables of the same or other systems are given in Section 8.3.1.2.

d) Fire stops are provided on cable trays at wall and floor penetrations. A fire retardant material, flamemastic, is provided in cable trays which are not enclosed with solid bottoms and covers. Fire detectors are located in the control room cable spreading area and the containment electrical penetration areas, and where large groups of cable trays come together. A local panel contains the alarms from the fire detection monitoring system. A common alarm is annunciated in the control room. Portable fire extinguishers are provided at key locations including the control room and cable and relay room. Plant fire protection is discussed further in the Fire Protection Design Basis Document (Reference 4).

e) Cable and cable tray markings are as described in Section 8.3.1.2.

f) Redundant wiring and components in control panels and relay racks are separated by at least 12 inches or a fire barrier is installed between the redundant components.

The quality assurance procedures are employed during design and installation of the cable system to ensure compliance with the design criteria. Design drawings and cable and conduit lists are prepared, reviewed and approved for construction and are kept current in the field in accordance with approved plant procedures. Cables are installed in accordance with written procedures which specify quality compliance, inspection and documentation requirements for all cable pulls. Upon completion of cable pulling, a quality control inspector verifies the cables have been installed in accordance with the design documents.

7.1.2.4 Qualification of Safety Related Components

Purchase specifications identify safety related instrumentation and electrical components, specify required performance conditions and require demonstration that the components are capable of performing as specified. Such qualifications may be performed by type test, mathematical analysis, operating experience or a combination of these. Vendors are required to submit documentation of the component qualification. These provisions cover the general qualification requirements of IEEE-323-1971, "IEEE Trial Use Standard: General Guide for Qualifying Class I Electric Equipment for Nuclear Power Generating Stations," although the standard was issued after the July 1, 1970 Hutchinson Island Plant construction permit date and is therefore not included as a specific requirement in the component purchase specifications.*

7.1.2.5 Identification of Safety Related Components

Safety related instrumentation and electrical cabling and components are identified according to the redundant channel or subsystem to which they belong. All components are given identifying letters. Cable terminations are color coded as given in Section 8.3.1.2.3. Operating and maintenance personnel will be instructed as to the identification scheme and any cable termination will be identifiable as to safety importance and channel by the color coding.

7.1.2.6 Electrical Penetration Assemblies

The containment electrical penetration assemblies comply with the requirements of IEEE Standard 317-1971, "Electrical Penetration Assemblies in Containment Structures for Nuclear Fueled Power Generation Stations," although the standard was issued after the July 1, 1970 Hutchinson Island Plant construction permit date.

* See Section 3.11 for referencing to responses pursuant to the requirements of IE Bulletin 79-01B. Information is presented therein on the results of the reevaluation of the environmental qualification of electrical equipment.

7.1.2.7 Additional Regulatory Guidance

As a result of TMI, the NRC requested a review of St. Lucie Unit 1 instrumentation against Regulatory Guide 1.97, "Instrumentation for Light Water Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident." This review was presented to the NRC via References 1 and 2. In these reports compliance was documented or exceptions noted. The NRC response is provided in Reference 3.

References

1. FPL letter L-83-605 from J W Williams, Jr to D G Eisenhut dated December 29, 1983
2. FPL letter L-85-417 from J W Williams, Jr to E J Butcher dated November 18, 1985
3. NRC letter, J R Miller to J W Williams, Jr "Conformance to Regulatory Guide 1.97, Revision dated April 25, 1985"
4. NRC letter, J. A. Norris to J. H. Goldberg, Instrumentation To Follow The Course Of An Accident (Regulatory Guide 1.97), dated April 1, 1992
5. FPL letter to NRC, L-92-194, St. Lucie Unit 1 and Unit 2, Docket No 50-335 and 50-389, Regulatory Guide 1.97, dated July 14, 1992
6. FPL letter to NRC, L-92-28, St. Lucie Unit 1 and Unit 2, Docket No 50-335 and 50-389, Regulatory Guide 1.97 - Proposed Modifications - Wide Range Steam Generator Level Instrument, dated February 10, 1992
7. NRC letter, J. A. Norris to J. H. Goldberg, St. Lucie Units 1 and 2 - Proposed Modifications Related To Regulatory Guide 1.97 (TAC Nos. 64333 and 64334), dated November 12, 1991
8. DBD-FP-1, Fire Protection Design Basis Document

Figure 7.1-1a: Control Wiring Diagram, List of Abbreviations. Refer to drawing 8770-B-327 Sheet 9. Amendment No. 15 (1/97)

Figure 7.1-1b: Control Wiring Diagram, List of Abbreviations. Refer to drawing 8770-B-327 Sheet 10. Amendment No. 15 (1/97)

Figure 7.1-1c: Control Wiring Diagram, List of Abbreviations. Refer to drawing 8770-B-327 Sheet 11. Amendment No. 15 (1/97)

Figure 7.1-1d: Control Wiring Diagram, List of Abbreviations. Refer to drawing 8770-B-327 Sheet 12. Amendment No. 22 (05/07)

Figure 7.1-1e: Control Wiring Diagram, List of Abbreviations. Refer to drawing 8770-B-327 Sheet 13. Amendment No. 22 (05/07)

Figure 7.1-1f: Control Wiring Diagram, List of Abbreviations. Refer to drawing 8770-B-327 Sheet 14. Amendment No. 22 (05/07)

Figure 7.1-1g: Control Wiring Diagram, List of Abbreviations. Refer to drawing 8770-B-327 Sheet 15. Amendment No. 22 (05/07)

A
ACC - AIR CONDITIONING COMPRESSOR
ATM - ATMOSPHERE, ATMOSPHERIC
AWC - AMERICAN WIRE GAUGE
AWP - AUTOMATIC WITHDRAWAL PROHIBITED

B
BOR - BORIC
BU - BLUE LIGHT

C
CALIB - CALIBRATE, CALIBRATION
CEA - CONTROL ELEMENT ASSEMBLY
CEDM - CONTROL ELEMENT DRIVE MECHANISM
CEDS - CONTROL ELEMENT DRIVE SYSTEM
CHG - CHARGING
CIS - CONTAINMENT ISOLATION SIGNAL
CLF - CURRENT LIMITING FUSE
CONC - CONCENTRATE, CONCENTRATOR
CONTD - CONTINUED
CP - CONDENSATE PUMP
CPP - COIL POWER PROGRAMMERS
CPS - COUNTS PER SECOND
CRT - CATHODIC RAY TUBE
CSAS - CONTAINMENT SPRAY ACTUATION SIGNAL
CST - CONTROL TEMPERATURE
CUB - CUBICLE
CVCS - CHEMICAL & VOLUME CONTROL SYSTEM

D
DCS - DISTRIBUTED CONTROL SYSTEM
DECR - DECREASE
DEV - DEVELOPMENT, DEVIATION
DG - DIESEL GENERATOR
DI - DIGITAL INDICATION
DL - DEVIATION LIGHTS

E
EB - EAST BUS
ECCS - EMERGENCY CORE COOLING SYSTEM
EH - ELECTRO-HYDRAULIC
ENERG - ENERGIZE
ES - DC POWER SUPPLY

F
FCV - FLOW CONTROL VALVE
FF - FLOW FUNCTION (SQ.ROOT EXTR-ADDER)
FI - FLOW INDICATOR
FIC - FLOW CONTROL DEVICE WITH INDICATION
FIS - FLOW INDICATING SWITCH
FR - FLOW RECORDER, FREQUENCY RECORDER
FS - FLOW SWITCH
FWP - FEEDWATER PUMP

H
HEPA - HIGH EFFICIENCY PARTICLE ARRESTOR (FILTER)
HIC - MANUAL AUTOMATIC CONTROL STATION
HPSI - HIGH PRESSURE SAFETY INJECTION
HS - HAND SWITCH
HT - HEAT
HX - HEAT EXCHANGER

I
ICW - INTAKE COOLING WATER
IL - INDICATING LIGHT
INCR - INCREASE
INTEG - INTEGRATE, INTEGRATOR
IP - ELECTRICAL PNEUMATIC
ISOL - ISOLATION

K

L
LEFM - LEADING EDGE FLOW METER
LCV - LEVEL CONTROL VALVE
LI - LEVEL INDICATOR
LIC - LEVEL CONTROL DEVICE WITH INDICATION
LIS - LEVEL INDICATING SWITCH
LPSI - LOW PRESSURE SAFETY INJECTION
LR - LEVEL RECORDER

M
MA - SAFETY MEASUREMENT CHANNEL A
MB - SAFETY MEASUREMENT CHANNEL B
MC - SAFETY MEASUREMENT CHANNEL C
MD - SAFETY MEASUREMENT CHANNEL D
MAN - MANUAL
MEAS - MEASUREMENT
MOD - MOTOR OPERATED DISCONNECT
MR - MULTI RATIO
MSIS - MAIN STEAM ISOLATION SIGNAL
MTD - MOUNTED

N
NP - NAMEPLATE

O
OOS - OUT OF SERVICE

P
PDI - PRESSURE DIFFERENTIAL INDICATOR
PDIL - POWER DEPENDENT INSERTION LIMIT
PDIS - PRESSURE DIFFERENTIAL INDICATING SWITCH
PDS - PRESSURE DIFFERENTIAL SWITCH
PI - PRESSURE INDICATOR
PIC - PRESSURE CONTROL DEVICE WITH INDICATION
PIS - PRESSURE INDICATING SWITCH
PM - PERMANENT MAGNET
PP - POWER PANEL
PPDIL - PRE-POWER DEPENDENT INSERTION LIMIT
PPM - PARTS PER MILLION
PREC - PRECISION
PU - PICKUP

FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT LIST OF ABBREVIATIONS FIGURE 7.1-1H Amendment No. 26 (11/13)

R
RADIO - RADIOACTIVE
RAS - RECIRCULATION ACTUATION SIGNAL
RCP - REACTOR COOLANT PUMP
RCS - REACTOR COOLANT SYSTEM
RCV - REHEATER CONTROL VALVE
RDT - REACTOR DRAIN TANK
REGEN - REGENERATIVE
RMW - REACTOR MAKEUP WATER
RPS - REACTOR PROTECTIVE SYSTEM
RR - RADIATION RECORDER
RRS - REACTOR REGULATING SYSTEM
RTGB - REACTOR TURB GEN BOARD
RWT - REFUELING WATER TANK

S
SA - SAFETY ACTUATION CHANNEL A
SB - SAFETY ACTUATION CHANNEL B
SAB - SAFETY ACTUATION CHANNEL AB
SEPR - SEPARATOR
SG - STEAM GENERATOR
SHLD - SHIELD
SI - SAFETY INJECTION
SIAS - SAFETY INJECTION ACTUATION SIGNAL
STM - STEAM
SJE - STEAM JET AIR EJECTOR
STAB - STABILIZER
SUB - SUBTRACT
SUPV - SUPERVISORY

T
TAVG - TEMPERATURE AVERAGE
TCV - TEMPERATURE CONTROL VALVE
TDC - TIME DELAY CLOSE
TE - THERMOCOUPLE
TERM - TERMINAL
TI - TEMPERATURE INDICATOR
TIC - TEMPERATURE CONTROL DEVICE WITH INDICATOR
TIS - TEMPERATURE INDICATING SWITCH
TM - ELAPSED TIME METER
TRANSM - TRANSMITTER
TRAV - TRAVELLING
TREF - TEMPERATURE REFERENCE

W
WB - WEST BUS
WDG - WINDING
WMS - WASTE MANAGEMENT SYSTEM
WTR - WATER

AT
% - PERCENT
DIFFERENTIAL

FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT LIST OF ABBREVIATIONS SHEET 2 FIGURE 7.1-1I Amendment No. 26 (11/13)

Refer to drawing 8770-B-327 Sheet 16 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL WIRING DIAGRAM DEVICE NUMBERS & DEFINITIONS FIGURE 7.1-2a Amendment No. 15 (1/97)

Refer to drawing 8770-B-327 Sheet 17 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL WIRING DIAGRAM DEVICE NUMBERS & DEFINITIONS FIGURE 7.1-2b Amendment No. 15 (1/97)

Refer to drawing 8770-B-327 Sheet 18 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL WIRING DIAGRAM DEVICE NUMBERS & DEFINITIONS FIGURE 7.1-2c Amendment No. 15 (1/97)

Refer to drawing 8770-B-327 Sheet 19 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL WIRING DIAGRAM DEVICE NUMBERS & DEFINITIONS FIGURE 7.1-2d Amendment No. 22 (05/07)

Refer to drawing 8770-B-327 Sheet 20 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL WIRING DIAGRAM DEVICE NUMBERS & DEFINITIONS FIGURE 7.1-2e Amendment No. 15 (1/97)

Refer to drawing 8770-B-327 Sheet 21 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL WIRING DIAGRAM DEVICE NUMBERS & DEFINITIONS FIGURE 7.1-2f Amendment No. 15 (1/97)

Refer to drawing 8770-B-327 Sheet 22 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL WIRING DIAGRAM GRAPHICAL SYMBOLS FIGURE 7.1-3a Amendment No. 15 (1/97)

Refer to drawing 8770-B-327 Sheet 23 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL WIRING DIAGRAM GRAPHICAL SYMBOLS FIGURE 7.1-3b Amendment No. 15 (1/97)

Refer to drawing 8770-B-276 Sheet 00.2 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL & BLOCK DIAGRAM FIGURE 7.1-4 Amendment No. 15 (1/97)

7.2 REACTOR PROTECTIVE SYSTEM

7.2.1 DESCRIPTION

The reactor protective system is designed to assure adequate protection of the fuel, fuel cladding and reactor coolant pressure boundary during anticipated operational occurrences. Those NSSS conditions which require protective system action are discussed in detail in Chapter 15. The system is designed on the following bases to assure performance of its protective function:

a) The system is designed in compliance with AEC requirements as delineated in "General Design Criteria for Nuclear Power Plants" (Appendix A of 10 CFR 50, July 15, 1971), presented in Section 3.1.1.

b) Instrumentation, function and operation of the system conforms to the specific requirements of IEEE Standard 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations."

c) System testing conforms to the requirements of IEEE Standard 338-1971, "Trial-Use Criteria for Periodic Testing of Nuclear Power Generating Station Protection Systems," and Safety Guide 22, "Periodic Testing of Protection System Actuation Functions."

d) Monitor the following NSSS parameters:

1) Out of core neutron flux
2) Pressurizer pressure
3) Reactor coolant flow
4) Reactor coolant system temperatures
5) Steam generator pressure
6) Steam generator water level
7) Containment pressure
8) Axial flux shape index

e) Monitor all plant parameters that are needed to assure adequate determination of the parameters given in (d) above, over the entire range of normal operation and transient conditions.

f) Design the system to alert the operator when a monitored plant condition is approaching a condition which would initiate protective action (pre-trip alarms).

7.2-1 Amendment No. 25 (04/12)

g) Design the system so that protective action will not be initiated during normal operation.

h) Establish trip set points such that adequate protection is provided when all sensor and processing time delays and inaccuracies are taken into account.

i) Qualify all system components for the environmental conditions addressed in Section 3.11. In addition, the system shall be capable of performing its intended functions under the most degraded conditions of the energy supply.

j) Identify equipment, including panels, components and cables associated with the reactor protective system with colored markers or nameplates.

k) Any single component failure will not prevent safety action.

The reactor protective system consists of sensors, amplifiers, logic, and other equipment necessary to monitor selected nuclear steam supply system parameters and to effect reliable and rapid reactor shutdown if any one or a combination of parameters deviates from a preselected operating range. The system functions to protect the core and reactor coolant system pressure boundary.

As shown in Figures 7.2-1 and 7.2-2, the reactor protective system consists of four trip paths operating through the coincidence logic matrices to maintain power to, or remove it from, the control element drive mechanisms (CEDM's). Four independent measurement channels normally monitor each parameter which can initiate a reactor trip. Individual channel trips occur when the measurement reaches a preselected value. The channel trips are combined in six two-out-of-two logic matrices. Each two-out-of-two logic matrix provides trip signals to four one-out-of-six logic units, each of which causes a trip of the breakers in the ac supply to the CEDM power supplies. Each CEDM power supply source is separated into two branches.

As shown in Figure 7.2-2, a two-out-of-four logic operating on undervoltage relays on the CEDM power supply lines is used to provide an auxiliary signal coincident with reactor trip. This signal is utilized to trip the turbine. Reactor trip is accomplished by deenergizing the CEDM coils allowing the control element assemblies (CEA's) to drop into the core by gravity.

The out-of-core nuclear instrumentation includes neutron detectors located around the reactor core and signal conditioning equipment located in the control room. Neutron flux is monitored from source levels through full power operation and signal outputs are provided for reactor control, reactor protection, and for information display. There are ten channels of instrumentation. Four are start-up channels, four are safety channels and two are control channels (see Figure 7.2-4).

Various pressures, water levels, and temperatures associated with the reactor coolant system are continuously monitored to provide signals to the reactor protective system trip bistables. All protective parameters are measured with four independent and isolated process instruments and channels. A typical protective channel, shown in Figure 7.2-3, consists of a sensor and transmitter, instrument power supply and current loop resistors, indicating meter and/or recorder, and trip bistable/calculator inputs. The piping, wiring, and components of each channel are separated from that of other like protective channels to provide isolation. The output of each transmitter is an ungrounded current loop which has a live zero. Signal isolation is provided for control room indicators. Each channel is powered from a separate ac instrument bus. (See Section 8.3.1.1.6)

The protective portions of the system are designed in accordance with the criteria of IEEE 279-1971. In areas not covered or specifically identified by the criteria, the following criteria are used:

a) the neutron detectors are located to detect representative core flux conditions;

b) four independent channels are used in each flux range;

c) the channel ranges overlap sufficiently to ensure that the flux is continually monitored from neutron source range to 200 percent of full power;

d) power is supplied to the system from four separate ac buses, loss of one bus trips one safety channel and one wide range logarithmic channel;

e) loss of power to channel logic results in a channel trip; and

f) all channel outputs are buffered so that accidental connection to 120 volts ac, or to channel supply voltage, or shorting individual outputs has no effect on any of the other outputs.
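The coincidence logic described above (four channels, six two-out-of-two matrices, one-out-of-six trip paths, loss of power treated as a channel trip) can be checked exhaustively in a few lines. The following Python model is an added illustration, not taken from the FSAR or from plant logic; all function names and the constructed test inputs are assumptions, and the breaker arrangement downstream of the trip paths is not modelled.

```python
"""Illustrative model of the coincidence logic described above (added example).

Function names and the dict-based representation are assumptions of this
sketch; only the logic structure (four channels, six two-out-of-two
matrices, one-out-of-six trip paths, loss of power = channel trip) is
taken from the text.
"""
from itertools import combinations, product

CHANNELS = ("A", "B", "C", "D")
# One two-out-of-two matrix per channel pair: AB, AC, AD, BC, BD, CD.
MATRICES = tuple(combinations(CHANNELS, 2))


def channel_trip(value, trip_value, powered=True):
    """Bistable for one measurement channel (high-going trip).

    Loss of power to the channel logic results in a channel trip.
    """
    if not powered:
        return True
    return value >= trip_value


def matrix_outputs(trips):
    """Each two-out-of-two matrix trips only when both of its channels trip."""
    return {pair: trips[pair[0]] and trips[pair[1]] for pair in MATRICES}


def trip_path(trips):
    """One-out-of-six unit: any tripped matrix opens the trip path."""
    return any(matrix_outputs(trips).values())


def matches_two_out_of_four():
    """Exhaustively compare the pairwise matrices with a plain 2-of-4 vote."""
    for states in product((False, True), repeat=len(CHANNELS)):
        trips = dict(zip(CHANNELS, states))
        if trip_path(trips) != (sum(states) >= 2):
            return False
    return True


def single_failure_report():
    """Check design bases (g) and (k) against the modelled logic."""
    no_trip = dict.fromkeys(CHANNELS, False)
    # (g) one spurious channel trip alone must not trip the reactor.
    spurious_ok = all(
        not trip_path({**no_trip, ch: True}) for ch in CHANNELS
    )
    # (k) with any one channel stuck untripped, two of the other three
    # reaching the trip value must still open the trip path.
    stuck_ok = all(
        trip_path({**no_trip, a: True, b: True})
        for failed in CHANNELS
        for a, b in combinations([c for c in CHANNELS if c != failed], 2)
    )
    return {"single_spurious_trip_blocked": spurious_ok,
            "single_stuck_channel_tolerated": stuck_ok}


def additional_trips_needed(powered):
    """Fewest further channel trips that open the trip path.

    `powered` maps channel -> bool; unpowered channels are already tripped.
    Constructed inputs: value 0.0 against trip value 1.0 (no real trip).
    """
    base = {ch: channel_trip(0.0, 1.0, powered[ch]) for ch in CHANNELS}
    live = [ch for ch in CHANNELS if not base[ch]]
    for n in range(len(live) + 1):
        for extra in combinations(live, n):
            if trip_path({**base, **dict.fromkeys(extra, True)}):
                return n
    return None


if __name__ == "__main__":
    print(matches_two_out_of_four())
    print(single_failure_report())
    all_on = dict.fromkeys(CHANNELS, True)
    print(additional_trips_needed(all_on))                  # normal operation
    print(additional_trips_needed({**all_on, "A": False}))  # one ac bus lost
```

The last function shows the cost of the fail-safe choice: with one channel de-energized, the remaining logic behaves as one-out-of-three, so a single further channel trip opens the trip path.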
Ten channels of instrumentation are provided to monitor the neutron flux. The system consists of wide range logarithmic channels, power range safety and power range control channels. Each channel is complete with separate detectors, power supplies, amplifiers, and bistables to provide independent operation. The operating capability of the ten monitoring channels is greater than 10 decades of neutron flux and is adequate to monitor the reactor power from shutdown through start-up to 200 percent of rated power.

7.2-3 Amendment No. 24 (06/10)

The flux signals from the wide range logarithmic channels are generated by dual stacked fission chambers, amplified, and transmitted to the power and rate-of-change-of-power amplifiers located in the control room as shown on Figure 7.2-4. Count rate signals are audible in the control room. In addition to the information on the reactor neutron flux, the channels provide a rate-of-change-of-power signal to the reactor protective system for reactor trip, and to the CEDM control system for CEA withdrawal prohibit.

Four channels, designated as power range safety channels, provide signal outputs to the reactor protective system as shown on Figure 7.2-4. These channels operate from 0 percent to 200 percent of full power. These four channels contain neutron detectors composed of dual section ion chambers which monitor the full axial length of the reactor core at four circumferential positions spaced around the core. This arrangement enables measurement of power tilts.

Two separate power range control channels, which are similar to the power range safety channels, provide reactor power signals to the reactor regulating system. The channel output is a signal directly proportional to reactor power from 0 percent to 200 percent. The power signal is combined with the reactor average coolant temperature, HP turbine inlet pressure, and pressurizer pressure signals as the control parameters to the reactor regulating system described in Section 7.7.1.1.1. The gain of each channel is adjustable to provide a means for calibrating the output against a plant heat balance. Each control channel provides a power reference signal to one of the independent reactor regulating system channels.

7.2.1.1 System Components

The nuclear instrumentation safety signals processing equipment is located in the reactor protective system cabinet in the control room, Figure 7.2-6. Four cabinets designated as A, B, C, and D each house one channel of the protective system, Figure 7.2-7. Each cabinet contains a combined power range safety channel and wide range logarithmic channel. Mechanical and thermal barriers between the cabinets reduce the possibility of common mode failure. The detector cables are routed separately from each other. This includes separation at the containment penetration areas.

The nuclear instrumentation control signal processing equipment is located in the reactor regulating system cabinets.

7.2-4 Amendment No. 26 (11/13)

The reactor protective system is divided into four (4) separate bays as shown on Figure 7.2-6. Each bay contains one (1) separate and distinct trip path and supporting display and calculational instrumentation. Mechanical and thermal barriers are installed between the bays to accomplish the desired physical separation and independence.

The vertical barriers of each cabinet, Figure 7.2-6, are constructed of a one-inch thick sheet of an incombustible panel of high thermal insulating value. The particular grade used in this application has a thermal conductivity of 0.77 BTU/(hr)(sq. ft)(F/in) at 200°F. These thermal barriers are sandwiched by two sheets of ten gauge steel which supply cabinet structural strength as well as serving as mechanical barriers between bays. These barriers are uninterrupted for the full height and width of the cabinet except where penetrated by the four (4) interbay wire ducts.

The wire ducts are each four inches high and three and three-eighth inches wide and constructed out of twelve gauge steel for mechanical strength and integrity. The wire run itself requires approximately fifteen per cent of the total wire duct area. The wire run is routed down the middle of the duct and the remaining space is packed throughout the duct length with a ceramic fiber of high insulating quality. The thermal conductivity of this insulator is approximately .35 BTU/(hr)(sq. ft)(F/in). The wire ducts are welded to each of the vertical barriers at each penetration to ensure that uninterrupted thermal and mechanical separation is maintained. The interface areas of the vertical barriers and the wire ducts have been designed so that no degradation of mechanical and thermal separation will occur by virtue of that interface.

7.2-5 Amendment 15, (1/97)

a) Wide Range Logarithmic Channel

The wide range logarithmic channels shown in Figure 7.2-4 combine conventional pulse counting and mean square variation techniques to monitor power from source range to above 100 percent of full power. The lowest decades of power indication utilize the combined pulse signal from high sensitivity fission counters. Power information is presented in terms of counts per second. Scale indication lights indicate a range change and further power information is presented as percent full power. After approximately 5 decades of counting, the counting circuitry saturates and further power level information is obtained through detection of the mean square variation of the input count rate.

Dual fission chambers within each detector assembly permit high sensitivity while operating in the gamma flux encountered following reactor shutdown. System reliability is enhanced through use of integral triaxial detector cables within the high flux region, eliminating connectors. The outputs of each counter are fed separately to an initial amplification stage in a preamplifier located in the containment but outside of the primary shield. The pulses are then combined, amplified, and transmitted to the signal processing drawer in the control room.

The high frequency pulse signals pass through a conventional log count rate circuit utilizing a discriminator, pulse shaper, flip flop, and log diode pump circuit. A biased diode cuts off that portion of the response which is adversely affected by resolution counting loss.

The low frequency components are separated by a bandpass amplifier. The ac output of the bandpass amplifier is in accordance with Campbell's Theorem and is proportional to the square root of the average pulse rate. This signal is rectified, filtered and applied to a logarithmic amplifier. As the lower portion of the output of the logarithmic amplifier is affected by gamma and alpha background, noise, imperfect rectification, and lack of pulse overlap (Campbell's Theorem applies only when pulse overlap is achieved), this portion of the response is cut off by a biased diode.

7.2-6 Amendment 15, (1/97)

By summing the two signals, a dc signal proportional to the logarithm of neutron flux over the range of approximately 10⁻⁸ percent full power to 200 percent full power is obtained. Count rate information from source level to approximately 10⁻⁷ percent of full power is displayed in the control room. The log power level signal is differentiated to provide rate-of-change of power information from -1 to +7 decades/minute. The rate signal feeds a front panel meter, the reactor protective system, and an indicator on the control board.

Channel test and calibration are accomplished by internally generated test signals which are injected to the amplifier from the signal processor in the control room. Pulse rates controlled by a crystal oscillator check the counting portion of the circuitry. The mean square portion of the circuitry is checked by inserting a rectangular pulse of calibrated amplitude. During calibration a full scale output signal is substituted for the rate signal feeding the reactor protective system. A ramp signal is available for check of the rate-of-change circuitry.

Three bistables are used in each wide range logarithmic channel. One bistable initiates an alarm on decrease of detector voltage, drawer calibration, or removal of any of the drawer modules. The second bistable is used by the reactor protective system to remove the zero power mode bypass above one percent power. The third bistable disables the rate-of-change of power output to the reactor protective system below 10⁻⁴ percent power. Lights on the drawer front panel indicate bistable condition.

The zero power manually actuated bypass allows CEA drop testing, or CEA withdrawal for other tests during shutdown. The trips bypassed are low reactor coolant flow and thermal margin/low pressure. These trips are automatically reset above one percent full power by the wide range logarithmic channels. The high rate-of-change of power trip bypass above 15 percent full power is initiated by a bistable in the power range safety channel. The high rate-of-change of power pretrip alarm is active above 10⁻⁴ percent of full power. The pretrip alarm also initiates CEA withdrawal prohibit.

7.2-7 Amendment 15, (1/97)

b) Power Range Safety Channel

The four power range safety channels shown in Figure 7.2-4 are capable of measuring flux linearly over the range of 0 percent to 200 percent of full power. The detector assembly consists of two uncompensated ion chambers for each channel. One detector extends axially along the lower half of the core while the other, which is located directly above it, monitors flux from the upper half of the core. The upper and lower sections have adequate length to monitor the full axial length of the reactor core. The dc current signal from each of the ion chambers is fed directly to the control room drawer without preamplification. Integral shielded cable is used in the region of high neutron and gamma flux.

The signal from each ion chamber is fed to an independent amplifier. Within each channel the outputs of the two amplifiers are indicated, compared and summed. The range of indication is 0 to 100 percent subchannel power. The individual amplifier output is indicated on the amplifier drawer. This output is subtracted from the output of the other amplifier in the same channel to provide a deviation signal. The summed output of the two amplifiers feeds bistables, an indicator and the reactor protective system. The 0 to 200 percent full scale output is always fed to an indicator and to the bistable which is used by the reactor protective system to disable the wide range logarithmic channel rate trip above 15 percent full power.

Channel calibration and test is accomplished by an internal current source which checks amplifier gain and linearity. A check of the high flux trip set point is provided by a current signal which is added to the normal detector output.

Each power range channel contains two bistables: one, previously mentioned, disables the rate of change of power trip signal; the other, a failure monitor, initiates an alarm on decrease of detector voltages, drawer calibration, or removal of any of the drawer modules. The condition of each bistable is shown by a front panel light.

c) Power Range Control Channel

The power range control channels are located in the reactor regulating system cabinets in the control room. These power level signals are connected only with the reactor regulating system and to remote indicators.

7.2-8 Amendment No. 22 (05/07)

d) Comparison

Comparisons contained herein were considered valid at the time the operating license for St. Lucie Unit 1 was issued, and are being retained in the updated FSAR for document completeness and historical record. No present or future update of this subsection is required.

The nuclear instrumentation and control systems are functionally identical to that provided for Calvert Cliffs Units 1 and 2 (AEC Docket No. 50-317 and 50-318). The reactor protective system for St. Lucie is different from Calvert Cliffs as described below.

The particular trips (i.e., thermal margin, local power density and high power) have as their prime function the assurance that acceptable fuel design limits described in Section 4.4 are not exceeded during anticipated operational occurrences. The local power density trip for St. Lucie is a modified version of the axial flux offset trip described in the Calvert Cliffs FSAR. The name of the trip has been changed relative to the Calvert Cliffs FSAR in order to more accurately describe its function.

The modifications made to the thermal margin, axial flux offset and high power trips can be categorized as follows:

1) Providing additional input to the trips, and
2) Providing additional processing equipment for the trips.

The modifications were made to increase the operating flexibility over that provided by the equivalent trips described in the Calvert Cliffs FSAR.

7.2.1.2 Reactor Trips

Signals from the process measurement loops are sent to voltage comparator circuits (bistables) where the input signals are compared to predetermined trip values. Whenever a channel parameter reaches the trip value, the channel bistable deenergizes the bistable output relay. The bistable output relay will deenergize trip relays. Outputs of the trip relays are in the trip logic (described in Section 7.2.1.3). Pretrip bistables and relays are also provided (Figure 7.2-8).

a) High Power Level

A reactor trip at high power level (Q) is provided to trip the reactor in the event of reactivity excursions which might be too rapid to be adequately terminated by a high pressure trip and to prevent violation of the CEA position vs. power level relationships assumed in the thermal margin and local power density trips.

The high power trip setpoint can be set no more than a predetermined amount above the indicated plant power. Operator action is required to increase the setpoint as plant power is increased. The setpoint is automatically decreased as power decreases.

7.2-9 Amendment No. 16, (1/98)

The setpoint and Q (the higher of nuclear or thermal power as described in Section 7.2.1.2.g) are compared in a bistable trip unit in each of the four safety channels. The high power trip is initiated by two-out-of-four coincidence logic from the four safety channels.

Figure 7.2-9 shows the operation of the system. If Q decreases, the setpoint QTR follows it, remaining above Q by a fixed, adjustable bias Qb. If Q now increases, the setpoint remains at the minimum value of Q + Qb last achieved, until reset by the operator. The system is capable of holding the setpoint QTR at the previous minimum of Q + Qb indefinitely. This requirement precludes storing QTR by purely analog means. For this reason, the signal is stored as a digital word.

The reset circuit is designed to apply a momentary signal to the appropriate terminal of the digital storage device when a pushbutton outside of the reactor protective system cabinet is depressed. The signal QTR is limited so that, regardless of the logic described above, it cannot go above or below limits set by potentiometers.

Other circuits generate a pretrip limit for the bistable trip as well as a contact closure to alert the operator when power increases after reaching a minimum. The pretrip alarm provides audible and visual annunciation in addition to CEA withdrawal prohibit signals.

Q and QTR are processed and buffered for remote display in the control room. Q is also supplied to the CEA position indication system and the DCS (Distributed Control System) for use in power dependent insertion limit calculations.

b) High Rate of Change of Power

The high rate-of-change of power trip is not credited in any of the Chapter 15 accident analyses; however, the trip is considered in the safety analysis in that the presence of this trip function precluded the need for specific analyses of other events initiated from subcritical conditions (events not discussed in Chapter 15).
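The behaviour of the high power level trip setpoint in item a) above (QTR follows Q downward at Q + Qb, holds its minimum when Q rises, and is bounded by fixed limits) is modelled below for a single safety channel. This Python sketch is an added illustration, not plant or vendor code: the bias, limits, pretrip margin and power history are constructed values, and re-basing the setpoint at the current Q + Qb on reset is an assumption about what the operator reset does.

```python
"""Illustrative model of the variable high power trip setpoint (added example).

Q, QTR and Qb follow the text. The numeric bias, limits and pretrip margin
are constructed values, and reset() re-basing the setpoint at Q + Qb is an
assumption about what the operator reset does.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class HighPowerSetpoint:
    q_bias: float = 10.0          # Qb, percent power (constructed)
    q_tr_low: float = 15.0        # lower limit of QTR (constructed)
    q_tr_high: float = 107.0      # upper limit of QTR (constructed)
    pretrip_margin: float = 2.0   # pretrip offset below QTR (constructed)
    q_tr: Optional[float] = None  # stored setpoint, held until lowered or reset

    def _limited(self, value):
        """QTR cannot go above or below the fixed limits."""
        return max(self.q_tr_low, min(self.q_tr_high, value))

    def reset(self, q):
        """Operator pushbutton: re-base the setpoint at the current Q + Qb."""
        self.q_tr = self._limited(q + self.q_bias)
        return self.q_tr

    def update(self, q):
        """Process one sample of Q; returns (QTR, pretrip, trip).

        The stored setpoint only ever moves down here: it follows a falling
        Q at Q + Qb and stays at the last minimum while Q rises.
        """
        candidate = self._limited(q + self.q_bias)
        if self.q_tr is None or candidate < self.q_tr:
            self.q_tr = candidate
        pretrip = q >= self.q_tr - self.pretrip_margin
        trip = q >= self.q_tr
        return self.q_tr, pretrip, trip


# Constructed power history in percent: load reduction, then power recovery.
HISTORY = [100.0, 80.0, 50.0, 50.0, 55.0, 58.0, 61.0]


def run(history, reset_at=()):
    """Replay a power history; `reset_at` holds sample indices where the
    operator presses reset before that sample is processed."""
    setpoint = HighPowerSetpoint()
    rows = []
    for i, q in enumerate(history):
        if i in reset_at:
            setpoint.reset(q)
        rows.append((q, *setpoint.update(q)))
    return rows


if __name__ == "__main__":
    for label, resets in (("no reset", ()), ("reset at sample 4", (4,))):
        print(label)
        for q, q_tr, pretrip, trip in run(HISTORY, resets):
            print(f"  Q={q:5.1f}  QTR={q_tr:5.1f}  pretrip={pretrip}  trip={trip}")
```

Without the reset, the recovery from 50 percent reaches the held setpoint of 60 percent and the channel trips; with the reset at 55 percent the setpoint is re-based to 65 percent and the same history produces neither pretrip nor trip.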
The rate-of-change of power is monitored at startup by four wide range startup channels, as shown in Figure 7.2-4. The channels' dual fission chambers cover a range of greater than ten decades. The wide range is effected by using a combination of counting and mean square variation techniques which also provide good rejection of background gamma signals in order to provide an operating range from start-up to full power.

7.2-10 Amendment No. 21 (12/05)

A reactor trip is initiated prior to the rate-of-change of reactor power exceeding 2.49 decades per minute over a range of 10⁻⁴ percent to 15 percent power, as measured by any two wide-range channels. The trip signal is automatically bypassed below 10⁻⁴ percent and above 15 percent power.

A high rate-of-change of power pretrip alarm is generated from each channel bistable trip unit prior to the rate-of-change of power exceeding 1.5 decades per minute above a power level of 10⁻⁴ percent. This condition also initiates a CEA withdrawal prohibit action to prevent the further withdrawal, but not insertion, of any regulating CEA's. Visual and audible annunciation is also provided.

c) Low Reactor Coolant Flow

The low reactor coolant flow trip is provided to protect the core against departure from nucleate boiling (DNB) in the event of a coolant flow decrease. The functional diagram is shown on Figure 7.2-10.

The flow measurement signals are provided by summing the output of the differential pressure transmitters across each steam generator to provide an indication of the total coolant flow through the reactor. This measurement is indicated as a differential pressure (Δp) corresponding to actual flow. The flow reactor trip is actuated directly by the summed Δp signal. A reactor trip is initiated by two-out-of-four coincidence logic from the four independent measurement channels when the flow falls below a preselected value.

7.2-11 Amendment No. 18, (04/01)

Pretrip alarms are initiated if the coolant flow approaches the minimum required for reactor operation at the corresponding power level. The zero power mode bypass switch allows this trip to be bypassed for subcritical testing of control element drive mechanisms. The trip bypass is automatically removed above 1 percent power.

d) Low Steam Generator Water Level

An abnormally low steam generator water level indicates a loss of steam generator secondary water inventory. If not corrected, this would result in a loss of capability for removal of heat from the reactor coolant system. The low steam generator water level reactor trip protects against the loss of feedwater flow accident described in Section 15.2.8 and assures that the design pressure of the reactor coolant system will not be exceeded. The trip set point specified in Table 7.2-2 assures that sufficient water inventory will be in the steam generator at the time of trip.

A reactor trip signal is initiated by two-out-of-four logic from four independent channels. Each channel actuates on the lower of two signals from two downcomer level differential pressure transmitters, one on each steam generator. Audible and visual pretrip alarms are actuated to provide for annunciation of the approach to reactor trip conditions.

e) Low Steam Generator Pressure

An abnormally high steam flow from one of the steam generators (e.g., that which would occur as the result of a steam line break) would be accompanied by a marked decrease in steam pressure. To protect against an excessive rate of heat extraction from the steam generators and subsequent cooldown of the reactor coolant following a steam line break, a reactor trip is initiated by low steam generator pressure.

A reactor trip signal is initiated by two-out-of-four logic from four independent channels. A functional diagram of the measurement channels is shown in Figure 7.2-11. Each channel actuates on the lower of the two signals from two pressure transmitters, one on each steam generator. Audible and visual pretrip alarms are actuated to provide annunciation of approach to reactor trip conditions.

A bypass is provided for the low steam generator pressure trip to allow performance of zero power physics testing. Bypass is accomplished manually by means of a key operated switch in each channel. The manual bypass is enabled only below a preset steam pressure and is automatically removed above this set point. Figure 7.2-12 is a functional diagram of this circuit.

7.2-12 Amendment No. 17 (10/99)

The trip bypass is initiated manually by turning a switch to the BYPASS position. The bypass is removed, regardless of the manual switch position, if either of the steam generator pressures exceeds a predetermined set point. When the manual switch is in the "Off" position, steam generator pressure will not remove the trip as the pressure decreases.

The reactor trip set point (Table 7.2-2) is sufficiently below the full load operating pressure not to interfere with normal operation, but still high enough to provide the required protection in the event of excessively high steam flow.

f) High Pressurizer Pressure

A reactor trip for high pressurizer pressure is provided to prevent excessive blowdown of the reactor coolant system by relief action through the pressurizer safety valves. A reactor trip is initiated by two-out-of-four coincidence logic from the four independent measuring channels if the pressurizer pressure exceeds 2385 psig. This signal simultaneously will open the power operated relief valves.

The trip signals are provided by four independent narrow range pressure transducers measuring the pressurizer pressure at four independent instrument taps. Pretrip audible and visual alarms are initiated if the pressurizer pressure exceeds 2335 psig as indication of the approach to reactor trip conditions.

g) Thermal Margin/Low-Pressure Trip

The thermal margin/low pressure trip is provided for two purposes. The thermal margin portion of the trip, in conjunction with the low reactor coolant flow trip, is designed to prevent the reactor core safety limit on DNB from being violated during anticipated operational occurrences. The low pressurizer pressure portion of the trip functions to trip the reactor in the event of a loss of coolant accident.

A reactor trip is initiated whenever the reactor coolant system pressure signal drops below either 1887 psia or a computed value as described below, whichever is higher.
The computed value of low system pressure is a function of the higher of T power or neutron power, reactor inlet temperature, four (4) reactor coolant pumps operating and a factor representing axial flux shape. The computed value is independent of boron concentration. Consistent with the Technical Specifications, the minimum value of reactor coolant flow rate, the maximum azimuthal tilt and the maximum CEA deviation permitted for continuous operation are assumed in the generation of this computed trip function. CEA group sequencing in accordance with the Technical Specifications and the maximum insertion of CEA banks which can occur during any anticipated operational occurrence prior to a high power level trip is assumed in the computed pressure value.

Figures 7.2-13, -14, -15, and -16 describe the operation of this trip system. The higher of the two inlet temperatures is added to a correction term proportional to thermal power. This feature compensates for temperature stratification error in the coolant piping. The power dependent CEA function is inversely proportional to the power to fuel design limit (Pfdn) and modifies the low pressure trip limit to account for potential increase in radial peaking allowed by the greater permissible insertion of the control element assemblies below full power. The effect of axial power distribution on the low pressure trip limit is accounted for by calculating the power to fuel design limit (Pfdn) using the most adverse axial power distribution allowed by the local power density trip. The variable low pressure Pvar limit is calculated as a function of the existing axial power distribution as shown by the equations on Figure 7.2-14.

Figure 7.2-15 shows a logic diagram of the thermal power calculation. The calculation begins with the generation, by temperature transmitters, of currents representing the cold and hot leg temperatures in each loop. Voltages representing cold leg temperatures (Tc1 and Tc2) and the hot leg temperature (Th) are developed across precision resistors for calculator inputs. The latter signal is the average Th for the two loops, provided a pump is running in each loop(1). If a loop is idle, the active loop temperature only is used.

In the calculator, the higher cold leg temperature signal is selected and subtracted from the hot leg temperature signal to determine the temperature rise. The calculator generates terms proportional to the first and second powers of the temperature rise and to the product of temperature rise and cold leg temperature. These three terms represent thermal power for four-pump operation and steady state conditions, accounting for coolant density, specific heat, and flow rate variations with temperature and power. To provide an adequate core power indication during mild transients, such as ramp load changes, a dynamic response term is added as shown.
The sum of these terms represents the core thermal power (B on Figure 7.2-15) for four-pump operation under steady state or mild transient conditions. This sum is multiplied by a factor F, which is unity for four-pump operation and less than unity for other configurations(1). This factor compensates for the fact that, for a given power, the temperature rise is greater for reduced flow. The multiplying factor is selected by the flow dependent set point selector switch (S3), which also selects the low flow trip set points.

The coefficient of the term which is proportional to the temperature rise (K) is set by the potentiometer labeled "T Power Calibrate" on the reactor protective system calibration and indication panel (RPSCIP) front panel. This factor is adjusted to make the thermal power calculation agree with the periodic plant calorimetric calculations. A cover is provided to ensure, in accordance with the requirements of Section 4.18 of IEEE 279-1971, that the potentiometer setting cannot be inadvertently changed.

The thermal power (B) is subtracted from the nuclear power () generated by the nuclear instrumentation channel and the difference is displayed on a meter relay with a range of -10 percent to +10 percent of full power. The meter has adjustable upper and lower set points. The contacts energize local indicator lights when the deviation goes outside the range defined by the set points.

(1) Note: At-power operation with less than four (4) Reactor Coolant Pumps is not allowed by plant Technical Specifications, and the Flow Dependent Setpoint Selector Switch has been hardwired in the 4-Pump position.

In order to make the nuclear power signal agree with the thermal power and/or the plant calorimetric calculation, a potentiometer labeled "Nuclear Power Calibrate" is provided on the RPSCIP front panel. This potentiometer adjusts the gain of the nuclear instrumentation channel from 0.8 to 1.33. A plastic cover is installed over the potentiometer to satisfy the intent of Section 4.18, IEEE Std 279-1971 on administratively controlled access to setpoint adjustments.

An auctioneering circuit selects the higher of nuclear power or thermal power for use in the remainder of the system. The signal Q, the maximum of nuclear or thermal power, is modified by a CEA position function. The resulting signal is then augmented by an axial factor which is generated in the local power density trip section as shown on Figure 7.2-16 and described in Section 7.2.1.2 Item j. The resulting signal is called QDNB.

A pressure setpoint Pvar is calculated as a linear function of QDNB and of the modified inlet temperature described above. The flow dependent coefficients of the linear function are selected by the S3 switch(1). This low pressure setpoint Pvar is calculated as a function of measured cold leg temperature, axial offset and core power using preset coefficients. These coefficients define the relationship between the measured parameters and the pre-determined trip value of pressure.

The setpoints for the thermal margin/low pressure trip are obtained from the results of analyses similar to those discussed in Section 4.4.3.3.2. The same thermal and hydraulics codes are used to calculate the power at the fuel design limit on DNB. The number of axial power distributions and radial peaking factors considered in this analysis is greatly in excess of those typical distributions discussed in Section 4.4.3.3.2. A brief description of the analysis involved is given below.
The power distributions, generated as discussed in Section 4.3.2.4, are analyzed to determine a correlation between peripheral axial shape index and the power level to the fuel design limit on DNB, Pfdn. Pfdn is defined as the core average power at the DNB fuel design limit for a given axial power distribution, radial peak, core coolant inlet temperature, reactor coolant system pressure and reactor coolant flow rate. This correlation is generated parametrically in CEA insertion such that for each of a number of CEA insertions the relationship between peripheral axial shape index and Pfdn is determined. This Pfdn is determined at a base core coolant inlet temperature and reactor coolant system pressure.

To complete the evaluation of the fuel design limit on DNB another parametric analysis is performed to relate the Pfdn at the above base core coolant inlet temperature and reactor coolant system pressure to the Pfdn at other conditions of core coolant inlet temperature and reactor coolant system pressure. Thus for any value of peripheral axial shape index and CEA insertion the power level to the fuel design limit on DNB is known for the values of core coolant inlet temperature and reactor coolant system pressure of interest.

The correlation between peripheral axial shape index and the power level at the fuel design limit on DNB, Pfdn, at a base core coolant inlet temperature and reactor coolant system pressure is reduced by the appropriate calculational and measurement uncertainties and forms the basis of the Axial Function shown in Figure 7.2-14. The measured ex-core shape index is corrected for the effects of shape annealing by the Linear Function shown in Figure 7.2-16 to represent a measurement of peripheral axial shape index at axial offset. The output of the Axial Function thus defines the pre-determined relationship between peripheral axial shape index and Pfdn at the base core coolant inlet temperature and reactor coolant system pressure.

The remaining step in the determination of Pfdn is the determination of CEA insertion. CEA insertion is inferred by the measurement of core power through the power dependent insertion limits. The power dependent insertion limits represent the maximum insertion allowed as a function of core power. The correlation between the maximum insertion possible during an anticipated operational occurrence and core power is defined by the maximum insertion allowed by the CEA block circuit and the variable high power trip. It is this last correlation that is used with the parametric analysis of Pfdn with CEA insertion to determine the CEA function of Figure 7.2-14. The output of this CEA Function thus defines the predetermined relationship between CEA insertion and Pfdn at the base coolant inlet temperature and reactor coolant system pressure.

The outputs of the Axial Function and the CEA Function are then combined to generate QDNB, a calculated function of core power and axial offset that defines the predetermined relationship between Pfdn, at the base core coolant inlet temperature and reactor coolant system pressure, and CEA insertion and axial shape index.

The remaining coefficients () that define Pvar are determined from the parametric analysis discussed above (, and ) that defines the Pfdn at other conditions of core coolant inlet temperature and reactor coolant system pressure. The results of this parametric analysis are reduced by the appropriate calculational, measurement and processing uncertainties to define the DNB fuel design limits.
These limits are further reduced by an allowance that corresponds to the time delay associated with providing effective termination of the occurrence that exhibits the most rapid decrease in margin to the DNB fuel design limit. The , and coefficients are then derived from these limits. The coefficient defines the variation of Pvar with core power. The coefficient defines the variation of Pvar with core coolant inlet temperature and the coefficient is a biasing term.

An auctioneering circuit selects the maximum of this calculated pressure setpoint and a constant Pmin, and sends the resulting signal to the trip unit as a downscale trip setpoint. Trip will occur if the primary pressure drops below the calculated setpoint or below 1887 psia, whichever is larger. A pretrip setpoint, 50 psi above the trip point, is also generated. These trip points can be driven to maximum value by the ASGT calculator creating a trip condition (see Section 7.2.1.2k).

The trip signal is initiated by a two-out-of-four coincidence logic from four independent safety channels, and audible and visual pretrip alarms are actuated to provide for annunciation on approach to reactor trip conditions. The pretrip action also initiates a CEA withdrawal prohibit.

The zero power mode bypass switch allows this trip to be bypassed for low power testing. The trip bypass is automatically removed above 1 percent power. The thermal margin trip setpoint is processed and buffered for remote display on the main control board in four recorders which compare the trip setpoint with indicated pressurizer pressure.

h) Turbine Trip

The reactor trip on a turbine trip is an equipment protective trip and is not required for reactor protection as shown in Section 15.2.7. However, this trip will precede the high pressurizer pressure trip if a turbine trip were to occur. This trip is initiated above a preset power level of 15 percent by actuation of 2 of 4 low hydraulic oil pressure switches associated with the turbine-generator control system.

i) High Containment Pressure

A trip is provided on high containment pressure in order to assure that the reactor is tripped prior to safety injection system actuation. Four pressure measurement channels provide analog signals to bistable trip units which are connected in a two-out-of-four coincidence logic to initiate the protective action if the containment pressure exceeds a preselected value.

j) High Local Power Density Trip

The high local power density trip is provided to prevent the peak local power density in the fuel from exceeding fuel centerline melt limit during anticipated operational occurrences thereby assuring that the melting point of the UO2 fuel will not be reached. Refer to Section 4.4.3.5 for discussion regarding fuel parameters.

A reactor trip is initiated whenever the axial offset exceeds either a high or low calculated setpoint as described below. The axial offset is calculated from upper and lower out-of-core neutron detector channels. The calculated setpoints are generated as a function of the core power level with the CEA group position being inferred from the core power. The trip is automatically bypassed below 15 percent power.
Consistent with the Technical Specifications, the maximum azimuthal tilt and the maximum CEA deviation permitted for continuous operation are assumed in generation of the setpoints. In addition, CEA group sequencing in accordance with the Technical Specification is assumed. Finally, the maximum insertion of CEA banks which can occur during any anticipated operational occurrence prior to a high power level trip is assumed.

Figure 7.2-16 shows a block diagram of a typical channel. Circuits in the power range safety channel generate signals proportional to the sum of and the difference between the upper and lower detector outputs. An axial offset signal is formed as a linear function of the ratio of the difference to the sum and compared with upper and lower limits generated from a modified power signal described in Section 7.2.1.2g. If the axial offset exceeds either calculated limit, a contact in the calculator opens and deenergizes the trip relays in an auxiliary trip unit. The pretrip relay is similarly released if a narrower envelope is exceeded. Trip also occurs if either "trip test" knob on the power range safety channel is moved off the zero position.

k) Asymmetric Steam Generator Transient Trip

The Asymmetric Steam Generator Transient (ASGT) trip consists of steam generator pressure inputs to the TM/LP calculator, which causes a reactor trip when the difference in pressure between the two steam generators exceeds the trip setpoint. The ASGT is designed to provide a reactor trip for those events associated with secondary system malfunctions which result in asymmetric primary loop coolant temperatures. The most limiting event is the loss of load to one steam generator caused by a single main steam isolation valve closure. The equipment trip setpoint and allowable values are calculated to account for instrument uncertainties, and will ensure a trip at or before reaching the analysis setpoint.

l) Manual Trip

A manual reactor trip is provided to permit the operator to trip the reactor. Depressing two adjacent pushbutton switches at the reactor turbine generator board causes interruption of the ac power to the CEDM power supplies with a subsequent reactor trip. Two pairs of trip pushbutton switches are provided at different locations on the reactor turbine generator boards to enable more rapid operator action. The manual trip function is testable during reactor operation.

7.2.1.3 Trip Logic

Each measurement channel which can initiate protective action operates a channel trip unit. Each trip unit includes three sealed, electromagnetically actuated reed relays and associated contacts. Four trip units are normally actuated for each trip condition. The relays in each of the four trip units provide a separate trip path for each trip condition; the trip paths are designated as channels A, B, C, and D on Figure 7.2-2. The relays in each trip unit are numbered 1, 2 and 3.

The normally open contacts from the No. 1 relay group of channel A are connected into a two-out-of-two logic matrix with channel B relay contacts. The No. 2 and No. 3 relay contacts are similarly connected into two other two-out-of-two logic matrices with channel C and channel D relay contacts. With the two No. 2 and No. 3 relay contacts of channels B, C and D similarly arranged into BC, BD, and CD combinations of two-out-of-two logic matrices, there are a total of six two-out-of-two logic matrices, forming a two-out-of-four coincidence logic with respect to the input channels.

A set of four sealed, electro-magnetically actuated relays are at the output of each logic matrix. The contacts from one relay of the logic trip set from each logic matrix output are placed in series with corresponding contacts from the remaining sets in each of the four trip paths. Each of these paths is in the power supply line to a trip breaker control relay whose contacts provide actuation of undervoltage and shunt trips on the trip circuit breakers, thus interrupting the ac power to the CEDM's power supplies. Deenergizing of any one trip breaker control relay interrupts (opens) one trip path and trips the two breakers controlled by that trip path. Deenergizing any set of four logic trip relays causes an interruption of all trip paths and a full trip. Each of the six logic trip matrices energizes one set of four logic trip relays.

If one of the trip units is to be removed for maintenance, the logic matrices may be changed from a two-out-of-four trip to a two-out-of-three trip by the manual operation of the logic bypass switch shown on the output of the trip module. One key operated switch is provided for each trip unit. Only one key is provided for the trips for any one variable to ensure that only one of a group of four could be bypassed at one time.

Where the trip is to be allowed only in selected power ranges, a neutron flux signal is utilized to inhibit the action of the trip units. A manually actuated inhibit action may, under administrative control, be applied to the low reactor coolant flow, thermal margin and low steam generator pressure trips for zero power testing. The inhibits on reactor coolant flow and thermal margin are automatically removed above a preset power. The inhibit on steam generator pressure is automatically removed above a preset pressure. The high rate-of-change of power trip is automatically inhibited below about 10^-4 percent power and above 15 percent power. Protective system criteria are met by the use of neutron flux signals to provide multiple independent inhibit or reset signals.

The tripping CEDM's are separated into two groups. The CEDM power supplies in each group are supplied in parallel with three phase ac power from the motor-generator sets. Two full capacity motor-generator sets are provided so that the loss of either set does not cause a release of the CEA's. Each power supply source is separated into two branches. Each side of each branch line passes through two trip circuit breakers (each actuated by a separate trip path) in series so that, although both sides of the branch lines must be deenergized to release the CEA's, there are two separate means of interrupting each side of the line. This arrangement provides means for the testing of the protective system.

Two sets of manual trip pushbuttons are provided to open the trip circuit breakers, if desired. The manual trip completely bypasses the trip logic. As can be seen in Figure 7.2-2, both manual trip pushbuttons in a set must be depressed to initiate a reactor trip; however, depression of the buttons need not be simultaneous.

The reactor trip switch gear is housed in a cabinet separate from the reactor protective system and is located in the electrical equipment room below the control room. In addition to the trip circuit breakers, the cabinet also contains current monitoring devices for testing purposes, bus undervoltage relays for auxiliary functions, and a bus tie breaker.

7.2.1.4 Trip Bypasses

Trip bypasses are provided for the protective system to allow certain parts of the system to be disabled to permit testing, maintenance and start-up. These bypasses are shown in Table 7.2-3.

The low steam generator pressure bypass is provided for two conditions: system tests at low power and low temperature, and heatup and cooldown with shutdown CEA's withdrawn. The zero power mode bypass is used in mode 3 and below consistent with the technical specifications and operating procedures. The bypasses are manually initiated and removed, with automatic removal as a backup to assure full system capability. The loss of load bypass is provided to remove this equipment protective trip below 15 percent power so that the reactor can be started up with the turbine tripped.

A trip channel bypass capability is provided to remove a trip channel from service for maintenance or testing. The bypass is actuated by the use of a key operated switch. By the use of administrative controls only one key is available for each trip parameter. Therefore, only one channel of a given parameter can be bypassed at a time. The actuation of the bypass places the logic for the parameter in a two-out-of-three mode. All bypasses are visibly and audibly annunciated to ensure operator cognizance that an abnormal protective system mode is in effect.

7.2.1.5 Trip Interlocks

The following interlocks are provided.

a) An electrical interlock will allow only one set of four matrix relays in one matrix to be held at a time during system testing. The same circuit will allow only one process measurement loop signal to be perturbed at a time. The matrix relay hold and process loop perturbation switches are interlocked so that only one or the other may be operated at any one time.

b) Placement of a nuclear instrument drawer calibration switch to other than the "operate" position will cause a channel high power level trip.

c) A mechanical interlock prevents the operator from bypassing more than one trip channel at a time for any one type of trip. Different type trips may be simultaneously bypassed, however, either in one channel or in different channels.

7.2.1.6 Testing and Inspection

Since operation of the protective system will be infrequent, the system is periodically and routinely tested to verify its operability. A complete channel can be individually tested without initiating a reactor trip or violating the single failure criterion, and without inhibiting the operation of the reactor protective system. The testing system meets the criteria of IEEE Standard 338-1971, "IEEE Trial-Use Criteria for the Periodic Testing of Nuclear Power Generating Station Protection Systems", and of Safety Guide 22, "Periodic Testing of Protection System Actuation Functions".

The reactor protective system is capable of being checked from the trip unit input through the power supply circuit breakers of the control element drive mechanisms (Figure 7.2-17). The majority of the components in the protective system can be tested during reactor operation. The remainder of the components can be checked by comparison with similar channels or channels that involve related information. These components, which are not tested during reactor operation, will be tested during scheduled reactor shutdown to assure that they are capable of performing the necessary functions. Minimum frequencies for checks, calibration and testing of the reactor protective system instrumentation are given in the Technical Specifications.

The use of individual trip and ground detection lights, in conjunction with those provided at the supply bus, assure that possible grounds or shorts to another source of voltage are detected. Overlap in the checking and testing is provided to assure that the entire channel is functional. The individual types of tests are described in the subsections below.

The response time from an input signal to the protective system trip units from the measurement channel sensors through the opening of the trip circuit breakers is verified by measurement during plant startup testing. Testing of protective system response times is conducted in accordance with standard industry practice and requirements set forth in Section 13.8.2.1 and the Technical Specifications.

Periodic testing can be carried out from the control room to ensure the continuity of the measurement loop. A supplementary signal is introduced into a measurement loop which has been bypassed and the response of the system to this signal is indicated on a meter on the protective system calibration and indication panel. This will verify the continuity of the loop and ensure its continued operability.

The reactor protective system is manufactured under strict engineering and quality control specifications. These specifications require that the equipment be inspected for workmanship, proper materials and channel separation as required by IEEE 279-1971. Furthermore, all intra and interconnection wiring is tested for continuity and an insulation test is performed between each conductor and chassis ground and between each individual pair of connectors. An operational test is performed on the system during which time input signals are simulated to ensure that the protective system is capable of producing the proper trip signals. This system is included in the plant preventive maintenance program.

a) Sensor Checks

During reactor operation, the measurement channels providing an input to the reactor protective system are checked by comparing the outputs of similar channels and cross-checking with related measurements. During extended shutdown periods (i.e., refueling) these measurement channels (where possible) are checked and calibrated against known standards.

The Instrument and Control Test Equipment which will be used to verify Reactor Protection System Instrumentation sensor accuracies is checked periodically against shop reference standards. The standards used for checking and calibration of the Reactor Protection System measurement channels are traceable to nationally recognized standards. The standards are at least four times more accurate than the devices to be calibrated. Shop reference standards will be returned periodically to calibration facilities for recertification.

The exceptions considered to have no absolute standards are:

a) Nuclear power range safety channels.
b) Wide range logarithmic neutron monitors.
c) Control element assembly position bank counters.
d) Boric acid control logic channels.
e) Seismograph.

Table 7.2-1 provides sensor response times for instruments providing input to the reactor protection system, and Table 7.3-1 provides similar data for the engineered safety feature actuation system (ESFAS). The total delay time (sensor plus RPS delay) assumed for each RPS trip in the accident analysis of Section 15 is provided in Table 13.8.2-1. The latter table indicates the conservatism in the accident analysis by providing both expected and assumed delay times. Generally, sensor delay times are small compared to total RPS trip delay time assumed for accident analysis, e.g.,

                                          Sensor Delay    Total Delay
    Low Reactor Flow (Steam Generator P)  0.8 sec.        1.025 sec.
    High Pressurizer Pressure             0.032 sec.      0.90 sec.
    Low Steam Generator Level             0.025 sec.      0.90 sec.

With regard to the response time of the sensor, there are three basic types of sensors to consider, namely,

a) Flux - The sensor itself responds to a nuclear event, thus its response is essentially instantaneous.

b) Thermoresistive Elements - The response time of a resistance thermometer element is much less than the response time of the protective well assembly housing the element, and the accident analyses utilize a simulation of the entire assembly. Thus, periodic checks of thermometer element response times are of questionable value. It should also be noted that RCS temperature does not provide a reactor trip directly. Hot and cold leg temperatures are one of several inputs to a computed trip function (Thermal Margin/Low Pressure Trip - see Section 7.2.1.2(g)).

c) Electromechanical Devices (pressure, level, flow) - Simple mechanical devices convert changes in the measured variable to small displacements that upset a balanced electrical circuit. With regard to response time, the mechanical portion of the device would be controlling. Factors that could conceivably affect response time, for example, friction and changes in material mechanical properties, also affect accuracy and thus would be monitored by routine periodic calibrations.

The possibility of inferring sensor response time by studying transients resulting from perturbations to the process system itself was considered. For minor system perturbations, sensor response times would generally be much less than the system response time. Perturbations large enough to reduce system response time to a point where sensor response time could conceivably be inferred from transient data would undoubtedly result in reliance on reactor protective functions, i.e., unit trip. Perturbations of this nature would not be created intentionally. Even for large perturbations, sensor and system response times are inseparable, and the ability to measure accurately the sum of sensor plus system response times is questionable. Nevertheless, testing is performed in accordance with Section 13.8.2.1 and the Technical Specifications.

b) Trip Bistable Tests Testing of the trip bistables is accomplished by manually varying the trip input signal to the trip set point level and observing the trip action, one bistable at a time (Figure 7.2-18). Varying of the input signal is accomplished by means of a trip test circuit which consists of a digital voltmeter and a test circuit by which the magnitude of the signal supplied by the measurement channel to trip input can be varied. The trip test circuit is interlocked electrically so that it can be used in only one channel at a time. 7.2-25

A switch selects the measurement channel and a pushbutton applies the test signal. The digital voltmeter indicates the value of the test signal. The test circuit permits various rates of change of signal input to be used. Trip action (deenergizing) of each of the bistable trip relays is indicated by individual lights on the front of the cabinet, indicating that the contacts of these relays, which are located in the two-out-of-four logic matrices, operate as required for a trip condition. When one of the four trip bistables of a protective channel is in the tripped condition, a channel trip exists, which is annunciated on the control room annunciator panel. Under this condition, a reactor trip would take place upon receipt of a trip signal in one of the other three like trip channels. The trip channel under test would normally be bypassed for this test, converting the reactor protective system to a two-out-of-three logic for the particular trip parameter. In either case, full protection is maintained. c) Logic Matrix Tests This test is carried out to verify proper operation of the six two-out-of-four logic matrices, any of which will initiate a bona-fide system trip for any possible two-out-of-four trip condition from the signal inputs from each measurement channel. The matrix hold pushbutton switch permits only one of the two-out-of-four logic matrices to be tested at a time. As shown in Figure 7.2-2, only one set of four matrix relays in one of the six logic matrices can be held in the energized position during tests. If, for example, the AB logic matrix hold pushbutton is held depressed, actuation of the other matrix hold pushbuttons will have no effect upon their respective logic matrices. Actuation of the pushbutton will apply a test voltage to the test system hold coils of the selected four double coil matrix relays. 
This voltage will provide the power necessary to hold the relays in their energized position when deactuation of the bistable trip relay contacts in the matrix ladder being tested causes deenergization of the primary matrix relay coils.

While the matrix hold pushbutton is held in its actuated position, rotating the channel trip select switch will release only those bistable trip relays that have operating contacts in the logic matrix under test. The channel trip select switch applies a test voltage of opposite polarity to the bistable trip relay test coils so that the magnetic flux generated by these coils opposes that of the primary coil of the relay. The resulting flux will be zero, and the relays will release.

Trip action can be observed by illumination of the trip relay indicating lights located on the front panel and by loss of voltage to the four matrix relays, which is indicated by extinguished indicator lights connected across each matrix relay coil. Test equipment may be used for monitoring if status lights are not available. During this test, the matrix relay "hold" lights will remain on, indicating that a test voltage has been applied to the holding coils of the four matrix relays of the logic matrix under test.

The test is repeated for all six matrices. This test will verify that the logic matrix relays will deenergize if the matrix continuity is violated. The opening of the matrix relays is tested in the trip path tests.

d) Trip Path/Circuit Breaker Tests

Each trip path is tested individually by depressing a matrix hold pushbutton (holding four matrix relays), selecting any trip position on the channel trip select switch (opening the matrix), and selecting a matrix relay on the matrix relay trip select switch (deenergizing one of the four matrix relays). This will cause one, and only one, of the trip paths to deenergize, causing two trip circuit breakers to open. CEDMs remain energized via the other trip circuit breakers.

Proper operation of all coils and contacts is verified by lights on a trip status panel; final proof of opening of the trip circuit breakers is the lack of indicated current through the trip breakers. Test equipment may be used for monitoring if status lights are not available.

The matrix relay trip select switch is turned to the next position, reenergizing the tested matrix relay and allowing the trip breakers to be manually reset. This sequence is repeated for the other three trip paths from the selected matrix. Following this, the entire sequence is repeated for the remaining five matrices. Upon completion of this test, all twenty-four matrix relay contacts, all four trip paths, and the eight trip breakers will have been tested.

e) Manual Trip Tests

The manual trip feature is tested by depressing one of the four manual trip pushbuttons, observing a trip of two trip breakers, and resetting the breakers prior to depressing the next manual trip pushbutton. In this fashion, proper operation of all four manual trip pushbuttons and the eight trip circuit breakers can be verified.

f) Bypass Tests

The system bypasses, as itemized in Table 7.2-3, are tested by appropriate test circuitry during the periodic system tests. Testing includes both initiation and removal features.
7.2.1.7 Redundancy

Redundant features of the reactor protective system include:

a) Four independent channels, from process sensor through and including channel trip relays

b) Six logic matrices which provide the two-out-of-four logic. Dual power supplies are provided for the matrix relays
c) Four trip paths, including four control logic paths and four trip path outlet relays
d) CEDM power from two power buses, including two full capacity motor-generator sets
e) Two sets of manual trip pushbuttons with either set being sufficient to cause a reactor trip
f) AC power for the system from four separate instrument buses. DC power for trip path control logic is provided from two separate DC buses

The result of the redundant features is a system which meets the single failure criterion, can be tested during reactor operation, and can be shifted to two-out-of-three logic for maintenance or system test.

7.2.1.8 Diversity

The system is designed to eliminate credible multiple channel failures originating from a common cause. The failure modes of redundant channels and the conditions of operation that are common to them are analyzed to assure that a predictable common failure mode does not exist. The design provides reasonable assurance that:

a) the monitored variables provide adequate information during design basis events
b) the equipment can perform as required
c) the interactions of protective actions, control actions and the environmental changes that cause, or are caused by, the design basis events do not prevent the mitigation of the consequences of the event
d) the system will not be made inoperable by the inadvertent actions of operating and maintenance personnel.

In addition, the design is not encumbered with additional components or channels without reasonable assurance that such additions are beneficial.

The limiting case for the unlikely event of a common mode failure concurrent with an anticipated operational occurrence has been addressed in a Combustion Engineering proprietary document titled, "Topical Report on Anticipated Transients Without Scram," issued in preliminary form dated December 30, 1971, and submitted to DRL on January 10, 1972.

The system incorporates functional diversity to accommodate the unlikely event of a common mode failure concurrent with any of the trip conditions listed in Section 7.2.1.2. Refer to Section 7.6.1.4 for information on the design of the Diverse Scram System and Diverse Turbine Trip and resolution of 10 CFR 50.62 (ATWS Rule). Also refer to Section 7.3.1.1.13.9 for discussion on diversity between RPS and AFAS.

7.2.1.9 Comparison

Comparisons contained herein were considered valid at the time the operating license for St. Lucie Unit 1 was issued, and are being retained in the updated FSAR for document completeness and historical record. No present or future update of this section is required.

The reactor protective system is functionally identical to those provided for Calvert Cliffs Unit No. 1 and 2 (AEC Docket Nos. 50-317 and 50-318), except for the high power and thermal margin trips which have been modified to provide the functions described in the appropriate parts of Section 7.2.1.2 and the addition of a local power density trip, also described in Section 7.2.1.2. These systems represent functional evolutions of the Calvert Cliffs axial offset trip protection.

The function of the St. Lucie high power level trip is to provide an upper power limit that is always a given percentage above the operating power level whereas for Calvert Cliffs the trip is set at 106.5% full power and the combination of thermal margin and axial flux offset assure not exceeding fuel design limits.
The trip provides a means of limiting the radial peaking that can be "carried-up" during a power excursion starting below 100% power. When the initial power level is 100% of rated, the 106.5% high power trip setpoint provides this assurance. Since the maximum power excursion is always limited by a set amount, credit can be taken for the reduced radial peak that may be "carried-up". The credit is reflected in the generation of the thermal margin and local power density trip setpoints and results in increased operating margins. The modification of using the auctioneered higher of the ΔT and neutron flux power as the trip variable for the high power trip is provided to increase system accuracy.

In the Calvert Cliffs design, the combination of the thermal margin and axial flux offset trips assures the integrity of the fuel design limits. If during a power excursion an axial flux offset or thermal margin trip does not occur, in which case neither would be required, a high power trip eventually results if the indicated power reaches 106.5% of rated power. The thermal margin and axial offset trip setpoints are generated by assuming that worst case radial peaks can occur at various power levels. This analysis takes into consideration the possibility of "carrying-up" high radial peaks to high power levels. This effect may occur when CEAs are in manual control and a power excursion ensues and must be accommodated up to the point of the high power trip at 107% of rated power. The high power trip then essentially provides a mechanism by which to limit the radial peaking that must be assumed in generating the thermal margin and axial offset trip setpoints.

The function of the thermal margin trip is the same on St. Lucie and Calvert Cliffs. The modification to the thermal margin trip for St. Lucie consists of adding the axial flux offset as a measured input and the processing equipment needed to relate axial offset to thermal margin limits. On Calvert Cliffs the combination of thermal margin and axial flux offset provides DNB and void fraction protection. This is accomplished by using the axial offset trip to limit the axial power distribution that can occur at any power level. This limiting distribution is then related to the thermal margin limit at that power level when generating the setpoints, since the thermal margin trip on Calvert Cliffs does not monitor the axial offset. The approach used on Calvert Cliffs does not allow credit to be taken for operation with axial offsets that are more favorable in terms of thermal margin than the offset that exists at the trip limit. Direct measurement of the axial offset in the thermal margin trip in St. Lucie allows this credit to be taken when it exists, thereby increasing margin to trip and improving operating flexibility while providing the same degree of protection as on Calvert Cliffs.

The function of the axial flux offset trip on Calvert Cliffs is twofold:

1. assure that the fuel temperature limit (i.e., kw/ft limit) is not violated
2. limit the axial power distribution that can exist at any power level to that which was assumed in generating the thermal margin trip setpoints.

The modifications made to the axial offset trip in Calvert Cliffs for the St. Lucie local power density are:

1. a power dependent radial peaking penalty function has been included, and
2. the auctioneered higher of the ΔT and neutron flux power is used as the power input to generate the trip limits.

The radial peaking factor is one parameter that offsets the kw/ft at which the plant is operating and is inferred from the sensed power level. In Calvert Cliffs the axial offset trip setpoints are determined for the worst core CEA insertion (radial peaking) that can occur at any power level. The trip functions to limit the axial peaking factor consistent with the assumed worst radial and measured power level such that the specified kw/ft limit is not exceeded. By generating trip setpoints in this manner, any change in CEA insertion limits during operation requires setpoints to be regenerated. The modification provided on St. Lucie is done to facilitate the regeneration of setpoints in the event that CEA insertion limits are modified.

In generating trip system setpoints, all measurement errors and uncertainties are included. On Calvert Cliffs, the neutron flux power is used as the power input to the axial offset trip. One uncertainty factor that is considered in generating trip setpoints is the degree of signal distortion during transients that require this trip. Two major phenomena that result in neutron flux power measurement error are:

1. CEA shadowing: This effect results from the distortion of the radial power distribution. The out-of-core detectors "see" the fast neutron flux escaping from the peripheral fuel assemblies. As CEAs are inserted or removed the power produced in the peripheral fuel assemblies will vary relative to the core average power. The result is that out-of-core detectors may indicate a power level different from the core average power.
2. Inlet temperature shadowing: This effect results from a change in density of the cold leg coolant which passes between the peripheral fuel assemblies and the out-of-core detectors. As cold leg temperature decreases from that value at which the out-of-core detectors had last been calibrated, the detectors will indicate a power level below the core average power. This is due to the fact that the incident neutron flux at the detectors will be decreased due to the increased coolant density.

The ΔT power, from a calculation of hot and cold RTD measurements, is not influenced by these two phenomena. The use of the auctioneered high of the ΔT power and neutron flux power provides a means of decreasing the uncertainty imposed on the core power measurement when generating the local power density trip setpoints.

The modifications to the Calvert Cliffs axial flux offset trip to provide the St. Lucie local power density trip result in increased operating margin and increased system flexibility, while satisfying the same criteria (i.e., kw/ft) protection and providing the same degree of protection.

Listed below is a comparison of trip variables monitored and the trips providing protection to maintain acceptable fuel design limits for the Calvert Cliffs and St. Lucie reactor protection systems.

TRIP FUNCTIONS

ACCEPTABLE FUEL DESIGN LIMIT | ST. LUCIE | CALVERT CLIFFS
DNBR and Void Fraction | Thermal margin trip; High power trip; Low flow trip | Thermal margin trip; Axial flux offset trip; Low flow trip
Kw/ft (Fuel Temperature) | Local power density trip; High power trip | Axial flux offset trip

TRIP | ST. LUCIE | CALVERT CLIFFS
Thermal margin | Pressurizer pressure; Neutron flux power; ΔT Power; Core inlet temperature; Axial flux offset | Pressurizer pressure; Neutron flux power; ΔT Power; Core inlet temperature
Axial flux offset | - | Neutron flux power; Axial flux offset
Local power density | Neutron flux power; ΔT Power; Axial flux offset | -
High power | Neutron flux power; ΔT Power | Neutron flux power
Low flow | Steam generator differential pressure | Steam generator differential pressure

7.2.1.10 Sensors and Set Points

The type, number and location of the reactor protective system sensors are given in Table 7.2-4. The nominal full power values of monitored conditions and their corresponding protective action (trip) set points are given in Table 7.2-5. System response times are discussed in Section 15.1.3.

7.2.2 ANALYSIS

7.2.2.1 Conformance to General Design Criteria

Appendix A of 10 CFR 50, "General Design Criteria for Nuclear Power Plants," established minimum requirements for the principal design criteria for water cooled nuclear power plants. This section describes how the requirements that are applicable to the reactor protective system are satisfied as designated by the appropriate General Design Criteria (GDC).

The quality assurance program for the plant is described in Chapter 17. Compliance with the program assures that the reactor protective system is designed in accordance with recognized codes and standards (GDC 1).

The requirements for protection against natural phenomena are described in Sections 3.10 and 3.11 (GDC 2).

Accident environmental requirements are described in Section 3.11. Missile protection requirements are described in Section 3.5. Where protective action is required under adverse environmental conditions during postulated accidents, the components of the system are designed to function under such conditions (GDC 4).

No reactor protective system components are shared with future or existing reactor facilities (GDC 5).

The reactor protective system, in conjunction with the plant control systems and technical specification requirements, provides sufficient margin to trip setpoints so that, 1) during normal operation protective action will not be initiated, and 2) during abnormal conditions fuel design limits will not be exceeded. Typical margins for each trip parameter are shown in Table 7.2-5 (GDC 10).

The axial power distribution is continually monitored by the reactor protective system power ratio signal calculator. This calculator provides instantaneous indication of core power imbalance to enable the operator to counteract the development of an undesirable condition. Axial flux maldistribution is also an input to the reactor protective system which will cause automatic protective action if it exceeds the safety limits (GDC 12).

Sensor ranges are sufficient to monitor pertinent plant parameters over the expected range of plant operation for normal and transient conditions. Variables that affect plant and fuel design limits are monitored by the reactor protective system. The safety related plant monitoring indication is described in Section 7.5.1.5 (GDC 13).

The high pressurizer pressure trip and high power level trip are provided to help assure the integrity of the reactor coolant system boundary (GDC 15).

The reactor is protected from reaching a condition that could result in exceeding acceptable fuel design limits by the reactor protective system. The protective system is designed to monitor the reactor operating conditions and initiate a fast shutdown if any of the measured parameters exceed the operating limits. The signals which will provide automatic reactor trip are identified in Section 7.2.1.2 (GDC 20).

Functional reliability is ensured by compliance with the requirements of IEEE 279-1971, as described in Section 7.2.2.2. Testing is in compliance with IEEE 338-1971 and Safety Guide 22, as described in Section 7.2.2.3 (GDC 21).

Reactor protective system independence is assured as described in Sections 7.2.1.7 and 7.2.1.8 (GDC 22).

The protection system is designed to fail into a safe state in the event of loss of power supply, disconnection of the system, or module removal, as noted in Section 7.2.2.3 (GDC 23).

The protection system is separated from the control systems. No single failure of any control system component can impair the safety functions performed by the reactor protective system (GDC 24).

The control element drive system contains interlocks or design features that ensure the following actions (GDC 25):

a) The shutdown CEAs are fully withdrawn before withdrawal of the regulating CEAs.
b) The shutdown CEAs are inserted after the regulating CEAs.
c) Simultaneous withdrawal of no more than two groups of CEAs.
d) Proper sequential withdrawal and overlap of regulating CEAs.

A single failure of any of the interlocks or design features alone will not cause safety limits to be violated. The operator is apprised of the malfunction by an alarm and has sufficient time to take corrective action as prescribed by approved administrative procedures. Specifically, the following conditions would have to exist concurrently for each of the actions discussed below to occur:

a) Improper insertion of shutdown CEAs.

1) A failure in the interlock logic circuitry
2) Failure of the operator to follow approved procedures
3) Failure of the operator to observe the alarm provided or failure of the alarm itself.

The interlocks are generated from reed switch networks mounted on each control element drive mechanism. These switches are magnetically actuated by the drive shaft. One interlock prevents withdrawal of the regulating CEAs when one or more of the shutdown CEAs are not fully withdrawn. The administrative procedures and Technical Specifications stipulate that the shutdown CEAs are fully withdrawn before the regulating CEAs can be withdrawn.

Another interlock is generated which prevents insertion of the shutdown CEAs until all regulating CEAs have been inserted. Administrative procedures and Technical Specifications require that all regulating CEAs be fully inserted before the shutdown CEAs can be inserted.

EC291158

b) Simultaneous withdrawal of more than two groups of CEAs or out-of-sequence withdrawal of CEAs.

1) A failure of the sequential permissive contact with a specific operational situation requiring CEA withdrawal.
2) Failure of the CEA motion inhibit interlock upon an out-of-sequence or improper overlap maintenance condition.
3) Failure of the operator to terminate CEA motion in response to out-of-sequence alarms or the failure of these alarms.

The CEA control system contains sequential permissive logic that determines which group or groups of CEAs will be moved in the manual sequential mode. The CEA control system also generates an out-of-sequence condition. An alarm independent of the CEA control system is generated by a separate system that determines CEA position from a reed switch voltage divider network mounted on each control element drive mechanism. This alarm is actuated if a logic network detects an out-of-sequence, more-than-two-group withdrawal of CEAs, or an improper group overlap condition. This same circuit also institutes a CEA motion inhibit interlock on these conditions.

All of the interlocks and design features are testable by moving CEAs and verifying that the proper alarms and prohibits are actuated.

In summary, three lines of defense are utilized to ensure that safety limits are not exceeded. First, the reactor is operated under strict administrative controls which dictate the proper CEA motion. Second, alarms are provided to warn the operator if CEA motion is improper. The third line of defense is the interlocks and design features described above. All three lines of defense must fail to cause safety limits to be violated (GDC 25).

The reactor protective system is designed to assure an extremely high probability of accomplishing the required protective functions under all conditions. A detailed discussion of the requirements which provide this assurance is given in Section 7.2.2.2 (GDC 29).

7.2.2.2 Conformance to IEEE-279

IEEE 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations," establishes minimum requirements for safety related functional performance and reliability of the reactor protective system. This section describes how the requirements as listed in Section 4 of IEEE 279 are satisfied.

7.2.2.2.1 General Functional Requirement

The reactor protection system is designed to limit reactor fuel, fuel cladding and coolant conditions to levels within the plant and fuel design limits. Instrument performance characteristics, response time, and accuracy are selected for compatibility with and adequacy for the particular function. Trip setpoints are established by analysis of the system parameters. Factors such as instrument inaccuracies, bistable trip times, CEA travel times, circuit breaker trip times, and pump starting times are considered in the design of the system.

7.2.2.2.2 Single Failure Criterion

Table 7.2-6 is a failure modes and effects analysis for the reactor protective system. Figure 7.2-22 shows the interface logic diagram of the reactor protective system.

The reactor protection system is designed so that any single failure within the system will not prevent proper protective action at the system level. No single failure will defeat more than one of the four protective channels associated with any one trip function. The wiring in the system is grouped so that no single fault or failure, including either an open or shorted circuit, will negate protective system operation. Signal conductors are protected and routed independently.

The following is an evaluation of the effects of specific single faults in the analog portion of the system:

a) A loss of signal in a measurement channel initiates channel trip action for all trips except high rate of change of power, high pressurizer pressure, and high power.
b) An open circuit in a measurement channel initiates channel trip action for all trips except low steam generator water level and low steam generator pressure.
c) Shorting of the signal leads to each other has the same effect as a loss of signal. Shorting a lead to a voltage has no effect since the signal circuit is ungrounded. The periodic testing includes checks for possible grounds or applications of potential to the signal circuit.
d) Single grounds of the signal circuit have no effect. Periodic checking of the system will assure that the circuit remains ungrounded.

The following is an evaluation of the effects of specific single faults in the logic portion of the system:

a) Inadvertent operation of the relay contacts in the matrices will be identified by indicating lights.
b) Shorting of the pairs of contacts in the matrices will prevent the matrix relay sets from being released. Such shorts are detectable in the testing process by observing that the matrix relays cannot be dropped out. Testing is accomplished by successive opening of the logic matrix contact pairs.
c) Shorting of the matrices to an external voltage has no effect since the matrix is ungrounded. The testing process will indicate accidental application of potential to the matrix. Equipment is provided to detect grounds on the matrices.
d) The logic matrices are each supplied by two power sources. Loss of a single power source has no effect on operation. Loss of power to a logic matrix initiates a trip condition.
e) Failure of any matrix relay contact in series in the trip path and any one contact initiating trip action will cause the action to be completed.
f) The failure of one trip breaker or control circuit has no effect since there are two trip breakers with independent control circuits in series, either of which will provide the necessary action.
g) Single grounds or accidental application of potential in the trip path circuits have no effect since the circuit is ungrounded. Testing and observation of ground detectors will indicate these problems.
h) The CEDM power supply circuits operate ungrounded so that single grounds have no effect. The CEDMs are supplied in two groups by separate pairs of power supplies to further reduce the possibility of a CEA being improperly held. The CEDM load requirements are such that the application of any other local available voltage would not prevent CEA release.

7.2.2.2.3 Quality Control of Component and Modules

The reactor protective system is manufactured under strict engineering and quality control specifications.
The specifications require that the equipment be inspected for workmanship, proper materials and channel separation as required by IEEE-279. Furthermore, all intra- and inter-connection wiring is tested for continuity and an insulation test is performed between each conductor and chassis ground and between each individual pair of connectors. An operational test is performed on the system during which input signals are simulated to ensure that the protective system is capable of producing the proper trip signals. The system is packaged for shipment in accordance with specifications. The quality assurance program is described in Chapter 17.

7.2.2.2.4 Equipment Qualification

The reactor protective system meets the equipment qualification requirements as described in Sections 3.10 and 3.11.

7.2.2.2.5 Channel Integrity

Type testing of components, separation of sensors and channels, and qualification of cabling are utilized to ensure that the channels will maintain the functional capability required under applicable extremes of conditions relating to environment, energy supply, malfunctions, and accidents. Loss of or damage to any one path will not prevent the protective action. Sensors are piped so that blockage or failure of any one connection does not prevent protective system action. The process transducers located in the containment building are specified and rated for the intended service. Components which must operate in the LOCA environment are rated for the LOCA temperature, pressure, and humidity conditions. Results of type tests are used to verify these ratings.

In the control room, the nuclear instrumentation and protective system trip paths are located in four separate compartments (Figure 7.2-19). Mechanical and thermal barriers between these compartments reduce the possibility of common event failure. Outputs from the components in this area to the control boards are isolated so that shorting, grounding, or the application of the highest available local voltage does not cause channel malfunction. Where signals originating in the reactor protective system feed annunciators, isolation is ensured through the use of relay contacts.

7.2.2.2.6 Channel Independence

The locations of the sensors and the points at which the sensing lines are connected to the process loop have been selected to provide physical separation of the channels, thereby precluding a situation in which a single event could remove or negate a protective function.
The routing of cables from protective system transmitters is arranged so that the cables are separated from each other and from power cabling to minimize the likelihood of common event failures. This includes separation at the containment penetration areas.

In the control room, the four nuclear instrumentation and protective system trip channels are located in individual compartments. Mechanical and thermal barriers between these compartments minimize the possibility of common event failure. Outputs from the components in this area to the control boards are isolated so that shorting, grounding, or the application of the highest available local voltages does not cause channel malfunction.

The criteria for separation and physical independence of channels are based on the need for decoupling the effects of accident consequences and energy supply transients and for reducing the likelihood of channel interaction during testing or in the event of a channel malfunction.

7.2.2.2.7 Control and Protection System Interaction

No portion of the reactor trip system is used for both control and protection functions.

7.2.2.2.8 Derivation of System Inputs

Insofar as is practicable, system inputs are derived from signals that are direct measures of the desired parameters. Parameters which are measured directly include neutron flux, temperatures, and pressures. Level information is derived from appropriate differential pressure measurements. Flow information is derived from steam generator differential pressure measurements.

7.2.2.2.9 Capability for Sensor Checks

Reactor protective system sensors are checked by cross-checking between channels. The channels bear a known relationship to each other, and this method ensures the operability of each sensor during reactor operation.

7.2.2.2.10 Capability for Test and Calibration

Testing is described in Section 7.2.1.6 and is in compliance with IEEE 338-1971.

7.2.2.2.11 Channel Bypass or Removal from Operation

Any one of the four protective system channels may be tested, calibrated, or repaired without detrimental effects on the system. Individual trip channels may be bypassed to effect a two-out-of-three logic on remaining channels. The single failure criterion is met during this condition.

7.2.2.2.12 Operating Bypasses

Operating bypasses are provided as shown in Tables 7.2-2 and 7.2-3. The operating bypasses are automatically removed when the permissive conditions are not met. The circuitry and devices which function to remove these inhibits are designed in accordance with IEEE Standard 279-1971.

7.2.2.2.13 Indication of Bypasses

Indication of test or bypass conditions or removal of any channel from service is given by lights and annunciation. Bypasses that are automatically removed at fixed set points are alarmed and indicated.

7.2.2.2.14 Access to Means for Bypassing

A key is required to bypass a protective system channel (Refer to Figure 7.2-21). Only one key is available for bypassing the channels of a given parameter. Therefore, only one of the four channels of any one type trip may be bypassed at any one time. All bypasses are visibly and audibly annunciated.

7.2.2.2.15 Multiple Set Points

Manual set point changes will not be required during normal plant operation. During abnormal operating conditions, administrative control will be used to ensure that set point changes, as specified in the Technical Specification for the particular condition, are performed to maintain plant safety.

7.2.2.2.16 Completion of Protective Action Once it is Initiated

The system is designed to ensure that protective action (reactor trip) will go to completion once initiated. Operator action is required to clear the trip and return to operation.

7.2.2.2.17 Manual Initiation

A manual trip is effected by depressing either of two sets of two pushbuttons. No single failure will prevent a manual trip.

7.2.2.2.18 Access to Set Point Adjustments, Calibration and Test Points

Set point or calibration adjustments are either internal to the protective system or under direct administrative control.

7.2.2.2.19 Identification of Protective Action

Indication lights are provided for all protective actions, including identification of channel trips.

7.2.2.2.20 Information Readout

Means are provided to allow the operator to monitor all trip system inputs, outputs, and calculations. The specific displays that are provided for continuous monitoring are described in Section 7.5.

7.2.2.2.21 System Repair

Identification of a defective channel is accomplished by observation of system status lights or by testing as described in Section 7.2.1.6. Replacement or repair of components is accomplished with the affected channel bypassed. The affected trip function then operates in a two-out-of-three trip logic.

7.2-40 Amendment No. 22 (05/07)
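The bypass rules in Sections 7.2.2.2.11, 7.2.2.2.14 and 7.2.2.2.21 can be checked exhaustively. The Python sketch below is an added illustration, not part of the FSAR or of any plant software; the channel names A to D, the class and function names, and the failure model (one channel stuck untripped, or one channel spuriously tripped) are assumptions.

```python
CHANNELS = ("A", "B", "C", "D")  # assumed names for the four protective channels


class BypassKeyInterlock:
    """One key per trip parameter, so at most one channel is bypassed at a time."""

    def __init__(self):
        self._key_in = {}  # parameter -> channel currently holding the key

    def bypass(self, parameter, channel):
        holder = self._key_in.get(parameter)
        if holder not in (None, channel):
            raise PermissionError(
                f"{parameter}: key already in channel {holder}, cannot bypass {channel}")
        self._key_in[parameter] = channel

    def restore(self, parameter):
        self._key_in.pop(parameter, None)

    def bypassed(self, parameter):
        holder = self._key_in.get(parameter)
        return frozenset() if holder is None else frozenset({holder})


def trip_demanded(bistables, bypassed=frozenset(), votes_needed=2):
    """Coincidence vote: two tripped channels among those not bypassed.

    With no bypass this is two-out-of-four; with one channel bypassed it
    becomes two-out-of-three on the remaining channels.
    """
    active = [ch for ch in CHANNELS if ch not in bypassed]
    return sum(bool(bistables[ch]) for ch in active) >= votes_needed


def single_failure_report(bypassed):
    """Apply every single channel failure and report two properties.

    trips_on_demand:  a real demand still trips the reactor when any one
                      active channel is stuck untripped.
    no_spurious_trip: with no demand, any one active channel failing to
                      the tripped state does not trip the reactor.
    """
    active = [ch for ch in CHANNELS if ch not in bypassed]
    trips_on_demand = all(
        trip_demanded({ch: ch != failed for ch in CHANNELS}, bypassed)
        for failed in active)
    no_spurious_trip = all(
        not trip_demanded({ch: ch == failed for ch in CHANNELS}, bypassed)
        for failed in active)
    return trips_on_demand, no_spurious_trip


if __name__ == "__main__":
    for bypassed in (frozenset(), frozenset("A"), frozenset("AB")):
        print(sorted(bypassed), single_failure_report(bypassed))
    keys = BypassKeyInterlock()
    keys.bypass("High Pressurizer Pressure", "A")
    try:
        keys.bypass("High Pressurizer Pressure", "B")
    except PermissionError as err:
        print("interlock:", err)
```

With two channels of the same parameter bypassed, one stuck channel would leave a single vote and defeat the trip, which is the condition the single key prevents.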

7.2.2.2.22 Identification

All equipment, including panels, modules, indicators, and cables associated with the trip system, are marked in order to facilitate identification. Interconnecting cables are color coded on a channel basis.

7.2.2.3 Conformance to Testing Criteria

IEEE 338-1971, "Trial Use Criteria for the Periodic Testing of Nuclear Power Generating Station Protective Systems," September, 1971, and Safety Guide 22, "Periodic Testing of Protection System Actuation Functions," provide guidance for development of procedures, equipment, and documentation of periodic testing. The basis for the scope and means of testing are described in this section. Test intervals and their bases are included in the Technical Specifications. The organization for testing and for documentation is described in Chapter 13.

Since operation of the reactor protective system will be infrequent, the system is periodically and routinely tested to verify its operability. A complete channel can be individually tested without initiating a reactor trip, without violating the single failure criterion, and without inhibiting the operation of the system. The system can be checked from the input signal through the power supply circuit breakers of the control element drive mechanisms. The reactor protective system functional modules can be tested during reactor operation. The sensors can be checked by comparison with similar channels or channels that involve related information.

Minimum frequencies for checks, calibration, and testing of the reactor protective system instrumentation are given in the Technical Specification. Overlap in the checking and testing is provided to assure that the entire channel is functional. The use of individual trip and ground detection lights, in conjunction with those provided at the supply bus, assures that possible grounds or shorts to another source of voltage can be detected. The testing scheme is presented in detail in Section 7.2.1.6.

The response time from an input signal to the protective system trip bistables through the opening of the trip circuit breakers is verified by measurement during plant startup testing. Sensor responses are measured during factory acceptance tests.

7.2.2.4 Effects of Other Associated Functions

7.2.2.4.1 Plant Instrument Air Systems

The loss of plant instrument air systems has no effect upon the safety channel sensors, reactor protective system or actuated devices.

7.2-41 Amendment No. 25 (04/12)

7.2.2.4.2 Cooling Water to Vital Systems

Loss of cooling water can in no way degrade the safety channel sensors, reactor protective system or actuated devices.

7.2.2.4.3 Plant Load Rejection

As part of the EPU project, the steam dump and bypass system was refurbished to exceed the original system design capacity of 45% rated steam flow. Analysis shows that the system design is capable of mitigating a plant load rejection, initiated from full power, of at least 30% without a reactor trip. A load rejection of greater magnitude will be reflected into the reactor coolant system and, if severe enough, will initiate a reactor protective system response by either a high pressurizer pressure trip (Section 7.2.1.2 f) or a low thermal margin trip (Section 7.2.1.2 g) to prevent the occurrence of an unacceptable approach to the DNB limit.

7.2.2.4.4 Turbine Trip

A reactor trip on turbine trip (Section 7.2.1.2 h) has been provided as an equipment protective feature and is not required for reactor protection. However, this trip will mitigate the consequences of a turbine trip by anticipating the effects which, were it not for this trip, would result in a high pressurizer pressure trip for reactor protection.

7.2.2.5 Protection System Setpoint Methodology and Determination of Surveillance Procedure Acceptance Criteria

The RPS low SG level trip setpoint was changed for the extended power uprate (EPU). In accordance with references 1 & 2, this section was added to document the methodology used to determine the trip setpoint, the as-found acceptance criteria band, and the as-left acceptance criteria.

A combination of three documents is used to initially establish, and subsequently maintain compliance with, each TS setpoint value. These three documents are the instrument channel uncertainty calculation, the safety analysis plant parameters document, and the instrument channel setpoint calculation.

An instrument uncertainty calculation exists for each safety system input parameter. These calculations determine the various elements of uncertainty applicable to each component within that instrument channel from the sensor/transmitter up to the protection system cabinet input. These loop uncertainty calculations have been prepared in accordance with FPL discipline standard IC-3.17, Instrument Setpoint Methodology. IC-3.17 is in turn based on ISA Standard 67.04, Setpoints for Nuclear Safety Related Instrumentation, and Regulatory Guide (RG) 1.105, Instrument Setpoints for Safety Related Systems. Elements of uncertainty for individual components, such as setting tolerance, measuring & test equipment (M&TE) and drift are specifically based on associated surveillance procedure requirements and test frequencies. Environmental effects for both normal and harsh conditions are determined for each loop component as applicable.

The safety analysis plant parameters (SAPP) document serves as a bridge between the instrument channel setpoint calculations and the safety analysis. The bounding uncertainty allowance applicable to each protection system function is documented and managed in the SAPP. Where applicable, the SAPP includes individual bounding uncertainty allowances for both normal and harsh conditions. The rationale for managing the trip function uncertainty allowances in the SAPP is as follows:

  • All inputs used for the safety analysis are managed in the SAPP. This organization facilitates the safety analysis work required for each reload.
  • Including bounding trip function uncertainty allowances in one common document promotes consistent use of analytical limit values throughout the safety analysis, which facilitates effective margin management.

7.2-42 Amendment No. 26 (11/13)

  • Including bounding trip function uncertainty allowances in the SAPP eliminates the need for documenting the analytical limits in the setpoint calculations. Therefore the purpose of the setpoint calculations is to verify that the trip function uncertainty allowances in the SAPP are bounding with respect to the calculated total channel uncertainty.

A second calculation exists for each safety system input parameter. Each of these calculations combines the loop component uncertainties with the protection system cabinet uncertainties to determine an overall total loop uncertainty (TLU). These setpoint calculations also verify that the uncertainty allowances defined in the SAPP are bounding. Further, these setpoint calculations determine operability limits (OL) for the related actuation functions. These calculations have been prepared in accordance with IC-3.17, ISA Standard 67.04, and RG 1.105.

NRC guidance provided in RIS 2006-17 stipulates that as-left setting tolerance should be explicitly accounted for in the setpoint determination. Since the walk-away equipment setpoint may be left anywhere within the as-left band, this allowed setting tolerance must be treated as a bias in the setpoint determination. RIS 2006-17 further stipulates that the surveillance procedures must ensure that the trip setpoint is restored to within the as-left band before the channel is returned to service. To address this NRC guidance, the setpoint calculations are structured to ensure that TLU plus setting tolerance (ST) is less than or equal to the SAPP allowance (TLU + ST ≤ SAPP uncertainty allowance). The ST is also included as a random / independent term in the root-sum-square TLU calculation. Protection system surveillance procedures require that trip setpoints are restored to within the as-left band before the channel is returned to service.

Additional NRC guidance provided in RIS 2006-17 stipulates use of an as-found acceptance criteria band centered about the nominal equipment setpoint as a measure of instrument channel operability. To address this NRC guidance, the setpoint calculations are structured to include determination of an operability limit (OL) band. The OL band is synonymous with the as-found acceptance criteria band. The OL band is based on 2 times the ST and is normally centered about the nominal equipment setting. For trip functions where the ST is non-symmetrical about the nominal trip setpoint, the OL band is structured to provide equal tolerance above and below the ST limits.

NRC guidance also required the addition of two notes to TS Table 4.3-1 pertaining to the monthly functional surveillance requirement for the Low Steam Generator Level function. For the Low SG Level function, Note #6 of TS Table 4.3-1 requires that if the as-found setpoint is outside of the as-found tolerance band, then the channel must be declared inoperable and must be evaluated under the corrective action program (CAP). The CAP evaluation must conclude that the channel is functioning as required before returning the channel to service. For the Low SG Level function, Note #7 of TS Table 4.3-1 requires that this trip setpoint be reset to a value within the as-left band before the channel is returned to OPERABLE status. In addition, Note 7 required specificity of the Field Trip Setpoint along with the as-found acceptance criteria band and the as-left acceptance criteria. Those values are:

Field Trip Setpoint: 35.5% (-2.420 VDC)
Trip Setpoint As-Found Band: 35.0 to 36.0% (-2.400 to -2.440 VDC)
Trip Setpoint As-Left Band: 35.25 to 35.75% (-2.410 to -2.430 VDC)
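The acceptance logic of Section 7.2.2.5 can be worked through with the Low SG Level values quoted above. The Python sketch below is an added illustration, not FPL's calculation or procedure; the linear volts-to-percent scaling is inferred from the paired values on this page, the treatment of bias terms is an assumption, and the uncertainty terms and surveillance readings are constructed.

```python
import math
from dataclasses import dataclass

# Low SG Level values quoted in Section 7.2.2.5 (percent level).
FIELD_TRIP_SETPOINT = 35.5
AS_LEFT_BAND = (35.25, 35.75)
AS_FOUND_BAND = (35.0, 36.0)
EPS = 1e-9  # float slack so band edges count as inside


def volts_to_percent(vdc):
    """Convert a bistable setpoint voltage to percent level.

    Assumption: linear scaling fitted to the page's paired values
    (-2.400 VDC = 35.0 %, -2.440 VDC = 36.0 %), i.e. 0.04 V per percent.
    """
    return (-1.0 - vdc) / 0.04


def operability_band(nominal, as_left):
    """OL (as-found) band: 2 x ST centred on the nominal setting."""
    st_low, st_high = nominal - as_left[0], as_left[1] - nominal
    if abs(st_low - st_high) > EPS:
        raise ValueError("non-symmetric ST needs the calculation's own OL limits")
    return nominal - 2 * st_low, nominal + 2 * st_high


def total_loop_uncertainty(random_terms, st, biases=()):
    """RSS of independent terms, with ST included as a random term.

    Assumption: bias terms add outside the root; the page does not
    spell out how biases are combined.
    """
    rss = math.sqrt(sum(u * u for u in random_terms) + st * st)
    return rss + sum(abs(b) for b in biases)


def allowance_is_bounding(random_terms, st, sapp_allowance, biases=()):
    """Check TLU + ST <= SAPP uncertainty allowance; returns (ok, TLU)."""
    tlu = total_loop_uncertainty(random_terms, st, biases)
    return tlu + st <= sapp_allowance + EPS, tlu


def _inside(value, band):
    return band[0] - EPS <= value <= band[1] + EPS


@dataclass
class SurveillanceResult:
    as_found_ok: bool
    as_left_ok: bool
    may_return_to_service: bool
    actions: list


def evaluate_surveillance(as_found, as_left, cap_concluded_functional=False):
    """Apply Notes 6 and 7 of TS Table 4.3-1 as described on this page."""
    actions = []
    as_found_ok = _inside(as_found, AS_FOUND_BAND)
    if not as_found_ok:
        actions.append("declare channel inoperable; evaluate under CAP (Note 6)")
    as_left_ok = _inside(as_left, AS_LEFT_BAND)
    if not as_left_ok:
        actions.append("reset trip setpoint to within as-left band (Note 7)")
    released = as_left_ok and (as_found_ok or cap_concluded_functional)
    return SurveillanceResult(as_found_ok, as_left_ok, released, actions)


if __name__ == "__main__":
    # Constructed surveillance readings (as-found VDC, as-left VDC), not plant data.
    for found_v, left_v in [(-2.425, -2.425), (-2.436, -2.421), (-2.452, -2.420)]:
        print(found_v, left_v,
              evaluate_surveillance(volts_to_percent(found_v), volts_to_percent(left_v)))
    # Constructed uncertainty terms, percent of span.
    print(allowance_is_bounding([0.5, 0.3, 0.2], st=0.25, sapp_allowance=1.5, biases=[0.1]))
```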

References:

1. NRC Regulatory Issue Summary (RIS) 2006-17, NRC Staff Position on the Requirements of 10 CFR 50.36, Technical Specifications, Regarding Limiting Safety System Settings During Periodic Testing and Calibration of Instrument Channels
2. TSTF-493, Clarify Application of Setpoint Methodology for LSSS Functions
3. FPL Letter L-2011-341, Response to NRC Instrumentation & Controls Branch Request for Additional Information Regarding Extended Power Uprate License Amendment Request, Dated August 25, 2011

7.2-42a Amendment No. 26 (11/13)

TABLE 7.2-1 MONITORED PLANT VARIABLE INSTRUMENTATION RANGES RESPONSE TIMES

| MONITORED VARIABLE | MINIMUM(1) | FULL POWER NOMINAL | MAXIMUM(1) | SENSOR CHANNEL ACCURACY(1) | RESPONSE TIME(2) |
|---|---|---|---|---|---|
| Neutron Flux Power, percent of full power | | 100 | | | <1 msec (3); 4.0 sec (4) |
| Cold Leg Temperature, F | | 551 | | | 2.5 sec (5) |
| Hot Leg Temperature, F | | 601 | | | 2.5 sec (5) |
| Pressurizer Pressure, psig | | 2235 | | | 32 msec |
| Steam Generator ΔP, psi | | 25** (meas) | | | 800 msec |
| Steam Generator Water Level, % | | 64.7 | | | 25 msec |
| Steam Generator Pressure, psig | | 878** (drum) | | | 32 msec |
| Containment Pressure, psig | | 0 | | | 0.5 sec |
| Axial Shape Index | | 0 | | | 1 msec |

Notes:

1. Instrument ranges are selected in accordance with standard engineering practices. Instrument accuracies are selected such that existing instrument loop performance and safety analysis assumptions remain valid. Where applicable, instrument accuracies are also evaluated for their impact on setpoints in accordance with the FPL Setpoint Methodology.
2. Response time defined in terms of reaching 63% of final value for a step change input.
3. Linear power channel response
4. Logarithmic power channel response at 10^-8% power: 4.0 sec. Logarithmic power channel response at 1% power: 2 msec
5. Correlated to 40 feet per second flow rate

** Replacement Steam Generators with 0% Plugging

7.2-43 Amendment No. 26 (11/13)

TABLE 7.2-2 REACTOR PROTECTIVE INSTRUMENTATION TRIP SETPOINT LIMITS (See Tech. Spec. Table 2.2-1) 7.2-44 Amendment No. 18, (04/01)

DELETED 7.2-45 Amendment No. 18, (04/01)

TABLE 7.2-3 REACTOR PROTECTIVE SYSTEM BYPASSES

| TITLE | FUNCTION | INITIATED BY | REMOVED BY | NOTES |
|---|---|---|---|---|
| Zero Power Mode | Disables low pressurizer pressure and low flow trips; removes ΔT power component from computation of | Key Operated Switch (1 per channel) | Automatic if power is > one % | Temperature channel range limit would cause incorrect ΔT power signals & false trips during low power testing. |
| Low SG Pressure Bypass | Disables low steam generator trip | Key Operated Switch (1 per channel) if SG pressure is below 685 psig | Automatic whenever SG pressure is above 685 psig | |
| Turbine Trip Bypass | Disables turbine trip | Automatic if power is <15% | Automatic if power is >15% | Trip is equipment protective only |
| Trip Channel Bypass | Disables any given trip channel | Manually by controlled access switch | Same switch | Interlocks allow only one channel for any one type trip to be bypassed at one time |

7.2-46 Am. 8-7/89

TABLE 7.2-4 REACTOR PROTECTIVE SYSTEM SENSORS

| MONITORED VARIABLE | TYPE | NUMBER OF SENSORS | LOCATION |
|---|---|---|---|
| Neutron Flux Power | Fission Chamber | multiple | Reactor Vessel Cavity |
| | Ion Chamber | 4 | |
| Cold Leg Temperature | Precision RTD | 8 | Cold Leg Piping |
| Hot Leg Temperature | Precision RTD | 8 | Hot Leg Piping |
| Pressurizer Pressure | Pressure Transducer | 4 | Pressurizer |
| Steam Generator Delta P | Differential Pressure Transducer | 4 per steam generator | Between Hot Leg and Steam Generator Outlet Plenum |
| Steam Generator Water Level | Differential Pressure | 4 per steam generator | Steam Generator |
| Steam Generator Pressure | Pressure Transducer | 4 per steam generator | Steam Generators |
| Containment Pressure | Differential Pressure Transducer | 4 | Containment, Outside Secondary Shield Wall |

7.2-47 Amendment 15, (1/97)

TABLE 7.2-5 REACTOR PROTECTIVE SYSTEM DESIGN MARGINS

| TRIP | FULL POWER NOMINAL VALUE | NOMINAL TRIP SETPOINT | MARGIN TO TRIP |
|---|---|---|---|
| High Linear Power Level, percent | 100 | 107.0 | 7.0 |
| Reactor Coolant Flow, percent | 100 | 95 | 5 |
| High Pressurizer Pressure, psig | 2235 | 2385 | 150 |
| Low Pressurizer Pressure (Variable), psig | 2235 | 1872 | 363 |
| Low Steam Generator Water Level, percent | 64 | 35 | 29 |
| Low Steam Generator Pressure,* psig | 878 | 585 | 293 |
| Containment Pressure, psig | 0 | 3.3 | 3.3 |

* Cycle 15 with Replacement Steam Generators - 0% Plugging

7.2-48 Amendment No. 26 (11/13)

[Figure 7.2-2 block labels, in order: inputs from NSSS, measurement channels, trip units, logic matrices, logic matrix relays, trip paths, trip circuit breaker control relays, manual trip, CEDM power supplies, control element drive mechanisms.]

Refer to Drawing 8770-1287 FLORIDA POWER & LIGHT CO. St. Lucie Plant Unit 1 REACTOR PROTECTIVE SYSTEM FUNCTIONAL DIAGRAM FIGURE 7.2-2 Amendment No. 26 (11/13)

[Figure, caption not legible. Legible labels: pressurizer pressure transmitter, precision resistor, high pressure bistable trip unit, test inputs, bypass key switch, manual bypass key switch, trip alarm, pre-trip alarm, variable TM-pressure setpoint signal, outputs to sequence of events recorder and to 2/4 logic matrices of Reactor Protective System.]

REFER TO DRAWING 8700-B-327, SHEETS 60, 61, 62 & 63 Amendment No. 16, (1/98) FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL WIRING DIAGRAMS OUT-OF-CORE NEUTRON DETECTORS Figure 7.2-4

THIS FIGURE HAS BEEN DELETED Amendment No. 24 (06/10) FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 NEUTRON FLUX MONITORING SYS-POWER RANGE-CHANNELS FIGURE 7.2-5

Refer to drawing 8770-1295 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 NUCLEAR INST & REACTOR PROTECTIVE SYSTEM CABINET FIGURE 7.2-6 Amendment No. 15 (1/97)

Refer to drawing 8770-1288 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 NUCLEAR INST & REAC PROT SYS CAB ASSY FR PNL LAY FIGURE 7.2-7 Amendment No. 15 (1/97)

Refer to drawing 8770-5314 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 BISTABLE TRIP UNIT SCHEMATIC FIGURE 7.2-8 Amendment No. 22 (05/07)

[Figure, caption not legible. Plot against time of Q (larger of nuclear or thermal power), with labels: maximum trip limit, QTR, trip margin, manual reset.]

[Figure, caption not legible. Legible labels: flux sensor, flow sensors, signal processor, variable setpoints, setpoint selector, setpoint reduction, trip and pre-trip outputs. Channel A shown; channels B, C, D similar.]

NOTE: At power operation with less than four (4) Reactor Coolant Pumps is not allowed by plant Technical Specifications, and the Flow Dependent Setpoint Selector Switch has been hardwired in the 4-Pump position.

FLORIDA POWER & LIGHT CO. St. Lucie Plant Unit 1 STEAM GENERATOR PROTECTIVE CHANNEL BLOCK DIAGRAM Figure 7.2-11
[Figure 7.2-12 labels: +15 V dc TU 5 power supply, auto test, manual test, bypass switch (latch / unlatch), press SG-1, press SG-2, bistable device open for SG pressure > allowed setpoint, trip unit 5 in aux. logic drawer (low press, SG).]

FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 SCHEMATIC LOW STEAM GENERATOR PRESSURE TRIP BYPASS FIGURE 7.2-12
[Figure, caption not legible. Legible labels: primary pressure, thermal power calculation, nuclear power, power select (max), low pressure trip limit, PTRIP, gain adjust, upper detector (U), lower detector (L), axial offset, high power trip, high power trip setpoint, manual reset (REF: Fig 7.2-10).]

[Figure, caption not legible. Legible content: Flow Dependent Setpoint Selector Switch in RPSCIP, positions 1. 4 pumps, 2. 3 pumps, 3. 2 pumps opposite loops, 4. 2 pumps loop 1, 5. 2 pumps loop 2; axial offset function, CEA function, ASGT trip, alarm, pre-trip and trip outputs.

PVAR = α QDNB + β TCAL + γ, where TCAL = TC + Kc B
PTRIP = MAX (PVAR, PMIN, ASGT TRIP)
PPRETRIP = MAX (PVAR, PMIN, ASGT TRIP)]

At power operation with less than four (4) Reactor Coolant Pumps is not allowed by plant Technical Specifications, and the Flow Dependent Setpoint Selector Switch has been hardwired in the 4-Pump position.

FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 ΔT POWER CALCULATION FIGURE 7.2-15 Amendment No. 19 (10/02)

[FIGURE 7.2-16: LOCAL POWER DENSITY TRIP. Florida Power & Light Company, St. Lucie Plant Unit 1. Diagram not reproduced.]
[Figure between Figures 7.2-16 and 7.2-18; caption not recoverable. Legible block labels: CHANNEL A SIGNAL; CHANNEL B SIGNAL; TRIP UNIT; SETPOINT; AB MATRIX; MATRIX RELAY; MATRIX RELAY POWER SUPPLY; MATRIX RELAY HOLD (DOUBLE COIL); RPS TEST POWER SUPPLY; 120 Vac; BUS TIE; MG-1; MG-2; POWER SUPPLY.]
[Figure 7.2-18: SCHEMATIC TRIP TEST SYSTEM. Florida Power & Light Co., St. Lucie Plant Unit 1. Legible labels: DVM; OTHER POSITIONS NOT RELATED; TESTER; TO TESTER; TRIP; PRETRIP; TRIP UNIT SET POINTS; +15; +8.4. Diagram not reproduced.]

[Figure 7.2-19: TRIP PATH CHANNEL INDEPENDENCE SCHEMATIC DIAGRAM. Florida Power & Light Co., St. Lucie Plant Unit 1. Legible panel labels: TRIP PATH NO 1; TRIP PATH NO 2; TRIP PATH NO 3; TRIP PATH NO 4. Diagram not reproduced.]

[Figure 7.2-20: TYPICAL PROTECTIVE CHANNEL INPUT INDEPENDENCE FUNCTIONAL DIAGRAM. Florida Power & Light Co., St. Lucie Plant Unit 1. Amendment No. 19 (10/02). Diagram not reproduced.]

Note: At power operation with less than four (4) Reactor Coolant Pumps is not allowed by plant Technical Specifications, and the Flow Dependent Setpoint Selector Switch has been hardwired in the 4-Pump position.
                                                                                                                                                                                                                                                                                                                                                   ,. _,~
FLORIDA POWER & LIGHT CO. St. Lucie Plant Unit 1 TYPICAL MATRIX LADDER WITH TRIP UNIT BYPASS AND MATRIX RELAY TEST CIRCUIT SCHEMATIC DIAGRAM Figure 7.2-21

EC291158

  • The Turbine Runback feature has been deleted. This item is maintained for historical purposes.

  • All capability for automatic operation has been eliminated from the CEA Control System. The RPS AWP function is no longer utilized.

FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 REACTOR PROTECTIVE SYSTEM INTERFACE LOGIC DIAGRAM FIGURE 7.2-22 Amendment No. 30 (05/20)

7.3 ENGINEERED SAFETY FEATURES SYSTEMS

7.3.1 DESCRIPTION

The engineered safety features (ESF) are described in three functional subdivisions in this chapter. Section 7.3.1.1 describes the protective action provided by the engineered safety features actuation system (ESFAS). The actuation signal includes all equipment from the initiating sensor through the contact of the output relays. Section 7.3.1.2 describes the instrumentation and control of the engineered safety features that are not part of the actuation signal. The instrumentation and control of supporting systems to the engineered safety features are discussed in Section 7.3.1.3. The system flow and control diagrams for the ESF are found in Figures 6.2-28, 6.3-1, 6.3-2, 9.4-1, 9.4-2, 9.4-3, and 10.1-2.

7.3.1.1 Engineered Safety Features Actuation Systems

The engineered safety features actuation system (ESFAS) consists of devices and circuitry needed to actuate the following signals:

a) Safety Injection Actuation Signal (SIAS)
b) Recirculation Actuation Signal (RAS)
c) Containment Spray Actuation Signal (CSAS)
d) Containment Isolation Signal (CIS)
e) Main Steam Isolation Signal (MSIS)
f) Auxiliary Feedwater Actuation Signal-1 (AFAS-1)
g) Auxiliary Feedwater Actuation Signal-2 (AFAS-2)

The circuitry includes:

a) Initiating signal devices
b) Four measurement channels (MA, MB, MC, MD)
c) Trip bistables for converting analog to digital signal
d) 2-out-of-4 matrices and actuation modules
e) Output relays
f) Auto test circuitry
g) Manual test circuitry
h) Four measurement channel cabinets (MA, MB, MC, MD)
i) Two logic cabinets (SA, SB for SIAS, RAS, CSAS, CIS and MSIS)
j) A separate cabinet for AFAS-1, AFAS-2 containing items c, d, e, g and h

Solid state circuitry is used throughout the system.

7.3.1.1.1 Initiating Circuits

The ESFAS are initiated by the following parameters:

a) Pressurizer pressure
b) Containment pressure

7.3-1 Amendment 23 (11/08)

c) Containment radiation
d) Refueling water tank level
e) Steam generator pressure
f) Steam generator level

7.3.1.1.2 Logic and Bypasses

The following discussion applies to all ESFAS functions except AFAS, which is described in Subsection 7.3.1.1.13.

Each of the engineered safety features actuation systems consists of four measurement channels (designated MA, MB, MC, and MD) for each input parameter, two logic matrix systems (SA and SB) and two actuation channels (A and B). Each measurement channel consists of a sensor, power supply and bistable unit arranged in a current flow loop circuit as shown on Fig. 7.3-1. The bistable unit provides a digital signal to logic matrices where signals from all four measurement channels for that parameter are combined in a two-out-of-four logic network. Isolation devices are provided to maintain separation between the measurement channels and the logic matrices. Logic matrices (SA or SB) provide initiation signals to their associated actuation channels (A or B) when the logic for the particular signal is satisfied.

The logic, design and bypasses of each of the ESFAS signals are discussed in Sections 7.3.1.1.8 through 7.3.1.1.13.

7.3.1.1.3 Interlocks

To prevent accidental manual actuation of the engineered safety features, manual actuation switches are interlocked with "think" pushbuttons. The operator must turn the actuating switch while simultaneously pressing the "think" pushbutton and manually initiating the ESFAS safety channel. The "think" pushbuttons are located on the control board above the manual initiation switches.

All ESF equipment starts automatically on an ESFAS if the component had been stopped by local push button before the ESF signal was present. However, if the equipment was previously running or had already been started by an ESFAS, the component will not restart after release of the local "stop" pushbutton. They would restart if the local "start" button were pushed.

Although no interlock is provided on ESF equipment started by an ESFAS, the plant alarms would alert plant personnel that an accident signal had been generated. Annunciation is present in the control room to indicate the equipment started by an ESFAS was stopped locally. Equipment can be manually restarted from the control room.

7.3.1.1.4 Sequencing

Each ESFAS signal simultaneously actuates all components listed in Tables 7.3-2, 3, 4 and 5 and Table 7.4-2, unless otherwise noted in the tables. However, to prevent emergency diesel generator overloading in the event of loss of off-site power, individual time relays are provided either in the emergency switchgear, or in the motor control centers to delay starting of the equipment in accordance with the emergency diesel generator loading (see Table 8.3-2).

7.3-2 Amendment No. 21 (12/05)

7.3.1.1.5 Redundancy

Redundant features of the ESFAS include:

a) four independent channels (MA, MB, MC and MD), from process sensor through and including trip bistables.

b) four measurement channel cabinets (MA, MB, MC and MD), each cabinet containing the associated measurement channel power supplies, and bistable trip units for each of the parameters used for ESFAS actuation. The AFAS-1 and AFAS-2 functions (from bistable trip to output relays) are contained in a separate compartmentalized cabinet, the measurement channel power supplies are located elsewhere.

c) two engineered safety feature actuation channel cabinets (SA and SB) containing logic matrices, actuation modules and output relays for each channel. The AFAS-1 and AFAS-2 functions (from bistable trip to output relays) are contained in a separate compartmentalized cabinet, the measurement channel power supplies are located elsewhere.

d) the manual instrument switches and pushbuttons for each ESFAS channel.

e) a separate instrument bus providing ac power for each measurement and logic channel.

The result of the redundant features is an ESFAS which meets the single failure criterion, can be tested during reactor operation, and can be shifted to two-out-of-three logic for maintenance.

7.3.1.1.6 Diversity

The system is designed to eliminate credible multiple channel failures originating from a common cause. The failure modes of redundant channels and the conditions of operation that are common to them are analyzed to assure that a predictable common failure mode does not exist. The design provides reasonable assurance that:

a) the monitored variables provide adequate information during design basis events.

b) the equipment can perform as required.

c) the interactions of protective actions, control actions and the environmental changes that cause, or are caused by, the design basis events do not prevent the mitigation of the consequences of the event.

d) the system will not be made inoperable by the inadvertent actions of operating and maintenance personnel.

The system incorporates functional diversity to accommodate the unlikely event of a common mode failure concurrent with any of the trip conditions listed in the following sections.

7.3-3 Amendment 15, (1/97)

7.3.1.1.7 Actuated Devices

The ESFAS actuates the components listed in Tables 7.3-2, 3, 4, 5 and 7.4-2 through devices such as relays, switchgear and motor control centers.

7.3.1.1.8 Safety Injection Actuation Signal (SIAS)

The safety injection actuation signal (SIAS) logic is shown in Figure 7.3-4. There are four independent pressurizer transmitters (PT-1102A, B, C, D) and four independent containment pressure transmitters (PT-07-2A, B, C, D) to provide signal inputs. Safety injection is initiated either by two-out-of-four low-low pressurizer pressure signals (1585 psig) or two-out-of-four high containment pressure signals (5 psig). Safety injection is actuated by two independent systems of diverse principle (low-low pressurizer and high containment pressure). Manual actuation may be initiated from a single combination control switch and pushbutton for each actuation channel or by individual pump and valve control switches located in the control room. A list of components actuated by SIAS is given in Table 7.3-2. In addition, a SIAS initiates a Containment Isolation Signal (CIS).

Electrical schematic diagrams for the safety injection pumps and flow control valves are shown on Figures 7.3-5 through 7.3-10.

Pursuant to an NRC request in IE Bulletin 80-06 (See Reference 1 for response) concerning ESFAS reset controls, a study of whether each component actuated by ESFAS remains in emergency mode upon ESFAS reset was performed. The results are reproduced on Tables 7.3-2, -4, -5 and -6.

The control switches for the equipment are located on the main control panel in the control room. Automatic actuation of the equipment is initiated by relays controlled by the safety injection logic system.

A safety injection block is provided to permit shutdown depressurization of the reactor coolant system without initiating safety injection. Block is accomplished manually. This process will be under strict administrative control with block and block permissive annunciated and indicated in the control room. It will not be possible to block above a preset pressure; and if the system is blocked and pressure rises above this point, the block is automatically removed. The block circuit is designed to comply with the single failure criterion in IEEE 279.

The control circuit design for the safety injection tank motor operated valves (V3614, 3624, 3634, 3644 shown on Figures 6.3-2 and 7.3-10A) is in accordance with the intent of IEEE 279 and incorporates the following features:

a) The valves open automatically when reactor coolant pressure exceeds 350 psia. This interlock can be bypassed in order to measure SIT Check Valve leakage. However, per the technical specifications they are required to be operable only when pressurizer pressure 1750 psia.

7.3-4 Amendment No. 25 (04/12)

The length of time a SIT may be isolated is defined in the Technical Specifications.

7.3-5 Amendment 15, (1/97)

b) The valves receive safety injection actuation signals to open if not in the fully open position. The SIAS signal can not be blocked irrespective of control switch position.

c) Control room visual indication of valve position.

d) An audible alarm, independent of the visual indication circuitry, functions when a valve is not in the fully open position.

A complete list of components actuated by SIAS is given in Table 7.3-2.

7.3.1.1.9 Recirculation Actuation Signal (RAS)

The coincidence of two low water level signals from any of four independent level sensing devices (LT-07-2A, 2B, 2C, 2D) on the refueling water tank initiates the recirculation actuation signal (RAS). The refueling water tank level switch (LIS-07-3) provides sufficient diverse information to enable manual initiation of RAS. The RAS logic is shown on Figure 7.3-11.

RAS automatically transfers the suction of the safety injection and containment spray pumps to the containment sump by opening the two sump outlet valves, closing the refueling water tank outlet valves, and closing the pump miniflow recirculation valves to the refueling water tank. Concurrent with transfer of pump suction from the refueling water tank to the containment sump, the low pressure safety injection (LPSI) pumps are automatically stopped on RAS.

7.3-6 Amendment No. 25 (04/12)

The RAS measurement channels and logics are designed to "energize to actuate" due to the special requirements of the actuated components. The refueling water tank valves (I-MV-07-1A, 1B) and containment sump suction valves (I-MV-07-2A, 2B) are required to change position to accomplish transfer to the recirculation mode of post-accident cooling. It is essential that the refueling water tank valves remain open, the sump valves remain closed, and the safety injection pumps continue operating during the injection phase to ensure that the required quantity of refueling water is injected into the containment sump prior to recirculation. By designing the RAS as "energize to actuate," a loss of power on one 125v dc bus will not cause spurious RAS initiation which could possibly interrupt cooling to the core and containment before adequate water is available in the sump for recirculation.

Valve circuitry permits closing any containment sump suction line or RWT outlet line after an RAS from either the control room or from a local control station. Control room annunciation is provided to alarm: failure of the sump suction valve to open or of the RWT outlet valve to close after an RAS; valve overload; power failure; opening of a sump valve or closure of a RWT outlet valve without receipt of an RAS; or, closure of any header after an RAS. Section 6.2.2.2.1 discusses the sequencing between the RWT valves and the containment sump valves which is provided to ensure sufficient NPSH to the safety injection pumps.

As the system is designed, in the event of loss of power on one 125v dc bus, the RAS logic and actuation channel which is not associated with the faulted dc bus is initiated at the proper time by the two measurement channels served by the unaffected bus. No single failure can prevent initiation of both RAS channels.
Based on the following considerations, Technical Specification action statements pertaining to one inoperable RAS (RWT level) measurement channel were revised (via Technical Specification Amendment #188 and Engineering Evaluation PSL-ENG-SENS-00-024) to restrict the amount of time an inoperable channel could remain in either trip or bypass. With one inoperable channel in bypass, RAS actuation could be precluded by a single failure (i.e., failure of a DC Bus that results in loss of both associated 120 VAC measurement channel busses) due to the energize to actuate RAS design. The second consideration is that with one inoperable channel in trip, premature RAS actuation could occur due to single failure of another channel.

The sequencing between the refueling water tank valves (I-MV-07-1A, 1B) and the containment sump valves (I-MV-07-2A, 2B) is provided to ensure sufficient NPSH to the safety injection pumps during transfer from refueling tank water supply to containment sump. The containment sump valves (I-MV-07-2A, 2B) have motor operators that open the valves in 40 seconds and the refueling water tank outlet valves (I-MV-07-1A, 1B) have motor operators that close the valves in 90 seconds.

Each RAS actuation channel can also be initiated manually from the control room.

A list of components actuated on RAS is given in Table 7.3-3.

7.3.1.1.10 Containment Spray Actuation Signal (CSAS)

The containment spray actuation signal (CSAS) is initiated by a coincidence of containment high-high pressure (10 psig) and SIAS. The CSAS logic is shown in Figure 7.3-11. Containment atmosphere pressure is monitored by four independent measurement channels. Measurement channel signals are combined in two-out-of-four logic matrices. The output signals from logic matrices (A or B) are combined with the corresponding signal from the two SIAS actuation channels (A or B) to provide two independent actuation channels for CSAS.

Each CSAS channel (A or B) initiates operation of the associated spray pump (A or B) and the associated valving (see Figure 6.2-28). Each spray system isolation valve (FCV-07-1A and 1B) is opened by its associated CSAS actuation channel (A or B).

7.3-7 Amendment No. 25 (04/12)

The electrical schematic diagrams for the containment spray pumps are shown on Figure 7.3-12 and 7.3-13.

The CSAS containment pressure measurement channels and CSAS logics are designed as "energize to actuate" to prevent spurious spray system operation on loss of power to one 125v dc bus. The 125v dc system is designed such that no single failure will result in loss of power to both buses (see Section 8.3.2.2). In the event of loss of power to one bus, CSAS is initiated when required by the two measurement channels associated with the unaffected bus. Thus, no single failure can prevent proper CSAS actuation when required.

Based on the following consideration, Technical Specification action statements pertaining to one inoperable CSAS (containment pressure) measurement channel were revised (via Technical Specification Amendment #188 and Engineering Evaluation PSL-ENG-SENS-00-024) to restrict the amount of time an inoperable channel could remain in bypass. With one inoperable channel in bypass, CSAS actuation could be precluded by a single failure (i.e., failure of a DC Bus that results in loss of both associated 120 VAC measurement channel busses) due to the energize to actuate CSAS design.

Each CSAS actuation channel can also be initiated manually from the control room.

The diverse containment heat removal function is also performed by the containment cooling system which is actuated by SIAS.

A list of devices actuated by CSAS is given in Table 7.3-4.

7.3-8 Amendment 20 (4/04)
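The single-failure reasoning in the RAS and CSAS bypass and trip passages above, worked as an added example that is not part of the FSAR or of the licensee's analysis: a small Python model of the two-out-of-four coincidence. The assignment of channels MA/MC to dc bus A and MB/MD to dc bus B, the treatment of a bypassed channel as never voting, and all function names are assumptions made for illustration.

```python
from enum import Enum


class State(Enum):
    OPERABLE = "operable"
    BYPASSED = "bypassed"  # inoperable channel removed from the vote
    TRIPPED = "tripped"    # inoperable channel forced to vote for actuation


CHANNELS = ("MA", "MB", "MC", "MD")
# ASSUMPTION (not stated on the page): which measurement channels are lost
# when each 125 V dc bus fails.
BUS_FEEDS = {"A": ("MA", "MC"), "B": ("MB", "MD")}
ALL_OPERABLE = {ch: State.OPERABLE for ch in CHANNELS}


def with_state(channel, state):
    """Return a configuration with one inoperable channel in the given state."""
    cfg = dict(ALL_OPERABLE)
    cfg[channel] = state
    return cfg


def vote(state, powered, sensed_trip, energize_to_actuate=True):
    """Does one measurement channel present a trip vote to the logic matrix?"""
    if state is State.BYPASSED:
        return False
    if not powered:
        # Energize to actuate: a dead channel cannot vote.
        # De-energize to actuate: loss of power is itself a vote.
        return not energize_to_actuate
    return state is State.TRIPPED or sensed_trip


def actuates(cfg, demand, lost_bus=None, spurious=None, energize_to_actuate=True):
    """Two-out-of-four coincidence over the four measurement channels."""
    dead = BUS_FEEDS.get(lost_bus, ())
    votes = sum(
        vote(cfg[ch], ch not in dead, demand or ch == spurious, energize_to_actuate)
        for ch in CHANNELS
    )
    return votes >= 2


def bus_losses_blocking_actuation(cfg, energize_to_actuate=True):
    """Single dc bus failures that prevent actuation on a real demand."""
    return [
        bus for bus in BUS_FEEDS
        if not actuates(cfg, True, lost_bus=bus,
                        energize_to_actuate=energize_to_actuate)
    ]


def channels_causing_premature_actuation(cfg):
    """Single spurious channel trips that actuate with no real demand."""
    return [ch for ch in CHANNELS if actuates(cfg, False, spurious=ch)]


def bus_losses_causing_spurious_actuation(cfg, energize_to_actuate):
    """Single dc bus failures that actuate with no real demand."""
    return [
        bus for bus in BUS_FEEDS
        if actuates(cfg, False, lost_bus=bus,
                    energize_to_actuate=energize_to_actuate)
    ]


if __name__ == "__main__":
    bypass = with_state("MB", State.BYPASSED)
    trip = with_state("MB", State.TRIPPED)
    print("all operable, blocking bus losses:",
          bus_losses_blocking_actuation(ALL_OPERABLE))
    print("MB in bypass, blocking bus losses:",
          bus_losses_blocking_actuation(bypass))
    print("MB in trip, premature actuation on spurious trip of:",
          channels_causing_premature_actuation(trip))
    print("de-energize-to-actuate design, spurious on loss of bus:",
          bus_losses_causing_spurious_actuation(ALL_OPERABLE, False))
```

With every channel operable, neither bus loss blocks actuation; the vulnerability appears only once a channel is held in bypass or trip, which is the condition the revised action statements time-limit.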

7.3.1.1.11 Containment Isolation Signal (CIS)

The logic which initiates the containment isolation signal (CIS) is shown on Figure 7.3-14. CIS is actuated on high containment pressure (5 psig) or high containment radiation (10 R/hr). The CIS measurement channels include four independent containment pressure transmitters and four independent containment radiation monitors. The measurement channels for each of these two diverse parameters are combined into a two-out-of-four logic. The output signals from the high containment and high radiation logic matrices are combined in an "or" logic circuit to form the containment isolation signal (CIS). There are two independent CIS actuation channels (A and B). The CIS channels close all the containment isolation valves that are not required for operation of the engineered safety features following an accident. In addition, per NRC Post TMI requirement, CIS is actuated by a Safety Injection Actuation Signal (SIAS) as described in Section 6.3.

A list of components actuated on CIS is given in Table 7.3-5. Electrical schematic diagrams for typical containment isolation valves are shown on Figures 7.3-15A and 15B. A listing of the isolation valves with valve size, type of actuator, normal position, and position on loss of power is given in Table 6.2-16.

Each CIS actuation channel (A or B) actuates a shield building ventilation system (SBVS) fan (A or B) and its associated dampers and valves. Electrical schematic diagrams for the SBVS fans are shown on Figures 7.3-16 and 7.3-17. Each CIS actuation channel (A or B) actuates a control room ventilation system booster fan (A or B) and its associated damper and control room isolation valves as discussed in Section 7.3.1.3.5. Each CIS actuation channel may be initiated manually from the control room.
7.3.1.1.12 Main Steam Isolation Signal (MSIS)

The function of the MSIS is to terminate blowdown of steam from the steam generators and normal feedwater flow to the steam generators in the event of a steam line break accident. The logic which initiates MSIS is shown on Figure 7.3-18. The MSIS measurement channels include four steam generator pressure transmitters for each steam generator. The signals from the four sensors for each steam generator are combined in a two-out-of-four logic to provide closure of both main steam isolation valves, both main feedwater isolation valves, and both main feedwater pump discharge valves on low steam generator pressure (585 psig). The logic also trips both main feedwater pumps, both condensate pumps and both heater drain pumps. The two feedwater isolation valves also close on SIAS as discussed in Section 7.3.1.1.8. The measurement channels, logic and actuation channel associated with steam generator A are separated from those associated with steam generator B.

An MSIS signal on either channel will close the MSIV, the main feedwater isolation valve (MFIV), and main feedwater pump discharge valve on that channel and send a signal through Train A/Train B isolation relay to close the MSIV, the MFIV, and the main feedwater pump discharge valve of the other channel. An MSIS signal on either channel will also trip both main feedwater pumps 1A/1B, condensate pumps 1A/1B, and heater drain pumps 1A/1B through a safety to non-safety isolation relay. Each isolation device is designed as an energize to actuate device and is powered from a safety related dc power source. The effects of ac or dc power loss in combination with the isolation device have been evaluated to ensure conformance to single failure criteria for the MSIS features. In addition, annunciation is provided to alert the operator of power loss to the isolation device.

In the event of a steam line break accident at least one MSIV closes, limiting blowdown to a single steam generator. The consequences of such an occurrence are evaluated in Section 15.4.

An MSIS actuation block is provided to permit shutdown depressurization of the main steam system without initiating MSIS. Block is accomplished manually. This process is under strict administrative control with block and block permissive annunciated and indicated in the control room. It is not possible to block above a preset pressure; and if the system is blocked and pressure rises above this point, the block is automatically removed. The block circuit is designed to comply with the single failure criterion specified in IEEE 279.

A list of components on MSIS is given in Table 7.3-6. Electrical schematic diagrams for the main steam isolation valves are shown on Figures 7.3-19 and 7.3-20.

7.3.1.1.13 Auxiliary Feedwater Actuation Signals (AFAS-1 & AFAS-2)

The auxiliary feedwater actuation signal logics for AFAS-1 and AFAS-2 are shown in Figure 7.4-26.
A separate auxiliary feedwater actuation signal is generated for each Steam Generator (AFAS-1, AFAS-2). For each AFAS-1 and AFAS-2 there are four independent level transmitters for Steam Generator level, four independent Steam Generator pressure transmitters, and four independent Feedwater Header pressure transmitters.

The AFAS actuation logic actuates auxiliary feedwater to a Steam Generator on low level after a time delay period unless that Steam Generator or its associated auxiliary feedwater supply header has been identified as being ruptured. A Steam Generator is identified as being ruptured when its pressure is approximately 275 psi below the other Steam Generator coincident with its own low level signal and with the other Steam Generator and auxiliary feedwater header being identified as not ruptured. An auxiliary feedwater supply/header is identified as ruptured when its pressure is approximately 150 psi below the other auxiliary feedwater header pressure coincident with its associated steam generator low level signal and with the other steam generator and auxiliary feedwater header being identified as not ruptured.

The AFAS actuation logic isolates auxiliary feedwater flow to a steam generator upon recovery of steam generator level. Manual actuation may be initiated from the control room. A list of components actuated by AFAS-1 and AFAS-2 is given in Table 7.4-2. A failure modes and effects analysis is given in Table 7.3-10.

Automatic actuation of the equipment is initiated after an appropriate time delay, by the relays controlled by the AFAS logic system. The AFAS actuation logic from bistable comparators to output relay contact is housed in a separate cabinet distinct from the SA and SB ESFAS cabinets. The logic is similar to the RPS logic and is described in more detail in the following sections.

7.3.1.1.13.1 Bistables, Logic Matrixes and Initiation Circuits

The monitored parameters of Steam Generator A and B pressure, Feedwater Header Pressure 1 and 2 and Steam Generator Level A and B are shown in Figure 7.3-46. The steam generator low level initiation signals generated in the four measurement channels (MA, MB, MC, MD) are received by four bistable comparators for each parameter. At the bistables, the signals are compared to predetermined setpoints. Whenever a channel parameter reaches the predetermined setpoint, the bistable initiates a channel trip which is characterized by the deenergization of three bistable trip relays. Channel trip reset, characterized by the energization of the bistable relays, occurs whenever a channel parameter returns to a value representing the setpoint plus a predetermined bistable hysteresis resetpoint. Two bistable hysteresis resetpoints operate to reset the channel trip before and after completion of a predetermined initiation time delay period.

Contacts from the bistable relays of the same system in the four protective channels are arranged into six logic ANDs, designated AB, AC, AD, BC, BD and CD, which represent all possible coincidence-of-two combinations.
To form an AND circuit, the bistable trip relay contacts associated with the same AFAS are connected in parallel (e.g., one from A and one from B). This process is continued until all combinations have been formed. Each logic matrix is connected in series with a set of four matrix output relays. Each logic matrix is powered from two separate 120v Class 1E instrument power supply buses through dual dc power supplies.

The contacts of the matrix relays are combined into four initiation circuits, one circuit per channel per AFAS. Each initiation circuit is formed by connecting six contacts (one matrix relay contact from each of the six logic matrixes) in series. The six series contacts are in series with the initiation delay circuit and the initiation relay. The initiation relay outputs are combined to form the actuation logic.

7.3.1.1.13.2 Actuation Logic

The actuation logic is formed by combining the initiation circuit output signals from the four channels into a selective two-out-of-three logic within each channel. Upon actuation of this logic the appropriate (AFAS-1 or 2) AFAS actuation relays will deenergize to control the individual AFWS components. The actuation relays are subdivided into two categories as follows:

a) Cycling Relays - These relays control the auxiliary feedwater isolation valves and will automatically reset when the steam generator has refilled or a steam generator or feedwater header has been identified as being ruptured.

b) Latching Relays - These relays control the auxiliary feedwater pumps, and the AFW systems turbine inlet valves and will remain in the actuated condition until manually reset.

7.3.1.1.13.3 Trip Generation (Output Relays)

Signals from the process measurement loops are sent to bistables where the input signals are compared to the predetermined trip setpoints. Whenever a parameter reaches the trip value, the bistable output deenergizes. This and other similar signals form the AFAS logic signal which deenergizes three bistable relays when the appropriate conditions are met. The bistable relay contacts change state, effecting the appropriate coincidence logic.

The bistable and differential bistable setpoints are adjusted at the AFAS cabinet. Access to the adjustments is administratively controlled by means of a key locked cover. The initiation delay time setpoints and bistable hysteresis resetpoints are adjusted internal to the AFAS cabinet. The setpoints within each channel can be monitored on a meter located on the AFAS cabinet.

7.3.1.1.13.4 Testing Circuitry

Provisions for testing the AFAS are similar to those described in Subsection 7.2.1.6(a), except as discussed below.
a) Bistable Comparator Test - Operation of bistable hysteresis resetpoints is verified using hysteresis test switches for each low steam generator level bistable (see Figure 7.3-47). The bistable is placed in a tripped condition by test methods defined in Subsection 7.2.1.6(c), then the test input signal is increased until reset occurs.

b) Actuation Logic Test - This test verifies the proper operation of the AFAS actuating logic circuits (refer to Figure 7.3-46). The selective two-out-of-three logic circuit, located in the AFAS Cabinet, of each AFAS channel is tested in a manner identical to the Trip Path/Circuit Breaker System (see Subsection 7.2.1.6 (d)). One current leg of the selective two-out-of-three logic matrix is interrupted by opening one of the current leg's contacts and loss of current in that current leg is verified. Each contact in both current legs is checked in this manner.

c) Initiation Delay Logic - Initiation delay operation is tested using an initiation delay test switch (see Figure 7.3-47). One current leg of the selective two-out-of-three logic matrix is interrupted and loss of current in that leg is verified by the extinguishing of an AFAS panel indicator. Upon completion of the delay time period, the initiation delay function under test is automatically reset and the restoration of current is verified by the illumination of the panel indicator. The manual trips are checked one at a time from the AFAS Cabinet and the lockout relay contacts are checked via the individual relay test system.

d) Actuating Device Test - Proper operation of the AFAS relays in the AFAS Cabinet is verified by deenergizing the relays one at a time via a test relay contact (see Figures 7.3-46 and 7.3-47), and noting the proper operation of all actuated components in that trip function (AFAS-1 or AFAS-2). The relay will automatically reenergize and return its components to the pretest condition when the test pushbutton is released. The design of the test system is such that only one relay may be deenergized at a time. The test switch must be positioned to the function relays (AFAS-1 or AFAS-2) to be tested; selection of more than one function is impossible. The test circuit is electrically locked out upon actuation of a particular AFAS function.
7.3.1.1.13.5 Bypasses

a) Trip Channel Bypass - A bypass is provided to remove an AFAS function from one of the channels from service for maintenance or testing. The requisite two-out-of-three trip logic is unaffected by this bypass. The remaining trip functions in that channel are unchanged. The bypass is manually initiated and manually removed. The bypass is initiated by use of a pushbutton behind a key locked panel. When an AFAS is bypassed there is an audible and visible alarm to indicate which channel is being bypassed.

b) Battery Fail Bypass - A bypass is provided upon battery failure (defined as the loss of inverter output power to two AFAS channels). The bypass is automatically initiated and removed. Upon loss of power, the bypass is applied in one affected channel while the other affected channel trips. This results in a one-out-of-two trip logic for the remaining two unaffected channels. There is an audible and visible alarm to indicate which channel is bypassed. The automatic bypass operates on a priority basis in conjunction with a trip channel bypass to preclude bypassing of more than one channel at a time.

7.3.1.1.13.6 Interlocks

Two interlocks are provided within the AFAS cabinet as follows:

a) Bypass Interlock - A priority bypass system prevents the operator from bypassing more than one AFAS function in a channel at a time.

b) Test System Interlock - A priority interlock prevents more than one channel of the AFAS from being tested at a time.

7.3.1.1.13.7 Sequencing

a) The AFAS simultaneously actuates the following AFW components:

   i) The AFWS pumps and the Auxiliary Feedwater turbine inlet valves are latched on.

   ii) The AFWS Isolation valves supplying feedwater to Steam Generator 1A and 1B are opened but are not latched. If a minimum pressure differential exists between steam generator or feedwater header indicating a rupture, the associated AFWS isolation valves will remain closed. Once the steam generator level has reached its high level setpoint, the AFAS trip condition will no longer be generated, and the AFWS isolation valves will close.

b) Each AFAS actuates the components listed on Table 7.4-2. However, to ensure that the emergency diesel generator loads are properly assigned in the event of loss of offsite power, individual time relays are provided to delay starting of the equipment in accordance with the diesel generator sequence in Table 8.3-2.
7.3.1.1.13.8 Redundancy

Redundancy features for the AFAS-1 and AFAS-2 are similar to those described in Subsection 7.2.1.7 (with the exception of Items (d), (e) and the statement on DC power in Item (f)).

7.3.1.1.13.9 Diversity

The system is designed to eliminate credible multiple channel failures originating from a common cause. The failure modes of redundant channels and the conditions of operation that are common to them are analyzed to assure that a predictable common failure mode does not exist. The design provides reasonable assurance that the protective system cannot be made inoperable by the inadvertent actions of operating or maintenance personnel. The design is not encumbered with additional channels or components without reasonable assurance that such additions are beneficial.

The bistable and matrix relay cards found in the AFAS cabinets have a high level of diversity with respect to the relays found in the RPS. In general the AFAS relays have different types of reed switch assemblies than the RPS relays. These relays are the only area of concern identified by the NRC relevant to the mitigation requirement of the ATWS Rule (10 CFR 50.62) and they maintain diversity between the RPS and AFAS. It has been concluded that the different relay cards are sufficient to effect compliance with the NRC ATWS Rule as it applies to auxiliary feedwater initiation (see Section 7.6.1.4 for further discussion on ATWS Diversity).

7.3.1.1.13.10 Auxiliary Supporting Systems Required

The auxiliary supporting systems required are described in Subsection 7.3.1.3.

7.3.1.1.13.11 Analysis

Table 7.3-10 presents a Failure Mode and Effects Analysis for the AFAS-1 and AFAS-2 functions. Figure 7.3-46 shows the bistables, matrix logic, initiation logic and actuation logic for the AFAS-1 and AFAS-2 actuation system. Figure 7.3-47 shows the testing system for the AFAS-1 and AFAS-2 actuation systems.

Section 7.3.2.3 discusses the conformance of the ESFAS to IEEE-279. The physical configuration of the AFAS-1 and AFAS-2 circuitry differs somewhat from the remainder of the ESFAS.
The AFAS-1 and AFAS-2 circuitry conforms closely to the RPS circuitry and has been described earlier in this section. The AFAS-1 and AFAS-2 equipment (from bistables to actuation relays) is located in a compartmentized cabinet. Separate compartments exist for the four channels and the two trains or actuation relays. Mechanical and thermal barriers between these compartments minimize the possibility of common event failures. Interchannel wiring is fused in both the originating and destination channel. Input/output field cabling access to each channel is provided through fireproof ducts or cabinet openings in the top or bottom of the cabinet.

7.3.1.1.13.12 Capability for Test and Calibration

AFAS-1 and AFAS-2 testing and calibration are discussed in Subsection 7.3.2.4 and are in compliance with IEEE 338-1971.

7.3.1.1.13.13 Access to Means for Bypassing

The AFAS-1 and AFAS-2 bypass switches for the four channels are series connected in a channel A, B, C, D order of priority. Depressing any bypass switch enables the appropriate bypass and disables all downstream bypass switches. All bypasses are visually and audibly annunciated. The bypass switches for each channel are located behind separate keylocked doors.
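The coincidence matrices of Subsection 7.3.1.1.13.1 and the bypass behaviour of Subsections 7.3.1.1.13.5 and 7.3.1.1.13.13 can be checked exhaustively with a small contact-level model. This is an added illustrative example, not part of the UFSAR or of any plant software; the function names are hypothetical, the four initiation circuits are collapsed into one, the initiation delay and the selective two-out-of-three actuation stage are omitted, and it assumes that an active bypass holds the bypassed channel's contact path closed.

```python
from itertools import combinations, product

CHANNELS = ("A", "B", "C", "D")              # measurement channels MA..MD
MATRICES = list(combinations(CHANNELS, 2))   # AB, AC, AD, BC, BD, CD


def effective_bypass(requested):
    """Series-wired bypass switches: the first request in A, B, C, D order
    is honoured and every downstream switch is disabled."""
    for ch in CHANNELS:
        if ch in requested:
            return ch
    return None


def contact_closed(ch, tripped, powered, bypassed):
    """State of one bistable trip relay contact as seen by a logic matrix.

    The relay is energized (contact closed) only while the channel has power
    and its bistable is not tripped. Assumption of this model: a bypass keeps
    the contact path closed whatever the bistable does.
    """
    if ch == bypassed:
        return True
    return powered[ch] and not tripped[ch]


def matrix_energized(pair, tripped, powered, bypassed):
    """Two contacts in parallel: the matrix relays drop out only when BOTH
    contacts are open, which is what makes each matrix an AND of two trips."""
    first, second = pair
    return (contact_closed(first, tripped, powered, bypassed)
            or contact_closed(second, tripped, powered, bypassed))


def initiation(tripped, powered=None, bypass_requests=()):
    """True when the initiation relay drops out.

    One contact from each of the six matrices is wired in series, so a single
    de-energized matrix opens the circuit (an OR across the six ANDs).
    """
    powered = powered or {ch: True for ch in CHANNELS}
    bypassed = effective_bypass(set(bypass_requests))
    return any(not matrix_energized(pair, tripped, powered, bypassed)
               for pair in MATRICES)


def voting_summary(powered=None, bypass_requests=()):
    """Enumerate every trip pattern of the live channels.

    Returns (live channels, fewest trips that initiate, most trips that do
    not initiate); (4, 2, 1) therefore means strict two-out-of-four.
    """
    powered = powered or {ch: True for ch in CHANNELS}
    bypassed = effective_bypass(set(bypass_requests))
    live = [ch for ch in CHANNELS if powered[ch] and ch != bypassed]
    min_fire, max_quiet = None, -1
    for bits in product((False, True), repeat=len(live)):
        tripped = {ch: False for ch in CHANNELS}
        tripped.update(zip(live, bits))
        count = sum(bits)
        if initiation(tripped, powered, bypass_requests):
            min_fire = count if min_fire is None else min(min_fire, count)
        else:
            max_quiet = max(max_quiet, count)
    return len(live), min_fire, max_quiet


if __name__ == "__main__":
    # Constructed scenarios, not plant data.
    print("normal            ", voting_summary())
    print("channel A bypassed", voting_summary(bypass_requests=("A",)))
    lost = {"A": False, "B": False, "C": True, "D": True}
    print("battery fail      ",
          voting_summary(powered=lost, bypass_requests=("A",)))
```

In this model, losing power to two channels without the automatic bypass de-energizes matrix AB with no process trip present, which is the condition the battery fail bypass converts into one-out-of-two logic on the two unaffected channels.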

7.3.1.1.13.14 Channel Bypass or Removal From Operation

For the AFAS-1 and AFAS-2, aside from the channel bypass, a battery fail bypass exists. This bypass is described in Subsection 7.3.2.3.11.

Based on the following consideration, Technical Specification action statements pertaining to one inoperable AFAS or AFW Isolation measurement channel were revised (via Technical Specification Amendment #188 and Engineering Evaluation PSL-ENG-SENS-00-024) to restrict the amount of time an inoperable channel could remain in a tripped condition. With one inoperable channel placed in trip, single failure of another AFW Isolation logic channel could compromise the rupture detection logic. This same Technical Specification Amendment also restricted the amount of time that either AFAS-1 or AFAS-2 could remain in bypass without bypassing both AFAS actuation functions in the affected channel. This change was also required to ensure the rupture detection logic could not be compromised by a postulated single failure.

7.3.1.1.13.15 Conformance to Testing Criteria

The information given in Section 7.3.2.4 applies to the AFAS-1 and AFAS-2 function except as discussed below.

a) Bistables, Logic and Actuation Manual Testing - The AFAS-1 and AFAS-2 functions are tested by means of a manual test system (Ref Figure 7.3-46). No capability for automatic testing is provided for AFAS-1 and AFAS-2.

b) Actuation Device and Actuated Equipment Testing - Each actuation relay for the AFAS-1 and AFAS-2 functions can be individually tested utilizing the test system.

7.3.1.2 Engineered Safety Feature Systems Instrumentation and Control

7.3.1.2.1 Safety Injection System

In the event of LOCA, the SIAS automatically:

a) starts two high pressure pumps and two low pressure pumps

b) opens four high pressure, four auxiliary high pressure and four low pressure header valves. The valve control circuit permits manual adjustment of the safety injection water flow to satisfy emergency core cooling requirements.
c) closes four safety injection tank recirculation/drain valves and opens four safety injection tank outlet isolation valves if not fully open.

d) closes FW isolation valves.

e) sends a START signal to the emergency diesel generators (EDGs) and a momentary TRIP signal to the EDG output breakers.

f) starts three charging pumps, two boric acid pumps and actuates associated valves. The automatic pump trip circuits are inhibited by SIAS.

g) actuates component cooling, intake cooling water pumps and associated valves.

h) actuates emergency core cooling system (ECCS) pump area ventilation system.

i) actuates containment cooling fan

j) actuates miscellaneous equipment as listed in Table 7.3-2.

k) initiates the Containment Isolation Signal (CIS).

Separate control switches are provided for manual actuation of each valve and pump in the control room. The control room process instrumentation such as flow, temperature and pressure of the processed liquids is provided to enable the operator to evaluate system performance. Alarms are provided for low flow, pump failure to start on SIAS, and valve or pump circuit failures. The safety injection pump control switch "off" position is also annunciated. The safety injection header valves have position indicating lights (open/closed). The pumps and all remote operated valves are provided with status lights. The annunciator and position indicating lights are located on the control room panel.

In the event of loss of offsite power, all pumps and motor operated valves are powered from the emergency diesel generators. Their loading sequencing is shown in Table 8.3-2. The solenoid valves are powered from the 125v dc batteries.

7.3.1.2.2 Containment Cooling System

The containment cooling system function is performed by the containment fan cooler units HVS-1A, HVS-1B, HVS-1C and HVS-1D. The four fan cooler units provide 100 percent back-up for the containment spray system. The system is discussed in Section 6.2.2.2.2 and the system control diagram is shown on Figure 9.4-2. The system logic is shown on Figure 7.3-37.

During normal operation, three of the four fan coolers are in continuous operation. They are started manually from the control room. In the event of a LOCA, the unit which is not running is automatically started upon SIAS. The actuating instrumentation and controls for SIAS are part of the ESFAS and are discussed in Section 7.3.1.1.8. Control room process indication alarms, status indicating lights and process instrumentation including post-LOCA qualified air inlet and outlet temperature monitoring, is provided to enable the operator to evaluate system performance.

Upon loss of offsite power, all four units are automatically started and loaded on the emergency diesel generator. Their sequencing is shown in Table 8.3-2. Separate switches and actuation circuitry are provided for redundant components.
Component cooling water for the containment air recirculating unit heat exchangers is supplied from the redundant cooling water headers through normally open motor operated valves and manually operated valves. The motor operated valves have control switches and position indicating lights in the control room. The component cooling water flow and temperature is monitored in the control room and post-LOCA qualified flow switches provide low flow annunciation. Refer to Table 6.2-12 for a listing of containment cooling system instrumentation application.

7.3.1.2.3 Containment Spray System

In the event of a LOCA, the containment spray pumps and the associated valves are actuated automatically from the CSAS. The component actuating controls and instrumentation is part of the CSAS and is discussed in Section 7.3.1.1.10. The control room process indication alarms, component status indicating lights and process instrumentation is provided to enable the operator to evaluate the system performance.

The running spray pumps, upon loss of offsite power, are restarted automatically and loaded on the emergency diesel generator power. Their sequencing is shown in Table 8.3-2. The solenoid operated valves are powered from 125V dc batteries. Separate manual control switches and automatic actuation circuitry is provided for each redundant pump or valve.

The component cooling water shutdown heat exchangers are used for cooling of the containment spray water. Each shutdown heat exchanger is supplied from one of two redundant component cooling water headers. The component cooling water outlet valves from shutdown heat exchangers are automatically opened by SIAS. The valves have manual control switches and position indicating lights in the control room. The component cooling water temperature and flow is monitored in the control room and low flow is annunciated.

7.3.1.2.4 Shield Building Ventilation System

The Shield Building Ventilation System is discussed in Section 6.2-3. The system control diagram is shown on Figures 9.4-1 and 9.4-3. Location of system components are shown on the plant general arrangement drawings. The system logic is shown on Figures 7.3-38 and 7.3-39.

The system instrumentation and controls necessary to prevent the uncontrolled release of radioactivity following a LOCA are as follows:

a) Starting of shield building exhaust fans.

b) Opening of cooling air inlet valve.

c) Monitoring of charcoal adsorber filter temperatures, Shield Building to atmosphere differential pressure, differential pressure across HEPA filters.

d) Regulating of exhaust fan outlet damper.

e) Energizing electric heaters.

In the event of a LOCA, the shield building exhaust fans are started automatically upon CIS. The instrumentation and controls for CIS are part of the ESFAS and are discussed in Section 7.3.1.1.11. The cooling air valves are automatically opened at 1 in. w.g. negative pressure in the annulus and cooling air flow is controlled through self regulating check valves. Normally the shield building exhaust fan discharge dampers are open. They partially close to a pre-set throttled position at 2 in. w.g. negative and reopen at 1 in. w.g. negative pressure in the annulus. The cross tie valve (FCV-25-13) between the two redundant shield building ventilation subsystems is manually operated from the control room and the open position permits the cooldown of the charcoal adsorbing filters for the standby system. The electric heaters are automatically controlled by temperature controllers and by fan operation. There are two heaters per train, a high power heater which energizes anytime the corresponding fan is started and a low power heater which energizes when the alternate fan is started.

Control room indication alarm and status instrumentation is provided to enable the operator to evaluate system performance and detect malfunctions. The manual control switches and equipment status lights are provided in the control room for system manual control and indication. Redundant and diverse instrumentation is provided for annulus pressure indication. Annulus high pressure (+5 inches w.g.) and low pressure (-4.5 inches w.g.) are annunciated in the control room. The differential pressure across the HEPA filters is indicated in the control room and high differential pressure is annunciated. High heater element temperature is monitored by a local controller and high temperatures are alarmed in the control room. High humidity in the system is locally indicated and alarmed in the control room. The charcoal adsorber filter and air flow temperatures are recorded and high temperatures are alarmed. The shield building exhaust fan failure, low air flow, or failure to start on CIS is also alarmed. Refer also to Section 6.2.3.5.

Upon loss of offsite power, the fans are automatically restarted and loaded on the emergency diesel generators. Their sequencing is shown in Table 8.3-2. The electrical bypass circuit is provided to permit stopping of one redundant fan when systems were started automatically upon CIS. This bypass automatically resets when CIS is reset. The standby system is restarted automatically upon failure of the running system. This interlock is designed to meet IEEE-279 separation criterion as discussed in Section 7.3.2.3.2.

Separate actuation switches and circuitry are provided for redundant components. Physical and electrical separations are provided as discussed in Section 7.3.2.2.

7.3.1.3 Engineered Safety Features Supporting Systems Instrumentation and Control

7.3.1.3.1 Component Cooling Water System Instrumentation

The Component Cooling Water System is discussed in Section 9.2.2. The system P&ID is shown on Figure 9.2-2.
Location of system components is shown on the plant general arrangement drawings. The system instrumentation and control necessary to support ESF are as follows:

a) Actuation of System Components

To support ESF, the system component actuation steps required are:

1) automatic starting of the component cooling water pumps,
2) automatic opening of the outlet valves from the shutdown heat exchangers.

In the event of a LOCA, the component cooling water pumps, heat exchanger and header isolation valves are actuated automatically upon SIAS. The actuating instrumentation and controls for SIAS actuation are part of the Engineered Safety Features Actuation System and are discussed in Section 7.3.1.1. The pumps can also be started manually by means of control switches located on the main control panel or by means of control switches at the respective switchgear. Pump logic and control diagrams are shown on Figures 7.4-3 through 7.4-5. Electrical schematic diagrams of pump control circuits are shown on Figures 7.4-6 through 7.4-8.

Control panel switches are provided to actuate the shutdown heat exchanger outlet valves (HCV 3A and B).

The component cooling water surge tank is normally vented to the atmosphere through a three way valve (RCV-14-1) in the tank vent line. Upon a high radiation signal, the valve will change position and venting will be diverted to the waste management system. The high radiation signal is derived from either of the two radioactivity monitors RE-26-56 and RE-26-57 which sample at the component cooling water supply headers. The operation of this interlock is not required for safe shutdown and is not designed as seismic Class I. Refer to Figure 7.3-45.

b) Control of System Operation

The component cooling water system is designed to operate without automatic or manual process control after the system is actuated. The pumps, heat exchangers and components operate with unmodulated flow. Accordingly there are no control valves, controllers or other control instrumentation which are required for support of ESF.

c) Monitoring of System Operation

Control room process indication alarm and status diverse instrumentation (flow, pressure) is provided to enable the operator to evaluate system performance and detect malfunctions. Component cooling water surge tank low level is alarmed in the control room by redundant instrumentation. The outlet temperature, pressure and flow from each component cooling water heat exchanger is indicated in the control room. High temperature, low flow, high flow and low pressure are alarmed. Shutdown heat exchanger low flow and high flow are similarly indicated and alarmed. The shutdown heat exchanger outlet valves and header isolation valves are provided with position indicating lights in the control room. Component cooling water pump operating status is also indicated in the control room. Refer to Section 7.5 for further discussion of safety related monitoring instrumentation.
d) Interlocks, Bypasses and Sequencing Upon loss of offsite power, the pumps are automatically restarted and loaded on the emergency diesel generators. Their sequencing is shown in Table 8.3-2. As discussed in Section 8.3.1.2.4, if all three pumps are available for starting, pump 1C which is part of electrical load group AB is not started if offsite power is lost to avoid overloading the diesel generator. If either pump 1A or 1B is out of service, pump 1C replaces that pump and starts automatically as part of the corresponding electrical load group. 7.3-15 Amendment No. 24 (06/10)

e) Redundancy

Separate switches and actuation circuitry are provided for redundant components. Physical and electrical separations are provided as discussed in Section 7.4.2.1.

f) System Supporting Equipment

Control switches are also provided locally and in the control room to operate the cross-connection valves (I-MV-14-1,2,3,4) on the suction and discharge pump headers. This allows the operator to control alignment of pump flow to each of the redundant headers.

7.3.1.3.2 Intake Cooling Water System Instrumentation

The intake cooling water system is discussed in Section 9.2.1. The system P&ID is shown on Figure 9.2-1. Location of system components is shown on the plant general arrangement drawings. The system instrumentation and controls necessary to support ESF are discussed as follows:

a) Actuation of System Components

To achieve safe shutdown the only system component actuation step required is starting the intake cooling water pumps. As discussed in Section 9.2.1.2, the CCW heat exchanger debris discharge valve is also closed via a SIAS trip of the debris discharge valve solenoid to prevent ICW flow diversion past the heat exchanger. In the event of a LOCA, the intake cooling water pumps and essential header isolation valves are actuated automatically upon SIAS. The actuating instrumentation and controls for SIAS actuation are part of the engineered safety features actuation system and are discussed in Section 7.3.1.1.8. The pumps may also be started manually either by means of switchgear or control room switches. Pump logic and control diagrams are shown on Figures 7.4-9 through 7.4-11. Electrical schematic diagrams of pump operation are shown on Figures 7.4-12 through 7.4-14.

b) Control of System Operation

Following actuation of the pumps, the intake cooling system is designed to operate with automatic temperature controlled modulation of the intake cooling water flow through the component cooling heat exchangers. The heat exchanger outlet flow control valves (TCV-14-4A and TCV-14-4B) are controlled by temperature controllers TIC-14-4A and TIC-14-4B which sense outlet temperature on the component cooling water side of the heat exchangers. As temperature increases, intake cooling water flow is automatically increased. The control valves are pneumatically operated and fail wide open on loss of instrument air. In the event of loss of air, the intake cooling system will operate in the full unmodulated flow mode. The temperature controllers are provided only for efficient system operation during normal plant operation. No other automatic or manual control of system operation is required to support ESF.

c) Monitoring of System Operation

Control room process indication, alarm and status instrumentation is provided to enable the operator to evaluate system performance and detect malfunctions. Pump discharge pressure to the essential redundant headers is indicated and low pressure is alarmed. Separate instrumentation serves each of the redundant headers. Outlet flow for each of the component cooling heat exchangers is indicated and low flow is alarmed by separate instrumentation. Intake cooling water pump operating status and header isolation valve position are indicated in the control room. Pump failure is alarmed in the control room. Refer to Section 7.5.

d) Interlocks, Sequencing and Bypasses

Upon loss of offsite power, the pumps are automatically restarted and loaded on the emergency diesel generators. Their sequencing is shown in Table 8.3-2. If all three pumps are available for starting, pump 1C, which is part of electrical load group AB, is not started to avoid overloading the diesel generator. Refer to Section 8.3.1.2.4. If either pump 1A or 1B is out of service, pump 1C replaces that pump and starts automatically as part of the corresponding electrical load group.

e) Redundancy

Separate control panel switches and actuation circuitry are provided for starting the pumps. Physical and electrical separation are provided as discussed in Section 7.3.2.2.

7.3.1.3.3 Emergency Power System Instrumentation

The emergency power system is discussed in Section 8.3. Location of system components is shown on the plant general arrangement drawings. The system instrumentation and control required to support ESF are discussed as follows:

a) Actuation of System Components:

1) starting the emergency diesel generators
2) tripping the circuit breakers between the normal and emergency 4.16 kv buses
3) tripping the circuit breakers for non-essential loads on the emergency busses
4) closing the diesel generator circuit breakers to the 4.16 kv buses
5) closing the circuit breakers for loads requiring ESF operation

In the event of a LOCA, the emergency diesel generators are automatically started on SIAS. The actuating instrumentation and controls for these signals are part of the engineered safety features actuation system and are discussed in Sections 7.3.1.1.8, 7.3.1.1.10 and 7.3.1.1.11.

b) Control of System Operation

Once the system is actuated the diesel generator voltage and frequency are automatically controlled. Each diesel generator set has its own speed control system and voltage regulator. No other manual or automatic controls are necessary for proper system functioning. Manual backup for voltage and frequency controls is provided locally and in the control room. Control switches are also provided locally and in the control room for manually starting the diesel generators and operating the generator breakers.

c) Monitoring of System Operation

Control room indication, alarm and status instrumentation is provided to enable the operator to evaluate system performance and detect malfunctions. Diesel generator current, voltage and frequency are indicated. Alarms are provided to indicate diesel generator malfunction or trip. Refer to Sections 7.5 and 8.3.1.1.7.

d) Bypasses, Interlocks, and Sequencing

Upon loss of offsite power, the emergency diesel generators are automatically started, the breakers between normal and emergency buses are automatically tripped and loads are automatically stripped from the emergency buses. When the emergency diesel generators reach operating frequency and voltage, the diesel generator breakers are automatically closed and the loads required for safe shutdown which were previously running are automatically restarted and loaded on the diesel generators in the proper sequence as shown in Table 8.3-2. Additional loads are manually connected as required. The automatic starting and loading sequence is discussed fully in Section 8.3.1.1.7. Diesel generator logic and electrical schematic control diagrams are shown in Section 8.3.

e) Redundancy

Separate control switches and actuation circuitry are provided for starting emergency diesel generators and actuating emergency bus breakers. Physical and electrical separations are provided as discussed in Section 7.3.2.2.

7.3.1.3.4 ECCS Area Ventilation System

The auxiliary building ECCS pump area ventilation system control diagram is shown on Figure 9.4-3. The locations of the system components are shown on the plant general arrangement drawings and system logic is shown on Figures 7.3-28 through 7.3-31. The system is also discussed in Section 9.4.3.

a) Actuation of System Components

1) start the auxiliary building supply fans HVS-4A, 4B
2) start the auxiliary building ECCS pump area exhaust fans HVE-9A, 9B
3) open dampers;
   (a) 4 inlet dampers to ECCS pump area (D-1, D-2, D-3, D-4)
   (b) 2 inlet dampers to HEPA and charcoal adsorber filters (D-13, D-15)
   (c) 2 outlet dampers from HEPA and charcoal adsorber filters (D-14, D-16)
   (d) 2 exhaust fan HVE-9A, 9B outlet dampers
4) close dampers;
   (a) 2 inlet dampers to pipe tunnel (D-8A, D-8B)
   (b) 4 inlet dampers to selected sections of reactor auxiliary building (D-7A, D-7B, D-11A, D-11B)
   (c) 2 outlet dampers from ECCS pump area to main exhaust system (D-9A, D-9B)
   (d) 2 outlet dampers from pipe tunnel to main exhaust system (D-12A, D-12B)
   (e) 4 outlet dampers from shutdown heat exchanger area to main exhaust system (D-5A, 5B, 6A, 6B)

5) monitor differential pressure across the HEPA filters and ECCS pump area temperatures.

In the event of a LOCA, the auxiliary building ECCS pump area ventilating system is actuated automatically upon SIAS. The SIAS is part of the engineered safety feature actuation system, which is discussed in Section 7.3.1.1.8.

b) Control of System Operation

Control switches are provided in the control room and locally for the manual actuation of the supply and exhaust fans. The dampers are then automatically actuated from the exhaust fan HVE-9A, 9B interlocks. The dampers are also independently actuated from the SIAS signal.

c) Monitoring of System Operation

For the operator to evaluate system performance in the control room, the following indication is provided:

1) supply and exhaust fan status lights and failure alarms
2) auxiliary building ECCS pump area isolation dampers to main exhaust system status lights
3) HEPA and charcoal adsorber inlet and outlet damper status lights
4) auxiliary building ECCS pump area temperature recording and high temperature alarm
5) HEPA filter differential pressure indication

Refer to Section 9.4.2.5 for additional information on the ECCS area ventilation system instrumentation.

d) Bypasses, Interlocks and Sequencing

Upon loss of off-site power, the fans are automatically restarted and loaded onto the emergency diesel generators. Their sequencing is shown in Table 8.3-2. The electrical bypass circuit is provided to enable the operator to stop one redundant supply fan and one redundant exhaust fan if the system is actuated automatically upon SIAS. This bypass interlock is annunciated in the control room. The interlock is self-resetting.

e) Redundancy

Separate actuation switches and circuitry are provided for redundant components. Physical and electrical separations are provided as discussed in Section 7.3.2.2.

7.3.1.3.5 Control Room Ventilation

The design of the control room ventilation system is discussed in Section 9.4.1. The system P&I diagram and the flow diagram are shown in Section 9.4. The logic diagrams are shown on Figures 7.3-32 through 7.3-36. The system instrumentation and control necessary to provide the control room habitability are as follows:

a) CIS (Unit 1 or 2) and/or control room outside air intake high-high radiation signal starts booster fans HVE-13A and HVE-13B, and opens fan inlet dampers
b) CIS (Unit 1 or 2) and/or control room outside air intake high-high radiation closes control room outside air intake isolation valves FCV-14, 15, 16, 17
c) CIS (Unit 1 or 2) and/or control room outside air intake high-high radiation closes toilet room and kitchen ventilation isolation valves
d) Control the air conditioning indoor units HVA-3A, -3B, -3C
e) North side outside air intake valves FCV-25-14 and FCV-25-16 close automatically by temperature elements detecting high temperature caused by an auxiliary steam line break in the vicinity of the north side. This is further discussed in Appendix 3D.

In the event of a Design Basis Accident resulting in radiation release, either CIS (from Unit 1 or 2) or detection of high-high radiation at a control room outside air intake isolates both outside air intake ducts and the control room air is recirculated by booster fans HVE-13A and HVE-13B through HEPA and charcoal adsorber filters. Upon receiving a CIS (from either Unit) or a high-high radiation signal, the booster fans are automatically started and their inlet dampers are opened. The control room outside air isolation/makeup flow control valves and the toilet and kitchen area exhaust isolation valves are also automatically closed. The CIS instrumentation and control is part of the engineered safety features system and is discussed in Section 7.3.1.1.11.

Redundant seismically qualified radiation monitor channels are provided at both the north and the south control room outside air intakes. These radiation monitor channels are designed to seismic Category I and Class 1E requirements and are qualified in accordance with IEEE 323-1974 and IEEE 344-1975 and meet the requirements of IEEE 279-1971 and IEEE 308-1971. Each radiation monitor channel consists of a duct-mounted beta-scintillation detector and a remote digital ratemeter mounted in the control room Radiation Monitoring Panel. The detectors are equipped with an internal LED to test the beta-scintillation detector in lieu of a radiological check source. The duct radiation detectors are seismically mounted and are not susceptible to flood, missile threat, or harsh environment due to the mounting location.

The redundant radiation monitor channels are provided with uninterruptible power supplied by the instrument power buses MA and MB which are described in Subsection 8.3.1.1.6. One set of radiation monitor channels in the north and south air intake ducts will be powered from safety train A and the other set of radiation monitor channels in the north and south outside air intake ducts will be powered from safety train B. High radiation detected by any of the four outside air intake radiation monitor channels will provide an alarm in the control room. High-high radiation detected by any of the four outside air intake radiation monitor channels or monitor failure will actuate the associated train of the control room ventilation system to the isolation/recirculation mode. The high-high radiation setpoint for actuation is 320 CPM which is significantly lower than the activity expected during any Design Basis Accident yet well above background to prevent false actuation. Each of the radiation monitor channels is equipped with its own test switch which bypasses actuation during channel maintenance, calibration, and testing. Use of the test switch is alarmed.

The air conditioning indoor section fans are started manually by control switches in the control room. The outdoor section of the air conditioning unit is controlled by the control room thermostat. Manual control switches are also provided in the control room for manual actuation of the booster fans and the outside air intake isolation valves. System component status indicating lights, system failure alarms, and control room and outside air intake radiation monitoring are provided in the control room to enable the operator to evaluate the system performance.

Upon loss of off-site power, the fans are automatically restarted and loaded on the emergency diesel generators. This sequence is shown in Table 8.3-2. Electrical bypass circuits are provided to enable the operator upon CIS to:

a) stop one of two redundant booster fans. The stopped booster fan will restart automatically upon failure of the running fan.
b) restore outside air makeup to the control room by opening the outside air intake isolation valves.

These electrical bypass circuits will automatically reset upon CIS reset. Separate system actuation switches and circuitry are provided for redundant system components. Physical and electrical separation are provided as discussed in Section 8.3.1.2.

7.3.1.4 Design Basis Information Required by Section 3 of IEEE Std 279-1971

The engineered safety features actuation systems (ESFAS) conform to IEEE Standard: Criteria for Protection Systems for Nuclear Power Generating Stations (IEEE Std 279-1971) Section 3, as discussed below:

Basis 1: Instrumentation systems designated as engineered safety features actuation systems (ESFAS) include the instrumentation and circuitry necessary to generate the following signals:

a) Safety Injection Actuation Signal (SIAS)
b) Recirculation Actuation Signal (RAS)
c) Containment Spray Actuation Signal (CSAS)
d) Containment Isolation Signal (CIS)
e) Main Steam Isolation Signal (MSIS)
f) Auxiliary Feedwater Actuation Signal (AFAS-1)
g) Auxiliary Feedwater Actuation Signal (AFAS-2)

These signals actuate the engineered safety features and their supporting systems which are needed to mitigate the consequences of a design basis accident.

Basis 2: The station variables which must be monitored to provide protective actions are listed in Table 7.3-1.

Basis 3: None of the station variables referred to in Basis 2 are spatially dependent. The locations of the ESFAS sensors are listed in Table 7.3-1. Locations are also shown on Figures 7.3-24 through 7.3-26.

Bases 4, 5, 6: Table 7.3-1 lists normal operating limits, pre-trip alarm setpoints, and alarm set points for the ESFAS monitored variables.

Bases 7, 8: The ESFAS is designed to function so that:

a) Any single failure will not prevent system action when required. Single failure criteria are discussed in Section 7.3.2.3.2 and 7.3.1.1.13.
b) A loss of power to the measurement channels and/or to the logic system causes system actuation except for the containment spray and recirculation actuation signals. Refer to Section 7.3.1.1.9.
c) The environmental conditions that accompany the design basis accident will not interfere with the ability of the systems to perform their safety function. Environmental design conditions for ESFAS instrumentation are discussed in Section 7.3.2.3.4.
d) The systems are designed to withstand design basis earthquake loads without loss of their safety functions as discussed in Section 3.10.

Basis 9:

a) ESFAS response times for the spectrum of break sizes are shown on Figures 7.3-21, 22 and 23.
b) The accuracies of the engineered safety features actuation system are maintained as described in Table 7.3-1.
c) The ranges of the sensed variables that are accommodated by the ESFAS until proper conclusion of the protective action is assured are as described in Table 7.3-1.

In addition to conforming to IEEE-279, the ESFAS meets the following design bases:

a) The systems meet the applicable criteria of 10 CFR 50, Appendix A, AEC General Design Criteria as discussed in Section 7.3.2.
b) Channel independence is maintained by electrical and physical separations between redundant channels. Refer to Sections 7.3.2 and 7.3.1.
c) All equipment, including panels, components and cables associated with the protection system is identified with colored markers or nameplates as described in Section 7.1.2.5.
d) The systems can be tested during reactor operation as far as practical without interrupting operation. Refer to Section 7.3.2.4.

REFERENCES:

SECTION 7.3.1

1. R. E. Uhrig (FPL) to R. A. Clark (NRC) Re: St. Lucie Unit 1 Docket No. 50-335, IE Bulletin 80-06 "Engineered Safety Feature (ESF) Reset Controls" 1-81-203 dated 5/13/81.
2. Title 10 Code of Federal Regulations, Part 50.62.


7.3.2 ANALYSIS

7.3.2.1 Failure Mode and Effects Analysis

Table 7.3-7 presents a failure mode and effects analysis for a typical ESFAS. Figures 7.3-40, 41 and 42 show the bistables, bistable inputs and isolation modules for the typical ESFAS. Figure 7.3-43 shows typical logic.

7.3.2.2 Conformance to General Design Criteria

Appendix A to 10 CFR 50, "General Design Criteria for Nuclear Power Plants," contains minimum requirements for the principal design criteria for water cooled nuclear plants. The design of the ESFAS conforms to the requirements of the applicable criteria (GDC 1 through 5, 13, 20 through 24 and 29). For the ESFAS, conformance to IEEE-279 ensures conformance to the applicable GDC. The analysis in Section 7.3.2.3 demonstrates this conformance.

7.3.2.3 Conformance to IEEE-279

7.3.2.3.1 General Functional Requirements

Each of the engineered safety features actuation signals provides for timely and reliable actuation of the associated systems and equipment. The parameters selected for signal actuation are directly related to conditions which indicate a need for system actuation and provide a response time in accordance with the plant safety analysis. Each signal is discussed below:

a) Safety Injection Actuation Signal (SIAS)

The safety injection system must be started automatically upon occurrence of a LOCA to limit fuel cladding failures. The parameters used for SIAS initiation (low pressurizer pressure or high containment pressure) give direct and rapid indication of a loss of reactor coolant pressure boundary integrity. Figure 7.3-21 shows the time to SIAS actuation for the spectrum of LOCA break sizes.

b) Recirculation Actuation Signal (RAS)

The safety injection and containment spray systems must be automatically transferred to the containment sump recirculation mode of operation upon low level in the refueling water tank. RAS is actuated by low level in the refueling water tank. Since this parameter is a direct indication that a transfer to recirculation mode is required, there is no significant delay time between the occurrence of the required condition and the initiation of RAS.

c) Actuation of Containment Heat Removal Systems

Containment pressure reduction and heat removal is required upon occurrence of a design basis accident to limit containment pressure to within the design value. The containment spray system is actuated upon CSAS and the containment fan cooling system is actuated on SIAS. The parameters used for CSAS (containment high-high pressure and SIAS) give direct indication of a LOCA. The time to actuate CSAS depends on the break size. The containment high-high pressure set point (10 psig) is the controlling parameter since for all break sizes it takes longer to reach this set point than any SIAS set point. Figure 7.3-22 shows the time to reach CSAS for the spectrum of break sizes. For all sizes greater than 0.7 ft², CSAS is actuated within 30 seconds, the time delay assumed in Section 15.4.1. For transient analysis of break sizes below 0.7 ft², operation of the containment spray system is assumed to be delayed until the CSAS set point is reached. For these cases, operation of the containment spray system at the CSAS set point is adequate to limit containment pressure to within the design value. Actuation of the containment cooling system on SIAS provides diversity of initiation of the containment heat removal systems. Even if CSAS should fail to actuate, operation of the containment fan coolers on SIAS provides for 100 percent heat removal capacity. The component cooling water system provides the heat sink for the containment heat removal systems.

d) Containment Isolation Signal (CIS)

Containment isolation and SBVS actuation is required to reduce off-site doses in the event of a LOCA. CIS is actuated on either high pressure (5 psig) or high radiation (10 R/hr) in the containment. Both of these diverse parameters are directly related to the occurrence of a LOCA. The time it takes to reach the pressure set point for CIS depends on the break size. The time it takes to reach the radiation set point depends on both break size and the amount of radioactivity contained in the coolant. Figure 7.3-23 shows the time it takes to reach either of these set points for the spectrum of break sizes. The radiation levels were calculated assuming noble gas activity release equivalent to that which would be contained in the reactor coolant system due to operation with 1.0 percent failed fuel. In addition, in accordance with NRC post TMI requirements, CIS is actuated by a Safety Injection Actuation Signal (SIAS) as described in Section 6.3.

e) Main Steam Isolation Signal (MSIS)

Main steam line isolation is required upon occurrence of a steam line break accident to limit the uncontrolled cooldown of the reactor coolant system. The steam line break accident is analyzed in Section 15.4. The worst case steam line break is complete rupture of the main steam line at no load conditions. The analysis assumed actuation of MSIS on low steam generator pressure. For the worst case accident this occurs within 10 seconds. The analysis assumes that uncontrolled blowdown continues for 6.9 seconds after MSIS actuation, to account for the closing time of the main steam line isolation valves. The results of the accident analysis demonstrate the response time at the MSIS set point is sufficient to maintain offsite doses within acceptable limits.

f) Auxiliary Feedwater Actuation Signal (AFAS)

The auxiliary feedwater system must be started automatically to respond to a loss of steam generator inventory due to main feedwater pump failure or loss of offsite power. The auxiliary feedwater system activates automatically upon low steam generator level (19%) following a preset time delay and delivers makeup feedwater to the intact steam generator(s) to ensure primary to secondary system decay heat removal capability. The AFAS time delay setpoint is established to ensure adequate primary to secondary heat transfer characteristics.

7.3.2.3.2 Single Failure Criterion

In accordance with IEEE-279, the instrumentation and circuitry for each of the ESFAS signals is designed and arranged so that no single failure can prevent system actuation when required. Single failures considered include electrical faults (e.g., open, shorted or grounded circuits) and physical events (e.g., fires, missiles) resulting in mechanical damage. Compliance with the single failure criterion is accomplished by providing redundancy of sensors, measurement channels, logic matrices and actuation channels and separating these redundant elements electrically and physically to achieve the required independence. Each of these provisions is discussed below:

a) Redundancy

Each of the parameters which provide an input to an actuation signal is monitored by four sensors. Each of the sensors is associated with a separate measurement channel which consists of an instrument power supply bus, remote readout devices, and a bistable unit with associated circuitry. Only two out of four sensors and measurement channels are required for signal actuation. The measurement channel signals are taken to two separate logic matrix systems for each actuation signal. Only one of the logic matrix systems is required to provide an actuation signal. Two actuation channels, one from each logic matrix system, are provided for each actuation signal. Either of these channels can actuate the minimum complement of equipment required.

b) Electrical Separation

Electrical separation is achieved through the provision of independent power supplies and elimination of electrical interconnection between the redundant elements of the system. Four separate instrument buses are provided (designated MA, MB, MC and MD) fed from four separate inverters. Two of the inverters (A and C) are supplied from 125 v dc bus 1A and the other two (B and D) from 125 v dc bus 1B. Electrical faults or loss of power on a single 125 v dc bus could affect no more than two measurement channels. Each of the actuation channels is supplied from a separate 120 v ac instrumentation bus. Logic matrices channel SA is supplied from instrument busses MA & MC through an isolated auctioneering circuit and similarly, channel SB from instrument busses MB & MD. Electrical faults or loss of power on one bus can affect only one logic matrix or actuation channel. The remaining matrix and actuation channel is sufficient to perform the safety function for the system. The elimination of electrical interconnections between the redundant channels MA, MB, MC and MD and logic matrices for channels SA and SB limits open or short circuits to a single channel or matrix. A single ground in a channel or logic matrix will not affect the remaining channels or matrix. Grounds on the 125 v dc system are detected by the continuous ground detection system which annunciates the ground condition to alert the operator of the fault. Where measurement or actuation channels provide signals for alarm or test lights, electrically separate contacts are provided to prevent faults on the alarm or test circuit from affecting the actuation circuit. The measurement channels are not used for any control or auxiliary plant function other than safety features actuation, thereby eliminating the possibility of faults on such circuits from affecting the safety features channels.

c) Physical Separation

Protection against the possibility of mechanical damage to both redundant portions of the engineered safety features actuation system has been achieved by spatial separation and/or the provision of physical barriers between redundant portions of the system. Physical separation between sensors, sensing lines and electrical circuitry associated with the four measurement channels has been maintained as follows:

1) Sensors - 4 feet minimum between all sensors.
2) The electrical cables from the sensors are run in physically separated conduits and enter their respective tray systems. The MA and MC cables enter physically separated trays in the A tray system. Similarly the MB and MD cables enter the B tray system. The physical separation of redundant cable runs is discussed in Section 8.3.1.2.3.
3) Sensing lines - Channel pairs MA and MC, as well as channel pairs MB and MD can be routed together. Each channel pair MA and MC is physically separated from channel pair MB and MD by a minimum of four feet from as close to process taps as practical out of the sensor.

Figures 7.3-24 through 7.3-26 show the arrangement of sensors used for ESFAS signal output. For sensing pressurizer pressure for SIAS input, four separate pressure taps are provided for pressure transmitters (PT 1102A, B, C, D) spaced over 150 degrees of the circumference of the pressurizer. Each tap serves a separate measurement channel. The arrangement prevents rupture or blockage of a single tap from affecting more than one measurement channel. The pairs of sensing lines run in opposite directions from the pressurizer through the secondary shield wall to the pressure transmitters which are mounted on the outside of the shield wall. The secondary shield wall serves as a barrier against missiles generated within the shield wall. The sensing lines within the secondary shield are protected by a separate concrete missile barrier around the pressurizer. The containment pressure transmitters (PT-07-2 A, B, C, D) used for SIAS, CSAS and CIS inputs are mounted outside of the containment in the reactor auxiliary building. Figure 7.4-23 shows the location of these sensors. The four containment radiation monitors (RE-26-2A, B, C, D) used for CIS input 7.3-29 Amendment No. 23 (11/08)

are placed in the upper containment 90 degrees apart. Four separate taps are used for sensing refueling water tank level for RAS input. The arrangement and physical separation of the level sensors (LT-07-2 A, B, C, D) are shown on Figure 7.4-24. Four separate taps on each steam generator are provided for the steam generator pressure transmitters (PT-8013 A, B, C, D for steam generator 1A and PT-8023 A, B, C, D for steam generator 1B) used for MSIS actuation. In addition, the transmitters for steam generator 1A are located on the secondary shield wall 180 degrees removed from those serving steam generator 1B. In the penetration area, redundant pairs of cables are run in separate penetration rooms separated as discussed in Section 8.3.1.2.3. Four separate measurement channel cabinets are provided separated by metal barriers. Two separate actuation cabinets are provided for the redundant logic matrices and output relays. The AFAS-1 and AFAS-2 logics are located in separate cabinets and are discussed in Subsection 7.3.1.1.13. The four measurement channels are located between the two actuation cabinets. In each measurement channel cabinet, there are separate Isolation modules for each actuation channel SA and SB. The isolation modules are located in separate sections of the cabinet. Wires connecting isolation modules are brought up to the top of the cabinet with all A outputs on one side of the cabinet and all B outputs on the other side, where they enter A or B conduits respectively. the result of this routing is that the bistable output is directed through the isolation modules where separation into A and B channels originates. The appropriate actuation cabinet separation is maintained from this point of origin by the conduit. Two separate actuation cabinets are provided for the redundant logic matrices and output relays. The four measurement channel cabinets are located between the two actuation cabinets. 
The redundant electrical cables from the actuation cabinets to the actuated equipment are separated as described in Section 8.3.1.2.3.

7.3.2.3.3 Quality Control of Components and Modules

The quality control enforced during design, fabrication, shipment, field storage, installation and component checkout for engineered safety features systems and components and the documentation of control is in accordance with the quality assurance program described in Section 17.1.

7.3.2.3.4 Equipment Qualification

The manufacturers of the ESFAS components perform production shop tests to verify proper operability, circuit continuity and insulation resistance. Evidence of compliance with the single failure criteria is demonstrated by performance of a fault analysis for each component in the ESFAS. This analysis is performed by subjecting each system component to a short and open failure mode and analyzing system response.

Seismic qualification tests as described in Unit 1, Appendix 3B were performed on the original St. Lucie Unit 1 ESFAS panels verifying proper relay actuation before and after application of seismic forces. In addition, the vendor has qualified the Unit 1 relays by test and has completed a seismic analysis affirming their suitability for operation within the cabinet structure. The AFAS-1 and AFAS-2 cabinets were seismically qualified separately.

Additional qualification or type testing is performed to demonstrate the capability of certain equipment to function under special requirements such as seismic loading, post-accident containment environment and loss of control room air conditioning. Seismic qualification testing is discussed in Section 3.10. Environmental qualification testing is discussed in Section 3.11. Results of the original equipment are presented in Appendices 3B and 3A respectively. Seismic qualification testing of the original ESFAS cabinets and relays is given in Appendix 3B, Section E.

7.3.2.3.5 Channel Integrity

All components of the engineered safety features actuation systems are designed to operate in the environment which would be expected in the area in which they are located during and following a LOCA in addition to the effects of operation in the normal service environment. The ESFAS measurement and actuation cabinets are located in the control room, which is normally air conditioned. Section 3.11 discusses the environmental design considerations and vendor qualification requirements for the environmental conditions in the containment following a LOCA and in the control room following loss of air conditioning.

All components of the engineered safety features actuation systems are designed as seismic Class I equipment to ensure their ability to function during and following a design basis earthquake. All components have Class I supports and are located in Class I structures. The level instrumentation used for RAS is mounted on the Class I refueling water tank. Purchase specifications specify the horizontal and vertical acceleration forces associated with the design basis earthquake based on the floor response spectra for the equipment location. Seismic design and qualification requirements are discussed in Section 3.10.

7.3.2.3.6 Channel Independence

Channel independence is achieved by electrical and physical separation between channels as described in Section 7.3.2.3.2.

Engineered safety features A and B actuating circuits are maintained independent with respect to signal interconnections for the AB shared system equipment control by both physical separation and electrical isolation. Figure 7.3-44 shows this arrangement. A welded sheet metal box is located in each ESFAS logic cabinet and contains AB equipment actuation relays. These relays with 24 volt dc coils are hermetically sealed. The AB cables are routed from an AB tray through steel conduit to the AB1 and AB2 boxes and connected to the terminal boards. Teflon insulated wires connect the terminal board and relay contacts. The two relay coils are connected to a 2-out-of-4 actuation module which is used for the AB relays only. A failure mode and effects analysis for the ESFAS AB system is given in Table 7.3-8.

7.3.2.3.7 Control and Protection System Interaction

No portion of the ESFAS is used for both control and protection functions.

7.3.2.3.8 Derivation of System Inputs

The adequacy of the ESFAS input parameters as indications of the desired variable is demonstrated by the response time analysis given in Section 7.3.2.3.1.

7.3.2.3.9 Capability for Sensor Check

ESFAS sensors are checked by cross-checking between channels. The channels bear a known relationship to each other, and this method ensures the operability of each sensor during reactor operation.

7.3.2.3.10 Capability for Test and Calibration

Testing and calibration are described in Section 7.3.2.4.

7.3.2.3.11 Channel Bypass or Removal from Operation

Any one of the four ESFAS measurement channels may be tested, calibrated, or repaired without detrimental effects on the system. Individual channels may be bypassed to effect a two-out-of-three logic on remaining channels. The single failure criterion is met during this condition.

The provisions for manually stopping one SBVS or ECCS area exhaust fan following actuation of both redundant trains of each system on ESFAS signals were made to limit fission product build-up and resultant decay heat loading to one set of filter elements. Such a manual stop provision is not considered a channel bypass as referred to in IEEE 279 Section 4.11 since this feature cannot prevent actuation of the component by an ESFAS but is utilized only after the ESFAS channel signal has gone to completion and actuated its associated components. Restarting of the SBVS fans is not bypassed or blocked since provisions are made for automatic restarting of the fans upon subsequent failure, as signaled by low filter train flow, of the operating components of the redundant subsystem. The design of the automatic restart circuitry is such that no single failure can result both in failure of the operating subsystem and in failure of the stopped subsystem to restart.

The ECCS area and shield building ventilation systems can be tested during normal power operation without initiating an ESFAS. Table 7.3-6A demonstrates that the active components of both systems meet the single failure criterion during testing.

7.3.2.3.12 Operating Bypasses

Operating bypasses are provided for SIAS and MSIS as discussed in Section 7.3.1. The operating bypasses are automatically removed when the permissive conditions are not met. The circuitry and devices which function to remove these inhibits are designed in accordance with IEEE 279.

7.3.2.3.13 Indication of Bypasses

Indication of test or bypass conditions or removal of any channel from service is given by lights or annunciation. Bypasses that are automatically removed at fixed set points are alarmed and indicated. Operating status for each SBVS and ECCS exhaust fan is indicated in the control room by the following:

a) actuated device indicating lights
b) HEPA filter differential pressure indicators
c) manual stop alarm

7.3.2.3.14 Access to Means for Bypassing

The design of the ESFAS logic cabinets permits the administrative control of the means for manually bypassing measurement or actuation channels. The cabinets are located in the control room adjacent to the RTG boards. An administratively controlled key is required to permit only authorized access to the logic cabinets. Any channel that is bypassed is visibly indicated or annunciated.

7.3.2.3.15 Multiple Set Points

There are no multiple set points used for the ESFAS.

7.3.2.3.16 Completion of Protective Action Once It Is Initiated

The system is designed to ensure that protective action will go to completion once initiated. Operator action is required to clear the trip and return to operation.

7.3.2.3.17 Manual Initiation

Each ESFAS actuation channel may be initiated manually. No single failure will prevent a manual trip.

7.3.2.3.18 Access to Set Point Adjustments, Calibration, and Test Points

Set point or calibration adjustments are either internal to the protective system or under direct administrative control.

7.3.2.3.19 Identification of Protective Action

Indication lights or annunciators are provided for all protective actions, including identification of actuation channel trips.

7.3.2.3.20 Information Readout

All ESFAS measurement channel signals are indicated in the control room. The specific displays that are provided for continuous monitoring are described in Section 7.5.

7.3.2.3.21 System Repair

Identification of a defective channel is accomplished by observation of system status lights or by testing as described in Sections 7.3.2.3 and 7.3.2.4. Replacement or repair of components is accomplished with the affected channel bypassed.

7.3.2.3.22 Identification

Identification of ESFAS channels is as described in Section 7.1.2.5.

7.3.2.4 Conformance to Testing Criteria

a) Sensor Checks

The operability of the measurement channel sensors is verified during reactor operation by cross-checking between sensor output signals. Each of the ESFAS sensors has a control room readout and the operator can detect sensor malfunction through anomalous indication of the failed sensor.

During refueling the ESFAS sensors are checked and calibrated against known standards. The test equipment which is used to verify the sensor accuracies is checked periodically against shop reference standards traceable to nationally recognized standards. The pressure and electronic calibration standards are as accurate as or better than the devices to be checked. Testing of ESFAS sensor response times will be in accordance with the requirements of Section 13.8.2.2 and the Technical Specifications as set forth for St. Lucie Unit 1. Table 7.3-1 lists the standards used for each ESFAS sensor.

b) Bistable, Logic and Actuation Module Testing

Automatic testing is utilized to verify operability of the ESFAS bistable, logic matrix and actuation module circuits during plant operation. An autotest instrument provides a pulse signal which is used to test system response. The AFAS-1 and AFAS-2 bistable, logic and actuation relays can be manually tested during plant operation. Automatic testing is not provided for AFAS-1 and AFAS-2.

The autotest instrument automatically indicates and identifies faults and verifies the calibration of the bistable modules associated with each channel. Each bistable is tested by the autotest instrument to check that the trip setpoint of the bistable is properly functioning. This is accomplished by inserting two pulses, one after the other, into the bistable input. The first pulse is 5 percent less than sufficient to trip the bistable, and the second is 5 percent greater than sufficient to trip the bistable. After each test pulse, the output of the bistable is inspected by the autotest instrument. The control room annunciator does not have reflash capability; therefore, the annunciator "locks in" after the first detected fault. A fault is indicated by lamps on the autotest instrument and an annunciator on the control panel.

1) System Description

A clock oscillator generates a 2 cps, square wave reference frequency and a 4 cps pulse train used to establish the time sequence and logic function necessary for automatic testing.

The system employs 6 binary counters to generate the necessary logic counts to interrogate the 36 bistables in the system. Each bistable is provided with a magnetic inserter coil which couples the two interrogation pulses into the bistable input. The logic circuitry in the bistable decodes the proper count from the pulse train and counters, generates precise test pulse amplitudes and responds to system return signals with a visual output. Each module generates two successive test pulses; the first determining that the bistable will not trip for a signal less than that required to trip; and, the second demonstrating that the bistable will trip for signals large enough to require bistable action.

2) Autotest Inserter

An autotest instrument adds the least possible complexity to the signal channel, has no failure mode that is not detected by itself and no failure that interferes with the proper operation of the channel.

The system fulfills these three requirements by adding a single saturating inductor in series with the bistable input and by inserting a pulse through this saturating inductor. Only an open winding in the signal path can interrupt the channel signal chain, and this is annunciated by the autotest instrument. In order to overcome the difficulty in obtaining a precise pulse height on top of an unknown signal level, means are provided to suppress the unknown signal level during the time the channel is being interrogated. This is accomplished in the system by saturating the inductor (LI) and associated circuitry (see Figure 7.3-27).

Twice during every cycle, all the logic count levels are zero for a 2 millisecond interval. When this occurs, a two millisecond pulse is applied to the autotest lamp "flip-flop" and test circuitry. The first pulse turns the lamp on and simultaneously interrogates the signal channel with an undertest pulse. Since the undertest pulses are below the bistable trip point, no reset pulse is returned to the autotest "flip-flop" circuit and the lamp remains on. The second interrogation is a two millisecond overtest pulse. Since the pulse is higher than the bistable trip point, a reset pulse is returned to the autotest lamp "flip-flop", turning off the lamp. Since the duration of the interrogating pulse is only 2 milliseconds, the protective relays are not actuated.

If the undertest pulse tripped the bistable, the autotest lamp would receive power for only 2 milliseconds and would not be illuminated. This occurs because the interrogation would change the state of the bistable and a reset pulse would immediately be returned to the autotest "flip-flop" circuit. If the overtest pulse does not trip the bistable, a reset pulse is not applied to the autotest "flip-flop" circuit and the autotest lamp remains lighted.

3) Performance

The autotest instrument is capable of continuously monitoring the performance of the ESFAS and proving the calibration of the bistables to within 5 percent of the ideal trip setpoint. Its calculated and proven reliability is comparable to that of the ESFAS itself.

As the consecutive pulses are routed to the individual channels, a lamp associated with each automatic test unit flashes on for a quarter second during the undertest and remains off for the rest of the testing cycle. A failure of the undertest is indicated by a lamp not flashing on in its proper sequence. A failure of the overtest is indicated by a lamp remaining on steady. Each failure mode is identifiable to an individual channel and is obvious to the operator because of the physical arrangement of the lamps on the front of the autotest instrument. In the autotest instrument the cycle of testing is not interrupted by a fault but automatically advances independent of the condition of the individual channels. A decoder circuit checks on the proper operation of the ESFAS by gathering fault information from the actuation modules and transmitting any fault to the central annunciator. The design is capable of coincidence testing the 2 of 4 logic for the six combinations of input faults. This scheme proves that each bistable is operating properly and also that tripping of any two bistables (the six combinations) will transmit proper signals through the system.
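The undertest/overtest lamp logic and the 2-of-4 coincidence check described above, as an added Python model (not code from the report or the equipment vendor). It assumes normalised pulse amplitudes, a bistable that trips when the pulse reaches its actual setpoint, and that a bypassed channel is simply ignored by the coincidence logic; the `BS-nn` names and drift values are constructed.

```python
from itertools import combinations

# Pulse heights relative to the ideal trip setpoint: 5 percent under, 5 percent over.
UNDERTEST, OVERTEST = 0.95, 1.05
CHANNELS = ("A", "B", "C", "D")


def bistable_trips(pulse, actual_setpoint):
    """Assumed normalised model: the bistable trips when the pulse reaches its setpoint."""
    return pulse >= actual_setpoint


def autotest_lamp(actual_setpoint, ideal_setpoint=1.0):
    """Return what the operator sees on this bistable's autotest lamp.

    The undertest pulse sets the lamp flip-flop; any bistable trip returns a
    reset pulse that clears it.
    """
    if bistable_trips(UNDERTEST * ideal_setpoint, actual_setpoint):
        # Reset arrives within the 2 ms pulse, so the lamp never visibly lights.
        return "no flash"      # undertest failure: trips below the setpoint band
    if bistable_trips(OVERTEST * ideal_setpoint, actual_setpoint):
        return "flash"         # healthy: lit after undertest, cleared by overtest
    return "steady on"         # overtest failure: never tripped, never reset


def run_cycle(setpoints):
    """Interrogate every bistable once; a fault does not stop the sweep."""
    lamps = {name: autotest_lamp(sp) for name, sp in setpoints.items()}
    # The annunciator has no reflash: it locks in on the first fault in the cycle.
    annunciator = any(state != "flash" for state in lamps.values())
    return lamps, annunciator


def actuates(tripped, bypassed=()):
    """2-out-of-4 coincidence; a bypassed channel is ignored (2-out-of-3 on the rest)."""
    active = set(CHANNELS) - set(bypassed)
    return len(set(tripped) & active) >= 2


def coincidence_test(bypassed=()):
    """Trip each of the six channel pairs and record whether actuation results."""
    return {pair: actuates(pair, bypassed) for pair in combinations(CHANNELS, 2)}


if __name__ == "__main__":
    # Constructed sample: 36 bistables at the ideal setpoint, two of them drifted.
    setpoints = {f"BS-{i:02d}": 1.0 for i in range(1, 37)}
    setpoints["BS-07"] = 0.93   # drifted low
    setpoints["BS-21"] = 1.08   # drifted high
    lamps, alarm = run_cycle(setpoints)
    print({k: v for k, v in lamps.items() if v != "flash"}, "annunciator:", alarm)
    print(coincidence_test())
    print(coincidence_test(bypassed=("A",)))
```

A setpoint that has drifted by less than 5 percent in either direction still produces a normal flash, which is the calibration tolerance the Performance paragraph states.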

4) Reliability

To appreciate the significant increase of system reliability with the inclusion of automatic testing, an accurate understanding of the following definition is essential. MTBF (Mean Time Between Failures) is the mean of the exponential function $R = e^{-ct}$, where $R$ is the reliability, $c$ is the failure rate constant, and $t$ the time starting at time $t_0$ when the system is known to be 100 percent operable (no faults). This means that if one has a system of 100 parts and the MTBF is determined to be 100 hours, then at $t$ = 100 hours the probability is that 63 percent of the 100 parts will have failed and that only 37 percent or 37 parts are still operable. It is obvious that at such a point an ESFAS has long since failed to perform its function. Since the probability of success curve is decreasing exponentially from 1.0 downward with the time $t$, the method for obtaining a highly reliable system is directly dependent on keeping the time $t$ after $t_0$ at a minimum. The automatic testing system completely checks out the system and verifies that all parts are operating (i.e. 100 percent reliable) every 27 seconds. Therefore, every 27 seconds that time is re-initialized to $t_0$. With automatic testing every 27 seconds, $t$ reverts to $t_0$ and system reliability goes back to 1.0, or a failure is detected within 27 seconds.

c) Actuation Device and Actuated Equipment Testing

All actuation devices and actuated equipment are testable in discrete test groups as indicated on Tables 7.3-2 through 7.3-6. With the exception of actuated equipment and their associated actuation devices listed in test group OA or OB, all actuation devices and actuated equipment are testable during reactor operation without affecting the operability or safety of the plant. These devices are tested by imposing an ESFAS during reactor operation. Test groups OA and OB include isolation valves whose closure during reactor operation would seriously perturb operating conditions or result in unsafe conditions. These components are testable during plant shutdown.

Each of the components involved is redundant in that its failure does not result in loss of the required safety function. With the exception of the actuation devices in test groups OA and OB, the requirements of AEC Safety Guide 22, "Periodic Testing of Protection System Actuation Functions" are satisfied for the ESFAS. With the exception of the component cooling and intake cooling water header isolation valves, all components in test groups OA and OB are designed to fail in the position required after receipt of an accident signal. The failure of any one of these components in other than its post-accident condition does not adversely affect the ability to safely shut down the plant or mitigate the consequences of an accident. Refer to Table 7.3-9.
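The reliability argument of item 4) in Section 7.3.2.4 b) above, carried through with the page's own symbols as an added worked derivation (not part of the original report). The 100-hour MTBF is the page's illustrative figure and $T$ = 27 s is the autotest cycle time it states.

$$\text{MTBF} = \int_0^\infty R(t)\,dt = \int_0^\infty e^{-ct}\,dt = \frac{1}{c}, \qquad R(\text{MTBF}) = e^{-1} \approx 0.37$$

$$1 - R(T) = 1 - e^{-cT} \approx cT = \frac{T}{\text{MTBF}} = \frac{27\ \text{s}}{360{,}000\ \text{s}} = 7.5 \times 10^{-5}$$

With the clock returned to $t_0$ every 27 seconds, the probability that such a part has failed since the last completed check is about 0.0075 percent, against 63 percent if the same part were left unchecked for the full 100 hours.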

7.3.2.5 Conformance of Supporting System Instrumentation and Control to IEEE-279

The following specific criteria are applied as appropriate to the design of the instrumentation and control of ESF supporting systems which are identified and discussed in Section 7.3.1.3:

a) The ESF supporting systems comply with the requirements of IEEE-279.

b) The operator has means to initiate actions manually.

c) Each train of ESF supporting systems instrumentation and control circuits is provided with diverse parameter monitoring instrumentation. Instrumentation between trains is electrically independent of each other. At least one parameter is recorded for each train. Criteria e, g, h, i below are not applicable to recording instrumentation. However, adequate isolation is provided to prevent a failure of the recording instrumentation from inhibiting operation of the monitoring instrumentation.

d) A single failure in the monitoring instrumentation does not prevent the supporting system from performing its minimum required safety function.

e) Performance of the monitoring instrumentation is verified during reactor operation subject to the following:

1) testing will not adversely affect the safety or operability of the plant
2) normal system operation or periodic testing of the system is considered an acceptable method of verifying monitoring instrumentation performance if system operating parameters are similar to those anticipated following a LOCA
3) in the event that the monitoring instrumentation performance cannot be verified under the conditions of 1) and 2) above, periodic testing, using simulated signals, will be performed.

f) Instrumentation and controls are covered by the quality assurance program.

g) Audible and visual control room alarms are provided.

h) Instrumentation is designed to withstand normal and post-accident environmental conditions for the post-accident time periods required.

i) Instrumentation required to actuate, maintain operation of, or detect failures in essential portions of ESF supporting systems is designed to seismic Class I standards.

TABLE 7.3-1 ESFAS SENSOR PARAMETERS AND SET POINTS Response Times Pre-Trip Standard For Instrument Normal Operating Sensor Alarm Actuation Testing Response Sensor Location Tag Nos. Range(4) Conditions Accuracy(4) Set Point Set Point Times Pressurizer See Fig. 7.3-24 PT-1102 A,B,C,D 2155-2315 psig - 1600 psia (SIAS) 32 sec - Note 1. Pressure Containment See Fig. 7.3-25 PT-07-2 A,B,C,D 0 2.5 psig 5 psig (SIAS) 0.5 sec. - Note 1. Pressure 5 psig (CIS) 10 psig (CSAS) Steam Generator See Fig. 7.3-25 PT-8013 A,B,C,D 800-885 psig 585 psig (MSIS) 0.2 sec - Note 1. Pressure PT-8023 A,B,C,D Containment El. 90 ft RE-26-3-2A 5-100 mR/hr 3.0 R/hr 10 R/hr (CIS) 4 sec - Note 2. Radiation Sec RE-26-4-2B Figures 1.2-8 & RE-26-5-2C 1.2-10 RE-26-6-2D Refueling Water See Fig. 7.4-24 LT-07-2 A,B,C,D 33-37.5 ft. - Note 3. - 4 ft (RAS) 0.5 sec Note 1. Tank Level Steam Generator See Fig. 7.3-25 LT-9013 A,B,C,D 64% 19%(AFAS) 0.5 sec Note 1. EC289028 Low Level LT-9023 A,B,C,D Notes: (1) For 63% of final value for step change. - ISA Standards and Practices for Instrumentation, ISA-S-26 Dynamic Response Testing of Process Control Instrumentation, 1968. (2) For a 0-10R ramp input in 2 seconds from N This sensor is a GM tube. Its response time is insignificant compared to its associated integration circuit. The time constant for this circuit is periodically tested through a test switch in the control room. GM tube accuracy is determined according to ANS N42.3. (3) Minimum tank level per Technical Specifications is 477,360 gallons, equivalent to 32.5 ft according to calculation PSL-1FJI-92-009. (4) Instrument ranges are selected in accordance with standard engineering practices. Instrument accuracies are selected such that existing instrument loop performance and safety analysis assumptions remain valid. Where applicable, instrument accuracies are also evaluated for their impact on setpoints in accordance with the FPL Setpoint Methodology. UNIT 1 7.3-41 Amendment No. 30 (05/20)

TABLE 7.3-2 COMPONENTS ACTUATED ON SIAS (12) Returns Safety To Normal ESFAS ESFAS Channel Upon ESF Test Action Component A B AB As Reset Group CWD Start Low Pressure Safety Injection Pump 1A X No 1A 251 Start Low Pressure Safety Injection Pump 1B X No 1B 252 Start High Pressure Safety Injection Pump 1A X No 1A 237 Start High Pressure Safety Injection Pump 1B X No 1B 238 Open LPSI Disch. Valve to Loop 1A-2 HCV-3615 X No 2A 257 Open LPSI Disch. Valve to Loop 1A-1 HCV-3625 X No 2B 260 Open LPSI Disch. Valve to Loop 1B-1 HCV-3635 X No 2A 263 Open LPSI Disch. Valve to Loop 1B-2 HCV-3645 X No 2B 266 Open HPSI Hdr. A Disch. Valve to Loop 1A-2 HCV-3617 X No 2A 262 Open HPSI Hdr. A Disch. Valve to Loop 1A-1 HCV-3627 X No 2A 259 Open HPSI Hdr. A Disch. Valve to Loop 1B-1 HCV-3637 X No 2A 265 Open HPSI Hdr. A Disch. Valve to Loop 1B-2 HCV-3647 X No 2A 268 Open HPSI Hdr. B Disch. Valve to Loop 1A-2 HCV-3616 X No 2B 261 Open HPSI Hdr. B Disch. Valve to Loop 1A-1 HCV-3626 X No 2B 258 Open HPSI Hdr. B Disch. Valve to Loop 1B-1 HCV-3636 X No 2B 264 Open HPSI Hdr. B Disch. Valve to Loop 1B-2 HCV-3646 X No 2B 267 Close Boron Load Control Valve V2525 X No 8B 190 Open SI Tank 1A1 Outlet Isolation Valve V3624 X Yes(2) 7A 269 Trip Non Essential Loads 480V Swgr 1B2 X No 3B 992 Trip Non Essential Loads 480V Swgr 1A2 X No 3A 990 Status Input to SAS X Yes(3) 1A 1534 Status Input to SAS X Yes(3) 1B 1539 7.3-42 Amendment No. 22 (05/07)

Components Actuated on SIAS TABLE 7.3-2 (Contd) (12) Returns Safety To Normal ESFAS ESFAS Channel Upon ESF Test Action Component A B AB As Reset Group CWD Close SI Tank 1A1 Valve X Yes OA 281 HCV-3628 Open SI Tank 1B2 Outlet Isolation Valve V3644 X Yes(2) 7A 272 Close SI Tank 1A2 Recirc/Drain Valve X Yes OB 280 HCV-3618 Open SI Tank 1B1 Outlet Isolation Valve V3634 X Yes (2) 7B 271 Close SI Tank 1B1 Recirc/Drain Valve X Yes OB 282 HCV-3638 Open SI Tank 1A2 Outlet Isolation Valve V3614 X Yes(2) 7B 270 Close SI Tank 1B2 Recirc/Drain Valve X Yes OA 283 HCV-3648 Block Trip Diesel Generator Lockout Relay 1A X Yes(3) 7A 956 Block Trip Diesel Generator Lockout Relay 1B X Yes(3) 7B 966 Close FWP 1A Discharge Valve MV-09-1 X Yes(17) OA 616 Close FWP 1B Discharge Valve MV-09-2 X Yes(17) OA 621 Close Feedwater Isolation Valve HCV-09-8 Train A Sol. X No OA 633 Close Feedwater Isolation Valve HCV-09-8 Train B Sol. X No OB 633 Close Feedwater Isolation Valve HCV-09-7 Train A Sol. X No OA 614 Close Feedwater Isolation Valve HCV-09-7 Train B Sol. X No OB 614 Start Diesel Generator 1A X No 7A 957 Start Diesel Generator 1B X No 7B 967 7.3-43 Amendment No. 22 (05/07)

Components Actuated on SIAS TABLE 7.3-2 (Contd) (12) Returns Safety To Normal ESFAS Channel Upon ESFAS Test Action Component A B AB Reset Group CWD Load Shedding Diesel Generator Breaker 1A X No(5) 8A 957 Load Shedding Diesel Generator Breaker 1B X No(5) 8B 967 Start Charging Pump 1A X No(5) 4A 177 Start Charging Pump 1B X No(5) 4B 178 Start Charging Pump 1C X No(5) 9A, 9B 179 Start Boric Acid Makeup Pump 1A X Yes(4) 5A 174 Start Boric Acid Makeup Pump 1B X Yes(4) 5A 175 Close Boric Acid Makeup Valve to VCT V2512 X No 6B 163 Open Boric Acid Tank 1A Gravity Feed Valve X No 5B 166 To Charging Pumps V2509 Open Boric Acid Tank 1B Gravity Feed Valve X No 5B 165 to Charging Pumps V2508 Close Boric Acid Tank IA Recirc. Line Valve X Yes(8) 6A 159 V2510 Close Boric Acid Tank 1B Recirc. Line Valve X Yes(8) 6A 159 V2511 Open Boric Acid Pumps Disch. Valve to X No 6A 167 Charging Close Boric Acid Control Isolation Valve X Yes 6A 176 FCV-2161 Initiate (11) Containment Isolation Signal (CIS) - - - Yes - Close Letdown Line Isolation Valve V2516 X No OA 159 Close Letdown Line Isolation Valve V2515 X No OB 159 Close VCT Discharge Valve V2501 X Yes(7) OB 161 Start Component Cooling Water Pump 1A X No 5A 201 7.3-44 Amendment No. 23 (11/08)

Components Actuated on SIAS TABLE 7.3-2 (Contd) (12) Returns Safety To Normal ESFAS ESFAS Channel Upon ESF- Test Action Component A B AB AS Reset Group CWD Start Component Cooling Water Pump 1B X No 5B 205 Start Component Cooling Water Pump 1C X No 9A,9B 209 Close CCW Hdr. A Supply to N Header Isolation Valve HCV-14-8A X 13 6A 202 Close CCW Hdr. Supply B to N Header Isolation Valve HCV-14-8B X 13 6B 202 Close CCW N Header Return to Hdr. A Isolation Valve HCV-14-9 X 13 6A 202 Close CCW N Header Return to Hdr. B Isolation Valve HCV-14-10 X 13 6B 202 Open CCW Outlet Valve from Shutdown HX 1A HCV-14-3A X No 5A 211 Open CCW Outlet Valve from Shutdown HX 1B HCV-14-3B X No 5B 211 Start Intake Cooling Water Pump 1A X No 5A 832 Start Intake Cooling Water Pump 1B X No 5B 833 Start Intake Cooling Water Pump 1C X No 9A,9B 834 Close ICW Hdr. A Disch. to TCW Heat Exchange Isolation Valve X No OA 835 MV-21-3 Close ICW Hdr. B Disch. to TCW Heat Exchange Isolation Valve X No 0B 836 MV-21-2 Start RCP 1A-1 Oil Lift Pmp P-1A1-B X Yes(9) OB 103 Inhibit Start RCP 1B-1 Oil Lift Pump P-1B1-B X Yes(9) 0A 107 Inhibit Stop Feedwater Pump 1A X(18) No 3A,8A 615 Stop Feedwater Pump 1B X(18) No 3B,6B 620 7.3-45 Amendment No. 26 (11/13)

Components Actuated on SIAS TABLE 7.3-2 (Contd) (12) Returns Safety To Normal ESFAS ESFAS Channel Upon ESF- Test Action Component A B AB AS Reset Group CWD Stop Heater Drain Pump 1A X(18) No 3A,8A 625 Stop Heater Drain Pump 1B X(18) No 3B,6B 626 Trip MCC 1A5 Non-Essential Loads X(18) No 3A,8A 1011 Trip MCC 1B5 Non-Essential Loads X(18) No 3B,6B 1013 Trip MCC 1A6 Non-Essential Loads X(18) No 3A,8A 1012 Trip MCC 1B6 Non-Essential Loads X(18) No 3B,6B 1014 Trip Generator Main Leads (IPB) Fan 1A X(18) No 3A,8A 1936 Trip Generator Main Leads (IPB) Fan 1B X(18) No 3B,6B 1936 Trip Main Transformer 1A Coolers (Normal) X(18) No 3A,8A 987 Trip Main Transformer 1B Coolers (Normal) X(18) No 3B,6B 989 Trip Main Transformer 1A Coolers (Alternate) X(18) No 3B,6B 989 Trip Main Transformer 1B Coolers (Alternate) X(18) No 3A,8A 987 Notes (18) Through isolation device 7.3-45a Amendment No. 26 (11/13)

Component Actuated on SIAS TABLE 7.3-2 (Cont'd) (12) Returns Safety To Normal ESFAS ESFAS Channel Upon ESF- Test Action Component A B AB AS Reset Group CWD Start RCP 1A-2 Oil Lift Pump P-1A2-B X Yes(9) 0A 111 Inhibit Start CP 1B-2 Oil Lift Pump P-1B2-B X Yes(9) 0B 115 Inhibit Start Reactor Aux Bldg. Main Supply Fan X No 1A 505 HVS-4A Start Reactor Aux. Bldg. Main Supply Fan X No 1B 506 HVS-4B Start ECCS Area Exhaust Fan HVE-9A X No(14) 1A 503 Start ECCS Area Exhaust Fan HVE-9B X No(14) 1B 504 Open Air Supply Dampers to ECCS Pump Room A X No(10) 1A 465 D-1, D-2 Open Air Supply Dampers to ECCS Pump Room B X No(10) 1B 465 D-3, D-4 Close ECCS Area Isolation Dampers D-8A, D-9A X No(10) 1A 465 Close ECCS Area Isolation Dampers D-8B, D-9B X No(10) 1B 465 Close ECCS Area Isolation Dampers D-7A, D-5A X No(10) 1A 466 Close ECCS Area Isolation Dampers D-7B, D-5B X No(10) 1B 466 Close ECCS Area Isolation Dampers D-11A, D-6A X No(10) 1A 467 Close ECCS Area Isolation Dampers D-11B, D-6B X No(10) 1B 467 Close ECCS Area Isolation Dampers D-12A X No(10) 1A 466 Close ECCS Area Isolation Dampers D-12B X No(10) 1B 466 Start Containment Fan Cooler HVS-1A X No 8A 307 Start Containment Fan Cooler HVS-1B X No 8A 308 Start Containment Fan Cooler HVS-1C X No 8B 309 Start Containment Fan Cooler HVS-1D X No 8B 310 7.3-46 Amendment No. 20 (4/04)

Components Actuated on SIAS TABLE 7.3-2 (Contd) (12) Returns Safety To Normal ESFAS ESFAS Channel Upon ESFAS Test Action Component A B AB Reset Group CWD Trip CEDM Cooling Fan HVE-21A X No 2 507 Trip CEDM Cooling Fan HVE-21B X No 2 508 Trip Reactor Cavity Cooling Fan HVS-2A X No 2 522 Trip Reactor Cavity Cooling Fan HVS-2B X No 2 523 Trip Reactor Support Cooling Fan HVE-3A X No 2 524 Trip Reactor Support Cooling Fan HVE-3B X No 2 525 Close RCP Cooling Water Supply Isolation Valve X No (13) 0A 212 HCV-14-1 Close RCP Cooling Water Supply Isolation Valve X No (13) 0B 212 HCV-14-7 Close RCP Cooling Water Supply isolation Valve X No (13) 0A 212 HCV-14-2 Close RCP Cooling Water Supply Isolation Valve X No (13) 0B 212 HCV-14-6 Close Reactor Cavity Sump Pump Isolation Valve X No 5A 576 LCV-07-11A Close Reactor Cavity Sump Pump Isolation Valve X No 5B 576 LCV-07-11B Trip Pressurizer Htr Xfmr Fdr Bkr from 1A3 X No 2 943 Trip Pressurizer Htr Xfmr Fdr Bkr from 1B3 X No 2 944 Trip MCC 1A8 Non-Essential Load Breaker (15) X No 2 1015 Trip MCC 1B8 Non-Essential Load Breaker (16) X No 2 1016 Close CCW Heat Exchanger Inlet Strainer Debris X No 2 840 Discharge Valve HCV-21-7A Close CCW Heat Exchanger Inlet Strainer Debris X No 2 843 Discharge Valve HCV-21-7B

1) Deleted
2) Valve(s) may be closed following SIAS reset if pressurizer pressure close interlock satisfied.
3) On SIAS, all L.O. relay trips except overspeed and differential current are disconnected. L.O. relay trips will be reinstated when bus tie breakers are reclosed and SIAS reset.
4) Returns to auto control.
5) Requires operator action to return equipment to normal.
6) Deleted.
7) Returns valve to level controller (signal isolated).
8) SIAS reset returns valve to pre-SIAS position.
9) SIAS inhibits auto loading of RCP oil lift pumps on loss of DG power. Reset of SIAS will return pumps to auto control.
10) Dampers are actuated by HVE 9A and 9B and will not return to normal upon reset of SIAS. Operator has to stop fan HVE-9A, 9B in order to return dampers to normal position.
11) See Table 7.3-5 for components actuated on CIS.
12) See Section 7.3.1.1.8. "Returns to Normal" means, for active components, a return to that status they were in prior to the ESFAS initiation.
13) Valve(s) can be overridden open with SIAS present.
14) The starting of ECCS area exhaust fans HVE-9A & 9B is delayed seventeen (17) seconds following a SIAS actuation. This delay was added via PC/M 04014 to provide degraded voltage protection. [EC 205055]
15) Tripping the Non-Essential Load breaker de-energizes the CCW Heat Exchanger inlet strainer control panel. This results in loss of air to HCV-21-7A (Fail Close). Reference Section 9.2.1.2.
16) Tripping the Non-Essential Load breaker de-energizes the CCW Heat Exchanger inlet strainer control panel. This results in loss of air to HCV-21-7B (Fail Close). Reference Section 9.2.1.2.

17) The closing of MV-09-1 and MV-09-2 is delayed 30 seconds following a SIAS actuation. This delay was added via PC/M to provide degraded voltage protection.

7.3-47 Amendment No. 30 (05/20)

TABLE 7.3-3
COMPONENTS ACTUATED ON RAS

Action | Component | Safety Channel (A, B, AB) | Returns to Normal Upon ESFAS Reset (1) | ESFAS Test Group | CWD
Stop | LPSI Pump 1A | X | No | 1A | 251
Stop | LPSI Pump 1B | X | No | 1B | 252
Close | SI Pump Recirc. Line Valve to RWT V3659 | X | No | 2A | 244
Close | SI Pump Recirc. Line Valve to RWT V3660 | X | No | 2B | 245
Open | Containment Sump Outlet Valve to Recirc. Header A MV-07-2A | X | No | 4A | 299
Open | Containment Sump Outlet Valve to Recirc. Header B MV-07-2B | X | No | 4B | 300
Close | RWT Outlet Valve to SI Header A MV-07-1A | X | No | 3A | 297
Close | RWT Outlet Valve to SI Header B MV-07-1B | X | No | 3B | 298

(1) See Section 7.3.1.1.8. "Returns to Normal" means, for active components, a return to that status they were in prior to the ESFAS initiation.

7.3-48 Amendment No. 24 (06/10)

TABLE 7.3-4
COMPONENTS ACTUATED ON CSAS

Action | Component | Safety Channel (A, B, AB) | Returns to Normal Upon ESFAS Reset (3) | ESFAS Test Action | CWD
Start | Containment Spray Pump 1A | X | No | 1A | 287
Start | Containment Spray Pump 1B | X | No | 1B | 290
Open | Containment Spray Header A Inlet Valve FCV-07-1A | X | No | 2A | 289
Open | Containment Spray Header B Inlet Valve FCV-07-1B | X | No | 2B | 289
Resequence | Diesel Generator Loading 1A block 6&7 | X | (2) | 1A | 629
Resequence | Diesel Generator Loading 1B block 6&7 | X | (2) | 3B | 630
Open | Caustic Spray Valve SE-07-1A | X | No | 1A | 292

7.3-49 Amendment No. 24 (06/10)

TABLE 7.3-4 (Cont'd)
COMPONENTS ACTUATED ON CSAS

Action | Component | Safety Channel (A, B, AB) | Returns to Normal Upon ESFAS Reset (3) | ESFAS Test Group | CWD
Open | Caustic Spray Valve SE-07-1B | X | No | 2B | 292
Open | Caustic Spray Valve SE-07-2A | X | No | 2A | 292
Open | Caustic Spray Valve SE-07-2B | X | No | 2B | 292

(1) On SIAS all L.O. relay trips except overspeed and differential current are disconnected. L.O. relay trips will be reinstated when bus tie breakers are reclosed and SIAS is reset.
(2) Circuit is self-resetting.
(3) See Section 7.3.1.1.8. "Returns to Normal" means, for active components, a return to that status they were in prior to the ESFAS initiation.

7.3-50 Amendment No. 24 (6/10)

TABLE 7.3-5
COMPONENTS ACTUATED ON CIS

Action | Component | Safety Channel (A, B, AB) | Returns to Normal Upon ESFAS Reset (3) | ESFAS Test Group | CWD
Start | Shield Building Vent System Fan HVE-6A | X | No | 7A | 513
Start | Shield Building Vent System Fan HVE-6B | X | No | 7B | 516
Start | Control Room Emerg. Filtration Fan HVE-13A | X | No | 7A | 490
Start | Control Room Emerg. Filtration Fan HVE-13B | X | No | 7B | 491
Close | Letdown Line Isolation Valve V2516 | X | No | 0A | 159
Close | Letdown Line Isolation Valve V2515 | X | No | 03 | 159
Close | RCP Control Bleed Off Isolation Valve ISE-01-1 | X | No | 1A | 159
Close | RCS Sample Line Isolation Valve V5200 | X | No (2) | 1A | 578
Close | RCS Sample Line Isolation Valve V5203 | X | No (2) | 1B | 578
Close | PRZR Surge Line Sample Isolation Valve V5201 | X | No | 1A | 579
Close | PRZR Surge Line Sample Isolation Valve V5204 | X | No | 1B | 579
Close | Pressurizer Steam Space Sample Line Isolation Valve V5202 | X | No | 1A | 580
 | Pressurizer Steam Space Sample Line Isolation Valve V5205 | X | No | 1B | 580
Trip | Non-Essential Loads 480V Switchgear 1A2 | X | No | 2A | 990
Trip | Non-Essential Loads 480V Switchgear 1B2 | X | No | 2B | 992
Close | Primary Containment Isolation Valve FCV-25-20 | X | No | 6A | 1931
Close | Secondary Containment Isolation Valve FCV-25-21 | X | No | 5B | 1931

7.3-51 Amendment No. 26 (11/13)

TABLE 7.3-5 (Cont'd)
COMPONENTS ACTUATED ON CIS

Action | Component | Safety Channel (A, B, AB) | Returns to Normal Upon ESFAS Reset (3) | ESFAS Test Group | CWD
Close | Primary Water Line Isolation Valve MV-15-1 | X | No | 5B | 849
Close | RCP Control Bleed Off Isolation Valve V2505 | X | No | 0A | 159
Close | Steam Generator A Blowdown Isolation Valve FCV-23-3 | X | No(2) | 3A | 319
Close | Instrument Air Isolation Valve MV-18-1 | X | No(4) | 0A | 317 [EC288593]
Close | Purge Inlet Isolation Valve FCV-25-1 | X | No | 2A | 511
Close | Purge Inlet Isolation Valve FCV-25-3 | X | No | 2A | 511
Close | Purge Inlet Isolation Valve FCV-25-2 | X | No | 2B | 512
Close | Purge Outlet Isolation Valve FCV-25-5 | X | No | 2A | 511
Close | Purge Outlet Isolation Valve FCV-25-4 | X | No | 2B | 512
Close | Purge Outlet Isolation Valve FCV-25-6 | X | No | 2B | 512
Stop | Containment Purge Exhaust Fan HVE-8A | X | No | 2A | 509
Stop | Containment Purge Exhaust Fan HVE-8B | X | No | 2B | 510
Close | Nitrogen Supply Isolation Valve V6741 | X | No | 2B | 566
Close | Waste Gas Header Isolation Valve V6554 | X | No | 3A | 564
Close | Waste Gas Header Isolation Valve V6555 | X | No | 3B | 564
Close | Reactor Cavity Sump Pump Disch. Isolation Valve LCV-07-11A | X | No | 4A | 576

7.3-52 Amendment No. 29 (10/18)

TABLE 7.3-5 (Cont'd)
COMPONENTS ACTUATED ON CIS

Action | Component | Safety Channel (A, B, AB) | Returns to Normal Upon ESFAS Reset (3) | ESFAS Test Group | CWD
Close | Reactor Cavity Sump Pump Disch. Isolation Valve LCV-07-11B | X | No | 4B | 576
Close | Control Room Outside Air Inlet Valve North FCV-25-16 | X | No | 6A | 1172
Close | Control Room Outside Air Inlet Valve North FCV-25-14 | X | No | 6B | 1170
Close | Control Room Outside Air Inlet Valve South FCV-25-17 | X | No | 6A | 1173
Close | Control Room Outside Air Inlet Valve South FCV-25-15 | X | No | 6B | 1171
Close | Control Room Toilet Air Exhaust Valve FCV-25-18 | X | No | 7A | 1174
Close | Control Room Toilet Air Exhaust Valve FCV-25-19 | X | No | 7B | 1175
Close | Control Room Kitchen Air Exhaust Valve FCV-25-24 | X | No | 3A | 1182
Close | Control Room Kitchen Air Exhaust Valve FCV-25-25 | X | No | 3B | 1183

7.3-53 Amendment No. 24 (06/10)

TABLE 7.3-5 (Cont'd)
COMPONENTS ACTUATED ON CIS

Action | Component | Safety Channel (A, B, AB) | Returns to Normal Upon ESFAS Reset (3) | ESFAS Test Group | CWD
Close | Containment Sample Isolation Valves: | | | 7A | 320
 | FCV-26-2 | X | No | |
 | FCV-26-4 | X | No | |
 | FCV-26-6 | X | No | |
Close | Containment Sample Isolation Valves: | | | 7B | 320
 | FCV-26-1 | X | No | |
 | FCV-26-3 | X | No | |
 | FCV-26-5 | X | No | |
Close | RDT Discharge Isolation Valve V6301 | X | No(2) | 4A | 563
Close | RDT Discharge Isolation Valve V6302 | X | No(2) | 4B | 563
Close | Steam Generator B Blowdown Isolation Valve FCV-23-5 | X | No(2) | 3A | 319
Close | Steam Generator A Blowdown Sample Isolation Valve FCV-23-7 | X | No(2) | 6A | 461
Close | Steam Generator B Blowdown Sample Isolation Valve FCV-23-9 | X | No(2) | 6A | 461

7.3-54 Amendment No. 22 (05/07)

TABLE 7.3-5 (Cont'd)
COMPONENTS ACTUATED ON CIS

Action | Component | Safety Channel (A, B, AB) | Returns to Normal Upon ESFAS Reset (3) | ESFAS Test Group | CWD
Close | Safety Injection Tanks Sampling Isolation Valves FCV-03-1E | X | Yes | 1A | 322
Close | Safety Injection Tanks Sampling Isolation Valves FCV-03-1F | X | Yes | 6B | 322
Close | Steam Generator Blowdown Line Flow Control Valve FCV-23-12 | X | No (2) | 3A | 639
Close | Steam Generator Blowdown Line Flow Control Valve FCV-23-14 | X | No (2) | 3A | 639
Start | Unit 2 Control Room Air Conditioning Unit HVA/ACC-3A (Note 1) | X | No | 7A | 500
Start | Unit 2 Control Room Air Conditioning Unit HVA/ACC-3B (Note 1) | X | No | 7B | 500

(Note 1) CRAC fan start required to support control room emergency filtration system function.
(1) On SIAS, all L.O. relay trips except overspeed and differential current are disconnected. L.O. relay trips will be reinstated when bus tie breakers are reclosed and SIAS is reset.
(2) Operator can manually override CIS (TMI Shielding).
(3) See Section 7.3.1.1.8. "Returns to Normal" means, for active components, a return to that status they were in prior to the ESFAS initiation.
(4) Operator can manually override CIS on MV-18-1. [EC 288593]

7.3-55 Amendment No. 29 (10/18)

TABLE 7.3-6
COMPONENTS ACTUATED ON MSIS

Action | Component | Safety Channel (A, B, AB) | Returns to Normal Upon ESFAS Reset (2) | ESFAS Test Group | CWD
Stop | Feedwater Pump 1A | X X(4) | No | 0A/0B | 615
Stop | Feedwater Pump 1B | X(4) X | No | 0A/0B | 620
Stop | Heater Drain Pump 1A | X X(4) | No | 0A/0B | 625
Stop | Heater Drain Pump 1B | X(4) X | No | 0A/0B | 626
Stop | Condensate Pump 1A | X X(4) | No | 0A/0B | 605
Stop | Condensate Pump 1B | X(4) X | No | 0A/0B | 606
Close | Main Steam Line A Isolation Valve HCV-08-1A | X X(4) | No | 0A/0B | 312
Close | Main Steam Line B Isolation Valve HCV-08-1B | X(4) X | No | 0A/0B | 315
Close | Main Steam Isolation Valve A Bypass Valve MV-08-1A | X X(4) | No | 1A1B | 311
Close | Main Steam Isolation Valve B Bypass Valve MV-08-1B | X(4) X | No | 1A/1B | 314
Close | Feedwater Isolation Valve HCV-09-7 Train A Sol. | X X(4) | No | 0A/0B | 614
Close | Feedwater Isolation Valve HCV-09-7 Train B Sol. | X(4) X | No | 0A/0B | 614
Close | Feedwater Isolation Valve HCV-09-8 Train A Sol. | X X(4) | No | 0A/0B | 633
Close | Feedwater Isolation Valve HCV-09-8 Train B Sol. | X(4) X | No | 0A/0B | 633
(1) Close | FWP 1A Discharge Valve MV-09-1 | X X(4) | No | 0A/0B | 616
(1) Close | FWP 1B Discharge Valve MV-09-2 | X X(4) | No | 0A/0B | 621
 | (3) Status Input to SAS | X | Yes | 1A | 1534
 | Status Input to SAS | X | Yes(3) | 1B | 1539
Trip | Non Essential Loads 480 V Switchgear 1A2 | X | No | 1A | 990
Trip | Non Essential Loads 480 V Switchgear 1B2 | X | No | 1B | 992

(1) Valve will automatically open if associated FW Pump running following MSIS and SIAS reset.
(2) See Section 7.3.1.1.8. "Returns to Normal" means, for active components, a return to that status they are in prior to the ESFAS initiation.
(3) This MSIS input to SAS computer is to record status of ESFAS only.
(4) Through isolation device.

7.3-56 Amendment No. 18, (04/01)

TABLE 7.3-6A AUXILIARY BUILDING, EMERGENCY EXHAUST FAN HVE-9A (ECCS AREA)

  • CONFORMANCE TO IEEE-279-1971 SECTION 4.11 SINGLE TEST PROCEDURE ESF EQUIPMENT FAILURE (ALL TESTS INITIATED ACTUATES ON SIAS CONTROL ROOM CRITERION SYSTEM IN CONTROL ROOM) DURING TEST INDICATION VIOLATION COMMENTS ESFAS SIAS Actuate SIAS Group 1A HVE-9A starts. Indicating lights: No SIAS Channel B Group 1A signal from ESF logic Red-On not affected.

Test cabinet Green-Off SIAS Channel A-Differential press Group 1A actuated. meter reading across Other group not HEPA filter affected. Aux. Building Manually start with HVE-9B starts. Indicating lights: No Both redundant Emergency control switch* on Red-On fans running. Exhaust Fan RTGB-106 redundant Green-Off HVE-9A fan HVE-9B Differential press manual stop meter reading across interlock test HEPA filter Manually stop with HVE-9A stops. Indicating lights: No One redundant control switch* on Manual stop Red-Off fan is running. RTGB-106 redundant interlock Green-On fan HVE-9A prevents starting. No differential press meter reading across HEPA filter and alarm Manually start with HVE-9A starts. Indicating lights: No Both redundant control switch* on Manual stop Red-On fans running. RTGB-106 HVE-9A also resets. Green-Off Differential press meter reading across HEPA filter

  • controls for SBVS fans are arranged in a similar manner.

7.3-57

TABLE 7.3-6A (Contd) SINGLE TEST PROCEDURE ESF EQUIPMENT FAILURE (ALL TESTS INITIATED ACTUATES ON SIAS CONTROL ROOM CRITERION SYSTEM IN CONTROL ROOM) DURING TEST INDICATION VIOLATION COMMENTS ESFAS SIAS Actuate SIAS Channel A SIAS Group 1A ESF SIAS Channel A No ESFAS signals Group 1A manual initiation resets & manual Indicating lights: are not blocked Reset switch to reset. stop interlock is Red-Off during logic out of service. Green-On reset. HVE-9B Manually stop with HVE-9B stops. Indicating lights: No One redundant Stop control switch* on Manual stop inter- Red-Off fan running RTGB-106 HVE-9B. lock not actuated. Green-On No differential press meter reading across HEPA filter HVE-9A Manually stop with HVE-9A stops. Indicating lights: No Stop control switch* on Manual stop Red-Off RTGB-106 HVE-9A. interlock not Green-On actuated. No differential press meter reading across HEPA filter

* Spring return to automatic mode.

7.3-58 Amendment No. 24 (06/10)

TABLE 7.3-7 ESFAS FAILURE ANALYSIS Number of Component Effects on Failure Components Identification Function Failure Mode ESFAS Logic Detection Mechanism Remarks 4 Pressurizer Pressure Sensor Converts pressure One spurious Makes both channel logics Measurement channel Open circuit, dc PT-1102 A,B,C,D to analog current low signal 1-out-of-3 (Sensors PT- pre-trip & trip alarms; power failure, or 1102, -8013 and -8023 meters indicate trip open resistor RL also make SIAS & MSIS condition 4 Containment Pressure Sensor block logic 2-out-of-3) Wear, corrosion, A,B PT-07-2 A,B,C,D mechanical damage 4 Refueling Water Tank Level Spurious system trip if 2 fail Sensor LT-07-2 A,B,C,D 4 Steam Generator 1A Pressure One spurious Makes both channel Test and comparison Misadjustment A,C Sensor PT-8013 A,B,C,D high signal logics 2-out-of-3 (Sensors with redundant PT-1102, channel indicators Wear, corrosion, 4 Steam Generator 1B Pressure -8013, and -8023 mechanical damage, Sensor PT-8023 A,B,C,D also make SIAS & or shorted MSIS block logic resistor RL 3-out-of-3) NOTES: A - Single failure does not prevent system actuation B - Immediate detection C - Possible immediate detection 7.3-59 Amendment No. 24 (06/10)

TABLE 7.3-7 Continued) Number of Component Effects on Components Identification Function Failure Mode ESFAS Logic Detection Failure Remarks Mechanism 4 Sensor PT-1102 A,B,C,D Provides power One fails low Makes both channel Measurement channel Open circuit, A,B Power Supply for analog cur- logics 1-out-of-3 trip & pre-trip ac supply failure rent loop alarms; indicating 4 Sensor PT-07-2 A,B,C.D (Power supplies meters read low Transformer failure, Power Supply for sensors diode failure, PT-1102, -8013, Spurious system heat effects 4 Sensor LT-07-2 A,B,C,D and -8023 also trip if 2 fail Power Supply make SIAS & MSIS block logic 2-out

                                                                          -of-3) 4      Sensor PT-8013 A,B,C,D                      One fails high      Makes both channel Test and comparison Misadjustment          A,C Power Supply                                                    logics 2-out-of-3  with redundant channel indicators  Transformer failure, 4      Sensor PT-8023 A,B,C,D                                          (Power supplies                        diode failure Power Supply                                                    for sensors                            heat effects PT-1102, -8013, and -8023 also make SIAS & MSIS block logic 3-out-of-3) 4      Containment Radiation     Provides radia-   One spurious        Makes both channel Test and comparison Open circuit,          A,B Detector CH-A,B,C,D       tion signal to    low signal          logics 2-out-of-3  with redundant      ac supply failure ratemeter                                                channel indicators; meters read low     Mechanical damage, 4      Containment Radiation Lag Provides power                                                               electronic circuit Ratemeter                 supply for detec-                                                            failure tor, converts detector signal to mv One spurious        Makes both channel Measurement channel Misadjustment          A,C high signal         logics 1-out-of-3  pre-trip & trip 4      Containment Radiation     Converts radia-                                          alarms; indicating  Mechanical damage MV/I Converter            tion signal from                                         meters read high    electronic circuit mv to ma (4-20)                                                              failure Spurious system trip if 2 fail 7.3-60

TABLE 7.3-7 (Continued) Number of Component Effects on Failure Components Identification Function Failure Mode ESFAS Logic Detection Mechanism Remarks 4 I/I Converter PY-1102 A,B,C,D Amplifies analog One fails low Makes both channel logics Measurement channel pre- Open circuit, ac supply A,B current loop signal 1-out-of-3 (PY-1102, - trip & trip alarm; indicating failure 8013, and -8023 also make meters read low SIAS &-MSIS block logic 2-4 I/I Converter PY-8013 A,B,C,D Transformer or out-of-3) (Steam Generator 1A) Spurious system trip if 2 fail diode failure, heat effects 4 I/I Converter PY-8023 A,B,C,D One fails high Makes both channel Test and comparison with Misadjustment (Steam Generator 1B) logics 2-out-of-3 (PY-1102, redundant channel

                                                                               -8013, and -8023 also        indicators                     Transformer or make SIAS & MSIS block                                      diode failure, logic 3-out -of-3)                                          heat effects              A,C 4      Resistor R-1 A,B,C,D          Converts analog     One fails open     Makes both channel           Open resistor indicator        Mechanical damage, current ma signal                      logics 1-out-of-3 (Resistors reads high; reactor            heat effects 4      Resistor R-2 A,B,C,D          to volts                               R-1,2, 3,4,15 also make      protection channel trip                                  A,B 4      Resistor R-3 A,B,C,D                                                 SIAS & MSIS block logic 2-   alarm out-of-3) 4      Resistor R-4 A,B,C,D                                                                              Spurious system trip if 2 open 4      Resistor R-6 A,B,C,D                              One shorts         None                         Indicator reads                Short circuit low; pre-trip 4      Resistor R-7 A,B,C,D                                                                              alarm                          Mechanical damage,        A,B heat effects 4      Resistor R-9 A,B,C,D 4      Resistor R-12 A,B,C,D 4      Resistor R-13 A,B,C,D 4      Resistor R-15 A,B,C,D 7.3-61                                                                Amendment No. 25 (04/12)

TABLE 7.3-7 (Continued) Number of Component Effects on Failure Components Identification Function Failure Mode ESFAS Logic Detection Mechanism Remarks 4 Resistor R-5 A,B,C,D Converts analog One fails open Makes both channel logics Bistable indicator high Mechanical damage, current ma signal to 1- 2-out-of-3 (Resistors R- reading heat effects 4 Resistor R-8 A,B,C,D 5 volts for ESFAS 5,14,16 make SIAS & MSIS block logic 3-out-of- Test and comparison with 4 Resistor R-10 A,B,C,D

3) redundant channel indicators 4 Resistor R-11 A,B,C,D A,C 4 Resistor R-14 A,B,C,D One shorts Makes both channel logics Bistable indicator low Short circuit 1-out-of-3 (Resistors R-5, reading, channel trip alarm 4 Resistor R-16 A,B,C,D 14, 16 also make SIAS Mechanical damage, A,B
                                                                                     & MSIS block logic 2-out-  Spurious system trip if 2   heat effects of-3)                      shorted 4      Pressurizer Pressure SIAS Trip  Converts analog signal  One fails off      Makes both channel logics  Manual test                 Open circuit, dc supply          A Block Bistable A,B,C,D          to digital on-off                          2-out-of-3                                             failure Physical damage 4      Steam Generator 1A                                      One fails on       Makes both channel logics                                                         Detection Pressure MSIS Trip Block                                                   3-out-of-3                                             Set point not adjusted,    only during Bistable A,B,C,D                                                                                                                  electronic circuit failure manual test 4      Steam Generator 1B Pressure MSIS Trip Block                                Module removed     Makes both channel logics  Alarm when cabinet door                                     A,B Bistable A,B,C,D                                                           2-out-of-3                 opened; module removed alarm 16     Isolation Module for Trip Block Provide optical         One fails off      Makes one channel logic    Manual test                 Electronic circuit               A Bistables                       separation between                         2-out-of-3                                             damaged logic channel inputs                                                                                                         Detection Open circuit               only during manual test One fails on       Makes one channel blocks   Manual test                 Bad photo transistor logic 3-out -of-3                                      
Physical damage Makes one channel logic Module removed     1-out-of-3                 Alarm when cabinet door                                     A,B opened; module removed alarm 7.3-62                                                           Amendment No. 29 (10/18)

TABLE 7.3-7 (Continued) Number of Component Effects on Failure Components Identification Function Failure Mode ESFAS Logic Detection Mechanism Remarks 4 Pressurizer Pressure Converts analog signal One fails off Makes both channel logics Bistable indicator low Open circuit, dc supply A,B SIAS Trip Bistable A,B,C,D to digital on-off 1-out-of-3 reading failures 4 Containment Pressure Channel trip alarm auto test Physical damage SIAS Trip Bistable, A,B,C,D alarm 4 Containment Pressure CIS Trip Bistable A,B,C.D One fails on Makes both channel logics Manual and automatic test Electronic circuit failure A,B 2-out-of-3 4 Containment Pressure Automatic test alarm CSAS Trip Bistable A,B,C,D 4 Refueling Tank Level Bistable removed Makes both channel logics Alarm when cabinet door A,B RIS Trip Bistable A,B,C,D 2-out-of-3 opened 4 Steam Generator 1A Automatic test alarm Pressure MSIS Trip Bistable A,B,C,D 4 Steam Generator 1B Module removed alarm Pressure MSIS Trip Bistable A,B,C,D 64 Isolation Module Provides optical One fails off Makes one channel logic Manual and automatic test, Open circuit A for Trip Bistables separation between 1-out-of-3 auto test alarm Immediate logic channel inputs Bad photo transistor detection with One fails off Makes one channel logic Automatic and manual test Physical damage automatic 2-out-of-3 tester Electronic circuits shorted Module removed Makes one channel logic Alarm when cabinet door A,B 1-out-of-3. opened Module removed alarm; automatic test alarm 7.3-63 Amendment No. 17 (10/99)

TABLE 7.3-7 (Continued) Number of Component Effects on Failure Components Identification Function Failure Mode ESFAS Logic Detection Mechanism Remarks 2-out-of-4 Matrix and Energizes output One fails on Energizes output ESFAS channel Electronic cir- A,B Actuation Module relays when relays and starts actuation alarm cuits shorted 2-out-of-4 inputs components listed 2 CSAS A,B Test Group 1 satisfied in Tables 7.3-3, Physical damage 7.3-4 associated 2 CSAS A,B Test Group 2 with failed Test Open circuit, Group dc supply failure 2 CSAS A,B Test Group 3 One fails off Prevents auto Manual auto test A 2 RAS A,B Test Group I start of compo- Immediate nents listed in Auto test alarm detection 2 RAS A,B Test Group 2 Tables 7.3-3, with auto 7.3-4 associated tester 2 RAS A,B Test Group 3 with failed Test Group 2 RAS A,B Test Group 4 2 RAS A,B Test Group 5 Module removed Prevents auto Alarm when A,B start of compo- cabinet door nents listed in opened Tables 7.3-3, Automatic test 7.3-4 associated alarm with failed Test Group 3-out-of-4 Matrix and Energizes block One fails on Permits SIAS or Block permissive Electronic circuit A,B Actuation Module permissive relays MSIS channel block alarm shorted dc supply failure 2 SIAS A,B Block Provides block One fails off Prevents SIAS or Manual test A signal MSIS channel block Open circuit Possible detection 2 MSIS A,B Block Physical damage Module removed Prevents SIAS or Alarm when cabinet MSIS channel block door opened A,B Auto test alarm 7.3-64 Amendment No. 25 (04/12)

TABLE 7.3-7 (Continued) Number of Component Effects on Failure Components Identification Function Failure Mode ESFAS Logic Detection Mechanism Remarks 2-out-of-4 Matrix and Deenergizes out- One fails off Deenergizes output ESFAS channel Open circuit A,B Actuation Module put relays when relays and starts actuation alarm 2-out-of-4 in- components listed dc supply failure 2 SIAS A,B Test Group 0 puts satisfied in Tables 7.3-2, 7.3-5, 7.3-6 asso- Physical damage 2 SIAS A,B Test Group 1 ciated with failed test group Electronic circuit 2 SIAS A,B Test Group 2 shorted 2 SIAS A,B Test Group 3 One fails on Prevent auto start Manual and A of components automatic test Immediate 2 SIAS A,B Test Group 4 listed in Tables detection 7.3-2, 7.3-5 Auto test alarm with auto 2 SIAS A,B Test Group 5 associated with tester failed test group 2 SIAS A,B Test Group 6 2 SIAS A,B Test Group 7 2 SIAS A,B Test Group 8 2 SIAS A,B Test Group 9 Module removed Deenergizes output Alarm when cabinet A,B relays and starts door opened 2 CIS A,B Test Group 0 components listed in Tables 7.3-2, 2 CIS A,B Test Group 1 7.3-5, 7.3-6 asso-ciated with failed 2 CIS A,B Test Group 2 test group 2 CIS A,B Test Group 3 2 CIS A,B Test Group 4 2 CIS A,B Test Group 5 2 CIS A,B Test Group 6 2 CIS A,B Test Group 7 2 MSIS A,B Test Group 0 2 MSIS A,B Test Group 7.3-65

TABLE 7.3-7 (Continued) Number of Component Effects on Failure Components Identification Function Failure Mode ESFAS Logic Detection Mechanism Remarks Pushbutton "think" Permits manual One fails Blocks ESFAS Manual test Wear, corrosion, A,C actuation of open channel manual mechanical damage 2 SIAS A,B ESFAS actuation Pushbutton and control switch 2 CIS A,B actuated alarm 2 RAS A,B 2 CSAS A,B One fails None Pushbutton and Wear, Corrosion A,B closed control switch mechanical damage 2 MSIS A,B actuated alarm Control switch Manual actuation One fails Blocks ESFAS Manual test Wear, corrosion A,C of ESFAS channel open channel manual mechanical damage 2 CS A,B actuation Pushbutton and control switch 2 CIS A,B actuated alarm 2 RAS A,B 2 CSAS A,B One fails None Pushbutton and Wear, corrosion, A,B 2 MSIS A,B closed control switch mechanical damage actuated alarm Output relays Deenergize to One relay coil Starts components Component running Heat effects, A,C start components fails open or assigned to this lights on control physical damage, 36 SIAS A,B listed in Tables shorted relay board on corrosion, wear 7.3-2, 7.3-5, 4 CIS A,B 7.3-6 4 MSIS A,B One relay's contacts fail to open One relay's Prevents automatic Manual test Heat effects, A,B contacts fail start of compo- physical damage, in actuating nents assigned to corrosion, wear position this relay Output relays Energize to start One relay coil Prevents auto Manual test components listed fails open to start of compo-6 CSAS A,B in Tables 7.3-3 shorted nents assigned to 7.3-4 this relay A 10 RAS A,B One relay's Prevents auto Heat effects, contacts fail start of compo- physical damage, to actuate nents assigned to corrosion, wear this relay One relay's Starts components Component running Heat effects, A,C contacts fail assigned to this lights on control physical damage, in actuated relay board on corrosion, wear position 7.3-66

TABLE 7.3-8 ESF SIGNAL INTERCONNECTIONS FOR 1AB SHARED SYSTEM EQUIPMENT CONTROL FAILURE MODE ANALYSIS Effects on Failure Component Function Failure Mode ESF System Detection Mechanism Remarks AB Equipment Centralized AB Control AB Equipment Circuit Open Circuits Immediate Control Board Control of Power Control Lost Monitoring Or Cables Detection AB Equipment Failure Alarms, Power Supply Indicating Failure ESF A and B Lights Not Effected Control AB Equipment Imposed High Possible Power High Control Lost Voltage on AB Immediate Voltage or Including Circuit Detection Fire Relay Contact Relay Coils, Failure in Shorted Wires ESF A & B System Relay Boxes Not Effected AB1 & AB2 ESF Logic Centralized Control Failure or Various Power Supply Immediate Cabinet SA ESF A & B Power ESF A & B Alarms Failure Detection Initiation Failure Initiation, Electronic or Spurious Components ESF B System Initiation Shorted Not Effected Fire Shorted Wires ESF Logic Centralized Control Failure of Various Power Supply Immediate Cabinet SB ESF B & AB Power ESF B & AB Alarms Failure Detection Initiation Failure Initiation Electronic or Spurious Components ESF A System Initiation Shorted Not Effected Fire Shorted Wires 7.3-67

TABLE 7.3-8 (Contd) Effects on Failure Component Function Failure Mode ESF System Detection Mechanism Remarks Box AB1 Provides Fire Failure of Various Shorted Wires Immediate Located in Separation ESF AB Alarms Faulty Relays Detection ESF Cabinet Between Initiation SA A & AB ESF A & B System Not Effected Box AB2 Provides Failure of Immediate Located in Separation ESF AB Detection ESF Cabinet Between Initiation SB B & AB ESF A & B System Not Effected 7.3-68

TABLE 7.3-9 COMPONENTS AND ACTUATED DEVICES NOT TESTED DURING NORMAL OPERATION Status Effect Signal Normal Valve Actuating Position on Failure Required After of Failure of Component Degree of Testing During Actuated Component Received Position Power of Actuating Power Accident Signal to Assume Accident Position Operation EC 290695 Letdown line containment isolation SIAS Open Air Closed Closed None. Redundant valve Autotest of SIAS and valve V2515, 2516 CIS provided CIS logic Volume control tank discharge SIAS Open As is Closed and open Less concentrated insertion of Autotest of SIAS ac valve V2501 inhibit boron to reactor via charging power supply for pumps. Does not affect safe valve motor is plant shutdown monitored Intake cooling water header SIAS Open AC As is Closed Reduced capability or loss of Autotest of SIAS isolation valve MV-21-3, 21-2 one redundant cooling water logic. AC power header. One 100% capacity supply for valve Header remains. motor monitored Reactor coolant pump oil lift pump SIAS Runs during start and Stop Start inhibit None. Diesel generator can Autotest of SIAS logic 1A-1, 1A-2, 1B-1, 1B-2 stop of reactor coolant accept the additional 10 HP pump load Reactor coolant pump cooling SIAS Open Air Closed Closed None. Redundant valves Autotest of SIAS logic water containment Isolation valve provided HCV-14-1,2,6,7 Instrument air containment CIS Open AC As is Closed None. Two redundant check Autotest of CIS logic. EC Isolation valve MV-18-1 valves provided AC supply to valve 288593 Motor monitored Reactor coolant pump controlled CIS Open Air Closed Closed No effect on plant safety Autotest of CIS logic bleedoff containment isolation valve V2505 Main steam line containment MSIS Open Gas / Air Accumulator Failure: As- Closed Refer to Section 15.4.6 of Autotest of MSIS isolation valve HCV-08-1A, 1B Hydraulic is* FSAR Logic. Test of closing Hydraulic Failure: Closed Solenoids. Valve Electrical Failure: Open Stroke is tested. 
Loss of Nitrogen Pressure: Monitor of DC supply Open Main feedwater line containment MSIS Open AC As is Closed None. Redundant valves Autotest of MSIS MSIS isolation valves MV-09-1 & 2 Provided. See FSAR 15.4.6 logic. Main feedwater line containment MSIS Open Air As is Closed None. FW isolation on SIAS not Autotest of MSIS & MSIS isolation valves HCV-09-7 & 8 SIAS credited. Redundant valves provided SIAS logic. for MSIS. See UFSAR 15.4.6 Safety Injection tank motor SIAS Open AC As Is Open Locked open Autotest of SIAS operated stop valves logic. AC power supply for valve motor monitored

* Valve is closed once residual hydraulic pressure is depleted.

7.3-69 Amendment No. 29 (10/18)

TABLE 7.3-10 AUXILIARY FEEDWATER ACTUATION SYSTEM FAILURE MODES AND EFFECTS ANALYSIS

| Name | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effect Upon AFAS | Remarks and Other Effects |
|---|---|---|---|---|---|---|---|
| 1. Feedwater header pressure sensor -1 (Channel A, Typical) | a. Fails off (low pressure signal) | Sensor failure, open circuit, DC Power supply failure | Low P1 pressure signal to P1 < P2 differential pressure bistable. Bistable changes logic state and initiates input to the Channel A AFAS1 block circuit. | Annunciating, pre-trip and trip alarms. | 3-channel redundancy (4th channel in bypass). | Actuation logic for AFAS1 becomes 2-out-of-2 coincident. The block logic becomes 1-out-of-2 coincident. | To restore the system logic to 2-out-of-3 coincidence, the operator must restore the bypassed channel to operation and then bypass the failed channel function |
| | b. Fails as is | Sensor failure, component failure | Erroneous P1 pressure signal to P1 < P2 differential pressure bistable during actual SG1 trip. Bistable will not change logic state. | Periodic test, 3-channel comparison | 3-channel redundancy (4th channel in bypass). | Actuation logic for AFAS1 becomes 2-out-of-2 coincident. The block logic becomes 2-out-of-2 coincident. | Same as above. |
| | c. Fails on (high pressure signal) | Sensor failure, component failure | Erroneous P1 pressure signal to P2 < P1 differential pressure bistable. Bistable changes logic state and initiates input to channel A AFAS2 block circuit. | Annunciating pre-trip and trip alarms | 3-channel redundancy (4th channel in bypass). | Actuation logic for AFAS2 becomes 2-out-of-2 coincident. The block logic becomes 1-out-of-2 coincident. | Same as above |
| 2. Feedwater header pressure sensor -2 (Channel A, Typical) | a. Fails off (low pressure signal) | Sensor failure, open circuit, DC Power Supply failure | Low P2 pressure signal to P2 < P1 differential pressure bistable. Bistable changes logic state and initiates input to the Channel A | Annunciating, pre-trip and trip alarms. | 3-channel redundancy (4th channel in bypass). | Actuation logic for AFAS2 becomes 2-out-of-2 coincident. The block logic becomes 1-out-of-2 coincident. | Same as above |
| | b. Fails as is | Sensor failure, component failure | Erroneous P2 pressure signal to P2 < P1 differential pressure bistable during actual SG2 trip. Bistable | Periodic test, 3-channel comparison | 3-channel redundancy (4th channel in bypass). | Actuation logic for AFAS2 becomes 2-out-of-2 coincident. becomes 2-out-of-2 coincident. | Same as above |

7.3-70 Amendment No. 25 (04/12)

TABLE 7.3-10 (continued) AUXILIARY FEEDWATER ACTUATION SYSTEM FAILURE MODES AND EFFECTS ANALYSIS

| Name | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effect Upon AFAS | Remarks and Other Effects |
|---|---|---|---|---|---|---|---|
| | c. Fails on (high pressure signal) | Sensor failure, component failure | Erroneous P2 pressure signal to P1 < P2 differential pressure bistable. Bistable changes logic state and initiates input to channel A AFAS1 block circuit. | Annunciating pre-trip and trip alarms. | 3-channel redundancy (4th channel in bypass). | Same as above. | Same as above. |
| 3. Steam Generator -1 pressure sensor (Channel A, Typical) | a. Fails off | Sensor failure, open circuit, DC Power Supply failure | Low P1 pressure signal to P1 < P2 differential pressure bistable. Bistable changes logic state and initiates input to the Channel A AFAS1 block circuit. | Annunciating, pre-trip and trip alarms. | 3-channel redundancy (4th channel in bypass). | Actuation logic for AFAS1 becomes 2-out-of-2 coincident. Block logic becomes 1-out-of-2 coincident. | Same as above. |
| | b. Fails as is | Sensor failure, component failure | Erroneous P1 pressure signal to P1 < P2 differential pressure bistable during actual SG1 trip. Bistable will not change logic state. | Periodic test, 3-channel comparison | 3-channel redundancy (4th channel in bypass). | Actuation logic for AFAS1 becomes 2-out-of-2 coincident. The block logic becomes 2-out-of-2 coincident. | Same as above. |
| | c. Fails on | Sensor failure, component failure | Erroneous P2 pressure signal to P2 < P1 differential pressure bistable. Bistable changes logic state and initiates input to channel A AFAS2 block circuit. | Annunciating pre-trip and trip alarms. | 3-channel redundancy (4th channel in bypass). | Same as above. | Same as above. |
| 4. Steam Generator 2 pressure sensor (Channel A, Typical) | a. Fails off | Sensor failure, open circuit, DC Power Supply failure | Low P2 pressure signal to P2 < P1 differential pressure bistable. Bistable changes logic state and initiates input to the Channel A AFAS2 block circuit. | Annunciating pre-trip and trip alarms. | 3-channel redundancy (4th channel in bypass). | Actuation logic for AFAS2 becomes 2-out-of-2 coincident. Block logic becomes 1-out-of-2 coincident. | Same as above. |
| | b. Fails as is | Sensor failure, component failure | Erroneous P2 pressure signal to P2 < P1 differential pressure bistable during actual SG2 trip. Bistable will not change logic state. | Periodic test, 3-channel comparison | 3-channel redundancy (4th channel in bypass). | Actuation logic for AFAS2 becomes 2-out-of-2 coincident. The block logic becomes 2-out-of-2 coincident. | Same as above |

7.3-71 Amendment No. 25 (04/12)

TABLE 7.3-10 (continued) AUXILIARY FEEDWATER ACTUATION SYSTEM FAILURE MODES AND EFFECTS ANALYSIS

| Name | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effect Upon AFAS | Remarks and Other Effects |
|---|---|---|---|---|---|---|---|
| | c. Fails on | Sensor failure, component failure | Erroneous high P2 pressure signal to P1 < P2 differential pressure bistable. Bistable changes logic state and initiates input to channel A AFAS1 block circuit. | Annunciating pre-trip and trip alarms. | 3-channel redundancy (4th channel in bypass). | Same as above. | Same as above. |
| 5. Steam Generator 1 low-level sensor (Channel A, Typical) | a. Fails off | Sensor failure, component failure | Low steam generator level signal to Low LVL SG1 bistable. Bistable changes logic state and initiates input to channel A AFAS1 block circuit and actuation logic. | Annunciating, pre-trip and trip alarms. | 3-channel redundancy (4th channel in bypass). | Actuation logic for AFAS1 becomes 1-out-of-2 coincident. No effect on block logic | Same as above. |
| | b. Fails on | Sensor failure, component failure | High steam generator level signal to Low LVL SG1 bistable. Will not trip for actual Low level. | Periodic test, 3-channel comparison | 3-channel redundancy (4th channel in bypass). | AFAS logic becomes 2-out-of-3 coincident. | Same as above |
| 6. Steam Generator 2 low-level sensor (Channel A, Typical) | a. Fails off | Sensor failure, component failure | Low steam generator level signal to Low LVL SG2 bistable. Bistable changes logic state and initiates input to channel A AFAS2 block circuit and actuation logic. | Annunciating, pre-trip and trip alarms. | 3-channel redundancy (4th channel in bypass). | Actuation logic for AFAS2 becomes 1-out-of-2 coincident. No effect on Block logic. | Same as above. |
| | b. Fails on | Sensor failure, component failure | High steam generator level signal to Low LVL SG2 bistable. Will not trip for actual Low level. | Periodic test, 3-channel comparison | 3-channel redundancy (4th channel in bypass). | AFAS logic becomes 2-out-of-2 coincident. | Same as above |
| 7. SG1 low level bistable and bistable relay card (Channel A Typical) | a. Setpoint power fails off | Component failure, open circuit | SG1 level setpoint drops to zero. Bistable will not change state on valid low level signal. | Power supply annunciator. | 3-channel redundancy (4th channel in bypass) | AFAS1 actuation logic becomes 2-out-of-2 coincident. | To restore the system logic to 2-out-of-3 coincident, the operator must restore the bypassed channel and then bypass the failed channel function |
| | b. Trip setpoint failed low | Component failure | Same as 7a | Same as 7a | Same as 7a | Same as 7a | Same as above |

7.3-72 Amendment No. 25 (04/12)

TABLE 7.3-10 (continued) AUXILIARY FEEDWATER ACTUATION SYSTEM FAILURE MODES AND EFFECTS ANALYSIS

| Name | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effect Upon AFAS | Remarks and Other Effects |
|---|---|---|---|---|---|---|---|
| | c. Trip setpoint fails high | Component failure | Bistable will trip at greater than desired SG1 level. | Annunciation if bistable is tripped. Periodic test. | 3-channel redundancy (4th channel in bypass). | AFAS1 actuation logic becomes 1-out-of-2 coincident. | Same as above. |
| | d. Trip voltage comparator fails off | Open circuit, component failure | Bistable relays will de-energize resulting in half trips of the AB, AC and AD actuation logic matrices. | Annunciating | 3-channel redundancy (4th channel in bypass). | AFAS1 actuation logic becomes 1-out-of-2 coincident. | Same as above. |
| | e. Trip voltage comparator fails on | Component failure, short circuit | Bistable relays will not de-energize for valid SG1 lo level signal | Periodic test. 3-channel comparison. | 3-channel redundancy (4th channel in bypass). | AFAS1 actuation logic becomes 2-out-of-2 coincident. | Same as above. |
| | f. Pre-trip setpoint fails low or off | Component failure, open circuit | Pre-trip setpoint decreases. Pre-trip relays will not de-energize when SG1 at desired pre-trip level. | Periodic test, 3-channel comparison. | 3-channel redundancy (4th channel in bypass). | No impact on AFAS1 actuation logic. | Same as above. |
| | g. Pre-trip setpoint fails high | Component failure | Pre-trip relays will de-energize at higher than desired SG1 level. | Pre-trip alarm and test. 3-channel comparison. | None required. | Spurious pre-trip alarms. No impact on AFAS1 actuation logic. | Same as above. |
| | h. Pre-trip voltage comparator fails off | Open circuit, component failure | Same as 7g. | Same as 7g. | Same as 7g. | Same as 7g. | Same as above |
| | i. Pre-trip voltage comparator fails on | Component failure | Pre-trip relays will not de-energize when SG1 level reaches pre-trip setpoint. | Periodic test. 3-channel comparison | 3-channel redundancy (4th channel in bypass). | No impact on AFAS1 actuation logic | The operator can restore the by-pass the failed pretrip function |
| | j. Pre-trip opto-isolator fails off | Open circuit, component failure | Pre-trip relay will de-energize. | Annunciating pre-trip alarm. | None required. | No impact on AFAS1 actuation logic. | Same as above. |
| | k. Pre-trip relay driver fails off | Open circuit, component failure. | Same as 7j. | Same as 7j. | Same as 7j. | Same as 7j. | Same as 7j. |
| | l. Pre-trip relay driver fails on | Emitter to collector short circuit | Same as 7j. | Same as 7j. | Same as 7j. | Same as 7j. | Same as 7j. |

7.3-73 Amendment No. 25 (04/12)

TABLE 7.3-10 (continued) AUXILIARY FEEDWATER ACTUATION SYSTEM FAILURE MODES AND EFFECTS ANALYSIS

| Name | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effect Upon AFAS | Remarks and Other Effects |
|---|---|---|---|---|---|---|---|
| | m. Pre-trip relay coil fails open | Mechanical failure | Same as 7j. | Same as 7j. | Same as 7j. | Same as 7j. | Same as 7j. |
| | n. Pre-trip relay contact in annunciator circuit fails open | Mechanical damage, corrosion | Spurious pre-trip alarms | Annunciating | Visual indicator not affected. 3-channel redundancy (4th channel in bypass). | No impact on AFAS1 actuation logic. | Same as above. |
| | o. Pre-trip relay contact in annunciator circuit fails closed. | Contact arcing | Channel A pre-trip will not annunciate. | Periodic test, 3-channel comparison. | None required. | AFAS1 actuation logic not affected | Same as above. |
| | p. Pre-trip relay contact in indicator circuit fails open | Mechanical damage, corrosion | No visual indication of channel A Lo SG1 level pre-trip. | Periodic test. | Annunciator not affected. 3-channel redundancy (4th channel in bypass). | AFAS1 actuation logic not affected. | Same as above. |
| | q. Pre-trip relay contact indicator circuit fails closed. | Contact arcing | Spurious pre-trip visual indications. | Visual pre-trip indication. | None required. | AFAS1 actuation logic not affected | Same as above. |
| | r. Trip opto-isolator fails off | Component failure, open circuit | Bistable relay will de-energize resulting in half trips of the AB, AC and AD actuation logic matrices. | Annunciating | 3-channel redundancy (4th channel in bypass). | AFAS1 actuation logic becomes 1-out-of-2 coincident. | To restore the system logic to 2-out-of-3 coincidence, the operator must restore the bypassed channel then bypass the failed channel function. |
| | s. Trip opto-isolator fails on | Component failure, short circuit | Bistable relay will not de-energize on valid low level signal. | Periodic test | 3-channel redundancy (4th channel in bypass). | AFAS1 actuation logic becomes 2-out-of-2 coincident. | Same as above. |

7.3-74 Amendment No. 25 (04/12)

TABLE 7.3-10 (continued) AUXILIARY FEEDWATER ACTUATION SYSTEM FAILURE MODES AND EFFECTS ANALYSIS

| Name | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effect Upon AFAS | Remarks and Other Effects |
|---|---|---|---|---|---|---|---|
| | t. Trip relay driver fails off | Transistor failure, open circuit | Bistable relay de-energizes resulting in spurious half trips in AB, AC and AD logic matrices. | Annunciation indication. | 3-channel redundancy (4th channel in bypass). | AFAS1 actuation logic becomes 1-out-of-2 coincident. | Same as above. |
| | u. Trip relay driver fails on | Emitter to collector short circuit | Affected relay will not de-energize for valid low level signal. Logic matrices (AB, AC and AD) will not de-energize. | Periodic test, 3-channel comparison. | 3-channel redundancy (4th channel in bypass). | AFAS1 actuation logic becomes 2-out-of-2 coincident. | Same as above. |
| | v. Trip relay coil fails open | Mechanical failure | Same as 7t | Same as 7t | Same as 7t | Same as 7t | Same as above. |
| | w. Trip relay form c contacts to SG1 Rupture identification circuit fails closed. | Contacts welded by arcing, fuse failure | Relay initiates input to the channel A block circuit. | Periodic test, 3-channel comparison. | 3-channel redundancy (4th channel in bypass). | No effect on block logic or AFAS1 actuation logic. | Same as above. |
| | x. Trip relay form c contacts to SG1 Rupture ID circuit fails open | Open circuit | Channel A block circuit can not be activated. | Periodic test, 3-channel comparison. | 3-channel redundancy (4th channel in bypass). | No effect on AFAS1 actuation logic, becomes 2-out-of-2 coincident. | Same as above. |
| | y. Trip relay form c contacts to AFAS1 fails closed. | Contacts welded | Channel A AFAS1 relays will not de-energize on actual low level signal. | Periodic test, 3-channel comparison. | 3-channel redundancy (4th channel in bypass). | AFAS1 logic becomes 2-out-of-2 coincident no effect on channel A block logic. | Same as above. |
| | z. Trip relay form c contact to AFAS1 fails open | Contacts welded | Channel A AFAS1 relays will de-energize resulting in half trips of AB, AC and AD actuation logic matrix and initiating input to channel A block circuit. | Annunciating | 3-channel redundancy (4th channel in bypass). | No effect on AFAS block logic. AFAS1 actuation logic becomes 1-out-of-2 coincident. | Same as above. |

7.3-75 Amendment No. 25 (04/12)

TABLE 7.3-10 (continued) AUXILIARY FEEDWATER ACTUATION SYSTEM FAILURE MODES AND EFFECTS ANALYSIS

| Name | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effect Upon AFAS | Remarks and Other Effects |
|---|---|---|---|---|---|---|---|
| | aa. Trip status relay driver fails off | Transistor failure, open circuit | Trip status relay will de-energize resulting in spurious trip annunciator and indication. | Annunciating, 3-channel comparison | None required | No effect on AFAS1 actuation logic or block logic. | The operator can restore the bypassed channel and then bypass the failed trip annunciator. |
| | ab. Trip status relay driver fails on | Emitter to collector short circuit | Trip status relay will not de-energize for valid low level signal. | Periodic test, 3-channel comparison | 3-channel redundancy (4th channel in bypass). | Same as above | Same as above |
| | ac. Trip status relay coil fails open | Mechanical failure | Same as 7aa. | Same as 7aa. | Same as 7aa. | Same as 7aa. | Same as above. |
| | ad. Trip status relay form c contacts to trip annunciator circuit fails open. | Contacts welded | Spurious relay coil or relay driver failure annunciation. | Annunciating | 3-channel redundancy (4th channel in bypass). | AFAS1 actuation logic not affected. | Same as above. |
| | ae. Trip status relay form c contacts to trip annunciator circuit fails closed. | Contacts welded, fuse failure | Annunciator will not signal relay coil or relay driver failure. | Periodic test, 3-channel comparison | None required. | AFAS1 actuation logic not affected. | Same as above. |
| | af. Trip status relay form c contact to indicator circuit fails open | Mechanical damage, corrosion | No visual indication of channel A Lo SG1 level trip. | Periodic test | Annunciator not affected. 3-channel redundancy (4th channel in bypass). | AFAS1 actuation logic not affected. | Same as above. |
| | ag. Trip status relay form c contact to indicator circuit fails closed. | Contact welded | Spurious trip visual indication for Lo SG1 level. | Visual trip indication | None required. | AFAS1 actuation not affected. | Same as above |

7.3-76 Amendment No. 25 (04/12)

TABLE 7.3-10 (continued) AUXILIARY FEEDWATER ACTUATION SYSTEM FAILURE MODES AND EFFECTS ANALYSIS

| Name | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effect Upon AFAS | Remarks and Other Effects |
|---|---|---|---|---|---|---|---|
| | ah. SG1 rupture relay driver fails off. | Transistor failure, open circuit | SG2 rupture relay will not energize for valid rupture signal. | Periodic test, 3-channel comparison. | 3-channel redundancy (4th channel in bypass). | No effect on AFAS1 actuation logic. Block logic becomes 2-out-of-2 coincident. | To restore the system to 2-out-of-3 coincidence, the operator must restore the bypassed channel and then bypass the failed channel function. |
| | ai. SG1 rupture relay driver fails on. | Emitter to collector short circuit | No effect on system. | Periodic test, 3-channel comparison. | 3-channel redundancy (4th channel in bypass). | No effect on AFAS1 actuation logic or on block logic. | |
| | aj. SG1 rupture relay coil fails open. | Mechanical failure | Same as 7ah. | Same as 7ah. | Same as 7ah. | Same as 7ah. | Same as 7ah. |
| | ak. Pre-trip opto-isolator fails on | Component failure, short circuit | Bistable pre-trip relay will not de-energize on valid low level signal. | Periodic test, 3-channel comparison. | None required. | No impact on AFAS1 actuation logic. | Same as above. |
| | al. Bistable hysteresis voltage fails high | Component failure | Bistable will reset at greater than desired SG1 level. | Periodic test. | 3-channel redundancy (4th channel in bypass). | AFAS1 reset logic becomes 1-out-of-2 coincident. | Same as above. |
| | am. Bistable hysteresis voltage fails low | Component failure | Bistable will reset at less than desired SG1 level | Periodic test. | Same as 7al. | Same as 7al | Same as above |
| | an. Bistable hysteresis voltage analog switch fails open | Component failure, open circuit | Bistable will reset at less than desired SG1 level. For reset before actuation, reset level will equal trip level, resulting in relay cycling. | Periodic test. | Same as 7al. | AFAS1 reset logic becomes 1-out-of-2 coincident. | Same as above |

7.3-77 Amendment No. 25 (04/12)

TABLE 7.3-10 (continued) AUXILIARY FEEDWATER ACTUATION SYSTEM FAILURE MODES AND EFFECTS ANALYSIS

| Name | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effect Upon AFAS | Remarks and Other Effects |
|---|---|---|---|---|---|---|---|
| | ao. Bistable hysteresis voltage analog switch fails closed | Component failure, short circuit | Bistable will trip greater than desired SG1 level | Periodic test. | Same as 7al. | AFAS1 actuation logic becomes 1-out-of-2 coincident. | Same as above |
| 8. SG2 Lo level bistable and bistable relay card (Channel A Typical) | Failure modes and effects on AFAS2 actuation logic for low steam generator level trips are equivalent to the failure modes and effects on AFAS1 actuation logic provided in line item 7, failure modes a through ao. | | | | | | |
| 9. Pressure SG1 < SG2 bistable and bistable relay card (Channel A, Typical) | a. Setpoint power fails off or low | Component failure, open circuit | Setpoint level goes to zero. Bistable relays de-energize for any P1 < P2 signal resulting in input to Channel A block circuit. | Annunciating | 3-channel redundancy (4th channel in bypass). | AFAS1 block logic becomes 1-out-of-2 coincident. | To restore the system logic to 2-out-of-3 coincidence, the operator must restore the bypassed channel and then bypass the failed channel function |
| | b. Setpoint power fails high | Component failure, short circuit | Bistable relays will not de-energize for valid SG1 Δp | Periodic test | 3-channel redundancy (4th channel in bypass). | AFAS1 block logic for SG1 Δp becomes 2-out-of-2. Block logic for FWH Δp not affected. | Same as above. |
| | c. Trip setpoint fails low | Component failure | Same as 9a. | Same as 9a. | Same as 9a. | Same as 9a. | Same as above. |
| | d. Trip setpoint fails high | Component failure | Same as 9b. | Same as 9b. | Same as 9b. | Same as 9b. | Same as above. |
| | e. Process "B" input buffer fails off or low | Component failure, open circuit | SG1 pressure signal goes to zero. Trip and pre-trip comparators de-energize bistable relays and initiates input to | Same as 9a. | Same as 9a. | AFAS1 block logic for SG1 Δp becomes 1-out-of-2. AFAS1 actuation logic or block logic for FWH Δp not affected. | Same as above. |

7.3-78 Amendment No. 25 (04/12)

TABLE 7.3-10 (continued) AUXILIARY FEEDWATER ACTUATION SYSTEM FAILURE MODES AND EFFECTS ANALYSIS

| Name | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effect Upon AFAS | Remarks and Other Effects |
|---|---|---|---|---|---|---|---|
| | f. Process "B" input buffer fails high | Component failure, short circuit | SG1 pressure signal goes high. Bistable will not change logic state for valid pressure differential. | Periodic test | 3-channel redundancy (4th channel in bypass) | AFAS1 block logic for SG1 becomes 2-out-of-2. Block logic for FWH not affected. | Same as above. |
| | g. Process "A" input buffer fails off or low | Component failure, open circuit. | SG2 pressure goes negative. Bistable will not change logic state for valid signal. | Periodic test | 3-channel redundancy (4th channel in bypass). | AFAS1 block logic for SG1 becomes 2-out-of-2. | Same as above. |
| | h. Process "A" input buffer fails high | Component failure, short circuit. | SG2 pressure goes high. Bistable relays de-energize resulting in input to channel A block circuit. | Annunciating | 3-channel redundancy (4th channel in bypass). | AFAS1 block logic becomes 1-out-of-2 coincident. | Same as above. |
| | i. Pre-trip setpoint fails low or off | Component failure | Pre-trip setpoint decreases. Pre-trip relays will not de-energize at desired pre-trip level. | Periodic test | 3-channel redundancy (4th channel in bypass). | No impact on AFAS1 block logic. | Same as above. |
| | j. Pre-trip setpoint fails high | Component failure | Pre-trip relays will de-energize at higher than desired pressure differential | Pre-trip alarm and periodic test. | None required | No impact on AFAS1 block logic. Spurious pre-trip alarms. | Same as above. |
| | k. Pre-trip voltage comparator fails off | Component failure, open circuit | Pre-trip relays de-energize at higher than desired SG1 pre-trip pressure. | Pre-trip alarm and test | None required | Spurious pre-test alarms no impact on AFAS1 block logic. | Same as above. |
| | l. Pre-trip voltage comparator fails on | Component failure, short circuit | Pre-trip relays will not de-energize at desired pre-trip setpoint. | Periodic test. | 3-channel redundancy (4th channel in bypass). | No impact on AFAS1 block logic. | Same as above. |
| | m. Pre-trip opto-isolator fails off | Open circuit, component failure | Pre-trip relay will de-energize | Annunciating pre-trip alarm. | None required. | No impact on AFAS1 block logic. | Same as above. |

7.3-79 Amendment No. 25 (04/12)

TABLE 7.3-10 (continued) AUXILIARY FEEDWATER ACTUATION SYSTEM FAILURE MODES AND EFFECTS ANALYSIS

| Name | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effect Upon AFAS | Remarks and Other Effects |
|---|---|---|---|---|---|---|---|
| | n. Pre-trip relay driver fails off | Component failure, open circuit. | Same as 9m. | Same as 9m. | Same as 9m. | Same as 9m. | Same as above. |
| | o. Pre-trip relay driver fails on | Emitter to collector short circuit. | Same as 9l. | Same as 9l. | Same as 9l. | Same as 9l. | Same as above. |
| | p. Pre-trip relay coil fails open | Mechanical failure | Same as 9m. | Same as 9m. | Same as 9m. | Same as 9m. | Same as above. |
| | q. Pre-trip relay contact to annunciator fails close | Mechanical damage, corrosion | Channel A SG1 pre-trip will not annunciate. | Periodic test | 3-channel redundancy (4th channel in bypass) visual indicator not affected. | No impact on AFAS1 block logic. | Same as above. |
| | r. Pre-trip relay contact to annunciator fails open | Contact arcing | Spurious Channel A SG1 pre-trip alarms. | Annunciating | None required. | AFAS1 block logic not affected. | Same as above. |
| | s. Pre-trip relay contact to indicator circuit fails open | Mechanical damage, corrosion | No visual indication of channel A SG1 pre-trip. | Periodic test | Annunciator not affected 3-channel redundancy (4th channel in bypass) | AFAS1 block logic not affected. | Same as above. |
| | t. Pre-trip relay contact in indicator circuit fails closed | Contact arcing | Spurious channel A pre-trip indications. | Visual pre-trip indication. | None required. | AFAS1 block logic not affected. | Same as above. |
| | u. Trip voltage comparator fails off | Open circuit, component failure | Bistable relays will de-energize resulting in input to AFAS1 block circuit. | Annunciating | 3-channel redundancy (4th channel in bypass). | AFAS1 block logic becomes 1-out-of-2 coincident. | Same as above. |

7.3-80 Amendment No. 25 (04/12)

TABLE 7.3-10 (continued) AUXILIARY FEEDWATER ACTUATION SYSTEM FAILURE MODES AND EFFECTS ANALYSIS

| Name | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effect Upon AFAS | Remarks and Other Effects |
|---|---|---|---|---|---|---|---|
| | v. Trip voltage comparator fails on | Component failure | Bistable relays will de-energize for valid SG1 signal. | Periodic test. | 3-channel redundancy (4th channel in bypass). | AFAS1 block logic for SG Δp becomes 2-out-of-2 coincident. | Same as above. |
| | w. Trip opto-isolator fails off | Component failure, open circuit | Bistable relays will de-energize resulting in input to channel A AFAS1 block circuit. | Annunciating | 3-channel redundancy (4th channel in bypass). | AFAS1 block logic becomes 1-out-of-2 coincident. | Same as above. |
| | x. Trip opto-isolator fails on | Component failure, short circuit | Bistable relays will not de-energize for valid SG1 signal. | Periodic test | 3-channel redundancy (4th channel in bypass). | AFAS1 block logic for SG Δp becomes 2-out-of-2 coincident. | Same as above. |
| | y. Trip relay driver fails off | Transistor failure, open circuit | Bistable relays de-energizes resulting in input to channel A AFAS1 block circuit. | Annunciating | 3-channel redundancy (4th channel in bypass). | AFAS1 block logic becomes 1-out-of-2 coincident. | Same as above. |
| | z. Trip relay driver fails on | Emitter to collector short circuit | Affected relay will not be able to de-energize for valid signals. | Periodic test | 3-channel redundancy (4th channel in bypass). | AFAS1 block logic for SG Δp becomes 2-out-of-2 coincident | Same as above. |
| | aa. Trip relay coil fails open | Mechanical failure | Same as 9y | Same as 9y | Same as 9y | Same as 9y | Same as above |
| | ab. Trip relay form c contacts to SG1 Rupture Identification circuit fails closed | Mechanical damage | Input to channel A block circuit will be initiated. | Periodic test | 3-channel redundancy (4th channel in bypass). | No impact on AFAS1 actuation logic. AFAS1 block logic for SG1 Δp becomes 1-out-of-2 coincident. | Same as above |

7.3-81 Amendment No. 25 (04/12)

TABLE 7.3-10 (continued) AUXILIARY FEEDWATER ACTUATION SYSTEM FAILURE MODES AND EFFECTS ANALYSIS

| Name | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effect Upon AFAS | Remarks and Other Effects |
|---|---|---|---|---|---|---|---|
| | ac. Trip relay form c contacts to SG1 Rupture Identification circuit fails open | Contacts welded | Relay cannot activate channel A block circuit. | Periodic test | 3-channel redundancy (4th channel in bypass). | No effect on AFAS1 actuation logic. AFAS1 block logic for SG1 becomes 2-out-of-2 coincident. | Same as above. |
| | ad. Trip status relay driver fails off | Transistor failure, open circuit | Trip status relay will de-energize resulting in spurious trip annunciator and indication. | Annunciating, 3-channel comparison | None required | No effect on AFAS1 actuation logic or block logic | The operator can restore the bypassed channel and then bypass the failed trip annunciator |
| | ae. Trip status relay driver fails on | Emitter to collector short circuit | Trip status relay will not de-energize for valid SG1 signal | Periodic test, 3-channel comparison | 3-channel redundancy (4th channel in bypass). | Same as above | Same as above. |
| | af. Trip status relay coil fails open | Mechanical failure | Same as 7ad | Same as 7ad | Same as 7ad | Same as above | Same as above. |
| | ag. Trip status relay form c contacts to trip annunciator circuit fails closed | Contacts welded | Annunciator will not signal relay coil or relay driver failure. | Periodic test, 3-channel comparison | 3-channel redundancy (4th channel in bypass). | No effect on AFAS1 block logic. | Same as above. |
| | ah. Trip status relay form c contacts to trip annunciator circuit fails open | Contacts welded, fuse failure | Spurious relay coil or relay driver failure annunciation | Annunciating | None required | AFAS1 block logic not affected. | Same as above. |

7.3-82 Amendment No. 25 (04/12)

TABLE 7.3-10 (continued) AUXILIARY FEEDWATER ACTUATION SYSTEM FAILURE MODES AND EFFECTS ANALYSIS

| Name | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effect Upon AFAS | Remarks and Other Effects |
|---|---|---|---|---|---|---|---|
| | ai. Trip status relay form c contact to indicator circuit fails open | Mechanical damage, corrosion | No visual indication of channel A SG1 trip | Periodic test | Annunciator not affected. 3-channel redundancy (4th channel in bypass). | AFAS1 actuation logic not affected | Same as above |
| | aj. Trip status relay form c contact to indicator circuit fails closed | Contact welded | Spurious trip visual indication for channel A SG1 | Visual trip indication | None required | AFAS1 actuation logic not affected | Same as above |
| | ak. Bistable hysteresis voltage fails high | Component failure | Bistable will reset at greater than desired SG1 | Periodic test | 3-channel redundancy (4th channel in bypass). | AFAS1 reset logic becomes 1-out-of-2 coincident. | Same as above |
| | al. Bistable hysteresis voltage fails low | Component failure | Bistable will reset at less than desired SG1 | Periodic test | Same as 7ak | Same as 7ak | Same as above |
| | am. Bistable hysteresis voltage analog switch fails open | Component failure, open circuit | Bistable will reset at less than desired SG1. For reset before actuation, reset level will equal trip level, resulting in relay cycling. | Periodic test | Same as 7ak | Same as 7ak | Same as above |
| | an. Bistable hysteresis voltage analog switch fails closed | Component failure, short circuit | Bistable will trip at greater than desired SG1 | Periodic test | Same as 7ak | AFAS1 actuation logic becomes 1-out-of-2 coincident | Same as above |
| 10. Pressure SG2 < SG1 Bistable | Failure modes and effects on AFAS2 block logic for pressure SG2 < SG1 trips are equivalent to the failure modes and effects on AFAS1 block logic provided in line Item 9, failure modes a through an. | | | | | | |

7.3-83 Amendment No. 25 (04/12)

TABLE 7.3-10 (continued) AUXILIARY FEEDWATER ACTUATION SYSTEM FAILURE MODES AND EFFECTS ANALYSIS

11. Pressure FWH1 < FWH2 Bistable: Failure modes and effects for pressure FWH1 < FWH2 trips are equivalent to failure modes and effects provided in line Item 9, failure modes a through an.

12. Pressure FWH2 < FWH1 Bistable: Failure modes and effects on AFAS2 block logic for pressure FWH2 < FWH1 trips are equivalent to the failure modes and effects on AFAS1 block logic provided in line Item 9, failure modes a through an.

| Name | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effect Upon AFAS | Remarks and Other Effects |
|---|---|---|---|---|---|---|---|
| 13. AFAS1 bistable card | a. One trip relay driver fails off | Transistor failure, open circuit | One bistable relay de-energizes resulting in half trip of AB, AC or AD logic matrix. | Indication in affected logic matrix | 3-channel redundancy (4th channel in bypass). | AFAS1 actuation logic remains 2-out-of-3 coincidence, with 1-out-of-2 selective coincidence between unaffected channels. | Same as 9a |
| | b. One trip relay driver fails on | Emitter to collector short circuit | Affected relay will not de-energize for valid signal | Periodic test | 3-channel redundancy (4th channel in bypass). | AFAS1 actuation logic becomes 2-out-of-2 coincident. | Same as above |
| | c. One trip relay coil fails | Mechanical failure | Same as 13a | Same as 13a | Same as 13a | Same as 13a | |
| | d. One trip relay form c contact to 2/4 logic matrix fails open | Contacts welded, component failure | Channel A AFAS1 test coil will de-energize resulting in half trips of the AB, AC and AD logic matrices. | Visual indication | 3-channel redundancy (4th channel in bypass). | AFAS1 actuation logic becomes 1-out-of-2 coincident. | Same as above |
| | e. One trip relay form c contact to 2/4 logic matrix fails closed | Contacts welded | Channel A AFAS1 test coils will not de-energize for valid signal. | Periodic test | 3-channel redundancy (4th channel in bypass). | AFAS1 actuation logic becomes 2-out-of-2 coincident. | Same as above |

7.3-84 Amendment No. 25 (04/12)

TABLE 7.3-10 (continued) AUXILIARY FEEDWATER ACTUATION SYSTEM FAILURE MODES AND EFFECTS ANALYSIS

| Name | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effect Upon AFAS | Remarks and Other Effects |
|---|---|---|---|---|---|---|---|
| | f. One trip relay form c contact to trip annunciator circuit fails open. | Contacts welded | Annunciator will not signal relay coil or relay driver failure. | Periodic test | 3-channel redundancy (4th channel in bypass). | AFAS1 actuation logic not affected | Same as above |
| | g. One trip form c contact to trip annun circuit fails closed. | Contacts welded | Spurious relay coil or relay driver failure indications. | Annunciating | None required | AFAS1 not affected | Same as above |

14. AFAS2 Bistable card: Failure modes and effects on AFAS2 actuation logic for AFAS2 bistable trips are equivalent to the failure modes and effects on AFAS1 actuation logic provided in line Item 13, failure modes a through g.

| Name | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effect Upon AFAS | Remarks and Other Effects |
|---|---|---|---|---|---|---|---|
| 15. Logic matrix relay driver | a. Fails off | Transistor failure, open circuit | One matrix relay de-energizes inducing a trip via the time delay circuitry in one of four AFAS2 trip paths. | Visual Indicator | A minimum of two trip paths must be de-energized to produce a trip. | AFAS1 actuation logic remains 2-out-of-3 coincident. | Same as 9a. |
| | b. Fails on | Emitter to collector short circuit | One logic matrix relay will not de-energize on a valid signal coincidence. | Periodic test | 3-channel redundancy (4th channel in bypass). | AFAS1 actuation logic remains 2-out-of-3 coincident. Affected logic matrix can still generate a trip to other three circuits. | Same as above |
| 16. Logic matrix relay coil | a. Fails open | Open | One matrix relay de-energizes inducing a trip via the time delay circuitry in one of four AFAS1 trip paths. | Visual Indication | A minimum of two trip paths must be de-energized to produce a trip. | AFAS1 actuation logic remains 2-out-of-3 coincident | Same as above |

7.3-85 Amendment No. 25 (04/12)

TABLE 7.3-10 (continued) AUXILIARY FEEDWATER ACTUATION SYSTEM FAILURE MODES AND EFFECTS ANALYSIS

| Name | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effect Upon AFAS | Remarks and Other Effects |
|---|---|---|---|---|---|---|---|
| | b. Shorted | Hot Short | Affected matrix relay will not de-energize on valid signal. | Periodic test | 3-channel redundancy (4th channel in bypass). | Same as above | Same as above |
| 17. One logic matrix relay contact in trip path | a. Fails open | Open circuit, mechanical damage, corrosion | Induced trip via the time delay circuitry in one of four trip paths. | Visual Indication | A minimum of two trip paths must be de-energized to produce a trip. | AFAS1 actuation remains 2-out-of-3 coincident. | Same as above. |
| | b. Fails closed | Contact weld | One matrix relay contact will not open for valid signal. | Periodic test | 3-channel redundancy (4th channel in bypass). | AFAS1 actuation logic remains 2-out-of-3 coincident. Affected logic matrix can still generate a trip with other relay. | Same as above |
| 18. One logic matrix indicator lamp | a. Fails off | Broken filament | Spurious indication that one matrix relay is de-energized. | Annunciating, visual indication | None required. | No effect on AFAS1 trip logic. | Same as above. |
| | b. Fails on | Hot short | No indication of matrix relay failure or de-energization. | Periodic test. | None required. | Same as above. | Same as above. |
| 19. One matrix power supply | a. Fails off or low | Component failure, open circuit | Loss of one power supply. | Annunciating, visual indication. | Second power supply provides power to logic matrix relays. | No effect on AFAS1 trip logic | Same as above. |
| | b. Fails high | Component failure | Possible overstress of 2-out-of-4 logic matrix relays. Relays may fail open and logic matrix may become half-tripped. | Visual indication if matrix fails open. | Same as above | Same as above | Same as above |
| 20. Logic matrix power supply diode | a. Fails open | Overstress, mechanical damage | Loss of one of two matrix power supplies. | Power supply trouble alarm, visual indication. | Same as above | Same as above | Same as above |

7.3-86 Amendment No. 25 (04/12)

TABLE 7.3-10 (continued) AUXILIARY FEEDWATER ACTUATION SYSTEM FAILURE MODES AND EFFECTS ANALYSIS

| Name | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effect Upon AFAS | Remarks and Other Effects |
|---|---|---|---|---|---|---|---|
| | b. Shorted | Overstress | No impact during normal operation, loss of isolation for power supplies | Periodic test | Redundant power supplies | No impact on AFAS1 trip logic. | Same as above |
| 21. Logic matrix power supply | Fails open | Overstress, mechanical damage | Loss of one of two matrix power supplies. | Power supply trouble alarm, visual indication | Redundant power supplies. | AFAS1 actuation logic remains 2-out-of-3 coincident. | Same as above. |
| 22. Logic matrix power supply indicator lamp | Fails off | Open filament | Spurious visual indication of failure of one logic matrix power supply. | Visual indication, no alarm | None required | No impact on AFAS1 trip logic | Same as above. |
| 23. Logic matrix power supply trouble annunciator relay | Fails open | Overstress, mechanical damage, open circuit. | Spurious logic matrix power supply alarms. | Annunciating | None required. | No impact on AFAS1 trip logic. | Same as above. |
| 24. Logic matrix power supply trouble annunciator relay contact | a. Fails open | Mechanical damage, open circuit, corrosion | Same as above | Same as above | Same as above | Same as above | Same as above |
| | b. Fails closed | Contact weld | Power supply trouble alarm will not sound if power supply fails. | None, if power supply fails then visual indication, no alarm. | Visual power supply operability indication | No impact on AFAS1 trip logic. | Same as above |
| 25. Remote manual pushbutton | a. Fails open | Mechanical damage, open circuit | Initiation relays for Channel A AFAS1 will de-energize and initiate input to Channel A AFAS1 actuation circuit. | Visual indication and annunciation | A minimum of two trip paths must be de-energized in actuation circuit to produce a trip. | AFAS1 actuation circuit becomes 1-out-of-3 selective. | Same as 9a. |
| | b. Fails closed | Contact weld, short circuit | Unable to de-energize channel A initiation relays for AFAS1 by using pushbutton. | Periodic test | 3-channel redundancy (4th channel in bypass). | AFAS1 for one leg becomes 2-out-of-3 selective. | Same as above |

7.3-87 Amendment No. 25 (04/12)

TABLE 7.3-10 (continued) AUXILIARY FEEDWATER ACTUATION SYSTEM FAILURE MODES AND EFFECTS ANALYSIS

| Name | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effect Upon AFAS | Remarks and Other Effects |
|---|---|---|---|---|---|---|---|
| 26. Initiation relay | Fails open | Open circuit | One initiation relay de-energizes and initiates input to one leg of actuation circuit. | Annunciating | 3-channel redundancy (4th channel in bypass) | AFAS1 remains 2-out-of-3 coincident, initiation logic becomes 1-out-of-3 selective. | Same as above |
| 27. Initiation relay contacts in actuation circuit | a. Fails open | Open circuit, corrosion, mechanical damage | AFAS1 channel A will become half tripped. | Annunciating | 3-channel redundancy (4th channel in bypass). | AFAS1 remains 2-out-of-3 coincident with initiation logic becoming 1-out-of-3 selective. | Same as above |
| | b. Fails closed | Contact weld, short circuit | AFAS1 channel A actuation relay will not de-energize to actuate AFAS1 channel A equipment. | Periodic test | Parallel redundancy in channel. | AFAS1 remains 2-out-of-3 coincident with initiation logic becoming 2-out-of-3 selective. | Same as above. |
| 28. Actuation power supply | a. Fails off or low | Component failure, open circuit | Loss of power from one power supply for one set of actuation relays and bistables. | Annunciation and visual indication | Power to each channel's bistables and actuation circuits is provided by two auctioneered supplies. If one fails, the other will meet requirements. | No effect on AFAS1 logic. | Same as above |
| | b. Fails high | Component failure | Same as 28a | Annunciating, and visual indication | Automatic overvoltage protection. Redundant power supply unaffected. | No effect on AFAS logic. | Same as above. |

7.3-88 Amendment No. 25 (04/12)

TABLE 7.3-10 (continued) AUXILIARY FEEDWATER ACTUATION SYSTEM FAILURE MODES AND EFFECTS ANALYSIS

| Name | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effect Upon AFAS | Remarks and Other Effects |
|---|---|---|---|---|---|---|---|
| 29. Actuation power supply diode | a. Fails open | Overstress, mechanical damage | Loss of one of two power supplies for one set of actuation relays. | Power supply trouble alarm, visual indication. | Redundant power supply. | No effect on AFAS1 logic. | Same as above. |
| | b. Shorted | Overstress | No impact in normal operation, loss of isolation of one power supply. | Periodic test | Redundant power supply. | No effect on AFAS1 logic. | Same as above. |
| 30. AFAS1 Actuation Circuit status | a. Relay coil fails open | Mechanical failure | Spurious visual indication that AFAS1 channel A has actuated. | Visual indication. | None required | No effect on AFAS1 actuation circuit. | |
| | b. Relay driver fails off | Transistor failure, short circuit. | Same as 30a. | Same as 30a. | Same as 30a. | Same as above. | |
| | c. Relay driver fails on | Emitter to collector short circuit | No impact on system operation | Periodic test. | Same as 30a. | Same as above. | |
| 31. Actuation circuit indicator lamp. | Fails off | Burnt filament, mechanical damage. | Spurious visual indication that one leg of actuation circuit has opened. | Visual indication. | None required. | No effect on AFAS1 logic. | Same as above |
| 32. AFAS1 Manual actuation pushbutton | a. Fails open | Mechanical damage, open circuit | AFAS1 channel A actuation. | Annunciating. | AFAS1 not fully actuated. | AFAS1 actuated, AFAS2 unaffected. | Same as above |
| | b. Fails closed | Contact weld, mechanical damage | Manual actuation will not open one leg of actuation circuit. | Periodic test | Automatic actuation not affected | No manual actuation of one leg of AFAS1 | Same as above. |
| 33. AFAS1 Lockout reset pushbutton | a. Fails open | Mechanical damage. | No impact in normal operation. Unable to reset latching relays after test or actuation. | Periodic test. | None required. | No effect on AFAS1 logic. | Same as above. |

7.3-89 Amendment No. 25 (04/12)

TABLE 7.3-10 (continued) AUXILIARY FEEDWATER ACTUATION SYSTEM FAILURE MODES AND EFFECTS ANALYSIS

| Name | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effect Upon AFAS | Remarks and Other Effects |
|---|---|---|---|---|---|---|---|
| | b. Fails closed | Contact weld, mechanical damage. | Inadvertent automatic reset of relays. | Periodic test. | Automatic actuation and manual initiation not affected. | No effect on AFAS1 logic. | Same as above. |
| 34. AFAS1 Lockout relay coil | a. Fails open | Open circuit, overstress, mechanical damage. | One actuation leg opens. | Annunciating. | Opposite actuation leg will provide power to actuation relays. | No effect on AFAS1 logic. | Same as above. |
| | b. Shorted | Mechanical damage. | Partial trip in one leg of AFAS1. | Visual indication. | Opposite actuation leg will provide power to actuation relays. | Same as above | Same as above. |
| 35. AFAS1 Interposing relay coil | a. Fails open | Mechanical damage, open circuit. | No impact on system operation. | Periodic test | None required. | No effect on AFAS1 actuation circuit. | Same as above. |
| | b. Short | Mechanical short | Interposing relay contact will not be held closed. | Periodic test | None required. | Same as above. | Same as above. |
| 36. AFAS1 Interposing relay | a. Fails open | Mechanical damage | Same as 35a. | Periodic test. | Same as above. | Same as above. | Same as above. |
| | b. Fails closed | Contact weld | Cycling and latching relays will not de-energize for valid trip. | Periodic test. | Manual actuation not affected. | No automatic actuation of one leg of AFAS1 | |
| 37. Lockout relay N.O. contact | a. Fails open | Open circuit, mechanical damage | One actuation leg opens. | Annunciating | Opposite actuation leg provides power to actuation relays. | No effect on AFAS1 logic. | Same as above |
| | b. Fails closed | Contact weld, mechanical damage | Latching relay equipment will cycle with relays. | Periodic test | Automatic actuation and manual initiation not affected. | AFAS1 logic not affected. | Same as above. |

7.3-90 Amendment No. 25 (04/12)

TABLE 7.3-10 (continued) AUXILIARY FEEDWATER ACTUATION SYSTEM FAILURE MODES AND EFFECTS ANALYSIS

| Name | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effect Upon AFAS | Remarks and Other Effects |
|---|---|---|---|---|---|---|---|
| 38. Lockout indication lamp. | Fails off | Burnt filament, mechanical damage. | Spurious visual indication that one lockout relay is de-energized. | Visual indication | None required. | No effect on AFAS1 logic. | Same as above. |
| 39. AFAS1 actuation relay coil | a. Fails open | Mechanical damage, open circuit | One valve or pump will be actuated in one train of AFAS1. | Visual indication. | Only one component will be actuated. The full train will not be actuated. | Full AFAS actuation still requires 2-out-of-3 signal coincidence. | Same as above. |
| | b. Shorted | Mechanical short | Actuation relay will not hold contacts, one pump or one valve will be actuated in one AFAS1 train. | Visual indication | Same as above | Same as above | Same as above |
| 40. Actuation relay indicator N.C. contacts | a. Fails closed | Contact weld, mechanical damage | Unable to test actuation of one pump or valve in one AFAS train. | Periodic test. | None required. | No effect on AFAS1 logic. | Same as above. |
| | b. Fails open | Mechanical damage | One valve or one pump will be actuated in one AFAS train. | Visual indication | One component will be actuated, full train will not be actuated by failure of one actuation relay. | AFAS actuation remains 2-out-of-3 coincidence. | Same as above. |
| 41. Actuation relay Indicator NO contacts. | a. Fails closed | Contact weld, mechanical damage | Spurious indication of failed actuation relay. | Visual indication | None required. | No impact on AFAS logic. | Same as above. |
| | b. Fails open | Mechanical damage, open circuit | No indication of actuation relay failure. | Periodic test | None required. | No impact on AFAS logic. | Same as above |
| 42. Time delay circuitry | a. Timer fails off or slow | Component failure | Timer will not de-energize initiation relays if it fails off. Time delay will be increased if timer fails slow. | Periodic test | 3-channel redundancy (4th channel in bypass). | AFAS1 remains 2-out-of-3 coincident with initiation logic becoming out-of-3 selective. | Same as above |

7.3-91 Amendment No. 25 (04/12)

TABLE 7.3-10 (continued) AUXILIARY FEEDWATER ACTUATION SYSTEM FAILURE MODES AND EFFECTS ANALYSIS

| Name | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effect Upon AFAS | Remarks and Other Effects |
|---|---|---|---|---|---|---|---|
| | b. Timer fails fast | Component failure | Timer will de-energize initiation relays before desired delay. | Periodic test | 3-channel redundancy (4th channel in bypass). | AFAS1 remains 2-out-of-3 coincident with initiation logic becoming 1-out-of-3 selective after timer has timed out. | Same as above. |
| | c. Time delay driver fails off | Transistor failure, open circuit | Time delay relay will de-energize resulting in the de-energizing of the associated initiation relays. | Visual indication. | A minimum of two trip paths must be de-energized to produce a trip. | AFAS1 remains 2-out-of-3 coincident with initiation logic becoming 1-out-of-3 selective. | Same as above |
| | d. Time delay relay driver fails on | Emitter to collector, short circuit | Affected relay will not de-energize for valid signal. | Periodic test | 3-channel redundancy (4th channel in bypass). | Same as 42a | Same as above |
| | e. Time delay relay coil fails open | Mechanical failure | Same as 42c. | Same as 40c. | Same as 42c. | Same as 42c. | Same as above |
| | f. Time delay contact to initiation circuit fails closed. | Contacts welded, component failure | Initiation relays in affected trip path will not de-energize on valid signal. | Periodic test | Same as 42a. | Same as 42a. | Same as above |
| | g. Time delay relay contact to initiation circuit fails open. | Component failure | Initiation relays will be de-energized. | Visual indication | Same as 42c. | Same as 42c. | Same as above |
| | h. Opto-isolator between timer and analog switch, fails off | Component failure, open circuit | Analog switch in normally open state providing continuous hysteresis voltage to bistable comparator. Associated bistable will trip at greater than desired SG1 level. | Periodic test | Same as 42a. | AFAS1 actuation logic becomes 1-out-of-2 coincident | Same as above |

7.3-92 Amendment No. 25 (04/12)

TABLE 7.3-10 (continued) AUXILIARY FEEDWATER ACTUATION SYSTEM FAILURE MODES AND EFFECTS ANALYSIS

| Name | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effect Upon AFAS | Remarks and Other Effects |
|---|---|---|---|---|---|---|---|
| | i. Opto-isolator between timer and analog switch, fails on | Component failure, short circuit | Timer timing-out will not change state of analog switch. Associated bistable will reset at less than desired SG1 level | Periodic test | Same as 42a | AFAS1 reset logic becomes 1-out-of-2 coincident. | Same as above |
| | j. Time delay analog switch fails closed | Component failure, short circuit | Associated bistable will trip at greater than desired SG1 level. | Periodic test | Same as 42a | Same as 42i. | Same as above |
| | k. Time delay analog switch fails open | Component failure, open circuit | Associated bistable will reset at lower than desired SG1 level. | Periodic test | Same as 42a | Same as 42h. | Same as above |
| | l. Time delay hysteresis voltage fails high | Component failure | Same as 42j. | Periodic test. | Same as 42a | Same as 42i. | Same as above |
| | m. Time delay hysteresis voltage fails low | Component failure | Same as 42k. | Periodic test. | Same as 42a | Same as 42h. | Same as above |
| | n. Hysteresis voltage summer, output fails high | Component failure | Same as 42j. | Periodic test. | Same as 42a | Same as 42i. | Same as above |
| | o. Hysteresis voltage summer output fails low | Component failure | Same as 42k. | Periodic test. | Same as 42a | Same as 42h. | Same as above |

7.3-93 Amendment No. 25 (04/12)

Refer to drawing 8770-B-327 Sheet 372 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL WIRING DIAGRAM PRESSURIZER PRESSURE P-1102A MEASUREMENT LOOP FIGURE 7.3.1 Amendment No. 15 (1/97)

Refer to drawing 8770-5518 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 ELEC. SCHEMATIC-ESFAS MC FIGURE 7.3.2 Amendment No. 15 (1/97)

Refer to drawing 8770-5521 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 ELEC SCHEMATIC-ESFAS SA FIGURE 7.3.3 Amendment No. 15 (1/97)

[Logic diagram: containment pressure measurement channels and pressurizer pressure measurement channels] FLORIDA POWER & LIGHT COMPANY St. Lucie Plant SIAS LOGIC DIAGRAM FIGURE 7.3-4 Am. 1-7/83

Refer to drawing 8770-B-326 Sheet 251 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 SCHEMATIC DIAGRAM LP SAFETY INJECTION PUMP 1A FIGURE 7.3-5 Amendment No. 15 (1/97)

Refer to drawing 8770-B-326 Sheet 252 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 SCHEMATIC DIAGRAM LP SAFETY INJECTION PUMP 1B FIGURE 7.3-6 Amendment No. 15 (1/97)

Refer to drawing 8770-B-326 Sheet 237 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 SCHEMATIC DIAGRAM LP SAFETY INJECTION PUMP 1A FIGURE 7.3-7 Amendment No. 15 (1/97)

Refer to drawing 8770-B-326 Sheet 238 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 SCHEMATIC DIAGRAM LP SAFETY INJECTION PUMP 1B FIGURE 7.3-8 Amendment No. 15 (1/97)

THIS FIGURE HAS BEEN DELETED Amendment No. 16, (1/98) FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 SCHEMATIC DIAGRAM HP INJECTION PUMP 1C FIGURE 7.3-9

Refer to drawing 8770-B-327 Sheet 278 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 HPSI PUMP DISCHARGE VALVE V-3655 (CONTROL WIRING DIAGRAM) FIGURE 7.3-9a Amendment No. 15 (1/97)

Refer to drawing 8770-B-326 Sheet 257 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 SCHEMATIC DIAGRAM LP SAFETY INJECTION FLOW CONTROL VALVES FIGURE 7.3-10 Amendment No. 15 (1/97)

Refer to drawing 8770-B-326 Sheet 269 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 SCHEMATIC DIAGRAM LP SAFETY INJECTION TANK ISOLATION VALVE V-3624 FIGURE 7.3-10a Amendment No. 15 (1/97)

[Logic diagram: refueling water tank level measurement channels and containment pressure measurement channels. Notes on the diagram: FAILURE OF BATTERY 1A SHALL BLOCK ACTUATION OF BISTABLES A AND C; FAILURE OF BATTERY 1B SHALL BLOCK ACTUATION OF BISTABLES B AND D.] SK-8770-145 SH. 2 FLORIDA POWER & LIGHT COMPANY St. Lucie Plant RAS AND CSAS LOGIC DIAGRAM FIGURE 7.3-11

Refer to drawing 8770-B-326 Sheet 287 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 SCHEMATIC DIAGRAM CONTAINMENT SPRAY PUMP 1A FIGURE 7.3-12 Amendment No. 15 (1/97)

Refer to drawing 8770-B-326 Sheet 290 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 SCHEMATIC DIAGRAM CONTAINMENT SPRAY PUMP 1B FIGURE 7.3-13 Amendment No. 15 (1/97)

[Logic diagram: radiation monitoring measurement channels and containment pressure measurement channels] SK-8770-145 SH. 3 FLORIDA POWER & LIGHT COMPANY St. Lucie Plant CIS LOGIC DIAGRAM FIGURE 7.3-14

Refer to drawing 8770-B-326 Sheet 511 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 SCHEMATIC DIAGRAM REACTOR CONTAINMENT PURGE ISOL VALVES FIGURE 7.3-15a Amendment No. 15 (1/97)

Refer to drawing 8770-B-326 Sheet 512 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 SCHEMATIC DIAGRAM REACTOR CONTAINMENT PURGE ISOL VALVES FIGURE 7.3-15b Amendment No. 15 (1/97)

Refer to drawing 8770-B-326 Sheet 513 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 SCHEMATIC DIAGRAM EC SHIELD BLDG VENT EXHAUST FAN HVE-6A 288994 FIGURE 7.3-16 Amendment No. 29 (10/18)

Refer to drawing 8770-B-326 Sheet 516 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 SCHEMATIC DIAGRAM EC SHIELD BLDG VENT EXHAUST FAN HVE-6B 288994 FIGURE 7.3-17 Amendment No. 29 (10/18)

[Logic diagram: steam generator pressure measurement channels; outputs CLOSE CH. A MSIV, MFIV & MFW PUMP DISCHARGE VALVE and CLOSE CH. B MSIV, MFIV & MFW PUMP DISCHARGE VALVE]

Refer to drawing 8770-B-326 Sheet 312 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 SCHEMATIC DIAGRAM MAIN STEAM ISOLATION VALVE HCV-08-1A OPENING CLOSING & TESTING FIGURE 7.3-19 Amendment No. 22 (05/07)

Refer to drawing 8770-B-326 Sheet 315 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 SCHEMATIC DIAGRAM MAIN STEAM ISOLATION VALVE HCV-08-1B OPENING, CLOSING, & TESTING FIGURE 7.3-20 Amendment No. 22 (05/07)

FLORIDA POWER & LIGHT COMPANY St. Lucie Plant TIME TO SIAS ACTUATION VS. LOCA BREAK SIZE FIGURE 7.3-21 [Plot, not reproduced. Horizontal axes: BREAK AREA (FT2); EQUIVALENT PIPE DIAMETER (INCHES) (SINGLE-ENDED RUPTURE).]
FLORIDA POWER & LIGHT COMPANY St. Lucie Plant TIME TO CSAS ACTUATION VS. LOCA BREAK SIZE FIGURE 7.3-22 [Plot, not reproduced. Horizontal axes: BREAK AREA (FT2); EQUIVALENT PIPE DIAMETER (INCHES) (SINGLE-ENDED RUPTURE).]

FLORIDA POWER & LIGHT COMPANY St. Lucie Plant TIME TO CIS ACTUATION VS. LOCA BREAK SIZE FIGURE 7.3-23 [Plot, not reproduced. Horizontal axes: BREAK AREA (FT2); EQUIVALENT PIPE DIAMETER (INCHES) (SINGLE-ENDED RUPTURE). Legible curve label: HIGH PRESSURE SETPOINT. Note: For CIS actuation on SIAS time see Fig. 7.3-21.]

Refer to drawing 8770-G-226 Sheet 1 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 REACTOR BUILDING INSTRUMENT ARRANGEMENT (SH 1) FIGURE 7.3-24 Amendment No. 22 (05/07)

Refer to drawing 8770-G-226 Sheet 2 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 REACTOR BUILDING INSTRUMENT ARRANGEMENT (SH2) FIGURE 7.3-25 Amendment No. 25 (04/12)

Refer to drawing 8770-G-226 Sheet 3 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 REACTOR BUILDING INSTRUMENT ARRANGEMENT (SH 3) FIGURE 7.3-26 Amendment No. 15 (1/97)

Refer to drawing 8770-G-229 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 MISCELLANEOUS INSTRUMENT ARRANGEMENT FIGURE 7.3-26a Amendment No. 15 (1/97)

FLORIDA POWER & LIGHT COMPANY St. Lucie Plant ESFAS AUTOMATIC TEST CIRCUIT FIGURE 7.3-27 [Circuit diagram, not reproduced.]

Refer to drawing 8770-B-276 Sheet 25.1 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL & BLOCK DIAGRAM (REACTOR AUXILIARY BUILDING SUPPLY FAN HVS-4A) FIGURE 7.3-28 Amendment No. 22 (05/07)

Refer to drawing 8770-B-276 Sheet 25.2 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL & BLOCK DIAGRAM (REACTOR AUXILIARY BUILDING SUPPLY FAN HVS-4B) FIGURE 7.3-29 Amendment No. 22 (05/07)

Refer to drawing 8770-B-276 Sheet 25.3 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL & BLOCK DIAGRAM (EMERGENCY EXHAUST FAN HVE-9A) FIGURE 7.3-30 Amendment No. 22 (05/07)

Refer to drawing 8770-B-276 Sheet 25.4 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL & BLOCK DIAGRAM (EMERGENCY EXHAUST FAN HVE-9B) FIGURE 7.3-31 Amendment No. 22 (05/07)

Refer to drawing 8770-B-276 Sheet 25.5 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL & BLOCK DIAGRAM (CONTROL ROOM FAN HVA-3A) FIGURE 7.3-32 Amendment No. 22 (05/07)

Refer to drawing 8770-B-276 Sheet 25.6 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL & BLOCK DIAGRAM (CONTROL ROOM FAN HVA-3B) FIGURE 7.3-33 Amendment No. 22 (05/07)

Refer to drawing 8770-B-276 Sheet 25.7 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL & BLOCK DIAGRAM (CONTROL ROOM FAN HVA-3C) FIGURE 7.3-34 Amendment No. 22 (05/07)

Refer to drawing 8770-B-276 Sheet 25.8 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL & BLOCK DIAGRAM (CONTROL ROOM FAN HVE-13A) FIGURE 7.3-35 Amendment No. 22 (05/07)

Refer to drawing 8770-B-276 Sheet 25.9 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL & BLOCK DIAGRAM (CONTROL ROOM FAN HVE-13B) FIGURE 7.3-36 Amendment No. 22 (05/07)

Refer to drawing 8770-B-276 Sheet 25.12 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL & BLOCK DIAGRAM (REACTOR CONTAINMENT AIR RECIRC UNIT - FAN HVS 1A) FIGURE 7.3-37 Amendment No. 22 (05/07)

Refer to drawing 8770-B-276 Sheet 25.10 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL & BLOCK DIAGRAM (SHIELD BUILDING VENTILATION SYSTEM A EXHAUST HVE-6A) FIGURE 7.3-38 Amendment No. 22 (05/07)

Refer to drawing 8770-B-276 Sheet 25.11 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL & BLOCK DIAGRAM (SHIELD BUILDING VENTILATION SYSTEM B EXHAUST HVE-6B) FIGURE 7.3-39 EC 288994 Amendment No. 9 1018

FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 PRESSURIZER PRESSURE & CONTAINMENT PRESSURE ESFAS MEASUREMENT CHANNELS FIGURE 7.3-40 AMENDMENT NO. 10 (7/91) [Block diagram, not reproduced. Legible labels: MEASUREMENT CHANNEL MA; LOGIC CHANNEL SA; SIAS LOGIC CH A (CONT'D ON FIG 7.3-43); MANUAL TEST INPUT; LOGIC CHANNEL SB SIAS LOGIC SAME AS CH A. Notes: MEASUREMENT CHANNELS MB, MC & MD ARE IDENTICAL TO CHANNEL MA. Legend entries: FROM CHANNEL MB, MC & MD BISTABLE MODULES; ANNUNCIATOR.]

FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTAINMENT RADIATION & PRESSURE ESFAS MEASUREMENT CHANNELS FIGURE 7.3-41 [Block diagram, not reproduced. Legible labels: 120V AC SUPPLY; DC SUPPLY; RADIATION; CONTAINMENT PRESSURE; LOGIC CHANNEL SA; LOGIC CHANNEL SB; CIS LOGIC; CSAS LOGIC; ISOLATION MODULE; MANUAL TEST INPUT; AUTOMATIC TEST INPUT; LOGIC SAME AS CH. A. Notes: MEASUREMENT CHANNELS MB, MC & MD ARE IDENTICAL TO CHANNEL MA. Legend entries: FROM CHANNEL MB, MC & MD BISTABLE MODULES; ANNUNCIATOR.]

FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 REFUELING WATER TANK & STEAM GENERATOR ESFAS MEASUREMENT CHANNELS FIGURE 7.3-42 [Block diagram, not reproduced. Legible labels: REFUELING WATER TANK LEVEL; RAS LOGIC; STEAM GENERATOR (TYPICAL); LOGIC CHANNEL SA; MSIS LOGIC; MSIS BLOCK; BLOCK LOGIC; BISTABLE MODULE; MANUAL TEST INPUT; AUTOMATIC TEST INPUT; SAME AS CHANNEL A. Notes: MEASUREMENT CHANNELS MB, MC & MD ARE IDENTICAL TO CHANNEL MA. STEAM GENERATOR 2B INSTRUMENTATION IS IDENTICAL TO STEAM GENERATOR 2A. Legend entries: FROM CHANNEL MB, MC & MD BISTABLE MODULES; ANNUNCIATOR.]

FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 ESFAS LOGIC CHANNEL FIGURE 7.3-43

Note: ESFS logic channel SB is identical to channel SA.

FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 ESFAS INTERCONNECTIONS FOR AB SHARED SYSTEM EQUIPMENT FIGURE 7.3-44

Diagram labels: logic cabinets SA and SB; measurement cabinets MA, MB, MC and MD; 2/4 actuation module used for AB channel only; 24V DC relay; interfacing wires between channel "A" and channel "AB", total 2 wires; box AB2 same as AB1; 2 hermetically sealed rotary relays (insulation resistance 1000 megohms, dielectric strength 1000V RMS, 60 Hz minimum, relay shell steel); steel conduit to equipment circuits.

FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT - UNIT 1 COMPONENT COOLING WATER SURGE TANK VENT CONTROL FIGURE 7.3-45 AMENDMENT NO. . 2 ( 12/93)

Refer to Drawing 8770-11613 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 AUXILIARY FEEDWATER ACTUATION SYS. SIMPLIFIED FUNCTIONAL DIAGRAM FIGURE 7.3-46 Amendment No. 26 (11/13)

Refer to Drawing 8770-11612 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 AUXILIARY FEEDWATER ACTUATION SYSTEM TESTING SYSTEM DIAGRAM FIGURE 7.3-47 Amendment No. 26 (11/13)

ST. LUCIE UNIT 1 ATWS/DSS BLOCK DIAGRAM

Diagram labels: SAFETY RELATED / NON-SAFETY; ESFAS-SA; ESFAS-SB; CONTROL ROOM ANNUNCIATORS.

7.4 SYSTEMS REQUIRED FOR SAFE SHUTDOWN

This section describes the instrumentation and control systems that are required to establish and maintain a safe shutdown condition for the reactor. "Safe Shutdown" is defined as hot standby conditions as a minimum, with the capability to proceed to cold shutdown should conditions warrant. In most cases these instrumentation and control systems are utilized in the performance of both normal and emergency plant operations. Plant modes of operation are defined in the plant Technical Specification.

7.4.1 DESCRIPTION

The shutdown system, which is manually operated, is not a protective system as listed in the scope, paragraph 1 of IEEE-279. Therefore, the design bases (Section 3) of IEEE-279 do not apply. Nevertheless, the system conforms to many of the requirements of IEEE-279 as described in Section 7.4.2. The instrumentation and controls required for safe shutdown meet the following design bases:

a) The systems conform to the provisions of IEEE-308 (November 1970), "Criteria for Class 1E Electric Systems for Nuclear Power Generating Stations."
b) Any single failure will not prevent safe plant shutdown.
c) Channel independence is maintained by electrical and physical separation between redundant channels.
d) Equipment, including electrical cables, associated with redundant systems is identified as described in Section 7.1.2.5.
e) The systems are designed to withstand design basis earthquake loads without loss of their safety functions.
f) The systems can be tested as described in Section 7.4.2.1.10.
g) Equipment is provided in appropriate locations outside the control room to bring the plant to a hot standby condition with potential capability for subsequent cold shutdown.

In order to achieve safe plant shutdown, controls and instrumentation are provided to allow the operator to actuate, control and monitor operation of systems and components necessary to bring the unit from full power operation to cold shutdown. A tabulation of control room instrument readouts used to monitor shutdown is shown on Table 7.4-1. Process Instrumentation available to the operator in the control room which can be used to assist in assessing post-LOCA condition is shown on Table 7.5-3.

7.4-1 Amendment No. 22 (05/07)

For safe shutdown, plant procedures include the following sequence of operations assuming concurrent loss of off-site power:

a) Automatic actuation of emergency diesel generators
b) Maintenance of hot standby conditions which requires:
   1) Actuation and operation of auxiliary feedwater system
   2) Actuation and control of atmospheric dump valves
   3) Monitoring of reactor coolant system pressure, temperature and pressurizer level
   4) Monitoring of steam generator pressure and level
c) Boration of reactor coolant system which requires:
   1) Actuation and control of boron addition and charging subsystem of CVCS
   2) Monitoring of reactor coolant system boron concentration
d) Reactor coolant system cooldown to 325°F which requires:
   1) Operation and control of auxiliary feedwater system
   2) Control of atmospheric dump valves
e) Reactor coolant system cooldown to cold shutdown which requires:
   1) Actuation and control of shutdown cooling system
   2) Actuation and control of component cooling system
   3) Actuation and control of intake cooling water system
   4) Operation and control of boron addition and charging subsystem
   5) Monitoring of reactor coolant system temperature, pressure and level

7.4-1a Amendment No. 18, (04/01)

Based on the above, the following is the minimum equipment required to be operable for safe shutdown:

a) Auxiliary Feedwater System
b) Chemical and Volume Control System (Boron addition and charging portions only)
c) Shutdown Cooling System
d) Atmospheric Dump Valves (or Steam Dump and Bypass System)
e) Control Room and instrumentation listed in Table 7.4-1.
   - or -
   Instrumentation & controls located outside the control room as detailed in Sections 7.4.18 and DBD-FP-1 (Reference 1).

The following support systems are also required to be operable for safe shutdown, including shutdown with a concurrent loss of offsite power:

a) Onsite Power System
b) Diesel Fuel Oil Storage and Transfer System
c) Intake Cooling Water System
d) Component Cooling Water System
e) Heating, Ventilating, and Air Conditioning (HVAC) Systems for areas containing systems and equipment required for safe shutdown

UNIT 1 7.4-2 Amendment No. 28 (05/17)

The controls and instrumentation associated with the system and components listed are discussed in the following subsections.

7.4.1.1 Auxiliary Feedwater System Instrumentation

The auxiliary feedwater system design is discussed in Section 10.5. The system P&ID is shown on Figure 10.1-2d. Location of system components is shown on the plant general arrangement drawings. The system instrumentation and controls necessary to achieve plant shutdown are as follows:

a) Actuation of System Components

The auxiliary feedwater system is automatically initiated from the control room. In addition, it can be manually actuated from either the control room or locally. The auxiliary feedwater automatic actuation system (AFAS) logic is shown on Figure 7.4-26. The operator has the capability for manual operation of the AFW valves before and after actuation of AFAS. The AFAS measurement channels include four steam generator level signals from each steam generator, derived via the reactor protection system. The AFAS circuitry is located in the control room.

b) Control of System Operation

Controls are provided for automatically starting two motor driven pumps (1A and 1B), opening the steam inlet valves (I-MV-08-13 and 14) to the turbine driven pump (1C) and opening the auxiliary feedwater control valves (I-MV-09-9, 10, 11 and 12). Steam for the turbine driven pump is supplied from either one or both of the steam generators. Power for the auxiliary feedwater turbine driven pump (1C) steam inlet valves (I-MV-08-13 and 14) and auxiliary feedwater discharge valves (I-MV-09-11 and 12) is supplied from 125V dc bus 1AB. Auxiliary feedwater flow is modulated by means of throttling the appropriate auxiliary feedwater pump discharge control valves until the desired flow is reached. These control valves are motor operated and fail "as-is" on loss of power. In the event of loss of ac power to control valves I-MV-09-9 and 10, auxiliary feedwater is supplied from the turbine driven auxiliary feedwater pump 1C thru dc operated valves I-MV-09-11 and 12.

c) Redundancy and Diversity

The two motor driven pumps and their respective discharge valves MV-09-9 and 10 to the steam generators are redundant to the turbine driven pump and its discharge valves MV-09-11 and 12 to each steam generator. 125V dc power for the turbine driven pump and associated valves is available from the 125V dc bus 1AB. (See Subsection 8.3.2). Auxiliary Feedwater System diversity is provided by virtue of the diverse pump drivers, motor driven versus steam turbine driven, and the associated ac versus dc valve operators. Additionally, there are manual operators (handwheels) on the flow control valves to the steam generators.

7.4-3 Amendment No. 22 (05/07)

d) Interlocks, Bypasses, Sequencing and Testing

Upon a loss of offsite power, the motor driven AFW pumps are automatically restarted and powered from the emergency diesel generators if they were previously running. Sequencing of diesel generator loads is shown in Table 8.3-2. Sensor checks of the AFW automatic initiation system measurement channels are made when checking the RPS measurement channels. The AFW automatic initiation steam generator level signals are derived from the same signals used by the RPS. Testing capabilities have been provided for bistables and actuation relays in order to verify their operability.

7.4.1.2 Atmospheric Dump Valves Instrumentation and Control

The atmospheric dump valves (HCV-08-2A, 2B) are discussed in Section 10.3.2 and shown on Figure 10.1-1a. The valves are located outside the containment upstream of the main steam isolation valves. The valves are used to remove decay heat from the steam generator in the event of loss of offsite power. The decay heat is dissipated by venting steam to the atmosphere. In this way the reactor coolant system can be maintained at hot standby conditions or cooled down to 325°F. The valves are electro-pneumatically operated and are controlled automatically or manually from either the control room or from the Hot Shutdown Control Panel (PIC-08-1A1 and 1B1). From the control room, the valves are controlled by means of the Distributed Control System (DCS) via touch screen Manual/Auto (M/A) stations (PIC-08-1A and 1B) or flat panel displays located on RTGB-102. From the Hot Shutdown Control Panel, the valves are controlled by controllers PIC-08-1A1 and 1B1. Valve position is controlled by a digital valve positioner that sends pneumatic control air to the valve actuator. The valves will fail closed on loss of instrument air.

The DCS was expanded to include the atmospheric dump valve control subsystem. A more detailed discussion of the DCS can be found in Subsection 7.5.1.3.1. The M/A stations and flat panel displays were installed to integrate the ADV controls into the DCS in addition to the equipment discussed in Subsection 7.5.1.3.1.

7.4-4 Amendment No. 24 (06/10)

The DCS also indicates valve positions via the M/A stations or the flat panel displays on RTGB 102.

a) Bypasses and Interlocks

No bypasses or interlocks are provided for atmospheric dump valves.

b) Redundancy and Diversity

The atmospheric dump valves are not a redundant system since both are required to maintain the reactor at hot standby. However, in the event of failure of one valve or loss of instrument air, reactor decay heat will be removed through the main steam line safety valves which will be opened when pressure in the steam generator reaches the pressure relief set point (Table 5.5-2). Steam release will continue until the pressure is reduced to the safety valve re-set pressure (Table 5.5-2). The safety valves will continue to cycle in this manner as steam generator pressure rises and is relieved. The reactor coolant system will remain at hot standby conditions during this pressure relief cycling. Cooldown of the reactor coolant to 325°F can then be accomplished through manual operation of the atmospheric dump valves. Each valve has a handwheel which can be operated locally to override the actuator spring.

7.4.1.3 Shutdown Cooling System Instrumentation

The shutdown cooling system is discussed in Section 9.3.5. The system P&ID is shown on Figures 6.3-1 and 6.3-2 as part of the safety injection system. Location of major system components is shown on the plant general arrangement drawings. The system instrumentation and controls necessary to achieve plant shutdown are discussed in the following (note that all valves can be locally, manually positioned if required):

a) Actuation of System Devices and Interlocks

To achieve safe shutdown, actuation of the following system components is required (note that single train operation would not require all of the listed equipment):

1) Unlocking and opening the four isolation valves (V3480, V3481, V3651, V3652) on the low pressure safety injection pump suctions. The valve control circuits are interlocked so that valves can be opened only if the pressurizer pressure is below 267 psia and an alarm will annunciate if the valves are not fully closed at a pressure above 267 psia.
2) Unlocking and closing the motor operated valves (V3432, V3444) in the pump suction lines from the refueling water tank
3) Unlocking and opening the motor operated crossover valves from the pumps to the shutdown cooling heat exchanger
4) Closing the motor operated valves in the containment spray header
5) Unlocking and opening the motor operated valve on the outlet of the shutdown heat exchanger
6) Operating one or both low pressure safety injection pumps, as required, to maintain the desired cooldown rate
7) Closing minimum recirculation flow valves
8) Operating the low pressure injection valves for system flow control, as required
9) Operating FCV-3306, MV-03-2 (SDC Heat Exchanger Bypass Valves) and HCV-3657 (SDC Heat Exchanger common outlet control valve), as required to control the amount of flow through the SDC Heat Exchangers
10) Operating the LPSI pump discharge isolation valves, as required, to start or isolate a LPSI pump.

7.4-5 Amendment No. 22 (05/07)
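The 267 psia open-permissive and alarm on the suction isolation valves (item 1 above) can be modelled to check how the interlock behaves when one pressure channel fails. This is an added example, not plant logic or licensee code; the pairing of V3480 and V3481 as series valves on one suction line, the channel names A and B, and the 100 psia and 1000 psia test values are assumptions made for illustration.

```python
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Optional, Tuple

SETPOINT_PSIA = 267.0  # interlock and alarm setpoint stated in the text


@dataclass
class PressureChannel:
    """One pressurizer pressure instrument channel (modelled, hypothetical)."""
    name: str
    stuck_at: Optional[float] = None  # None = healthy, a value = failed with a frozen reading

    def read(self, actual_psia: float) -> float:
        return actual_psia if self.stuck_at is None else self.stuck_at


@dataclass
class IsolationValve:
    """Suction isolation valve whose open circuit is interlocked with one channel."""
    tag: str
    channel: PressureChannel
    fully_closed: bool = True

    def demand_open(self, actual_psia: float) -> bool:
        """Operator open demand; permitted only when the channel reads below the setpoint."""
        if self.channel.read(actual_psia) < SETPOINT_PSIA:
            self.fully_closed = False
        return not self.fully_closed

    def alarm(self, actual_psia: float) -> bool:
        """Annunciate when the valve is not fully closed and pressure is above the setpoint."""
        return (not self.fully_closed) and self.channel.read(actual_psia) > SETPOINT_PSIA


def build_line(stuck_a: Optional[float] = None,
               stuck_b: Optional[float] = None) -> List[IsolationValve]:
    """Two series valves on one suction line, each on its own channel (assumed pairing)."""
    return [
        IsolationValve("V3480", PressureChannel("A", stuck_a)),
        IsolationValve("V3481", PressureChannel("B", stuck_b)),
    ]


def line_open(valves: List[IsolationValve]) -> bool:
    """Series valves: the low pressure piping is exposed only if every valve is off its seat."""
    return all(not v.fully_closed for v in valves)


def open_attempt(actual_psia: float,
                 stuck_a: Optional[float] = None,
                 stuck_b: Optional[float] = None) -> bool:
    """Demand both valves open at the given pressure; return whether the line ends up open."""
    valves = build_line(stuck_a, stuck_b)
    for v in valves:
        v.demand_open(actual_psia)
    return line_open(valves)


def failure_sweep(actual_psia: float,
                  stuck_low: float = 100.0) -> Dict[Tuple[bool, bool], bool]:
    """Every healthy / stuck-low channel combination -> does the line open?"""
    results = {}
    for a_failed, b_failed in product((False, True), repeat=2):
        results[(a_failed, b_failed)] = open_attempt(
            actual_psia,
            stuck_low if a_failed else None,
            stuck_low if b_failed else None,
        )
    return results


def alarm_after_pressure_change(open_at_psia: float, later_psia: float) -> List[bool]:
    """Open both valves with healthy channels, then evaluate each alarm at a later pressure."""
    valves = build_line()
    for v in valves:
        v.demand_open(open_at_psia)
    return [v.alarm(later_psia) for v in valves]


if __name__ == "__main__":
    print("open demand at 250 psia:", open_attempt(250.0))
    print("open demand at 300 psia:", open_attempt(300.0))
    for (a_failed, b_failed), opened in failure_sweep(1000.0).items():
        print(f"A failed={a_failed!s:5} B failed={b_failed!s:5} -> line open={opened}")
    print("alarms after rise to 300 psia:", alarm_after_pressure_change(250.0, 300.0))
```

In this model a single channel stuck low lets only its own valve open, so the line stays isolated; the line opens above the setpoint only when both channels have failed, which is the case the separate power supplies and channel separation are meant to make independent.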

Reactor coolant system cooldown to approximately 325°F is accomplished through the dumping of secondary steam as discussed in Sections 7.4.1.1 and 7.4.1.2. The shutdown cooling system is brought into use when the reactor coolant system conditions are satisfactory for shutdown cooling operations as indicated in the Technical Specifications. The shutdown cooling system interlocks, as discussed in Section 7.6.1.1, prevent any possibility of overpressuring the low pressure portions of the system. Control panel hand switches and valve position limit indicating lights are provided for the shutdown cooling isolation valves, the shutdown cooling heat exchanger common inlet, outlet, and bypass valves and the low pressure injection valves.

b) Control of System Operation

The shutdown cooling system is designed to be manually initiated upon the attainment of the required reactor coolant system conditions of temperature and pressure. Once the system is in operation, the cooldown rate is adjusted by controlling the flow through the heat exchanger(s) and, consequentially, the heat removal rate. There are several heat exchanger flow control methods. Throttling total system flow with the injection valves while maintaining the heat exchanger outlet and bypass valves at fixed positions will vary flow through the heat exchanger(s). Throttling the heat exchanger outlet valve by means of the control board mounted indicating controller or manually adjusting the heat exchanger bypass valve is another method. In automatic control, the shutdown cooling flow indicator-controller can maintain a constant total shutdown cooling flow rate to the core by adjusting the heat exchanger bypass flow to compensate for changes in flow rate through the heat exchangers. Manual control is the preferred method due to considerations for system component maintenance.

c) Monitoring of System Operation

Control board process indication and status instrumentation is provided to enable the operator to evaluate system performance and detect malfunctions. In addition to the valve status instrumentation mentioned in part (a), indication is provided of low pressure safety injection pump discharge header pressure and temperature, shutdown cooling heat exchanger outlet temperature, and shutdown cooling injection flow and temperature. Low pressure safety injection pump operating status is also indicated on the control board.

d) Interlocks, Sequencing and Bypasses

The shutdown cooling system has been provided with electrical interlocks and alarms to prevent any possibility of overpressurizing the low pressure portions of the system. The redundant interlocks allow opening the isolation valves only when the reactor coolant system pressure is below 267 psia, and an alarm will annunciate if the valves are not fully closed and pressure were to increase above that point. Section 7.6 contains a detailed description and analysis of the interlocks. System sequencing is controlled manually by the operator in accordance with approved operating procedures. The shutdown cooling system instrumentation has no bypass features which would allow an operator to jeopardize the protection afforded by the interlocks or degradation of any other control functions.

7.4-6 Amendment No. 18, (04/01)

e) Redundancy

Sufficient instrumentation is supplied to assure adequate system monitoring during all modes of system operation. The redundant isolation valves for each pump suction line are controlled by redundant instrument channels powered from separate supplies.

f) Supporting Systems

The shutdown cooling system relies upon the low pressure safety injection pumps for motive force and the component cooling water system for heat transfer. Either of the two pumps and two heat exchangers is sufficient for proper system operation.

7.4.1.4 Component Cooling Water System Instrumentation

The component cooling water system is discussed in Section 9.2.2. The system P&ID is shown on Figure 9.2-2. Location of system components is shown on the plant general arrangement drawings. The system instrumentation and controls necessary to achieve plant shutdown are as follows:

a) Actuation of System Components

To achieve safe shutdown the system component actuation steps required are:

1) Starting the component cooling water pumps
2) Opening the outlet valves from the shutdown heat exchangers

b) Control of System Operation

The component cooling water system is designed to operate without automatic or manual process control after the system is actuated. The pumps, heat exchangers and components operate with unmodulated flow. Accordingly there are no control valves, controllers or other control instrumentation which are required for safe shutdown.

7.4-7 Amendment No. 17 (10/99)

The pumps are started manually by means of control switches located on the main control panel or by means of the respective switchgear cubicle control switch. Pump logic and control diagrams are shown on Figures 7.4-3 through 7.4-5. Electrical schematic diagrams of pump control circuits are shown on Figures 7.4-6 through 7.4-8. Control panel switches are provided to actuate the shutdown heat exchanger outlet valves (HCV 3A and B). In the event of a LOCA, the component cooling pumps, heat exchanger and header isolation valves are actuated automatically upon SIAS. The actuating instrumentation and controls for SIAS actuation are part of the engineered safety features actuation system and are discussed in Section 7.3.

The component cooling water surge tank is normally vented to the atmosphere through a three-way valve (RCV-14-1) in the tank vent line. Upon a high radiation signal the valve will change position and venting will be diverted to the waste management system. The high radiation signal is derived from either of the two radioactivity monitors (see Figure 7.3-45) located in the component cooling water discharge headers. The operation of this interlock is not required for safe shutdown and is not designed as seismic Class I.

c) Monitoring of System Operation

Control room process indication alarm and status diverse instrumentation (flow, pressure) is provided to enable the operator to evaluate system performance and detect malfunctions. Component cooling surge tank low level is alarmed in the control room by redundant instrumentation. The outlet temperature, pressure and flow from each component cooling heat exchanger is indicated in the control room. High temperature, low flow and low pressure are alarmed. CCW flow outlet from the shutdown heat exchanger is similarly indicated and alarmed. Temperature indication of CCW outlet from the shutdown heat exchanger is available in the control room. The shutdown heat exchanger outlet valves and header isolation valves are provided with position indicating lights in the control room. Component cooling pump operating status is also indicated in the control room. Refer to Section 7.5 for further discussion of safety related monitoring instrumentation.

d) Interlocks, Bypasses and Sequencing

Upon loss of off-site power, the pumps are automatically restarted and loaded on the emergency diesel generators. Their sequencing is shown in Table 8.3-2. As discussed in Section 8.3.1.2.4, if all three pumps are available for starting, pump 1C which is part of electrical load group AB will not be started if off-site power is lost to avoid overloading the diesel generator. If either pump 1A or 1B is out of service, pump 1C will replace that pump and will start automatically as part of the corresponding electrical load group.

7.4-8 Amendment No. 18, (04/01)

e) Redundancy

Separate switches and actuation circuitry are provided for redundant components. Physical and electrical separations are provided as discussed in Section 7.4.2.1.

f) System Supporting Equipment

Control switches are also provided locally and in the control room to operate the cross-connection valves (I-MV-14-1,2,3,4) on the suction and discharge pump headers. This allows the operator to control alignment of pump flow to each of the redundant headers.

7.4.1.5 Intake Cooling Water System Instrumentation

The intake cooling water system is discussed in Section 9.2.1. The system P&ID is shown on Figure 9.2-1 and 1a. Location of system components is shown on the plant general arrangement drawings. The system instrumentation and controls necessary to achieve plant shutdown are discussed as follows:

a) Actuation of System Components

To achieve safe shutdown the only system component actuation step required is starting the intake cooling water pumps.

b) Control of System Operation

The pumps are started manually either by means of switchgear cubicle control switches or control room switches. Pump logic and control diagrams are shown on Figures 7.4-9 through 7.4-11. Electrical schematic diagrams of pump operation are shown on Figures 7.4-12 through 7.4-14. In the event of a LOCA, the intake cooling water pumps and essential header isolation valves are actuated automatically upon SIAS. The actuating instrumentation and controls for SIAS actuation are part of the engineered safety features actuation system and are discussed in Section 7.3.

Following actuation of the pumps, the intake cooling system is designed to operate with automatic temperature controlled modulation of the intake cooling water flow through the component cooling heat exchangers. The heat exchanger outlet flow control valves (TCV-14-4A and TCV-14-4B) are controlled by pneumatic temperature controllers TIC-14-4A and TIC-14-4B which sense outlet temperature on the component cooling water side of the heat exchangers. The temperature controllers are provided for efficient system operation during normal plant operation. The control valve pneumatic controls have been designed and qualified as seismic Class I to assure proper operation of the control valves during safe shutdown. As temperature increases, intake cooling water flow is automatically increased. The control valves are pneumatically operated and fail wide open on loss of instrument air. In the event of loss of air the intake cooling system will operate in the full unmodulated flow mode. Although these valves are normally operated while placed in automatic, manual control is used when under Operations administrative control to perform testing.

7.4-9 Amendment 18, (04/01)

No other automatic or manual control of system operation is required for safe shutdown.

c) Monitoring of System Operation

Control room process indication, alarm and status instrumentation is provided to enable the operator to evaluate system performance and detect malfunctions. Pump discharge pressure to the essential redundant headers is indicated and low pressure is alarmed. Separate instrumentation serves each of the redundant headers. Outlet flow for each of the component cooling heat exchangers is indicated locally by separate instrumentation and low flow is alarmed. Intake cooling water pump operating status and header isolation valve position are indicated in the control room. Pump failure is alarmed in the control room. Refer to Section 7.5.

d) Interlocks, Sequencing and Bypasses

Upon loss of off-site power, the pumps are automatically restarted and loaded on the emergency diesel generators. Their sequencing is shown in Table 8.3-2. If all three pumps are available for starting, pump 1C which is part of electrical load group AB will not be started to avoid overloading the diesel generator. Refer to Section 8.3.1.2.4. If either pump 1A or 1B is out of service, pump 1C will replace that pump and will start automatically as part of the corresponding electrical load group.

e) Redundancy

Separate control panel switches and actuation circuitry are provided for starting the pumps. Physical and electrical separation are provided as discussed in Section 7.4.2.1.

7.4.1.6 Emergency Power System Instrumentation

The emergency power system is discussed in Section 8.3. Location of system components is shown on the plant general arrangement drawings. The system instrumentation and control required to achieve safe plant shutdown are discussed as follows:

a) Actuation of System Components:

1) Starting the emergency diesel generators
2) Tripping the circuit breakers between the normal and emergency 4.16 kv buses
3) Tripping the circuit breakers for non-essential loads on the emergency buses
4) Closing the diesel generator circuit breakers to the 4.16 kv buses 7.4-10 Amendment No. 18, (04/01)
5) Closing the circuit breakers for loads required for safe shutdown b) Control of System Operation Once the system is actuated the diesel generator voltage and frequency are automatically controlled.

Each diesel generator set has its own speed control system and voltage regulator. No other manual or automatic controls are necessary for proper system functioning. Manual backup for voltage and frequency controls are provided locally and in the control room. Control switches are also provided locally and in the control room for manually starting the diesel generators and operating the generator breakers. c) Monitoring of System Operation Control room indication, alarm and status instrumentation is provided to enable the operator to evaluate system performance and detect malfunctions. Diesel generator current voltage and frequency are indicated. Alarms are provided to indicate diesel generator malfunction or trip. Refer to Sections 7.5 and 8.3.1.1.7. d) Bypasses, Interlocks, and Sequencing Upon loss of off-site power, the emergency diesel generators are automatically started, the breakers between normal and emergency buses are automatically tripped and loads are automatically stripped from the emergency buses. When the emergency diesel generators reach operating frequency and voltage, the diesel generator breakers are automatically closed and the loads required for safe shutdown which were previously running are automatically restarted and loaded on the diesel generators in the proper sequence as shown in Table 8.3-2. Additional loads are manually connected as required. The automatic starting and loading sequence is discussed fully in Section 8.3.1.1.7. Diesel generator logic and electrical schematic control diagrams are shown in Section 8.3. In the event of a LOCA, the emergency diesel generators are automatically started on SIAS. The actuating instrumentation and controls for these signals are part of the engineered safety features actuation system and are discussed in Section 7.3. e) Redundancy Separate control switches and actuation circuitry is provided for starting emergency diesel generators and actuating emergency bus breakers. 
Physical and electrical separations are provided as discussed in Section 7.4.2.1.

7.4.1.7 Boron Addition and Charging Subsystems

The boron addition and charging subsystems are portions of the chemical and volume control system which are used in the shutdown process. The chemical and volume control system is discussed in Section 9.3.4. The system P&ID is shown on Figures 9.3-4 and 9.3-5. Location of major system components is shown on plant general arrangement drawings. The system instrumentation and controls which are utilized to achieve plant shutdown are discussed as follows:

a) Actuation of System Components

To help achieve a safe shutdown and cooldown, the system component actuation steps required are:

1) Coordinated control of the charging pumps, letdown control valves, and letdown backpressure valves to adjust and maintain the correct pressurizer water level
2) Periodic sampling and adjustment of the boron concentration to compensate for the temperature decrease and other variables until shutdown concentration is reached.

The charging pumps are used to inject water or concentrated boric acid into the reactor coolant system as required. With one pump normally in operation, the other charging pumps are automatically started by the pressurizer level control system (discussed in Section 7.7.1.2.2). The charging pump suction is shifted from the volume control tank to the boric acid pump discharge. Should the boric acid pumps fail to start, a separate (diverse) flow path is available from the concentrated boric acid tank gravity feed lines. Electrical schematic diagrams of the charging pumps, boric acid make-up pumps and level control circuits are shown on Figures 7.4-15 through 7.4-20. Should the charging line inside the reactor containment be inoperative for any reason, the line may be isolated outside of the reactor containment and charging flow can be injected via the safety injection header (Refer to Section 9.3.4).

b) Control of System Operation

The boric acid concentration is controlled during shutdown and cooldown to compensate for reactivity changes associated with a decreasing coolant temperature in order to ensure that a sufficient shutdown margin is maintained. Concentrated boric acid from the storage tanks is blended with demineralized water and injected into the reactor coolant system to achieve the desired coolant concentration by means of feed and bleed. Five modes of makeup system operation are provided utilizing control board mounted flow indicating controllers, batching switches, and totalizer counters. In the dilute mode, a batching switch is used to introduce a preset quantity of primary makeup water into the volume control tank and then the reactor coolant system by means of the charging pumps. In the borate mode, another batching switch is used to introduce a preset quantity of concentrated boric acid in the same fashion.
In the automatic mode, a preset ratio of boric acid and primary makeup water is automatically blended and introduced into the volume control tank when necessary upon demand from the volume control tank level program. In the blend mode, the batching switches are used to introduce a preset quantity of boric acid and primary makeup water blended at a preset ratio into the volume control tank. In the manual mode, the primary makeup water and concentrated boric acid flow rates are manually set to achieve the desired blend and the totalizer counters are used to monitor the quantities introduced.

c) Monitoring of System Operation

Control board process indication and status instrumentation is provided to enable the operator to evaluate system performance and control system operation. This instrumentation is discussed in detail in Section 7.5.1.4.

d) Interlocks, Sequencing and Bypasses

Proper system operation is achieved by the coordinated operation of the charging pump and boric acid pump control circuits. The charging pump control circuit sequences charging pump operation in response to pressurizer level control circuit requirements as discussed in Section 7.7.1.2. The boric acid pump control circuit sequences boric acid pump and valve operation to achieve the desired boric acid concentration. Manual control of any portion of these systems can be achieved while allowing the remainder to continue functioning in automatic. The receipt of a safety injection actuation signal (discussed in Section 7.3) will override any control mode condition so that full boron addition and charging capabilities are achieved. A keylocked pressurizer high level control bypass switch is utilized for charging the pressurizer solid with the reactor shutdown. This is performed under strict administrative control. No other instrument bypasses exist which could degrade this response.

e) Redundancy and Diversity

Two separate and distinct modes of boron addition are available through the use of the boric acid makeup pumps or the gravity feed lines. Either of these methods can be used to transfer concentrated boric acid from each of the boric acid makeup tanks to the volume control tank. Charging system redundancy is achieved by having two separate charging pumps and supporting instrumentation powered from separate electrical buses. The third pump and supporting instrumentation are powered from the 1AB bus as described in Section 8.3.1.1.3. The charging pumps are located in separate concrete block cubicles to provide spatial separation between them.
f) Supporting System

The boron addition and charging subsystems use portions of the chemical and volume control system flow path and instrumentation in common. In addition, the refueling water tank is used as the source of makeup demineralized water and boric acid dilution.

7.4.1.8 Emergency Control Stations

In the event of an emergency condition which causes the control room to be abandoned, local emergency controls are provided to enable the operator to maintain the unit at hot standby conditions from outside the control room. Instrumentation is provided to control and monitor conditions in the reactor coolant system and the secondary system. Emergency instrumentation and controls are provided outside the control room to enable the operator to shut down and maintain the unit at hot standby or initiate a cool down as required by GDC 19 (Reference subsection 7.4.2.3). The postulated control room conditions and/or events which would make it inaccessible and result in its evacuation remain undefined, with the exception of a fire in the control room or cable spreading room. Since no other failure mechanisms have been established or identified, a shutdown from outside the control room is not assumed to be accompanied by any DBA.

A shutdown from outside the control room due to a fire is discussed in the Fire Protection Design Basis Document (Reference 1) and the Unit 1 Nuclear Safety Capability Assessment (NSCA) (Reference 2). The Unit 1 Essential Equipment List (Reference 3) defines the instrumentation and controls for equipment required for safe and stable plant operations from both inside and outside the control room to address a plant fire. The NSCA identifies which circuits require transfer switches so that shutdown can be achieved independent of the control room and/or cable spreading room. These transfer switches and other provisions (such as redundant fuses) are located throughout the plant to provide for electrical isolation of electrical faults which could occur in the control room and/or spreading room due to a fire. For both NFPA 805 and GDC 19 functions, transfer switches are also used to switch instrumentation and control functions from the control room to their remote location. UFSAR Table 7.4-1 is applicable to GDC 19 requirements and does not include analysis which is applicable to NFPA 805 requirements. As discussed above, the NFPA 805 requirements are included in the NSCA. Plant procedures for a shutdown from outside the control room due to a fire are based on the NSCA.

The following instrumentation and controls are provided on the hot shutdown panel in the Reactor Auxiliary Building (EL. 43 ft):

a) Reactor Coolant System (RCS) Controls:

Control Switches
    Power Operated Relief Valve (1)
    PORV Block Valve (1)
    Pressurizer Aux spray valve (2)
    Pressurizer heater (8) (480v MCC)
    Charging pumps (3) (480v SWGR)
    Letdown valves (1 Containment Isolation Valve, 1 Prz Level Letdown Control Selector Switch)
    Pressurizer Pressure Control Selector Switch
Hand indicating controllers
    Letdown control valves (1)
    Pressurizer spray valve (1)
Readouts
    Pressurizer pressure indicators (2)
    Pressurizer level indicators (1)
    Reactor Coolant System temperature indicators
        RCS Cold Leg Temperature (2)
    Excore Wide Range Reactor Power (2)
    Excore Source Range Reactor Power (2)

b) Secondary System Controls:

Control switches
    Motor driven auxiliary feedwater pumps (2)
    Motor operated auxiliary feedwater pump valves (6)
    Turbine driven auxiliary feedwater pump 1C
Hand/Pressure indicating controllers
    Atmospheric dump valves (2)
Readouts
    Steam generator 1A level indicator
    Steam generator 1A wide range level indicator
    Steam generator 1B level indicator
    Steam generator 1B wide range level indicator
    Steam generator 1A pressure indicator*
    Steam generator 1B pressure indicator*

* Indicators on atmospheric steam dump controllers provide this function.

The operator trips the reactor before leaving the control room and the control of hot shutdown is accomplished by means of the emergency controls located on the hot shutdown panel. The hot shutdown panel room is located within a security area and therefore, is not required to be locked, but may include security access control that does not inhibit the ability of the operator to gain access to the room during safe shutdown. Isolation switches, located at the emergency control station, are provided to electrically isolate the control room circuitry from the emergency controls. The isolation switch "Isolate" position is annunciated in the control room in order to preclude inadvertent isolation during normal operation. Verification of reactor trip is accomplished through visual check of the CEA trip breakers. The instrumentation and control provided enables the plant operators to maintain the unit at hot shutdown conditions. Pressurizer pressure and level can be monitored by means of the pressurizer pressure and level indicators and controlled by operation of the pressurizer heaters, letdown control valves and charging pumps. Reactor coolant temperature (T-Cold) indication is provided at the hot shutdown panel. The usage of T-Cold indication alone as the means of primary system temperature indication during alternate shutdown was accepted by the NRC in their letter, J A Norris (NRC) to C O Woody (FPL), Alternate Shutdown Capability; T-Cold Indication and High Impedance Faults; St. Lucie Plant, Unit No. 1, dated August 16, 1989. Removal of residual heat through the secondary steam system can be controlled through operation of the atmospheric dump valves and auxiliary feedwater pumps and control valves. Secondary side conditions can be monitored by means of steam generator pressure and level indicators. 
Shutdown boron concentration can be monitored through the sample room and boration can be achieved through manual valve line-up from the boric acid makeup tanks and/or the refueling water tank to the charging pumps.

7.4.2 ANALYSIS

7.4.2.1 Conformance to IEEE-279

IEEE 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations," establishes minimum requirements for the reactor protective and engineered safety features instrumentation and control systems. The instrumentation and controls associated with the safe shutdown systems are not defined as a protective system in Section 1.0 of IEEE-279; nevertheless, many criteria of IEEE-279 have been incorporated in the design of the safe shutdown system instrumentation and control. Conformance with the applicable portions of IEEE-279, Section 4, is discussed in the following sections.

7.4.2.1.1 General Functional Requirements

For events other than a LOCA, the safe shutdown systems are provided with sufficient controls and monitoring instruments to allow the operator to manually initiate a safe shutdown in a reasonable time and monitor the performance of shutdown components. Automatic start of the safe shutdown systems is not provided as required by paragraph 4.1 of IEEE-279. However, in the event of loss of off-site power, the emergency diesel generators are started automatically in conformance with the applicable portions of IEEE-279 (1971) Section 4.1.

7.4.2.1.2 Single Failure Criterion

The instrumentation and controls required for the maintenance of a hot safe shutdown condition are designed and arranged such that no single failure can prevent a safe shutdown, even in the event of loss of offsite power. Single failures considered include electrical faults (e.g., open, shorted or grounded circuits) and physical events (e.g., fires, missiles) resulting in mechanical damage. Compliance with the single failure criterion is accomplished by providing redundancy of power supplies, actuation circuits, and by separating the redundant elements electrically and physically to achieve the required independence.
Each of the provisions is discussed below:

a) Redundancy

Each of the systems required for safe shutdown consists of redundant subsystems and/or components for maximum system reliability. These are the auxiliary feedwater, component cooling water, intake cooling water systems and boron addition and charging subsystems. The emergency power system consists of two redundant emergency diesel generator sets. Each of the redundant components has automatic and/or manual actuation circuits which are separate from those provided for its redundant counterpart. Redundant instrumentation is provided to monitor reactor coolant system conditions. Each steam generator is provided with separate pressure and level monitoring instrumentation (See Section 7.5.1.5).

b) Electrical Separation

Electrical separation is achieved through the provision of independent power supplies and the elimination of electrical interconnection between redundant elements. Control power for redundant circuits is fed from separate 125 v dc buses. Power for redundant pumps and valves is supplied from separate emergency diesel generators. Components designated A are part of electrical load group A and components designated B are part of electrical load group B. Third service components (designated C) are part of electrical load group AB. Electrical separation between the electrical load groups is discussed in Section 8.3.1.2.2. The provision of separate power supplies and elimination of electrical connections between redundant circuits ensures that loss of power or electrical faults on any circuit cannot affect the redundant circuit. Multiple high impedance faults are not required to be analyzed due to isolation of faults on a bus prior to restoration of power to the bus. This method of controlling faults was approved by the NRC in their letter, J A Norris (NRC) to C O Woody (FPL), Alternate Shutdown Capability; T-Cold Indication and High Impedance Faults; St. Lucie Plant, Unit No. 1, dated August 16, 1989.

c) Physical Separation

Protection against the possibility of mechanical damage to both redundant portions of any instrumentation and control system required for safe shutdown has been achieved by spatial separation and/or the provision of physical barriers between redundant elements. Physical separation within control panels is achieved by providing at least 12 inches of spatial separation between redundant circuitry or by a metal barrier. This separation is provided between control switches, controllers, relays and wiring necessary to actuate and control redundant components.
Cable trays and conduit containing redundant wiring and cables necessary to actuate and control redundant components are physically separated as discussed in Section 8.3.1.2.3. Redundant system pumps, piping and other components are physically separated to ensure that no single failure can cause damage to both redundant components. This separation afforded by component separation is maintained for redundant instrumentation which is mounted on the piping or components and which is required for safe shutdown. The redundant wiring and circuitry of the instrumentation and control systems required for safe shutdown are marked and identified as described in Section 8.3.1.2.3. The physical arrangement of instrumentation outside the containment is shown on Figures 7.4-21 through 7.4-24.

7.4.2.1.3 Quality Control of Components and Modules

The quality control enforced during design, fabrication, shipment, field storage, installation and component checkout used for instrumentation and control components required for safe shutdown and the documentation of control has been in accordance with the quality assurance program.

7.4.2.1.4 Equipment Qualification

The instrumentation and control necessary to achieve safe shutdown are designed to operate in the design ambient conditions in the area in which they are located. Components located in the control room, which is normally air conditioned, are designed to operate in the ambient conditions associated with loss of air conditioning for the time necessary to achieve safe shutdown. Environmental design and qualification of electrical and instrumentation equipment for loss of air conditioning is discussed in Section 3.11. Seismic qualification and testing are discussed in Section 3.10.

7.4.2.1.5 Channel Integrity

Preoperational testing and inspection is performed to verify that all components, automatic and manual controls and sequences of the integrated systems provided for safe shutdown accomplish the intended design function. Specific component testing is performed as described in Chapter 14. Essential instrumentation and controls required for safe shutdown are designed as seismic Class I equipment to ensure their ability to function during and following a design basis earthquake. All components have seismic Class I supports and are located in seismic Class I structures. Purchase specifications specify the horizontal and vertical acceleration forces associated with the design basis earthquake based on the floor response spectra for the equipment location. Seismic design and qualification requirements are discussed in Section 3.10. All components are provided protection from hurricane and tornado winds, external missiles and flooding as discussed in Sections 3.3, 3.4 and 3.5.

7.4.2.1.6 Channel Independence

Safe shutdown system channel independence is achieved by electrical and physical separation as described in Section 7.4.2.1.2.
7.4.2.1.7 Control and Protection System Interaction

Any portion of the safe shutdown system controls which is used for both control and protection functions is designed in accordance with IEEE-279 as shown in Section 7.3 and Chapter 8.

7.4.2.1.8 Derivation of System Inputs

The safe shutdown system monitoring signals are direct measures of the desired variables. Refer to Table 7.4-1.

7.4.2.1.9 Capability for Sensor Checks

The safe shutdown system monitoring sensors are checked by perturbing the monitored variable, by introducing and varying a substitute input to the sensor similar to the measured variable, or by cross-checking between channels.

7.4.2.1.10 Capability for Test and Calibration

The instrumentation and control components required for safe shutdown which are not normally in operation will be periodically tested. This includes instrumentation and controls for the auxiliary feedwater system, atmospheric dump valves, and emergency power system. All automatic and manual actuation and control devices will be tested to verify their operability. Periodic testing is described in the Technical Specifications.

7.4.2.1.11 Manual Initiation

The safe shutdown systems may be manually actuated. No single failure will prevent the safe shutdown.

7.4.2.1.12 Identification of Protective Action

Indication lights or annunciators are provided for all safe shutdown system actions and operating status of all equipment.

7.4.2.1.13 Information Readouts

All safe shutdown system monitoring and control channels are indicated in the control room.

7.4.2.1.14 System Repair

Replacement or repair of components can be accomplished in reasonable time when the systems are not actuated as limited by the Technical Specifications.

7.4.2.1.15 Identification

Identification of safe shutdown system channels is as described in Sections 7.1.2.5 and 8.3.1.2.3.

7.4.2.2 Conformance to IEEE-308

The electrical circuitry associated with the safe shutdown systems conforms to IEEE-308, "IEEE Standard Criteria for Class 1E Electric Systems for Nuclear Power Generating Stations". The safe shutdown electrical systems are described in Section 8.3. During normal operation, power is supplied to the automatic control of all three charging pumps from 125v dc bus 1A. Upon receipt of an SIAS, the automatic control is isolated and the pumps receive a start signal. Figure 7.4-25 demonstrates the manner in which physical and electrical separation is achieved between the normal portion and the safety related portion of the charging pumps control, and their power supplies.

7.4.2.3 Conformance to the Requirements of AEC GDC 19

As described in Section 7.4.1.8, local emergency control stations are provided to maintain the plant in the hot standby condition in the event that the control room must be abandoned. Adequate instrumentation is provided to enable operator control of equipment necessary to maintain reactor coolant system and secondary system pressure, temperature and levels.

It is also possible to achieve plant cold shutdown from outside the control room by use of suitable procedures. Components of systems required to bring the plant from hot standby to cold shutdown can be actuated locally at the electrical switchgear. System valving can be operated manually to align proper flow paths. Local instrumentation can be utilized to monitor system functioning.

7.4.2.4 Loss of Instrument Air Systems

Pneumatically operated valves in systems required for safe shutdown will fail in the position required for system operation in the plant shutdown mode. Except for the atmospheric dump valves which fail closed, valves which are in required flow paths will fail open on loss of instrument air. The atmospheric dump valves may be opened by local manual means in the event of loss of air. Valves which isolate nonessential portions of the system from portions required for safe shutdown fail closed. Valve failure positions are shown on the system P&I diagrams. None of the essential control or monitoring instrumentation is pneumatic. Electrical instrumentation is powered from the emergency power system. The intake cooling outlet flow from the component cooling heat exchangers is pneumatically controlled. The valves will fail wide open on loss of air. Flow modulation is not required for safe shutdown. The pressurizer spray valves (PCV-1100E and PCV-1100F) fail closed on loss of instrument air. Pressurizer pressure is controlled by operation of the electric pressurizer heaters. Therefore, the loss of instrument air will not interfere with the safe shutdown of the plant.

7.4.2.5 Loss of Cooling Water to Vital Equipment

None of the instrumentation and controls required for safe shutdown rely on cooling water for operation.

7.4.2.6 Plant Load Rejection, Turbine Trip and Loss of Off-Site Power

In the event of loss of off-site power associated with plant load rejection or turbine trip, power for safe shutdown is provided by the on-site emergency power system.
The description and analysis of the emergency power system are discussed fully in Section 8.3. The emergency diesel generators will provide power for operation of pumps and valves. The station batteries will provide dc power for operation of control and instrumentation systems required to actuate and control essential components. The emergency diesel generators will automatically start and begin supplying power to components necessary to achieve safe shutdown. The station batteries will maintain continuity of dc control power if offsite power is lost. The emergency power system is designed to meet the single failure criterion and withstand severe natural phenomena. Adequate on-site emergency power will be available to safely shut down the plant under all plant design conditions assuming a single failure, in the event of loss of off-site power.

REFERENCES

1. DBD-FP-1, Fire Protection Design Basis Document.
2. 8770-B-048, Unit 1 Nuclear Safety Capability Assessment (NSCA).
3. 8770-B-049, Unit 1 Essential Equipment List.


TABLE 7.4-1
INSTRUMENTS REQUIRED TO MONITOR SAFE SHUTDOWN

Measured Quantity                                           Sensor Tag Numbers

Component Cooling Water System
1) CCW pressure at HX outlet                                PT-14-8A,PT-14-8B
2) CCW flow, headers A&B                                    FT-14-1A,FT-14-1B
3) CCW flow at shutdown HX outlet                           FT-14-10A,FT-14-10B

Intake Cooling Water System
1) Intake cooling water flow @ HX outlet                    FIS-21-9A,FIS-21-9B (Non-safety)
2) Intake cooling water header A&B pressure                 PT-21-8A,PT-21-8B

Auxiliary Feedwater System
1) Auxiliary feedwater discharge header flow                FT-09-2A,FT-09-2B,FT-09-2C
2) Auxiliary feedwater discharge header pressure            PT-09-8A,PT-09-8B,PT-09-8C
3) Condensate storage tank level                            LT-12-11,LT-12-12
4) Steam Generator level                                    LT-9013 A,B,C,D
                                                            LT-9023 A,B,C,D
5) Steam pressure to steam driven auxiliary feedwater pump  PT-08-5

Atmospheric Dump System
1) Steam generator pressure                                 PT-08-1A,PT-08-1B

Shutdown Cooling System
1) HX outlet temperature                                    TE-3303 X,Y
2) Shutdown cooling return flow                             FT-3306

Boron Addition & Charging System
1) Charging pump header pressure                            PT-2212
2) Charging header flow                                     FT-2212

TABLE 7.4-2
COMPONENTS ACTUATED BY AUXILIARY FEEDWATER AUTOMATIC INITIATION SYSTEM

Action  Component                     Tag Number

Start   AFW Pump 1A
Start   AFW Pump 1B
Open    AFWP-1A Disch. to SG-1A       MV-09-9
Open    AFWP-1B Disch. to SG-1B       MV-09-10
Open    AFWP-1C Disch. to SG-1A       MV-09-11
Open    AFWP-1C Disch. to SG-1B       MV-09-12
Open    Steam from SG-1A to AFWP-1C   MV-08-14
Open    Steam from SG-1B to AFWP-1C   MV-08-13
Open    Steam to AFWP-1C              MV-08-3

Refer to drawing 8770-8326 Sheet 629 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 SCHEMATIC DIAGRAM AUXILIARY FEEDWATER PUMP 1A FIGURE 7.4-1 Amendment No. 15 (1/97)

Refer to drawing 8770-B-326 Sheet 630 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 SCHEMATIC DIAGRAM AUXILIARY FEEDWATER PUMP 1B FIGURE 7.4-2 Amendment No. 15 (1/97)

Refer to drawing 8770-B-276 Sheet 14.28 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL & BLOCK DIAGRAM (COMPONENT COOLING WATER PUMP 1A) FIGURE 7.4-3 Amendment No. 22 (05/07)

Refer to drawing 8770-B-276 Sheet 14.2C FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL & BLOCK DIAGRAM (COMPONENT COOLING WATER PUMP 1B) FIGURE 7.4-4 Amendment No. 22 (05/07)

Refer to drawing 8770-B-276 Sheet 14.2D FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL & BLOCK DIAGRAM (COMPONENT COOLING WATER PUMP 1C) FIGURE 7.4-5 Amendment No. 22 (05/07)

Refer to drawing 8770-B-326 Sheet 201 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 SCHEMATIC DIAGRAM COMPONENT COOLING WATER PUMP 1A FIGURE 7.4-6 Amendment No. 15 (1/97)

Refer to drawing 8770-B-326 Sheet 205 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 SCHEMATIC DIAGRAM COMPONENT COOLING WATER PUMP 1B FIGURE 7.4-7 Amendment No. 15 (1/97)

Refer to drawing 8770-B-326 Sheet 209 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 SCHEMATIC DIAGRAM COMPONENT COOLING WATER PUMP 1C FIGURE 7.4-8 Amendment No. 15 (1/97)

Refer to drawing 8770-B-276 Sheet 21.1 B FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL & BLOCK DIAGRAM (INTAKE COOLING WATER PUMP 1A) FIGURE 7.4-9 Amendment No. 22 (05/07)

Refer to drawing 8770-B-276 Sheet 21.1 C FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL & BLOCK DIAGRAM (INTAKE COOLING WATER PUMP 1B) FIGURE 7.4-10 Amendment No. 22 (05/07)

Refer to drawing 8770-B-276 Sheet 21.1 D FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL & BLOCK DIAGRAM (INTAKE COOLING WATER PUMP 1C) FIGURE 7.4-11 Amendment No. 22 (05/07)

Refer to drawing 8770-B-326 Sheet 832 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 SCHEMATIC DIAGRAM INTAKE COOLING WATER PUMP 1A FIGURE 7.4-12 Amendment No. 15 (1/97)

Refer to drawing 8770-B-326 Sheet 833 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 SCHEMATIC DIAGRAM INTAKE COOLING WATER PUMP 1B FIGURE 7.4-13 Amendment No. 15 (1/97)

Refer to drawing 8770-B-826 Sheet 834 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 SCHEMATIC DIAGRAM INTAKE COOLING WATER PUMP 1C FIGURE 7.4-14 Amendment No. 15 (1/97)

Refer to drawing 8770-B-326 Sheet 177 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 SCHEMATIC DIAGRAM CHARGING PUMP 1A FIGURE 7.4-15 Amendment No. 15 (1/97)

Refer to drawing 8770-B-326 Sheet 178 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 SCHEMATIC DIAGRAM CHARGING PUMP 1B FIGURE 7.4-16 Amendment No. 15 (1/97)

Refer to drawing 8770-B-326 Sheet 179 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 SCHEMATIC DIAGRAM CHARGING PUMP 1C FIGURE 7.4-17 Amendment No. 15 (1/97)

Refer to drawing 8770-B-326 Sheet 139 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 SCHEMATIC DIAGRAM CHARGING PUMPS-LEVEL CONTROL FIGURE 7.4-18 Amendment No. 15 (1/97)

Refer to drawing 8770-B-326 Sheet 174 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 SCHEMATIC DIAGRAM BORIC ACID MAKE-UP PUMP 1A FIGURE 7.4-19 Amendment No. 15 (1/97)

Refer to drawing 8770-B-326 Sheet 175 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 SCHEMATIC DIAGRAM BORIC ACID MAKE-UP PUMP 1B FIGURE 7.4-20 Amendment No. 15 (1/97)

Refer to drawing 8770-G-227 Sheet 1 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 REACTOR AUXILIARY BLDG. INSTRUMENT ARRANGEMENT FIGURE 7.4-21 Amendment No. 15 (1/97)

Refer to drawing 8770-G-227 Sheet 2 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 REACTOR AUXILIARY BLDG. INSTRUMENT ARRANGEMENT FIGURE 7.4-22 Amendment No. 15 (1/97)

Refer to drawing 8770-G-227 Sheet 3 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 REACTOR AUXILIARY BLDG. INSTRUMENT ARRANGEMENT FIGURE 7.4-23 Amendment No. 15 (1/97)

Refer to drawing 8770-G-227 Sheet 4 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 REACTOR AUXILIARY BUILDING INSTRUMENT ARRANGEMENT (SH 4) FIGURE 7.4-23a Amendment No. 15 (1/97)

Refer to drawing 8770-G-229 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 MISCELLANEOUS INSTRUMENT ARRANGEMENT FIGURE 7.4-24 Amendment No. 15 (1/97)

FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CHARGING PUMP 1A, 1B, AND 1C INTERFACE WITH NORMAL CONTROLS FIGURE 7.4-25

FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 AUXILIARY FEEDWATER SYSTEM AUTOMATIC INITIATION LOGIC FIGURE 7.4-26

7.5 SAFETY RELATED DISPLAY INSTRUMENTATION (INCLUDES NON-SAFETY RELATED DISPLAY INSTRUMENTATION)

7.5.1 DESCRIPTION

This section describes those instrumentation systems which provide timely information to the operator to enable him to observe safety related and non-safety related parameters and take the appropriate action. Included are:

a) Reactor protective system monitoring (1E)
b) Engineered safety features monitoring (1E)
c) CEA position indication (non 1E)
d) Boron control display instrumentation (1E and non 1E)
e) Plant process display instrumentation (1E and non 1E)
f) Control Boards (1E) and Annunciators (non 1E)

7.5.1.1 Reactor Protective System Monitoring

The reactor protective system continuously monitors the system input parameters and performs the actuation logic required to initiate a trip should these inputs reach their trip setpoints. The reactor protective system is designed such that a trip occurs automatically without the requirement for operator action.

Even though the reactor protective system trip is automatic and does not require operator action, sufficient information is provided to the operator in the control room to allow him to confirm that a trip has taken place or to cause an anticipatory manual trip if desired. This information consists of indication of process parameters which initiate reactor trip, trip and pre-trip lights and audible alarms and CEA position information. (Refer to Section 7.2). Subsequent to a reactor trip, the operator can ensure that the reactor has tripped and that the CEA's are fully inserted into the core by monitoring the CEA position and neutron level information that is provided.

7.5.1.2 ESFAS Monitoring

The engineered safety features actuation system (ESFAS) continuously monitors the system input parameters and performs the actuation logic required to initiate each of the actuation signals should these inputs reach their actuation setpoints. The ESFAS is designed to actuate all components and systems automatically without reliance on operator action.

Even though the ESFAS is automatic, sufficient information is provided to the operator in the control room to allow him to confirm that actuation has taken place or to cause an anticipatory manual trip if desired. This information consists of indication of input parameters which cause signal actuation, actuation channel trip and pre-trip alarms and actuated system process indication and component status indication. This monitoring instrumentation allows the operator to verify that system actuation has occurred, to evaluate post-accident system operation and detect component malfunctions. The specific indications and alarms provided are given in Section 7.5.1.6.

7.5-1 Amendment No. 18, (04/01)

7.5.1.3 CEA Position Indication Systems

Two independent non Class 1E systems of CEA position indication are provided which display CEA position in the main control room. The systems are the pulse counting CEA position indication system and the reed switch CEA position indication system. In addition to these systems, there is a core mimic display which provides CEA travel limit information. The various position indicating systems are described below.

7.5-1a Amendment No. 22 (05/07)

7.5.1.3.1 Pulse Counting CEA Position Indication Systems

The CEA control system includes logic that infers each control element drive system CEA position by maintaining a record of the raise and lower control pulses sent to each magnetic jack mechanism. CEA position information is available on various touch screen flat panels in the control room. A printout is available, on operator demand, of the position of all CEAs or of those CEAs within a given group. The CEA control system also provides deviation information. If the deviation in position between the highest and the lowest CEA in any group exceeds a preset amount, an alarm is sounded. The CEA control system also provides position information for regulating groups out-of-sequence and power and pre-power dependent insertion alarms.

The Distributed Control System (DCS) consists of operator and engineering workstations, displays, printers and racks for the control processors and input and output modules. The DCS is connected to the Plant Data Network (PDN), a system of network switches, fiber-optic cables and other components that integrate the DCS functions. The functions of the Digital Data Processing System (DDPS) were integrated into the DCS. The DCS provides the following functions (previously performed by the DDPS):

  • Calculation of Calorimetric Power - results are displayed on RTGB-104 and on a line printer on a periodic basis.
  • Monitoring of Incore Detectors and Input to the Beacon Core Monitor - status of the incore detectors is monitored and displayed periodically. Alarms are provided should a detector exceed a preset operating range.
  • Xenon and Iodine Concentration Calculations - reactivity worth is calculated on a set frequency for subsequent use to estimate reactor critical conditions during startup operations.
  • Average Tcold temperature and reactor power are calculated and displayed on RTGB-104.

The DCS provides printed records, both periodic and on demand, of all monitored activities via two printers provided in the Unit 1 Control Room. Two operator workstations consisting of keyboards and touch screen flat panel displays are installed on the Operators Console to provide historical, trending or current status of the system inputs. A flat panel display is installed on the RTGB-104 to display Qpower and Tcold.

An engineering workstation is provided in the Southeast corner of the Unit 1 control room. This workstation is used to make configuration changes to the DCS, change alarm setpoints, and modify displays. This location, inside the Control Room but outside the Operators Work Area, allows for Operations supervision of configuration changes without the need for the additional security measures and communications necessary to make such changes from a remote location.

7.5-2 Amendment No. 30 (05/20)

The DCS is designed with expansion capabilities so that additional instrumentation and control systems can be added in the future, which will utilize the same graphical user interface, storage and printing capability. The system architecture and the types and locations of components have incorporated, to the extent practical, reliability, redundancy and diversity. The power supplies have been selected so that any panel, inverter, battery or AC power feed can be removed from service without impact to the PDC, assuming a coincident loss of offsite power.

The DCS will also provide an additional capability. Sequence of Events (SER) records are provided by monitoring the opening and closing of contacts for various pieces of equipment. These reports are utilized to reconstruct events following plant trips or other transients.

7.5.1.3.2 Reed Switch CEA Position Indication System

The reed switch CEA position indication system utilizes a series of magnetically actuated reed switch position transmitters, spaced at 1 1/2-inch intervals along the CEDM housing and arranged with precision resistors in a voltage divider network, to provide voltage signals proportional to each CEA position. These signals are displayed in various Operator selectable graphics (including bar chart format) by a touch screen, flat panel display on the main control board. Two separate and independent hardware / software platforms (Programmable Logic Controllers, PLCs) provide alarm information and CEA motion inhibit on CEA deviation within a group, CEA regulating group withdrawn out-of-sequence, CEA regulating group overlap, power dependent insertion limits exceeded, and CEA regulating or shutdown group rods inserted below operational limits. The common flat panel display can be driven by either PLC chassis via a KVM switch. CEA Position Indication graphics can also be viewed on any other Ovation DCS display station as a backup to the primary display.

The reed switch system is electrically isolated from the pulse counting position system. The reed switch position transmitter (RSPT) associated with each control element assembly (CEA) continuously outputs an analog position signal to two separate and independent hardware / software platforms (Programmable Logic Controllers, PLCs) for CEA position monitoring. These two systems utilize separate pieces of equipment and receive the power required for their operation from two different sources. The RSPT analog position signal for each CEA is wired to the main control board where it is split and wired independently and directly to each of the above two systems.

7.5-2a Amendment No. 30 (05/20)
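The following added example (not part of the UFSAR or of any plant software) models the two position sources described in Sections 7.5.1.3.1 and 7.5.1.3.2 and the group deviation alarm, to show why a measured position and a position inferred from commanded pulses can disagree. Only the 1 1/2-inch reed switch spacing comes from the text; the step size, switch count, reference voltage, deviation limit and the slipped-CEA scenario are constructed assumptions.

```python
"""Added illustration (not plant software): two CEA position sources, one deviation alarm."""

REED_SPACING_IN = 1.5       # from the text: reed switches at 1 1/2-inch intervals
STEP_IN = 0.75              # assumption: CEA travel per raise/lower pulse
N_SWITCHES = 92             # assumption: reed switches per position transmitter
V_REF = 10.0                # assumption: voltage across the divider network
DEVIATION_LIMIT_IN = 4.0    # assumption: the "preset amount" for the group alarm


class PulseCounter:
    """Infers position from the record of pulses sent; it measures nothing."""

    def __init__(self, start_in):
        self.position_in = start_in

    def command(self, pulses):
        """Record raise (+) or lower (-) pulses and return the inferred position."""
        self.position_in += pulses * STEP_IN
        return self.position_in


def reed_voltage(true_position_in):
    """Divider output when the switch nearest the CEA closes on a chain of equal resistors."""
    idx = round(true_position_in / REED_SPACING_IN)
    idx = max(0, min(N_SWITCHES - 1, idx))
    return V_REF * idx / (N_SWITCHES - 1)


def reed_position(voltage):
    """Convert the divider voltage back to a position, quantized to the switch spacing."""
    idx = round(voltage / V_REF * (N_SWITCHES - 1))
    return idx * REED_SPACING_IN


def group_deviation(positions):
    """Spread between the highest and the lowest CEA in one group."""
    return max(positions) - min(positions)


def deviation_alarm(positions, limit=DEVIATION_LIMIT_IN):
    """True when the group spread exceeds the preset amount."""
    return group_deviation(positions) > limit


def run_scenario():
    """Constructed case: 12 raise pulses are sent to a four-CEA group, one CEA slips."""
    start_in, pulses = 60.0, 12
    counters = [PulseCounter(start_in) for _ in range(4)]
    inferred = [c.command(pulses) for c in counters]

    # Constructed fault: the third CEA physically moves on only 4 of the 12 pulses.
    steps_moved = [12, 12, 4, 12]
    true_positions = [start_in + n * STEP_IN for n in steps_moved]
    measured = [reed_position(reed_voltage(p)) for p in true_positions]

    return {
        "pulse_deviation_in": group_deviation(inferred),
        "pulse_alarm": deviation_alarm(inferred),
        "reed_deviation_in": group_deviation(measured),
        "reed_alarm": deviation_alarm(measured),
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

In this constructed case the pulse-counting source sees no deviation because it only records what was commanded, while the reed switch source reports the physical spread and raises the alarm.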

7.5.1.3.3 Core Mimic CEA Position Indication

A core mimic flat panel display is located on the main control board. The normally displayed graphic depicts the reactor core with CEDM locations identified by number. Each CEDM display location on the graphic includes logic for four different background colors which provide the information listed in Table 7.5-1.

7.5.1.3.4 Comparison

The CEA position instrumentation is functionally identical to that provided for Calvert Cliffs Units 1 and 2 (AEC Docket Nos. 50-317 and 50-318) with the exception that the reed switch CEA position indication system for St. Lucie Plant includes a logic package to provide a CEA motion inhibit signal to the CEA Regulating and Shutdown Groups when certain rod programming requirements are not met. In addition, a CEA motion inhibit bypass is provided to allow manual override of the inhibit signal for positioning of the CEA Regulating and Shutdown Groups in accordance with the Technical Specifications.

7.5-3 Amendment No. 30 (05/20)

7.5.1.4 Boron Control Display Instrumentation

Information is provided to the operator to allow regulation and monitoring of the boron concentration in the reactor coolant. The means by which boron control is accomplished are dilution and boration. The volume control tank contents may be maintained at a prescribed boron concentration either manually or automatically. Boron concentration is determined via sampling of the coolant.

Recorders are used to record reactor make-up water flow and boric acid make-up flow. Indication of boric acid make-up tank level is provided in the control room for each tank. These instruments provide information to the operator on the control board on the status of boron control at all times.

The boron concentration, in conjunction with the CEA positions, must be controlled to insure that adequate shutdown margin is maintained for the reactor. Reactor power level versus regulating CEA position is used to provide CEA insertion limits which insure adequate shutdown margin. Thus, if, for a certain power level, decreasing boron concentration is causing the regulating CEA's to be automatically driven excessively into the core, a CEA insertion limit will actuate an alarm (pre-power dependent insertion alarm) and thus indicate this condition to the operator. Should the boration continue, with the resulting further insertion of the CEA's, another alarm (power dependent insertion alarm) is provided. This also prohibits further CEA motion. The CEA insertion alarms are provided redundantly from the two CEA position information sources: the pulse counting system and the reed switch system.

7.5.1.5 Reactor Coolant System Display Instrumentation

The reactor coolant system process display instrumentation measures temperatures, pressures, flows and levels in the reactor coolant system and secondary systems. Process variables required for startup, operation and shutdown of the plant are indicated, recorded and controlled in the control room. Other instrumentation which is used less frequently or which requires a minimum of operator action is located near the equipment. Alternate selected indicators and controls are located at other locations than the control room to allow reactor shutdown should the control room have to be evacuated (See Section 7.4.1.8).

7.5-4 Amendment No. 22 (05/07)

Four independent measurement channels are provided to monitor each process parameter required for the reactor protective system. Redundant channels are provided for engineered safety features actuation to meet the single failure criterion. Two redundant channels are provided to monitor parameters required for critical control functions. These channels and associated sensors are independent of the reactor protective system.

7.5.1.5.1 Coolant Temperature Measurement

The temperature measurements are made with precision resistance temperature detectors (RTDs) which provide a signal to the remote temperature indicating control and safety devices. The following is a brief description of each of the temperature measurement channels:

Hot leg temperature - Each hot leg contains five temperature measurement channels. Four of these channels provide a hot leg temperature signal to the thermal margin/low-pressure trip circuits. The other hot leg temperature measurement channel provides a signal to the loop Tavg computer in the reactor regulating system. The five hot leg temperatures are indicated on the control panel.

Cold leg temperature - Each cold leg branch contains three temperature measurement channels. Two of the channels in each branch provide a cold leg temperature signal to the thermal margin/low-pressure trip circuits. These channels also provide cold leg temperature indication on the control panel. The third cold leg temperature measurement channel in one branch provides a signal to the loop Tavg computers. This channel also provides a high alarm and a signal to an automatic CEA withdrawal prohibit. The third channel in the other branch is recorded on the control board.

Loop average temperature - Each of the two reactor regulating system channels receives a hot leg and cold leg temperature from each loop. The Tavg summer receives input hot and cold leg temperatures from any combination of the loops and provides an average temperature output to the reactor regulating system and to a recorder. The temperature recorder trends the average temperature for each loop and records the programmed reference temperature signal (Tref) corresponding to turbine first stage pressure.

7.5-5 Amendment No. 25 (04/12)

7.5.1.5.2 Pressurizer Pressure Measurement

Pressure is measured by electromechanical pressure transmitters. The transmitter produces a dc current output that is proportional to the pressure sensed by the instrument. The dc current signals are transmitted to remote pressure indicating, control and safety devices. The following is a brief description of each of the pressure measurement channels:

Pressurizer pressure for protective action - Four pressurizer pressure transmitters provide independent narrow range pressure signals. These four independent pressure channels provide the signals for the reactor protective system, high pressure trip and the variable thermal margin/low-pressure trip. The channels also provide the low-low pressure signal to initiate safety injection. All four pressure channels are indicated in the control room and high, low, and low-low alarms are annunciated. Figure 7.2-3 is a functional diagram of one of these channels.

Pressurizer pressure for control action - Two independent pressure channels provide narrow range signals for control of the pressurizer heaters and spray valves. The output of either controller may be manually selected to perform the control function. Outputs from the two pressure control channels are recorded in the control room and provide independent high and low alarms.

Two independent low range pressure measurement channels provide the operator with indication during plant heatup, cooldown and shutdown conditions. They also provide redundant interlock/actuation signals for the shutdown cooling system isolation valves and safety injection tank isolation valves. These two channels provide the signals for the reactor coolant system overpressure mitigating system (OMS).

Two independent wide range pressure measurement channels provide the operator with indication during normal plant operation and for post-accident monitoring on the Qualified Safety Parameters Display System (QSPDS). The pressurizer pressure inputs to the QSPDS are also used to calculate and display subcooled or superheat margins.

7.5.1.5.3 Pressurizer Level Measurement

Level is sensed by level transmitters which measure the pressure difference between a reference column of water and the pressurized water level. This pressure difference is converted to a dc current signal proportional to the level of water in the pressurizer. The dc current output signals are transmitted to remote level indicating and control devices.

Two independent pressurizer level transmitters provide signals to the chemical and volume control charging and letdown system. In addition, signals are provided for pressurizer heater override control. These selected level transmitters are calibrated for steam and water densities existing at normal pressurizer operating conditions.

The two pressurizer level control channels each provide a signal for a level recorder in the control room. This recorder records actual level as sensed by the selected level control channel and the programmed level setpoint signal from the reactor regulating system. In addition to the recorder, each channel also provides a signal for a level indicating meter in the control room.

7.5-6 Amendment No. 30 (05/20)

7.5.1.5.4 Coolant Flow Measurement

An indication of reactor coolant flow is obtained from measurement of the pressure drop between the hot leg piping and the outlet plenum of each steam generator. The pressure drop is sensed by differential pressure transmitters which convert the pressure difference to dc currents. The dc currents provide a signal to the remote flow indicating and safety devices.

Four independent differential pressure transmitters are provided in each reactor coolant loop to measure the pressure drop across the steam generators. The outputs of corresponding transmitters in each loop are summed by pairs to provide four independent signals representative of flow through the reactor core. These signals are indicated and supplied to the reactor protective system for low flow actuation. The differential pressure sensed by each transmitter is indicated in the control room.

7.5.1.5.5 Steam Generator Pressure Measurement

Steam generator pressure is measured by electromechanical pressure transmitters. The transmitter produces a dc current output that is proportional to the pressure sensed by the instrument. The dc current output signals are transmitted to remote pressure indicating, control, and safety devices.

Four independent pressure transmitters are provided to measure the pressure in each steam generator. These signals are indicated and supplied to the reactor protective system for the auctioneered low steam generator pressure trip. In addition, these signals are fed into the engineered safety features system MSIS actuation logic to close the main steam and main feedwater isolation valves of both steam generators upon a low pressure condition.

7.5.1.5.6 Steam Generator Water Level Measurement

Level is sensed by level transmitters which measure the pressure difference between a reference column of water and the steam generator water level. This pressure difference is converted to a dc current signal proportional to the actual steam generator water level. The dc current output signals are transmitted to remote level indicating, control, and safety devices. The following is a brief description of each of the level measurement channels:

Steam generator water level for protective action - Four steam generator level transmitters provide independent narrow range level signals for each steam generator to the reactor protective system for the low steam generator water level trip function. These channels also provide a signal to close the associated feedwater regulating control valve if a high steam generator level is sensed. All four channels are indicated in the control room.

7.5-7 Amendment No. 26 (11/13)

Steam generator water level for control action - Two independent level channels for each generator are provided for the Distributed Control System (DCS): one is for feedwater regulating system three-element control, the other channel is for low power feedwater control.

A more detailed discussion of the use of this process information can be found in Subsection 7.7.1.3.1.

7.5.1.5.7 Nuclear Instrumentation

Nuclear instrumentation is discussed in Section 7.2.1.1.

7.5.1.5.8 Comparison

The process instrumentation is functionally identical to that provided for Calvert Cliffs Units 1 and 2 (AEC Docket Nos. 50-317 and 50-318).

7.5.1.6 Control Panels and Annunciators

7.5.1.6.1 Main Control Panel (RTGB)

The RTGB consists of six separate control panels located in the control room and mounted adjacent to one another in an "L-shaped" arrangement. The components on each panel are grouped functionally with the following functional identification for each panel.

a) Panel 101 - Turbine, Generator and Auxiliaries
b) Panel 102 - Feedwater and Cooling Water Systems
c) Panel 103 - Reactor Coolant System
d) Panel 104 - Reactivity Control
e) Panel 105 - Waste Management and Chemical and Volume Control Systems
f) Panel 106 - Engineered Safety Features Systems

The panels are free standing bench type duplex vertical boards with control switches arranged on the lower bench portion, indicating and recording display instrumentation on the lower vertical section and annunciator windows on the upper vertical section.

Each panel has control switches for the pumps, valves, fans and other components in the functional group associated with that panel. Important system process parameters are displayed on indicators, recorders, or flat panel displays driven by the Distributed Control System (DCS). Equipment status and valve positions are displayed by status lights. The safety related display instrumentation located on each of the panels is listed and identified on Table 7.5-2.

Each panel is designed as a separate structure with open sides for interconnecting wiring between panels. Adjacent panels are bolted together.

7.5-8 Amendment No. 22 (05/07)

7.5.1.6.2 Control Room Auxiliary Console

The Control Room Auxiliary Console (CRAC) was added in the control room to supplement additional RTGB space needed to meet the requirements of NUREG-0737. The CRAC is a four segment console with a bench section and a vertical section. The control switches are arranged in a modular fashion on the lower bench section. Indicating, recording and annunciating are located on the upper vertical section. Control switches are of a modular plug-in design with indicating lights provided on each module as necessary. The safety-related display instrumentation located on CRAC is listed and identified on Table 7.5-2.

7.5.1.6.3 Annunciators

Alarm instrumentation alerts the plant operators to the occurrence of malfunctions in equipment or systems and gives positive notification of changes in plant or equipment status or operating modes. The annunciators in conjunction with the process display instrumentation enable the operator to take proper corrective or anticipatory action if necessary to maintain the plant in a safe condition. Alarms inform the operator of deviations from normal operating conditions, impending occurrence of automatic protective system actuation and status or malfunction of safety systems during post-accident or safe shutdown conditions. The arrangement and identification of the annunciator windows is as shown on Figures 7.5-1 through 7.5-27.

7.5.1.6.4 Radiation Monitoring Panel

The Radiation Monitoring Panel consists of six separate control cabinets located in the control room mounted adjacent to one another. The cabinets have ratemeters, recorders, and annunciators for monitoring plant processes and area radiation conditions. The safety-related display instrumentation located on the Radiation Monitoring Cabinets is listed on Table 7.5-2.

7.5.1.6.5 Post-Accident Panel

The Post-Accident Panel provides recording and indication for the monitoring of plant/system parameters subsequent to an accident. The safety-related display instrumentation is listed on Table 7.5-2.

UNIT 1 7.5-9 Amendment No. 28 (05/17)

7.5.2 ANALYSIS

7.5.2.1 Reactor Protective System Monitoring

Sufficient information is provided to the operator to allow confirmation that a trip has occurred and to determine the process parameter that has provided a trip input. CEA insertion information can be determined by the operator after a trip by CRT bar chart information described in Section 7.5.1.3.2 and CEA Limit Light Indication discussed in Section 7.5.1.3.3. Indication of neutron flux levels in the reactor core as well as other reactor and reactor coolant system information is displayed to the operator.

The following design criteria are the bases for presentation of the display instrumentation:

a) System conditions requiring operator attention during routine plant operations and at the time of reactor trip are displayed on the control board
b) Annunciation of operations performed at the reactor protection system cabinet which affect the function of the system
c) Indication of any selected plant variables that are manually bypassed

7.5.2.2 ESFAS Monitoring

7.5.2.2.1 Performance of Manual Safety Functions

The engineered safety features systems are designed so that no operator action is required for the systems to perform their safety functions following occurrence of a LOCA. The systems actuate automatically when the ESFAS set points are reached and all required component actuations are performed automatically in the required sequence. The adequacy of the automatic actuation is demonstrated in Section 15.4.

Following engineered safety features system actuation, no operator action is required for proper system functioning. The safety injection system, containment spray system, shield building ventilation system and their supporting systems are designed to operate unattended indefinitely. Transfer of safety injection and containment spray pump suction from the refueling water tank to the containment sump is performed automatically on RAS. The control room operator does, however, have sufficient monitoring and alarm instrumentation available to enable him to take corrective or anticipatory action if necessary.

7.5-10

Following manual or automatic actuation, status and monitoring display instrumentation enables the operator to assess the response of the engineered safety features systems. Pump operating lights are provided and process flow rates and pressures are indicated on the control panels. Containment isolation valve position lights are provided. Pump and fan failure alarms are also displayed. Manual control switches allow the operator to attempt to restart tripped equipment or to isolate and take out of service supporting equipment of tripped components.

Leakage of radioactive water from engineered safety features components can be detected by means of high level alarms for the engineered safety features pump room sumps or high area radiation alarms. The leaking header can be isolated by the operator by closure of the containment sump isolation valve (MV-07-2A, 2B).

7.5.2.2.2 Monitoring of Post-Accident Conditions

The information presented below represents the post accident monitoring capability prior to changes implemented post TMI and is retained for historical record. As such, some of the references contained herein (including UFSAR figures and sections) may no longer be appropriate. See Section 7.5.3 for a description of additional monitoring capability.

The ability of the plant to adequately cope with the entire spectrum of postulated incidents, from the trivial to the design basis loss of coolant accident (LOCA), is demonstrated in Section 15.0. A listing of safety-related display instrumentation in the control room is provided in Table 7.5-2.

With the exception of two postulated design basis incidents, the LOCA and the steam line break, the incident spectrum can generally be characterized as follows:

a) The event occurs and automatic controls initiate appropriate protective actions.
b) Instrumentation and control are not subjected to unusual environmental conditions (humidity, temperature, pressure, radiation).
c) Corrective actions are initiated to return the plant to normalcy.

For these events, safety-related display instrumentation provides the necessary information to assess the severity of the incident and to monitor the course of the incident, generally short term events. The plant is generally accessible for inspection of affected areas.

The steam line break within containment or the LOCA expose instrumentation within containment to above normal temperature and pressure. In the case of the LOCA, high radiation fields are present (see Section 12.1)*. The steam line break containment temperature/pressure transient is short term and less severe than the LOCA transient, thus, with regard to environmental design, the LOCA is limiting. Current LOCA transients are illustrated on Figures 6.2-1A to 6.2-1C.

Intelligence generated by instruments located within containment necessary to initiate required automatic actuation of safety features for the LOCA and steamline break are pressurizer pressure, containment pressure, containment radiation, and steam generator pressure. Instrument design data are provided in Table 7.3-1. To insure the required availability of these instruments, all are environmental design category I-B devices (see Section 3.11).

* See Section 3.11 for referencing to responses pursuant to the requirements of IE Bulletin 79-01B. Information is presented therein on the results of the reevaluation of the environmental qualification of equipment including accident monitoring and display instrumentation.

7.5-11 Amendment No. 24 (06/10)

With the exception of the fan cooler units within containment, process instrumentation required to monitor the status of engineered safety features is located outside of containment. Thus, its availability is not affected by the hostile LOCA environment. The sampling system (see Section 9.3.2) and the area monitoring system (see Section 12.1.4) are also located outside of containment. Surveys of the facility provide an independent means of verifying activity levels and equipment performance during the long term post accident period.

Since only the LOCA and steam line break within containment result in unusual environmental conditions within containment, the discussion herein focuses on the limiting incident, e.g., the LOCA. It demonstrates that the existing design provides the operator with sufficient intelligence to assess the severity of the accident and to monitor its course. This is consistent with the design basis for this facility at the time of issuance of a construction permit. Thus, in accordance with 10 CFR 50.109 any modification to the facility resulting from the Staff's position (Question 7.5) is based on whether or not the retrofit results in a substantial increase in the protection of the health and safety of the public.

This notwithstanding, pursuant to the Staff's position, the existing design has been evaluated in terms of post-accident requirements. A design modification has been developed that provides at least equivalent intelligence to that provided for Calvert Cliffs. It provides additional intelligence for the LOCA, and steam line break within containment: it uses an alternate means of determining certain parameters, e.g., sump level; and relies upon instruments that are primarily located outside of containment. Table 7.5-3 summarizes the accident and incident requirements and Table 7.5-4 indicates minimum post-LOCA operator indication and recorder requirements. The discussion below discusses the propriety of the approach.

7.5-12 Amendment No. 24 (06/10)

The phrase long term and short term post-LOCA requirements is utilized in the discussion that follows. To avoid confusion these terms are discussed here. Long term refers to a component that is required to function for the entire duration of the LOCA. Short term can have two meanings. Instruments (sensors) that initiate engineered safety features action (Category I-B devices listed in Section 3.11.1.3) must only function for a very short period of time. Thus, a qualification test of a few minutes, say 15, is more than adequate for these devices. This notwithstanding, they have been conservatively qualified to insure their operability in the post LOCA environment. For example, Figure 1 and 2 (see pages 3A-7 and 8) of Appendix 3A provide the time-history of pressure and temperature over the "24" hour qualifications test period for the various pressure sensors. Comparison (Figure 6.2-1A and 6.2-1C) illustrate that (i) the qualification test results are conservative, and (ii) after 24 hours containment temperature and pressure are not particularly adverse to component operation. The second usage of short term applies to components that are utilized during the short term phase of emergency core cooling, i.e., from initiation of the LOCA to completion of actions resulting from RAS (recirculation actuation signal).
After RAS the ECCS and other safety systems are aligned for long term operation. Accordingly, components required during the initial phase of the plant's reaction to the LOCA are said to be required for the short term, and those required thereafter for the long term. Seismic design requirements are imposed on instruments required for the LOCA and steam line break only. (These requirements are not applied to area radiation monitors, and the plant's sampling system.) Instruments within containment that are required to operate in the long term post-LOCA environment and their associated cables are qualified accordingly.

7.5-13 Amendment No. 18, (04/01)

With regard to the sensors, they are qualified for 24 hours under pressure and temperature conditions more severe than the LOCA. Since after the initial transient the conditions within containment are essentially equivalent to normal conditions and the units survived the test without malfunction, the test is considered adequate to verify long term capability. Nonetheless, long term indication of containment parameters is assured by the following instruments, which are located outside of containment.

a) Containment Pressure - A containment pressure signal is directly obtained from the penetration with the transmitter located in the Reactor Auxiliary Building.

b) Containment Temperature - Containment ambient air temperature indication and record will be obtained from RTDs with the recorder temperature transmitter mounted on the post accident panel. Containment sump temperature is obtained by measuring the containment sump liquid temperature. Temperature is derived from a device located in the containment spray suction line as close to the containment as possible. After about 5 1/2 hours thermodynamic equilibrium is achieved. Thus sump temperature provides long term containment atmospheric temperature. Figure 6.2-1B provides the LOCA atmosphere temperature transient. Air temperature signals are obtained from two temperature sensors in containment.

For each of these new instruments, one channel is indicated in the control room and one channel recorded. These are the only signals required for long term post-LOCA. Pressurizer pressure is only required to initiate SIAS. All controlled effluents from the containment are exhausted via the seismically restrained plant vent. The vent monitor, therefore, measures the radioactivity level in the effluent releases. For TID 14844 type releases the sensing device will be saturated.
For releases more representative of anticipated accident conditions, i.e., a small fraction of TID (< 10^-4 TID concentrations) useful monitoring capability is available. Because it is desirable to assess the severity of the LOCA as quickly as possible, post-LOCA radiation sensors are provided. These radiation monitors are located within the RAB. They are shielded as required to monitor radiation levels within containment from 10^7 rads/hour to about 10^3 rads/hour. Two channels are provided with one indicated and the other recorded. See discussion of high range containment radiation monitors in Section 12.1.4.5 for current descriptions. Sufficient containment spray system information is provided to perform a heat balance on the shutdown heat exchangers. Thus, by securing the fan cooler units the heat being removed from containment can be measured. Generally, electrical separation is provided as follows. Where redundant systems are provided and/or the system only is required for the short term, I/I devices are used to derive the signals for the recorder. Where long term operation is required, redundant primary devices are provided.

7.5-14 Amendment No. 24 (06/10)

The discussion that follows describes how the operator (i) assesses the severity of the accident; (ii) ensures containment integrity; and (iii) ensures engineered safety features are operating properly. It also discusses reactor coolant system intelligence.

a) Assessing the Severity of the Incident

The operator will be able to assess the severity of the postulated incident. Since plant access will be limited for a period of time subsequent to the incident, the capability to assess the severity of the incident from the control room is appropriate. The following assures this criterion is met:

1) Containment Pressure - The pressure within containment will be available immediately to assess the magnitude of the pressure/temperature transient within containment.
2) Radiation within Containment - The CIS monitors provide indication of radiation levels within containment. Exceeding their range of 0.01 to 100 R/hr will indicate immediately that the fission product release is substantial. The new post LOCA radiation monitors will extend the range to that associated with TID releases.
3) Hydrogen Concentration within Containment - During the early stages of the incident, hydrogen content within the containment provides the intelligence from which the extent of metal-water reaction and ECCS performance may be inferred. The hydrogen analyzer system (see Section 6.2.5.2.3) provides the ability to measure the containment hydrogen concentration without laboratory analysis. Design and performance data for the hydrogen analyzer is found in Table 6.2-24. Direct sampling capability is also provided.
4) Refueling Tank Water Level - The refueling water tank level instruments will indicate when the recirculation mode is required and automatically initiate the necessary actions to establish the long term post LOCA mode of operation. The time to initiate RAS will provide information which may be useful for determining the size of the leak.

b) Containment Integrity

The operator will have the ability from the control room to determine the integrity of the containment and to insure maintenance of the containment controlled leakage path via the subatmospheric annulus surrounding the containment vessel. Monitoring of pressure and hydrogen (hydrogen analyzer or direct sampling) provides sufficient long-term containment environmental monitoring capability.

7.5-15 Amendment No. 24 (06/10)

1) Containment Isolation - Table 6.2-16 provides a listing of containment isolation valves. All remote manual and automatic trip valves are provided with position indicators in the control room. Signals derived from within containment will provide reliable short term indication of valve position. Administrative controls insure that all manual isolation valves are locked closed (see Section 6.2.4).
2) Personnel Air Lock - The post LOCA pressures within containment will insure that each personnel air lock is securely closed. Two doors are provided and they are mechanically interlocked to insure that one door cannot be opened until the second door is sealed (see Section 3.8.2.1.10(f)). Control room indication of door position is provided. Open door position is alarmed in the control room.
3) Annulus Vacuum - Annulus to atmospheric differential pressure indication is provided in the control room. This will provide indication of the establishment and maintenance of the containment controlled leakage path.
4) Containment Pressure - Containment pressure sensors directly measure containment pressure and are located outside of containment. Containment pressure indication is provided in the control room.
5) Containment Temperature - Since water, steam, and air are in thermodynamic equilibrium, monitoring pressure is sufficient to verify that the containment transient has been suppressed.

To comply with the Staff's position, containment sump water temperature and containment atmosphere temperature indications were provided. This provides direct long term containment temperature indication. The containment temperature monitors have redundant, physically separated channels, are energized from the redundant Class 1E instrument power supply systems, are indicated and recorded in the control room, and are qualified for post-LOCA environment. Component cooling water temperatures on the discharge of the containment cooling units (0-600°F) and shut down heat exchanger outlet temperature (0-400°F) provide means to monitor temperature trends within containment and to infer containment temperature. These sensors are located outside of containment.

6) Containment Hydrogen - The hydrogen analyzer system is available for long term monitoring of hydrogen concentrations within containment. The capability for direct sampling of hydrogen is also available.

c) Reactor Coolant System

For LOCA transients, the initial suppression of the transient is independent of any detection or actuation because the core is reflooded by the passive safety injection tank system. Long term indication of RCS conditions is not required for monitoring the LOCA. Pressurizer pressure is required to initiate safety systems and the sensors are qualified accordingly. However, as noted below, some intelligence, which is not required, will be available.

7.5-16 Amendment No. 24 (06/10)

1) Pressurizer Pressure - Pressurizer pressure sensors are qualified for 24 hours (see Appendix 3A). The test conditions of temperature and pressure are more severe than LOCA conditions. Since containment environmental conditions after 24 hours are not very severe (less than 5 psig and 150°F), it may be concluded that the long term availability of the low range (0 to 1600 psia) and high range (1500 to 2500 psia) indication is likely.

The high pressure safety injection header pressure indicators (PI-3308 and 3309) can provide intelligence from which RCS pressure and pressure trends can be inferred. The sensors are located outside of containment (see Figure 6.3-1), and their indicating range is 0 to 2500 psig.

2) Pressurizer Level - For the LOCA, the rate of RCS coolant inventory loss is high, thus the RCS water level will be quickly reduced beyond the span of the pressurizer level instrumentation. Restoration of pressurizer level is not required for suppression of the LOCA transient, thus pressurizer level indication is not required.
3) Reactor Coolant Temperature - The RCS will be filled with a saturated steam water mixture. Thus, any indication of RCS pressure provides RCS temperature.

d) Engineered Safety Features Within Containment

1) Containment Cooling System - The system is located in the containment (see Section 6.2.2) and is qualified for long term post-LOCA operation within containment. The four fan cooler units are designed to run at 100% flow and any low flow condition is alarmed in the control room.
2) Safety Injection Tanks - These tanks are passive components that perform their function independent of any actuating device shortly after initiation of the postulated leak. They serve no function thereafter.
3) NPSH Requirements - Technical Specification minimum level will ensure a minimum of 411,260 gallons from the refueling water storage tank are injected into containment before initiation of the recirculation actuation signal. The water level within containment resulting from the injection of 411,260 gallons is at elevation +23.66 feet which is about 32 feet above the suction nozzles of the engineered safety feature pumps. Note that all liquids released within containment drain to the containment sump. This elevation provides adequate NPSH for the ESF pumps (see sections 6.3.2.2.1 and 6.3.2.3). It may be concluded that refueling water tank level is adequate to determine when to initiate the recirculation mode; thus, containment sump level indication is not required for this purpose.

7.5-17 Amendment No. 26 (11/13)

The previous discussion provided herein demonstrates that the operator has sufficient intelligence to determine that (i) an accident has occurred; (ii) systems have responded properly; and (iii) the course of the accident is monitored. Containment pressure and radiation with confirmatory hydrogen concentration data is sufficient for the operator to provide the appropriate authoritative information required for emergency planning purposes. Containment temperature is not required for this determination. Containment transients for various postulated pipe breaks are provided by the figures associated with Section 6.2 of the FSAR. For the sake of this discussion, the most severe LOCA transient, namely, that associated with the 9.82 square foot slot break is discussed (see Figures 6.2-1A to 6.2-1C). For this case, the containment atmosphere and sump water temperature (which is previously provided in the St. Lucie post-LOCA monitoring system described herein) provides containment atmosphere temperature indication directly. Thus, the Staff's requirement for direct containment temperature indication applies to only about a 5.5 hour period immediately following occurrence of the LOCA.

7.5-18 Amendment No. 22 (05/07)

For the Staff to impose a backfit in accordance with the Commission's regulations at 10 CFR 50.109, it must be demonstrated that the addition of containment temperature devices to provide a direct containment temperature reading for the first several hours of the post-LOCA period provides "substantial, additional protection which is required for the public health and safety..." It is applicants' position that substantial benefit cannot be demonstrated because:

1. Sufficient intelligence is provided for the operator to determine quickly the severity of the LOCA and whether or not the incident is proceeding in accordance with calculations. (Due to the conservative nature of the containment transient analyses it is most likely that the real-world LOCA transient will be much less severe than predicted by Section 6.2 analyses.)
2. Equipment required for post-LOCA operation has been qualified appropriately for this post-LOCA environment. Pressure indication provides adequate intelligence to determine whether or not design conditions have been exceeded.
3. Post-LOCA transient anomalies will determine the requirements for offsite protective measures.

Emergency planning does not rely on knowledge of containment temperature. It is noteworthy that the short term containment temperature transient is relatively insensitive to the large variations in pressure (see Figure 6.2-1A and -1C). The temperature is essentially the saturation temperature associated with the partial pressure of steam. In addition, the partial pressure of air is very insensitive to relatively large fluctuations in containment temperature, and can be readily estimated with reasonable accuracy. Thus, the containment temperature can be estimated with acceptable accuracy from containment pressure and a table of thermodynamic properties of steam.

In summary, it is the Applicants' position that no undue risk to the public health and safety results from the lack of direct containment temperature indication during the first several hours immediately following the LOCA, and that temperature indication is not required to achieve the post-LOCA monitoring functions cited supra. However, direct containment temperature indication will be provided as required by Supplement No. 1 to the SER dated 5/9/75.

7.5.2.3 CEA Position Indication Systems

CEA position indication is provided to allow the operator to easily determine the position of all of the CEAs within the reactor core. The information is presented in a form that can be easily assessed by the operator. He can easily determine that the CEAs are correctly positioned at each core location, that a CEA has dropped into the core, or that the CEA positions are as required after a reactor trip. The following design criteria were used in selection of the CEA position indication system:

a) redundant and diverse means of indicating CEA position are provided;

7.5-19 Amendment No. 22 (05/07)

b) position readouts of all CEAs may be obtained;
c) continuous position readouts of any selected CEA are available;
d) redundant means of alerting the operator to deviation of CEAs within a group, out-of-sequence withdrawal or insertion of regulating CEAs, and the exceeding of power dependent insertion limits are provided;
e) a permanent record may be made of the position of any or all CEAs; and
f) separate "full-in" and "full-out" indication is provided for each CEA.

7.5.2.4 Boron Control Display Instrumentation

Sufficient information in the form of reactor coolant sample results, monitors, alarms, and recorders is provided to the operator to allow monitoring of the boron concentration and proper performance of any required operations to change the boron concentration. Operators are provided with boron concentration (from sampling) along with boric acid flow and makeup water flow single channel recorders in the control room. Instrument ranges for these recorders are selected in accordance with standard engineering practices. Instrument accuracies for these recorders are selected such that existing instrument loop performance and safety analysis assumptions remain valid. In addition to the above, a boron dilution alarm is provided by the excore neutron flux monitoring system. See Section 7.5.5.1.

7.5.2.5 Reactor Coolant System Process Display Instrumentation

Instrumentation is provided to give the operator sufficient information to monitor conditions in the reactor coolant system and secondary system and perform any operations that are required.

7.5-20 Amendment No. 21 (12/05)

The following design criteria were used in the selection of plant process instrumentation:

a) Provide continuous monitoring of process parameters required by the operator for system operation
b) Provide a permanent record of those parameters for which trend information is useful
c) Provide display information to the operator that is reliable, comprehensible, and timely
d) Provide multiple channels of indication for reactor protective system, and engineered safety features actuation system process parameters to allow cross-checking of channels
e) Provide instrumentation display that adequately monitors the parameter over the range required for various conditions.

A discussion of each parameter is provided below.

7.5.2.5.1 Coolant Temperature

Four channels of hot leg and cold leg reactor coolant temperature indication are provided for each loop. Temperature indication is provided over the range of operating conditions and the channels may be cross-checked during operation. Additional channels are recorded over a wide range and indicated over a narrow range.

7.5.2.5.2 Pressurizer Pressure

The pressurizer pressure channels provide continuous, accurate, redundant system pressure information over the range of all plant operating conditions. Four redundant channels of indication are provided for those channels that provide input to the reactor protective system. This allows cross-checking between channels to assure operational availability of each input sensor during operation. Low range pressure indication and recording are also provided.

7.5.2.5.3 Pressurizer Level

Two channels of pressurizer level information are provided. Each channel provides indications of level. The pressurizer level recorder indicates actual pressurizer level and the pressurizer level setpoints. Either channel of pressurizer level information can be recorded.

7.5-21 Amendment No. 24 (06/10)

7.5.2.5.4 Coolant Flow

Four channels of reactor coolant flow are indicated on the control board. These channels provide indication of steam generator flow over the range of operating conditions. The channels may be cross-checked with each other during operation.

7.5.2.5.5 Steam Generator Pressure

Four channels of steam generator pressure are indicated on the control board. The range of indication covers those pressures relating to plant operating conditions. The four pressure indications allow cross-checking of the channels during operation.

7.5.2.5.6 Steam Generator Water Level

Four channels of steam generator water level are indicated on the control board for each steam generator. The range of indication is derived from the upper and lower sets of level taps on the steam generator and covers the expected levels during various operational conditions. The four level indicators allow cross-checking of the channels during operation. Additional channels of level are utilized in the feedwater regulating system. These channels also provide level indication and recording in the control room. In addition, there are two (2) wide range steam generator water level channels located in the control room for each steam generator. The range of indication is derived from an upper level tap and a lower level tap.

7.5.2.5.7 Nuclear Instrumentation

Indication and/or recording is provided for the neutron flux power over a total range from shutdown to 200 percent of rated power. Four redundant neutron flux monitoring channels provide logarithmic power indication for each channel from 2 x 10^-8 to 200 percent power. The higher of either neutron or thermal power is redundantly indicated from 0 to 200 percent power. Recording of logarithmic power is provided on a one-out-of-four selected channel basis and for the selected linear power range control channel. Axial shape index and associated positive and negative limits are also indicated for each safety channel.
7.5.2.5.8 Pressurizer Relief and Safety Valve Position Indication

Direct indication of relief and safety valve position is provided in accordance with the requirements of Item II.D.3 of NUREG-0737. A position indicating monitoring system detects pressurizer relief and power operated relief valve position by continuously and automatically detecting acoustic signals generated by flow through the valves. This is accomplished by means of accelerometers mounted on the valve discharge piping.

7.5-22 Amendment No. 24 (06/10)

A common audio visual alarm and individual valve position are provided in the control room. The system is powered from a Class 1E power source.

7.5.2.6 Control Panels and Annunciators

The control panels and annunciators are arranged in functional groupings to allow the operator to assess quickly the operating conditions of the various plant systems over the full range of normal operating and accident conditions. Safety related parameters in the reactor protective system, ESFAS and systems required for safe shutdown are indicated and/or annunciated. This monitoring instrumentation provides means of detecting malfunctions in safety related systems. Wiring inside the panels is arranged so that any device mounted on the panel may be removed without removing or disconnecting adjacent equipment. Physical separation within the panels is provided between redundant safety related wiring and components which are identified as SA, SB or SAB corresponding to the emergency electrical load group to which they belong. Panels containing more than one set of redundant components are subdivided into compartments divided by a fire barrier. No cable terminal blocks or other components are located closer than one inch to the barrier. No single panel compartment contains wiring or other components of two redundant safety systems. Wiring entering the panels for redundant systems is run in separate fully enclosed steel raceways to separate boxed-in terminal boxes. Wiring from the terminal boxes to panel mounted equipment is carried in separate conduit or enclosed raceways. Physical separation is similarly maintained in the panels among the four protection system measurement channels MA, MB, MC and MD. Identification of redundant wiring and components is as described in Section 8.3.1.2.3.
7.5.3 TMI RELATED ADDITIONAL ACCIDENT MONITORING INSTRUMENTATION

7.5.3.1 Containment Pressure Monitors

In compliance with NUREG-0737 permanently installed wide range containment pressure monitors are provided for post-accident monitoring of containment pressure.

7.5.3.1.1 Design Bases

a) Measurement and indication capability is provided over a range of -5 psig to four times the containment design pressure (175 psig).

7.5-23 Amendment No. 22 (05/07)

b) Safety related redundant instrumentation channels are provided to meet the single failure criteria.
c) Continuous indication and recording of containment pressure is provided in the control room.
d) Each instrument covers the entire pressure range.
e) The monitoring instrumentation inputs are from sensors that directly measure containment pressure and provide input only to the containment pressure monitors.
f) An instrumentation channel is available during normal operation prior to an accident as specified in plant technical specification.
g) Testing and calibration requirements are specified in plant technical specification.
h) The instruments are specifically identified on the control panels so that the operator can easily discern that they are intended for use under accident conditions.

7.5.3.1.2 Design Description

The containment pressure detectors are electronic transmitters mounted outside the Reactor Containment Building. The detectors share existing containment pressure transmitter sensing lines which penetrate the containment. A normally open fail closed solenoid valve with remote manual control from the control room is provided for containment isolation for each loop. The redundant containment pressure monitoring channels are provided with indicators in the control room and one of the channels is recorded in the control room.

7.5.3.1.3 Safety Evaluation

The containment pressure monitors, sensing lines and solenoid valves are designed to withstand maximum containment pressure and temperature. Two more channels of containment pressure monitoring instrumentation are provided as post-accident monitors (refer to Table 7.5-2). These are available for verification purposes in the unlikely event that the TMI related containment pressure monitors display conflicting information. Channel calibration and channel check are performed periodically.
7.5.3.2 Containment Water Level Monitors

In compliance with NUREG-0737, permanently installed narrow and wide range containment water level monitors are provided for post-accident monitoring. The narrow range instrument covers the range from the bottom to the top of the reactor cavity sump. The wide range instruments cover the range from the bottom of the containment to the elevation equivalent to 600,000 gallon capacity.

7.5-24 Amendment No. 22 (05/07)

7.5.3.2.1 Design Bases

a) Safety-related, redundant wide range water level monitors are provided to meet the single failure criteria.
b) One narrow range containment water level monitor is provided.
c) Continuous indication and recording of containment water level is provided in the control room.
d) Adequate overlapping of the ranges of narrow and wide range monitors is provided.
e) Signals from the associated sensors are only used for monitoring the containment water level.
f) The availability requirement of the wide range containment water level monitors is specified in plant technical specification.
g) Testing and calibration requirements are specified in plant technical specification.

7.5.3.2.2 Design Description

The wide and narrow range containment level transmitters are located inside the containment. The narrow range monitor measures discrete level points from four inches above the bottom of the sump (Elev. -6'-8") to the top of the sump (elevation 0 ft.). The wide range monitors measure discrete level points from elevation -1 ft. to elevation 26'-1" of the containment. The two channels of wide range level monitors are indicated in the control room, one channel is recorded. The narrow range level monitoring channel is both indicated and recorded in the control room.

7.5.3.2.3 Safety Evaluation

The containment level monitors and sensing lines are designed to operate under the postulated design basis accident environment. These monitors are provided strictly for monitoring purposes. The narrow range water level instrument is primarily used during normal operation and does not serve any safety-related function post-accident.

7.5.3.3 Subcooled Margin Monitor System

The Subcooled Margin Monitor System is described in Section 7.5.4.2.

7.5-25 Amendment No. 24 (06/10)

7.5.3.4 High Range Containment Radiation Monitors

The high range containment radiation monitoring system is described in Section 12.1.4.5. This system has the capability to detect and measure radiation levels within the containment during and following an accident.

7.5.3.5 Noble Gas Effluent Radiation Monitors

The noble gas effluent radiation monitoring system is described in Section 11.4.2.7. This system is designed to measure release of radioactive noble gases from the plant.

7.5.4 SAFETY ASSESSMENT SYSTEM/EMERGENCY RESPONSE DATA ACQUISITION AND DISPLAY SYSTEM AND QUALIFIED SAFETY PARAMETER DISPLAY SYSTEM

7.5.4.1 Safety Assessment System/Emergency Response Data Acquisition and Display System

The Safety Assessment System (SAS)/Emergency Response Data Acquisition and Display System (ERDADS) of the St. Lucie Plant is designed to fulfill the requirements of NUREG-0696 and NUREG-1394 for a data gathering, storing and display system for providing necessary data to the Safety Parameter Display System (SPDS) plus other Emergency Response Functions data required in the plant control rooms. The SAS/ERDADS also provides data to the Technical Support Center, Emergency Offsite Facility, and to the NRC's remote facilities through the PI servers. The Distributed Control System (DCS) was expanded to include the SAS/ERDADS subsystem. This ERDADS subsystem to the DCS is referred to as ERDADS/DCS or just DCS. The DCS provides a centralized, flexible, computer-based data and display system to assist control room personnel in evaluating the safety status of the plant. This assistance is accomplished by providing the operators, the Emergency Response Facilities (ERFs) and the NRC with high-level graphical displays containing a minimum set of key plant parameters representative of the plant safety status.

The Safety Parameter Display System portion of the SAS is implemented on a flat panel display (FPD) which is seismically mounted in an area of the Control Room visible to the control room operator and the senior reactor operator. This FPD contains the high-level display from which the overall safety status of the plant may be assessed.

7.5-26 Amendment No. 25 (04/12)

The system specified by the U.S. Nuclear Regulatory Commission to fulfill the data collection needs of the NRC is the Emergency Response Data System (ERDS). The ERDS data link provides a direct near real time transfer of parametric reactor data of specified data points from the SAS/ERDADS DCS to the NRC Operations Center through the PI servers. The ERDS data link is used only during emergencies and is activated by the licensee during declared emergencies classified at the ALERT or higher level. Specified data parameter points include (1) core and coolant system conditions, (2) conditions inside containment, (3) radioactivity release rates, and (4) Meteorological Tower data. This information allows the NRC to assess the potential or actual impact on public safety. The SAS/ERDADS hardware system utilizes a redundant component configuration to insure high availability. The SAS/ERDADS equipment is composed of:

1. Field inputs to the SAS isolation cabinets to the ERDADS/DCS.
2. Hardware and software necessary to communicate with the Radiation Monitoring System and the Meteorological System.
3. Man Machine Interface (MMI) display stations which are provided in the Unit 1 Control Room, the Technical Support Center and in the Emergency Offsite Facility through the PI servers.

The system is supplied with highly reliable non-Class 1E power from two uninterruptible 120 VAC sources (battery-backed inverters). This design eliminates momentary interruptions due to circuit transients or power-supply failures and fluctuations. Sufficient power is available for the system to function following a loss of offsite power and failure of both emergency diesel generators to start or load through activation and full functional operation of the Technical Support Center. Additionally, the architecture of the computer system itself minimizes the probability of the system suffering an outage from an internal single failure. The SAS/ERDADS is implemented on a digital computer system. The display software that controls the sensor data, key parameter construction and display formats has been developed under strict verification and validation. Verification and validation is addressed and designed into the SAS DCS software to provide a highly reliable product and mechanism for identifying and controlling future changes.

7.5.4.2 Qualified Safety Parameter Display System (QSPDS)

The Qualified Safety Parameter Display System (QSPDS) installed at St. Lucie Unit 1 satisfies the NUREG-0737 requirement for a redundant Class 1E Inadequate Core Cooling (ICC) instrumentation processing and display system. The QSPDS consists of a Subcooled Margin Monitor System, Heated Junction Thermocouple System and a Core Exit Thermocouple System. The QSPDS is a micro-processor based signal processing system with an RTGB mounted display unit and associated keyswitch panel and trackball assemblies for each of the two channels. Each channel receives and processes signals and transmits the output to the flat panel display unit. The three main functions of the QSPDS are to process input signals, display the information to the control room operator, and transmit data to the Safety Assessment System.
Inputs into each channel of the system consists of up to 22 Core Exit Thermocouple signals (up to 23 for channel B), 8 Heated Junction Thermocouples (four operable required), 4 RCS leg temperatures and 1 pressurizer pressure input. The outputs of each channel consist of a fiber optic link to the RTGB mounted flat panel display unit and a new foxboro I/A based communication link to the PSL Unit 1 DCS. In addition, each QSPDS channel will provide 3 ICC alarm outputs (low subcooling margin, low reactor vessel level, high CET temp) and a QSPDS trouble alarm. The Core Exit Thermocouples, Heated Junction Thermocouples, RCS leg temperatures and pressurizer pressure are used as inputs in calculating subcooled or superheat margins. The Heated Junction Thermocouples are also used to detect RCS inventory loss. The SAS/ERDADS is implemented on a digital computer system. The display software that controls the sensor data, key parameter construction and display formats has been developed under strict verification and validation. Verification and validation is addressed and designed into the SAS DCS software to provide a highly reliable product and a mechanism for identifying and controlling future changes. 7.5-26a Amendment No. 30 (05/20)

7.5.4.2.1 Alternate Reactor Vessel Level Monitoring

Technical Specifications required that an alternate method of determining reactor vessel level be implemented when both channels of RVLMS are out-of-service. The alternate methods are:

1) Mismatch between charging and letdown with incorrect response of pressurizer level to pressurizer spray or charging;
2) CET indicated temperature in the superheat region;
3) Unheated junction thermocouples indicating superheat.

PWR operators have been trained on these methods as part of the Mitigating Core Damage Courses required following TMI.

7.5.4.2.2 Mismatch between charging and letdown with incorrect response of pressurizer level to pressurizer spray or charging

This process to identify voids was incorporated into St. Lucie procedures following the Natural Circulation Cooldown event on Unit 1. A void developed in the reactor head due to incomplete cooling of the upper head region. The void was identified by the mismatch in charging and letdown and the opposite response to pressurizing sprays. With voids present in the reactor vessel head, increasing pressurizer sprays causes pressurizer level to rise. A reduction in sprays and increased charging would cause pressurizer level to decrease. Both of these indications are abnormal and opposite to what is expected for a subcooled RCS. Post event evaluations confirmed the creation and collapse of a reactor head void.

7.5.4.2.3 CET indicating temperatures in the superheat region

Events where RCS inventory is reduced to the top of the core can be determined by use of the CETs. Once the core becomes uncovered, the steam rising from the core would become superheated as it passes over the top of the uncovered fuel assemblies. The CETs can be used to monitor this condition by providing a temperature that indicates the steam has entered the superheat region. Pressurizer pressure and steam tables would have to be used in conjunction with the indicated temperature to determine that the steam is being superheated. The CETs can be read directly on QSPDS.

7.5.4.2.4 Unheated Junction Thermocouples Indicating Superheat

As discussed above, thermocouples can be used to determine if superheated conditions exist in the reactor core. The RVLMS uses both heated and unheated thermocouples to determine reactor vessel level. If the unheated thermocouples are available, they can be used and temperatures read from QSPDS.

7.5-26aa Amendment No. 18, (04/01)

7.5.5 EXCORE NEUTRON FLUX MONITORING SYSTEM

The Excore Neutron Flux Monitoring System provides wide range and source range neutron flux monitors with independent displays in the Control Room and on the Hot Shutdown Panel. This system is designed to meet the NRC requirements necessary to support the NFPA 805 Nuclear Safety Capability Assessment and Regulatory Guide 1.97, Revision 3, Category 1 variables. The Excore Neutron Flux Monitoring System consists of two redundant Class IE channels each consisting of the following major components:

a) Fission chamber neutron detector assembly
b) Cable assemblies with qualified junction box
c) Containment triaxial cable penetration feedthrough modules
d) Amplifier assembly
e) Signal Processing Assembly
f) Control Room instrumentation (displays & trend recorder)
g) Hot shutdown panel instrumentation (displays)

The Excore Neutron Flux Monitoring System is designed to provide neutron flux measurement from 5 x 10^-2 nv (neutron/cm^2-sec) to 5 x 10^9 nv. The complete system with the exception of the fission chamber neutron detector assemblies, associated cables and electrical penetration feedthroughs is installed outside the Reactor Containment Building. Signals are transmitted via shielded twisted pairs (STP) between the amplifier and signal processor. Each channel provides a wide range output and source range output covering the lower five decades. The Excore Neutron Flux Monitoring channel output Class IE signals (wide range power, source range power, rate of change and Boron Dilution) are displayed simultaneously on the control room meters (RTGB-104) and the recorders on PACB in the Control Room (wide and source range power). Non Class IE signals for the source and wide range are indicated in the Hot Shutdown Panel. In addition, a non-class IE (isolated output) signal is provided for the Boron dilution monitors located on the bench section of RTGB-104. The monitor is powered from non-class IE power supply.

Display          Sensitivity   Output Range         Range
Startup range    20 cps/nv     1 to 10^5 cps        5 x 10^-2 to 5 x 10^3 nv
Wide-range log   20 cps/nv     2 x 10^-8 to 200%    5 x 10^-1 to 5 x 10^9 nv
Period           1.25 V/dpm    -1 to +7 dpm         5 x 10^-1 to 5 x 10^9 nv

UNIT 1 7.5-26b Amendment No. 28 (05/17)

The source range circuitry monitors neutron flux from 5 x 10^-2 nv to 5 x 10^3 nv and provides two isolated 4 to 20 mA analog outputs representing a log count rate of 1 to 10^5 counts per second (cps). The log count rate Class IE parameter is displayed on the control room indicators and the trend recorder. The log count rate non-class IE isolated parameter is indicated on the HSP via Dixson meters. The wide-range log power circuit monitors the neutron flux from 5 x 10^-1 nv to 5 x 10^9 nv and provides two isolated 4 to 20 mA analog outputs. The wide flux range is displayed on a 10 decade indicator as 2 x 10^-8 to 200% power. Wide-range log power and wide-range log power rate-of-change (-1 to +7 dpm) Class IE signals are displayed on the control room Dixson meters and the recorders on PACB. Non Class IE isolated signals for wide flux range are displayed on the HSP. A functional block diagram of the system is shown on Figure 7.5-29.

7.5.5.1 Boron Dilution Alarm

Reactivity control in the reactor core is affected, in part, by soluble boron in the reactor coolant system. The boron dilution alarm (BDA) utilizes the start-up channel nuclear instrumentation signals to detect a possible inadvertent boron dilution event while in Modes 3-6. There are two redundant boron dilution monitoring channels to ensure detection and alarming of the event. The BDA operates in a manner similar to the Unit 2 boron dilution alarm system. The BDA alarm logic is designed to follow the decreasing neutron flux signal after a reactor shutdown occurs, including when the neutron flux signal levels out at the core's configuration steady state level. If the neutron flux signal increases, the alarm setpoint remains equal to what it was just prior to the flux increase. A boron dilution event is detected when the neutron flux signal is equal to or greater than the alarm setpoint.
Each BDA channel provides an alarm signal to the plant annunciation system upon detection of a dilution event, with each channel having its own separate annunciator alarm window. The BDA has the capability for the operator to input a reset signal to the system. This reset capability allows the BDA to be acknowledged and alarm detection to be reset based on current plant conditions. The BDA is powered from an offsite power source with an onsite backup power source. Both BDA channels are powered from the same source, but via separate fuses.

7.5-26c Amendment No. 24 (06/10)
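The setpoint-tracking behaviour described in Section 7.5.5.1, modelled as an added example; it is not the licensee's or the vendor's implementation. The margin between flux and setpoint, the latching of the alarm, the log-linear scaling of the 4 to 20 mA source-range output and the class and function names are assumptions, and the signal trace is constructed.

```python
"""Added example: trailing-setpoint boron dilution alarm (BDA) model."""

# ASSUMPTION: the page gives no ratio between flux and setpoint; 1.5 is hypothetical.
ASSUMED_MARGIN = 1.5
MA_LOW, MA_HIGH = 4.0, 20.0   # source-range analog output span (from the page)
DECADES = 5.0                 # log count rate of 1 to 10^5 cps (from the page)

# Constructed loop-current trace: flux decays, levels out, then rises.
CONSTRUCTED_TRACE_MA = [13.6, 12.0, 10.4, 10.4, 10.72, 11.04]


def ma_to_cps(ma):
    """Convert a source-range loop current to counts per second.

    ASSUMPTION: the output is linear in log10(cps) across the 4-20 mA span.
    A current outside the span is rejected rather than extrapolated, so a
    failed or spoofed loop signal is not silently read as a flux value.
    """
    if not MA_LOW <= ma <= MA_HIGH:
        raise ValueError(f"loop current {ma} mA is outside the 4-20 mA span")
    return 10.0 ** ((ma - MA_LOW) / (MA_HIGH - MA_LOW) * DECADES)


class BoronDilutionAlarm:
    """One BDA channel: the setpoint follows decreasing flux and holds on a rise."""

    def __init__(self, margin=ASSUMED_MARGIN):
        if margin <= 1.0:
            # With margin <= 1 the flux would always be at or above the setpoint.
            raise ValueError("margin must be greater than 1")
        self.margin = margin
        self.setpoint = None
        self.alarmed = False

    def update(self, cps):
        """Process one flux sample and return the alarm state."""
        if cps <= 0:
            raise ValueError("count rate must be positive")
        candidate = cps * self.margin
        if self.setpoint is None or candidate < self.setpoint:
            # Flux is decreasing: the setpoint follows it down.
            self.setpoint = candidate
        # Otherwise flux is level or increasing: the setpoint is held.
        if cps >= self.setpoint:
            # ASSUMPTION: the alarm latches until the operator resets it.
            self.alarmed = True
        return self.alarmed

    def reset(self, cps):
        """Operator reset: re-base alarm detection on current plant conditions."""
        if cps <= 0:
            raise ValueError("count rate must be positive")
        self.setpoint = cps * self.margin
        self.alarmed = False


def run_trace(trace_ma, margin=ASSUMED_MARGIN):
    """Return (cps, setpoint, alarmed) for each sample of a loop-current trace."""
    channel = BoronDilutionAlarm(margin)
    rows = []
    for ma in trace_ma:
        cps = ma_to_cps(ma)
        alarmed = channel.update(cps)
        rows.append((cps, channel.setpoint, alarmed))
    return rows


if __name__ == "__main__":
    for cps, setpoint, alarmed in run_trace(CONSTRUCTED_TRACE_MA):
        print(f"flux {cps:9.1f} cps  setpoint {setpoint:9.1f} cps  alarm {alarmed}")
```
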

REFERENCES:

SECTION 7.5

1. NUREG-0737 "Clarification of TMI Action Plan Requirements," U.S. Nuclear Regulatory Commission, November 1980.
2. NUREG-0696 "Functional Criteria of Emergency Response Facilities," U.S. Nuclear Regulatory Commission, February 1981.
3. NUREG-1394 "Emergency Response Data System (ERDS) Implementation," Revision 1.

7.5-26d Amendment No. 24 (06/10)

TABLE 7.5-1 CEA POSITION LIGHT MATRIX

Amber - CEA Fully Inserted (Dropped CEA)
Green - CEA Lower Electrical Limit
White - CEA Intermediate Position Between the Lower and Upper Electrical Limits [EC291158]
Red - CEA Upper Electrical Limit [EC291158]

7.5-27 Amendment No. 30 (05/20)

TABLE 7.5-2 SAFETY RELATED DISPLAY INSTRUMENTATION REQUIRED FOR INSTRUMENT SHUT- ESF & SHUTDOWN POST ACCIDENT PARAMETER TAG NO. RANGE(1) RPS ESF DOWN SYS SUPPORT MONITORING NOTES RTGB-101 4.16KV BUS 1AB AMPS AM-942 X X R.G. 1.97 TYPE D, CAT 2 DIESEL GENERATOR 1A AMPS AM-954D X X R.G. 1.97 TYPE D, CAT 2 DIESEL GENERATOR 1B AMPS AM-964D X X R.G. 1.97 TYPE D, CAT 2 FLOW INDICATOR FOR CONTROL FI-25-18A X ROOM (NORTH) OUTSIDE AIR INTAKE FLOW INDICATOR FOR CONTROL FI-25-18B X ROOM (SOUTH) OUTSIDE AIR INTAKE DIESEL GENERATOR 1A FM-954 X FREQUENCY DIESEL GENERATOR 1B FM-964 X FREQUENCY PRESSURE DIFFERENTIAL PDI-25-14A X INDICATOR FOR CONTROL ROOM OAI PRESSURE PRESSURE DIFFERENTIAL PDI-25-14B X INDICATOR FOR CONTROL Room OAI PRESSURE DG 1A VARS VARM-954 X 7.5-28 Amendment No. 18, (04/01)

TABLE 7.5-2 SAFETY RELATED DISPLAY INSTRUMENTATION REQUIRED FOR INSTRUMENT SHUT- ESF & SHUTDOWN POST ACCIDENT PARAMETER TAG NO. RANGE(1) RPS ESF DOWN SYS SUPPORT MONITORING NOTES DG 1B VARS VARM-964 X VOLTMETER FOR 125V DC BUS 1A VM-1001 X X R.G. 1.97 TYPE D, CAT 2 VOLTMETER FOR 125V DC BUS 1B VM-1002 X X R.G. 1.97 TYPE D, CAT 2 4.16KV BUS 1AB VOLTAGE VM-942 X X R.G. 1.97 TYPE D, CAT 2 4.16KV BUS 1A3 VOLTAGE VM-954 X X R.G. 1.97 TYPE D, CAT 2 DIESEL GENERATOR 1A VOLTAGE VM-954D X X R.G. 1.97 TYPE D, CAT 2 4.16KV BUS 1B3 VOLTAGE VM-964 X X R.G. 1.97 TYPE D, CAT 2 DIESEL GENERATOR 1B VOLTAGE VM-964D X X R.G. 1.97 TYPE D, CAT 2 RECORDER FOR DIESEL REC/954 X GENERATOR 1A WATTS/FREQ RECORDER FOR DIESEL REC/964 X GENERATOR 1B WATTS/FREQ 7.5-29 Amendment No. 25 (04/12)

TABLE 7.5-2 SAFETY RELATED DISPLAY INSTRUMENTATION REQUIRED FOR INSTRUMENT SHUT- ESF & SHUTDOWN POST ACCIDENT PARAMETER TAG NO. RANGE(1) RPS ESF DOWN SYS SUPPORT MONITORING NOTES RTGB-102 AFW PUMP 1A AMPS AM-629 X X AFW PUMP 1B AMPS AM-630 X X ICW PUMP 1A AMPS AM-832 X ICW PUMP 1B AMPS AM-833 X ICW PUMP 1C AMPS AM-834 X FLOW INDICATOR FOR AUXILIARY FI-09-2A X X X R.G. 1.97 TYPE D, CAT 2 FEEDWATER PUMP 1A DISCHARGE FLOW INDICATOR FOR AUXILIARY FI-09-2B X X X R.G. 1.97 TYPE D, CAT 2 FEEDWATER PUMP 1B DISCHARGE FLOW INDICATOR FOR AUXILIARY FI-09-2C X X X R.G. 1.97 TYPE D, CAT 2 FEEDWATER PUMP 1C DISCHARGE LEVEL INDICATOR CONTROLLER FOR LIC-9013A X X X X R.G. 1.97 TYPE D, CAT 1 STEAM GENERATOR 1A DOWNCOMER R.G. 1.97 TYPE A, CAT 1 LEVEL 7.5-30 Amendment No. 20 (4/04)

TABLE 7.5-2 SAFETY RELATED DISPLAY INSTRUMENTATION REQUIRED FOR INSTRUMENT SHUT- ESF & SHUTDOWN POST ACCIDENT PARAMETER TAG NO. RANGE(1) RPS ESF DOWN SYS SUPPORT MONITORING NOTES LEVEL INDICATOR CONTROLLER LIC-9013B X X X X R.G. 1.97 TYPE A, CAT 1 FOR STEAM GENERATOR 1A R.G. 1.97 TYPE D, CAT 1 DOWNCOMER LEVEL LEVEL INDICATOR CONTROLLER R.G. 1.97 TYPE A, CAT 1 FOR STEAM GENERATOR 1A LIC-9013C X X X X R.G. 1.97 TYPE D, CAT 1 DOWNCOMER LEVEL LEVEL INDICATOR CONTROLLER LIC-9013D X X X X R.G. 1.97 TYPE A, CAT 1 FOR STEAM GENERATOR 1A R.G. 1.97 TYPE D, CAT 1 DOWNCOMER LEVEL LEVEL INDICATOR CONTROLLER LIC-9023A X X X X R.G. 1.97 TYPE A, CAT 1 FOR STEAM GENERATOR 1B R.G. 1.97 TYPE D, CAT 1 DOWNCOMER LEVEL LEVEL INDICATOR CONTROLLER LIC-9023B X X X X R.G. 1.97 TYPE A, CAT 1 FOR STEAM GENERATOR 1B R.G. 1.97 TYPE D, CAT 1 DOWNCOMER LEVEL LEVEL INDICATOR CONTROLLER LIC-9023C X X X X R.G. 1.97 TYPE A, CAT 1 FOR STEAM GENERATOR 1B R.G. 1.97 TYPE D, CAT 1 DOWNCOMER LEVEL LEVEL INDICATOR CONTROLLER LIC-9023D X X X X R.G. 1.97 TYPE A, CAT 1 FOR STEAM GENERATOR 1B R.G. 1.97 TYPE D, CAT 1 DOWNCOMER LEVEL LEVEL INDIC SWITCH FOR LIS-12-11 X X R.G. 1.97 TYPE D, CAT 1 CONDENSATE STORAGE TANK LEVEL LO/LO ANN LEVEL INDIC SWITCH FOR LIS-12-12 X X R.G. 1.97 TYPE D, CAT 1 CONDENSATE STORAGE TANK LEVEL LO/HI ANN STEAM INLET TO AUX FEEDWATER PI 5 X PUMP TURBINE DRIVEN 7.5-31 Amendment No. 18, (04/01)

TABLE 7.5-2 SAFETY RELATED DISPLAY INSTRUMENTATION REQUIRED FOR INSTRUMENT SHUT- ESF & SHUTDOWN POST ACCIDENT PARAMETER TAG NO. RANGE(1) RPS ESF DOWN SYS SUPPORT MONITORING NOTES PRESSURE INDICATOR FOR PI 8A 0 X X AUXILIARY FEEDWATER PUMP 1A DISCHARGE PRESSURE INDICATOR FOR PI 8B 0 X X AUXILIARY FEEDWATER PUMP 1B DISCHARGE PRESSURE INDICATOR FOR PI 8C 0 X X AUXILIARY FEEDWATER PUMP 1C DISCHARGE PRESSURE INDICATOR FOR PI 9A 0 X X FEEDWATER HEADER STEAM GENERATOR 1A INLET PRESSURE INDICATOR FOR PI 9B 0 X X FEEDWATER HEADER STEAM GENERATOR 1A INLET PRESSURE INDICATOR FOR PI 9C 0 X X FEEDWATER HEADER STEAM GENERATOR 1A INLET PRESSURE INDICATOR FOR PI 9D 0 X X FEEDWATER HEADER STEAM GENERATOR 1A INLET PRESSURE INDICATOR FOR PI-09-10A 0 X X FEEDWATER HEADER STEAM GENERATOR 1B INLET PRESSURE INDICATOR FOR PI-09-10B 0 X X FEEDWATER HEADER STEAM GENERATOR 1B INLET PRESSURE INDICATOR FOR PI-09-10C 0 X X FEEDWATER HEADER STEAM GENERATOR 1B INLET 7.5-32 Amendment No. 17 (10/99)

TABLE 7.5-2 SAFETY RELATED DISPLAY INSTRUMENTATION REQUIRED FOR INSTRUMENT SHUT- ESF & SHUTDOWN POST ACCIDENT PARAMETER TAG NO. RANGE(1) RPS ESF DOWN SYS SUPPORT MONITORING NOTES PRESSURE INDICATOR FOR PI-09-10D 0 X X FEEDWATER HEADER STEAM GENERATOR 1B INLET PRESSURE INDICATING SWITCH PIS-21-8A 0 X FOR INTAKE COOLING WATER PP DISCH HDR PRESSURE INDICATING SWITCH PIS-21-8B 0 X FOR INTAKE COOLING WATER PP DISCH HDR RTGB-103 LEVEL INDICATOR FOR LI-1110X 0 X X R.G. 1.97 TYPE D, CAT 1 PRESSURIZER LEVEL LEVEL INDICATOR FOR LI-1110Y 0 X X R.G. 1.97 TYPE D, CAT 1 PRESSURIZER LEVEL LEVEL RECORDER FOR LR-1110 0 X X R.G. 1.97 TYPE D, CAT 1 PRESSURIZER DIFFERENTIAL PRESSURE PDI-1101A 0 X INDICATOR FOR STEAM GENERATOR 1A & 1B DIFFERENTIAL PRESSURE PDI-1101B 0 X INDICATOR FOR STEAM GENERATOR 1A & 1B DIFFERENTIAL PRESSURE PDI-1101C 0 X INDICATOR FOR STEAM GENERATOR 1A & 1B 7.5-33 Amendment No. 17 (10/99)

TABLE 7.5-2 SAFETY RELATED DISPLAY INSTRUMENTATION REQUIRED FOR INSTRUMENT SHUT- ESF & SHUTDOWN POST ACCIDENT PARAMETER TAG NO. RANGE(1) RPS ESF DOWN SYS SUPPORT MONITORING NOTES DIFFERENTIAL PRESSURE PDI-1101D X INDICATOR FOR STEAM GENERATOR 1A & 1B PRESSURE RECORDER FOR PR-1102A X X PRESSURIZER & THERMAL MARGIN LOW PRESSURE SETPOINT PRESSURE RECORDER FOR PR-1102B X X PRESSURIZER & THERMAL MARGIN LOW PRESSURE SETPOINT PRESSURE RECORDER FOR PR-1102C X X PRESSURIZER & THERMAL MARGIN LOW PRESSURE SETPOINT PRESSURE RECORDER FOR PR-1102D X X PRESSURIZER & THERMAL MARGIN LOW PRESSURE SETPOINT PRESSURE INDICATOR FOR PI-1103A X PRESSURIZER (LOW RANGE) PRESSURE INDICATOR FOR PI-1104A X PRESSURIZER (LOW RANGE) 7.5-34 Amendment No. 24 (06/10)

TABLE 7.5-2 SAFETY RELATED DISPLAY INSTRUMENTATION REQUIRED FOR INSTRUMENT SHUT- ESF & SHUTDOWN POST ACCIDENT PARAMETER TAG NO. RANGE(1) RPS ESF DOWN SYS SUPPORT MONITORING NOTES PRESSURE INDICATING PIC-1103 X CONTROLLER LOW RANGE FOR PRESSURIZER PRESSURE INDICATING PIC-1104 X CONTROLLER LOW RANGE FOR PRESSURIZER CORE EXIT THERMOCOUPLES QSPDS(CET-SA) X 1) ICC DISPLAY A

2) R.G. 1.97 TYPE C, CAT 1,
3) R.G. 1.97 TYPE B, CAT 3 REACTOR VESSEL LEVEL QSPDS (HJTC-SA) X 1) ICC DISPLAY A
2) R.G. 1.97 TYPE B, CAT 1 PRZR PRESSURE QSPDS (PT-1107) X 1) ICC DISPLAY A
2) R.G. 1.97 TYPE A, B & C, CAT 1 RCS COLD LEG TEMP LOOP 1A2 QSPDS (TE-1112CA) X 1) ICC DISPLAY A
2) R.G. 1.97 TYPE A & B, CAT 1 RCS HOT LEG TEMP LOOP 1A QSPDS (TE-1112HA) X 1) ICC DISPLAY A
2) R.G. 1.97 TYPE A & B, CAT 1 RCS COLD LEG TEMP LOOP 1B1 QSPDS (TE-1122CA) X 1) ICC DISPLAY A
2) R.G. 1.97 TYPE A & B, CAT 1 RCS HOT LEG TEMP LOOP 1B QSPDS (TE-1122HA) X 1) ICC DISPLAY A
2) R.G. 1.97 TYPE A & B, CAT 1 7.5-35 Amendment No. 24 (06/10)

TABLE 7.5-2 SAFETY RELATED DISPLAY INSTRUMENTATION REQUIRED FOR INSTRUMENT SHUT- ESF & SHUTDOWN POST ACCIDENT PARAMETER TAG NO. RANGE(1) RPS ESF DOWN SYS SUPPORT MONITORING NOTES RCS SUBCOOLED MARGIN QSPDS (TMAR-SA) 1) ICC DISPLAY A

2) R.G. 1.97 TYPE B, CAT 2 TEMPERATURE INDICATOR FOR TI-1102A X REACTOR COOLANT LOOP TEMPERATURE INDICATOR FOR TI-1102B X REACTOR COOLANT LOOP TEMPERATURE INDICATOR FOR TI-1102C X REACTOR COOLANT LOOP TEMPERATURE INDICATOR FOR TI-1102D X REACTOR COOLANT LOOP LEVEL INDICATOR FOR S/G #1A LI-9012 X R.G. 1.97 TYPE D, CAT 1 (WIDE RANGE) (NOT NUCLEAR AS MODIFIED PER FPL AND SAFETY BUT HAS ITS NRC AGREEMENT TRANSMITTER QUALIFIED FOR POST ACCIDENT ENVIRONMENT)

LEVEL INDICATOR FOR S/G #1B LI-9022 X R.G. 1.97 TYPE D, CAT 1 (WIDE RANGE) (NOT NUCLEAR AS MODIFIED PER FPL AND SAFETY BUT HAS ITS NRC AGREEMENT TRANSMITTER QUALIFIED FOR POST ACCIDENT ENVIRONMENT) RTGB-104 CORE EXIT THERMOCOUPLES QSPDS (CET-SB) X ICC DISPLAY B R.G. 1.97 TYPE C,CAT 1 R.G. 1.97 TYPE B,CAT 3 REACTOR VESSEL LEVEL QSPDS (HJTC-SB) X 1) ICC DISPLAY B

2) R.G.1.97 TYPE B, CAT 1 PRZR PRESSURE QSPDS (PT-1108) X 1) ICC DISPLAY B
2) R.G. 1.97 TYPE A, B & C CAT 1 7.5-36 Amendment No. 18, (04/01)

TABLE 7.5-2 SAFETY RELATED DISPLAY INSTRUMENTATION REQUIRED FOR INSTRUMENT SHUT- ESF & SHUTDOWN POST ACCIDENT PARAMETER TAG NO. RANGE RPS ESF DOWN SYS SUPPORT MONITORING NOTES RCS COLD LEG TEMP LOOP 1A1 QSPDS(TE-1112CB) X 1) ICC DISPLAY B

2) R.G. 1.97 TYPE A & B, CAT 1 RCS HOT LEG TEMP LOOP 1A QSPDS (TE-1112HB) X 1) ICC DISPLAY B
2) R.G. 1.97 TYPE A & B, CAT 1 RCS COLD LEG TEMP LOOP 1B2 QSPDS (TE-1122CB) X 1) ICC DISPLAY B
2) R.G. 1.97 TYPE A & B, CAT 1 RCS HOT LEG TEMP LOOP 1B QSPDS (TE-1122HB) X 1) ICC DISPLAY B
2) R.G. 1.97 TYPE A & B, CAT 1 RCS SUBCOOLED MARGIN QSPDS (TMAR-SB) X 1) ICC DISPLAY B
2) R.G. 1.97 TYPE B, CAT 2 WIDE RANGE POWER INDICATOR RI-26-80A1 X X R.G. 1.97 TYPE A & B, FOR EX-CORE NEUTRON CAT 1 MONITORING SOURCE RANGE POWER INDICATOR RI-26-80A2 X FOR EX-CORE NEUTRON MONITORING RATE OF CHANGE POWER RI-26-80A3 X INDICATOR FOR EX-CORE NEUTRON MONITORING WIDE RANGE POWER INDICATOR RI-26-80B1 X X R.G. 1.97 TYPE A & B, FOR EX-CORE NEUTRON CAT 1 MONITORING SOURCE RANGE POWER INDICATOR RI-26-80B2 X FOR EX-CORE NEUTRON MONITORING RATE OF CHANGE POWER RI-26-80B3 X INDICATOR FOR EX-CORE NEUTRON MONITORING RTGB-106 CCW PUMP 1A AMPS AM-201 X 7.5-36a Amendment No. 18, (04/01)

TABLE 7.5-2 SAFETY RELATED DISPLAY INSTRUMENTATION REQUIRED FOR INSTRUMENT SHUT- ESF & SHUTDOWN POST ACCIDENT PARAMETER TAG NO. RANGE(1) RPS ESF DOWN SYS SUPPORT MONITORING NOTES CCW PUMP 1B AMPS AM-205 0 X R CCW PUMP 1C AMPS AM-209 0 X R HPSI PUMP 1A AMPS AM-237 0 X R HPSI PUMP 1B AMPS AM-238 0 X R LPSI PUMP 1A AMPS AM-251 0 X X R LPSI PUMP 1B AMPS AM-252 0 X X R CONTAINMENT SPRAY PUMP 1A AM-287 0 X R AMPS CONTAINMENT SPRAY PUMP 1B AM-290 0 X R AMPS FLOW INDICATOR FOR SHUTDOWN FI-07-1A 0 X X R.G. 1.97 TYPE D, CAT 2 HEAT EXCHANGER 1A FLOW TO CNTMT SPRAY 7.5-36b Amendment No. 17 (10/99)

TABLE 7.5-2 SAFETY RELATED DISPLAY INSTRUMENTATION REQUIRED FOR INSTRUMENT SHUT- ESF & SHUTDOWN POST ACCIDENT PARAMETER TAG NO. RANGE(1) RPS ESF DOWN SYS SUPPORT MONITORING NOTES FLOW INDICATOR FOR SHUTDOWN FI-07-1B X X R.G. 1.97 TYPE D, CAT 2 HEAT EXCHANGER 1B FLOW TO CNTMT SPRAY FLOW INDICATOR CONTROLLER FIC-3306 X X R.G. 1.97 TYPE D, CAT 2 FOR SHUTDOWN COOLING RETURN FLOW INDICATOR SWITCH FOR FIS-14-1A X X R.G. 1.97 TYPE D, CAT 2 COMPONENT COOLING WATER HX 1A OUTLET FLOW INDICATOR SWITCH FOR FIS-14-1B X X R.G. 1.97 TYPE D, CAT 2 COMPONENT COOLING WATER HX 1B OUTLET FLOW INDICATOR SWITCH FOR FIS-14-10A X COMPONENT COOLING WATER FROM S/D HX 1A FLOW INDICATOR SWITCH FOR FIS-14-10B X COMPONENT COOLING WATER FROM S/D HX 1B HAND INDICATOR CONTROLLER HIC-3657 X FOR HCV-3657 LEVEL INDICATING SWITCH FOR LIS 2A X X R.G. 1.97 TYPE D, CAT 2 REFUELING WATER TANK LEVEL LEVEL INDICATING SWITCH FOR LIS 2B X X R.G. 1.97 TYPE D, CAT 2 REFUELING WATER TANK LEVEL LEVEL INDICATING SWITCH FOR LIS 2C X X R.G. 1.97 TYPE D, CAT 2 REFUELING WATER TANK LEVEL 7.5-36c Amendment No. 18, (04/01)

TABLE 7.5-2 SAFETY RELATED DISPLAY INSTRUMENTATION REQUIRED FOR INSTRUMENT SHUT- ESF & SHUTDOWN POST ACCIDENT PARAMETER TAG NO. RANGE(1) RPS ESF DOWN SYS SUPPORT MONITORING NOTES LEVEL INDICATING SWITCH FOR LIS 2D X X R.G. 1.97 TYPE D, CAT 2 REFUELING WATER TANK LEVEL LEVEL INDICATING SWITCH FOR LIS 7D X CAUSTIC SUPPLY TANK LEVEL PRESSURE DIFFERENTIAL PDI-25-15A X INDICATOR FOR CONTAINMENT TO ANNULUS PRESSURE DIFFERENTIAL PDI-25-15B X INDICATOR FOR CONTAINMENT TO ANNULUS PRESSURE DIFFERENTIAL PDIS 1A X INDICATOR SWITCH FOR CNTMT VACUUM RELIEF PRESSURE DIFFERENTIAL PDIS-25-1B X INDICATOR SWITCH FOR CNTMT VACUUM RELIEF PRESSURE DIFFERENTIAL UR-25-1 X RECORDER FOR HEPA FILTER OF HVE-9A PRESSURE DIFFERENTIAL UR-25-2 X RECORDER FOR HEPA FILTER OF HVE-9B PRESSURE DIFFERENTIAL PDIS 7A X INDICATOR SWITCH FOR FAN HVE-6A PRESSURE DIFFERENTIAL PDIS 7B X INDICATOR SWITCH FOR FAN HVE-6B 7.5-36d Amendment No. 22 (05/07)

TABLE 7.5-2 SAFETY RELATED DISPLAY INSTRUMENTATION REQUIRED FOR INSTRUMENT SHUT- ESF & SHUTDOWN POST ACCIDENT PARAMETER TAG NO. RANGE(1) RPS ESF DOWN SYS SUPPORT MONITORING NOTES PRESSURE DIFFERENTIAL UR 1 X RECORDER FOR HVE-6A PREFILTER PRESSURE DIFFERENTIAL UR 2 X RECORDER FOR HVE-6B PREFILTER STEAM GENERATOR 1A PRESSURE PI-8013A X X X R.G. 1.97 TYPE D, CAT 2 STEAM GENERATOR 1A PRESSURE PI-8013B X X X R.G. 1.97 TYPE D, CAT 2 STEAM GENERATOR 1A PRESSURE PI-8013C X X X R.G. 1.97 TYPE D, CAT 2 STEAM GENERATOR 1A PRESSURE PI-8013D X X X R.G. 1.97 TYPE D, CAT 2 STEAM GENERATOR 1B PRESSURE PI-8023A X X X R.G. 1.97 TYPE D, CAT 2 STEAM GENERATOR 1B PRESSURE PI-8023B X X X R.G. 1.97 TYPE D, CAT 2 STEAM GENERATOR 1B PRESSURE PI-8023C X X X R.G. 1.97 TYPE D, CAT 2 STEAM GENERATOR 1B PRESSURE PI-8023D X X X R.G. 1.97 TYPE D, CAT 2 7.5-36e Amendment No. 22 (05/07)

TABLE 7.5-2 SAFETY RELATED DISPLAY INSTRUMENTATION REQUIRED FOR INSTRUMENT SHUT- ESF & SHUTDOWN POST ACCIDENT PARAMETER TAG NO. RANGE(1) RPS ESF DOWN SYS SUPPORT MONITORING NOTES PRESSURE INDICATING ALARM PIA-1102ALL X X FOR PRESSURIZER PRESSURE INDICATING ALARM PIA-1102BLL X X FOR PRESSURIZER PRESSURE INDICATING ALARM PIA-1102CLL X X FOR PRESSURIZER PRESSURE INDICATING ALARM PIA-1102DLL X X FOR PRESSURIZER PRESSURE INDICATING SWITCH PIS-07-2A X FOR CNTMT BUILDING ATMOSPHERE PRESSURE PRESSURE INDICATING SWITCH PIS-07-2B X FOR CONTAINMENT ATMOSPHERE PRESSURE PRESSURE INDICATING SWITCH PIS-07-2C X FOR CONTAINMENT ATMOSPHERE PRESSURE PRESSURE INDICATING SWITCH PIS-07-2D X FOR CONTAINMENT ATMOSPHERE PRESSURE PRESSURE INDICATING SWITCH PIS-07-3A X FOR SHUTDOWN HX 1A OUTLET PRESSURE INDICATING SWITCH PIS-07-3B X FOR SHUTDOWN HX 1B OUTLET 7.5-36f Amendment No. 18, (04/01)

TABLE 7.5-2 SAFETY RELATED DISPLAY INSTRUMENTATION REQUIRED FOR INSTRUMENT SHUT- ESF & SHUTDOWN POST ACCIDENT PARAMETER TAG NO. RANGE(1) RPS ESF DOWN SYS SUPPORT MONITORING NOTES PRESS INDICATING SWITCH FOR PIS-07-7 X SODIUM HYDROXIDE TK 1A PRESS PRESSURE INDICATOR SWITCH PIS-14-8A X FOR COMP CLG WTR HX 1A OUTLET PRESSURE PRESSURE INDICATOR SWITCH PIS-14-8B X FOR COMP CLG WTR HX 1B OUTLET PRESSURE ELECTRONIC INDICATOR & RIS 3-2 X SWITCH FOR CONTAINMENT RADIATION (CIS MA) ELECTRONIC INDICATOR & RIS 4-2 X SWITCH FOR CONTAINMENT RADIATION (CIS MB) ELECTRONIC INDICATOR & RIS 5-2 X SWITCH FOR CONTAINMENT RADIATION (CIS MC) ELECTRONIC INDICATOR & RIS 6-2 X SWITCH FOR CONTAINMENT RADIATION (CIS MD) TEMPERATURE INDICATOR FOR TI-3303X X X R.G. 1.97 TYPE D, CAT 2 SDC HEAT EXCHANGER 1A OUTLET TEMPERATURE INDICATOR FOR TI-3303Y X X R.G. 1.97 TYPE D, CAT 2 SDC HEAT EXCHANGER 1B OUTLET 7.5-36g Amendment No. 18, (04/01)

TABLE 7.5-2 SAFETY RELATED DISPLAY INSTRUMENTATION REQUIRED FOR INSTRUMENT SHUT- ESF & SHUTDOWN POST ACCIDENT PARAMETER TAG NO. RANGE(1) RPS ESF DOWN SYS SUPPORT MONITORING NOTES CRAC PNL I Level Indicating Switch for LIS-07-13A X R.G. 1.97 Type B, CAT 1 Containment Level Wide Range "A" R.G. 1.97 Type C, CAT 1 Level Indicating Switch for LIS-07-13B X R.G.1.97 Type B, CAT 1 Containment Level Wide Range "B" R.G.1.97 Type C, CAT 1 Level Indicating Switch for LIS-07-14A X R.G.1.97 Type B, CAT 2 Containment Sump Level Narrow R.G. 1.97 Type C, CAT 2 Range Level Recorder for Containment UR-07-1 X R.G. 1.97 Type B, CAT 1 Level Wide Range R.G. 1.97 Type C, CAT 1 Level Recorder for Containment UR-07-1 X R.G. 1.97 Type B, CAT 2 Level Narrow Range R.G. 1.97 Type C, CAT 2 Pressure Indicating Switch for PIS-07-8A X R.G. 1.97 Type C, CAT 1 Containment Press "A" (Wide Range) Pressure Indicating Switch for PIS-07-8B X R.G. 1.97 Type C, CAT 1 Containment Press "B" (Wide Range) Pressure Recorder for Containment UR-07-1 X R.G. 1.97 Type C, CAT 1 Pressure (Wide Range) Level Indicator for S/G #1A LI-9014 X R.G. 1.97 Type D, CAT (Wide Range) 1 as modified per FPL and NRC Agreement Level Indicator for S/G #1B LI-9024 X R.G. 1.97 Type D, CAT (Wide Range) 1 as modified per FPL and NRC Agreement CRAC PNL 3 Reactor Refueling Water Level LI-1117 Generic Letter 88-17 Reactor Refueling Water Level LI-1117-1 Generic Letter 88-17 (Wide Range) 7.5-36h Amendment No. 22 (05/07)

TABLE 7.5-2 SAFETY RELATED DISPLAY INSTRUMENTATION REQUIRED FOR INSTRUMENT SHUT- ESF & SHUTDOWN POST ACCIDENT PARAMETER TAG NO. RANGE(1) RPS ESF DOWN SYS SUPPORT MONITORING NOTES HYDROGEN ANLYZR PNL HYDROGEN ANALYZER 1A H2 ANLYZR X R.G. 1.97 TYPE C, CAT 1 1A R.G. 1.97 TYPE A, CAT 1 HYDROGEN ANALYZER 1B H2 ANLYZR X R.G. 1.97 TYPE C, CAT 1 1B R.G. 1.97 TYPE A, CAT 1 PAP A FLOW RECORDER FOR FR-07-4 X X R.G. 1.97 TYPE D, CAT 2 CONTAINMENT SPRAY FLOW FLOW RECORDER FOR AUXILIARY UR-09-1 X X X R.G. 1.97 TYPE D, CAT 2 FEEDWATER PUMP 1A DISCHARGE FLOW RECORDER FOR SHUTDOWN UR-03-1 X X R.G. 1.97 TYPE D, CAT 2 COOLING RETURN FLOW RECORDER FOR HPSI UR-03-1 X X R.G. 1.97 TYPE D, CAT 2 HEADER FEED TO LOOP 1A1 FLOW RECORDER FOR HPSI UR-03-1 X X R.G. 1.97 TYPE D, CAT 2 HEADER FEED TO LOOP 1B2 LEVEL RECORDER FOR REFUELING LR-07-2A X R.G. 1.97 TYPE D, CAT 2 WATER TANK LEVEL LEVEL RECORDER FOR STEAM UR-09-2 X R.G. 1.97 TYPE A, CAT 1 GENERATOR 1A R.G. 1.97 TYPE D, CAT 1 LEVEL RECORDER FOR STEAM UR-09-2 X R.G. 1.97 TYPE A, CAT 1 GENERATOR 1B R.G. 1.97 TYPE D, CAT 1 PRESSURE INDICATOR FOR UR-07-2 X R.G. 1.97 TYPE C, CAT 1 CONTAINMENT PRESSURE (MID R.G. 1.97 TYPE B, CAT 1 RANGE) LEVEL RECORDER FOR STEAM UR-09-1 X R.G. 1.97 TYPE D, CAT 1 GENERATOR 1A/1B (WIDE RANGE) AS MODIFIED PER FPL AND NRC (TRANSMITTER QUALIFIED FOR POST AGREEMENT ACCIDENT ENVIRONMENT) 7.5-36i Amendment No. 23 (11/08)

TABLE 7.5-2 SAFETY RELATED DISPLAY INSTRUMENTATION REQUIRED FOR INSTRUMENT SHUT- ESF & SHUTDOWN POST ACCIDENT PARAMETER TAG NO. RANGE(1) RPS ESF DOWN SYS SUPPORT MONITORING NOTES PRESSURE INDICATOR FOR UR-07-2 CONTAINMENT SUMP PRESSURE X PRESSURE RECORDER FOR HPSI UR-03-1 X PUMP 1A DISCHARGE HEADER PRESSURE RECORDER FOR HPSI UR-03-1 X PUMP 1B DISCHARGE HEADER STEAM GENERATOR 1A PRESSURE UR-09-2 X R.G. 1.97 TYPE D, CAT 2 RECORDER STEAM GENERATOR 1B PRESSURE UR-09-2 X R.G. 1.97 TYPE D, CAT 2 RECORDER RADIATION RECORDER FOR WIDE RR-26-80A X 1.97 TYPE A & B, CAT 1 & SOURCE RANGE NEUTRON FLUX TEMPERATURE INDICATOR FOR UR-07-2 X R.G. 1.97 TYPE D, CAT 2 CONTAINMENT TEMPERATURE TEMPERATURE INDICATOR FOR UR-07-2 X R.G. 1.97 TYPE D, CAT 2 CONTAINMENT SUMP TEMPERATURE TEMPERATURE RECORDER FOR SDC UR-03-1 X R.G. 1.97 TYPE D, CAT 2 HX 1A OUTLET 7.5-36j Amendment No. 23 (11/08)

TABLE 7.5-2 SAFETY RELATED DISPLAY INSTRUMENTATION REQUIRED FOR INSTRUMENT SHUT- ESF & SHUTDOWN POST ACCIDENT PARAMETER TAG NO. RANGE(1) RPS ESF DOWN SYS SUPPORT MONITORING NOTES PAP B PRZR SRV FLOW (2) FI-1200 X R.G. 1.97 TYPE D, CAT 2 NUREG 0737 ITEM II.D.3 PRZR SRV FLOW (2) FI-1201 X R.G. 1.97 TYPE D, CAT 2 NUREG 0737 ITEM II.D.3 PRZR SRV FLOW(2) FI-1202 X R.G. 1.97 TYPE D, CAT 2 NUREG 0737 ITEM II.D.3 PRZR PORV FLOW(2) FI-1402 X R.G. 1.97 TYPE D, CAT 2 NUREG 0737 ITEM II.D.3 PRZR PORV FLOW(2) FI-1404 X R.G. 1.97 TYPE D, CAT 2 NUREG 0737 ITEM II.D.3 FLOW RECORDER FOR FR-07-1B X R.G. 1.97 TYPE D, CAT 2 CONTAINMENT SPRAY FLOW X FLOW RECORDER FOR AUXILIARY UR-09-3 X R.G. 1.97 TYPE D, CAT 2 FEEDWATER PUMP 1B DISCHARGE X X FLOW RECORDER FOR AUXILIARY FR-09-2C X R.G. 1.97 TYPE D, CAT 2 FEEDWATER PUMP 1C DISCHARGE X X FLOW RECORDER FOR HPSI UR-03-2 X X R.G. 1.97 TYPE D, CAT 2 HEADER FEED TO LOOP 1A2 FLOW RECORDER FOR HPSI UR-03-2 X X R.G. 1.97 TYPE D, CAT 2 HEADER FEED TO LOOP 1B1 (2) These components are not safety related but they are powered from Class 1E source and sensor is environmentally qualified. 7.5-36k Amendment No. 25 (04/12)

TABLE 7.5-2 SAFETY RELATED DISPLAY INSTRUMENTATION REQUIRED FOR INSTRUMENT SHUT- ESF & SHUTDOWN POST ACCIDENT PARAMETER TAG NO. RANGE(1) RPS ESF DOWN SYS SUPPORT MONITORING NOTES PRESSURE RECORDER FOR UR-07-3 X R.G. 1.97 TYPE C, CAT 1 CONTAINMENT (MID-RANGE) PRESS R.G. 1.97 TYPE B, CAT 1 RADIATION RECORDER FOR WIDE & RR-26-80B X R.G. 1.97 TYPE A&B, CAT 1 SOURCE RANGE TEMPERATURE RECORDER FOR UR-07-3 X R.G. 1.97 TYPE D, CAT 2 CONTAINMENT & SUMP TEMPERATURE TEMPERATURE RECORDER FOR SDC HX 1B UR-03-2 X R.G. 1.97 TYPE D, CAT 2 OUTLET RAD MON CABINET A CONTAINMENT RADIATION (CIS MA) RIS-26-3-1 X CROAI (NORTH) RADIATION RIS-26-84 X CROAI (SOUTH) RADIATION RIS-26-85 X RAD MON CABINET B CONTAINMENT RADIATION (CIS MB) RIS-26-4-1 X CROAI (NORTH) RADIATION RIS-26-86 X CROAI (SOUTH) RADIATION RIS-26-87 X RAD MON CABINET C CONTAINMENT RADIATION (CIS MC) RIS-26-5-1 X RAD MON CABINET D CONTAINMENT RADIATION (CIS MD) RIS-26-6-1 X RAD MON CABINET E CONTAINMENT RADIATION HIGH RIS-26-58 X R.G. 1.97 TYPE C, CAT 3 RANGE R.G. 1.97 TYPE E, CAT 1 CONTAINMENT RADIATION HIGH RIS-26-59 X R.G. 1.97 TYPE C, CAT 3 RANGE R.G. 1.97 TYPE E, CAT 1 CONTAINMENT RADIATION HIGH RR-26-58 X R.G. 1.97 TYPE C, CAT 3 RANGE R.G. 1.97 TYPE E, CAT 1 CONTAINMENT RADIATION HIGH RR-26-59 X R.G. 1.97 TYPE C, CAT 3 RANGE R.G. 1.97 TYPE E, CAT 1

1. Instrument ranges are selected in accordance with standard engineering practices and regulatory requirements.

7.5-36l Amendment No. 25 (04/12)

TABLE 7.5-3* ACCIDENT AND INCIDENT INSTRUMENTATION REQUIREMENTS Y = LOCAL SYSTEMS X = CONTROL ROOM REACTOR COOLANT CONTAINMENT EMERGENCY CORE RWT PZR PZR RCS SUMP CONTAINMENT CONTAINMENT CONTAINMENT PERSONNEL EMERGENCY CONTAINMENT ACCIDENT COOLING LEVEL PRESS LEVEL TEMP LEVEL PRESSURE TEMPERATURE ISOLATION VALVE AIR LOCK CONTAINMENT SPRAY SYSTEM FLOW/PRESS/TEMP POSITION STATUS COOLING OPERATION FLOW/PRESS/TEMP CATEGORY #1 CEA WITHDRAWAL BORON DILUTION CEA DROP LOSS OF RCS FLOW EXCESS LOAD LOSS OF FEED FLOW CATEGORY #2 FUEL HANDLING X X LIQUID RELEASE X X GASEOUS RELEASE X X SG TUBE RUPTURE X X X LOSS OF LOAD X X X MS LINE RUPTURE X X X X X X X CEA EJECTION X X X X X X X X X X CATEGORY #3 LOCA X X X X X X X X X X (continued on next page) 7.5-37 Amendment No. 16, (1/98)

TABLE 7.5-3* (continued) ACCIDENT AND INCIDENT INSTRUMENTATION REQUIREMENTS SYSTEMS Y=LOCAL X=CONTROL ROOM SECONDARY SYSTEM RADIATION MONITORING SAMPLING POST LOCA MONITORS AFW OR CONTROL AUXILIARY EXTERNAL REACTOR CONTAINMENT STEAM S/G CONTAINMENT PLANT ACCIDENT MAIN FEED ROOM BUILDING CONTAINMENT PLANT ATMOSPHERE HYDROGEN RADIATION PRESSURE LEVEL AREA VENT FLOW OA INTAKE AREA SURVEYS SAMPLES SAMPLES CATEGORY #1 CEA WITHDRAWAL X X BORON DILUTION X X CEA DROP X X LOSS OF RCS FLOW X X X EXCESS LOAD X X X LOSS OF FEED FLOW X X CATEGORY #2 FUEL HANDLING X X X X X X LIQUID RELEASE X X X X X GASEOUS RELEASE X X X X X SG TUBE RUPTURE X X X X X X X LOSS OF LOAD X X X X X MS LINE RUPTURE X X X X X X CEA EJECTION X X X X X CATEGORY #3 LOCA X X X X X X X

* See first paragraph in Section 7.5.2.2.2

7.5-37a Amendment No. 24 (06/10)

TABLE 7.5-4* ACCIDENT AND INCIDENT INSTRUMENTATION Minimum Required For Operator Indication Post-LOCA System Parameter Indication Record Seismic Qualified HPSI Flow FI-3311 2 x 8 FI-3321 2 x 8 FI-3331 2 x 8 FI-3341 2 x 8 Pressure PI-3308 2 x 8 PI-3309 2 x 8 Temperature 3 3 x 8 LPSI Flow FIC-3306 4 x Pressure PI-3307 1,4 x Temperature 1,4 TR-3351 x RWT Level LIS-07-2A 4 x LIS-07-2B x Pressurizer Pressure PIA-1102A PR-1102A x 5,6 EC291890 PIA-1102B PR-1102B x 5,6 Level LIC-1110X LR-1110 x LIC-1110Y RCS Temperature TIA-1121X TR-1111X Containment Sump Level 7 7 x 8 Pressure 2 2 x 8 Sump Temper- UR-07-2 UR-07-3 x 8 ature Air Temper- UR-07-2 UR-07-3 x 8 ature Isolation Valve Position 10 NA x 10 Air Locks Position 11 x Fan Cooler Units Air Flow 12 x 8 CCW Flow 12 x 8 CS Temperature 2 2 x 8 (suction) Temperature TI-3303X 1 x 8 (discharge) TI-3303Y 1 x 8 Flow FI-07-1A x x 8 FI-07-1B 1 x 8 Pressure (suc- 2 2 x 8 tion) Steam Generator Pressure PI-8013A 1 x 5 1A PI-8013B x 5 Level LIC-9013A 1 x 5 LIC-9013B x 5

* The information provided in this table reflects the accident monitoring requirements prior to R.G. 1.97. See first paragraph in Section 7.5.2.2.2.

EC291890

7.5-38 Amendment No. 30 (05/20)

TABLE 7.5-4* (Contd) Post-LOCA System Parameter Indication Record Seismic Qualified Steam Generator Pressure PI-8023A 1 x 5 1B PI-8023B x 5 Level LIC-9023A 1 x 5 LIC-9023B x 5 AFW Flow FI-09-2A x x FI-09-2B 1 x FI-09-2C 1 x

* See first paragraph in Section 7.5.2.2.2

7.5-39 Amendment No. 23 (11/08)

TABLE 7.5-4* (Contd) Post-LOCA System Parameter Indication Record Seismic Qualified FW FI-09-1A 1 FI-09-1B 1 Radiation Containment RIS-26-3-2 1 x 5 RIS-26-4-2 1 x 5 RAB 13 13 Plant Vent 14 14 x Post-LOCA Radiation 2 2 x 8 Hydrogen 15

LEGEND

HPSI - High Pressure Safety Injection
LPSI - Low Pressure Safety Injection
RWT - Refueling Water Tank
RCS - Reactor Coolant System
CCW - Component Cooling Water
CS - Containment Spray System
AFW - Auxiliary Feedwater System
RAB - Reactor Auxiliary Building
FW - Main Feedwater

Notes:

1. New instrument to be located in the control room. It will derive its signal from an existing non-protection/safety signal existing in the control room. An isolating device (I/I) will be used to maintain independence of the signal, i.e., to insure that failure of the new device does not affect the existing signal.
2. New primary device will be installed to supply indicating device in the control room.
3. Same as shutdown heat exchanger inlet temperature.
4. System design mode is for short term post-LOCA operation, i.e., RAS deenergizes this system.
5. Post-LOCA or steam line break within containment qualification of primary device required for short term only.
6. Parameter initiates safety system action and is not required thereafter.
7. Directly obtained from containment spray suction pressure and containment pressure.
8. Required long term post-LOCA. The device is located outside containment.
9. Directly obtained from containment spray suction temperature.
10. Indication of automatic isolation valve position is derived from valve limit switch. Limit switches on isolation valve within containment are qualified for the short term post-LOCA environment.
* See first paragraph in Section 7.5.2.2.2.

7.5-40 Amendment No. 24 (06/10)

TABLE 7.5-4 (Cont'd)

11. Air locks are designed so that only one door may be opened at a time. Control room annunciation is provided.
12. The fan cooler units are operated at a constant speed. Opening of the fan motor breakers is annunciated in the control room. Loss of CCW to the fan cooler units will be annunciated.

Containment heat removal is determined from a containment spray energy balance on the shutdown heat exchangers with the fan coolers secured.

13. See Section 12.1.4 for a discussion of the area monitoring system.
14. See Section 12.2.4.2 for a discussion of the plant vent monitoring system.
15. See Section 6.2.5.2.3 for a discussion of the hydrogen analyzer.

7.5-41 Amendment No. 25 (04/12)

TABLE 7.5-5 EXCORE NEUTRON FLUX MONITORING SYSTEM

| Display | Output Sensitivity | Range | Neutron Flux Range |
|---|---|---|---|
| Log Count Rate, Startup/Source Range | 20 cps/nv | 1 to 10^5 cps | 5x10^-2 to 5x10^3 nv |
| Wide Range Log | 20 cps/nv | 2x10^-8 to 200% | 5x10^-1 to 5x10^9 nv |
| Period (rate) | 1.25 V/dpm | -1 to 7 dpm | 5x10^-1 to 5x10^9 nv |

7.5-42 Am. 4-7/86

Refer to drawing 8770-B-327 Sheet 1022 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL WIRING DIAGRAM STATION AUXILIARIES B ANNUNCIATOR A-SH 1 RTGB-101 FIGURE 7.5-1 Amendment No. 15 (1/97)

Refer to Drawing 8770-B-327 Sheet 1023 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL WIRING DIAGRAM STATION AUXILIARIES B ANNUNCIATOR A SH. 2 RTGB-101 FIGURE 7.5-2 Amendment No. 22 (05/07)

Refer to Drawing 8770-B-327 Sheet 1020 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL WIRING DIAGRAM STATION AUXILIARIES A ANNUNCIATOR B SH. 1 RTGB-101 FIGURE 7.5-3 Amendment No. 22 (05/07)

Refer to drawing 8770-B-327 Sheet 1021 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL WIRING DIAGRAM STATION AUXILIARIES A ANNUNCIATOR-B SH 2 RTGB-101 FIGURE 7.5-4 Amendment No. 15 (1/97)

Refer to drawing 8770-B-327 Sheet 861 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL WIRING DIAGRAM GENERATOR MAIN & AUX TRANSF ANNUNCIATOR-C SH. 1 FIGURE 7.5-5 Amendment No. 15 (1/97)

Refer to drawing 8770-B-327 Sheet 862 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL WIRING DIAGRAM GENERATOR MAIN & AUX TRANF ANNUNCIATOR-C SH.2 FIGURE 7.5-6 Amendment No. 15 (1/97)

Refer to drawing 8770-B-327 Sheet 841 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL WIRING DIAGRAM CIRCULATING INTAKE & COOLING WATER ANNUNCIATOR-E FIGURE 7.5-7 Amendment No. 15 (1/97)

Refer to drawing 8770-B-327 Sheet 842 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL WIRING DIAGRAM CIRCULATING INTAKE & COOLING WATER ANNUNCIATOR-E FIGURE 7.5-8 Amendment No. 15 (1/97)

Refer to drawing 8770-B-327 Sheet 650 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL WIRING DIAGRAM CONDENSATE-FEEDWATER ANNUNCIATOR - G SH 1 RTGB-102 FIGURE 7.5-9 Amendment No. 15 (1/97)

Refer to drawing 8770-B-327 Sheet 651 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONDENSATE - FEEDWATER ANNUNCIATOR-G SH 2 RTGB-102 FIGURE 7.5-10 Amendment No. 15 (1/97)

Refer to drawing 8770-B-327 Sheet 399 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL WIRING DIAGRAM CEA ANNUNCIATOR-K RTGB-104 FIGURE 7.5-11 Amendment No. 15 (1/97)

Refer to drawing 8770-B-327 Sheet 400 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL WIRING DIAGRAM REACTOR PROTECTION ANNUNCIATOR-L RTGB-104 FIGURE 7.5-12 Amendment No. 15 (1/97)

Refer to drawing 8770-B-327 Sheet 589 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL WIRING DIAGRAM WASTE MANAGEMENT ANNUNCIATOR-N SH1 RTGB-105 FIGURE 7.5-13 Amendment No. 15 (1/97)

Refer to drawing 8770-B-327 Sheet 590 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL WIRING DIAGRAM WASTE MANAGEMENT ANNUNCIATOR-N SH 2 RTGB-105 FIGURE 7.5-14 Amendment No. 15 (1/97)

Refer to drawing 8770-B-327 Sheet 366 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL WIRING DIAGRAM ENGINEERED SAFEGUARD ANNUNCIATOR-P SH1 RTGB-106 FIGURE 7.5-15 Amendment No. 15 (1/97)

Refer to drawing 8770-B-327 Sheet 367 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL WIRING DIAGRAM ENGINEERED SAFEGUARDS ANNUNCIATOR-P SH 2 RTGB-106 FIGURE 7.5-16 Amendment No. 15 (1/97)

Refer to drawing 8770-B-327 Sheet 364 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL WIRING DIAGRAM ENGINEERED SAFEGUARDS ANNUNCIATOR-Q SH 1 RTGB-106 FIGURE 7.5-17 Amendment No. 15 (1/97)

Refer to drawing 8770-B-327 Sheet 365 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL WIRING DIAGRAM ENGINEERED SAFEGUARDS ANNUNCIATOR-Q SH 2 RTGB-106 FIGURE 7.5-18 Amendment No. 15 (1/97)

Refer to drawing 8770-B-327 Sheet 362 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL WIRING DIAGRAM ENGINEERED SAFEGUARDS ANNUNCIATOR-R SH 1 RTGB-106 FIGURE 7.5-19 Amendment No. 15 (1/97)

Refer to drawing 8770-B-327 Sheet 363 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 ENGINEERED SAFEGUARDS ANNUNCIATOR-R SH 2 RTGB-106 (CONTROL WIRING DIAGRAM) FIGURE 7.5-20 Amendment No. 15 (1/97)

Refer to drawing 8770-B-327 Sheet 360 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL WIRING DIAGRAM ENGINEERED SAFEGUARDS ANNUNCIATOR-S SH 1 RTGB-106 FIGURE 7.5-21 Amendment No. 15 (1/97)

Refer to drawing 8770-B-327 Sheet 361 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL WIRING DIAGRAM ENGINEERED SAFEGUARDS ANNUNCIATOR-S SH 2 RTGB-106 FIGURE 7.5-22 Amendment No. 15 (1/97)

Refer to drawing 8770-B-327 Sheet 961 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL WIRING DIAGRAM DIESEL GENERATOR 1A-ANN FRONT VIEW FIGURE 7.5-23 Amendment No. 15 (1/97)

Refer to drawing 8770-B-327 Sheet 971 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL WIRING DIAGRAM DIESEL GENERATOR 1B-ANN FRONT VIEW FIGURE 7.5-24 Amendment No. 15 (1/97)

Refer to Drawing 8770-B-327 Sheet 891 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL WIRING DIAGRAM LINE REPEAT ANNUNCIATOR FIGURE 7.5-25 Amendment No. 22 (05/07)

Refer to drawing 8770-B-327 Sheet 358 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL WIRING DIAGRAM RADIATION MONITOR PANEL ANNUNCIATOR-X CABINET-E FIGURE 7.5-26 Amendment No. 15 (1/97)

Refer to drawing 8770-B-327 Sheet 1094 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 CONTROL WIRING DIAGRAM CONTROL ROOM AUX. CONSOLE ANNUNCIATOR Y FIGURE 7.5-27 Amendment No. 15 (1/97)

THIS FIGURE HAS BEEN DELETED Florida Power & Light Company St. Lucie Plant Unit 1 SAFETY ASSESSMENT SYSTEM Figure 7.5-28 Amendment No. 25 (04/12)

Refer to drawing 8770-B-327 Sheet 59 FLORIDA POWER & LIGHT COMPANY ST. LUCIE PLANT UNIT 1 EX-CORE NEUTRON MONITORING SYSTEM CHANNEL SB FIGURE 7.5-29 Amendment No. 15 (1/97)

7.6 ALL OTHER INSTRUMENTATION SYSTEMS REQUIRED FOR SAFETY

7.6.1 DESCRIPTION

This section includes a description of those systems which are required for safety which have not been discussed in Sections 7.2 through 7.5. These systems include instrumentation to prevent overpressurization of the Reactor Coolant System and low pressure systems and to prevent or mitigate the consequences of possible refueling accidents.

7.6.1.1 Shutdown Cooling System Interlocks

a) Description

The shutdown cooling system described in Section 9.3.5 is designed as a low pressure system. Each shutdown cooling suction line contains two normally closed, locked-closed, motor operated valves in series, ensuring that the low pressure piping is not exposed to normal reactor coolant system pressure. Administrative controls and procedures prevent opening these valves before the reactor coolant system has been depressurized. In addition, open permissive interlocks (OPI) prevent energizing the valve operators above acceptable pressures.

The interlocks are derived from two separate, redundant pressure transmitters, PT-1103 and PT-1104, sensing pressurizer pressure. PIC-1104 prevents opening valves V3652 and V3480. PIC-1103 prevents opening the back-up valves, V3651 and V3481.

These four shutdown cooling isolation valves were originally designed to automatically close on high pressurizer pressure. In response to Generic Letter 88-17, the auto closure interlock (ACI) was deleted to reduce the potential for a spurious loss of shutdown cooling due to inadvertent valve closures.

b) Design Basis

As noted above, the design basis for these interlocks is to provide a means of preventing an operator action which could produce an unsafe condition. The interlock has no protective function as defined in IEEE 279. However, Section 3 of IEEE 279 is used as a guideline. The following discussion responds to the concerns identified in Section 3, insofar as they are applicable:

1) The interlocks shall function to prevent opening the shutdown cooling line isolation valves whenever pressurizer pressure exceeds 267 psia
2) Pressurizer pressure shall be monitored to provide the required function
3) Two separate, physically independent sensors shall be provided, either of which will perform the required function
4) Reactor coolant system pressure will be at a nominal pressure of approximately 2235 psig during plant operation. Reactor coolant system pressure will be at or below 267 psia when the shutdown cooling system is in operation and the isolation valves are open.

7.6-1 Amendment No. 18, (04/01)

5) The design pressure of the shutdown cooling system suction piping is 350 psig.

Procedures, administrative controls and the interlocks all serve to ensure that the isolation valves are not open at a pressure of greater than 350 psig.

6) Protective action is provided as follows: If the RCS pressure exceeds the setpoint, the interlock prevents energizing the valve open contacts. If RCS pressure exceeds the setpoint and any of the SDCS isolation valves are open, a control room alarm will be initiated to alert the operator. Valve position indication is provided in the control room. Two separate and physically independent circuits have been provided for each valve to monitor valve position and annunciation.

7.6.1.2 Fuel Handling System Interlocks

Interlock Design Criteria

Interlocks have been provided to ensure the readiness of system components, to simplify the performance of sequential operations, and to limit travel and loads such that design conditions are not exceeded. In no case are they utilized to prevent inadvertent criticality or the reduction of shielding water coverage for personnel protection. The interlocks have been designed in accordance with the equipment specifications and the following:

1. Section #4 of Specification for Electrical Overhead Traveling Cranes - EOCI #61 (Note: EOCI #61 was published by the Electric Overhead Crane Institute prior to 1970. A UFSAR review in 1998 identified that EOCI has now become the Crane Manufacturers Association of America -CMAA-. The superseding specifications are #70 and #74)

2. ANSI Standards C6.1, C19.1, C50
3. NEMA Standards IC-I and WC-5

Safety Significance of Single Failures

No single interlock failure will result in a condition which will allow equipment malfunction or operator initiated procedures to cause inadvertent criticality, damage to the fuel or the reduction of shielding water coverage. Where these results were considered possible, redundant switches, mechanical restraints and physical barriers have been employed.

Interlocks Details

Prior to equipment operation, preoperational tests were performed to ensure that all control circuits, interlocks, safety and alarm devices are functioning. Recommended maintenance was performed and a dummy fuel assembly was handled to further assure safe and reliable equipment performance.

Where possible, in the design of this equipment, mechanical stops and positive locks have been provided to prevent damage to or dropping of the fuel assemblies. In the design of the refueling machine, positive locking between the grapple and the elements is provided by the engagement of the actuator arm in vertical channels running the length of the hoist assembly so that relative rotational movement and uncoupling is not possible, even with inadvertent initiation of an uncoupling signal to the actuator assembly. Therefore, failure of an electrical interlock will not result in the dropping of a fuel assembly.

7.6-2 Amendment No. 17 (10/99)

The following list identifies and defines the function of the interlocks contained in the fuel handling equipment. In no case has a method been provided to directly inform the operator that an interlock is inoperative. However, in most cases a redundant device has been provided to perform the same function as the interlock or to present information to the operator allowing him to deduce that an interlock has malfunctioned. An interlock status display panel is provided for operator information.

Refueling Machine Interlocks

a. Interrupts hoisting of a fuel assembly if the load increases above the overload set point. The hoisting load is visually displayed so that the operator can manually terminate the withdrawal operation if an overload occurs and the hoist continues to operate.
b. Interrupts hoisting of a fuel assembly when the correct vertical position is reached. A mechanical up-stop has been provided to physically restrain the hoisting of a fuel assembly above the elevation which would result in less than the minimum shielding water coverage.
c. Interrupts insertion of a fuel assembly if the load decreases below the underload set point.

The load is visually displayed so that the operator can manually terminate the insertion operation if an under load occurs and the hoist continues to operate.

d. Interrupts lowering of the hoist under a no-load condition. The weighing system interlock is backed-up by an independent slack cable switch which terminates lowering under a no-load condition.
e. Denies translation of the bridge and trolley while the fuel hoist is operating.
f. Hoisting is denied during translation of the bridge and/or trolley. No back-up or additional circuitry is provided for this interlock.
g. Denies motion of the bridge and/or trolley with the spreader extended. The underwater TV system can be used by the operator to determine whether the spreader has been raised, and lights on the control console indicate whether the spreader is withdrawn or extended.
h. Stops translation of the bridge and/or trolley when the collision ring on the mast is contacted and deflected. Redundant switches are provided to minimize the possibility of this interlock becoming inoperative and slow bridge and trolley speeds are mandatory for movement of the refueling machine in areas other than its normal travel route which might contain obstructions. Travel limits also restrict running the mast into the pool wall.

7.6-3 Amendment No. 20 (4/04)

i. Mandatory slow hoisting speed while fuel assembly is within the core if not in "Open Water" and below "Entering Core" height. During insertion and withdrawal the change in hoist speed can be monitored by observation of the hoist vertical position indicator. A change in the sound of the hoist will accompany the change in hoist speed.
j. Prevents rotation of the upender while the RFM is at the upender station unless the hoist is at Full Up, and the spreader is retracted. Failure of this interlock while the refueling machine is at the upending station will allow an upending signal by the transfer equipment operator at the station only to initiate rotation of the fuel carrier by the upender. In the event that this signal is erroneously initiated while the fuel assembly is being lowered from or raised into the refueling machine, a bending load will be applied to the fuel assembly.

Transfer System Interlocks

a. Terminates winching of the fuel carriage through the transfer tube if the load increases by more than 10 percent above the set point. The winching load is visually displayed at the Reactor Side Console so that the operator can manually terminate the transfer operation if an overload occurs and the interlock fails. An overload is indicated by a light on both consoles and by an audible alarm.
b. Prevents the winch from attempting to pull the fuel carriage through the transfer tube with an upender in a vertical position. If this interlock fails and a transfer signal is initiated, winching will be terminated when the load reaches 10 percent above the set point.
c. Prevents rotation of the upender unless the fuel carrier is correctly located for upending.

Failure of this interlock will: 1) with the fuel carrier in the transfer tube allow the upender to rotate with no effect on the carrier or fuel assembly, and 2) with the fuel carrier partially in the upender, attempt to but not be successful in rotating the carrier since a mechanical lock prevents premature carrier rotation.

d. The isolation valve limit switch interlock prevents movement of the fuel carrier unless the valve is fully opened. If this interlock fails with the valve partially closed, the fuel carrier will contact the valve and winching will be terminated by an overload signal. No damage to the fuel assembly will result since the fuel assembly is enclosed in the carrier.

Spent Fuel Handling Machine Interlocks

a. Interrupts hoisting if the load increases above the set point. Since the tool is manually controlled by the operator, failure of the tool to move or reduction in tool speed as a result of an overload can be sensed by the operator if the interlock becomes inoperative. In addition, digital display of hoist cable load is provided.
b. Interrupts hoisting if the load decreases to below the tare value. Since the tool is manually controlled, a slack cable condition can be visually determined by the operator and hoisting terminated.
c. The bridge and trolley are restricted to slow speed with a bundle weight if the hoist is not in the full up position. If this interlock fails, the mandatory slow speed restriction is removed.

However, since the translation speed controls are infinitely variable, the operator can run at slow speed when the interlock malfunction is recognized.

d. The Boundary Encoder System protects against running the load into walls or the gate of the storage area. No back-up or additional circuitry is provided for this interlock. However, the operator has direct vision of the tool and the attached load so that translation can be terminated if an interlock fails to operate.

7.6-4 Amendment No. 21 (12/05)

7.6.1.3 Overpressure Mitigating System (OMS)

The Overpressure Mitigating System (OMS) uses the pressurizer Power Operated Relief Valves (PORVs), V1402 and V1404, with two temperature dependent, low range pressure setpoints as the pressure relief mechanism. The OMS is described in Section 5.2.2.6. The low range setpoints are energized and de-energized from the main control board through the PORV mode selector switch. Also, means for alarming the various modes of operation have been provided.

The OMS uses two different temperature-dependent pressure setpoints during low range operation. The applicable low range pressure setpoint is automatically selected by bistables associated with RCS wide range cold leg temperature transmitters (TT-1115, 1125). The measured variable is the reactor coolant pressure obtained from low range pressurizer pressure transmitters (PT-1103, 1104).

EC291890

The PORVs open whenever pressurizer pressure is greater than 350 psia with Tc (cold leg temperature) less than or equal to 200°F during cooldown, heatup, or isothermal conditions. The PORVs open whenever pressurizer pressure is greater than 530 psia with Tc between 200-300°F during cooldown, heatup, or isothermal conditions.

When the pressure signal exceeds either setpoint, an alarm and annunciation informs the operator that the PORVs have received a signal to open from the OMS. The PORVs relieve to the Quench Tank.

7.6-5 Amendment No. 30 (05/20)

The control switches have three positions: low range, normal range and over-ride. The operator is warned by annunciation to switch over to low range operation on decreasing temperature. The alarm will clear when:

a) PORV control switches are in low range, and
b) The PORV block valves are open.

This assures proper alignment of the OMS during shutdown. During normal RCS heatup the operator is prompted by annunciation to select normal range OMS operation when temperature increases to the point where low range over pressure protection is no longer needed.

The OMS design includes an anticipatory PORV alarm. This alarm will inform the operator that RCS pressure is approaching the applicable temperature dependent low range OMS PORV actuation setpoint.

7.6.1.4 Anticipated Transient Without Scram (ATWS)

On July 26, 1984, The Code of Federal Regulations was amended to include Section 10 CFR 50.62, "Requirements for Reduction of Risk from Anticipated Transients Without Scram (ATWS) Events for Light-Water-Cooled Nuclear Power Plants" (also known as the ATWS Rule). The ATWS Rule requires specific improvements in the design and operation of commercial nuclear power facilities to reduce the likelihood of a failure to shut down the reactor following anticipated transients and to mitigate the consequences of anticipated transients which occur without a shutdown.

The occurrence of an anticipated transient in conjunction with a failure of the Reactor Protective System (RPS) to produce a reactor trip is defined as an ATWS event. The combination of an RPS failure and an anticipated transient is outside the present plant design basis and was analyzed by Combustion Engineering (CE) via CENPD-158. It was determined that a complete loss of feedwater combined with a failure of the reactor to trip would result in a primary coolant system pressure excursion well above reactor vessel service level C limits and therefore potentially challenge the integrity of the reactor coolant pressure boundary.

For Combustion Engineering plants, the regulations require the implementation of two methodologies for ensuring that an excessive primary coolant pressure excursion does not occur. These methodologies are called "prevention" and "mitigation". Prevention takes form as a Diverse Scram System (DSS) whose purpose is to initiate a shutdown of the reactor by control rod insertion upon conditions indicative of an anticipated transient, independently and diversely from the RPS. Mitigation is accomplished by tripping the turbine and initiating Auxiliary Feedwater to conserve steam generator inventory and to ensure that a primary coolant heat sink is available. A combination of prevention and mitigation will limit the peak reactor coolant system pressure rise to within acceptable values.

7.6.1.4.1 Diverse Scram System (DSS)

The Diverse Scram System (DSS) is a safety-related system that utilizes existing pressurizer pressure instruments and takes signals from secondary current loops in RTGB-106 as inputs. These signals are wired to the Engineered Safety Features Actuation System (ESFAS) cabinets where they are processed by DSS bistable and logic components to provide reactor trip signals. The trip signals are used to open the non-safety related control element assembly drive (CEA Drive) motor generator (MG) set output load contactors located between the CEA drive MG set output breakers and the Reactor Trip Switchgear. The consequential loss of voltage on the Reactor Trip Switchgear buses causes the reactor to shut down. This system, diverse and independent from the RPS except at the instrument loops, satisfies the ATWS Rule requirements for ATWS prevention.

7.6-6 Amendment No. 22 (05/07)

The DSS utilizes the four pressurizer pressure transmitters and their respective current loops for the source of the DSS input signals. These transmitters are also used for the RPS (high pressurizer pressure reactor trip and low pressurizer pressure reactor trip), indications, high and low pressurizer pressure annunciation, Engineered Safety Features Actuation System (ESFAS-low pressurizer pressure/safety injection actuation), and as input to the Sequence of Events Recorder (SER). Two I/I (current-to-current) converters in each instrument loop isolate the RPS and DSS inputs from each other.

The pressurizer pressure input signals are wired into the ESFAS cabinets where they are routed to four bistable modules, one in each measurement cabinet. Digital outputs (ON) are produced from the bistable modules when the pressurizer pressure reaches 2450 psia. This is the DSS actuation setpoint recommended by Combustion Engineering in Combustion Engineering Owners Group (CEOG) report CE NPSD-354.

Each of the four bistable modules produces an output for two digital isolators, SA and SB, located in the same measurement cabinets as their associated bistable modules. The outputs of the four SA isolators are routed to ESFAS cabinet ESC-SA while the four SB isolator outputs go to ESFAS cabinet ESC-SB. In each safety cabinet (ESC SA and ESC SB), there is an actuation module which accepts the four isolated digital signals and applies two-out-of-four (2/4) logic to produce a digital output. Each 2/4 actuation module sends its output through an isolator to a CEA drive MG set load contactor, the SER, and to an annunciator window. Both actuation modules must function and trip both load contactors to produce a reactor trip in a 2/2 output logic.

There are two bypass switches, one each located on safety channel cabinets ESC SA and ESC SB. Both switches have two positions, NORMAL and BYPASS, and are controlled by keys removable only in the NORMAL position. When in the NORMAL position, the DSS operates as designed and sends actuation signals to the MG set load contactors to trip the reactor. In the BYPASS position, however, the DSS actuation signals are blocked to allow operators to test and maintain the DSS with the plant at power without the potential for reactor trip. Complete testing overlap, from the sensors to the trip coils, may be accomplished with the plant shut down.

There are also four bistable bypass switches, one for each bistable device. Their function is to bypass bistable devices individually to test or maintain them without causing bistable output signals to be sent to the 2/4 actuation modules.

Since the logic of the DSS is integrated into the ESFAS, the existing ESFAS cabinet automatic testing instrument (ATI) is utilized to check the functions of the DSS components from the bistable devices through the 2/4 actuation modules by using pulses from an auto-test generator. ATI operates continuously as long as ESFAS circuits are energized.

An annunciator window is used to alert the operator when a DSS actuation signal is obtained from either 2/4 actuation module. Another is provided to alarm when either of the two safety channel bypass switches is placed in the BYPASS position. Local indicating lights on the ESFAS cabinets provide status indication of the same conditions.

7.6-6a Amendment No. 18, (04/01)
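The coincidence logic described in this subsection (four bistables at 2450 psia, a 2/4 actuation module in each of ESC-SA and ESC-SB, 2/2 output to the load contactors) and the two-out-of-four undervoltage relay logic of the diverse turbine trip can be exercised with a small model. This is an added example, not the plant's or the vendor's logic; the channel labels A to D, the postulated fault sets, and the treatment of the undervoltage relays as a simple count are assumptions for illustration.

```python
"""Toy model of the DSS / DTT coincidence logic (added example, not plant code)."""
from dataclasses import dataclass, field
from itertools import combinations

DSS_SETPOINT_PSIA = 2450.0        # DSS actuation setpoint given in the text
CHANNELS = ("A", "B", "C", "D")   # assumed labels for the four bistable channels
TRAINS = ("SA", "SB")             # actuation modules in cabinets ESC-SA / ESC-SB


@dataclass
class DssState:
    """Switch positions and postulated faults (the fault sets are assumptions)."""
    bistable_bypassed: set = field(default_factory=set)  # channels with bistable bypass on
    train_bypassed: set = field(default_factory=set)     # trains with key switch in BYPASS
    isolator_failed: set = field(default_factory=set)    # (channel, train) outputs stuck OFF
    uv_relay_failed: int = 0                             # undervoltage relays failing to operate


def evaluate(pressures, state=None):
    """Return module, contactor, reactor-trip and turbine-trip status for one snapshot."""
    state = state or DssState()
    # A bistable output is ON when pressure reaches the setpoint, unless bypassed.
    bistable = {ch: pressures[ch] >= DSS_SETPOINT_PSIA
                and ch not in state.bistable_bypassed for ch in CHANNELS}
    module = {}
    for train in TRAINS:
        # Each train sees the four bistables through its own digital isolators.
        votes = sum(bistable[ch] and (ch, train) not in state.isolator_failed
                    for ch in CHANNELS)
        module[train] = votes >= 2                       # two-out-of-four coincidence
    # BYPASS blocks the actuation signal to that train's MG set load contactor.
    contactor_open = {t: module[t] and t not in state.train_bypassed for t in TRAINS}
    reactor_trip = all(contactor_open.values())          # 2/2 output logic
    # DTT: loss of bus voltage is sensed by four UV relays voted two-out-of-four.
    turbine_trip = reactor_trip and (4 - state.uv_relay_failed) >= 2
    return {
        "module_actuated": module,
        "contactor_open": contactor_open,
        "reactor_trip": reactor_trip,
        "turbine_trip": turbine_trip,
        "bypass_alarm": bool(state.train_bypassed),
    }


def isolator_fault_sets_blocking_trip(n_faults):
    """All sets of n stuck-OFF isolators that block a trip during a real overpressure."""
    high = {ch: DSS_SETPOINT_PSIA + 50.0 for ch in CHANNELS}   # constructed input
    isolators = [(ch, t) for ch in CHANNELS for t in TRAINS]
    return [set(combo) for combo in combinations(isolators, n_faults)
            if not evaluate(high, DssState(isolator_failed=set(combo)))["reactor_trip"]]


if __name__ == "__main__":
    high = {ch: 2500.0 for ch in CHANNELS}                     # constructed input
    print("all channels high:", evaluate(high)["reactor_trip"])
    print("SA in BYPASS:", evaluate(high, DssState(train_bypassed={"SA"})))
    for n in (1, 2, 3):
        print(n, "isolator faults blocking trip:", len(isolator_fault_sets_blocking_trip(n)))
```

The model makes the trade-off in the 2/2 output stage visible: a single spuriously actuated train cannot trip the reactor, but a single train left in BYPASS blocks the trip, which is why that switch position is annunciated.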

Diversity of the DSS from sensor output to, and including, the device that interrupts control rod power is required. This diversity to the RPS and its trip paths is achieved by utilizing different manufacturers or circuit designs for the bistables, comparators, relay logic and relay actuation outputs. Finally, the final actuation devices (contactors vs. breakers) are diverse and are operated independent of the RPS or its trip paths.

Although the electrical power supply system which serves RPS and DSS is the same, analysis has shown that the design of the inverter system is such that it minimizes common cause failures or will annunciate the condition before an unacceptable degradation occurs which could affect both the DSS and RPS. In addition the DSS will remain operable upon loss of offsite power.

End to end testing of the DSS is performed each refueling outage. This system, diverse and independent from the RPS except at the instrument loops, satisfies the ATWS Rule requirements for prevention.

7.6.1.4.2 Diverse Turbine Trip (DTT)

The Diverse Turbine Trip (DTT) is inherent in the design of the DSS and it utilizes the DSS bistable and logic functions. Tripping of the load contactors for both MG sets will initiate a DTT. When the DSS actuates during an ATWS event, the load contactors will open and de-energize the reactor trip switchgear buses. The loss of voltage on the reactor trip switchgear will be sensed by four undervoltage relays, which, in turn, will operate one auxiliary relay each. The contacts on the four auxiliary relays are arranged in two-out-of-four logic to provide turbine trip signals to the emergency trip solenoids. If the emergency trip solenoids are operated, hydraulic oil will be dumped from the turbine control oil system and turbine trip will occur. Reference Section 10.2.2 for further description of the turbine trip system.

The components that are unique to the DTT (i.e., undervoltage relays, auxiliary relays, and trip solenoid valves) do not appear in any of the RPS trip path circuits. The DTT therefore satisfies the ATWS rule requirements for mitigation.

7.6.1.4.3 Diverse Auxiliary Feedwater Actuation System (DAFAS)

The Diverse Auxiliary Feedwater Actuation System is described in Subsection 7.3.1.1.13. Diversity of the DAFAS from sensor output up to, but not including, the final actuating devices is required. This diversity to the RPS is achieved by utilizing different manufacturers or circuit designs for the bistables, comparators, matrix relays and initiation relays. Finally, electrical power system independence is achieved as discussed above for the DSS. The DAFAS therefore satisfies the ATWS Rule requirements for mitigation.

7.6-6b Amendment No. 26 (11/13)

7.6.2 ANALYSIS

7.6.2.1 Shutdown Cooling System Interlocks

a) Requirements

There are no AEC Safety Guides or General Design Criteria which apply to these interlocks. The requirements of IEEE 279-1971 and IEEE 338-1971 are written expressly for protection systems, and as such, they are not directly applicable to these interlocks. The requirements of these IEEE Standards are discussed in the following paragraphs to the extent that they apply.

b) IEEE 279 - 1971, Section 4

The following discussion refers to the requirements set forth in Section 4 of IEEE 279-1971:

1) The interlocks are designed for the normal plant operating environment and are not required to function under abnormal or accident conditions.
2) Any single failure leading to loss of one channel will not permit overpressurization of the low pressure piping. Loss of both interlock channels, coupled with violation of administrative controls and procedures would be required.
3) The sensors for these interlocks are to the same specification and quality requirements that are imposed on protective system instrumentation.
4) Type tests are performed on the instrumentation that will ensure their operation during expected conditions of seismic activity.
5) The interlocks are designed to maintain functional capability in the normal plant operating environment. They serve no function during abnormal or accident situations.
6) The pressure transmitters are located on separate pressurizer nozzles, and separation is maintained between channels.

7.6-7 Amendment No. 18, (04/01)

7) Control and Protection System interaction is not applicable since the interlocks have no control system function.
8) Pressurizer pressure is used as the signal for these interlocks.
9) The operational availability of the two pressure sensing channels can be determined by comparing their outputs.
10) The required test interval is once per 18 months. Therefore, capability for testing during power operation is not required.
11) Removal of one channel for test does not compromise system reliability. Failure of the remaining channel during a test outage would not create an unacceptable situation, since administrative controls (key locks) effectively preclude inadvertent opening of the valves by the operator.
12) thru 14) There are no bypasses.
15) thru 18) These requirements are not applicable.
19) The isolation function is indicated by the valve position indication.
20) The readout consists of two pressure indicators and position indication for two valves. This provides the operator with clear concise information.

21) The components are easily accessible. One channel can be placed out of service for repair without jeopardizing the isolation of the shutdown cooling system.
22) Not applicable.

7.6.2.2 Fuel Handling System Interlocks

The analysis of the refueling interlocks is presented in Section 9.1.4.

7.6.2.3 Overpressure Mitigating System

An analysis has been performed on Overpressure Mitigation and is contained in Subsection 5.2.2.6.

7.6.2.4 Diverse Scram System

The requirements of 10 CFR 50.62 for prevention were incorporated into the Diverse Scram System. This design has been specifically approved in the USNRC Safety Evaluation of Compliance with ATWS Rule 10 CFR 50.62 dated September 6, 1989.

7.6-8 Amendment No. 22 (05/07)

7.7 CONTROL SYSTEMS NOT REQUIRED FOR SAFETY

7.7.1 DESCRIPTION

The control and instrumentation systems whose functions are not essential for the safety of the plant include all of the plant instrumentation and control equipment not addressed in Sections 7.1 through 7.6. The following general descriptions should permit an understanding of the way the reactor and important subsystems are controlled.

Pursuant to an NRC letter dated 9/17/79 requesting an evaluation for potential interactions between non-safety grade systems and safety grade systems, studies were performed by CE and FPL in which combinations of control system failures and high energy pipe break events were considered. Thirteen systems involving five accident scenarios, which encompass the spectrum of postulated high energy line breaks, were reviewed. Of the total of sixty-five possible combinations of control systems and possible accidents, fourteen scenarios were identified as warranting detailed review. The control functions involved were pressurizer level, pilot operated relief valves, CEA position, feedwater flow, turbine control, steam bypass, steam dump upstream of MSIV, and steam dumps downstream of MSIV. The events involved were steam line break, feedwater line break, CEA ejection and small break LOCA. In no instance were potential interactions identifiable which could constitute a substantial safety hazard. See Reference 1.

7.7.1.1 Reactor Control Systems

The reactor is controlled by reactivity adjustments with CEA's and with boric acid dissolved in the reactor coolant. Rapid changes in reactivity are compensated for, or are initiated by, CEA movement. Long-term variations in reactivity due to fuel burnup and fission product concentration changes are controlled by adjusting the boric acid concentration. Since this rate of addition produces slow changes in the reactor power level, operator action suffices to effect the boron concentration change.

Interlocks ensure that the shutdown CEA groups are in the full withdrawn position before the other CEA groups can be withdrawn.

7.7-1 Amendment No. 30 (05/20)

An interlock bypass is provided to allow CEA regulating group withdrawal in support of CEA surveillance testing and retrieval of a dropped rod. An alarm is provided when further insertion of regulating group CEA's would reduce the amount of effective shutdown reactivity in the CEA's below specified limits.

The designed reactivity feedback properties of the Nuclear Steam Supply System (NSSS) inherently cause reactor power to match the total NSSS load. The resulting reactor coolant temperature at which this occurs is a controlled parameter and is adjusted by changes in total reactivity as implemented through CEA position changes or through boric acid concentration changes in the reactor coolant.

The ability of the NSSS to follow turbine load changes is dependent on the ability of the automatic control systems or operator to adjust reactivity, and other parameters which include feedwater flow, bypass steam flow, reactor coolant inventory and energy content of the pressurizer such that NSSS conditions remain within normal operating limits. The reactor regulating system is designed to provide signals to automatically adjust reactor power and reactor coolant temperature to follow turbine load transients within the following limits:

a) A step increase in steam flow of 10 percent, with steam flow initially between 15 and 90 percent.
b) A step decrease in steam flow of 10 percent, with steam flow initially between 100 and 25 percent.
c) Ramp changes in steam flow at a rate of 5 percent per minute within the range of 15 to 100 percent.

7.7-2 Amendment 18, (04/01)

The CEA control system sequences the motion of CEA's in a predetermined manner and prevents the withdrawal of more than one group of CEA's except in overlap regions where the movement of two groups is permitted. CEA withdrawal will be prevented when a high power pretrip alarm, high rate-of-change-of-power pretrip alarm, high local power density alarm or a thermal margin/low pressure pretrip alarm is present.

7.7.1.1.1 Reactor Regulating System

A block diagram of the reactor regulating system is shown on Figure 7.7-1. Two separate channels for regulation are provided and either may be switch selected. The system is comprised of the following components:

a) Water Level Set Point Function Generator
b) Tref Function Generator
c) Tavg - Tref Summer
d) Tavg - Tref Stability Compensation Unit
e) Reactor Power - Turbine Power Stability Compensation Unit
f) Pressurizer Pressure Stability Compensation Unit
g) Temperature, Power and Pressure Error Summation Unit
h) CEA Direction and Speed Control Unit

The system includes the following inputs to each channel:

a) Loop 1A Thot, Loop 1B Thot
b) Loop 1A Tcold, Loop 1B Tcold
c) Turbine first stage pressure
d) Power Range neutron flux
e) Pressurizer pressure

The system develops the following outputs from each channel:

a) CEA drive direction and signals to the CEDM control system*
b) Tref and Tavg signals to recorders
c) Automatic CEA withdrawal prohibit signals to the CEDM control systems*
d) Deviation alarms for Tavg - Tref
e) Pressurizer Level Setpoint Signals

In each channel, a temperature programmer establishes the desired reactor coolant average temperature (Tref) based on a power reference signal from turbine first stage pressure. Tref varies linearly with power from a nominal temperature of 532°F at hot standby to an adjustable limit of 520°F to 580°F at 100 percent power. Tref is subtracted from selected Tavg. This difference signal is monitored by a Tavg - Tref deviation alarm unit and is also used in a CEA controller channel.

The reactor regulating system receives turbine first stage pressure as a primary input. Turbine first stage pressure is a linear function of load. Power range neutron flux and pressurizer pressure are compensating inputs to the system. The regulating system generates an output of CEA drive direction and speed signals based on compensated error signals derived from these inputs.*

By means of a two-position switch, the operator selects which pressurizer level setpoint programmer is used.

* RRS output signals for CEA direction, CEA speed and automatic withdrawal prohibit are no longer used by the CEA control system.

7.7-3 Amendment No. 30 (05/20)

7.7.1.1.2 Control Element Drive System

The CEA's are divided into the following groups:

a) Shutdown - two groups
b) Regulating - seven groups

Each CEA remains stationary except when a raise or lower signal is present. When such a signal is received, the regulating CEA's move at a nominal speed of 30 inches per minute. The shutdown CEA's move at a fixed nominal speed of 20 inches per minute. The CEA position set points are shown on Figure 7.7-3.

Regulating CEA's may be moved in manual control by manual group or sequential group movement. Individual CEA's may be moved in manual control. Under sequential group control, when the moving group reaches a programmed low (high) position, the next group begins inserting (withdrawing); the initial group stops upon reaching its lower (upper) limit. This procedure, applied successively to all regulating groups, allows a smooth and continuous rate-of-change of reactivity.

Under sequential group control, when the regulating groups reach the "prepower dependent" insertion alarm point, this condition is annunciated. If sequential group insertion is continued, a "power dependent" alarm point limit is reached, a second alarm is initiated, and a CEA motion inhibit imposed. These two programmed limits may be adjusted during the life of the plant and are provided to aid the operator in assuring adequate shutdown margin.

The shutdown CEA's may be moved in the manual control mode only, with either individual or group movement. The group selection limitations enforced by the operator console graphics prevent withdrawal of more than one shutdown group at any time. The shutdown groups must be withdrawn to the upper limit established in the Technical Specifications before regulating group withdrawal is allowed. An upper portion of shutdown group travel is utilized to minimize guide tube wear at a single point.

An interlock prevents a group insertion of shutdown CEAs unless the regulating groups are fully inserted.

7.7-4 Amendment No. 30 (05/20)

Equipment protective interlocks to prohibit regulating group withdrawal are provided to prevent the reactor from reaching off normal conditions. These interlocks are summarized in Table 7.7-1.

Spurious withdrawal of individual CEAs due to a single failure in the CEDM system cannot occur due to the CEA block (motion inhibit) circuit. The CEA block circuit monitors CEA position to detect conditions of individual CEA deviation within a group, CEA group out-of-sequence, CEA group excessive overlap and CEA group power dependent insertion limit violations. A CEA motion inhibit and alarm is activated upon the detection of any of the above conditions. For this reason a spurious withdrawal of an individual CEA is not classified as an anticipated operational occurrence and therefore is not analyzed in Section 15.2.1. With the CEA block circuit, a dual failure is required within the control element drive system for it to cause an individual CEA withdrawal.

The CEDM reed switch position transmitters and cabling are located outside of the CEDM cooling shroud and in the free circulating air environment of the containment. The majority of the CEDM reed position switches and cabling have been replaced since St. Lucie Unit 1 was licensed. The original criteria for these components are presented below:

a) The maximum hot spot temperature in the area is anticipated to be 152°F. A long term elevated temperature test has been conducted on a scale reed switch position transmitter which was built from identical production reed switch components. The transmitter has not suffered any operational degradation at a temperature of 300°F for a period of more than a year. The cabling to the switches has a 70°C (158°F) continuously rated jacket and 90°C (194°F) continuously rated individual conductor insulation.
b) The maximum anticipated radiation level in the area is about 12 rads/hour assuming full power operation. The CEDM reed switch position transmitters are qualified for 30 rads/hr, plus 15 minutes of post-LOCA operation. The cabling is qualified for a total integrated dose of 107 rads.

7.7-5 Amendment No. 30 (05/20)

7.7.1.1.3 Comparison

Comparisons contained herein were considered valid at the time the operating license for St. Lucie Unit 1 was issued, and are being retained in the updated FSAR for document completeness and historical record. No present or future update for this section is required.

The Reactor Control Systems are functionally identical to those provided for Calvert Cliffs Units 1 and 2 (AEC Docket Nos. 50-317 and 50-318) with the following exceptions:

a) The duplicate steam dump programmers have been replaced by a single system which is located for convenience within the reactor regulating system. The new system performs all of the functions of the previous programmers and provides an additional capability for handling up to a 29 percent load rejection. Refer to Section 7.7.1.3.
b) The control element assemblies are grouped differently due to the different assembly configurations within the core.
c) The control element drive system for St. Lucie Unit No. 1 includes CEA Motion Inhibit circuitry which will prevent CEA movement if certain rod programming requirements are not met. Refer to Section 7.5.1.3.
d) An additional automatic withdrawal prohibit (AWP) has been incorporated to CEA withdrawal subsequent to a demanded steam bypass system operation.
e) The reactor regulating system will not supply automatic motion signals to the control element drive system when the power level is below 15 percent to prevent operation of the system in the automatic mode below this power.

7.7.1.2 Reactor Coolant Control System

The reactor coolant control system is composed of two subsystems, the reactor coolant pressure control system and the pressurizer level control system.

7.7.1.2.1 Reactor Coolant Pressure Control System

The reactor coolant pressure control system maintains system pressure within specified limits by the use of pressurizer heaters and spray valves.

7.7-6 Amendment No. 18, (04/01)

During normal operation, a small group of heaters is proportionally controlled to maintain operating pressure. If the pressure falls below the proportional band all of the heaters are energized. Above the normal operating range the spray valves are proportionally opened to increase the spray flow rate as pressure rises. A small, continuous spray flow is maintained through the spray lines at all times to keep the lines warm and thereby reduce thermal shock when the control valves open, and to ensure that the boric acid concentration in the coolant loops and pressurizer is in equilibrium.

A high pressurizer level energizes the backup heaters to minimize the increase in subcooling during this transient. A low pressurizer water level deenergizes all heaters, thereby providing heater protection.

Two channels of control are provided and the controlling channel is selected by a switch on the control board. Manual control of the heaters and the spray may be selected at any time. The outputs from both pressure control channels are recorded in the control room and provide independent high and low alarms. The control and alarm pressure setpoints are shown on Figure 7.7-4.

Consistent with the requirements of NUREG-0737, Item II.E.3.1, the pressurizer heater power supply consists of Class IE power to redundant heaters powered from either the normal offsite power source or the emergency onsite power source. Switching is accomplished manually in the control room. Upon a SIAS, the pressurizer heater buses are de-energized, making the heater groups unavailable until SIAS has been reset.

7.7.1.2.2 Pressurizer Water Level Control System

The pressurizer water level control system minimizes changes in reactor coolant system water inventory by the use of charging pumps and letdown control valves in the chemical and volume control system described in Section 9.3.4. During normal operation, the pressurizer water level is programmed as a function of the average reactor coolant temperature. The level controller compares the measured and programmed level signals and generates a proportional signal for regulating the letdown control valves. In addition, the level controller functions to start or stop additional charging pumps at low or high level setpoints.

Two channels of control are provided and the controlling channel is selected by a switch on the control board. Automatic control is normally used during operation but manual control may be utilized at any time.

Both independent level channels provide pressurizer level signals for two additional functions:

a) A low level signal from either channel deenergizes all heaters;
b) A high level signal from the controlling channel energizes the backup heaters.

7.7.1.2.3 Comparison

The reactor coolant control system is functionally identical to that provided for Calvert Cliffs Units 1 and 2 (AEC Docket Nos. 50-317 and 50-318).

7.7-7 Amendment No. 24 (06/10)

7.7.1.3 Steam Generator Control System

The steam generator control system is composed of three subsystems, the feedwater regulating system and auxiliary feedwater control system which function to maintain proper steam generator water level, and the steam dump and bypass system.

7.7.1.3.1 Feedwater Regulating System

The Feedwater Regulating System, which is a subsystem of the Distributed Control System (DCS), maintains steam generator water level within acceptable limits by positioning the main feedwater regulating valves (FCV-9011 and 9021) which control the feedwater to each steam generator. These valves have a backup air supply to assure their proper operation and are designed to fail as-is upon low instrument air pressure. The functional block diagram of the system is shown in Figure 7.7-5.

The two steam generators are operated in parallel. Each Feedwater Regulating System uses a three-element control system with inputs of feedwater flow, steam flow and steam generator water level for automatic water level control above 15 percent power. The output of the DCS provides a signal to position the respective feedwater regulating valve.

When an abnormally high steam generator water level is sensed in either steam generator, a signal is sent to close the associated feedwater regulating valve. This signal can be removed by use of a manual override. (See Steam Generator overfill discussion on next page.)

In the event of a reactor or turbine trip, the feedwater regulating valves are closed and feedwater control is transferred to the Low Power Feedwater Control System (LPFCS) which is a subsystem of the DCS that controls steam generator level via the bypass valves (LCV-9005 and 9006).

In order to reduce the frequency of reactor trips encountered during startup due to the thermal shrink and swell characteristics of the steam generator, the LPFCS has been designed to provide automatic control of the feedwater bypass valves and maintain steam generator level at setpoint value during unit startup in the range of approximately 2 to 15% load(1). This provides the flow required for decay heat removal at normal reactor coolant operating temperatures and allows the operator sufficient time before manual control of level is required.

The LPFCS monitors conditions in both the primary and secondary loops of the NSSS for control of feedwater flow into each steam generator. The LPFCS auctioneers two steam generator level signals, LT-9005 and LT-9011 for SG 1A and LT-9006 and LT-9021 for SG 1B, to select the highest signal to maintain the level setpoint. The LPFCS also utilizes a feedforward signal based on wide range steam generator water level deviation from its zero power value. This difference generates a reference feedwater flow demand that is proportional to changes in steam flow. The LPFCS uses feedwater temperature downstream of the high pressure heaters to compensate for the effect of feedwater temperature on the steam generator level characteristics.

Note (1): The upper end of the LPFCS specified range (i.e., 15% power) reflects the original low end capability of the main feedwater control system, and the original nomenclature of LCV-9005/LCV-9006 (i.e., 15% bypass valves), rather than the maximum capability of the low power feedwater control system.

7.7-8 Amendment No. 26 (11/13)

The manual control of the feedwater regulating system may be selected at any power level. When in manual control, the operator in the control room can:

a) Position each feedwater regulating control valve (FCV-9011, FCV-9021)
b) Open or close each feedwater stop valve
c) Position each feedwater bypass regulating valve (LCV-9005, LCV-9006)
d) Control operation of feedwater pumps

The main feedwater regulating valves have the capability for local manual operation, which can be accomplished by pinning the valve stem to the manual jacking mechanism. Local manual operation is controlled by plant operating procedures.

The DCS was expanded to include the feedwater regulating system and the Low Power Feedwater Control System. A more detailed discussion of the DCS can be found in Subsection 7.5.1.3.1. To integrate the feedwater regulating and the low power feedwater subsystems into the DCS, equipment in addition to the equipment discussed in Subsection 7.5.1.3.1 was installed. Two touch screen Manual/Auto stations (FIC-9011/LIC-9005 and FIC-9021/LIC-9006) are used to control the valves, while two flat panel displays provide indication, alarms and control capabilities. This equipment is located on RTGB-102.

The operator can at any time control operation of two electrically driven auxiliary feedwater pumps and/or the turbine driven auxiliary feedwater pump described in Section 10.5 and position the associated auxiliary feedwater regulating valves.

Steam Generators Overfill Protection Features: (Generic Letter 89-19)

A review of the feedwater control system was performed in conjunction with Generic Letter 89-19 Resolution of Unresolved Safety Issue A-47 (Safety Implication of Control Systems in LWR Nuclear Power Plants). This generic letter required, in part, that all CE plants provide automatic steam generator overfill protection and that these features be sufficiently separate from the existing feedwater control system to mitigate main feedwater (MFW) overfill events. The desired degree of separation was such that it would not be powered from the same power source, not located in the same cabinet, and not routed so that a fire may affect both systems. Periodic testing of these added features, to verify functionality, was also required. (References: 1) Engineering Evaluation JPN-PSL-SEIJ 007 and 2) NRC SER Steam Generator Overfill Protection Response to Generic Letter 89-19 dated 4/4/94.)

The Steam Generator Overfill Protection features utilize the same safety grade steam generator level transmitter signals that provide input to the Reactor Protection System. High and High-High level trip settings provide logic outputs, which are isolated before passing to the non-Class IE Steam Generator Overfill Protection logic. Feedwater isolation functions are then performed under a 2-out-of-4 coincidence.

Diverse and redundant equipment is actuated by these High and High-High signals. First, after the initiating event, high level protection closes the respective steam generator feedwater control valve(s) through the feedwater regulation system, as shown on Figure 7.7-5. Second, if the high level protection should fail, a High-High level protection will trip the turbine, stop the main feedwater pumps and close the main feedwater pump discharge valves.

Separate sources of power are provided for the feedwater control system and High-High Steam Generator Overfill Protection circuits to ensure availability of one of these systems should an overfill event occur. Furthermore, the design of the feedwater control system requires the feedwater regulating valve to fail closed on a loss of power such that even in the unlikely event of a total power failure to both systems, feedwater flow will still be isolated for the affected train.

Plant procedures are provided to periodically verify operability of Steam Generator Overfill Protection features during power operation and to functionally test the system during refueling.

7.7-8a Amendment No. 21 (12/05)
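The staged High / High-High overfill logic described above, modelled as an added example that is not taken from the FSAR or from the plant's own logic. The setpoint values, the function names, and the treatment of the High-High stage as unaffected by the manual override are assumptions; the final function counts how many failed channels the 2-out-of-4 vote absorbs before it gives a wrong answer.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Optional, Sequence

# Constructed setpoints in percent level; the page gives no trip settings.
HIGH_SETPOINT = 80.0
HIGH_HIGH_SETPOINT = 90.0

STUCK_HIGH = 100.0  # constructed reading for a transmitter failed high
DEAD = None         # a channel that produces no bistable output


def bistable(level: Optional[float], setpoint: float) -> bool:
    """Trip vote of one channel; a dead channel never votes to trip."""
    return level is not None and level >= setpoint


def two_out_of_four(votes: Sequence[bool]) -> bool:
    """2-out-of-4 coincidence: actuate when at least two channels vote."""
    if len(votes) != 4:
        raise ValueError("coincidence logic expects exactly four channels")
    return sum(votes) >= 2


@dataclass(frozen=True)
class Actions:
    close_frv: bool                   # feedwater regulating valve closed
    trip_turbine: bool
    stop_mfw_pumps: bool
    close_mfw_discharge_valves: bool


def overfill_protection(levels: Sequence[Optional[float]],
                        manual_override: bool = False,
                        frv_power: bool = True) -> Actions:
    """Evaluate both stages for one steam generator's four level channels."""
    high = two_out_of_four([bistable(x, HIGH_SETPOINT) for x in levels])
    high_high = two_out_of_four(
        [bistable(x, HIGH_HIGH_SETPOINT) for x in levels])
    # Stage 1: High closes the FRV unless the operator override removes the
    # signal; the valve also fails closed on loss of power (per the text).
    close_frv = (high and not manual_override) or not frv_power
    # Stage 2: High-High backs up stage 1. Assumption: not overridable.
    return Actions(close_frv, high_high, high_high, high_high)


def max_tolerated_failures(true_level: float,
                           failed_reading: Optional[float]) -> int:
    """Largest k such that ANY k channels replaced by failed_reading still
    give the same High-High decision as four healthy channels."""
    expected = overfill_protection([true_level] * 4).trip_turbine
    tolerated = 0
    for k in range(1, 5):
        for failed in combinations(range(4), k):
            levels = [failed_reading if i in failed else true_level
                      for i in range(4)]
            if overfill_protection(levels).trip_turbine != expected:
                return tolerated
        tolerated = k
    return tolerated


if __name__ == "__main__":
    print(overfill_protection([85.0, 85.0, 50.0, 50.0]))
    print("spurious-trip tolerance:", max_tolerated_failures(50.0, STUCK_HIGH))
    print("missed-trip tolerance:", max_tolerated_failures(95.0, DEAD))
```

In this model one channel failed high cannot cause a spurious High-High actuation, while a genuine overfill is still detected with two of the four channels dead.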

7.7.1.3.2 Steam Dump and Bypass System

The steam dump and bypass system described in Section 10.4.4 is designed to provide a means of manually controlling reactor coolant temperature during plant startup and for removing NSSS stored energy, decay heat, and pump energy during shutdown cooling. The original system design flow capacity of 45% was restored as part of the modifications implemented in support of the Extended Power Uprate. The system is designed to mitigate challenges to the pressurizer and steam generator safety valves during large load rejections.

The system itself is composed of five valves with a combined capacity of greater than 45%, two control board mounted manual-automatic controllers, and one test panel with flat panel display. The system input variables of main steam header pressure, steam flow, reactor coolant average temperature and reactor trip enter into the computation in order to produce individual valve area modulation signals or, if conditions warrant, individual "quick-opening" signals to the dump valves.

Initiation of a steam dump enables an interlock in the reactor regulating system which will prevent CEA withdrawal to ensure timely termination of the transient.

7.7.1.3.3 Comparison

Comparisons contained herein were considered valid at the time the operating license for St. Lucie Unit 1 was issued, and are being retained in the updated FSAR for document completeness and historical record. No present or future update for this section is required.

The steam generator control system is functionally identical to that provided for Calvert Cliffs Units 1 and 2 (AEC Docket Nos. 50-317 and 50-318) with the following exceptions:

a) The high level signal which closes the feedwater regulating valve is derived from the high level trip functions of the four independent level indicators for that steam generator. A high level override control is available to the operator in the unlikely event that a spurious high level signal is received.
b) The steam dump and bypass system has been modified to include a 45 percent load rejection capability regardless of initiating condition. The steam dump and bypass system functions on a combined steam pressure and steam flow program. Manual control of any or all valves is still available for the control board station.

7.7-9 Amendment No. 26 (11/13)

7.7.1.4 Turbine Control System

7.7.1.4.1 System Design

The turbine control system is designed to:

a) Automatically control the turbine generator power during all phases of normal operation
b) Trip the turbine upon occurrence of conditions which could, if operation were to continue, cause equipment damage
c) Provide a reactor trip signal to the reactor protective system upon occurrence of a turbine trip signal. The turbine trip system which provides the reactor trip is designed such that it does not compromise the reliability of the reactor protective system.

The turbine control system is a digital electronic hydraulic (DEH) system which controls the turbine automatically using a process control computer, servo-mechanism and hydraulic valve actuators. The computer represents the digital portion of the system, the servo hardware represents the electronic portion of the system and the valve actuators represent the hydraulic part of the system.

7.7-10

During automatic operation the DEH control system sends output signals to the servo system which in turn positions the hydraulic valve actuators and controls turbine speed or load.

7.7.1.4.2 Turbine Trip Signals

The following conditions will cause a turbine trip:

a) Reactor trip
b) Turbine overspeed
c) Low vacuum
d) Generator lockout relay
e) Exhaust hood high temperature
f) Turbine low bearing oil pressure
g) Manual trip
h) Hi-Hi Steam Generator Water Level

Any turbine trip will cause the emergency trip fluid header pressure to decrease. Four pressure switches are provided on the emergency trip fluid line and serve as the trip inputs to the reactor protective system logic matrices. As discussed in Section 7.1, actuation of any two out of four pressure switches will cause a reactor trip. The pressure switches and circuitry are electrically separated and testable in accordance with IEEE-279. The sensors are connected to a common header and physical separation is provided as far as is practical. The remaining portion of the system conforms to the physical separation criteria as described for the reactor protective system in Section 7.1. The circuitry is designed as "deenergize to actuate" which increases the likelihood that physical damage will cause a trip.

7.7-11 Amendment No. 30 (05/20)

7.7.1.4.3 Turbine Runback

The turbine runback feature has been deleted. In the event of a dropped CEA, the operator has methods at his disposal to accomplish manual load reduction.

7.7-12 Am. 11-7/92

7.7.2 ANALYSIS 7.7.2.1 Reactor Control System The detailed analysis of the possible failure modes of the reactor control system and their possible effects is presented in Section 7.2.2.1 (GDC 25). 7.7.2.2 Reactor Coolant Control System 7.7.2.2.1 Reactor Coolant Pressure Control System Two independent channels are available for automatically regulating the pressurizer heaters and spray valves. Either channel may be used to control the pressure in the system, and the output from both channels is recorded in the control room. Independent high- and low-pressure alarms are provided to indicate a system malfunction. Upon alarm, the operator can shift control to the standby system or take manual control. Further degradation of the pressure regulation would result in a high or low pressure reactor trip (discussed in Section 7.2.1.2). 7.7.2.2.2 Pressurizer Water Level control System Two separate and redundant water level control systems are provided. Both automatic and manual control of level is provided. Three charging pumps and two letdown control valves provide redundant means of increasing or decreasing reactor coolant inventory. The variable pressurizer level control program maintains the proper coolant inventory by means of discharge or addition as required during plant load changes. Loss of pressurizer level control will result in alarms that will allow the operator to shift to the other control channel or take manual control. Further degradation of the level control will cause a loss of pressure control and an associated reactor trip. 7.7.2.3 Steam Generator Control System 7.7.2.3.1 Feedwater Regulating System Conventional three-element, feedwater control is used. Manual override of the automatic control is always available. Remote manual bypass valves and manual feedwater stop valves provide backup for feedwater valve failure. 
A low steam generator level will cause a reactor trip as discussed in Section 7.2.1.2, thus leaving enough water in the steam generators for at least 10 minutes of decay heat removal. This is ample time for the operator to verify feedwater flow from either the main feedwater or the automatically initiated auxiliary feedwater systems. Auxiliary feedwater controls are discussed in Section 7.4.1.1.

7.7-13 Amendment No. 17 (10/99)

7.7.2.3.2 Steam Dump and Bypass System

The design of the steam dump and bypass system is based on the criteria that no single component failure or operator incorrect action can cause the improper opening of more than one dump valve. The major input variables are direct NSSS parameters. These ensure that the correct response is automatically taken to meet the design criteria regardless of the source or type of initiating condition. However, turbine load is used as an input parameter to increase the anticipatory response of the system in the quick-open mode to the most likely occurrences. The use of DCS controls (discussed in Section 7.7.1.3.2) ensures correct valve modulation until recovery from the transient is complete rather than terminating action when the discrete input is removed. The use of two reactor turbine generator board (RTGB) mounted manual-automatic controllers in conjunction with the DCS gives this system the capability of smooth transfer from manual to automatic and from automatic to manual operation.

7.7.2.3.3 Turbine Control System

The turbine control system has automatic control and trip devices necessary for operation and protection of the main turbine. Turbine trip signals are provided to trip the unit upon occurrence of conditions which are potentially hazardous to the turbine or other plant equipment. The turbine trip signal input to the reactor protective signal meets as far as practical all design criteria for the reactor protective system. This trip signal is provided primarily for turbine equipment protection and is not required for reactor safety.
7.7.3 SYSTEM EVALUATION - HUMAN FACTORS ENGINEERING

The information contained in this section provides a historical chronology of Control Room human factors design review based on NUREG-0737 requirements. Current requirements are provided in plant procedures.

7.7.3.1 HFE Program

In response to the requirement of NUREG-0737, Clarification item I.D.1 "Control Room Design Review", and Supplement 1 to NUREG-0737, FPL established and maintains a Human Factors Engineering program to review the design of the control room and remote shutdown capabilities in order to identify and correct design deficiencies. The design review was performed following the guidelines of NUREG-0700, "Guidelines for Control Room Design Review" and NUREG-0801, "Evaluation Criteria for Detail Control Room Design Review". The continuing Human Factors Engineering program provides for a review of plant changes associated with the Control Room or the Remote Shutdown Facilities to ensure compliance with the guidance provided in NUREG-0700.

7.7-14 Amendment No. 26 (11/13)

7.7.3.2 Detail Control Room Design Review Implementation

A summary report which outlined the activities performed for the implementation of the Detailed Control Room Design Review was issued on November 1, 1983. This report was prepared following the outline recommended in Section 5.2 of NUREG-0700. This report discusses:

a) The Detailed Control Room Design Review phases.
b) The technical activities.
c) Method of assessment of discrepancies.
d) Method of identification and selection of enhancement and design solutions.
e) Review results of Human Engineering Discrepancies, Human Engineering Discrepancy Assessment, and the selected enhancement and design solutions.
f) Improvements to be made.
g) Schedule of implementation.

An overview of the major activities and methods utilized in the Detail Control Room Design Review (DCRDR) is presented below:

Technical Approach

The technical approach utilized in the DCRDR included those activities listed below. A detailed discussion of the methodologies and a discussion of the findings of each of the surveys is included in Section 2.0 of the DCRDR report.

- Review of operation experience
- Assembly of control room documentation
- Review of system functions and task analysis
- Surveys

        - noise
        - lighting
        - control room environment
        - design conventions
        - controls and displays
        - computers
        - emergency garments
        - labeling
        - annunciators
        - anthropometrics
        - force/torque
        - communications
        - maintainability

7.7-14a Am. 8-7/89

- Verification of task performance capability
- Validation of control room functions
- Assessment of discrepancies.

Each survey report addresses:

- Task Objectives - The type of data to be collected or human performance variables under analysis.
- Review Team - The personnel required to conduct the task.
- Criteria - Generally, the review guidelines appropriate to the evaluation being conducted.
- Task Definition - Steps or procedures followed in the conduct of the task.
- Outputs and Results - Task results. These are Human Engineering Discrepancies which may be drawn upon by subsequent tasks (e.g., Task Analysis).

Assessment

The surveys identified Human Engineering Discrepancies (HEDs). These HEDs were assessed for error inducing potential and the system consequences of the potential error. The means of resolving the HEDs were also reviewed. The basic assessment process was divided into four steps as follows:

- Assess extent of deviation from NUREG-0700 guidelines
- Assess Human Engineering Discrepancy impact on error occurrence
- Assess potential consequences of error occurrence
- Assign Human Engineering Discrepancy scheduling priority.

Based on the assessment of the HEDs' probability of inducing errors, a priority for correction was assigned. The HED priority was utilized in the establishment of a backfit schedule.

Implementation

The backfit schedule program for the correction of the HEDs was established based on the following functions:

- Human engineering discrepancy priority
- Engineering and procurement lead time requirements and constraints
- Overall plant outage schedules.

7.7-14b Am. 8-7/89

The following design solutions and/or enhancements selected for the correction of the HEDs were based on the recommendations of NUREG-0700:

- Analysis of correction by enhancement
- Analysis of correction by design alternatives
- Assess extent of correction.

As part of the correction of HEDs, several backfit activities (plant change modifications) were implemented. The objectives of these activities were to reduce the potential for human errors and correct identified HEDs. Examples of these activities are:

- RTGB Demarcation Update, which has provided enhanced demarcation and labeling for the RTG Boards;
- MSIV Test Panel Upgrade, which split controls from the local test panel and the control panel to prevent erroneous information in the control room during testing;
- modification and upgrade of software for the QSPD System, providing enhanced display and a "user-friendly" environment;
- Nuisance Alarms Program, which eliminated nuisance alarms, provided logic enhancements, corrected setpoints and deleted non-applicable alarms;
- Remote Reactor Vessel Level Indicator Modification, which has added instrumentation in the control room to provide true level indication during reactor refueling;
- replacement of Metrascope to provide high resolution and enhanced software for indication of rod position;
- modifications to the circuitry of motor operated valves to provide enhanced annunciation in the control room during testing.

Operating procedures have been reviewed and changed to a new format that will reduce the potential for human error. In the new format, procedures are required to be written to the entry-level person, and have less print per page, one action per step, and cautions and warnings before, rather than after, the applicable steps. A review also has been made of maintenance procedures, health physics, and chemistry procedures, etc., with the intention of making them "user-friendly."
Other examples of plant change modifications which reduce the potential of human errors include the modifications in Control Room equipment to upgrade the Emergency Response Data Acquisition and Display Systems (ERDADS), which is also known as the Safety Assessment System (SAS) and includes Safety Parameter Display System (SPDS) equipment. These modifications improve the performance and display capabilities of the existing system and include installation of new display keyboards and a trackball.

A Human Factors Engineering evaluation of the ERDADS has been performed on the SPDS and non-SPDS portions. The SPDS portion consisted of a Human Factors Engineering Review and a SPDS verification. The Human Factors Engineering review involved the evaluation of SPDS displays, hardware, design and layout in accordance with the guidelines specified in Section 5 & 6 of NUREG-0800, Section 18.2, Appendix A, NRC Standard Review Plan and applicable guidelines specified in Section 5 and 6 of NUREG-0700, "Guidelines for Control Room Design Review." The SPDS review was performed using survey and table-top evaluation methods to obtain information regarding job compatibility, understandability, usability, and completeness. A table top evaluation was performed in conjunction with the SPDS survey on the SPDS portion of ERDADS. The results of the survey and table-top evaluation were analyzed to identify Human Engineering Discrepancies (HEDs).

7.7-14c Amendment No. 25 (04/12)

The SPDS Parameter Selection Verification consisted of comparing SPDS parameter displays against the design bases requirements and Emergency Operating Procedures (EOPs) for safety status. SPDS displayed alarms were also compared against current EOPs and SPDS design documents, and minimum displayed parameters were reviewed to determine their consistency with operators' needs.

The non-SPDS portion of the ERDADS HFE review consisted of the evaluation of the St. Lucie Unit 1 Critical Safety Function Monitoring (CSFM) displays, hardware evaluation, design, layout, and man-machine interface in accordance with the guidelines specified in NUREG-0700, "Guidelines for Control Room Design Review." The non-SPDS review was performed by a survey evaluation method. The results of the survey were analyzed and all HEDs were resolved.

7.7.3.3 DCRDR Implementation Evaluation

The St. Lucie Detailed Control Room Design Review (DCRDR) Program Plan was submitted to the NRC on June 30, 1983. The program plan utilized Supplement 1 to NUREG-0737, NUREG-0700, and NUREG-0801 as the bases for the program development. The St. Lucie Unit 1 DCRDR Summary Report was then submitted on November 1, 1983. The NRC reviewed these reports and provided FPL with a draft Safety Evaluation and Technical Report of the St. Lucie DCRDR on February 2, 1984. This report indicated that a pre-implementation audit would be necessary to resolve the open or confirmatory items identified in the Safety Evaluation. The NRC then conducted the pre-implementation audit of the DCRDR program on April 2 through 6, 1984. The results of the NRC audit identified the resolved items and those items requiring additional information.
The NRC stated that a meeting would be appropriate to discuss FPL plans, methods, and schedules for submittal of a supplement to the St. Lucie DCRDR Summary Report. FPL reviewed the requirements of NUREG-0737, Supplement 1 and the operating experience review problems identified. Programs were established to review and resolve the open or confirmatory items. The Supplemental Summary Report, issued on April 1, 1986, describes the review process. The ten items contained in the supplementary summary report are listed below:

1. Operating Experience Review Problems.
2. LER Review.
3. Task Analysis.
4. HFE Review of Post Control Room Changes.
5. Additional HED Justification.
6. Reverification of Control Room Changes.
7. Reverification of Control Room Changes to Ensure No New HEDs.
8. Future Control Room Changes.
9. Supplemental Summary Report.
10. Integration Into Other Programs.

7.7-14d Amendment No. 22 (05/07)

The methodology utilized in the review and resolution of the open or confirmatory items is contained in the DCRDR Supplemental Summary Report. All retrofit packages for St. Lucie Unit 1 are being implemented per the FPL quality program for Human Factors Engineering. This program ensures that all aspects of design are in compliance with the guidance provided in NUREG-0700 and that Human Factors engineering principles are followed for plant changes associated with the Control Room or the Remote Shutdown Facilities.

7.7.4 Leading Edge Flow Meter (LEFM)

The PSL Unit 1 Extended Power Uprate (EPU) raised the licensed maximum power level to 3020 MWt. The EPU change to the maximum rated thermal power (RTP) included a 1.7% Measurement Uncertainty Recapture (MUR). Modifications required for the MUR portion of the EPU included installation of the Cameron Leading Edge Flow Meter (LEFM) CheckPlus system. The use of LEFM for determination of feedwater temperature and feedwater mass flow results in an overall calorimetric uncertainty of 0.3%. The MUR uprate of 1.7% results from the difference between the original 2% power determination uncertainty (required by 10 CFR 50 Appendix K) and the LEFM-based calorimetric uncertainty of 0.3%. The MUR portion of the EPU license amendment request was based on the following Cameron Topical Reports:

1) ER-80P, Improving Thermal Power Accuracy and Plant Safety While Increasing Operating Power Level Using the LEFM Check System, dated March 1997 (NRC SER dated March 8, 1999)
2) ER-160P, Supplement to Topical Report ER-80P: Basis for a Power Uprate with the LEFM Check System, dated May 2000 (NRC SER, dated January 19, 2001)
3) ER-157P, Supplement to Topical Report ER-80P: Basis for a Power Uprate with the LEFM Check or CheckPlus System, dated October 2001 (NRC SER, dated December 20, 2001)

The LEFM feedwater flow measurement system is an ultrasonic 8-path transit time flowmeter. The LEFM CheckPlus system consists of one flow element (spool piece) installed in each of the two FW flow headers. Each individual LEFM CheckPlus system flow element (spool piece) has been calibrated in a site-specific model test at Alden Research Laboratories with traceability to National Standards. The LEFM flow elements (meters) are installed at specified locations upstream from the existing FW venturi nozzles. The resulting piping configurations were explicitly modeled as part of the LEFM meter factor and accuracy assessment testing performed at Alden Research Laboratories. Test data and results for the flow elements are documented in Cameron Engineering Report ER-733, Meter Factor Calculation and Accuracy Assessment for St. Lucie Unit 1. The calibration factor (also known as the meter factor) and the uncertainty in the calibration factor for the LEFM CheckPlus system are also based on this Cameron engineering report.

The LEFM CheckPlus system is used for continuous calorimetric power determination by providing FW mass flow and FW temperature input data to the distributed control system (DCS), which is the computer system used for automated performance of the calorimetric power calculations. The LEFM system communicates with the DCS via redundant digital communication links. The LEFM-based mass flow rate and FW temperature data is integrated into appropriate DCS calorimetric display screens to facilitate side-by-side comparison with data based on conventional instruments. Hard-wired alarms from LEFM to main control room annunciator panels provide redundant operator notification of degraded system performance or outright system failure.
The LEFM CheckPlus system incorporates self-verification features to ensure that hydraulic profile and signal processing requirements are met within the site-specific design basis uncertainty analysis contained in Cameron Report ER-740, Bounding Uncertainty Analysis for Thermal Power Determination at St. Lucie Units 1 & 2 using the LEFM CheckPlus system. Critical performance parameters are continually monitored for every individual meter path and alarm setpoints are established to ensure corresponding assumptions in the uncertainty analysis remain bounding.

7.7-14e Amendment No. 26 (11/13)

Operability of the LEFM instrumentation is required to support an overall calorimetric uncertainty of 0.3%. Operability requirements and associated action statements are identified in UFSAR Section 13.8. Various LEFM system failure modes and resulting action statements are considered based on the use of independent LEFM instrumentation for feedwater headers A & B, and also based on redundancy within each LEFM sub-system. Original feedwater flow (Venturis) and temperature (RTD) instrumentation were retained and are used as backup calorimetric instrumentation if needed.

7.7-14f Amendment No. 26 (11/13)

REFERENCES FOR SECTION 7.7

1. R. E. Uhrig (FPL) to H. R. Denton (NRC) Re: St. Lucie Unit 1, Docket 50-335, Safety/Control Interactions, L-79-287, dated 10/8/79.

7.7-15

TABLE 7.7-1
CEA WITHDRAWAL AND MOTION INHIBIT INTERLOCKS

Withdrawal Prohibit Condition - Regulating CEAs EC291158
- Overpower Pretrip
- High Startup Rate Pretrip (between 10^-4% and 15% power)
- Thermal Margin/Low Pressure Pretrip
- Local Power Density Pretrip

CEA Motion Inhibit - Regulating CEAs
- Deviation in any group
- Regulating group or rod out-of-sequence
- Any group or rod overlap
- Regulating group power dependent insertion limit
- Inhibit regulating group EC291158

CEA Motion Inhibit - Shutdown CEAs
- Deviation in any group EC291158
- Inhibit shutdown group

7.7-16 Amendment No. 30 (05/20)

Figure 7.7-1: Reactor Regulating System - Block Diagram. Refer to Drawing 8770-884. Florida Power & Light Co., St. Lucie Plant. Amendment No. 18 (04/01)

Figure 7.7-2: Deleted (EC291158). Florida Power & Light Company, St. Lucie Plant Unit 1. Amendment No. 30 (05/20)

Figure 7.7-3: CEA Position Setpoints (Shutdown CEAs and Regulating CEAs). Florida Power & Light Company, St. Lucie Plant Unit 1. Amendment No. 18 (04/01)

Figure 7.7-4: Pressure Control Program. Florida Power & Light Co., St. Lucie Plant. Amendment No. 26 (11/13)

Setpoints shown on the figure:

- 2500: Safety Valves Open
- 2400: High Pressure Trip; Both Power Operated Relief Valves Open
- 2340: Spray Valves Fully Open (Above 2340 psia); High Pressure Alarm (2340 psia)
- 2300: Spray Valves Fully Closed (Below 2300 psia)
- 2275: Proportional Heaters "OFF" (2275 psia)
- 2250: Control Setpoint (2250 psia)
- 2225: Proportional Heaters "ON" (2225 psia)
- 2200: Backup Heaters "ON" (Below 2200 psia)
- 2100: Low Pressure Alarm
- 1887: Thermal Margin / Low Pressure Trip Minimum Value
- 1600: Low-Low Pressure Alarm and Safety Injection Actuation Signal

[Figure: control diagram; legible labels: Main Steam Header, Steam Generator, DCS, S.G. Level/Turbine Trip, High-High SG Level, Main Feedwater Header, SIAS & MSIS]
}}