RS-13-009, Clinton, Unit 1, Updated Safety Analysis Report, Revision 15, Chapter 7 - Instrumentation and Control Systems

Clinton, Unit 1, Updated Safety Analysis Report, Revision 15, Chapter 7 - Instrumentation and Control Systems
ML13016A336
Site: Clinton
Issue date: 01/10/2013
From: Exelon Generation Co
To: Office of Nuclear Reactor Regulation
References: RS-13-009

CPS/USAR CHAPTER 07 7.2-1 REV. 11, JANUARY 2005

7.2 REACTOR PROTECTION (TRIP) SYSTEM - INSTRUMENTATION AND CONTROLS

7.2.1 Description

7.2.1.1 System Description

7.2.1.1.1 Identification

The reactor protection (trip) system (RPS) includes the power distribution panels, logic, load drivers, power supplies, sensors, trip modules, bypass circuitry, and switches that cause rapid insertion of control rods (scram) to shut down the reactor. It also includes outputs to the performance monitoring system and annunciators, although these latter two systems are not part of the reactor protection system. Trip signals are received from many diverse reactor and plant systems.

7.2.1.1.2 Classification

The RPS is classified as Safety Class 2, Seismic Category I, and Quality Group B (Electric Safety Class 1E).

7.2.1.1.3 Power Sources

The RPS utilizes three types of power: 120 Vac for the scram pilot valve solenoids and neutron monitoring system; 125 Vdc power for MSIV and turbine control and stop valve limit switches and the backup scram valve solenoids; and low voltage dc for the solid state logic.

7.2.1.1.3.1 120 Vac

Four uninterruptible NSPS buses supply Class 1E 120 Vac power to the four logic divisions of the Reactor Protection System. An NSPS bus is normally fed via a DC to AC inverter, the inverter being fed by a 125 Vdc divisional charger with a floating battery. In the unlikely event of an inverter failure/power loss, the NSPS bus automatically transfers, by the use of a solid state transfer switch, to an alternate 120 Vac source derived from a 480 Vac to 120 Vac transformer supply. Also, 120 Vac can be supplied to the Division A and B NSPS buses by manual transfer to an inverter maintenance bypass feed.

"The definition of a divisional inverter failure as used in the USAR is that the inverter detects abnormal conditions and performs a function. This function is to transfer to its alternate power source. The four divisional inverters automatically switch to the alternate power source for internal inverter problems and for handling fault clearing and inrush current demands. The transfer of the divisional inverters to their alternate source will occur if the alternate source is either energized or deenergized."

Two RPS buses (A&B) supply uninterruptible non-Class 1E 120 Vac power to the RPS "A" and "B" scram solenoids and the MSIV "A" and "B" solenoids. Each RPS bus is normally fed via a DC to AC inverter with the inverter fed by a non-Class 1E battery charger with a floating battery. During maintenance or inverter failure or power loss, a manual bypass switch may be used to transfer the RPS bus to an alternate 120 Vac source from a Class 1E 480/120V transformer. See Figures 7.2-9 and 7.2-10 and Drawing E02-1RP99.

7.2.1.1.3.2 125 Vdc

The 125 Vdc is provided by the four divisional batteries. Batteries are sized to supply shutdown loads for a minimum of four hours without the chargers operating.

7.2.1.1.3.3 DC Logic Power

DC logic power consists of eight 24 Vdc supplies (2 per division) and eight 12 Vdc supplies (2 per division). The dc supplies are powered from four 120 Vac NSPS buses. (See Subsection 7.2.1.1.3.)

7.2.1.1.4 Equipment Design

7.2.1.1.4.1 General

The RPS instrumentation is divided into sensor (instrument) channels, trip logic divisions, and actuator output logic divisions. There are four sensor channels for each variable, although more than one sensor per variable may provide inputs to each trip channel. The sensor trip channels are designated as A, B, C and D, or divisions 1, 2, 3, and 4. The sensor trip channels are combined into a two-out-of-four logic using isolation modules to assure that no single failure can prevent the required safety action from the remainder of the system. There are four trip logic divisions, which are designated as divisions 1, 2, 3 and 4. The four actuator logics are also designated as division 1, 2, 3, and 4. Each trip logic division 1 through 4 provides output signals to both scram pilot valve solenoids in rod groups 1, 2, 3, and 4 via the four Actuator Logics. During normal operation, all sensor and logic devices essential to safety are as shown in Figures 7.2-5 and 7.2-6. Figure 7.2-2 summarizes the RPS signals that cause a scram. The functional arrangement of sensors and channels that constitutes a single logic is shown in Figure 7.2-3.

When a trip channel sensor signal exceeds the set point of the analog comparator trip module (ATM), the output changes state. The trip logics are unaware of the signal because the necessary two out of four coincidence is not met. When the signals of two or more trip channels of the same variable exceed the set point, the trip and actuator logics deenergize all scram pilot valve solenoids.

There is one scram pilot valve with two solenoids and two scram valves for each control rod, arranged as shown in Drawing M05-1078, Sheet 3. Each scram pilot valve is solenoid operated, with the solenoids normally energized. The scram pilot valves control the air supply to the scram valves for each control rod. With either scram pilot valve solenoid energized, air pressure holds the scram valves closed. The scram valves control the supply and discharge paths for control rod drive water. As shown in drawing E02-1RP99, scram pilot valves for each group are controlled by actuator logics composed of signals from all four division logics.

When any two-out-of-four actuator logics are tripped, air is vented from the scram valves and allows control rod drive water to act on the control rod drive piston. Thus, all control rods are scrammed. The water displaced by the movement of each rod piston is exhausted into a scram discharge volume.

To restore the RPS to normal operation following any single actuator logic trip or a scram, the actuators must be reset manually. After a 10-second delay, reset is possible only if the conditions that caused the scram have been cleared. The actuator logics are reset by operating switches in the main control room.

There are two dc solenoid operated backup scram valves that provide a second means of controlling the air supply to the scram valves for all control rods. When the solenoid for either backup scram valve is energized, the backup scram valves vent the air supply for the scram valve. This action initiates insertion of any withdrawn control rods regardless of the action of the scram pilot valves. The backup scram valves are energized (initiate scram) when any two-out-of-four Actuator Logics are tripped.

To prevent the potential consequences of a postulated anticipated transient without scram (ATWS) event, a non-safety related alternate rod insertion (ARI) subsystem is provided as part of the ATWS system and is described in Subsection 7.7.1.25.1.

7.2.1.1.4.2 Initiating Circuits

The RPS scram functions, shown in Figure 7.2-2, are discussed in the following paragraphs.

(1) Neutron Monitoring System-NMS (See Figure 7.2-4)

Neutron monitoring system instrumentation is described in Section 7.6. The neutron monitoring system channels are considered to be part of the neutron monitoring system; however, the neutron monitoring system logics provide inputs to the RPS. Each RPS IRM logic receives signals from two IRM channels, and each RPS APRM logic receives signals from one APRM channel. The position of the reactor mode switch determines which input signals will affect the output signal from the logic.

The neutron monitoring system logics are arranged so that failure of any one logic cannot prevent the initiation of a high neutron flux scram. There are four neutron monitoring system logics associated with the RPS. Each RPS logic receives inputs from either one SRM, APRM, or two IRM channels. High-high trip inputs from each SRM are combined to produce a non-coincident reactor trip through the automatic scram logic which is permitted by the removal of four shorting links.

a. IRM System Logic

The IRMs monitor neutron flux from the upper portion of the SRM range to the lower portion of the APRM range. The IRM detectors can be positioned in the core from the control room. The detectors are inserted into the core for a reactor startup and are withdrawn after the reactor reaches a predetermined power level within the power range. The IRM is able to generate a trip signal that can be used to prevent fuel damage resulting from abnormal operational transients that occur while operating in the intermediate power range.

The IRMs are divided into four groups of IRM channels arranged in the core as shown in drawing E02-1NR99. Two IRM channels are associated with each one of the four trip channels of the RPS. Two IRM channels and their trip auxiliaries from each group are installed in each separate NMS cabinet.
The arrangement of IRM channels allows the two IRM channels in each group (or one RPS trip channel) to be bypassed without compromising the intermediate range neutron monitoring function.

Each IRM channel includes four trip circuits as standard equipment. One trip circuit is used as an instrument trouble trip. It operates on three conditions: (1) when the high voltage drops below a preset level, (2) when one of the modules is not plugged in, or (3) when the OPERATE-CALIBRATE switch is not in the OPERATE position. Each of the other trip circuits is specified to trip if preset downscale or upscale levels are reached. The trip functions actuated by the IRM trips are indicated in Table 7.6-4.

The reactor mode switch determines whether IRM trips are effective in initiating a rod block or a reactor scram (drawing E02-1NR99). Subsection 7.7.1.2.3.2.3, "Rod Block Trip System," describes the IRM rod block trips. With the reactor mode switch in REFUEL or STARTUP, an IRM upscale or inoperative trip signal actuates a neutron monitoring system trip of the RPS. Only one of the IRM channels must trip to initiate a NMS trip of the associated trip channel of the RPS. At least two IRM trip channels in the RPS must trip to result in a scram.

b. APRM System Logic

The APRM channels receive input signals from the LPRM channels and provide a continuous indication of average reactor power from 10 percent to greater than rated reactor power. The APRM subsystem has redundant channels which meet industry and regulatory safety criteria. With the maximum permitted number of LPRM channels bypassed, the APRM subsystem is capable of generating a trip scram signal before the average neutron flux increases to the point that fuel damage is probable.

The trip units for the APRMs supply trip signals to the RPS and the Rod Control and Information System. Table 7.6-6 itemizes the APRM trip functions. Any one APRM can initiate a rod block, depending on the position of the reactor mode switch. Subsection 7.7.1.2, "Rod Control and Information System," describes in detail the APRM rod block functions. The APRM upscale rod block and the simulated thermal power scram trip set points vary as a function of reactor recirculation driving loop flow. The APRM signals for upscale rod block and the thermal power scram trip are passed through a 6-second time constant circuit to simulate thermal power. A faster response time (approx. 0.09 seconds) APRM upscale trip has a fixed setpoint, not variable with recirculation flow. Any APRM upscale or inoperative trip initiates a NMS trip in the RPS. Only the trip channel associated with that APRM is affected. At least two APRM trip channels in the RPS must trip to result in a scram. The operator can bypass the trips from one APRM in each trip system of the RPS via the divisional sensor bypass. A simplified circuit arrangement is shown in Figure 7.6-20 (APRM Block Diag.).

In addition to the IRM upscale trip, a fast response APRM neutron flux trip function with a setpoint of 15% power is active in the startup mode.

Neutron monitoring system channel operating bypasses are described in Subsection 7.2.1.1.4.4.1.

Diversity of trip initiation for unusual excursions at reactor power is provided by the Neutron Monitoring System trip signals and reactor vessel high pressure trip signals. An increase in reactor power will initiate protective action from the Neutron Monitoring System as discussed in the above paragraphs. This increase in power will cause reactor pressure to increase due to a higher rate of steam generation with no change in turbine control valve position, resulting in a trip from reactor vessel high pressure.
These variables are independent of one another and provide diverse protective action for this condition.

(2) Reactor Pressure

Reactor pressure is measured at four physically separated locations. An instrument sensing line from each location is routed through the drywell and terminates in the containment. One locally mounted, nonindicating pressure transmitter monitors the pressure in each instrument sensing line. Cables from these transmitters are routed to the control room. Each pressure transmitter provides a signal to a trip module in the same instrument channel. High pressure initiates a trip signal in each channel. Only the channel associated with each transmitter is affected. The physical separation and the signal arrangement assure that no single physical event can prevent a scram caused by reactor vessel high pressure. At least two instrument trip channel trips are required to cause a scram.

The environmental conditions for the RPS are described in Subsection 3.11.2. The piping arrangement of the reactor pressure sensors is shown in Drawing 796E724, "Nuclear Boiler System P&ID." The discussion of diversity for reactor vessel high pressure is provided in Subsection 7.2.1.1.4.5.

(3) Reactor Vessel Water Level

Reactor vessel high and low water level signals are initiated from level (differential pressure) transmitters which sense the difference between the pressure due to a constant reference column of water and the pressure due to the actual water level in the vessel. The transmitters are arranged on four sets of taps in the same way as the reactor vessel high pressure transmitters. The four pairs of instrument sensing lines terminate outside the drywell and inside the containment; they are physically separated from each other and tap the reactor vessel at widely separated points. Other systems sense pressure and level from these same instrument sensing lines. Each transmitter provides a high and low level signal to one trip channel trip module in the RPS.
At least two trip channel trips are required to cause a scram. The physical separation of redundant instruments and signal arrangement assure that no single physical event can prevent a scram due to reactor vessel low water level.

Diversity of trip initiation for breaks in the reactor coolant pressure boundary is provided by reactor vessel low water level trip signals and high drywell pressure trip signals. If a break in the primary system boundary were to occur, a volume of primary coolant would be released to the drywell in the form of steam. This release would cause reactor vessel water level to decrease and drywell pressure to increase, resulting in independent protective action initiation. These variables are independent and provide diverse protective action for this condition.

The environmental conditions for the RPS are described in Subsection 3.11. The piping arrangement of the reactor vessel water level sensors is shown in Drawing 796E724, "Nuclear Boiler System P&ID."

(4) Turbine Stop Valve

Turbine stop valve closure inputs to the reactor protection system come from valve stem position switches mounted on the four turbine stop valves. Each of the single-pole, single-throw switches opens before the valve is more than 10% closed (Analytical Limit) to provide the earliest positive indication of closure. The logic is arranged so that closure of two or more valves initiates a scram, as shown in Figure 7.2-7.

Turbine stop valve closure trip channel operating bypasses are described in Subsection 7.2.1.1.4.4.2.

Diversity of trip initiation for increases in reactor vessel pressure due to termination of steam flow by turbine stop valve or control valve closure is provided by reactor vessel high pressure and power trip signals. A closure of the turbine stop valves or control valves at steady-state conditions would result in an increase in reactor vessel pressure. If a scram was not initiated from these closures, a scram would occur from high reactor vessel pressure or power. Reactor vessel high pressure and high power are independent variables for this condition and provide diverse protective action.

The environmental conditions for the RPS are described in Subsection 3.11.

(5) Turbine Control Valve Fast Closure

Turbine control valve fast closure inputs to the RPS come from oil line pressure switches on each of four fast acting control valve hydraulic mechanisms. These hydraulic mechanisms are part of the turbine control, and they are used to effect fast closure of the turbine control valves. These pressure switches provide signals to the RPS as shown in Figure 7.2-7. If hydraulic oil line pressure is lost, a turbine control valve fast closure scram is initiated.

Turbine control valve fast closure trip channel operating bypasses are described in Subsection 7.2.1.1.4.4.2. The discussion of diversity for turbine control valve fast closure is the same as that for turbine stop valve closure provided in Subsections 7.2.1.1.4.2(4) and 7.2.1.1.4.5.

The environmental conditions for the RPS are described in Subsection 3.11.

(6) Main Steam Line Isolation Valves

Limit switches mounted on the eight main steam line isolation valves signal main steam line isolation valve closure to the reactor protection system. Each of the valve limit switches is arranged to open before the valve is more than 15% closed (Analytical Limit) to provide the earliest positive indication of closure. To facilitate the description of the logic arrangement, the position-sensing channels for each valve are identified and assigned to reactor protection system logics as follows:

Valve Identification                           Position-Sensing Channels Feed Trip Logic
Main steam line A, inboard valve F022A         Division 1
Main steam line A, outboard valve F028A        Division 1
Main steam line B, inboard valve F022B         Division 2
Main steam line B, outboard valve F028B        Division 2
Main steam line C, inboard valve F022C         Division 3
Main steam line C, outboard valve F028C        Division 3
Main steam line D, inboard valve F022D         Division 4
Main steam line D, outboard valve F028D        Division 4

The arrangement of signals within the trip logic requires closing of at least one valve in two or more steam lines to cause a scram. In no case does closure of two valves in one steam line cause a scram due to valve closure. The wiring for position-sensing channels feeding the different trip channels is separated.

Main steam line isolation valve closure trip channel operating bypasses are described in Subsection 7.2.1.1.4.4.3.

Diversity of trip initiation for main steam isolation is provided by reactor vessel high pressure and power trip signals. A closure of the MSIVs at steady state conditions would cause an increase in reactor vessel pressure and power. If a scram was not initiated from MSIV closure, a scram would occur from high reactor vessel pressure or high power. These variables are independent and provide diverse protective action for this condition.
The environmental conditions for the RPS are described in Subsection 3.11.

(7) Scram Discharge Volume

Four non-indicating level switches (one for each channel) provide scram discharge volume (SDV) high water level inputs to the four RPS channels. In addition, a non-indicating level transmitter and a trip unit for each channel provide redundant SDV high water level inputs to the RPS. This arrangement provides diversity, as well as redundancy. Sensors are arranged so that no single event will prevent a reactor scram caused by scram discharge volume high water level. With the predetermined scram setting, a scram is initiated when sufficient capacity still remains in the tank to accommodate a scram. Both the amount of water discharged and the volume of air trapped above the free surface during a scram were considered in selecting the trip setting.

Scram discharge volume water level trip channel operating bypasses are described in Subsection 7.2.1.1.4.4.4.

The scram discharge volume function is to receive water which is discharged from the control rod drives (CRD) during a scram. If at the completion of the scram the level of water in the scram discharge volume is greater than the trip setting, the RPS cannot be reset until the discharge volume has been drained. In addition, as described previously, the trip setting has been selected such that sufficient volume would be available to receive a full discharge of CRD water in the event that the scram discharge volume high level trip does not occur and subsequent scram protection is required.

The environmental conditions for the RPS are described in Subsection 3.11. The piping arrangement of the scram discharge volume level sensors is shown on Drawing M05-1078, "CRD Hydraulic System P&ID."

(8) Drywell Pressure

Drywell pressure is monitored by four nonindicating pressure transmitters mounted on instrument racks outside the drywell in the containment. These racks also house the reactor vessel level and pressure sensors. Instrument sensing lines connect the transmitters with the drywell interior. The transmitters are physically separated and electrically connected to the RPS so that no single event will prevent a scram caused by drywell high pressure. Cables are routed from the transmitters to the divisional cabinets.

Each transmitter provides an input to one trip channel and one logic division. Each transmitter provides a drywell high pressure signal to one trip channel trip module in the RPS. At least two trip channel trips are required to cause a scram. The discussion of diversity for high drywell pressure is provided in Subsection 7.2.1.1.4.5. The environmental conditions of the RPS are described in Subsection 3.11.

(9) Deleted.

(10) Manual Scram

A scram can be initiated manually. There are four scram buttons, one for each division logic (1, 2, 3 and 4). To initiate a manual scram, the arming collars must be set and at least two buttons must be depressed. The manual scram logic is the same as the automatic scram logic at the divisional logic level, i.e., any two-out-of-four divisions. The switches are located close enough to permit one hand motion to initiate a scram.

Manual scram capability can be tested. The reactor operator also can scram the reactor by interrupting power to the scram pilot valve solenoids or by placing the mode switch in its shutdown position.

7.2.1.1.4.3 Logic

The basic logic arrangement of the RPS is illustrated in drawing E02-1RP99. The system is arranged as four separately powered division logics. Each logic receives input signals from at least one channel for each monitored variable. At least four channels for each monitored variable are required, one for each of its four automatic or manual logics.

Channel and trip logic devices are fast-response, and are highly reliable solid-state components. The actuator logic devices for interrupting the scram pilot valve solenoids have high current carrying capabilities and are highly reliable. All RPS logic devices are selected so that the continuous load will not exceed 50% of the continuous duty rating.

The system response time, from the input of a step function to the input of the trip channel trip device, up to and including the change of state of the trip actuator, is less than 30 milliseconds. The time requirements for control rod movement are discussed in Subsection 4.6.1.1.2.5.3. The RPS response time, which is the time interval from when the monitored parameter exceeds its setpoint at the channel sensor until de-energization of the scram pilot valve solenoids, is provided in the Operational Requirements Manual (ORM).

In each division, the trip channel inputs are combined into a two-out-of-four system trip logic or a non-coincident combination logic in each of the four divisional trip systems. Each trip system logic provides one input into each of the actuator logics. To produce a scram, any two-out-of-four Actuator logics must be tripped. Diversity of variables is provided for RPS but not in the trip and actuator logics.

The RPS reset switches (one per division) are used to momentarily bypass the seal-in circuit of the trip logic of the reactor shutdown system. If a single trip logic is tripped, or if a reactor scram condition is present, manual reset is prohibited for a 10-second period to assure completion of required safety actions and to permit the control rods to achieve their fully inserted position.

The manual trip can be immediately reset. Scram reset redundancy is provided by use of four reset switches. Actuation of all four switches is required to reset, following a scram and 10-second time delay, provided that the scram initiation signal has cleared. The use of four reset switches ensures that each division of the RPS logic is reset and that the trip condition has cleared.

7.2.1.1.4.4 Scram Operating Process

Divisional channel bypasses exist for all essential variables, except the non-coincident NMS channels which can be bypassed by individual selector switches, via the NS 4/RPS division of sensor bypass. Only one division may be bypassed at a time, which converts the RPS system logic from a two-out-of-four to a two-out-of-three logic trip system. Interlocks are provided to prevent bypassing more than one logic division at a time. All manual bypass switches are in the main control room, under the direct control of the main control room operator. The bypass status of trip system components is continuously indicated in the control room. There are four keylocked bypass switches, one for each logic division, located in the main control room. Bypassing any single system logic division will not inhibit protective action when required.

7.2.1.1.4.4.1 Neutron Monitoring System

Bypasses for the neutron monitoring system channels are described below. Divisional channel bypasses exist for both the APRM and IRM system channels via the NS 4/RPS division of sensor bypass. Only one division may be bypassed at a time, which then converts the RPS system logic from a two-out-of-four to a two-out-of-three logic trip system. Interlocks are provided to prevent bypassing more than one logic division at a time. There are four keylocking bypass switches of the maintained contact type, one for each logic division, located in the main control room. Bypassing either an APRM or an IRM channel will not inhibit the neutron monitoring system from providing protection action when required.

Divisional bypasses do not exist for the SRM RPS logic. However, individual SRM channels may be bypassed by a selector switch located in the main control room. For the SRM division logic to function, either a non-tripped or bypass condition for the APRM and IRM division logic must exist. During fuel loading, neutron flux is monitored by the source range neutron monitoring channels. When the four shorting links are removed, the SRMs provide a scram signal when the preset level of any channel has been reached. The SRM trip logic is bypassed by installation of the four shorting links.

7.2.1.1.4.4.2 Turbine Stop Valve and Turbine Control Valve Test/Fast Closure

The turbine control valve fast closure scram and turbine stop valve closure scram are automatically bypassed if reactor power is at a value less than 33.3% of its rated value as indicated by turbine first stage pressure. Closure of these valves below this low initial power level will not cause fuel thermal power limits (MCPR) to be violated, thus the protective scram trip is bypassed at these low power levels.

Turbine control valve fast closure and turbine stop valve closure trip bypass is effected by four pressure transmitters connected to the turbine first stage. One annunciator for channels 1 and 4 and one for channels 2 and 3 indicate the bypass condition. The transmitters are arranged so that no single failure can prevent a turbine stop valve closure scram or turbine control valve fast closure scram. In addition, this bypass is operationally removed when the turbine first stage pressure exceeds the setpoint corresponding to greater than 33.3% of rated power. Turbine first stage pressure is sensed from 2 physically separate and redundant pressure taps. Each pressure tap is piped to two pressure transmitters which sense first stage pressure.

Redundancy has been achieved by connecting one pressure transmitter output to each of the four divisional trip logics such that at least two divisions must be bypassed, by action of the turbine first stage pressure scram bypass trip modules, to prevent a scram from turbine stop valve closure or turbine control valve fast closure.

7.2.1.1.4.4.3 Main Steam Line Isolation Valves

At plant shutdown and during initial plant startup, bypass is required for the main steam line isolation valve closure scram trip in order to properly reset the Reactor Protection System. This bypass is in effect when the mode switch is in the shutdown, refuel or startup position. The bypass allows plant operation when the main steam line isolation valves are closed during low power operation. The operating bypass is removed when the mode switch is placed in RUN. The discussion of diversity for main steam line isolation valve closure is provided in Subsections 7.2.1.1.4.2(6) and 7.2.1.1.4.5.

CPS/USAR CHAPTER 07 7.2-11 REV. 12, JANUARY 2007

7.2.1.1.4.4.4 Scram Discharge Volume Level

The scram discharge high water level trip bypass is controlled by the manual operation of keylocked divisional bypass switches, and is interlocked with the mode switch. The mode switch must be in the SHUTDOWN or REFUEL position. Four bypass channels emanate from the four banks of the RPS mode switch and are connected into the RPS logic. This bypass allows the operator to reset the reactor trip system trip actuators so that the system is restored to operation, allowing the operator to drain the scram discharge volume. Resetting the trip actuators opens the scram discharge volume vent and drain valves. One annunciator in the main control room for each channel indicates the bypass condition. The discussion of diversity of the scram discharge volume level trip is provided in Subsection 7.2.1.1.4.2(7).

7.2.1.1.4.4.5 Mode Switch in Shutdown

The scram initiated by placing the mode switch in SHUTDOWN is automatically bypassed after a short time delay. The bypass allows the control rod drive hydraulic system valve lineup to be restored to normal. One annunciator in the main control room for channels 1 and 4 and one for channels 2 and 3 indicate the bypassed condition.

Redundancy of the operating bypass with the mode switch in shutdown is provided by four separate time delay devices connected in a manner which provides redundancy of the bypass operation, but will not inhibit the scram initiation. Diversity of variables is not provided for this function because placing of the mode switch in shutdown is the normal method for shutting down the reactor and requires only operator action for initiation. The mode switch in shutdown is not a safety function and does not require diversity.

7.2.1.1.4.4.6 Maintenance, Calibration or Test Bypasses

Each reactor scram sensor can be removed for maintenance, test or calibration. When a trip channel is removed from service, annunciation of the administrative tripping of one of the four trip channels or alarming of the channel bypass is provided in the control room.

A single division of system inputs to the 2/4 logics may be bypassed by the manual actuation of one keylocked selector switch located in the main control room. The bypass switch permits disabling the inputs of one division at a time, changing the overall two out of four logics to two out of three (still meeting the single failure criterion requirement of IEEE-279). There are four sensor bypass switches designated for NS 4/RPS. Each switch is electrically interlocked to prevent bypassing more than one division's inputs (to that system) at a time. Each bypass is indicated at the input cabinet, and is annunciated in the main control room. The bypass switch in one logic cabinet is electrically interlocked with the switches on the other divisions. Only the first bypass switch operated will effect a bypass. If a second switch is operated or fails so that it attempts to bypass, the bypass signal is ignored.

APRM and IRM channel trip functions are administratively bypassed by the use of the respective division sensor bypass switch as required for maintenance, test, or calibration.
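The two-out-of-four vote, the MSIV valve-to-division assignment from item (6), and the first-operated sensor bypass interlock described above can be checked against the single-failure argument with a small model. This is an added example, not taken from the USAR or from any plant software; all function and class names are hypothetical, and treating a bypassed division as simply removed from the vote is a modelling assumption.

```python
"""Toy model of RPS two-out-of-four voting with a division-of-sensors bypass."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional

DIVISIONS = (1, 2, 3, 4)

# Valve-to-division assignment copied from the table in item (6).
MSIV_DIVISION = {
    "F022A": 1, "F028A": 1,
    "F022B": 2, "F028B": 2,
    "F022C": 3, "F028C": 3,
    "F022D": 4, "F028D": 4,
}


def coincidence_trip(channel_trips: Dict[int, bool],
                     bypassed: Iterable[int] = (), needed: int = 2) -> bool:
    """Vote on one variable: trip when `needed` non-bypassed channels are tripped.

    Assumption: a bypassed division's input is removed from the vote,
    which turns two-out-of-four into two-out-of-three.
    """
    skip = set(bypassed)
    votes = sum(1 for div, tripped in channel_trips.items()
                if tripped and div not in skip)
    return votes >= needed


def msiv_channel_trips(closed_valves: Iterable[str]) -> Dict[int, bool]:
    """Map closed MSIVs to the trip channel each valve's position switch feeds."""
    hit = {MSIV_DIVISION[v] for v in closed_valves}
    return {div: div in hit for div in DIVISIONS}


@dataclass
class SensorBypassInterlock:
    """Four keylocked switches; only the first one operated takes effect."""
    active: Optional[int] = None

    def operate(self, division: int) -> bool:
        """Return True if this switch's bypass is the one in effect."""
        if division not in DIVISIONS:
            raise ValueError(f"unknown division {division}")
        if self.active is None:
            self.active = division
        return self.active == division  # a second switch is ignored

    def bypassed(self) -> FrozenSet[int]:
        """Divisions whose sensor inputs are currently bypassed (zero or one)."""
        return frozenset() if self.active is None else frozenset({self.active})


def tolerates_single_failure(bypassed: Iterable[int] = ()) -> bool:
    """Check both halves of the single-failure argument for a bypass state.

    For every division in turn: with that one channel failing to trip, a real
    demand must still scram; with only that one channel tripped, no scram.
    """
    bypassed = frozenset(bypassed)
    for failed in DIVISIONS:
        demand = {d: d != failed for d in DIVISIONS}    # one channel fails to trip
        spurious = {d: d == failed for d in DIVISIONS}  # one channel trips falsely
        if not coincidence_trip(demand, bypassed):
            return False
        if coincidence_trip(spurious, bypassed):
            return False
    return True


if __name__ == "__main__":
    # Both valves in steam line A feed Division 1 only: one vote, no scram.
    print(coincidence_trip(msiv_channel_trips(["F022A", "F028A"])))
    # One valve in each of lines A and C: two divisions vote, scram.
    print(coincidence_trip(msiv_channel_trips(["F022A", "F028C"])))

    interlock = SensorBypassInterlock()
    interlock.operate(2)
    interlock.operate(3)  # ignored by the interlock
    print(sorted(interlock.bypassed()), tolerates_single_failure(interlock.bypassed()))

    # Hypothetical state the interlock exists to prevent: two divisions bypassed.
    print(tolerates_single_failure({1, 2}))
```

The last call shows why the interlock matters: with two divisions' inputs removed, one further channel failure leaves a single vote and the coincidence can no longer be met.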

Administrative controls during maintenance, test, and calibration are specified in the individual maintenance, test, and calibration procedures and in the plant Technical Specifications. A discussion of the bypass indication is provided in Subsection 7.2.2.1.2.

7.2.1.1.4.4.7 Interlocks

The scram discharge volume high water level trip bypass signal interlocks with the rod control and information system to initiate a rod block. Reactor vessel low water level, reactor vessel pressure and drywell high pressure signals are shared with the containment and reactor vessel isolation control system (CRVICS). The sensors provide signals to trip channels in the RPS, and the containment and reactor vessel isolation control system (CRVICS). The turbine stop valve closure and turbine control valve fast closure channels also provide signals to trip the reactor recirculation pumps. In addition, the turbine stop valve channels are interlocked with the CRVICS low condenser vacuum bypass. A discussion of the Neutron Monitoring System interlocks to rod block functions is provided in Subsection 7.6.1.5. The reactor mode switch has interlocks to other than the RPS. These interlocks are discussed in Subsections 7.6.1 and 7.3.1.

7.2.1.1.4.5 Redundancy and Diversity

Instrument sensing lines from the reactor vessel are routed through the drywell and terminate inside the containment. Instruments mounted on instrument racks in the containment sense reactor vessel pressure and water level from these instrument sensing lines. Valve position switches are mounted on valves from which position information is required. The sensors for RPS signals from equipment in the turbine building are mounted locally. The four battery powered inverters and divisional 120 Vac power supplies for the RPS are located in an area where they can be serviced during reactor operation.

Cables from sensors and power cables are routed to four RPS logic cabinets in the main control room. One logic cabinet is used for each division. The redundant portions of the RPS have physically separated sensor taps, sensing lines, sensors, sensor rack locations, cable routing and termination in four separate panels in the control room. By the use of four or more separate redundant sensors for each RPS variable with separate redundant logic and wiring, the RPS system has been protected from a credible single failure. For additional information on redundancy of RPS subsystems, refer to Subsection 7.2.1.1.4.2. Redundancy of NSPS power supply to RPS logic is provided. There are four battery powered inverter power supplies which supply NSPS electrical power, one to each logic division of the RPS. A loss of one power supply will neither inhibit protective action nor cause a scram.

Diversity is provided by monitoring diverse sets of independent reactor vessel variables. Pressure, water level, and neutron flux are all independent and are separate inputs to the system. Main steam line isolation valve closure, turbine stop valve closure, and turbine control valve fast closure are anticipatory of a reactor vessel high pressure and power scram trip. Therefore, reactor high pressure and power are diverse scram inputs to main steam line closure. Drywell high pressure and reactor low water level are diverse scram variables for a steam line break inside the containment. Diversity of variables for main steam line breaks outside the drywell, which initiate main steam line isolation and in turn reactor trip initiation, is covered in Subsection 7.3.1.1.2.4.1.3.5. Diversity of variables for residual heat removal (RHR) system line breaks, which only initiate RHR isolation, is covered in Subsection 7.3.1.1.2.4.1.11.5. Diversity of variables for reactor water cleanup system (RWCU) line breaks, which only initiate RWCU isolation, is covered in Subsection 7.3.1.1.2.4.1.10.5. Diversity of variables for reactor core isolation cooling (RCIC) system steam line breaks, which only initiate RCIC isolation, is provided by ambient temperature, steam line pressure, and flow measurements. Other leaks outside drywell are detected by sump levels and the leak detection signals have no reactor trip function. Additional discussions of diversity of RPS variables are provided in Subsection 7.2.1.1.4.2.

7.2.1.1.4.6 Actuated Devices

The actuator logic prevents output current flow when a trip signal is received and deenergizes the scram valve pilot solenoids. There are two pilot solenoids per control rod. Both solenoids must deenergize to bleed the instrument air from and open the inlet and outlet scram valves to allow drive water to scram a control rod. Each solenoid receives its signal from actuator logic in divisions 1 through 4.

The instrument air system provides support to the RPS by maintaining the air operated scram valve closed until a scram is required. The individual control rods, the scram valves and pilot solenoids and their controls are not part of the RPS. For further information on the scram valves and control rods see Subsection 4.2.3. The "A" and "B" scram pilot valve solenoids are supplied from RPS busses A and B. Each RPS bus provides uninterruptible non-Class 1E 120 Vac power. See Subsection 7.2.1.1.3.1. In addition to the two scram valves for each control rod drive, there are two backup scram valves which are used to vent the scram pilot valve air header for all control rods. Energizing either backup scram valve initiates venting, and the two backup scram valves are individually supplied with 125-Vdc power from the essential plant batteries. Any use of plant instrument air system for auxiliary use is so designed that a failure of the air system will cause a safe direction actuation of the safety device.

7.2.1.1.4.7 Separation

Four independent sensor channels monitor the various process variables listed in Subsection 7.2.1.1.4.2. The redundant sensor devices are separated such that no single failure can prevent a scram. All protection system wiring outside the logic cabinets is run in divisional raceways. Physically separated cabinets or cabinet bays are provided for the four scram trip logics. The arrangement of RPS channels and logic is shown in Figure 7.2-3. The criteria for separation of sensing lines and sensors are discussed in Subsection 7.1.2.2. The mode switch, scram discharge volume high water level trip bypass switches, scram reset switches, and manual scram switches are all mounted on the principal plant console. Each device is mounted in a metal enclosure and has a sufficient number of barrier devices to maintain adequate separation between redundant portions of the RPS. Conduit is provided from the metal enclosures to the point where adequate physical separation can be maintained without barriers. The outputs from the logic cabinets to the scram pilot valve solenoids are run in rigid conduit or armored cable with no other wiring. There are conduit groups which match the four scram groups. The groups are selected so that the failure of one group to scram will not prevent a reactor shutdown. Signals which must run between redundant RPS divisions are electrically/physically isolated by isolators to provide separation. RPS inputs to annunciators, recorders, and the computer systems are arranged so that no malfunction of the annunciating, recording or computing equipment can functionally disable the RPS. Direct signals from RPS sensors are not used as inputs to annunciating or data logging equipment. Electrical isolation is provided between the primary signal and the information output by means of optical isolators.

7.2.1.1.4.8 Testability

The RPS can be tested during reactor operation by six separate tests. The first five tests are manual tests and, although each individually is a partial test, combined with the sixth test they constitute a complete system test. The sixth test is the self-test of the Nuclear Systems Protection System which includes the logic for the RPS and several other safety systems. The self-test automatically tests the complete system excluding sensors and actuators.

The first of these is the manual scram test. The manual scram test verifies the ability to de-energize the scram pilot valve solenoids without scram by using the manual scram pushbutton switches. By depressing the manual scram button for one trip logic, one of the two pilot valve solenoids in each scram group is de-energized. After the first trip logic is reset, the second trip logic is tripped manually and so forth for the four manual scram buttons. In addition to control room and computer printout indications, scram group indicator lights indicate that the actuator trip logics have de-energized the scram pilot valve solenoids.

The second test includes calibration of the Neutron Monitoring System by means of simulated inputs from calibration signal units. Calibration and test controls for the Neutron Monitoring System are located where the LPRM cards are located in the Main Control Room. They are under the administrative control of the control room operator. Subsection 7.6.1.5, "Neutron Monitoring System," describes the calibration procedure.

The third test is the single rod scram test which verifies the capability of each rod to scram. It is accomplished by operating two toggle switches on the hydraulic control unit for the particular control rod drive. Timing traces can be made for each rod scrammed. Prior to the test, a physics review is conducted to assure that the rod pattern during scram testing will not create a rod of unacceptable reactivity worth.

The fourth test involves applying a test signal to each RPS analog trip channel in turn and observing that the channel trip device changes state. One method utilizes electrical signals generated by the calibrator and fed to the ATM while bypassing the transmitter (see Subsection 7.1.2.10). If desired, the transmitter may be used directly in the test. In this method, the manually initiated test signals simulate the actual process signal. The test signal can be manually varied and, in conjunction with the Analog Trip Module (ATM) output indicator light and the appropriate instruments, both the transmitter and ATM outputs can be verified. This test also verifies the channel independence of the input variables. Pressure transmitters and level transmitters are located on their respective local panels. The transmitters can be individually valved out of service and subjected to test pressure to verify operability of the transmitters as well as verification of calibration range. To gain access to the field controls on each transmitter, a cover plate or sealing device must be removed. The access to the field controls is administratively controlled. Only qualified personnel are granted access for the purpose of testing or calibration adjustments.

The fifth test is the sensor check.
Digital inputs are tested by varying the monitored variable (e.g., stop valve closure, control valve fast closure, main steam line isolation valve closure) or by disconnecting the sensor from the process variable and inputting and varying a test source (e.g., CRD scram discharge high water level). In those cases where the sensor is disconnected from the process variable, an out-of-service alarm will be indicated in the main control room. Analog input is checked by cross comparison of the instrument channels measuring the same variable. The sixth test is an Automatic Pulse Test (APT) performed by the Self-Test Subsystem (STS) to the Nuclear Systems Protection System (NSPS).

The Self-Test Subsystem is an overlay testing and surveillance subsystem which provides the capability to continuously and automatically perform end-to-end testing of all active circuitry, within the NSPS panels, essential to the safe shutdown of the reactor. The primary purpose of the STS is to improve the availability of the NSPS by optimizing the time to detect and determine the location of a failure in the functional system. It is not intended that the STS eliminate the need for the other five manual tests. Rather, by continuously providing an on-line periodic test, most faults are detected more quickly than by manual testing only. The STS is classified as Safety Associated, and its equipment is designed to meet the IEEE standards and Regulatory Guides which apply to this classification. In particular, the STS is designed to meet the separation requirements of Reg Guide 1.75 by use of the same isolation devices and enclosures as the NSPS equipment with which it is associated. Wherever it interfaces with safety equipment, STS equipment is qualified to 1E standards. In addition, the interfaces are by means of high impedance isolation devices which insure that failures in the STS will not propagate to the safety equipment.

The overall STS has the following general features:

(1) Each of the four NSPS divisional panels has a resident Self-Test Controller (STC) which contains a microprocessor executing a firmware program designed to perform the required testing within that panel and to perform the monitoring function between the panels. In conjunction with the STC's in the other three divisions, the interdivisional communication paths including the divisional isolators are tested.

(2) A portable Diagnostic Terminal (DT) is used by maintenance for fault isolation. It is capable of detecting faults down to the replaceable PC card level. By providing information display and control interface to the STS, the Diagnostic Terminal minimizes the need for physical access to the essential hardware panels during maintenance thus serving to maximize NSPS availability. By using the keyboard of the DT, manual operation mode allows the selection of any test and repetition of tests.

(3) The Process Computer (Performance Monitoring System) is used primarily as a communication link between the Diagnostic Terminal and the four Self-Test Controllers.

(4) The STS provides the means to continuously monitor the logic circuit integrity and the circuit continuity of the following seven essential nuclear systems protection systems (NSPS) resident in the four divisional panels:

A. Reactor Protection System
B. Nuclear Steam Supply Shutoff System
C. High Pressure Core Spray System
D. Residual Heat Removal System
E. Automatic Depressurization System
F. Reactor Core Isolation Cooling System
G. Low Pressure Core Spray System

The STS utilizes the stimulus-response method of testing. A series of short duration pulses (origin of the name Automatic Pulse Test) are injected through a high impedance path into the "front ends" of the various modules (printed circuit boards). The pulse is of sufficient duration to temporarily change the state of the module. The test pulse is propagated through the logic to the point of measurement where it is compared by the STC with the expected result stored in the non-volatile data base of the STC.

To minimize test time, each system is subdivided into circuits which are tested separately. Interface circuits are retested by overlap-testing of the involved circuits. The maximum propagation delay (response time) through any logic channel in the NSPS will always be less than 1 millisecond for each overlapping test or the STS will report a logic fault.

Test pulses are purposely of short duration and limited repetition rate so that they do not latch and cause mechanical movement downstream. This difference in responsiveness between functional system and tester is easy to achieve since the former involves electro-mechanical devices, slower response, and the latter is just an electronic pulse, fast response. To provide protection against inadvertent operation caused by an abnormally long pulse, the device which couples the test pulse to the input has discrete elements combined in a manner to attenuate a pulse of excessively long duration.

Only one STC at a time is allowed to perform its test sequence and this STC is known as the Master Unit with the other three STCs being the slave units. Upon test completion, test control is passed on to the next STC which then becomes the new Master Unit. The testing continuously sequences from one STC to the next with the selection sequence being under software control. The slave units monitor the master unit and have the capability of taking over the annunciating when one detects a master unit fault.

Each test sequence within a Division consists of four major test functions:

(1) Test Microprocessor, Firmware, and Memory (self-check)
(2) Test Self-Test Subsystem
(3) Test NSPS System
(4) Test Interdivisional Communication Links

The above tests are organized and controlled to establish NSPS circuit integrity by testing the tester first and then expanding the monitoring functions to include the interface circuitry and finally the NSPS circuits and interdivisional lines. Any STS failure will not degrade the NSPS function since STS is isolated from NSPS, hence eliminating failure propagation. Furthermore, any STS failure is automatically detected by the self-check and self-test of STS and cross-check of STC's. All interdivisional links are optically isolated. Upon fault detection (either absence of a signal or presence of a faulty signal), a retest sequence is performed before the information is recorded in the error log of the respective STC.
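The test flow described above (inject a pulse, compare the response with the stored expected result, retest before writing the error log, then hand the master role to the next controller) is sketched below as an added example. It is not STS firmware or anything taken from the USAR; the test vectors, the simulated logic, the fault labels and the single retry are constructed assumptions.

```python
"""Added illustrative model of stimulus-response self-testing with a retest
before logging. All names and test vectors are constructed."""
from dataclasses import dataclass
from typing import Optional, Tuple

MAX_PROPAGATION_S = 1e-3  # from the text: a response of 1 ms or more is a logic fault


@dataclass(frozen=True)
class PulseVector:
    circuit: str                 # circuit under test (constructed name)
    stimulus: Tuple[int, ...]    # pulses injected at the module front ends
    expected: int                # expected result held in the STC data base


@dataclass(frozen=True)
class Measurement:
    output: Optional[int]        # None means no signal reached the measuring point
    delay_s: float               # measured propagation delay in seconds


def classify(vec, m):
    """Return a fault description, or None if the response is acceptable."""
    if m.output is None:
        return "no signal"
    if m.output != vec.expected:
        return "faulty signal"
    if m.delay_s >= MAX_PROPAGATION_S:
        return "propagation delay"
    return None


class SelfTestController:
    def __init__(self, division, vectors, probe):
        self.division = division
        self.vectors = vectors
        self.probe = probe       # injects a vector and returns a Measurement
        self.error_log = []

    def run_sequence(self):
        """One pass as master: test every circuit, retest before logging."""
        for vec in self.vectors:
            if classify(vec, self.probe(vec)) is None:
                continue
            fault = classify(vec, self.probe(vec))  # retest (one retry assumed)
            if fault is not None:
                self.error_log.append((vec.circuit, fault))
        return self.error_log


def run_round(controllers):
    """Pass the master role to each STC in turn; return the single
    'STS Failure' annunciator state and the per-division error logs."""
    logs = {stc.division: list(stc.run_sequence()) for stc in controllers}
    return any(logs.values()), logs


def make_probe(stuck_at=None, lost_call=None, delay_s=2e-4):
    """Constructed stand-in for the logic under test: a 2-out-of-4 gate."""
    calls = 0

    def probe(vec):
        nonlocal calls
        calls += 1
        if calls == lost_call:
            return Measurement(None, delay_s)  # pulse lost once (transient)
        out = stuck_at if stuck_at is not None else int(sum(vec.stimulus) >= 2)
        return Measurement(out, delay_s)

    return probe


VECTORS = [
    PulseVector("trip logic, two inputs pulsed", (1, 1, 0, 0), 1),
    PulseVector("trip logic, one input pulsed", (1, 0, 0, 0), 0),
]


def demo():
    controllers = [
        SelfTestController(1, VECTORS, make_probe()),              # healthy
        SelfTestController(2, VECTORS, make_probe(lost_call=1)),   # transient
        SelfTestController(3, VECTORS, make_probe(stuck_at=0)),    # hard fault
        SelfTestController(4, VECTORS, make_probe(delay_s=2e-3)),  # too slow
    ]
    return run_round(controllers)


if __name__ == "__main__":
    annunciator, logs = demo()
    print("STS Failure annunciator:", annunciator)
    for division, log in logs.items():
        print(f"division {division}: {log}")
```

The transient in division 2 clears on the retest and never reaches the error log, while the stuck output and the slow channel are recorded and raise the common annunciator.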

A single "STS Failure" annunciator output is provided to annunciate any failure detected by the STS. This indicates that a failure has been identified by the STS, either in the STS itself or in a functional system and that maintenance attention is required, commencing at the diagnostic terminal. This annunciator is designed to minimize the potential for a failure in one division to inhibit an annunciator from another division. The Diagnostic Terminal (DT) is then used to obtain the specific STC error log. The DT then functions as an interactive terminal allowing maintenance to isolate the fault to a replaceable PC card level. Backup information to identify the source of functional system out-of-service annunciation is provided by the system elementary diagrams which include indicators for the seven essential NSPS systems.

Other tests which are performed on a less frequent basis are the ATM set point and response test, plant startup and shutdown sensor verification, sensor response time test, and special component manual tests. They are discussed in the following paragraphs.

A manual ATM set point and response test is provided (see Technical Specification). Each ATM has provisions for the application of a current ramp and a stable current level. The current ramp is applied to check the trip setpoint and response time. The stable current level is applied to the set point (calibration). Bypasses may be utilized while performing individual ATM set point/response tests. Indication of a bypass at the annunciator panel in the control room will be initiated at the time the ATM is selected and placed in test/calibrate mode. The design is such that a gross failure alarm is initiated any time the manual test/calibrate is applied.

The alarm typewriter provided with the Performance Monitoring System (process computer) verifies the correct operation of any sensors during plant startup and shutdown. Main steam line isolation valve position switches and turbine stop valve position switches can be checked in this manner. The verification provided by the alarm typewriter is not considered in the selection of test and calibration frequencies and is not required for plant safety.

Required sensor response times are determined for each RPS function and are identified in the design specification. The sensor manufacturer provides sensors which meet the required response times and certifies their ability to obtain these values. During preoperational testing, the sensors are tested using an accepted industry method, and the actual response time data are compared to the design requirement for acceptance. In addition, the overall RPS response time is verified during preoperational testing from sensor trip to load drive trip device to the change of state of the actuator logic output, and can be verified thereafter by similar test.

For NSPS components identified as having particular failure modes which could prevent the NSPS from performing its safety functions and which are not automatically tested by the self test system or monitored during standard periodic surveillance tests, special manual tests are performed at specified intervals to ensure their functionality.

7.2.1.1.4.9 Noise and Interference

The basic elements of the decision-making logic of the NSPS are standard MIL grade CMOS logic elements, in dual in-line ceramic packages, mounted on multilayer printed circuit cards. CMOS logic was chosen for the NSPS application because of its high noise immunity compared to other types of solid state devices. With the CMOS devices powered by 12 Vdc, it takes an input greater than approximately 4 V to switch the output on a low-to-high transition, and less than approximately 8 V to switch on a high-to-low transition. Thus, noise spikes of considerable magnitude can be tolerated on the input lines without causing erroneous logic states. As a comparison, TTL logic that must be operated at +5 V has a low-to-high minimum threshold of approximately 0.7 V.

Numerous design techniques have been utilized to reduce the possibility of any significant electrical noise being coupled into the logic circuitry. All inputs and outputs that leave the NSPS cabinets are buffered and isolated, and internal wiring is routed to prevent "crosstalk" or radiated electro-magnetic interference. Specifically, prevention of electromagnetic conducted interference is accomplished in the following ways.

Power lines: Conduction of EMI via power lines to the logic elements is prevented by the use of switching power supplies that are specified by the manufacturer to have a maximum noise spike of 62 mV. In addition, each logic card has single pole filters on the power input to remove any remaining high-frequency noise.

Input signal lines: Inputs from other separation divisions and from nondivisional sources are processed through optical isolators which are also filtered on the input side. Inputs from same-division sources such as the control room panels or field sources are processed through digital signal conditioners (DSC's) that are filtered and optically coupled. Inputs to trip units are current loops and therefore much less vulnerable to EMI.

Output signal lines: Outputs to actuated devices pass through load drivers that have pulse transformer coupling between input and output stages. Outputs to other logic elements in other divisions pass through optical isolators.

Internal wiring: Interconnections between logic cards is on a backplane of wire-wrapped terminals. The connections are made point to point so that groups of wires do not run in parallel for long distances. Power wiring is routed as far from signal wiring as possible. The high current wiring of the drives to the pilot valve solenoids is run in conduit, as is the wiring for utility services (lighting).

Card layout: All signal inputs at the card level are buffered by a 100 K ohm resistor. The use of ground planes over large areas of the boards also insures electrically quiet circuitry. All standards of good practice were applied during the design and construction of the solid state safety system to prevent any problem with EMI. (Q&R 421.18)

7.2.1.1.5 Environmental Considerations

Electrical devices for the RPS instrumentation are located in the containment, turbine building and main control room. The environmental conditions for these areas are shown in Table 3.11-5.

7.2.1.1.6 Operational Considerations

7.2.1.1.6.1 Reactor Operator Information

7.2.1.1.6.1.1 Indicators

Scram group indicators extinguish when an actuator logic prevents output current flow from the 120 Vac power source to the scram pilot valve solenoid associated with the actuator logic. Recorders (which are not part of the RPS) in the main control room also provide information regarding reactor vessel water level, reactor vessel pressures, and reactor power level.

7.2.1.1.6.1.2 Annunciators

Each RPS trip channel input is provided to the annunciator system through isolation devices. Trip logic trips, manual trips, and certain bypasses also signal the annunciator system (Subsection 7.7.1). When an RPS sensor trips, it lights an annunciator window, one common to division 1 and 4 sensors and one common to division 2 and 3 sensors for that variable, or the principal plant console in the main control room to indicate the out-of-limit variable. Each trip logic, one common to logic division 1 and 4 and one common to logic division 2 and 3, lights a red annunciator window to indicate that a trip has occurred. As an annunciator system input, an RPS channel trip also sounds an audible indication, which can be silenced by the operator. The annunciator window lights flash until acknowledged, whereupon the window lights latch on. Resetting the annunciator system so as to extinguish the window lights is not possible until the condition causing the trip has been cleared.

7.2.1.1.6.1.3 Computer Alarms

A computer printout identifies each tripped channel; however, status indication at the RPS trip channel device may also be used to identify the individual sensor that tripped in a group of sensors monitoring the same variable. Additional discussion of the non-safety computer systems is contained in Section 7.7.1. Upon detection of a status change of any of the preselected sequential events contacts, the Sequence-of-Events Log shall be initiated and shall signal the beginning of an "Event." The log shall be automatically printed. This log will include both NSS and BOP inputs. Changes of state received 15 milliseconds or more apart are sequentially differentiated on the printed log, together with time of occurrence, which shall be printed in an hours, minutes, seconds, milliseconds format. Use of the alarm printer and computer is not required for plant safety.
7.2.1.1.6.2 Reactor Operation Controls 7.2.1.1.6.2.1 Mode Switch A conveniently located, multiposition, keylock mode switch is provided to select the necessary scram functions for various plant conditions. The mode switch selects the appropriate sensors for scram functions and provides appropriate bypasses. The switch also interlocks such functions as control rod blocks and refueling equipment restrictions, which are not considered here as part of the RPS. The switch is designed to provide separation between the four trip logic divisions. The mode switch positions and their related scram functions are as follows: (1) SHUTDOWN Initiates a reactor scram; bypasses main steam line isolation scram and the reactor vessel high water level scram and provides a discharge volume high water level trip bypass permissive.

(2) REFUEL Selects neutron monitoring system scram for low neutron flux level operation (but does not disable the APRM scram); bypasses main steam line isolation scram CPS/USAR CHAPTER 07 7.2-21 REV. 11, JANUARY 2005 and the reactor vessel high water level scram and provides a discharge volume high water level trip bypass permissive. (3) STARTUP Selects neutron monitoring system scram for low neutron flux level operation; bypasses main steam line isolation scram and the reactor vessel high water level scram. (4) RUN Selects neutron monitoring system scrams for power range operation. 7.2.1.1.6.3 Set Points Instrument ranges are chosen to cover the range of expected conditions for the variable being monitored. Additionally, the range is chosen to pr ovide the necessary accuracy for any required set points and to meet the overall accuracy requirements of the channel. See the Operational Requirements Manual (ORM) for setpoints. (1) Neutron Monitoring System Trip To protect the fuel against high heat generation rates, neutron flux is monitored and used to initiate a reactor scram. The neutron monitoring system set point bases are discussed in Subsection 7.

6.1.5, "Neutron Monitoring System Instrumentation and Controls." (2) Reactor Vessel System High Pressure Excessively high pressure within the Reactor Vessel threatens to rupture the reactor coolant pressure boundary. A reactor vessel pressure increase during reactor operation compresses the steam voids and results in a positive reactivity insertion; this causes increased core heat generation that could lead to fuel failure and system overpressurization. A scram counteracts a pressure increase by quickly reducing core fission heat generation. The reactor vessel high pressure scram setting is chosen slightly above the reactor vessel maximum normal operation pressure to permit normal operation without spurious scram, yet provide a wide margin to the maximum allowable reactor vessel pressure. The location of the pressure measurement, as compared to the location of highest nuclear system pressure during transients, was also considered in the selection of the high pressure scram setting. The reactor vessel high pressure scram works in conjunction with the pressure relief system to prevent reactor vessel pressure from exceeding the maximum allowable pressure. The reactor vessel high pressure scram setting also protects the core from exceeding thermal hydraulic limits that result from pressure increases during events that occur when the reactor is operating below rated power and flow. (3) Reactor Vessel Low Water Level Low water level in the reactor vessel indicates that the reactor is in danger of being inadequately cooled. Decreasing water level while the reactor is operating CPS/USAR CHAPTER 07 7.2-22 REV. 11, JANUARY 2005 at power decreases the reactor coolant inlet subcooling. The effect is the same as raising feedwater temperature. Should water level decrease too far, fuel damage could result as steam forms around fuel rods. A reactor scram protects the fuel by reducing the fission heat generation within the core. 
The reactor vessel low water level scram setting was selected to prevent fuel damage following abnormal operational transients caused by single equipment malfunctions or single operator errors that result in a decreasing reactor vessel water level. The scram setting is far enough below normal operational levels to avoid spurious scrams. The setting is high enough above the top of the active fuel to assure that enough water is available to account for evaporation loss and displacement of coolant following the most severe abnormal operational transient involving a level decrease. (4) Reactor Vessel High Water Level Indicates any increase in feed water flow and impending power increase. The high water level trip causes scram prior to significant power increase, limiting neutron flux and thermal transient so that the fuel design basis is satisfied. The scram setting is selected such that spurious scrams will be avoided and that abnormal operational transients causing an increase in feedwater flow will not result in unacceptable results. (5) Turbine Stop Valve Closure Closure of the turbine stop valve with the reactor at power can result in a significant addition of positive reactivity to the core as the reactor vessel pressure rise causes steam voids to collapse. The turbine stop valve closure scram initiates a scram earlier than either the neutron monitoring system or reactor vessel high pressure. It is required to provide a satisfactory margin below core thermal-hydraulic limits for this category of abnormal operational transients. The scram counteracts the addition of positive reactivity caused by increasing pressure by inserting negative reactivity with control rods. Although the reactor vessel high pressure scram, in conjunction with the pressure relief system, is adequate to preclude overpressurizing the nuclear system, the turbine stop valve closure scram provides additional margin to the reactor vessel pressure limit.

The turbine stop valve closure scram setting provides the earliest positive indication of valve closure.

(6) Turbine Control Valve Fast Closure

With the reactor and turbine generator at power, fast closure of the turbine control valves can result in a significant addition of positive reactivity to the core as nuclear system pressure rises. The turbine control valve fast closure scram initiates a scram earlier than either the neutron monitoring system or nuclear system high pressure. It is required to provide a satisfactory margin to core thermal-hydraulic limits for this category of abnormal operational transients. The scram counteracts the addition of positive reactivity resulting from increasing pressure by inserting negative reactivity with control rods. Although the nuclear system high pressure scram, in conjunction with the pressure relief system, is adequate to preclude overpressurizing the nuclear system, the turbine control valve fast closure scram provides additional margin to the nuclear system pressure limit. The turbine control valve fast closure scram setting is selected to provide timely indication of control valve fast closure.

(7) Main Steam Line Isolation

The main steam line isolation valve closure can result in a significant addition of positive reactivity to the core as reactor system pressure rises. The main steam line isolation scram setting is selected to give the earliest positive indication of isolation valve closure. The logic allows functional testing of main steam line isolation trip channels by partially closing a main steam line isolation valve.

(8) Scram Discharge Volume High Water Level

Water displaced by the control rod drive pistons during a scram goes to the scram discharge volume. If the scram discharge volume fills with water so that insufficient capacity remains for the water displaced during a scram, fast control rod movement would be hindered during a scram.
To prevent this situation, the reactor is scrammed when the water level in the discharge volume is high enough to verify that the volume is filling up, yet low enough to ensure that the remaining capacity in the volume can accommodate a scram.

(9) Drywell High Pressure

High pressure inside the drywell may indicate a break in the reactor coolant pressure boundary or pressure increase as a result of high drywell temperature.

It is prudent to scram the reactor in such situations to minimize the possibility of fuel damage and to reduce energy transfer from the core to the coolant. The drywell high pressure scram setting is selected to be as low as possible without inducing spurious scrams.

(10) Manual Scram

Push buttons are located in the control room to enable the operator to shut down the reactor by initiating a scram.

(11) Mode Switch in SHUTDOWN

When the mode switch is in SHUTDOWN, the reactor is to be shut down with all control rods inserted. This scram is not considered a protective function, because it is not required to protect the fuel or reactor vessel process barrier and it bears no relationship to minimizing the release of radioactive material from any barrier. The scram signal is removed after a short delay, permitting a scram logic reset that restores the normal valve lineup in the control rod drive hydraulic system.

7.2.1.1.7 Containment Electrical Penetration Assignment

Electrical containment penetrations are assigned to the protection systems on a 4-division basis as described in Subsections 7.2.1.1.4.1 and 7.2.1.1.4.7. Each penetration is provided with an enclosure box on each end providing continuation of the metal wireways described in Subsection 7.2.1.1.4.7.

7.2.1.1.8 Cable Spreading Area Description

A general description of the separation criteria used in cable spreading areas is described in GE Topical Report NEDO-10466-A "Power Generation Control Complex" and is further described in Subsection 8.3.1.4.

7.2.1.1.9 Main Control Room Area

The main control room area is on one floor. Divisions 2 and 3, Nuclear System Protection System (NSPS) cabinets, and Divisions 1 and 4, NSPS Cabinets are located on opposite sides of the main control room.
Detailed design basis, description, and safety evaluation aspects for a PGCC System are comprehensively documented and presented in GE Topical Report NEDO-10466-A "Power Generation Control Complex" and its amendments.

7.2.1.1.10 Main Control Room Cabinets and Their Contents

Each RPS logic cabinet for Divisions 1, 2, 3, and 4 contains the trip channel analog trip modules, optical isolators, trip channel logic, self test system, bypass switch, terminal boards, the trip and actuator logics, and the scram actuator load drivers for a single division. The console for reactor control contains the reactor mode switch, bypass switches, scram solenoid valve status indicating lights, and manual scram switches.

7.2.1.1.11 Test Methods that Ensure RPS Reliability

Surveillance testing is performed periodically on the RPS during operation. This testing includes sensor calibration and trip channel actuation with simulated inputs to individual trip modules and sensors. The sensors, which are transmitters, can be checked by comparison of the associated control room meter readings on other channels of the same variable.

7.2.1.1.12 Interlock Circuits to Inhibit Rod Motion as well as Vary the Protective Function

There are no interlock circuits which inhibit rod motion as well as vary the protective functions.

7.2.1.1.13 Support Cooling Systems, HVAC Systems Descriptions

The cooling (ventilating) systems important for proper operation of RPS equipment are described in Section 9.4.

7.2.1.2 Design Bases

Design bases information requested by IEEE 279 is discussed in the following paragraphs. These IEEE 279 design bases aspects are considered separately from those more broad and detailed design bases for this system cited in Section 7.1.2.1.1.

7.2.1.2.1 Conditions

The generating station conditions which require RPS protective action are identified in the CPS Technical Specifications and the Operational Requirements Manual.

7.2.1.2.2 Variables

The generating station variables which require monitoring to provide protective actions are neutron flux, reactor water level, reactor steam dome pressure, reactor recirculation flow, main steam isolation valve position, turbine stop valve position, turbine first stage pressure, turbine control valve fast closure (sensed as EHC hydraulic oil pressure), drywell pressure and scram discharge volume water level.

7.2.1.2.3 Sensors for Variables Having Spatial Dependence

A minimum number of 16 LPRMs per APRM, with at least 2 LPRMs at each of the 4 core axial levels, are required to provide adequate protective action.

7.2.1.2.4 Operational Limits

Prudent operational limits for each safety-related variable trip setting are selected with sufficient margin so that a spurious scram is avoided. It is then verified by analysis that the release of radioactive material, following postulated gross failures of the fuel or the reactor coolant pressure boundary, is kept within acceptable bounds. Design basis operational limits are based on operating experience and constrained by the safety design basis and the safety analyses.

7.2.1.2.5 Margin Between Operational Limits

The margin between operational limits and the limiting conditions of operation (scram) for the RPS are in CPS Technical Specifications and Operational Requirements Manual (ORM). The margin includes the maximum allowable accuracy error, sensor response times and sensor set point drift.
Annunciators are provided, at the setpoints listed in the Operational Requirements Manual (ORM), to alert the reactor operator of the onset of unsafe conditions.

7.2.1.2.6 Levels Requiring Protective Action

Levels requiring protective action are shown in CPS Technical Specifications and the Operational Requirements Manual. These levels are the limiting safety system settings.

7.2.1.2.7 Ranges of Energy Supply and Environmental Conditions

RPS uninterruptible 120 Vac logic power is provided by four Class 1E NSPS busses. Each bus is powered by a 125 Vdc/120 Vac inverter fed by a battery charger with floating battery. Each battery has sufficient stored energy to maintain a stable power supply and thus prevent scrams caused by switch yard switching transients. Power loss due to inverter failure is sensed by a solid state transfer switch which then automatically transfers the NSPS bus to an alternate Class 1E power source provided by a Class 1E 480/120 V transformer. Also, 120V AC can be supplied to the Division A and B NSPS buses by manual transfer to an inverter maintenance bypass feed.

RPS 120 Vac scram solenoid and MSIV solenoid power is provided by two uninterruptible Class 1E RPS busses. Each bus is powered by a DC to AC inverter fed by a battery charger with floating battery. During maintenance or inverter failure/power loss, each RPS bus may be transferred manually to an alternate power source provided by a Class 1E 480/120 V transformer. (See Figures 7.2-9 and 7.2-10 and Drawing E02-1RP99.) Environmental conditions for proper operation of the RPS components during normal operations are covered in Table 3.11-5.

7.2.1.2.8 Unusual Events

Unusual events are defined as malfunctions or accidents, and others which could cause damage to safety systems.
Chapter 15 and Appendix 15A, "Accident Analysis," describe the following credible accidents and events: floods, storms, tornadoes, earthquakes, fires, LOCA, pipe break outside containment, and feedwater line break. Each of these events is discussed below for the subsystems of the RPS.

(1) Floods

The buildings containing RPS components have been designed to meet the PMF (Probable Maximum Flood) at the site location. This ensures that the buildings will remain water tight under PMF. Therefore, none of the RPS functions are affected by flooding. See also Section 3.4.1.

(2) Storms and Tornadoes

The buildings containing RPS components have been designed to withstand all credible meteorological events and tornadoes as described in Subsection 3.3.2.

Superficial damage may occur to miscellaneous station property during a postulated tornado, but this will not impair the RPS capabilities. See also Section 3.3.

(3) Earthquakes

The structures containing RPS components except the turbine building have been seismically qualified as described in Sections 3.7 and 3.8, and will remain functional during and following a safe shutdown earthquake (SSE). Reactor high pressure and power trips are diverse to turbine scram variables.

(4) Fires

To protect the RPS in the event of a postulated fire, the RPS trip logics have been divided into four separate independent RPS panels. The sections are separated by fire barriers. If a fire were to occur within one of the sections or in the area of one of the panels, the RPS functions would not be prevented by the fire. The use of separation and fire barriers ensures that, even though some portion of the system may be affected, the RPS will continue to provide the required protective action.

Refer to Section 9.5.1.

(5) LOCA

The following RPS subsystem components are located inside the drywell and would be subjected to the effects of a design basis loss-of-coolant accident (LOCA):

a. Neutron Monitoring System (NMS) cabling from the detectors to the main control room.
b. MSIV Inboard position switches.
c. Reactor vessel pressure and reactor vessel water level instrument taps and sensing lines, which terminate outside the drywell.
d. Drywell pressure taps.

These items have been environmentally qualified to remain functional during and following a LOCA as discussed in Section 3.11 and indicated in Table 3.11-5.

(6) Pipe Break Outside Containment

This condition will not affect the reliability of the RPS.

(7) Feedwater Line Break

This condition will not affect the RPS.

(8) Missiles

Missile protection is described in Section 3.5.

7.2.1.2.9 Performance Requirements

The Operational Requirements Manual specifies instrument response time requirements and RPS setpoints which incorporate the effects of instrument performance such as accuracy, range magnitude and rates of change of sensed variables. Further descriptions of instrument performance requirements are included in Design Specifications and Calculations.

7.2.1.3 Final System Drawings

The electrical elementary diagrams which were provided under separate cover are discussed in Section 1.7.1.


7.2.2 Analysis

7.2.2.1 Reactor Protection (Trip) System-Instrumentation and Controls

7.2.2.1.1 General Functional Requirements Conformance

This subsection presents an analysis of how the various functional requirements and the specific regulatory requirements of the RPS design bases (Subsection 7.1.2.1.1) are satisfied.

7.2.2.1.1.1 Conformance to Design Basis Requirements

7.2.2.1.1.1.1 Design Bases 7.1.2.1.1.1.1(1)

The RPS is designed to provide timely protection against the onset and consequences of conditions that threaten the integrity of the fuel barrier. Chapter 15, Accident Analysis, identifies and evaluates events that jeopardize the fuel barrier and reactor coolant pressure boundary. The methods of assessing barrier damage and radioactive material releases along with the methods by which abnormal events are sought and identified are presented in that chapter.

Design bases from Subsection 7.1.2.1.1 require that the precision and reliability of the initiation of reactor scrams be sufficient to prevent or limit fuel damage. RPS allowable values and trip setpoints are established conservatively from analytic limits by accounting for instrument performance characteristics, calibration error and drift. The analytic limits are derived from limiting values of process parameters, which are obtained from the safety analysis. Technical Specifications provides allowable values, and the Operational Requirements Manual provides setpoints.

The analysis on the use of the RPS inputs from devices mounted on non-seismically qualified equipment and/or located in non-seismically qualified enclosures has been accepted per three Safety Evaluation Reports, References 2, 3, and 4, and include data for 238 and generic 251 BWR/6 designs. This analysis takes into consideration turbine trip, generator load rejection trip, and recirculation pump trip (RPT).

The selection of scram trip settings has been developed through analytical modeling, experience, historical use of initial setpoints and adoption of new variables and setpoints as experience was gained. The initial setpoint selection method provided for settings which were sufficiently above the normal operating levels (to preclude the possibilities of spurious scrams or difficulties in operation) but low enough to protect the fuel.
As additional information became available or systems were changed, additional scram variables were provided using the above method for initial setpoint selection. The selected scram settings are analyzed to verify that they are conservative and that the fuel and fuel barriers are adequately protected. In all cases, the specific scram trip point selected is a conservative value that prevents damage to the fuel, taking into consideration previous operating experience and the analytical models.

7.2.2.1.1.1.2 Design Basis 7.1.2.1.1.1.1(2)

The scram initiated by reactor high pressure, in conjunction with the pressure relief system, is sufficient to prevent damage to the reactor coolant pressure boundary as a result of internal pressure. The main steamline isolation valve closure scram provides a greater margin to the reactor coolant pressure boundary pressure safety limit than does the high pressure scram. For turbine generator trips, the stop valve closure scram and turbine control valve fast closure scram provide a greater margin to the nuclear system pressure safety limit than does the high pressure scram. Chapter 15, Accident Analysis, identifies and evaluates accidents and abnormal operational events that result in nuclear system pressure increases. In no case does pressure exceed the reactor coolant pressure boundary safety limit.

7.2.2.1.1.1.3 Design Basis 7.1.2.1.1.1.1(3)

The scram initiated by reactor vessel low water level limits the radiological consequences of gross failure of the fuel or reactor coolant pressure boundary. Chapter 15 evaluates gross failures of the fuel and reactor coolant pressure boundary. In no case does the release of radioactive material to the environs result in exposures which exceed the guide values of applicable published regulations.

7.2.2.1.1.1.4 Design Basis 7.1.2.1.1.1.1(4)

Scrams are initiated by variables which are designed to indirectly monitor fuel temperature and protect the reactor coolant pressure boundary. The Neutron Monitoring System monitors fuel temperature indirectly using incore detectors. The incore detectors monitor the reactor power level by detecting the neutron level in the core. Reactor power level is directly proportional to neutron level and the heat generated in the fuel. Although the neutron monitoring system does not monitor fuel temperature directly, by establishing a correlation between fuel temperature and reactor power level, scram setpoints can be determined for protective action, which will prevent fuel damage.

The reactor coolant pressure boundary is protected by monitoring parameters which indicate reactor pressure directly or anticipated reactor pressure increases. Reactor pressure is monitored directly by pressure sensors, which are connected directly to the reactor pressure vessel through sensing lines and pressure taps. In addition, reactor pressure transients are anticipated by monitoring the closure of valves which shut off the flow of steam from the reactor pressure vessel and cause rapid pressure increases. The variables monitored to anticipate pressure transients are main steamline isolation valve position, turbine stop valve closure, and turbine control valve fast closure. If any of these valves were to close, pressure would rise very rapidly; therefore, this condition is anticipated and a trip is initiated to minimize the pressure transient occurring.

Chapter 15 identifies and evaluates those conditions which threaten fuel and reactor coolant pressure boundary integrity. In no case does the core exceed a safety limit.

7.2.2.1.1.1.5 Design Basis 7.1.2.1.1.1.1(5)

The scrams initiated by the Neutron Monitoring System, drywell pressure, reactor vessel pressure, reactor vessel water level, turbine stop valve closure, main steam isolation valve closure, and turbine control valve fast closure will prevent fuel damage. The scram setpoints and response time requirements for these variables are identified in the Operational Requirements Manual (ORM) and have been designed to cover the expected range of magnitude and rates of change during abnormal operational transients without fuel damage.

Chapter 15 identifies and evaluates those conditions which threaten fuel integrity. With the selected variables and scram setpoints, adequate core margins are maintained relative to thermal hydraulic safety limits.

7.2.2.1.1.1.6 Design Basis 7.1.2.1.1.1.1(6)

Neutron flux is the only essential variable of significant spatial dependence that provides inputs to the RPS. The basis for the number and locations follows. The other requirements are fulfilled through the combination of logic arrangement, channel redundancy, wiring scheme, physical isolation, power supply redundancy, and component environmental capabilities.

Two transient analyses are used to determine the minimum number and physical location of required LPRMs for each APRM.

(1) The first analysis is performed with operating conditions of 100% reactor power and 100% recirculation flow using a continuous rod withdrawal of the maximum worth control rod. In the analysis, LPRM detectors are mathematically removed from the APRM channels. This process is continued until the minimum numbers and locations of detectors needed to provide protective action are determined for this condition.

(2) The second analysis is performed with operating conditions of 100% reactor power and 100% recirculation flow using a reduction of recirculation flow at a fixed design rate. LPRM detectors are mathematically removed from the APRM channels. This process is continued until the minimum numbers and locations of detectors needed to provide protective action are determined for this condition.

The results of the two analyses are analyzed and compared to establish the actual minimum number and location of LPRMs needed for each APRM channel.

7.2.2.1.1.1.7 Design Basis 7.1.2.1.1.1.1(7a through 7h)

Sensors, channels, and logics of the RPS are not used directly for automatic control of process systems. An isolated Neutron Monitoring System signal is used with the recirculation flow control system as described in Subsection 7.7.1.3. Therefore, failure in the controls and instrumentation of process systems cannot induce failure of any portion of the protection system.

Failure of any one divisional RPS power supply would result in de-energizing one of the two scram valve pilot solenoids on each scram valve. Alternate power is available to the RPS buses. A complete sustained loss of electrical power to two or more power supplies would result in a scram.

The RPS is designed so that it is only necessary for trip variables to exceed their trip setpoints for a sufficient length of time to trip the analog comparator units and seal in the associated trip logic. Once this is accomplished, the scram will go to completion regardless of the state of the variable which initiated the protective action. When the initiating condition has cleared and a sufficient (10 seconds) time delay has occurred, the scram may be reset only by actuation of the scram reset switches in the main control room by the operator.

Reactor protection cabling for scram solenoids is routed in separate conduits for each scram group.
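
The seal-in and operator-reset behavior described above can be exercised with a small model. This is an added Python example, not plant logic or anything taken from the USAR; it assumes a high-going trip, a constructed setpoint of 100.0 in arbitrary units, a constructed comparator pickup time, and that the 10-second delay is counted from the moment the trip seals in.

```python
"""Illustrative model of scram seal-in and operator reset (added example)."""

RESET_DELAY_S = 10.0         # from the text: "a sufficient (10 seconds) time delay"
COMPARATOR_PICKUP_S = 0.05   # ASSUMED: time above setpoint needed to trip the comparator


class ScramSealIn:
    """Seal-in latch for one high-going trip variable (hypothetical class)."""

    def __init__(self, setpoint):
        self.setpoint = setpoint
        self.sealed_in = False
        self.sealed_at = None            # time the trip logic sealed in
        self._above_since = None         # start of the current excursion
        self._condition_present = False  # is the initiating condition still there?

    def sample(self, t, value):
        """Feed one (time, value) reading; returns True while a scram is demanded."""
        self._condition_present = value > self.setpoint
        if not self._condition_present:
            self._above_since = None
        else:
            if self._above_since is None:
                self._above_since = t
            # The variable only has to stay above the setpoint long enough to
            # trip the comparator; after that the latch holds the scram demand.
            if not self.sealed_in and t - self._above_since >= COMPARATOR_PICKUP_S:
                self.sealed_in = True
                self.sealed_at = t
        return self.sealed_in

    def operator_reset(self, t):
        """Reset switch actuation; returns 'accepted' or the reason for refusal."""
        if not self.sealed_in:
            return "refused: no scram sealed in"
        if self._condition_present:
            return "refused: initiating condition present"
        if t - self.sealed_at < RESET_DELAY_S:   # ASSUMED: delay counted from seal-in
            return "refused: 10 s delay not elapsed"
        self.sealed_in = False
        self.sealed_at = None
        return "accepted"


def replay(latch, samples, reset_presses):
    """Run readings and reset presses in time order; return (t, event) tuples."""
    timeline = [(t, "sample", v) for t, v in samples]
    timeline += [(t, "reset", None) for t in reset_presses]
    events = []
    # At equal timestamps the reading is processed before the reset press.
    for t, kind, v in sorted(timeline, key=lambda e: (e[0], e[1] == "reset")):
        if kind == "sample":
            was_sealed = latch.sealed_in
            latch.sample(t, v)
            if latch.sealed_in and not was_sealed:
                events.append((t, "scram sealed in"))
        else:
            events.append((t, "reset " + latch.operator_reset(t)))
    return events


# Constructed trace (arbitrary units, not plant data): a glitch too short to
# trip the comparator, a real excursion, a clear, and a second excursion.
CONSTRUCTED_SAMPLES = [
    (0.0, 95.0), (1.0, 101.0), (1.02, 99.0),   # 20 ms glitch: no trip
    (2.0, 102.0), (2.1, 103.0),                # sustained: seals in at t=2.1
    (2.5, 96.0),                               # variable clears, scram stays
    (8.0, 104.0),                              # condition returns
    (13.0, 94.0),                              # condition clears again
]
CONSTRUCTED_RESETS = [3.0, 12.5, 14.0]

if __name__ == "__main__":
    for t, event in replay(ScramSealIn(100.0), CONSTRUCTED_SAMPLES, CONSTRUCTED_RESETS):
        print(f"t={t:5.2f} s  {event}")
```
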

Physical separation and electrical isolation between redundant portions of the RPS is provided by separated process instrumentation, separated racks, and either separated or protected panels and cabling. Separate panels are provided for each division except for the principal plant console which has internal metal barriers. Where equipment from more than one division is in a panel, divisional separation is provided by fire barriers and/or physical distance of 6 inches or more where practicable. Where wiring must be run between redundant divisions, divisional separation is provided by electronic optical isolators.

The ability of the RPS to withstand a safe shutdown earthquake is discussed in Section 7.2.1.2.

The ability of the RPS to function properly with a single failure is discussed in Section 7.2.2.1.2.3.1.2.

The ability of the RPS to function properly while any one sensor or channel is bypassed or undergoing test or maintenance is discussed in Section 7.2.1.1.4.4.6.

The RPS logic circuit is designed so that an automatic scram will be initiated when the required number of sensors for any monitored variables exceeds the scram setpoint.

Separate racks are provided for the RPS instrumentation for each division and are installed in different locations.

7.2.2.1.1.1.8 Design Basis 7.1.2.1.1.1.1(8)

Access to trip settings, component calibration controls, test points, and other terminal points is under the control of plant operations supervisory personnel. Manual bypass of instrumentation and control equipment components is under the control of the operator in the main control room. If the ability to trip some essential part of the system is bypassed, this fact is continuously annunciated in the main control room.

For the subsystem operational bypasses discussed in Subsection 7.2.1, bypassing of these subsystem components provides a continuous annunciation in the main control room. If other components are bypassed, such as taking a sensor out-of-service for calibration or testing, this condition will also be annunciated continuously in the main control room through the controlled manual actuation of the RPS system out-of-service annunciator associated with that sensor.

7.2.2.1.1.1.9 Other Design Basis Requirements

The instruments and equipment of the reactor protection system must operate in environmental conditions corresponding to the zones defined in Section 3.11. The RPS components located inside the control room envelope will be exposed to a mild environment due to operation of the control room HVAC system as described in Section 9.4.1. The associated components that must function in the environment resulting from a reactor coolant pressure boundary break inside the drywell are the condensing chambers, the inboard main steam line isolation valve position switches, neutron monitoring system cabling, reactor vessel pressure taps, reactor vessel water level instrument taps, instrument sensing lines and drywell pressure taps (see Chapter 15). Special precautions are taken to ensure their operability after the accident.
The condensing chambers and all essential components of the control and electrical equipment are either similar to those that have successfully undergone qualification testing in connection with other projects, or additional qualification testing under simulated environmental conditions has been conducted. Equipment qualification information can be obtained from the respective qualification document packages referenced by component in Nuclear Station Engineering Department Maintenance Standard MS-02.00 (Reference 5).

To ensure that the RPS remains functional, the number of operable channels for the essential monitored variables is maintained in accordance with Technical Specifications.

In case of a loss-of-coolant accident, reactor shutdown occurs immediately following the accident as process variables exceed their specified set point. Operator verification that shutdown has occurred may be made by observing one or more of the following indications: (1) control rod status lamps indicating each rod fully inserted, (2) control rod scram pilot valve status lamps indicating open valves, (3) neutron monitoring channels and recorders indicating decreasing neutron flux.

Following generator load rejection, a number of events occur in the following chronological order:

(1) The pressure in the hydraulic oil lines to the control valves drops, and pressure sensors signal the RPS to scram. At the same time the turbine logic pressure controller initiates fast opening of the turbine bypass valves to minimize the pressure transient. Turbine stop valve closure and turbine control valve fast closure initiate the Recirculation Pump Trip (RPT) logic, which trips the recirculation pumps.

(2) The reactor will scram unless the unit load is less than 33.3%, below which the control valve fast closure pressure transient does not threaten the fuel thermal limit.

(3) The trip setting of the APRM channels will be automatically reduced as recirculation flow decreases (flow-referenced scram). Power level will have been reduced by a reactor scram and RPT initiation.

The trip settings discussed in Subsection 7.2.1 are not changed to accommodate abnormal operating conditions. Transients requiring activation of the RPS are discussed in Chapter 15.

The discussions there designate which systems and instrumentation are required to mitigate the consequences of these transients.

7.2.2.1.1.1.9.1 Other Considerations

Operability of the anticipatory signals from the turbine control valve fast closure or turbine stop valve closure following a safe shutdown earthquake is not a system design basis. As discussed in Subsection 5.2.2.2.2.2, closure of all the main steamline isolation valves without MSIV position switch trip produces similar effects which are slightly more severe. The design basis analysis is conducted for the MSIV closure.

7.2.2.1.2 Conformance to Specific Regulatory Requirements

7.2.2.1.2.1 Conformance to NRC Regulatory Guides

7.2.2.1.2.1.1 Regulatory Guide 1.11

Conformance to Regulatory Guide 1.11 is discussed in Subsection 6.2.4.3.2.4.

7.2.2.1.2.1.2 Regulatory Guide 1.22

The system is designed so that it may be tested during plant operation from sensor device to final actuator device. The test must be performed in overlapping portions so that an actual reactor scram will not occur as a result of the testing.

7.2.2.1.2.1.3 Regulatory Guide 1.29

The electrical and mechanical devices, the circuitry between process instrumentation and protective actuators, and the monitoring devices of the RPS are classified as Seismic Category I, as discussed in Section 3.2.

7.2.2.1.2.1.4 Regulatory Guide 1.30

Conformance to Regulatory Guide 1.30 is discussed in Section 1.8.

7.2.2.1.2.1.5 Regulatory Guide 1.47

Regulatory Positions C.1, C.2 and C.3

Automatic indication is provided in the main control room to inform the operator that a system is out-of-service. Indicator lights indicate which part of a system is not operable. For example, the RPS system out-of-service annunciators energize whenever more than one RPS channel has an input variable out of service. By placing a trip module in calibration, indicator lights provide information as to which division is in calibration.

Regulatory Position C.4

All the annunciators can be tested by depressing the annunciator test switches on the main control room benchboards.

The following discussion expands the explanation of conformance to Regulatory Guide 1.47 to reflect the importance of providing accurate information for the operator and reducing the possibility for the indicating equipment to adversely affect its monitored safety system.

(1) Individual indicator lights are arranged together on the main control room benchboards and principal plant console to indicate what function of the system is out of service, bypassed or otherwise inoperable. All bypass and inoperability indicators both at a system level and component level are grouped only with items that will prevent a system from operating if needed.

(2) These indication provisions serve to supplement administrative controls and aid the operator in assessing the availability of component and system level protective actions. This indication does not perform a safety function.

(3) All system out of service annunciator circuits are electrically independent of the plant safety systems to prevent the possibility of adverse effects.

(4) Each indicator is provided with dual lamps. Testing will be included on a periodic basis when equipment associated with the indication is tested.

7.2.2.1.2.1.6 Regulatory Guide 1.53

Compliance with NRC Regulatory Guide 1.53 is attained by specifying, designing, and constructing the RPS to meet the single failure criterion, Section 4.2, of IEEE 279 "Criteria for Protection Systems for Nuclear Power Generating Stations," and IEEE 379 "IEEE Trial-Use Guide for the Application of the Single-Failure Criterion to Nuclear Power Generating Station Protection Systems." Redundant sensors are used and the logic is arranged to ensure that a failure in a sensing element or the decision logic or an actuator will not prevent protective action. Separated channels are employed, so that a fault affecting one channel will not prevent the other channels from operating properly.

7.2.2.1.2.1.7 Regulatory Guide 1.62

Means are provided for manual initiation of reactor manual scram through the use of four armed pushbutton switches. These switches are located on the principal plant console. The amount of equipment common to initiation of both manual scram and automatic scram is kept to a minimum through implementation of manual scram as close as practicable to the final devices (Load Drivers) of the protection system. No single failure in the manual, automatic, or common portions of the protection system will prevent initiation of reactor scram by manual or automatic means. Manual initiation of reactor scram, once initiated, goes to completion as required by IEEE 279, Section 4.16.

7.2.2.1.2.1.8 Regulatory Guide 1.63

Conformance with this Regulatory Guide is discussed in Chapter 8, Section 8.1.6.1.12.

7.2.2.1.2.1.9 Regulatory Guide 1.68

Conformance with this Regulatory Guide is discussed in Chapter 14, Section 14.2.7 and Table 14.2-1.

7.2.2.1.2.1.10 Regulatory Guide 1.75

The RPS complies with the criteria set forth in IEEE 279, Paragraph 4.6 and Regulatory Guide 1.75. Class 1E circuits and Class 1E-associated circuits are identified and separated from redundant and non-Class 1E circuits. Isolation devices are provided in the design where an interface exists between redundant Class 1E divisions and between non-Class 1E and Class 1E or Class 1E-associated circuits. Independence and separation of safety-related systems is discussed in Section 7.1.2.6.19.

Physical and electrical independence of the instrumentation devices of the system is provided by channel independence for sensors exposed to each process variable. Separate and independent conduits for scram solenoid and neutron monitoring input cables are routed from each device to the respective main control room panel. Each division has a separate and independent main control room panel bay. Trip logic outputs are separate in the same manner as the divisions. Signals between redundant RPS divisions are electrically and physically isolated by Class 1E optical isolators.

7.2.2.1.2.1.11 Regulatory Guide 1.89

Written procedures and responsibilities are developed for the design and qualification of all RPS equipment. This includes preparation of specifications, qualification procedures and documentation for RPS equipment. Standards manuals are maintained containing specifications, practices, and procedures for implementing qualification requirements, and an auditable file of qualification documents is available for review. All of this is included in the design even though the RPS is not required to comply with Regulatory Guide 1.89.

7.2.2.1.2.1.12 Regulatory Guide 1.97

Refer to Section 7.1.2.6.23 for assessment of Regulatory Guide 1.97.

7.2.2.1.2.1.13 Regulatory Guide 1.100

Refer to Section 7.1.2.6.24 for assessment of Regulatory Guide 1.100.

7.2.2.1.2.1.14 Regulatory Guide 1.105

Refer to Section 7.1.2.6.25 for assessment of Regulatory Guide 1.105.

7.2.2.1.2.1.15 Regulatory Guide 1.118

Refer to Section 7.1.2.6.26 for assessment of Regulatory Guide 1.118.

Position C.5 for APRM: With respect to conformance to position C.5, the inherent time response of the in-core sensors used for APRM (fission detectors operating in the ionization chamber mode) is many orders of magnitude faster than the APRM channel response time requirements and the signal conditioning electronics. The sensors cannot be tested without disconnecting and reconnecting to special equipment.

7.2.2.1.2.2 Conformance to 10 CFR 50, Appendix A - General Design Criteria

7.2.2.1.2.2.1 General Design Criterion 1

The quality assurance program for the system assures sound engineering in all phases of design and construction through conformity to regulatory requirements and design bases described in the license application. The quality assurance program is discussed in Chapter 17. Documents are maintained which demonstrate that all the requirements of the quality assurance program are being satisfied. These records will be maintained during the life of the operating licenses.

7.2.2.1.2.2.2 General Design Criterion 2

Wind and tornado loadings are discussed in Section 3.3, flood design is described in Section 3.4 and seismic qualification of instrumentation and electrical equipment is discussed in Section 3.10.

7.2.2.1.2.2.3 General Design Criterion 3

The fire protection system and its design bases are discussed in Subsection 9.5.1. Fire protection in cable systems is described in Subsection 8.3.1.4.2.

7.2.2.1.2.2.4 General Design Criterion 10

The RPS is designed to monitor certain reactor parameters, sense abnormalities, and to scram the reactor thereby preventing fuel design limits from being exceeded when trip points are exceeded. Scram trip set points are selected based on operating experience and by the safety design basis. There is no case in which the scram trip set points allow the core to exceed the thermal/hydraulic safety limits. The system is designed to assure that the specified fuel and Reactor Coolant Pressure Boundary (RCPB) design limits are not exceeded during conditions of normal or abnormal operation.

7.2.2.1.2.2.5 General Design Criterion 13

Instrumentation is provided to monitor variables and systems over their respective anticipated ranges for normal operational, anticipated operational occurrences, and accident conditions to assure adequate safety. Each system input is monitored and annunciated.

7.2.2.1.2.2.6 General Design Criterion 15

The RPS acts to provide sufficient margin to assure that the design conditions of the RCPB are not exceeded during any condition of normal operation including anticipated operational occurrences. If the monitored variables exceed their predetermined settings, the system automatically responds to maintain the variables and systems within allowable design limits.

7.2.2.1.2.2.7 General Design Criterion 19

Controls and instrumentation are provided in the main control room. The reactor can also be shut down in an orderly manner from outside the main control room as described in Subsection 7.4.1.4.

7.2.2.1.2.2.8 General Design Criterion 20

The system constantly monitors the appropriate plant variables to maintain the fuel barrier and primary coolant pressure boundary and initiates a scram automatically when the variables exceed the established setpoints.

7.2.2.1.2.2.9 General Design Criterion 21

The system is designed with four redundant instrument channels and four independent and separated logic divisions and actuator divisions. No single failure can prevent a scram. The system can be tested during plant operation to assure its reliability.

7.2.2.1.2.2.10 General Design Criterion 22

The redundant portions of the system are separated so that no single failure or credible natural disaster can prevent a scram except the turbine scram inputs which originate in the non-seismic Turbine Building. Reactor pressure and power are diverse to the turbine scram variables. In addition, drywell pressure and water level are diverse variables.

7.2.2.1.2.2.11 General Design Criterion 23

The RPS is fail safe on loss of power. A loss of electrical power or air supply will not prevent a scram. Postulated adverse environments will not prevent a scram.

7.2.2.1.2.2.12 General Design Criterion 24

The system has no control function. It is interlocked to control systems through isolation devices.

7.2.2.1.2.2.13 General Design Criterion 25

The reactor protection system conforms to the requirements of General Criterion 25. The method of conformance is listed below:

The redundant portions of the system are designed such that no single failure can prevent a scram. Functional diversity is employed by measuring flux, pressure, and level in the reactor vessel, which are all reactivity dependent variables.

The RPS provides protection against the onset and consequences of conditions that threaten the integrity of the fuel barrier and the reactor coolant pressure boundary. Any monitored variable which exceeds the scram set point will initiate an automatic scram and not impair the remaining variables from being monitored, and if one channel fails the remaining portions of the RPS will function.

7.2.2.1.2.2.14 General Design Criterion 29

The RPS will provide a reactor scram in the event of anticipated operational occurrences.

7.2.2.1.2.3 Conformance with Industry Codes and Standards

7.2.2.1.2.3.1 IEEE 279

The reactor protection (trip) system conforms to the requirements of this standard. The following is a detailed discussion of this conformance.

7.2.2.1.2.3.1.1 General Functional Requirement (IEEE 279, Paragraph 4.1)

The following RPS trip variables provide automatic initiation of protective action in compliance with this requirement:

(1) Scram discharge volume high water level trip
(2) Main steamline isolation valve closure trip (Run mode only)
(3) Turbine stop valve closure trip
(4) Turbine control valve fast closure trip
(5) Reactor vessel low water level trip
(6) Reactor vessel high water level trip (Run mode only)
(7) Neutron monitoring (APRM) system trip
    a. Neutron flux trip
    b. Simulated thermal power trip
(8) Neutron Monitoring (SRM) System (non-coincident) trip (when the shorting links are removed)
(9) Neutron Monitoring (IRM) System trip
(10) Drywell high pressure trip
(11) Reactor vessel high pressure trip

The reactor system mode switch selects appropriate operating bypasses for various RPS variables in the Shutdown, Refuel, Startup, and Run modes of operation.

Other manual controls, such as the discharge volume high water level bypass, the manual scram pushbutton switches, and the RPS reset switch are arranged so as to assure that the process variables providing automatic initiation of protective action will continue to remain in compliance with this requirement.

The RPS reset switches are under the administrative control of the reactor operator. The automatic initiation requirement for protective action cannot be prevented by a reset switch. Manual reset by the operator bypasses the seal-in circuit to permit the RPS to be reset to its normally energized state when all instrument channels are within their normal (untripped) range of operation. (Administratively bypassed in the case of the discharge volume high water level).

The RPS logic, trip actuator logic, and trip actuators are designed to comply with this requirement through automatic removal of electric power to the control rod drive scram pilot valve solenoids when one or more RPS variables exceeds the specified trip set point.

7.2.2.1.2.3.1.2 Single Failure Criterion (IEEE 279, Paragraph 4.2)

The following RPS trip variables are individually implemented with four physically separated sensor channels in compliance with this requirement:

(1) Scram discharge volume high water level trip
(2) Turbine stop valve closure trip
(3) Turbine control valve fast closure trip
(4) Reactor vessel low & high water level trip
(5) Neutron monitoring (APRM) system trip
(6) Neutron monitoring (IRM) system trip
(7) Drywell high pressure trip
(8) Reactor vessel high pressure trip
(9) Main steamline isolation valve closure trip

RPS manual controls also comply with the single failure criterion. Four manual scram pushbuttons are arranged into two separate redundant groups on the principal plant console, and are separated by approximately six inches within each group to permit the operator to initiate manual scram with one motion of one hand. The two groups of manual scram pushbuttons are separated by approximately three feet, and the switch contact blocks are enclosed within metal barriers.

The reactor mode switch consists of a single manual actuator connected to four distinct switch banks. Each bank is housed within a fire retardant compartment. Contacts from each bank are wired in conduit to individual logic cabinets.

There are four separate scram discharge volume high-level bypass switches. In each division manual operation of a bypass switch and the mode switch establishes divisional bypass. Therefore, the design of the bypass function complies with this design requirement. There is no single failure of this bypass function that will defeat the safety function.

The main steam line valve closure trip operating bypass is implemented by separate mode switch contacts in a similar manner.

The turbine stop valve closure trip and control valve fast closure trip operating bypass complies with the single-failure criterion. Four pressure transmitters are mounted in two separate redundant groups connected to two separate turbine first stage pressure taps. Wiring from the pressure transmitters is routed in conduit to the termination cabinets in the main control room.

The logic configuration for the bypass provides a single bypass associated with a single division for stop valve closure and control valve fast closure. Each division provides separate input to the RPS two-out-of-four trip logic. Therefore, no single failure of this bypass circuitry will interfere with the normal protective action of the RPS trip channels.

The RPS reset switches and associated logic comply with this design requirement. The four divisions of reset switches are physically and electrically separated.

Those portions of the RPS downstream of the instrument channels also comply with this design requirement. Any postulated single failure of a given trip logic will not affect the remaining three trip logics. Similarly, any single failure of a trip actuator will not affect the remaining trip actuators, and any single failure of one trip actuator (load driver) logic will not affect the other trip actuator logic networks.

The cabling associated with one scram group is routed in a conduit with no other wiring. It is physically separated from wiring to the other scram groups to preclude a single failure. Wiring for scram solenoids A and B for one control rod group may be routed together within a single conduit.

7.2.2.1.2.3.1.3 Quality of Components and Modules (IEEE 279, Paragraph 4.3)

The following RPS trip variables are implemented with components and modules which exhibit high quality and high reliability characteristics:

(1) Scram discharge volume high water level trip;
(2) Main steamline isolation valve closure trip (Run mode only)
(3) Turbine stop valve closure trip;
(4) Turbine control valve fast closure trip;
(5) Reactor vessel low water level trip;
(6) Reactor vessel high water level trip (Run mode only);
(7) Neutron Monitoring (APRM) System trip;
    a. Neutron flux trip,
    b. Simulated thermal power trip,
(8) Neutron Monitoring (SRM) System (non-coincident) trip (when shorting links are removed)
(9) Neutron Monitoring (IRM) System trip;
(10) Drywell high pressure trip;
(11) Reactor vessel high pressure trip.

The RPS manual switches are also selected for quality and reliability. The RPS trip logic, trip actuator logic and trip actuators are solid state circuits of quality and reliability.

7.2.2.1.2.3.1.4 Equipment Qualification (IEEE 279, Paragraph 4.4)

Conformance to equipment qualification requirements for the RPS is discussed in Sections 3.10 and 3.11.

7.2.2.1.2.3.1.5 Channel Integrity (IEEE 279, Paragraph 4.5)

The components of the following RPS trip variables are specified to operate under normal and abnormal conditions of environment, energy supply, and accidents:

(1) Scram discharge volume high water level trip;
(2) Main steamline isolation valve closure trip;
(3) Turbine stop valve closure trip (see Subsection 7.2.2.1.1.1.9.1);
(4) Turbine control valve fast closure trip (see Subsection 7.2.2.1.1.1.9.1);
(5) Reactor vessel low and high water level trips;
(6) Neutron Monitoring (APRM) System trip
    a. High neutron flux,
    b. Simulated high thermal power, and
    c. Neutron Monitoring System (non-coincident) trip (when shorting links are removed);
(7) Neutron Monitoring (IRM) System trip;
(8) Drywell high pressure trip;
(9) Reactor vessel high pressure trip.

The RPS trip logic, trip actuators, and trip actuator logic, are designed to be operable under normal and abnormal conditions of environment, energy supply, malfunctions and accidents.

7.2.2.1.2.3.1.6 Channel Independence (IEEE 279, Paragraph 4.6)

The following RPS trip variables are physically separated and electrically isolated from one another to meet this design requirement:

(1) Scram discharge volume high water level trip;
(2) Turbine stop valve closure trip;
(3) Turbine control valve fast closure trip;
(4) Reactor vessel low and high-water level trips;
(5) Drywell high-pressure trip;
(6) Reactor vessel high-pressure trip;
(7) Neutron monitoring trip; and
(8) MSIV closure trip.

The four channels of the turbine variables are physically separated.

The main steamline isolation valve closure trip is derived from eight individual sensors paired to provide four RPS channels.

The eight IRM channels are physically and electrically separated into four groups, and the four APRM redundant channels are electrically isolated and physically separated from one another so as to comply with this design requirement.

The manual scram pushbutton is a division component. The redundant manual trip divisions are physically separated to comply with this design requirement.

The mode switch banks are physically separated and electrically isolated to comply with this design document.

The circuitry for the RPS trip variable operating bypasses complies with this design requirement. Sufficient physical separation and electrical isolation exists to assure that the redundant operating bypass channels are satisfactorily independent.

The four RPS reset logic inputs to the trip actuators are physically separated. Similarly, the RPS trip logic and trip actuator logics are physically separated.

The wiring to each rod group scram solenoids A and B is routed in totally enclosed metallic raceways with no other wiring.

7.2.2.1.2.3.1.7 Control and Protection System Interaction (IEEE 279, Paragraph 4.7)

The channels for the following RPS trip variables are electrically isolated and physically separated from the plant control systems in compliance with this design requirement:

(1) Scram discharge volume high water level trip
(2) Main steamline isolation valve closure trip
(3) Turbine stop valve closure trip
(4) Turbine control valve fast closure trip
(5) Reactor vessel low and high water level trip
(6) Neutron Monitoring (APRM) System trip
(7) Neutron Monitoring (IRM) System trip
(8) Neutron Monitoring System (non-coincident) trip (when shorting links are removed)
(9) Drywell high-pressure trip
(10) Reactor vessel high-pressure trip

Outputs to annunciators in the main control room and to the PMS which provide a written log of the channel trips are through Class 1E isolation devices. There is no single failure that will prevent proper functioning of any protective function when it is required.

Within the IRM and APRM modules (i.e., prior to their output trip unit driving the RPS), analog outputs are derived for use with main control room meters, recorders, and PMS. Electrical isolation has been incorporated into the design at this interface to prevent any single failure from influencing the protective output from the trip module. The trip module outputs are physically separated and electrically isolated from other plant equipment in their routing to the RPS panels.

The manual scram pushbutton has no control system interaction.

The RPS mode switch is used for protective functions and restrictive interlocks on control rod withdrawal and refueling equipment movement. Additional isolated contacts of the mode switch are used to disable certain computer inputs when the alarms would represent incorrect information for the operator. No control functions are associated with the mode switch. Hence, the switch complies with this design requirement.

The system interlocks to control systems only through isolation devices so that no failure or combination of failures in the control system will have any effect on the RPS.

The RPS scram discharge volume high water level trip operating bypass complies with this design requirement. An output is given to the control rod block circuitry to prevent rod withdrawal whenever the trip channel bypass is in effect. The system interlocks to control rod block only through isolation devices so that no failure or combination of failures in the control system will have any effect on the RPS.

The main steamline isolation valve closure trip bypass has no interaction with any control system in the plant. Turbine stop valve and control valve trip bypasses have no interaction with any control system in the plant.

The RPS logic is totally separate from any plant control system.

The scram solenoids are physically separate and electrically isolated from the other portions of the control rod drive hydraulic control unit (HCU).

The transmission of signals from the RPS to control systems is through isolation devices which are part of the RPS. No credible failure at the output of these isolation devices can prevent the RPS from meeting its minimum performance requirements.

There are no single random failures which can cause a control system action that results in a condition requiring action by the RPS designed to protect against that condition.

The only single credible event that can cause a control system action resulting in a condition requiring protective action and can concurrently prevent operation of a portion of the RPS is a safe shutdown earthquake. For this event, the Turbine Stop Valve Closure Trip and Turbine Control Valve Fast Closure Trip may be disabled. The reactor vessel high-pressure and high-power trips provide diverse protection for this event.

7.2.2.1.2.3.1.8 Derivation of System Inputs (IEEE 279, Paragraph 4.8)

The following RPS trip variables are direct measures of a reactor overpressure condition, a reactor over-power condition, a gross fuel damage condition, or abnormal conditions within the reactor coolant pressure boundary:

(1) Reactor vessel low and high water level trips;
(2) Neutron Monitoring (APRM) System trip;
    a. Upscale trip,
    b. Thermal trip;
(3) Neutron Monitoring (IRM) System trip;
(4) Drywell high-pressure trip; and
(5) Reactor vessel high pressure trip.

The measurement of scram discharge volume water level is an appropriate variable for this protective function. The desired variable is available volume to accommodate a reactor scram. However, the measurement of consumed volume is sufficient to infer the amount of remaining available volume since the total volume is a fixed, predetermined value established by the design.

The measurement of main steamline isolation valve position and turbine stop valve position is an appropriate variable for the reactor protection system. The desired variable is loss of the reactor heat sink; however, isolation or stop valve closure is the logical variable to infer that the steam path has been blocked between the reactor and the heat sink.

Due to the normal throttling action of the turbine control valves with changes in the plant power level, measurement of control valve position is not an appropriate variable from which to infer the desired variable, which is rapid loss of the reactor heat sink. Consequently, a measurement related to control valve closure rate is necessary.

Protection system design practice has discouraged use of rate sensing devices for protective purposes. In this instance, it was determined that detection of hydraulic actuator operation would be a more positive means of determining fast closure of the control valves.

Loss of hydraulic pressure in the electrohydraulic control (EHC) oil lines which initiates fast closure of the control valves is monitored. These measurements provide indication that fast closure of the control valves is imminent.

This measurement is adequate and a proper variable for the protective function taking into consideration the reliability of the chosen sensors relative to other available sensors and the difficulty in making direct measurements of control valve fast-closure rate.

Since the mode switch is used to bypass certain RPS trips depending upon the operating state of the reactor, the selection of particular contacts to perform this logic operation is an appropriate means for obtaining the desired function.

The turbine stop valve closure trip bypass and control valve fast closure trip operating bypass permit continued reactor operation at low-power levels when the turbine stop or control valves are closed. The selection of turbine first stage pressure is an appropriate variable for this bypass function. In the power range of reactor operation, turbine first stage pressure is essentially linear with increasing reactor power. Consequently, this variable provides the desired measurement of power level.

7.2.2.1.2.3.1.9 Capability for Sensor Checks (IEEE 279, Paragraph 4.9)

During reactor operation, the analog outputs of each of the redundant devices for the following RPS trip variables may be directly cross-compared to meet this requirement:

(1) Reactor vessel low and high water level trip;
(2) Drywell high-pressure trip; and
(3) Reactor vessel high-pressure trip;
(4) Scram discharge volume high water level trip.

During reactor operation, one transmitter of each of these variables may also be taken out-of-service at a time to perform calibration to a standard under administrative control. During this test, operation of the sensor and the RPS trip unit may be confirmed. At the conclusion of the test, administrative control must be used to ensure that the sensor has been properly returned to service. Annunciators and status lights continually indicate the out-of-service condition of all trip units. In addition all trip modules may be tested with divisional trip logic by injecting an electronic calibration signal into the trip module input.

During reactor operation, the sensors associated with the scram discharge volume high water level trip may be valved out of service to perform a functional test. During the test, one RPS trip logic will be tripped and will produce both main control room annunciation and computer logging of the trip. At the conclusion of the test, administrative control is used to assure that the sensors have been returned to service.

The main steamline isolation valve position switches are tested during valve movements which cause the limit switches to operate at the setpoint value of the valve position.

For any single valve closure test, any one of four instruments will be tripped. This arrangement permits single valve testing without corresponding tripping of the RPS.

The turbine stop valve position switches are also tested during valve movements which cause the limit switches to operate at the setpoint value. For any test of a single stop valve closure, an instrument channel will be placed in a tripped condition.

The turbine control valve fast closure oil pressure switches may be tested during the routine turbine system tests. During any control valve fast-closure test, one RPS trip logic will be tripped and will produce both main control room annunciation and computer logging of the trip.

During reactor operation in the RUN mode, the IRM detectors are stored below the reactor core in a low flux region. Movement of the detectors into the core will permit the operator to observe the instrument response from the different IRM channels and will confirm that the instrumentation is operable.

In the power range of operation, the individual LPRM detectors will respond to local neutron flux and provide the operator with an indication that these instrument channels are responding properly. The four APRM channels may also be observed to respond to changes in the gross power level of the reactor to confirm their operation.

Each APRM instrument channel may also be calibrated with a simulated signal introduced into the amplifier input and each IRM instrument channel may be calibrated by introducing an external signal source into the amplifier input. During these tests, proper instrument response may be confirmed by observation of instrument lights in the main control room and trip annunciators.

Proper operation of the mode switch may be verified by the operator during plant operation by performing certain sensor tests to confirm proper RPS operation. Movement of the mode switch from one position to another is not required for these tests since the connection of appropriate sensors to the RPS logic as well as the bypass of inappropriate sensors may be confirmed from the sensor tests.

7.2.2.1.2.3.1.10 Capability for Test and Calibration (IEEE 279, Paragraph 4.10)

The following RPS trip variable sensors may be tested by cross-comparison of channels. They also have provisions for sensor testing and calibration during reactor operation:

(1) Reactor vessel low and high water level trip;
(2) Neutron Monitoring (APRM) System trip;
(3) Neutron Monitoring (IRM) System trip;
(4) Drywell high-pressure trip;
(5) Reactor vessel high pressure trip.

In addition each channel trip unit may be calibrated individually for each process input by introducing an electronic calibration signal into the trip module to verify proper trip actuation.

During plant operation, the operator can confirm that the main steamline isolation and turbine stop valve limit switches operate during valve motion from full open to full closed and vice versa by comparing the time that the RPS trip occurs with the time that the valve position indicator lights in the control room signal that the valve is fully open and fully closed. This test does not confirm the exact setpoint, but does provide the operator with an indication that the limit switch operates between the limiting positions of the valve. During reactor shutdown, calibration of the main steamline isolation and turbine stop valve limit switch setpoint is at a valve position equal to the value in the Operational Requirements Manual (ORM).

The APRMs are calibrated to reactor power by using a reactor heat balance and the Traversing In-Core Probe (TIP) System to establish the relative local flux profile. LPRM gain settings are determined from the local flux profiles measured by the TIP System once the total reactor heat balance has been determined.

The gain-adjustment-factors for the LPRMs are produced as a result of the process computer nuclear calculations involving the reactor heat balance and the TIP flux distributions. These adjustments, when incorporated into the LPRMs, permit the nuclear calculations to be completed for the next operating interval and establish the APRM calibration relative to reactor power.

During reactor operation, one manual scram pushbutton may be depressed to test the proper operation of the switch and division trip logic. Once the RPS division logic has been reset, the other switches may be depressed to test their operation one at a time. For each such operation, a main control room annunciation will be initiated and the performance monitoring system will print the identification pertinent to the trip.

Operation of the reactor system mode switch from one position to another may be employed to confirm certain aspects of the RPS trip channels during periodic test and calibration at shutdown only. During tests of the trip channels, proper operation of the mode switch contacts may be easily verified by noting that certain sensors are connected to the RPS logic and that other sensors are bypassed in the RPS logic in an appropriate manner dependent on the position of the mode switch.

In the startup and run modes of plant operation, procedures are used to confirm that scram discharge volume high water level sensor trip channels cannot be bypassed as a result of the manual bypass switches. In the shutdown and refuel modes of plant operation, a similar procedure may be used to bypass all four scram discharge volume trip channels. Due to the discrete ON/OFF nature of the bypass function, calibration is not meaningful.

A manual scram switch permits each individual instrument channel and trip logic to be tested on a periodic basis. Testing of each process sensor of the protection system also affords an opportunity to verify proper operation of these components.

7.2.2.1.2.3.1.11 Channel Bypass or Removal from Operation (IEEE 279, Paragraph 4.11)

The following RPS trip variables have no provision for sensor removal from service because of the use of valve position limit switches as the channel sensor. Channel bypass is discussed in Subsections 7.2.1.1.4.4.2 and 7.2.1.1.4.4.3.

(1) Main steamline isolation valve closure trip and
(2) Turbine stop valve closure trip

Transmitters are normally tested during reactor operation by cross-comparison of channels. However, transmitters, level switches and pressure switches may be valved out of service and returned to service under administrative control procedures. Since only one sensor is valved out-of-service at any given time during the test interval, protective capability for the following RPS trip variables is maintained through the remaining redundant instrument channels:

(3) Reactor vessel low and high water level trip
(4) Drywell high pressure trip
(5) Reactor vessel high pressure trip
(6) Scram discharge volume high water level trip
(7) Turbine control valve fast closure trip

Pressure switches are normally tested by removing the sensor from service. Since only one switch is removed at any given time during the test interval, protective capability from the remaining RPS pressure switch inputs is maintained.

The NS4/RPS division of sensor bypass switches is provided to allow the bypass of a single division for test/calibration. When the bypass is in operation, an annunciator in the main control room is actuated. Only the non-coincident NMS trip (when shorting links are removed) is not bypassed by the NS4/RPS division of sensor bypasses. The mode switch produces operating bypasses which need not be annunciated because they are removed by normal reactor operating sequence.

7.2.2.1.2.3.1.12 Operating Bypasses (IEEE 279, Paragraph 4.12)

The following RPS trip variables have no provision for an operating bypass:

(1) Reactor vessel low water level trip;
(2) Neutron Monitoring (APRM) System trip;
(3) Drywell high pressure trip and
(4) Reactor vessel high pressure trip.

An operating bypass of the scram discharge volume high water level trip is provided in the main control room for the operator to bypass the trip outputs in the shutdown and refuel modes of operation. Control of this bypass is achieved through administrative means, and its only purpose is to permit reset of the RPS following reactor scram to allow draining of the scram discharge volume. The bypass is manually initiated and must be manually removed to commence withdrawal of control rods after a reactor shutdown.

An operating bypass is provided for the main steamline isolation valve closure trip. The bypass requires that the reactor system mode switch, which is under the administrative control of the operator, be placed in the shutdown, refuel, or startup positions. The only purpose of this bypass is to permit the RPS to be placed in its normal energized state for operation at low power levels with the main steamline isolation valves closed or not fully open.

An operating bypass is provided for the neutron monitoring (IRM) system trip when the reactor mode switch is placed in the run position.

An operating bypass is provided for the reactor vessel high water level trip. The bypass requires that the reactor system mode switch, which is under the administrative control of the operator, be placed in shutdown, refuel, or startup positions.

For each of these operating bypasses, four independent bypass divisions are provided through the mode switch to assure that all of the protection system criteria are satisfied.

An operating bypass of the turbine stop valve and control valve fast closure trip is provided whenever the turbine is operating at an initial power level below 33.3% of rated power. The purpose of the bypass is to permit the RPS to be placed in its normal energized state for operation at low power levels with the turbine stop valves not fully open. During normal plant operation above the switch setpoint, the bypass circuitry is in its passive, deenergized state. At these conditions, removal of the bypass for periodic test is permitted since it has no effect on plant safety. Under plant conditions at or below the switch setpoint, one bypass channel may be removed from service at a time without initiating protective action or affecting plant safety. This removal from service is accomplished under administrative control of plant personnel.

7.2.2.1.2.3.1.13 Indication of Bypasses (IEEE 279, Paragraph 4.13)

The mode switch produced operating bypasses need not be annunciated because they are removed by normal reactor operating sequence. Although operating bypasses do not require annunciation, certain operating bypasses are annunciated in the main control room. The discharge volume high water level trip operating bypass, the main steam line isolation valve closure trip operating bypass, and the turbine stop and control valve fast-closure trips operating bypass are individually annunciated to the operator.

The main control room operator must exercise administrative control over nonoperating bypasses such as valving out-of-service of one RPS trip variable sensor at a time. The out of service condition is manually alarmed. To indicate a sensor bypass, the operator will manually actuate the respective NS4/RPS sensor channel bypassed annunciator corresponding to the given sensor division. Also, the trip module in calibration will cause automatic actuation of the system out-of-service annunciator.

7.2.2.1.2.3.1.14 Access to Means for Bypassing (IEEE 279, Paragraph 4.14)

The operator has administrative control of the sensor instrument valves, as well as their associated trip module calibration controls.

Manual bypassing of any IRM or APRM channel is accomplished with main control room NS4/RPS division of sensor bypass switches under the administrative control of the operator.

Manual controls for the scram discharge volume high water level trip operating bypass and the main steamline isolation valve closure trip operating bypass are located in the main control room, and under the direct administrative control of the operator. Manual keylock switches are used to control these operating bypasses.

The mode switch selects the appropriate sensors for scram functions and provides appropriate trip bypasses and bypass permissive for the selected mode. The mode switch is a keylock switch under the administrative control of plant personnel.

Divisional channel bypasses exist for all essential variables, except the non-coincident NMS channels which can be bypassed by individual selector switches. Only one division may be bypassed at a time, which converts the RPS system logic from a two-out-of-four to a two-out-of-three logic trip system. Interlocks are provided to prevent bypassing more than one logic division at a time. There are four keylocked bypass switches, one for each logic division, located in the main control room. Bypassing any single system logic division will not inhibit protective action when required.

7.2.2.1.2.3.1.15 Multiple Set Points (IEEE 279, Paragraph 4.15)

The design requirement is not applicable to the following RPS trip variables because the set point values are fixed and do not vary with other reactor or plant parameters:

(1) Scram discharge volume high water level trip
(2) Main steamline isolation valve closure trip
(3) Turbine stop valve closure trip
(4) Turbine control valve fast closure trip
(5) Reactor vessel low and high water level trip
(6) Drywell high pressure trip
(7) Reactor vessel high pressure trip

The trip setpoint of each IRM channel is established for each range of IRM operation. The IRM is a linear, half-decade per range instrument. Therefore, as the operator switches an IRM from one range to the next, the trip set point tracks the operator's selection.

In the run mode, the APRM system simulated thermal power trip varies automatically with the recirculation flow, and in modes other than run the APRM setdown function selects a more restrictive scram trip setpoint at a fixed 15%. The devices used to prevent improper use of the less restrictive setpoints are designed in accordance with criteria regarding performance and reliability of protection system equipment. For further discussion refer to Section 7.6.1.5.

Operation of the mode switch from one position to another bypasses various RPS trip channels in accordance with the reactor conditions implied by the given position of the mode switch.

7.2.2.1.2.3.1.16 Completion of Protective Action Once it is Initiated (IEEE 279, Paragraph 4.16)

The sensor output of the following RPS trip variables remains in a tripped state whenever the trip set point is exceeded:

(1) Scram discharge volume high water level trip
(2) Main steam line isolation valve closure trip
(3) Turbine stop valve closure trip
(4) Turbine control valve fast closure trip
(5) Reactor vessel low and high water level trip
(6) Neutron Monitoring (APRM) System trip
(7) Neutron Monitoring (IRM) System trip
(8) Drywell high pressure trip
(9) Reactor vessel high pressure trip

It is only necessary that the process sensors remain in a tripped condition for a sufficient length of time to trip the analog trip modules and operate the seal-in circuitry provided the two-out-of-four logic is satisfied. Once this action is accomplished, the trip actuator logic proceeds to initiate reactor scram regardless of the state of the process sensors that initiated the sequence of events.
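The division bypass of Paragraph 4.14 and the seal-in of Paragraph 4.16 can be exercised with a small model. The following Python code is an added example, not taken from the USAR or from any plant logic; the division labels A to D and all function and class names are assumptions made for illustration.

```python
from itertools import combinations
from typing import Iterable, Optional

# Division labels are assumed for illustration; the text only says "four logic divisions".
DIVISIONS = ("A", "B", "C", "D")
VOTES_REQUIRED = 2  # two-out-of-four, or two-out-of-three with one division bypassed


def vote(tripped: Iterable[str], bypassed: Iterable[str] = ()) -> bool:
    """True when at least two divisions that are not bypassed are tripped."""
    return len(set(tripped) - set(bypassed)) >= VOTES_REQUIRED


def scram_on_demand(bypassed: Iterable[str], failed: Iterable[str]) -> bool:
    """A real demand trips every division except those that failed to trip."""
    return vote(set(DIVISIONS) - set(failed), bypassed)


def single_failure_tolerant(n_bypassed: int) -> bool:
    """Try every set of n bypassed divisions against every single failed division."""
    for bypassed in combinations(DIVISIONS, n_bypassed):
        for failed in DIVISIONS:
            if failed not in bypassed and not scram_on_demand(bypassed, [failed]):
                return False
    return True


class BypassInterlockError(RuntimeError):
    """A second division bypass was requested while one is already in effect."""


class DivisionTripLogic:
    """Voting with a one-at-a-time bypass interlock and a seal-in latch."""

    def __init__(self) -> None:
        self.bypassed: Optional[str] = None
        self.sealed_in = False

    def request_bypass(self, division: str) -> None:
        if division not in DIVISIONS:
            raise ValueError(f"unknown division {division!r}")
        if self.bypassed not in (None, division):
            raise BypassInterlockError(
                f"division {self.bypassed} is already bypassed; {division} refused")
        self.bypassed = division

    def remove_bypass(self) -> None:
        self.bypassed = None

    def update(self, tripped: Iterable[str]) -> bool:
        """Feed the current division trip states; True once the scram is sealed in."""
        bypassed = () if self.bypassed is None else (self.bypassed,)
        if vote(tripped, bypassed):
            self.sealed_in = True  # latched: later sensor states cannot undo it
        return self.sealed_in


if __name__ == "__main__":
    for n in (0, 1, 2):
        print(f"{n} bypassed, single-failure tolerant: {single_failure_tolerant(n)}")
    logic = DivisionTripLogic()
    logic.request_bypass("A")
    print("A and B tripped, A bypassed:", logic.update({"A", "B"}))
    print("B and C tripped:", logic.update({"B", "C"}))
    print("sensors cleared:", logic.update(set()))
```

The exhaustive check shows why the interlock allows only one bypass: with one division bypassed the remaining two-out-of-three vote still tolerates a single failed division, while with two bypassed it does not.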

Once the manual scram pushbuttons are depressed, the trip actuator logic proceeds to initiate reactor scram regardless of the state of the manual scram pushbuttons.

The function of the mode switch is to provide appropriate RPS trip channels for the RPS trip logic on a steady-state basis for each of the four given reactor operating states: SHUTDOWN, REFUEL, STARTUP and RUN. Protective action, in terms of the needed transient response, is derived from the other portions of the trip channels independent of the mode switch. Hence, the mode switch does not influence the completion of protective action in any manner.

The turbine operating bypass is placed into effect only when the turbine first stage pressure is below 33.3% of reactor power. For plant operation above this setpoint, the trip channels will initiate protective action once the division logics trip and seal in, and the actuators have deenergized the scram pilot valve solenoids.

7.2.2.1.2.3.1.17 Manual Actuation (IEEE 279, Paragraph 4.17)

Four manual scram pushbutton controls are provided on the principal plant console to permit manual initiation of reactor scram at the division level. The four manual scram pushbuttons (one in each of the four RPS trip logic divisions) are arranged in two-out-of-four logic. Failure of an automatic RPS function cannot prevent the manual portions of the system from initiating the protective action.

The manual scram pushbuttons are wired as close as practicable to the scram load drivers in order to minimize the dependence of manual scram capability on other equipment. Additional back-up to these manual controls is provided by the SHUTDOWN position of the Reactor System Mode Switch.

No single failure in the manual or automatic portions of the system can prevent either a manual or automatic scram.

7.2.2.1.2.3.1.18 Access to Set Point Adjustments, Calibration, and Test Points (IEEE 279, Paragraph 4.18)

During reactor operation, access to set point or calibration controls is not possible for the following RPS trip variables:

(1) Main steamline isolation valve closure trip
(2) Turbine stop valve closure trip
(3) Turbine control valve fast closure trip

NOTE - Turbine stop valve closure and turbine control valve fast closure trips may be accessible with radiation exposure.

Access to setpoint adjustments, calibration controls, and test points for the following RPS trip variables is under the administrative control of plant personnel:

(4) Scram discharge volume high water level trip
(5) Reactor vessel low and high water level trips
(6) Neutron monitoring (APRM) system trip
(7) Neutron monitoring (IRM) system trip
(8) Drywell high pressure trip
(9) Reactor vessel high pressure trip

7.2.2.1.2.3.1.19 Identification of Protective Actions (IEEE 279, Paragraph 4.19)

When any one of the redundant sensor trip modules exceeds its setpoint value for the following RPS trip variables, a main control room annunciator is initiated to identify the particular variable:

(1) Scram discharge volume high water level trip
(2) Turbine control valve fast closure trip
(3) Reactor vessel low water level trip
(4) Reactor vessel high water level trip
(5) Neutron monitoring system trip
(6) Drywell high pressure trip
(7) Reactor vessel high pressure trip
(8) Main steam isolation valve trip
(9) Turbine stop valve trip

Identification of the particular trip channel exceeding its set point is accomplished as a typed record from the performance monitoring system or visual observation of the annunciators.

When any manual scram pushbutton is depressed, a main control room annunciation is initiated and a performance monitoring system record is produced to identify the tripped RPS trip logic.

Identification of the mode switch in shutdown position is provided by PMS trip logic identification printout, the mode switch in shutdown position annunciator and all division trips.

7.2.2.1.2.3.1.20 Information Readout (IEEE 279, Paragraph 4.20)

The data presented to the main control room operator for each of the following RPS trip variables complies with this design requirement:

(1) Scram discharge volume high water level trip
(2) Main steam line isolation valve closure trip
(3) Turbine stop valve closure trip
(4) Turbine control valve fast closure trip
(5) Reactor vessel high water level trip
(6) Reactor vessel low water level trip
(7) Neutron monitoring system trip
(8) Drywell high pressure trip
(9) Reactor vessel high pressure trip

7.2.2.1.2.3.1.21 System Repair (IEEE 279, Paragraph 4.21)

During periodic testing of the sensor channels for the following RPS trip variables, the operator can determine any defective component and replace it during plant operation:

(1) Reactor vessel high water level trip
(2) Reactor vessel low water level trip
(3) Drywell high pressure trip
(4) Reactor vessel high pressure trip

During periodic testing of the sensor channels for the following trip variables, all defective components can be identified. Replacement and repair of failed sensors can only be accomplished during reactor shutdown. All other components can be replaced, repaired, and adjusted during plant operation.

(5) Turbine stop valve closure trip
(6) Main steamline isolation valve closure trip
(7) Scram discharge volume high water level trip
(8) Neutron monitoring system
(9) Turbine control valve fast closure trip

Provisions have been made to facilitate repair of neutron monitoring system components during plant operation except for the detector. Replacement of the detector can be accomplished during plant shutdown. Replacement of IRM and LPRM detectors must be accomplished during plant shutdown. Repair of the remaining portions of the neutron monitoring system may be accomplished during plant operation by appropriate bypassing of the defective instrument channel. The design of the system facilitates rapid diagnosis and repair.

7.2.2.1.2.3.1.22 Identification of Protection Systems (IEEE 279, Paragraph 4.22)

Each Nuclear System Protection system cabinet which contains RPS control room equipment is marked with the letters "NSPS" and the particular redundant portion is listed on a distinctively colored marker plate. Cabling outside the cabinets is identified specifically as Reactor Protection System wiring. The identification scheme used to distinguish between redundant cables and cable trays is described in Chapter 8. Redundant racks are identified by the color coded marker plates of instruments on the racks.

7.2.2.1.2.3.2 IEEE 308, Standard Criteria for Class 1E Power Systems for Nuclear Power Generating Stations

Each of four separate RPS divisions, which includes sensors, trip modules and logic, is powered by a redundant, separate Class 1E power source and the system complies with IEEE 308. The scram solenoids are powered by two separate non-Class 1E, non-divisional uninterruptible power supplies.

7.2.2.1.2.3.3 IEEE 317, Electric Penetration Assemblies in Containment Structures for Nuclear Power Generating Stations

See Subsection 8.1.6.

7.2.2.1.2.3.4 IEEE 323, Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations

The general Guide for Qualifying Class 1E Equipment is presented in Section 3.11. Records covering all essential components are maintained.

7.2.2.1.2.3.5 IEEE 336, Installation, Inspection, and Testing Requirements for Instrumentation and Electrical Equipment During the Construction of Nuclear Power Generating Stations

The IEEE 336 requirements for installation, inspection and testing of Class 1E instruments and control equipment and systems during construction have been met through a quality assurance program. Conformance to IEEE 336-1971 (ANSI N45.2.4-1972) is discussed in conjunction with Regulatory Guide 1.30. Refer to USAR Section 1.8.

7.2.2.1.2.3.6 IEEE 338, Standard Criteria for Periodic Testing of Nuclear Power Generating Station Safety Systems

Periodic Testing of Protection Systems is complied with by being able to test the RPS from sensors to final actuators at any time during plant operation. The test must be performed in overlapping portions. The sensors associated with the NMS cannot be tested during operation.

7.2.2.1.2.3.7 IEEE 344, Recommended Practices for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations

Seismic Qualification of Class 1E Electric Equipment requirements are satisfied by all Class I RPS equipment as described in Section 3.10.

7.2.2.1.2.3.8 IEEE 379, Standard Application of the Single-Failure Criterion to Nuclear Power Generating Station Class 1E System

Application of the single-failure criterion to nuclear power generating station protection systems requirements are satisfied by consideration of the different single failure modes and carefully designing all single-failure modes out of the system, through redundant logic design and proper separation of redundant portions of the system.

7.2.2.1.2.3.9 IEEE 384, Standard Criteria for Independence of Class 1E Equipment and Circuits

This standard requires that redundant portions of the system be physically separated from each other and from Non-Class 1E circuits. This includes process sensors, wiring, logic and actuators in plant and control room wireways and main control room panels. In addition, short circuit protection by grounded conduit or physical separation is required between wiring carrying essential power and nonessential RPS power.

The standard requires that redundant sensors and their connections to the process system be sufficiently separated to assure that functional capability of the protection system will be maintained despite any single design basis event or resulting effect. This provision does not apply to turbine stop valve and control valve fast closure trips in the nonseismic turbine building during or after a safe shutdown earthquake.

Reactor pressure and power are diverse variables. The effects on sensors and sensing lines as a result of design basis events are discussed in Subsection 7.2.1.2.8. Redundant pressure taps are located at widely divergent points around the reactor vessel. The sensing lines are routed to the sensors through separate penetrations in the drywell. Redundant sensors are located on separated racks outside the drywell. The location and routing of sensors, sensing lines, and pressure taps meet the separation requirements of IEEE 384, section 5.8.

The discussion of compliance with the separation requirements of IEEE 384 for Class 1E power supplies for the RPS is provided in Chapter 8. RPS trip modules, logic and actuators are separated into four divisions contained in four separate logic panels. Whenever signals must pass between redundant logic divisions or between divisional and nondivisional circuits, they are electrically and physically isolated.

7.2.2.1.3 Additional Design Considerations Analyses

7.2.2.1.3.1 Spurious Rod Withdrawals

Spurious control rod withdrawal will not normally cause a scram. A control rod withdrawal block may occur, however, (see Subsection 7.7.2.2.3). A scram will occur, however, if the spurious control rod withdrawal causes the average flux to exceed the trip setpoint.

7.2.2.1.3.2 Loss of Plant Instrument Air System

Loss of plant instrument air will cause gradual opening of the scram valves on the hydraulic control units which will insert all control rods. Full insertion will result as air pressure is lost at the scram valves.

7.2.2.1.3.3 Loss of Cooling Water to Vital Equipment

There is no loss of cooling water which will affect the RPS.

7.2.2.1.3.4 Plant Load Rejection

Electrical grid disturbances could cause a significant loss of load which would initiate a turbine-generator overspeed trip and control valves fast closure, which may result in a reactor scram. The reactor scram occurs to anticipate an increase in reactor vessel pressure due to shutting off the path of steam flow to the turbine. Any additional increase in pressure will be prevented by the safety/relief valves which will open to relieve reactor pressure and close as pressure is reduced. The reactor core isolation cooling (RCIC) or high pressure core spray (HPCS) systems will automatically actuate and provide vessel makeup water if required. The fuel temperature or pressure boundary thermal/hydraulic limits are not exceeded during this event (Chapter 15).

7.2.2.1.3.5 Turbine Trip

Initiation of turbine trip by the turbine system closes the turbine stop valves which may initiate a reactor scram. The stop valve closure scram anticipates a reactor pressure or power scram due to turbine stop valves closure. Any additional increase in reactor vessel pressure will be prevented by the safety/relief valves which will open to relieve reactor vessel pressure and close as pressure is reduced. The RCIC and HPCS will automatically actuate and provide vessel makeup water if low water level occurs.

Initiation of turbine trip by loss of condenser vacuum causes closure of the turbine stop valves and main steam isolation valves, initiating a reactor scram. The fuel temperature or pressure boundary, thermal/hydraulic limits are not exceeded during these events (Chapter 15).

7.2.3 References

(1) GE Topical Report, Power Generation Control Complex, NEDO-10466-A.
(2) NUREG-0124 (Supplement to NUREG 75/110), Safety Evaluation Report, GESSAR 238 Nuclear Island Standard Design Supplement 1, September 1976, pp. 7-78, 15-3,4.
(3) NUREG-0151, SER, GESSAR 251, Nuclear Steam Supply System Standard Design, March 1977.
(4) NUREG-0124 Supplement 2, Jan. 1977, pp. 15-1,2.
(5) Nuclear Station Engineering Department Maintenance Standard MS-02.00, Maintenance of Equipment Qualification Program Manual.

7.3 ENGINEERED SAFETY FEATURE SYSTEMS

7.3.1 Description

This section will examine and discuss the instrumentation and control aspects of the following plant Engineered Safety Feature (ESF) Systems and the Essential Auxiliary Support (EAS) Systems.

ESF Systems

Emergency Core Cooling System (ECCS)
- High Pressure Core Spray System (HPCS)
- Automatic Depressurization System (ADS)
- Low Pressure Core Spray System (LPCS)
- RHR System, Low Pressure Coolant Injection Mode (LPCI)

Containment and Reactor Vessel Isolation Control System (CRVICS)

Main Steam Isolation Valve Leakage Control System (MSIVLCS)

Combustible Gas Control System (CGCS)

Containment Heat Removal Systems
- RHR System, Containment Spray Mode
- RHR System, Suppression Pool Cooling Mode

Standby Gas Treatment System (SGTS)

Suppression Pool Makeup System (SPMU)

Main Control Room HVAC System

Overpressurization Protection System

Reactor Core Isolation Cooling System

RHR System, Feedwater Leakage Control Mode (FWLC)

EAS Systems

Standby AC & DC Power System (Including Diesel Generators)

Shutdown Service Water System (SSWS)

Diesel Fuel Oil System

ESF Ventilation Systems
- Essential Switchgear Heat Removal System
- ECCS Equipment Room HVAC System
- Diesel Generator Room HVAC System
- Shutdown Service Water Pump Room HVAC System
- Combustible Gas Control System Equipment Cubicle Cooling System

7.3.1.1 System Description

7.3.1.1.1 Emergency Core Cooling Systems (ECCS) - Instrumentation and Controls

7.3.1.1.1.1 System Identification

The ECCS are a network of the following systems.

(1) High pressure core spray (HPCS) system.

(2) Automatic depressurization (ADS) system.

(3) Low pressure core spray (LPCS) system.

(4) Low pressure coolant injection (LPCI) mode of the residual heat removal system (RHR).

The purpose of ECCS instrumentation and controls is to initiate appropriate responses from the system to ensure that the fuel is adequately cooled in the event of a design basis reactor accident. The cooling provided by the system restricts the release of radioactive materials from the fuel by preventing or limiting the extent of fuel damage following situations in which coolant is lost from the reactor coolant pressure boundary.

The ECCS instrumentation detects a need for core cooling systems operation, and the trip systems initiate the appropriate response.

Included in this Section is a discussion of protective considerations which are taken between the high pressure reactor coolant system and the low pressure ECCS system. The high pressure/low pressure interlocks are examined in subsection 7.6.1.3.

7.3.1.1.1.2 Network Power Sources

The instrumentation and controls of the ECCS network system are powered by the 125 Vdc and 120 Vac Essential systems. The redundancy and separation of these systems are consistent with the redundancy and separation of the ECCS functional requirements. The power sources for the ECCS network systems are described in detail in Chapter 8.

7.3.1.1.1.3 High Pressure Core Spray (HPCS) System - Instrumentation and Controls

7.3.1.1.1.3.1 System Identification

The control and instrumentation components for the high pressure core spray (HPCS) system except as noted in 7.3.1.1.1.3.11 are located outside the containment. Pressure and level transmitters used for HPCS initiation are located on racks inside the containment, but outside the drywell. Cables connect the sensors to the comparator input cabinet and from the input cabinet to the trip logic output cabinets. The system is arranged to allow a full flow functional test during normal reactor power operation. The piping and instrumentation diagram is shown in Drawing M05-1074, the HPCS power system is shown in drawing E02-1HP99, and the HPCS one line diagram is shown in Drawing 762E298AC. Significant HPCS design parameters are provided on Table 6.3-8.

7.3.1.1.1.3.2 Power Sources

The HPCS system is designed to operate from normal offsite power sources or from the Division 3 diesel generator if offsite power is not available. Level sensors and high drywell pressure sensors are powered by 24-Vdc from two separate and independent divisions (DIV-3 & DIV-4).

7.3.1.1.1.3.3 Equipment Design

The high pressure core spray system operates as an isolated system independent of electrical connections to any other system except the normal ac/dc power supply. The instrumentation necessary for the control and status indication of the HPCS system is classified as essential and as such is designed and qualified in accordance with applicable IEEE Standards.

CPS/USAR CHAPTER 07 7.3-3 REV. 11, JANUARY 2005 7.3.1.1.1.3.4 Initiating Circuits Reactor vessel low water level is monitored and indicated by four level transmitters (two in Div. 3 and two in Div. 4) that sense the difference between the pressure due to a constant reference leg of water and the pressure due to the actual height of water in the vessel. Each level transmitter provides an input to an analog trip module. The output signals from the analog trip modules feed a one-out-of-two twice logic. The initiation logic for HPCS sensors is shown in Figure 7.3-8. Drywell pressure is monitored by four pressure transmitters (two in Div. 3 and two in Div. 4). Instrument sensing lines that penetrate the drywell allow the transmitter to communicate with the drywell interior. Each drywell high-pressure trip channel provides an input into the trip logic shown in Figure 7.3-8. The trip logic inputs are electrically connected to a one-out-of-two twice logic circuit. The HPCS system is initiated on receipt of a valid reactor vessel low water level signal (Level 2) or drywell high-pressure signal. Makeup water is discharged to the reactor vessel until the reactor high water level (Level 8) is reached. The HPCS then automatically stops flow by closing the injection valve if the high water level signal is above the trip point. The system is arranged to allow automatic or manual operation. The HPCS initiation signal also initiates the HPCS Division 3 diesel generator. 7.3.1.1.1.3.5 Logic and Sequencing Either reactor vessel low water level or high drywell pressure automatically starts the HPCS as indicated in Figure 7.3-8. Two reactor vessel low water level trip settings are used to initiate the ECCS. The first low water level setting initiates the HPCS. The second low water level setting initiates the LPCI, and LPCS, and ADS. This setting also closes the main steam line isolation valves (see Subsection 7.3.1.1.2). 
Two AC operated pump suction valves are provided in the HPCS pump suction. One valve lines up pump suction from the RCIC storage tank, the other from the suppression pool. The control arrangement is shown in drawing E02-1HP99. Reactor grade water in the RCIC storage tank is the preferred source. On receipt of an HPCS initiation signal, the RCIC storage tank suction valve is automatically signaled to open (it is normally in the open position) unless the pump suction from suppression pool valve is open. If the water level in the RCIC storage tank falls below a preselected level, first the suppression pool suction valve automatically opens and then the RCIC storage tank suction valve automatically closes. Two level transmitters are used to detect low water level in the RCIC storage tank. Either of the two level transmitters can cause the suppression pool suction valve to open and the RCIC storage valve to close. The suppression pool suction valve also automatically opens if high water level is detected in the suppression pool. Two level transmitters monitor this water level and either transmitter can initiate opening of the suppression pool suction valve. To prevent losing suction to the pump on a manual or automatic transfer from the RCIC storage tank to the suppression pool, the RCIC storage tank suction valve is interlocked so that the suppression pool suction valve must be open before the tank valve closes. The instrumentation required to transfer RCIC and HPCS pumps suction from the CST to the suppression pool is seismically qualified. The instrumentation does conform to the single failure CPS/USAR CHAPTER 07 7.3-4 REV. 11, JANUARY 2005 criterion in that the instrumentation to transfer RCIC is electrical separation division 1 and the instrumentation to transfer HPCS is electrical separation division 3. The instrument sensing lines are protected from freezing by location inside the fuel building. 
(Q&R 421.1)

HPCS injection of water is terminated automatically with closure of the HPCS injection valve. High reactor water level (Level 8) will cause the automatic termination signal. HPCS can be terminated manually by shutting off the pump or closing the injection valve. The system must be reset, after a manual termination, before an automatic restart would be possible.

7.3.1.1.1.3.6 Bypasses and Interlocks

The HPCS pump motor, suppression pool suction valve and injection valve are provided with manual override controls which permit the operator to have manual control of the system following a LOCA. During test operation, the HPCS pump discharge can be routed to the RCIC storage tank or suppression pool. Motor-operated valves are installed in the test lines. The piping arrangement is shown in Drawing M05-1074 (HPCS P&ID). The control scheme for the valves is shown in drawing E02-1HP99. On receipt of an HPCS initiation signal, the test line valves close and remain closed. Also the valves in the test line to the RCIC storage tank are interlocked closed, if the suppression pool suction valve is not fully closed, to maintain the quantity of water in the suppression pool.

7.3.1.1.1.3.7 Redundancy and Diversity

The HPCS is actuated by reactor vessel low water level or drywell high pressure. Both of these conditions will result from a design basis loss-of-coolant accident. The HPCS system logic requires two independent reactor vessel water level measurements to concurrently indicate the high water level condition. When the high water level setpoint (Level 8) is reached following HPCS operation, flow to the reactor vessel is stopped by closing the injection valve until such time as the low water level initiation setpoint is reached. Should this latter condition recur, HPCS will be initiated to restore water level within the reactor.

7.3.1.1.1.3.8 Actuated Devices

All automatic valves in the HPCS system are equipped with remote-manual test capability.
The entire system can be manually operated from the main control room. Motor-operated valves are provided with limit switches to turn off the motor when the full open or closed positions are reached. Torque switches also control valve motor forces while the valves are seating. An ac motor-operated HPCS pump discharge valve is provided in the pump discharge pipeline. The control scheme for this valve is shown in drawing E02-1HP99. The valve opens on receipt of the HPCS initiation signal. The pump discharge valve closes automatically on receipt of a reactor high water level signal (Level 8).

7.3.1.1.1.3.9 Separation

7.3.1.1.1.3.9.1 General

Separation within the ECCS is such that no single failure can prevent core cooling when required. Control and instrumentation equipment wiring is segregated into four separate electrical divisions designated 1, 2, 3, and 4 (Figure 7.3-9). Similar separation requirements are also maintained for the control and motive power required. System separation is as follows: Division 1 Division 2 Division 3 Division 4 LPCS and RHR "A" RHR "B" and "C" HPCS HPCS ADS "A" RCIC ADS "B" Systems shown opposite each other are considered a backup to the other. Control logic for all Division 1 systems is powered by 125 Vdc NSPS bus A and for Division 2 systems is 125 Vdc NSPS bus B. Control logic for the Division 3 portion of HPCS is powered by 125 Vdc NSPS bus C. The Division 4 portion of HPCS for the control instrumentation logic is powered by 125 Vdc NSPS bus D from RPS system.

7.3.1.1.1.3.9.2 Separation

HPCS is a Division 3 and 4 system. (Figure 7.3-9) In order to maintain the required separation, HPCS control logic, cabling, manual controls and instrumentation are mounted so that divisional separation is maintained.

7.3.1.1.1.3.10 Testability

The high pressure core spray instrumentation and control system is capable of being tested during normal unit operation to verify the operability of each system component. Testing of the initiation transmitters which are located outside the drywell is accomplished by valving out each transmitter, one at a time, and applying a test pressure source. This verifies the operability of the transmitter, as well as the calibration range. The trip channel setpoint is verified by introducing a test signal with the calibrator and observing the display and indicator light on the output of the trip channel trip device (see Subsection 7.1.2.10). Main control room indications are provided.

Testing for functional operability of the control logic is accomplished by means of continuous automatic pulse testing. The Automatic Pulse Test (APT), the sixth test, discussed in RPS Testability 7.2.1.1.4.8 is also applicable for HPCS. Availability of the control equipment is verified during manual testing of the system with the pump discharge returning to the condensate storage tank. While the plant is at power, water is injected into the condensate storage tank by the high pressure core spray system during periodic testing. A design flow functional test of the HPCS system may be performed during plant shutdown by drawing suction from the suppression pool and discharging through a full flow test return line to the suppression pool.

7.3.1.1.1.3.11 Environmental Considerations

The only components located inside the drywell for HPCS system are the solenoid valve and valve position switches for the testable check valve on the pump discharge line, and maintenance block valve position switches. All other HPCS control and instrumentation equipment is located outside the drywell and is selected to meet the environmental considerations listed in Table 3.11-5. The level transmitters, instrument sensing lines, and process taps used to detect low water level in the RCIC storage tank are physically located inside the fuel building and thus are protected from the effects of cold weather.

7.3.1.1.1.3.12 Operational Considerations

7.3.1.1.1.3.12.1 General Information

Under abnormal or accident conditions where the system is required, initiation and control are provided automatically for at least 10 minutes. After 10 minutes, operator action may be required.

7.3.1.1.1.3.12.2 Reactor Operator Information

Pressure in the HPCS pump suction line is monitored by a pressure transmitter to permit the determination of suction head and pump performance. Numerous other indications pertinent to the operation and condition of the HPCS system are available to the control room operator as shown in Drawing M05-1074 (HPCS P&ID) and Drawing E02-1HP99.

7.3.1.1.1.3.12.3 Set Points

Instrument requirements such as range, accuracy, and function for the measured variables may be found in the Design Specification Data Sheets. See the CPS Technical Specifications and the Operational Requirements Manual (ORM) for instrument set points and allowable values.

7.3.1.1.1.4 Automatic Depressurization System (ADS) Instrumentation and Controls

7.3.1.1.1.4.1 System Identification

Automatic relief valves are installed on the main steam lines inside the drywell. The valves can be actuated in two ways; they will relieve pressure by a pressure transmitter and trip unit actuation with power or by mechanical actuation without power. The suppression pool provides a heat sink for steam relieved by these valves. Relief valve operation may be controlled manually from the control room to hold the desired reactor pressure. The depressurization by automatic blowdown is intended to reduce the pressure during a loss-of-coolant accident in which the HPCS allows selected reactor variables to exceed the ADS initiation point.

7.3.1.1.1.4.1.1 Equipment Design

The ADS consists of redundant pressure and water level sensor trip channels arranged in separated logics that control separate solenoid-operated air pilots on each valve. These pilot valves control the pneumatic pressure applied to an air cylinder operator. The operator controls the safety relief valve. Accumulators are included with the control equipment to store pneumatic energy for relief valve operation.

The accumulators can operate the safety relief valves two times at 70% of drywell design gage pressure following failure of the pneumatic supply to the accumulator. Cables from the sensors lead to two separate solid state safety system cabinets where the redundant logics are formed. Station batteries and solid state safety system power supplies energize the electrical control circuitry. The power supplies for the redundant divisions are separated to limit the effects of electrical failures. Electrical elements in the control system energize to cause the relief valves to open.

7.3.1.1.1.4.1.2 Initiating Circuits

Two ADS Subsystems for relief valve actuation are provided, ADS A and ADS B (see Figure 7.3-7). Division 1 sensors and control logic for low reactor water level and high drywell pressure initiate ADS A, and Division 2 sensors and control logic initiate ADS B. The Division 1 logic is mounted in a different cabinet than the Division 2 logic. The reactor vessel low water level initiation setting for the ADS is selected to depressurize the reactor vessel in time to allow adequate cooling of the fuel by the LPCI or LPCS system following a loss-of-coolant accident in which the HPCS fails to perform its function adequately.

The drywell high pressure setting is selected as low as possible without inducing spurious initiation of the automatic depressurization system. This provides timely depressurization of the reactor vessel if the HPCS fails to start or fails after it successfully starts following a loss-of-coolant accident. The low pressure pump discharge pressure setting used as a permissive for automatic depressurization is selected to assure that at least one of the three RHR pumps, or the LPCS pump, has received electrical power, started, and is capable of delivering water into the vessel. The setting is high enough to assure that the pump will deliver at near rated flow without being so low as to provide an erroneous signal that the pump is actually running. The pressure and level transmitters used to initiate one solenoid valve are separated from those used to initiate the other solenoid valve on the same ADS valve. Reactor vessel low water level is detected by six level sensors that measure differential pressure. Drywell high pressure is detected by four pressure sensors, which are located in the containment. The level instruments are piped so that an instrument sensing line break will not inadvertently initiate auto-blowdown. The drywell high pressure signals are arranged to seal into the control circuitry; they must be manually reset to clear. Time Delay Logics are used in each ADS control division. The first time delay is initiated by reactor vessel low water level (Level 1). It provides a bypass to the required coincident high drywell pressure signal by incorporating two 6-minute delay timers in a parallel circuit. This 6-minute delay length was calculated using the considerations described in Appendix D, Item II.K.3.18. If during the 6-minute delay, a high drywell pressure signal occurs, the ADS initiation signal proceeds beyond the 6-minute delay timers. 
If upon completion of the 6-minute delay, a high drywell pressure signal has not occurred, the ADS initiation signal proceeds further. Thus, automatic ADS initiation is provided, if required, for events such as a break external to the drywell or a stuck open SRV. The second delay time setting before actuation of the ADS is 105 seconds. It is initiated after confirming that water level is still below Level 3 and is long enough that the HPCS has time to operate, yet not so long that the LPCI and LPCS systems are unable to adequately cool the fuel if the HPCS fails to start. An alarm in the control room is annunciated when either of the two 105-second timers is timing. Resetting the ADS initiating signals recycles the timers.

The primary level sensing logic does not seal itself in. Therefore, if the reactor level is restored sufficiently to reset the previous actuation setpoints before the 105-second timer times out, that timer automatically resets and auto-depressurization is aborted. Should additional level dips occur across the setpoints, the timer recycles with each one. The ADS actuation initiation logic seals itself in and must be manually reset to clear. The seal-in occurs only after solenoid energization and continues even if the initiating signals clear.

There are no interlocks in the ADS circuitry which prevent the operator from manually resetting the ADS timers multiple times. However, this design is consistent with all recent GE BWR ADS designs. Deliberate repetitive operator action is required every 100-120 seconds to override ADS initiation. ADS will initiate automatically without the operator action. Symptom-oriented emergency procedures will address those instances where override of ADS is necessary. Those procedures will also address instances where confirmation of ADS actuation is required.

(Q&R 421.7)

7.3.1.1.1.4.1.3 Logic and Sequencing

Three initiation signals are used for the ADS: reactor vessel low water level (Level 3), drywell high pressure, and second (lower) reactor vessel low water level (Level 1). Either of two logic paths will initiate automatic ADS actuation:

1. Coincident low water level (Level 3), a second (lower) low water level (Level 1), the 6-minute time delay sequentially with a 105-second time delay, and an ECCS pump running; or
2. Coincident low water level (Level 3), a second water level (Level 1), a high drywell pressure, a 105-second time delay, and an ECCS pump running.

Drywell high pressure indicates a breach in the reactor coolant pressure boundary inside the drywell. A permissive signal indicating LPCI or LPCS pump discharge pressure is also used. Discharge pressure on any one of the three LPCI pumps or the LPCS pump is sufficient to give the permissive signal which permits automatic depressurization when the LPCI or LPCS systems are operable.

After receipt of the initiation signals and after a delay provided by the 105-second time delay logic, each of the two solenoid pilot air valves is energized. This allows pneumatic pressure from the accumulator to act on the air cylinder operator. The air cylinder operator holds the relief valve open. Lights in the main control room indicate when the solenoid-operated pilot valves are energized to open a safety relief valve.

The ADS Division 1 control logic actuates the "A" solenoid pilot valve on each ADS valve. Similarly, the ADS Division 2 control logic actuates the "B" solenoid pilot valve on each ADS valve. Actuation of either solenoid pilot valve causes the ADS valve to open to provide depressurization. Manual inhibit switches are provided which prevent automatic ADS actuation, but do not inhibit the pressure relief function, manual ADS actuation, or individual SRV control.

Manual reset circuits are provided for the ADS initiation signal and drywell high pressure signals. By manually resetting the initiation signal, the delay logic is recycled. The operator can use the reset push buttons to delay or prevent automatic opening of the relief valves if such delay or prevention is prudent.

Manual actuation pushbuttons are provided to allow the operator to initiate ADS immediately (no time delay) if required. Such initiation is performed by first rotating the collars surrounding the pushbuttons for each of two channels within one of the two divisions. An annunciator will sound to warn the operator that ADS is armed for that division. If the two pushbuttons are then depressed, the ADS valves will open. Though such manual action is immediate, the rotating collar permissives and duality of button sets combined with annunciators assure manual initiation of ADS to be a deliberate act.

Two control switches are available in the main control room for each safety/relief valve associated with the ADS. Each switch is associated with one of the two solenoid pilot valves and maintains the maximum electrical separation consistent with the required operability. The switch on the Division 1 (ESF Battery A) circuits is a three-position keylock type OFF-AUTO-OPEN located on the main control board. The OPEN position is for manual safety/relief valve operation. The Division 2 (ESF Battery B) switch may also be used for manual operation and has three positions (keylocked), OFF-AUTO-OPEN located on the Division 2 ADS panel. Manual opening of the relief valves provides a controlled nuclear system cool-down under conditions where the normal heat sink is not available.

7.3.1.1.1.4.1.4 Bypasses and Interlocks

The operator can manually inhibit and/or manually delay the depressurizing action through the use of the manual inhibit switches and/or the manual reset switches, respectively.
The manual inhibit switch prevents automatic ADS actuation, but does not inhibit the pressure relief function, manual ADS actuation, or individual SRV control. The manual reset switches reset both time delay logics to zero seconds and prevent depressurization for at least another 105 seconds.

The operator would make the decision to reset based on an assessment of other plant conditions. ADS is interlocked with the LPCS and RHR by means of pressure sensors located on the discharge of the LPCS or RHR pumps. These are the "low pressure ECCS pumps running" interlocks. However, there are no interlocks for manual initiation of ADS.

7.3.1.1.1.4.1.5 Redundancy and Diversity

The ADS is initiated by either a coincident low reactor vessel water level and a 6-minute time delay or a coincident high drywell pressure and low reactor vessel water level. The initiating circuits for each of these parameters are redundant as described by the circuit description of this Section. Diversity is provided by HPCS. Instrument requirements such as range, accuracy, and function for the measured variables may be found in the Design Specification Data Sheets.

7.3.1.1.1.4.1.6 Actuated Devices

Refer to Section 5.2.2.4.1 for a detailed description of nuclear safety/relief valves. For the number and location of the safety/relief valves that are designated as ADS valves refer to Drawing 796E724 Sheet 6 of 6. Each ADS valve is equipped with two solenoid pilot valves controlled by separate divisional logic. Actuation of either solenoid will open the associated ADS valve in its power operated mode. All ADS relief valves are actuated by any one of five methods:

(1) Automatic action in 90-120 seconds resulting from the logic chains containing the high drywell pressure trip in either Division 1 or Division 2 control logic actuation,
(2) Automatic action in 7.5 to 8 minutes resulting from the logic chains containing the 6-minute time delay in either Division 1 or Division 2 control logic actuation,
(3) Manual action by the operator,
(4) Pressure transmitter trip module contacts closing as a result of high reactor pressure, or
(5) Mechanical actuation as a result of high reactor pressure (higher than pressure in item (4)).
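The timer and seal-in behaviour described in 7.3.1.1.1.4.1.2 through 7.3.1.1.1.4.1.6 can be checked with a small simulation. The Python model below is an added illustration, not part of the USAR or of the plant's logic design; the class and scenario names, the 1-second step, and the points marked as assumptions in the comments are hypothetical, while the 6-minute and 105-second delays come from the text.

```python
from dataclasses import dataclass

BYPASS_DELAY_S = 6 * 60  # 6-minute drywell-pressure bypass timer (value from the text)
ADS_DELAY_S = 105        # 105-second ADS delay timer (value from the text)


@dataclass
class Inputs:
    level3_low: bool = False    # confirmatory low water level (Level 3)
    level1_low: bool = False    # second, lower low water level (Level 1)
    drywell_high: bool = False  # drywell high pressure trip
    pump_running: bool = False  # LPCI or LPCS pump discharge pressure permissive
    reset: bool = False         # manual reset push button
    inhibit: bool = False       # manual inhibit switch


class ADSDivision:
    """One division's automatic initiation logic, advanced in 1-second steps."""

    def __init__(self):
        self.drywell_sealed = False  # drywell high pressure seals in until reset
        self.bypass_timer = 0        # elapsed seconds on the 6-minute timer
        self.ads_timer = 0           # elapsed seconds on the 105-second timer
        self.actuated = False        # solenoid energized; seals in until reset

    def step(self, i: Inputs) -> bool:
        """Advance one second; return True while the pilot solenoid is energized."""
        if i.reset:
            # Manual reset clears both seal-ins and recycles both timers to zero.
            self.drywell_sealed = False
            self.bypass_timer = 0
            self.ads_timer = 0
            self.actuated = False
            return False
        if i.drywell_high:
            self.drywell_sealed = True
        if self.actuated:
            return True  # seal-in continues even if the initiating signals clear
        # Assumption: the 6-minute timer must finish before the 105-second timer
        # starts (the text calls the delays sequential), so test last step's value.
        bypass_done = self.bypass_timer >= BYPASS_DELAY_S
        # Level signals do not seal in: a recovered level resets the timers.
        self.bypass_timer = self.bypass_timer + 1 if i.level1_low else 0
        timing = i.level3_low and i.level1_low and (self.drywell_sealed or bypass_done)
        self.ads_timer = self.ads_timer + 1 if timing else 0
        # Assumption: pump permissive and inhibit are checked at the output stage.
        if self.ads_timer >= ADS_DELAY_S and i.pump_running and not i.inhibit:
            self.actuated = True
        return self.actuated


def seconds_to_actuation(scenario, horizon_s=1200):
    """Run scenario(t) -> Inputs for t = 1..horizon_s; return the first second
    at which the solenoid is energized, or None if it never is."""
    logic = ADSDivision()
    for t in range(1, horizon_s + 1):
        if logic.step(scenario(t)):
            return t
    return None


# Constructed scenarios (not plant data).
def break_inside_drywell(t):
    return Inputs(level3_low=True, level1_low=True, drywell_high=True, pump_running=True)


def break_outside_drywell(t):
    # No drywell pressure signal: the 6-minute bypass path must carry initiation.
    return Inputs(level3_low=True, level1_low=True, pump_running=True)


def drywell_spike(t):
    # Drywell pressure trips for 5 s only; the seal-in keeps the signal.
    return Inputs(level3_low=True, level1_low=True, drywell_high=t <= 5, pump_running=True)


def level_recovers(t):
    low = t <= 60  # level restored before the 105-second timer times out
    return Inputs(level3_low=low, level1_low=low, drywell_high=True, pump_running=True)


def operator_resets_every_100s(t):
    return Inputs(level3_low=True, level1_low=True, drywell_high=True,
                  pump_running=True, reset=(t % 100 == 0))


if __name__ == "__main__":
    for s in (break_inside_drywell, break_outside_drywell, drywell_spike,
              level_recovers, operator_resets_every_100s):
        print(f"{s.__name__}: {seconds_to_actuation(s)}")
```

Under these assumptions the two automatic paths actuate at 105 s and 465 s, which fall inside the 90-120 second and 7.5 to 8 minute ranges quoted for methods (1) and (2), and a reset repeated every 100 seconds holds off actuation indefinitely.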
7.3.1.1.1.4.1.7 Separation

ADS is a Division 1 and Division 2 system except that only one set of relief valves is supplied. Each relief valve can be actuated by either of two solenoid pilot valves supplying air to the relief valve air piston operators. One of the solenoid pilot valves is operated by Division 1 logic and the other by Division 2 logic. Control logic manual controls and instrumentation are mounted so that Division 1 and Division 2 separation is maintained. Separation from Divisions 3 and 4 is likewise maintained.

7.3.1.1.1.4.1.8 Testability

ADS has two complete control logics, one in Division 1 and one in Division 2. Each control logic has two circuits, both of which must operate to initiate ADS. One circuit contains time delay logic to give HPCS an opportunity to start. The ADS instrument channel signals are tested by cross comparison between the channels which bear a known relationship to each other.

Indication for each instrument channel is mounted in the respective logic cabinet. The logic is tested continuously by automatic pulse testing. The Automatic Pulse Test (APT), the sixth test, discussed in RPS Testability 7.2.1.1.4.8 is also applicable here for ADS. The instrument channel set points may be verified by introducing a test signal with the calibrator and moving the signal towards trip (see Subsection 7.1.2.10). The set point is verified by observing the display and the indicator light on the output of the instrument channel trip device. Testing of ADS does not interfere with automatic operation if required by an initiation signal. The pilot solenoid valves can also be tested when the reactor is not pressurized. For further discussion of ADS control logic testability see Subsection 7.2.1.1.4.8.

7.3.1.1.1.4.1.9 Environmental Considerations

The signal cables, solenoid valves, and safety/relief valve operators, are the only essential control and instrumentation equipment for the ADS located inside the drywell. These items, and all other equipment located outside the drywell, will operate in their worst-case environments shown in the Section 3.11 tables. Gamma and neutron radiation is also considered in the selection of these items. Equipment located outside the drywell will also operate in their normal and accident environments.

7.3.1.1.1.4.1.10 Operational Considerations

7.3.1.1.1.4.1.10.1 General Information

The instrumentation and controls of the ADS are not required for normal plant operations. When automatic depressurization is required, it will be initiated automatically by the circuits described in this Section. No operator action is required for at least 10 minutes following initiation of the system.

7.3.1.1.1.4.1.10.2 Reactor Operator Information

A temperature element is installed on the safety/relief valve discharge piping several feet from the valve body. The temperature element is connected to a multipoint recorder in the control room to provide a means of detecting safety/relief valve leakage during plant operation. When the temperature in any safety/relief valve discharge pipeline exceeds a preset value, an alarm is sounded in the main control room. The alarm setting is enough above normal rated power drywell ambient temperatures to avoid spurious alarms, yet low enough to give early indication of safety/relief valve leakage. See 7.5.1 for discussion of suppression pool temperature monitors.

7.3.1.1.1.4.1.10.3 Set Points

Instrument requirements such as range, accuracy, and function for the measured variables may be found in the Design Specification Data Sheets. Refer to the CPS Technical Specifications and Operational Requirements Manual (ORM) for setpoints and allowable values.
Discussions on instrument accuracy may be found in Topical Report NEDO-21617-A.

7.3.1.1.1.4.2 Safety-Relief Valve Subsystem

The nuclear pressure relief system is designed to prevent over-pressurization of the nuclear system that could lead to the failure of the reactor coolant pressure boundary. Details of the design bases are discussed in Subsection 5.2.2.

7.3.1.1.1.4.2.1 Equipment Design

The automatic safety-relief system (drawing E02-1NB99) consists of redundant reactor pressure instrument channels arranged in separated logics that control separate solenoid-operated air pilots on each valve. These pilot valves control the pneumatic pressure applied to an air cylinder operator. Accumulators are included with the control equipment to store the pneumatic energy for relief valve operation. SRV's are initiated by reactor vessel pressure. Cables from the sensors for vessel pressure lead to two separate logic cabinets where the redundant logics are formed. Separate station batteries power the electrical control circuitry. The power supplies for the redundant logics are separated to limit the effects of electrical failures. Electrical elements in the control system energize to cause the relief valve to open.

7.3.1.1.1.4.2.2 Initiating Circuits

Reactor pressure is detected by four pressure transmitters (2 for each division), which are located in the containment. The logic requires a two-out-of-two trip on vessel pressure to prevent inadvertent SRV actuation. The logic is arranged such that no single failure will prevent SRV actuation or cause more than one SRV to inadvertently actuate.

7.3.1.1.1.4.2.3 Logic and Sequencing

Two initiation signals are used for SRV actuation. Two-out-of-two reactor vessel high pressure signals are required to initiate the safety-relief valves. High vessel pressure indicates the need for SRV actuation to prevent nuclear steam overpressure. After receipt of the initiation signal, each of the two solenoid pilot air valves on each safety-relief valve is energized. Either or both solenoid actuations allow pneumatic pressure from the accumulator to act on the air cylinder operator. The air cylinder operator holds the relief valve open. Lights in the main control room indicate when the solenoid-operated pilot valves are energized to open a safety-relief valve. The SRV's remain open until system pressure drops below the high pressure setpoint. Manual system-level initiation of the SRV's is accomplished by a control switch in the Division 1 portion of the main control room panel or by a control switch in the Division 2 portion of the main control room panel.

Two redundant SRV trip systems are provided in the two divisional cabinets. Each division feeds its respective solenoid pilot valve.

7.3.1.1.1.4.2.4 Redundancy and Diversity

The SRV logic is initiated by high reactor pressure. The initiating circuits for this variable are redundant, as explained in the circuit description of this Section. There is no diversity provided.

7.3.1.1.1.4.2.5 Actuated Devices

Refer to Section 5.2.2.4.1 for a detailed description of the nuclear safety/relief valves. Refer to Drawing 796E724 Sheet 6 of 6 for the number and location of the valves. All relief valves are actuated by three methods: (1) automatic action resulting from the logic chains in either Division 1 or Division 2 trip system actuating; (2) manual action by the operator; and (3) mechanical actuation as a result of high reactor pressure.

SRV logic is a Division 1 and Division 2 system, except that only one set of relief valves is supplied. Each relief valve can be actuated by either of two solenoid pilot valves supplying air to the relief valve air piston operators. One of the solenoid pilot valves is operated by Division 1 and the other by Division 2. Logic circuitry, manual controls and instrumentation are mounted so that Division 1 and Division 2 separation is maintained. Separation from Divisions 3 and 4 is likewise maintained.

7.3.1.1.1.4.2.6 Bypasses and Interlocks

In order to assure that no more than one relief valve reopens following a reactor isolation event, two non-automatic depressurization system (ADS) safety/relief valves are provided with lower reopening and reclosing setpoints and three safety/relief valves (two non-ADS and one ADS) with lower reclosing setpoints. On initial relief mode actuation of any safety/relief valve (SRV) these setpoints override the normal setpoints and act to hold open these valves longer, thus preventing more than a single valve from reopening subsequently.
This system logic is referred to as the low-low set relief logic and functions to ensure that the containment design basis of one safety/relief valve operating on subsequent actuations is met. When reactor pressure reaches any of the normal relief setpoint levels, low-low set logic automatically seals itself into control of the five selected valves and actuates the annunciator. This logic remains sealed in until manually reset by the operator. Once the low-low set valves have opened along with the others in their setpoint group, the low-low set logic acts to hold the low-low set valves open past their normal reclose point until the pressure decreases to a predetermined "low-low" setpoint. Thus, these valves remain open longer than the other safety/relief valves. This extended relief capacity assures that no more than one valve will reopen a second time. Also, the seal-in logic provides two of the low-low set valves with new reopening setpoints which are lower than their original SRV setpoints. These two valves provide redundancy in case of a single valve failure.

The low-low set logic is designed with the same redundancy and single failure criteria as the safety-relief logic; i.e., no single electrical failure will: (1) prevent any low-low set valve from opening, (2) cause inadvertent seal-in of low-low set logic, or (3) cause more than one valve to inadvertently open or stick open.

The five valves associated with low-low set are arranged in three independent secondary setpoint groups or ranges (low, medium, high). The "low" and "medium" pressure ranges consist of one valve each, having both "reopen" and "reclose" setpoints independently and uniquely adjustable. These are set considerably lower than their normal SRV setpoints. The remaining three valves are simultaneously controlled by the "high" range sensors which have an independently adjustable "reclose" setpoint. The normal SRV opening setpoint is retained for this valve group though reclose is extended in the low-low set operating mode.

The sensors are arranged in two trains for each division. These conform to safety relief logics "A" and "E" for Division 1 and "B" and "F" for Division 2. The single-failure criterion is maintained because 2-out-of-2 logic trains (per division) are required to open the valves and 1-out-of-2 in each division acts to reclose them. The input signals to the valve solenoids are also separated such that no single valve logic or load driver card failure within the NSPS will actuate the ADS or open a single or multiple ADS/SRV. The low range sensors which control the first valve solenoid are placed in logic E[F] and the medium range sensors which control the second valve solenoids are placed in logic A[B]. The highest pressure sensors act on three valves simultaneously. Therefore, these are also arranged in redundant 2-out-of-2 (A.E)+(B.F) logic to maintain "single failure proof" integrity.

7.3.1.1.1.4.2.7 Testability

The SRV system has two complete logics, one in Division 1 and one in Division 2. Either one can initiate depressurization. Each logic has two trains, both of which must operate to actuate the SRV. The SRV instrument channel signals are tested by cross-comparison between the channels which bear a known relationship to each other. Indication for each instrument channel is mounted in the respective logic cabinets. The logic is tested continuously by automatic pulse testing. The Automatic Pulse Test (APT), the sixth test, discussed in RPS Testability 7.2.1.1.4.8 is also applicable here for SRV. The instrument channel setpoints may be verified by introducing a test signal with the calibrator and moving the signal towards trip. The setpoint is verified by observing the display and the indicator light on the output of the instrument channel trip device. Testing does not interfere with automatic operation if required by an initiation signal. For further discussion of ADS control logic testability see Subsection 7.2.1.1.4.8.

7.3.1.1.1.4.2.8 Environmental Considerations

The solenoid valves and their cables and the safety-relief valve operators are the only control and instrumentation equipment for the SRV system located inside the drywell. Equipment located outside the drywell will also operate in their normal and accident environments. See Subsection 7.5.1.4.2.4 for further discussion of suppression pool temperature monitors.

7.3.1.1.1.5 Low Pressure Core Spray (LPCS) - Instrumentation and Controls

7.3.1.1.1.5.1 System Identification

The Low Pressure Core Spray (LPCS) system will supply sufficient cooling water to the reactor vessel to adequately cool the core following a design basis loss-of-coolant accident. Significant LPCS design parameters are provided in Table 6.3-8.

7.3.1.1.1.5.2 Equipment Design

The LPCS includes one ac pump, appropriate valves, and piping to route water from the suppression pool to the reactor vessel (see Drawing M05-1073 (LPCS P&ID)). Except for the testable check valve, which is inside the drywell, the transmitter and valve closing mechanisms for the LPCS system are located in the containment and auxiliary building. Cables from the sensors are routed to the analog trip modules, then to the decision logic cards and then to the output load drivers.

7.3.1.1.1.5.3 Power Sources

The LPCS pump and automatic valves are powered from the division 1 ESF ac bus that is capable of receiving standby power. Control power for the LPCS comes from ESF battery A. Control and motive power for the LPCS is from the same source as for LPCI Loop A.

7.3.1.1.1.5.4 Initiating Circuits

Reactor vessel low water level is monitored by two level transmitters that sense the difference between the pressure due to a constant reference leg of water and the pressure due to the actual height of water in the vessel. Each level transmitter provides an input to an analog trip module located in the divisional cabinet in the main control room.
Drywell pressure is monitored by two pressure transmitters mounted on instrument racks in the containment. Instrument sensing lines that terminate in the containment allow the transmitters to communicate with the drywell interior. Each drywell pressure transmitter provides an input to an analog trip module located in the divisional cabinet in the main control room. Two reactor vessel low water level trip units and two drywell high pressure trip units are electrically connected in a one-out-of-two twice arrangement so that no single event can prevent initiation of LPCS. (See Figure 7.3-7) Instrument requirements such as range, accuracy, and function for the measured variables may be found in the Design Specification Data Sheets. The LPCS initiation signal also initiates the Division I diesel generator.

7.3.1.1.1.5.5 Logic and Sequencing

The LPCS initiation logic is depicted in Figure 7.3-7 in a one-out-of-two-twice network using level and pressure trip units. The initiation signal will be generated when:

(1) both level trip units are tripped, or
(2) both pressure trip units are tripped, or
(3) either of two other combinations of one level sensor and one pressure sensor is tripped.

Once an initiation signal is received by the LPCS control circuitry, the signal is sealed in until manually reset. The seal-in feature is shown in E02-1LP99.

7.3.1.1.1.5.6 Bypasses and Interlocks

The LPCS pump motor and injection valve are provided with manual override controls which permit the operator manual control of the system following automatic initiation. Two pressure transmitters are installed in the pump discharge pipeline upstream of the pump discharge check valve. This pressure signal is used in the ADS to indicate that the LPCS pump is running.

7.3.1.1.1.5.7 Redundancy and Diversity

The LPCS is actuated by reactor vessel low water level and/or drywell high pressure. Both of these conditions will result from a design basis loss-of-coolant accident. As described in Subsection 7.3.1.1.1.5.5, "Logic and Sequencing," if one low level transmitter or trip unit fails, either high drywell pressure or a combination of low level and drywell pressure transducers will initiate LPCS. If one high drywell pressure transmitter or trip unit fails, either low level or a combination of low level and high drywell pressure trip units will initiate the LPCS system. LPCS is a single pump system but is backed up by LPCI A within ECCS Division 1. Two pressure transmitters monitor the pressure between the injection valve and the testable check valve. The Division 1 systems (LPCS, RHR A) and the Division 2 systems (RHR B, RHR C) are further backed up by the Division 3 HPCS.
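The one-out-of-two-twice vote of Subsection 7.3.1.1.1.5.5 and the single-failure argument of Subsection 7.3.1.1.1.5.7 can be checked exhaustively. The following Python model is an added illustration, not part of the USAR or of any plant software; the unit names L1, L2, P1, P2 and the pairing of L1 with P1 and L2 with P2 are assumptions chosen to reproduce the initiating combinations listed above.

```python
from itertools import combinations

# Two reactor vessel low water level trip units (L1, L2) and two drywell high
# pressure trip units (P1, P2). Names and pairing are assumed for illustration.
UNITS = ("L1", "L2", "P1", "P2")


def initiation(tripped):
    """One-out-of-two-twice vote: (L1 or P1) and (L2 or P2)."""
    tripped = set(tripped)
    return bool(tripped & {"L1", "P1"}) and bool(tripped & {"L2", "P2"})


def minimal_trip_sets():
    """Smallest sets of tripped units that generate the initiation signal."""
    found = []
    for size in range(1, len(UNITS) + 1):
        for combo in combinations(UNITS, size):
            covered = any(set(prev) <= set(combo) for prev in found)
            if initiation(combo) and not covered:
                found.append(combo)
    return sorted(found)


def tripped_units(level_low, pressure_high, stuck=None, spurious=None):
    """Units that end up tripped for given plant conditions and one fault.

    stuck    -- unit that never trips (failed transmitter or trip unit)
    spurious -- unit that trips although its variable is normal
    """
    tripped = set()
    for unit in UNITS:
        demanded = level_low if unit.startswith("L") else pressure_high
        if (demanded and unit != stuck) or unit == spurious:
            tripped.add(unit)
    return tripped


def single_failure_report():
    """Evaluate every single-unit fault in three plant states."""
    report = {}
    for unit in UNITS:
        is_level = unit.startswith("L")
        report[unit] = {
            # Design basis LOCA: low level and high drywell pressure together.
            "loca_unit_stuck": initiation(
                tripped_units(True, True, stuck=unit)),
            # Normal operation with one unit tripping by mistake.
            "normal_unit_spurious": initiation(
                tripped_units(False, False, spurious=unit)),
            # Only the failed unit's own variable is abnormal.
            "own_variable_only_unit_stuck": initiation(
                tripped_units(is_level, not is_level, stuck=unit)),
        }
    return report


if __name__ == "__main__":
    print("minimal initiating combinations:", minimal_trip_sets())
    for unit, row in single_failure_report().items():
        print(unit, row)
```

In this model every unit can be stuck during a LOCA without blocking initiation, and no single spurious trip initiates the system. With only the failed unit's own variable abnormal the vote does not complete, which is the reliance on the second, diverse variable that Subsection 7.3.1.1.1.5.7 describes.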
7.3.1.1.1.5.8 Actuated Devices

The control arrangement for the LPCS pump is shown in drawing E02-1LP99. The LPCS pump can be controlled by a control room remote switch or by the automatic control system.

Control arrangements for the automatic valves in the LPCS system are shown in drawing E02-1LP99. Motor-operated valves are provided with limit switches to turn off the motor when the full open or close positions are reached. Torque switches are also provided to control valve motor forces when valves are closing. Thermal over-load devices are placed in service during system test, maintenance or valve repositioning during normal operation. All motor-operated valves have limit switches that provide main control room indication of valve position. Each automatic valve can be operated from the main control room. The LPCS system pump suction valve to the suppression pool is normally open. To position the valve, a keylock switch located in main control room is used. On receipt of a LPCS initiation signal, the LPCS test line valve is signaled to close (it is normally closed during operation) to assure that the main system pump discharge is correctly routed. The LPCS injection valve is automatically opened upon receipt of the initiation signal when the low reactor pressure permissive is satisfied (as discussed in Section 7.6.1.3).

7.3.1.1.1.5.9 Separation

LPCS is a Division 1 system. In order to maintain the required separation, LPCS logic, manual controls, cabling and instrumentation are mounted so that separation from other divisions is maintained.

7.3.1.1.1.5.10 Testability

The LPCS is capable of being tested during normal operation. Pressure and low water level initiation transmitters are individually valved out of service and subjected to a test pressure.

This verifies the operability of the transmitter as well as the calibration range. The instrument channel trip set point is verified by manually introducing a test signal with the calibrator and observing the channel display and the indicator light on the output of the control device (see Subsection 7.1.2.10). The logic is tested by automatic pulse testing. The Automatic Pulse Test (APT), the sixth test, discussed in RPS Testability 7.2.1.1.4.8 is also applicable here for LPCS.

Other control equipment is functionally tested during manual testing of each loop. Indications in the form of panel lamps and annunciators are provided in the main control room. For further discussion of LPCS control logic testability see Subsection 7.2.1.1.4.8.

7.3.1.1.1.5.11 Environmental Considerations

The only control component pertinent to LPCS system operation that is located inside the drywell is the control mechanism for the check valve on the LPCS injection line. This item, and all other equipment located outside the drywell, will operate in their worst-case environments as shown in the Section 3.11 tables.

7.3.1.1.1.5.12 Operational Considerations

7.3.1.1.1.5.12.1 General Information

When the LPCS is required for abnormal and accident conditions, it will be initiated automatically and no operator action will be required for at least 10 minutes. After this time, manual operation may be initiated.

7.3.1.1.1.5.12.2 Reactor Operator Information

Sufficient temperature, flow, pressure, and valve position indications are available in the control room for the operator to accurately assess LPCS system operation. Valves have indications of full open and full closed positions. The pump has indications for pump running and pump stopped. Alarm and indication devices are shown in Drawings M05-1073 (LPCS P&ID) and E02-1LP99.

A leak detection system continuously confirms the integrity of the LPCS and RHR A injection line piping to the reactor vessel. A differential pressure transmitter measures the pressure difference between the two injection lines. If the LPCS and RHR A piping is not broken/displaced, the pressure difference will be very small between these lines. If piping integrity is lost, an increase in differential pressure will initiate an alarm in the control room.

7.3.1.1.1.5.12.3 Set Points

Instrument requirements such as range, accuracy, and function for the measured variables may be found in the Design Specification Data Sheets. See the Operational Requirements Manual (ORM) for instrument setpoints.

7.3.1.1.1.6 Low Pressure Coolant Injection (LPCI) - Instrumentation and Controls

7.3.1.1.1.6.1 System Identification

Low pressure coolant injection (LPCI) is an operating mode of the residual heat removal system (RHR). The RHR system and its operating modes are discussed in Chapter 5. Because LPCI is designed to provide water to the reactor vessel following the design basis loss-of-coolant accident, the controls and instrumentation for it are discussed here. Significant LPCI design parameters are provided in Table 6.3-8.

7.3.1.1.1.6.2 Equipment Design

Drawing M05-1075 (RHR P&ID) shows the entire RHR system, including the equipment used for LPCI operation. Control and instrumentation required for the operation of the LPCI mode are essential.

The instrumentation for LPCI operation controls other valves in the RHR. This ensures that the water pumped from the suppression pool by the main system pumps is routed directly to the reactor. These interlocking features are described in this Subsection. LPCI operation uses three pump loops, each loop with its own separate vessel injection nozzle. Drawing M05-1075 (RHR P&ID) shows the location of instruments, control equipment, and LPCI components. Except for the LPCI testable check valves, the components pertinent to LPCI operation are located outside the drywell. Motive power for the RHR system pumps is supplied from ac buses that can receive standby ac power. Two pumps are powered from the division 2 ESF bus and the third pump from the division 1 ESF bus, which also powers the LPCS. Motive power for the automatic valves comes from the bus that powers the pumps for that loop. Control power for the LPCI components comes from the dc buses. Trip channels for LPCI B and LPCI C are shown in drawing E02-1RH99. Trip channels for LPCI A are similar to Channel B. LPCI is arranged for automatic and remote-manual operation from the control room.

7.3.1.1.1.6.3 Initiating Circuits

LPCI A

LPCI A is initiated from the LPCS logic circuits, described in Subsection 7.3.1.1.1.5.4, "Initiating Circuits."

LPCI B and C

Reactor vessel low water level is monitored by two level transmitters mounted on instrument racks in the containment that sense the difference between the pressure due to a constant reference leg of water and the pressure due to the actual height of water in the vessel. Each level transmitter provides an input to an analog trip module unit located in the control room. Drywell pressure is monitored by two pressure transmitters mounted on instrument racks in the containment. Each drywell transmitter provides an input to an analog trip module unit located in the main control room. The signals from level trip units and the two pressure trip units are electrically connected in a one-out-of-two-twice arrangement so that no single instrument failure event can prevent initiation of LPCI B and C. The initiation logic for LPCI B and C is shown in Figure 7.3-8. Instrument requirements such as range, accuracy, and function for the measured variables may be found in the Design Specification Design Sheets. The LPCI B and C initiation logic also initiates the Division II diesel/generator.

7.3.1.1.1.6.4 Logic and Sequencing

The overall LPCI operating sequence following the receipt of an initiation signal is as follows:

(1) The valves in the suction paths from the suppression pool are normally open except in shutdown cooling mode and require no automatic action to line up suction.
(2) The LPCI system pump C starts immediately, taking suction from the suppression pool. The LPCI A and B pumps start after a time delay to limit the loading of the standby power sources.
(3) Valves used in other RHR modes (except pump suction) are automatically positioned so the water pumped from the suppression pool is routed for LPCI operation.
(4) When nuclear system pressure has dropped to a value at which the LPCI system pumps are capable of injecting water into the vessel, the LPCI injection valves automatically open, and water is delivered to the reactor vessel until vessel water level is adequate to provide core cooling and the LPCI pumps are manually shut off.

LPCI A initiation logic is common to the LPCS and is separated from the initiation logic for LPCI B and LPCI C. Each initiation uses the same logic form; however, LPCI A uses only Division 1 logic, and LPCI B and LPCI C use only Division 2 logic. Each logic consists of two level instrument channels and two drywell high pressure instrument channels. After an initiation signal is received by the LPCI control circuitry, the signal is sealed in until manually reset. The seal-in feature is shown in drawing E02-1RH99.

7.3.1.1.1.6.5 Bypasses and Interlocks

The LPCI pump motor and injection valve are provided with manual override controls which permit the operator manual control of the system following automatic initiation.

7.3.1.1.1.6.6 Redundancy and Diversity

The LPCI is actuated by reactor vessel low water level and/or drywell high pressure. Both of these conditions will result from a design basis loss-of-coolant accident and may result from lesser LOCAs.
As described in 7.3.1.1.1.5.7, the LPCS "Redundancy and Diversity," if one low level transmitter or trip unit fails, either the high drywell pressure or a combination of low level and drywell pressure transmitters and trip units will initiate LPCI. Two pressure transmitters monitor pressure between the injection valve and the testable check valve. These two divisions of low pressure emergency core cooling systems are further backed-up by the Division 3 HPCS.

7.3.1.1.1.6.7 Actuated Devices

The functional control arrangement for the LPCI system pumps is shown in drawing E02-1RH99. Sequential loading times are provided in Table 8.3-13.

Two pressure transmitters and trip units are installed in each pump discharge pipeline to verify that pumps are operating following an initiation signal. The pressure signal is used in the automatic depressurization system to verify availability of low pressure core cooling. All automatic valves used in the LPCI function are equipped with remote-manual test capability. The entire system can be operated from the main control room. Motor-operated valves have limit switches to turn off the motor when the full open or close positions are reached. Torque switches are also provided to control valve motor forces when valves are seating. Thermal overload devices are used to provide alarms of overload conditions and to protect motors from overload conditions by temporarily defeating the bypass during valve repositioning for routine operation, maintenance and testing. Valves that have vessel and containment isolation requirements are described in Subsection 7.3.1.1.2. The RHR system pump suction valves from the suppression pool are normally open. To reposition the valves, a keylock switch must be turned in the main control room. On receipt of a LPCI initiation signal, certain reactor shutdown cooling system valves and the RHR test line valves are signaled to close (although they are normally closed) to assure that the RHR system pump discharge is correctly routed. If in shutdown cooling mode, operator action is required to place the system in LPCI mode. Time delay logic similar to that used in the RHR system pump control circuitry cancels the LPCI open signal to the heat exchanger bypass valves after a 10-minute delay. The signal cancellation allows the operator to control the flow through the heat exchangers for other post-accident purposes.

7.3.1.1.1.6.8 Separation

LPCI circuits are in Division 1 (RHR A) and Division 2 (RHR B and C).
In order to maintain the required separation, LPCI logic circuits, manual controls, cabling and instrumentation are mounted so that Divisions 1 and 2 separation is maintained. Separation from Division 3 is likewise maintained.

7.3.1.1.1.6.9 Testability

The LPCI is capable of being tested during normal operation. Drywell pressure and low water level initiation transmitters are individually valved out of service and subjected to a test pressure. This verifies the operability of the transmitters as well as the calibration range. The instrument channel trip set point is verified by manually introducing a test signal with the calibrator and observing the channel display and the indicator light on the output of the trip device (see 7.1.2.10). The logic is tested by automatic pulse testing. The Automatic Pulse Test (APT), the sixth test discussed in RPS Testability 7.2.1.1.4.8, is also applicable here for this LPCI function of RHR. Other control equipment is functionally tested during normal testing of each loop. Indications in the form of panel lamps and annunciators are provided in the control room. For further discussion of LPCI control logic testability see Subsection 7.2.1.1.4.8.

7.3.1.1.1.6.10 Environmental Considerations

There are no control components pertinent to LPCI operation that are located inside the drywell. Other equipment, located outside the drywell, is selected in consideration of the normal and accident environments in which it must operate (see Table 3.11-5).

7.3.1.1.1.6.11 Operational Considerations

7.3.1.1.1.6.11.1 General Information

The pumps, valves, piping, etc., used for the LPCI are used for other modes of the RHR. Initiation of the LPCI mode is automatic and no operator action is required for at least 10 minutes. The operator may control the RHR system manually to use its capabilities in the other modes if the core is being cooled by other emergency core cooling systems.

7.3.1.1.1.6.11.2 Reactor Operator Information

Sufficient temperature, flow, pressure, and valve position indications are available in the control room for the operator to accurately assess LPCI operation. Valves have indications of full open and full closed positions. Pumps have indications for pump running and pump stopped. Alarm and indication devices are shown in Drawings M05-1075 (RHR P&ID) and E02-1RH99.

7.3.1.1.1.6.11.3 Set Points

Setpoints are discussed in the Operational Requirements Manual (ORM).

7.3.1.1.2 Containment and Reactor Vessel Isolation Control System (CRVICS) - Instrumentation and Controls

7.3.1.1.2.1 System Identification

The containment and reactor vessel isolation control system includes the sensors, channels, transmitters, and remotely activated valve closing mechanisms associated with the valves which, when closed, effect isolation of the containment or reactor vessel, or both. The CRVICS includes all systems and portions of systems that are required for reactor vessel and containment isolation during the various modes of operation. The CRVICS consists principally of instrumentation and actuation logic associated with the following systems, which perform the process monitoring and isolation signal development functions.

a. Nuclear Boiler System
b. Nuclear Steam Supply Shutoff System
c. Process Radiation Monitoring System

d. Leak Detection System
e. Reactor Protection System

The purpose of the system is to prevent the release of radioactive materials. The power generation objective of this system is to avoid spurious closure of particular isolation valves as a result of single failure. A specific identification of the number of instrument channels available for monitoring various parameters of CRVICS is depicted in Table 7.3-7.

7.3.1.1.2.2 System Power Sources

Power for the system logics of the isolation control system and main steam line isolation valves is supplied as shown in Figure 7.2-9 and Drawing E02-1RP99. Motor-operated isolation valves receive motive and control power from emergency buses. Power for the operation of two redundant valves in a line is supplied from separate ESF buses. Instrument channel trip units, transmitters and logic (with the exception of Division 3 Turbine Building area high temperature logic) are powered by ac/dc power supplies (NSPS Inverters or bypass regulating transformers) whose AC power is supplied from 1A1, 1B1 and 1C1 safety buses. The Division 3 Turbine Building area temperature logic power is supplied by Division 3 120VAC bus. The main steam line valves isolation motive power is accumulator air and spring force. Direct solenoid isolation valves in the RHR and Reactor Water Sample are isolated by spring force. Motive and control power for the outboard and inboard motor operated isolation valves is supplied from the ESF division 1 and 2 buses, respectively.

7.3.1.1.2.3 System Equipment Design

Pipelines that penetrate the containment and drywell and directly communicate with the reactor vessel have two isolation valves, one inside the drywell and one outside the containment.

These automatic isolation valves are considered essential for protection against the gross release of radioactive material in the event of a breach in the reactor coolant pressure boundary. Power cables run in raceways from the electrical source to each motor-operated isolation valve. Solenoid valve power goes from its source to the control devices for the valve. The main steam line isolation valve controls include pneumatic piping and an accumulator for those valves which use air as the emergency motive power source in addition to springs. Pressure, flow, temperature, and water level sensors are mounted on instrument racks in either the containment, auxiliary building, or the turbine building. Valve position switches are mounted on valves. Switches are encased to protect them from environmental conditions. The cables from each sensor are routed in a conduit and/or cable tray to the main control room. All signals transmitted to the main control room are electrical; no pipe from the nuclear system penetrates the main control room. The sensor cables and power supply cables are routed to cabinets in the main control room, where the system logic is located.

7.3.1.1.2.4 System Initiating Circuits

During normal plant operation, the isolation control system and trip logics that are essential to safety are energized. When abnormal conditions are sensed, the instrument channel trips, which causes the trip logic to respond and the actuators to deenergize and thereby initiate isolation. For the main steam line and main steam line drain isolation valve control, four instrument channels are provided for each measured variable. The instrument channel trips are combined into a two-out-of-four logic using isolation modules to assure that no single failure in one channel can prevent the safety action by disabling another channel nor can a single failure of one division logic prevent isolation from the remainder of the system (see Figure 7.3-2). The basic logic scheme for process lines, other than the main steam lines, is that the Division 1 and 4 instrument channels, monitoring an essential variable, provide inputs in a two-out-of-two logic configuration to the Division 1 trip logic. Similarly, Division 2 and 3 instrument channels provide inputs in a two-out-of-two configuration to the Division 2 trip logic. Four instrument channels for each monitored variable are provided to ensure that the protective action occurs when required and to prevent inadvertent isolation resulting from a single instrument channel malfunction. When more than one essential variable is monitored by instrument channels (i.e., level and pressure), the basic arrangement of inputs to the trip logic is one-out-of-two, twice.
However, when the essential monitored variable is either high area temperature or high differential flow (i.e., RWCU system), only one instrument trip is required for isolation. The trip logic output provides input to actuation devices (i.e., load drivers, relays, pilot solenoids), which, in turn, initiate the protective function via the actuated device (i.e., isolation valve). Two independent and identical trip logics provide a separate trip logic to each redundant isolation valve in a given process line (Division 1 trip logic for the outboard valves and division 2 trip logic for the inboard valves). Whenever a trip logic has been activated, the logic latches in the trip condition even if the initiating signal clears. Direct operator action is required (via a logic reset) to manually reset the trip condition. (The initiating signal must be cleared before the logic can be reset.) The isolation valve cannot be reopened until the trip logic is reset, except for specific valves where a manual override capability has been provided. This override capability is under administrative controls. For a more detailed logic description, see Figure 7.3-2. The reactor water cleanup system and residual heat removal system isolation valves are each controlled by two actuator (divisions 2 and 1) circuits, one each for the inboard and the outboard valves, respectively. The control system for the automatic isolation valves is designed to provide closure of valves in time to limit the loss of coolant from the reactor and thereby limit the release of radioactive material to the environment to levels below regulatory guidelines. A secondary design function is to prevent uncovering the fuel as a result of a break in those pipelines that the valve isolates.

7.3.1.1.2.4.1 Isolation Functions and Settings

The isolation functions for all valves are listed in Table 6.2-47. Isolation trip settings of the reactor vessel isolation control system are listed in the Operational Requirements Manual (ORM). The safety design bases of these isolation signals are discussed in the following paragraphs, and drawing E02-1NB99 illustrates how these signals initiate closure of isolation valves.

7.3.1.1.2.4.1.1 Reactor Vessel Low Water Level

7.3.1.1.2.4.1.1.1 Identification

A low water level in the reactor vessel could indicate that reactor coolant is being lost through a breach in the reactor coolant pressure boundary and that the core is in danger of becoming overheated as the reactor coolant inventory diminishes.

Reactor vessel low water level initiates closure of various valves. The valves isolated are listed in the Operational Requirements Manual (ORM). The closure of these valves is intended to isolate a breach in any of the pipelines in which the valves are contained, conserve reactor coolant by closing off process lines, and limit the escape of radioactive materials from the containment through process lines that communicate with the containment interior.

Three reactor vessel low water level isolation trip settings are used to complete the isolation of the containment and the reactor vessel. The first, and highest, reactor vessel low water level isolation trip setting initiates closure of RHR valves associated with shutdown cooling and discharge to radwaste. The second reactor vessel low water level isolation trip setting initiates closure of all valves in major process pipelines except the main steam lines. The main steam lines are left open to allow the removal of heat from the reactor core. The third (and lowest) reactor vessel low water level isolation trip setting completes the isolation of the containment and reactor vessel by initiating closure of the main steam line isolation valves and drain valves.

The first low water level setting is the RPS low water scram setting. Level 3 is set high enough to indicate inadequate vessel water makeup possibly indicative of a breach in the reactor coolant pressure boundary (RCPB) or process piping containing reactor coolant yet far enough below normal operation levels to avoid spurious isolation due to expected system transients.

The second low water level setting is selected to initiate isolation at the earliest indication of a possible breach in the reactor coolant pressure boundary, yet far enough below normal operational levels to avoid spurious isolation. Isolation of the following pipelines is initiated when reactor vessel low water level falls to this first setting. The specific isolation valves are listed in Table 6.2-47.

The third (and lowest) of the reactor vessel low water level isolation settings is selected low enough to allow the removal of heat from the reactor for a predetermined time following the scram. Isolation of pipelines is initiated when the reactor vessel water level falls to this third setting. The specific valves are listed in Table 6.2-47.

Reactor vessel low water level signals are initiated from four differential pressure transmitters. They sense the difference between the pressure caused by a constant reference leg of water and the pressure caused by the actual water level in the vessel.
Four pairs of instrument sensing lines, attached to taps above and below the water level in the reactor vessel, are required for the differential pressure measurement and terminate outside the drywell and inside the containment. The pairs are physically separated from each other and tap off the reactor vessel at widely separated points at two elevations. This arrangement assures that no single failure of a sensing line can prevent isolation, if required.

7.3.1.1.2.4.1.1.2 Power Supplies

Power is also supplied from a 120 Vac non-divisional bus. The instrument channels are supplied from 120 Vac NSPS buses "A", "B", "C", and "D" through dc logic power supplies (Divisional).

Main steam line isolation valves "A" solenoids are supplied from the 120 Vac RPS Bus "A" (Non-Divisional).

Main steam line isolation valves "B" solenoids are supplied from the 120 Vac RPS Bus "B" (Non-Divisional). ESF power is the control power source for all MOV and solenoid-operated isolation valves. Containment and drywell isolation valve motors or pilot solenoids, as appropriate, are powered from the redundant ESF buses.

7.3.1.1.2.4.1.1.3 Initiating Circuits

Four water level sensing circuits monitor the reactor vessel water level. Each level circuit is associated with a different instrument channel. Four level transmitters are installed at separate locations in the containment and are connected by four pairs of instrument lines to separate locations on the reactor vessel. This allows the earliest practical detection of reactor vessel low water level.

7.3.1.1.2.4.1.1.4 Logic and Sequencing

When reactor vessel low water level is detected, trip signals are transmitted to the CRVICS, which initiates closure of the isolation valves, and other isolation valves necessary to isolate the containment and drywell, as described in Subsection 7.3.1.1.2.4. There are four instrument channels provided to assure that the protective action occurs when required and to prevent inadvertent isolation resulting from instrumentation malfunctions. The output trip signals of the instrumentation channels are combined into two-out-of-four logics for MSLIVs and MSL drain valves and two-out-of-two logics for other isolation valves. Logic trips are arranged in two-out-of-two for the MSLIVs and MSL drain valves and one-out-of-two twice logics for other isolation functions.

7.3.1.1.2.4.1.1.5 Redundancy and Diversity

Redundancy of trip initiation for reactor vessel low water level is provided by four level transmitters installed at separated locations in the containment building. Each transmitter is supplied from a separate divisional power supply.
Diversity of trip initiation signals for a pipe break inside the containment is provided by reactor vessel low water and drywell high pressure. A decrease in reactor vessel water level or an increase in drywell pressure due to pipe break will initiate containment isolation.

7.3.1.1.2.4.1.1.6 Bypasses and Interlocks

Each logic division is provided with a bypass switch. This bypass is indicated in the main control room and interlocked such that only one division of sensor channel inputs can be bypassed at a time.

7.3.1.1.2.4.1.1.7 Testability

Testability is discussed in Subsections 7.3.2.2.2.3.1.9 and 7.3.2.2.2.3.1.10.
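The channel-to-division pairing and the latch described in Subsection 7.3.1.1.2.4 can be modelled in a few lines. The following Python model is an added illustration, not part of the USAR or of any plant software; the class and function names are hypothetical, a single monitored variable is assumed, and the "initiating signal" that blocks a reset is taken to be the voted input of that trip logic.

```python
from dataclasses import dataclass

DIVISIONS = (1, 2, 3, 4)  # one instrument channel per division


def two_out_of_four(channels):
    """Vote used for MSIVs and MSL drain valves: any two of four channels."""
    return sum(bool(channels[d]) for d in DIVISIONS) >= 2


@dataclass
class TripLogic:
    """Two-out-of-two trip logic for one isolation valve of a process line."""
    name: str
    inputs: tuple      # divisions whose channels feed this trip logic
    valve: str         # valve position served: "outboard" or "inboard"
    latched: bool = False

    def _vote(self, channels):
        return all(channels[d] for d in self.inputs)

    def evaluate(self, channels):
        """Latch on a completed vote and stay latched if the signal clears."""
        if self._vote(channels):
            self.latched = True
        return self.latched

    def reset(self, channels):
        """Operator reset, refused while the initiating signal is present."""
        if self._vote(channels):
            return False
        self.latched = False
        return True

    def valve_may_reopen(self):
        # Manual override valves under administrative control are not modelled.
        return not self.latched


def process_line_logics():
    """Trip logics for a process line other than the main steam lines."""
    return [
        TripLogic("Division 1", (1, 4), "outboard"),
        TripLogic("Division 2", (2, 3), "inboard"),
    ]


def valves_closed(channels):
    """Valves commanded closed for one snapshot of channel trips."""
    return sorted(
        logic.valve for logic in process_line_logics()
        if logic.evaluate(channels)
    )


if __name__ == "__main__":
    # Constructed channel states, not plant data.
    all_trip = {d: True for d in DIVISIONS}
    none = {d: False for d in DIVISIONS}
    print("all channels trip      :", valves_closed(all_trip))
    print("channel 1 spurious     :", valves_closed({**none, 1: True}))
    print("channel 4 fails to trip:", valves_closed({**all_trip, 4: False}))
    print("2-out-of-4, one stuck  :", two_out_of_four({**all_trip, 4: False}))
```

In this model a single spurious channel closes no valve, and a single channel that fails to trip disables only its own division's trip logic, leaving the other division to close the redundant valve in the line.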

7.3.1.1.2.4.1.2 Deleted

7.3.1.1.2.4.1.3 Main Steam Line - Area High Ambient Temperature

7.3.1.1.2.4.1.3.1 Identification

High ambient temperature in the main steam line tunnel or turbine building in which the main steam lines are located outside of the primary containment could indicate a leak in a main steam line. The automatic closure of various valves prevents the excessive loss of reactor coolant and the release of a significant amount of radioactive material from the reactor coolant pressure boundary. When high temperatures occur the following pipelines are isolated:

(1) All four main steam lines
(2) Main steam line drain
(3) Reactor water cleanup system (Tunnel temperature only)

The instrumentation for monitoring the main steam line tunnel temperatures is described in Subsection 7.6.1.4. The high temperature trip is set far enough above the temperature expected during operation at rated power to avoid spurious isolation, yet low enough to provide early indication of a steam line leak.

High ambient temperature in the vicinity of the main steam lines is detected by dual element thermocouples located near the main steam lines between the primary containment wall and the turbine. The ambient detectors are located or shielded so that they are sensitive to air temperature and not the radiated heat from hot equipment. Ambient detector outputs feed temperature switches (TSs). The cooling water temperature detectors are located in the supply and return lines of the main steam line tunnel area coolers. TSs provide contacts for the alarm and isolation initiation channels of CRVICS. The second element of certain dual element thermocouples is also monitored for main control room readout. A total of four main steam line high ambient temperature channels are provided in the main steam tunnel. A total of five channels is provided for the turbine building. Each main steam line isolation logic channel is tripped by high ambient temperature in the main steam tunnel or by high ambient temperature in the turbine building.

7.3.1.1.2.4.1.3.2 Power Supplies

Power supplies are discussed in Section 7.3.1.1.2.2.

7.3.1.1.2.4.1.3.3 Initiating Circuits

In each division one ambient temperature sensing channel monitors the main steam line tunnel area temperature, and five ambient temperature channels monitor the main steam line area temperature in the turbine building. Each ambient temperature trip channel consists of six temperature elements and six temperature switches. The ambient temperature elements are physically located near the main steam lines.

7.3.1.1.2.4.1.3.4 Logic and Sequencing

When a predetermined increase in main steam line tunnel ambient temperature is detected, trip signals are transmitted to the CRVICS. The containment and reactor vessel isolation control system initiates closure of all main steam line isolation and drain valves, and the reactor water cleanup system isolation valves. The main steam line isolation and drain valves will also receive a closure signal from the CRVICS when a predetermined increase in turbine building ambient temperature is detected. Four instrumentation circuits (divisions) are provided for each channel to assure protective action when needed and to prevent inadvertent isolation resulting from instrumentation malfunctions. The output trip signals of the instrument channels are combined in a two-out-of-four logic. The output trip signals of the logic divisions are combined in a two-out-of-two logic. Divisions 1 and 4 or Divisions 2 and 3 are required to initiate main steam line and main steam line drain isolation. Thus, failure of one division does not result in inadvertent actuation.

7.3.1.1.2.4.1.3.5 Redundancy and Diversity

Redundancy of trip initiation signals for high ambient temperature is provided by multiple thermocouples installed at different locations within the main steam line tunnel and turbine building. The temperature switch (TS) associated with each thermocouple provides an input to one of four channels. Ambient TS channel A trip is supplied from 120 Vac NSPS Bus A and TS channel B is supplied from 120 Vac NSPS Bus B. Ambient TS channel C is supplied from 120 Vac NSPS Bus C, and TS channel D is supplied from 120 Vac NSPS Bus D.

Diversity of trip initiation signals for main steam line leak is provided by main steam line tunnel ambient temperature and main steam line high flow instrumentation. An increase in ambient temperature or main steam line flow will initiate main steam line and main steam line drain valve isolation.

7.3.1.1.2.4.1.3.6 Subsystem Bypasses and Interlocks

There are no interlocks to other systems from main steam line high area temperature trip.

Keylocked bypass switches are provided which allow a bypass of the A or C isolation channel when the switch is in the bypass position. This bypass allows testing of the 120 Vac power monitor without causing an isolation to occur. The isolation channel B and D circuit arrangement allows power monitor testing without causing an isolation; therefore, no bypass switches are provided for channels B and D.

7.3.1.1.2.4.1.3.7 Testability

Testability is discussed in Subsection 7.6.1.4.5.

7.3.1.1.2.4.1.4 Main Steam Line-High Flow

7.3.1.1.2.4.1.4.1 Identification

Main steam line high flow could indicate a main steam line break. Automatic closure of isolation valves prevents excessive loss of reactor coolant and release of significant amounts of radioactive material from the reactor coolant pressure boundary. On detection of main steam line high flow, the following pipelines are isolated:

(1) All four main steam lines,
(2) Main steam line drain.

The main steam line high flow trip setting is high enough to permit isolation of one main steam line for test at rated power without causing an automatic isolation of the other steam lines, yet low enough to permit early detection of a steam line break. High flow in each main steam line is sensed by four differential pressure transmitters that sense the pressure difference across a single flow element in each line.

7.3.1.1.2.4.1.4.2 Power Supplies

Power supplies are discussed in Section 7.3.1.1.2.2.

7.3.1.1.2.4.1.4.3 Subsystem Initiating Circuits

Sixteen differential pressure transmitters, four for each main steam line, monitor the main steam line flow. Each differential pressure channel on a single main steam line is associated with a different electrical division. Four differential pressure transmitters are installed to sense flow in each main steam line and allow the earliest possible detection of a main steam line leak.

7.3.1.1.2.4.1.4.4 Logic and Sequencing

When excessive main steam line flow is detected, trip signals are transmitted to CRVICS. The containment and reactor vessel isolation control system initiates closure of all main steam line isolation and drain valves. Four instrumentation logic divisions are provided to assure protective action when required and to prevent inadvertent isolation resulting from instrumentation malfunctions. The output trip signals of the instrumentation channels are combined into two-out-of-four logics. The output trip signals of the logic divisions are combined in two-out-of-two logics for the main steam line drain valves and in a two-out-of-two logic for the MSIV's. Failure of any one division does not result in inadvertent actuation.

7.3.1.1.2.4.1.4.5 Redundancy and Diversity

Redundancy of trip initiation signals for high flow is provided by four differential pressure transmitters connected to each main steam line. Each differential pressure transmitter on a single steam line is associated with a different electrical division. Diversity of trip initiation signals is described in Subsection 7.3.1.1.2.4.1.3.5.

7.3.1.1.2.4.1.4.6 Subsystem Bypasses and Interlocks

Each logic division is provided with a bypass switch. This bypass is indicated in the main control room and interlocked such that only one division of sensor channel inputs can be bypassed at a time. There are no interlocks to other systems from main steam line high flow trip signals.

7.3.1.1.2.4.1.4.7 Subsystem Testability

Testability is discussed in Subsections 7.3.2.2.2.3.1.9 and 7.3.2.2.2.3.1.10.

7.3.1.1.2.4.1.5 Main Turbine Inlet - Low Steam Pressure

7.3.1.1.2.4.1.5.1 Identification

Low steam pressure at the turbine inlet while the reactor is operating could indicate a malfunction of the nuclear system pressure controller in which the turbine control valves or turbine bypass valves become fully open, and cause rapid depressurization of the nuclear system. Such depressurization could cause damage to vessel internals, and a thorough vessel inspection or core inspection might be required prior to returning the reactor to power operation.

To avoid the time consuming consequences of a rapid depressurization, the steam pressure at the turbine inlet is monitored. Pressure falling below a preselected value with the reactor in the RUN mode initiates isolation of the following pipelines:

(1) All four main steam lines,
(2) Main steam drain line.

The low steam pressure isolation setting was selected far enough below normal turbine inlet pressures to avoid spurious isolation, yet high enough to provide timely detection of a pressure controller malfunction. Although this isolation function is not required to satisfy any of the safety design bases for this system, the discussion is included to complete the listing of isolation functions. Main steam line low pressure is monitored by four pressure transmitters that sense pressure downstream of the outboard main steam line isolation valves. The sensing point is located as close as possible to the turbine stop valves.

7.3.1.1.2.4.1.5.2 Power Supplies

Subsystem power supplies are as described in Section 7.3.1.1.2.2.

7.3.1.1.2.4.1.5.3 Initiating Circuits

Four pressure transmitters monitor main steam line manifold pressure. Each pressure transmitter is associated with a different logic. The locations of the pressure transmitters provide the earliest practical detection of low main steam line pressure.

7.3.1.1.2.4.1.5.4 Logic and Sequencing

When a predetermined value of main steam line pressure is detected, trip signals are transmitted to the CRVICS. The containment and reactor vessel isolation control system initiates closure of all main steam line isolation valves and drain valves. Four instrumentation channels are provided to assure protective action when required and to prevent inadvertent isolation resulting from instrumentation malfunctions. The output trip signals of each of the instrumentation channels are combined into two-out-of-four logics. The output trip signals of the logic divisions are combined in two-out-of-two logics for main steam line drain and two-out-of-two twice for the MSIV's. Failure of any one division does not result in inadvertent actuation.

7.3.1.1.2.4.1.5.5 Redundancy and Diversity

Redundancy of trip initiation signals for low pressure is provided by four pressure transmitters which measure main steamline manifold pressure. Each pressure transmitter is associated with one of four instrument channels.

7.3.1.1.2.4.1.5.6 Bypasses and Interlocks

The main steam line low pressure trip is bypassed by the reactor mode switch in the Shutdown, Refuel, and Startup modes of reactor operation. In the RUN mode, the low pressure trip function is operative. In addition, each logic division is provided with a bypass switch. This bypass is indicated in the main control room and interlocked such that only one division of sensor channel inputs can be bypassed at a time. There are no interlocks to other systems from main steam line low pressure trip signals.

7.3.1.1.2.4.1.5.7 Testability

Testability is discussed in Sections 7.3.2.2.2.3.1.9 and 7.3.2.2.2.3.1.10.

7.3.1.1.2.4.1.6 Drywell High Pressure

7.3.1.1.2.4.1.6.1 Identification

High pressure in the drywell could indicate a breach of the reactor coolant pressure boundary inside the drywell. The automatic closure of various valves prevents the release of significant amounts of radioactive material from the containment. The pipelines which are isolated on detection of high drywell pressure are listed in Table 6.2-47. The drywell high pressure isolation setting was selected to be as low as possible without inducing spurious isolation trips. Drywell pressure is monitored by multiple pressure transmitters that are mounted on instrument racks in the containment and connected to the drywell through instrument lines.

7.3.1.1.2.4.1.6.2 Subsystem Power Supplies

Subsystem power supplies are as discussed in Section 7.3.1.1.2.2.

7.3.1.1.2.4.1.6.3 Initiating Circuits

Four pressure sensors monitor drywell pressure. One pressure sensor is associated with each instrument channel. Four pressure transmitters are installed at different locations outside the drywell which provide inputs to analog trip modules and provide the earliest practical detection of a line break inside the drywell.

7.3.1.1.2.4.1.6.4 Logic and Sequencing

When a significant increase in drywell pressure is detected, trip signals are transmitted to the CRVICS. The containment and reactor vessel isolation control system initiates closure of selected isolation valves. Four instrument channels are provided to assure protective action when required and to prevent inadvertent isolation resulting from instrumentation malfunctions. The output trip signals of the instrument channels are combined into two-out-of-two logic. Division logic 2 and 3 or Division logic 1 and 4 are required to initiate closure of inboard or outboard valves, respectively. Thus, failure of any one logic channel does not result in inadvertent actuation.

7.3.1.1.2.4.1.6.5 Redundancy and Diversity

Redundancy of trip initiation signals for drywell high pressure is provided by four redundant pressure transmitters installed at different locations around the drywell. Each transmitter is associated with one of four instrument channels. Diversity of trip initiation signals for line breaks inside of the drywell is provided by drywell high pressure and reactor low water level. An increase in drywell pressure or a decrease in reactor water level will initiate containment isolation.

7.3.1.1.2.4.1.6.6 Bypasses and Interlocks

Bypasses are discussed in Section 7.2.

There are no interlocks for drywell high pressure trip signals.

7.3.1.1.2.4.1.6.7 Testability

Testability is discussed in Subsections 7.3.2.2.2.3.1.9 and 7.3.2.2.2.3.1.10.

7.3.1.1.2.4.1.7 Not Used

7.3.1.1.2.4.1.8 Not Used

7.3.1.1.2.4.1.9 Reactor Water Cleanup (RWCU) System-High Differential Flow

7.3.1.1.2.4.1.9.1 Identification

High differential flow in the reactor water cleanup system could indicate a breach of the pressure boundary in the RWCU system. The RWCU system flow at the inlet to the system (suction from reactor recirculation lines) is compared with the sum of the flows at the outlets of the system (return to feedwater and flow to the Main Condenser). High differential flow initiates isolation of the RWCU system.

7.3.1.1.2.4.1.9.2 Power Supplies

Trip logic channels for outboard and inboard valves are supplied from NSPS 120 Vac Bus A and B, respectively.

7.3.1.1.2.4.1.9.3 Initiating Circuits

Six differential pressure instruments monitor the reactor water cleanup system flow. Two monitor RWCU pump-suction flow from the recirculation lines, two monitor the flow to the feedwater system, and two monitor the flow to the main condenser. One of each of the redundant sets of flow monitoring instruments is associated with one instrument channel. The second set of flow monitoring instruments is associated with the other instrument channel. The locations of the flow elements on the respective pipelines provide the detection of reactor water cleanup system line breaks.

7.3.1.1.2.4.1.9.4 Logic and Sequencing

When a predetermined increase in reactor water cleanup system differential flow is detected, trip signals are transmitted to the CRVICS. The containment and reactor vessel isolation control system initiates closure of all reactor water cleanup system isolation valves. Two instrumentation trip channels are provided to assure protective action, when required. The output trip signal of each instrumentation channel initiates one logic channel trip. The Division 1 logic signal closes the outboard RWCU isolation valve and the Division 2 logic signal closes the inboard RWCU valve.

7.3.1.1.2.4.1.9.5 Redundancy and Diversity

Redundancy of trip initiation signals for high differential flow is provided by two sets of differential flow monitors. Each differential flow monitor is supplied from the appropriate logic channel power source. Diversity of trip initiation signals for reactor water cleanup system line break is provided by instrumentation for reactor water level or equipment area ambient temperature. A decrease in reactor vessel water level, or an increase in ambient temperature or differential temperature, will initiate reactor water cleanup system isolation.

7.3.1.1.2.4.1.9.6 Bypasses and Interlocks

Reactor water cleanup system high differential flow trip is bypassed by an automatic timing circuit during normal reactor water cleanup system surges. This time delay bypass prevents inadvertent system isolation during system operational changes. The RWCU system high differential flow trip can be bypassed for instrument channel maintenance, testing, or calibration. The RWCU system high differential flow trip can also be bypassed when necessary to prevent inadvertent system isolations of the RWCU system. These may result from system surges anticipated to last longer than the time delay bypass, which may occur during RWCU system operational mode changes or when operating in the blowdown mode. Bypassing of both Divisions 1 and 2 of RWCU Leak Detection to prevent high differential flow trips for this purpose is limited to reactor coolant conditions when the reactor coolant Iodine 131 dose equivalent activity is less than or equal to 1.8x10^-3 micro curies per gram, and is further limited to the requirements of the Technical Specifications for the differential flow instrumentation. There are no interlocks to other systems provided from the reactor water cleanup system high differential flow trip signals. The RWCU inlet flow signal interlocks the RWCU pumps to stop the pumps when flow is below a predetermined value.

7.3.1.1.2.4.1.9.7 Testability

Testability is discussed in Subsection 7.3.2.2.2.3.1.10.

7.3.1.1.2.4.1.10 Reactor Water Cleanup (RWCU) System-Area High Temperature

7.3.1.1.2.4.1.10.1 Identification

High temperature in the equipment room areas of the reactor water cleanup system or main steamline tunnel could indicate a breach in the pressure boundary in the cleanup system. High ambient temperature in the equipment areas or in the main steamline tunnel initiates isolation of the reactor water cleanup system.

7.3.1.1.2.4.1.10.2 Subsystem Power Supplies

Trip logic channels for the outboard and inboard valves are supplied from NSPS 120 Vac Bus A and B, respectively.

7.3.1.1.2.4.1.10.3 Subsystem Initiating Circuits

Ten ambient temperature instrument channels monitor the reactor water cleanup system area temperatures. Five area temperature switches are associated with each logic channel. Two ambient temperature elements are located in each of the following locations: Pump Room 1, Pump Room 2, Pump Room 3, Heat Exchanger Room East, Heat Exchanger Room West. The locations of the temperature elements provide the earliest practical detection of any hot reactor water cleanup system line break.

Additionally, one ambient temperature monitoring circuit in each of two divisions monitoring main steam line tunnel temperature will cause an isolation of the RWCU System inboard or outboard isolation valves. These monitors are the same units which effect isolation of the main steam lines.

7.3.1.1.2.4.1.10.4 Logic and Sequencing

When a predetermined value of reactor water cleanup system area ambient temperature is detected, trip signals initiate closure of all RWCU system isolation valves. Two independent instrument channels are provided. The output trip signal of each instrument channel initiates a channel logic trip and closure of either the inboard or outboard reactor water cleanup system isolation valves. Protection against inadvertent isolation due to instrumentation malfunction is not required or provided.

7.3.1.1.2.4.1.10.5 Redundancy and Diversity

Redundancy of trip initiation signals for high ambient temperature is provided by two ambient temperature elements installed in each reactor water cleanup system area with each associated with a different channel logic.

Diversity is discussed in Subsection 7.3.1.1.2.4.1.9.5.

7.3.1.1.2.4.1.10.6 Bypasses and Interlocks

Reactor water cleanup system high ambient temperature trips can be bypassed during instrument channel testing by two keylocked bypass switches. There are no interlocks to other systems from the reactor water cleanup system high ambient temperature trip signals.

7.3.1.1.2.4.1.10.7 Testability

Testability is discussed in Subsection 7.3.2.2.2.3.1.10.

7.3.1.1.2.4.1.11 RHR System-Area High Temperature

7.3.1.1.2.4.1.11.1 Identification

High temperature in the area of the RHR system pumps could indicate a breach in the nuclear process barrier in the RHR system. High equipment area ambient temperature in the area ventilation initiates isolation of the RHR shutdown cooling system, sample valves and drainage valves to the radwaste system. High temperature in the areas occupied by the RHR system piping outside the drywell is sensed by temperature elements that indicate possible pipe breaks. Temperature sensors in the equipment area and the inlet and outlet ventilation ducts of the RHR equipment areas will, when a high temperature is detected, cause isolation.

The second element of the Division 1 dual element thermocouples is monitored on a recorder in the main control room.

7.3.1.1.2.4.1.11.2 Power Supplies

Subsystem power supplies are as discussed in Subsection 7.3.1.1.2.4.1.9.2.

7.3.1.1.2.4.1.11.3 Initiating Circuits

Four ambient temperature instrument channels monitor the RHR system areas temperature. Two ambient temperature channels are associated with the same logic channel. The remaining temperature channels are associated with a different logic channel. The ambient temperature elements are located in each RHR equipment area.

Two pairs of temperature elements are located in the ventilation supply and ventilation exhaust of each RHR equipment area. The locations of the temperature elements provide the earliest practical detection of any RHR system line break.

7.3.1.1.2.4.1.11.4 Subsystem Logic and Sequencing

When a predetermined RHR area ambient temperature is detected, trip signals initiate closure of the RHR system isolation valves. Two instrumentation channels are provided to assure protective action, when required. The output trip signal of each instrument channel initiates a channel logic trip and closure of either the inboard or outboard RHR system isolation valves. To close both the inboard and outboard isolation valves, both division logics must trip. Protection against inadvertent isolation due to instrumentation malfunction is not required or provided.

7.3.1.1.2.4.1.11.5 Subsystem Redundancy and Diversity

Redundancy of trip initiation signals for high ambient temperature is provided by two ambient temperature elements installed in each RHR equipment area. These are connected to different channel logics. Each redundant temperature switch is supplied from a different power source.

Diversity of trip initiation signals for RHR line break is provided by ambient temperature instruments. An increase in ambient temperature will initiate RHR shutdown cooling isolation.

7.3.1.1.2.4.1.11.6 Subsystem Bypasses and Interlocks

A bypass/test keyswitch is provided in each logic channel for the purpose of testing the temperature monitor without initiating RHR system isolation. Placing the keyswitch in bypass position in one logic channel will not prevent operation of the temperature monitors in the opposite logic channel from initiating RHR system isolation.

7.3.1.1.2.4.1.11.7 Testability

Testability is discussed in Subsection 7.3.2.2.2.3.1.10.

7.3.1.1.2.3.1.12 Not Used

7.3.1.1.2.4.1.13 Not Used

7.3.1.1.2.4.1.14 Main Condenser Vacuum Trip

7.3.1.1.2.4.1.14.1 Identification

In addition to the turbine stop valve trip on low condenser vacuum, which is a standard component of turbine system instrumentation, a main steamline isolation valve trip from the low condenser vacuum instrumentation system is provided.

A main turbine condenser low vacuum signal could indicate a leak in the condenser or low cooling water flow or both. Initiation of automatic closure of isolation valves will prevent excessive loss of reactor coolant and the possible release of significant amounts of radioactive material from the nuclear system process barrier. Upon detection of turbine condenser low vacuum, the following lines will be isolated:

(1) All four main steamlines,
(2) Main steamline drain.

There are four independent main condenser vacuum transmitters for the purpose of providing an isolation signal to the main steam isolation valves. Each vacuum transmitter has its own isolation valve, separate sensing line connected to the condenser and pressurizing source connection for testing. The wiring and separation requirements for these sensors are in accordance with IEEE-279. The vacuum trip setting is selected so that it is compatible with safe turbine and main condenser operation at design conditions, thereby minimizing the probability of turbine or condenser damage with subsequent loss of reactor coolant and release of radioactive material.

7.3.1.1.2.4.1.14.2 Power Supplies

Subsystem power supplies are as discussed in Section 7.3.1.1.2.2.

7.3.1.1.2.4.1.14.3 Initiating Circuits

Four pressure sensing instrument channels monitor main condenser vacuum. Each instrument channel is associated with a different channel logic. The four pressure transmitters sense pressure in the condenser which provides the earliest practical detection of a main condenser overpressure condition. Each transmitter provides an input to an analog trip unit which provides the trip signal.

7.3.1.1.2.4.1.14.4 Logic and Sequencing

When a predetermined value of main condenser vacuum is detected, trip signals initiate closure of all main steam line isolation and drain valves. Four instrument channels are provided to assure protective action, when required, and to prevent inadvertent isolation resulting from instrumentation malfunction.

The output trip signals of the instrumentation channels are combined into two-out-of-four logics. The output trip signals of the division logics are combined in two-out-of-two logics for the main steam line drains and two-out-of-two twice logic for the MSIV's. Failure of any one instrument channel does not result in inadvertent isolating action.

7.3.1.1.2.4.1.14.5 Redundancy and Diversity

Redundancy of trip initiation signals for low vacuum is provided by four pressure transmitters. Each pressure transmitter is connected to one of four instrument channels.

7.3.1.1.2.4.1.14.6 Bypasses and Interlocks

Main condenser low vacuum trip can be bypassed manually for system startup. Each logic division is provided with a bypass switch. This bypass is indicated in the main control room and is interlocked such that only one division of sensor channel inputs can be bypassed at a time. There are no interlocks to other systems for main condenser low vacuum trip signals.

7.3.1.1.2.4.1.14.7 Testability

Testability is discussed in Subsection 7.3.2.2.2.3.1.10.

7.3.1.1.2.4.1.15 Manual Isolation (System Level)

7.3.1.1.2.4.1.15.1 Identification

The CRVICS has four divisionally separated armed pushbuttons for system level manual initiation of isolation. When an armed pushbutton is depressed the corresponding logic will be de-energized causing a logic trip.

7.3.1.1.2.4.1.15.2 Power Sources

The manual isolation circuits are powered from four NSPS divisional power supplies.

7.3.1.1.2.4.1.15.3 Initiating Circuits

The four armed pushbuttons are located at the main control room panel. When depressed they initiate isolation functions for all the systems listed in Subsection 7.3.1.1.2.1.

7.3.1.1.2.4.1.15.4 Logic and Sequencing

When the four armed pushbuttons are depressed isolation is initiated.

Two of the four pushbuttons will initiate outboard isolation and the remaining two the inboard isolation. The output trip signals of each pushbutton are combined in two-out-of-two logic.

7.3.1.1.2.4.1.15.5 Bypasses and Interlocks

No operational bypasses or interlocks are provided with this subsystem.

7.3.1.1.2.4.1.15.6 Redundancy and Diversity

The number of armed pushbuttons provides the required redundancy. The failure of a single component will not prevent a manual protective action. In addition, a single failure will not initiate an isolation function due to the use of independent push buttons and logics. Diversity is provided for manual isolation by individual valve control switches.

7.3.1.1.2.4.1.15.7 Testability

The operability of each armed pushbutton can be tested during power operation by depressing only one pushbutton at a time.

7.3.1.1.2.4.1.15.8 Environmental Considerations

The manual isolation function is designed and has been qualified to meet the environmental considerations indicated in Section 3.11. In addition it has been seismically qualified as described in Section 3.10.

7.1.1.2.4.1.15.9 Operational Considerations

Manual Isolation is a back-up to the automatic isolation initiation logic.

7.3.1.1.2.4.2 System Instrumentation

Sensors providing inputs to the containment and reactor vessel isolation control system are not used for the automatic control of the process system, thereby achieving separation of the protection and process systems. Channels are physically and electrically separated to reduce the probability that a single physical event will prevent isolation. Redundant channels for one monitored variable provide inputs to the division logics through isolation devices. The functions of the sensors in the isolation control system are shown in Figures 7.3-2 and 7.3-3. Table 7.3-7 lists instrument characteristics.

7.3.1.1.2.5 System Logic

The basic logic arrangement is one in which a particular automatic isolation valve is controlled by either one or two division trip and actuator logics.

A division trip logic for a particular valve receives input signals from either one, two or four sensing channels depending on the monitored variable. At least four trip channel inputs to the division trip logic for each essential monitored variable are required to provide outputs to the trip actuator logics for each MSIV and each main steam line drain isolation valve. All other valves require two sensing channel inputs unless the essential monitored variable is one of the following: high area temperature, high flow, reactor low water level or reactor high pressure. For these variables only one sensing channel input is required for each trip channel. To initiate valve closure, the trip actuator logics of two divisions must be tripped for each MSIV or each main steam line drain isolation valve and one division for each of the other valves.

Two-out-of-four channel logic and two-out-of-two trip logic is used to control each MSIV and each main steam line drain isolation valve and either two-out-of-two or one-out-of-one logic to control the other valves. The logic strings for this control are shown in drawing E02-1NB99. The variables that initiate automatic closure of the MSIV and main steam line drain isolation valves are:

(1) low reactor water level,
(2) deleted,
(3) high main steam line flow,
(4) high main steam line tunnel temperature,
(5) low steam line pressure,
(6) main condenser low vacuum,
(7) turbine building high temperature.

Drywell and containment isolation valves are controlled by drywell pressure and reactor low water level signals. In this arrangement, two drywell pressure sensors are combined with two water level sensors. This trip logic could be termed two-out-of-two and the trip actuator logic one-out-of-one for each signal applied to each valve. These same drywell pressure and water level logics are used for initiation of the standby gas treatment system. The reactor water sample valves are controlled by reactor low water level signals. This trip logic is one-out-of-two applied to each valve.

The RHR isolation valves are controlled by reactor high pressure, high area temperature, and reactor low water level. The reactor low water level trip could be termed two-out-of-two and the trip actuator logic one-out-of-one for each signal applied to each valve. Reactor high pressure trip logic is two-out-of-two for each signal applied to each valve.

The reactor water cleanup isolation valves are controlled by two division logics, using high flow, high area temperature, area differential temperature, low water level signals, and standby liquid control system operation. One division logic in this form is applied to each valve. The isolation variables are listed in Table 6.2-47.

7.3.1.1.2.6 System Sequencing

A discussion of all sequencing of all subsystems of the CRVICS is provided in Subsection 7.3.1.1.2.4.

7.3.1.1.2.7 System Bypasses and Interlocks

System bypasses and interlocks are discussed for each subsystem of the isolation system in Subsection 7.3.1.1.2.4.1.

7.3.1.1.2.8 System Redundancy and Diversity

The variables which initiate isolation are listed in the circuit description, Subsection 7.3.1.1.2.4.1. Also listed there are the number of initiating sensors and channels for the isolation valves.

7.3.1.1.2.9 System Actuated Devices

The main steam line isolation valves are spring and pneumatic closing, piston-operated valves. They close by spring power on loss of pneumatic pressure to the valve operator. This is a fail-safe design. The control arrangement is shown in drawing E02-1NB99. Closure time for the valves is adjustable between 3 and 10 seconds, but the valve closure is set to be within 3 to 5 seconds.

Referring to Figure 7.3-4, there is a piston in a hydraulic cylinder which is linked to the valve poppet. The hydraulic fluid is in an enclosed system which allows it to move from beneath the piston through a manually controlled orifice (speed control valve 6) to above the piston. The orifice is set during testing prior to plant operation. The valve closure time is rechecked in accordance with procedures following any work performed on the valve. A socket setscrew locks the set position following the closure time set adjustments.

Each valve is piloted by two ac operated actuators. An accumulator located close to each isolation valve provides pneumatic pressure for valve closing in the event of failure of the normal air supply system.

For containment isolation, motor-operated and solenoid operated valves are the actuated devices. Motive and control power for motor-operated valves is from essential ESF power. Direct solenoid valves are energized open and close on isolation by spring power. Control power is supplied by essential ESF power.

To limit radiological release and to reduce the loss of reactor coolant as a result of pipe line break, the valve closing mechanisms are designed to meet the minimum closing rates specified in Table 6.2-47.
7.3.1.1.2.10 System Separation

Sensor devices are separated physically such that no single failure can prevent the safety action. By the use of conduit and separated cable trays, the same criterion is met from the sensors to the logic cabinets. The logic cabinets are so arranged that redundant equipment and wiring are not present in the same cabinet. Redundant equipment and wiring may be present in control room bench boards and logic output cabinets where separation is achieved by a six inch air space or surrounding redundant wire and equipment in metal encasements. From comparator input cabinets to the logic output cabinets and from the logic cabinets to the isolation valves, separated cable or conduit are employed to complete adherence to the separation criterion.

A brief description of Power Generation and Control Complex (PGCC) considerations and the relation of PGCC to system separation is given in Subsection 7.2.1.1.9. Detailed design basis, description, and safety evaluation aspects for a PGCC system are comprehensively documented and presented in GE Topical Report, "Power Generation Control Complex," NEDO-10466-A and its amendments.

7.3.1.1.2.11 System Testability

The main steam line and main steam line drain isolation valve instrumentation is capable of complete testing during power operation. The isolation signals include low reactor water level, high main steam line flow, high main steam line tunnel temperature, low condenser vacuum, high turbine building temperature, and low turbine pressure. The water level, turbine pressure and steam line flow sensors are pressure or differential pressure type sensors which may be valved out of service one at a time and functionally tested using a test pressure source. The radiation measuring amplifier is provided with a test switch and internal test voltage source by which operability may be verified. Functional operability of the temperature switches may be verified by applying a heat source to the locally mounted temperature sensing elements. Control room indications include annunciation, indicating lights and computer printout. The condition of each sensor is indicated by at least one of these methods in addition to annunciators common to sensors of one variable. In addition, the functional availability of each isolation valve may be confirmed by completely or partially closing each valve individually at reduced power using test switches located in the main control room. Valve indicator lights in the control room provide indication of isolation valve position.

The cleanup system isolation signals include low reactor water level, equipment area high ambient temperature, high differential flow, high temperature downstream of the non-regenerative heat exchanger, and standby liquid control system actuation. The water level and flow sensors are of the differential pressure type and can be periodically tested by valving each sensor out of service and applying a test pressure.
The temperature switches may be functionally tested by removing them from service and applying a heat source to the temperature sensing elements. The differential flow instrument channels may be tested by applying a test input. The various trip actuations are annunciated in the main control room.

Also, valve indicator lights in the main control room provide indication of cleanup isolation valve position.

The drywell and containment isolation signals include low reactor water level, and high drywell pressure. The water level sensor is of the differential pressure type and can be periodically tested by valving each sensor out of service and applying a test pressure. The drywell pressure sensor can be periodically tested in the same manner. The various trip actuations are annunciated in the main control room. Also, valve indicator lights in the main control room provide indication of cleanup isolation valve position.

The reactor water sample isolation signal is low reactor water level. Testability is discussed under main steam line and main steam line drain testability.

The RHR system isolation signals include low reactor water level, equipment area high ambient temperature and high reactor pressure. The water level sensors are of the differential pressure type and can be periodically tested by valving each sensor out of service and applying a test pressure. The reactor pressure sensor can be periodically tested in the same manner. The temperature switches may be functionally tested by removing them from service and applying a heat source to the temperature sensing elements. The various trip actuations are annunciated in the main control room. Also, valve indicator lights in the main control room provide indication of cleanup isolation valve position.

The instrument channel operability is checked by cross comparison between channels; the trip setpoint is verified by manually introducing a test signal and observing the channel meter and the indicator light on the output of the trip device. For a description of logic testing, see Subsection 7.2.1.1.4.8, "Testability".
7.3.1.1.2.12 System Environmental Considerations

The physical and electrical arrangement of the Containment and Reactor Vessel Isolation Control System was selected so that no single physical event will prevent achievement of isolation functions. Temperature, pressure, humidity, and radiation are considered in the selection of equipment for the system. Cables used in high radiation areas have radiation-resistant insulation. Shielded cables are used where necessary to eliminate interference from magnetic fields.

Special consideration has been given to isolation requirements during a loss-of-coolant accident inside the drywell. Components of the Containment and Reactor Vessel Isolation Control System that are located inside the drywell and that must operate during a loss-of-coolant accident are the cables, control mechanisms, and valve operators of isolation valves inside the drywell. These isolation components are required to be functional in a loss-of-coolant accident environment. (See Section 3.11.5). Electrical cables are selected with insulation designed for this service. Closing mechanisms and valve operators are considered satisfactory for use in the isolation control system only after completion of environmental testing under loss-of-coolant accident conditions or submission of evidence from the manufacturer describing the results of suitable prior tests.

7.3.1.1.2.13 System Operational Considerations

Isolation input variables are indicated on meters in the trip units of the main control room. (See Paragraph 7.3.1.1.2.1 for the isolation initiating signals.) Recorders show reactor vessel pressure and water level. Also provided is the wide range water level indicator. Isolation system and valve status are shown by indicator lights and logged into the display control system.

7.3.1.1.2.13.1 General Information

The containment and reactor vessel isolation control system is not required for normal operation.
This system is initiated automatically when one of the monitored variables exceeds preset limits. No operator action is required for at least 10 minutes following initiation. All automatic isolation valves can be closed by manual operation of switches in the main control room, thus providing the reactor operator with control which is independent of the automatic isolation functions.

7.3.1.1.2.13.2 Reactor Operator Information

Once isolation is initiated, the valve continues to close even if the condition that caused isolation is restored to normal. The reactor operator must manually reset the tripped logic and operate switches in the main control room to reopen a valve that has been automatically closed. Unless a manual bypass under administrative control is provided, the operator cannot reopen the valve until the conditions that initiated isolation have cleared.

CPS/USAR CHAPTER 07 7.3-43 REV. 12, JANUARY 2007

A trip of an isolation control system channel is annunciated in the main control room so that the reactor operator is immediately informed of the condition. The response of isolation valves is indicated by OPEN-CLOSED indicator lights. Inputs to annunciators, control systems, and the process computer are isolated electrically and physically from safety circuits so that no malfunction of the annunciating, or computing equipment or control systems can functionally disable the system. Direct signals from the isolation system sensors are not used as inputs to annunciating or data logging equipment.

Isolation is provided between the primary signal and the information output.

7.3.1.1.2.13.3 Setpoints

Refer to the Operational Requirements Manual for the safety setpoint information.

7.3.1.1.3 MSIV - LCS Instrumentation and Controls

Note: As a result of the re-analysis of the Loss of Coolant Accident (LOCA) using Alternative Source Term (AST) Methodology, it is no longer necessary to credit the Main Steam Isolation Valve Leakage Control System (MSIVLCS) for post-LOCA activity leakage mitigation. The system has been left in place as a passive system and is not required to perform any safety function.

7.3.1.1.4 RHR/Containment Spray Cooling Mode - Instrumentation and Controls

7.3.1.1.4.1 System Identification

Containment spray cooling is an operating mode of the Residual Heat Removal System. It is designed to provide the capability of condensing steam in the suppression pool air volume and/or the containment atmosphere and cooling non-condensibles therein. The mode is automatically or manually initiated when necessary.

The RHR system is shown in P&ID M05-1075.

7.3.1.1.4.2 Power Sources

Power for the RHR system pumps is supplied from two ac buses that can receive standby ac power. Motive and control power for the two loops of containment spray cooling instrumentation and control equipment are the same as that used for LPCI A and LPCI B; see Subsection 7.3.1.1.1.6.

7.3.1.1.4.3 Equipment Design

Control and instrumentation for the following equipment is required for this mode of operation:

(1) Two RHR main system pumps.
(2) Pump suction valves.
(3) Containment spray cooling discharge valves.

Variables needed for automatic operation of the equipment are low reactor water level, and/or high drywell pressure and high containment pressure. The instrumentation for containment spray cooling operation assures that water will be routed automatically from the suppression pool to the containment air volume. Containment spray cooling operation uses two pump loops, each loop with its own separate discharge valve. All components pertinent to containment spray cooling operation are located outside of the drywell. Motive and control power for the two loops of containment spray cooling instrumentation and control equipment are the same as that used for RHR A and RHR B. The containment spray cooling system can be manually initiated from the main control room if drywell pressure is above the high set point.

7.3.1.1.4.4 Initiating Circuits

7.3.1.1.4.4.1 Containment Spray A

Containment and drywell pressure is monitored by two absolute pressure transmitters mounted in instrument racks in the containment. Cables from these transmitters are routed to the main control room logic cabinets. The two containment pressure and the two drywell pressure transmitters and trip units are electrically connected so that no single sensor failure can prevent initiation of containment spray A. The above sensors in combination with a ten minute time delay logic initiated by a loss-of-coolant accident (reactor low water level and/or high drywell pressure) provide the automatic initiating signal for containment spray A. This signal is sealed in and must be manually reset.

A timer reset switch is utilized in the containment spray cooling auto-initiation logic to delay (10 minutes) automatic initiation of the spray. This additional time period will allow operator assessment of the pending action. The operator may use this feature to further delay automatic initiation of the containment spray cooling if such a delay is prudent. If the operator allows the time delay to expire and the LOCA and containment high pressure signals are still present, the containment spray cooling will be initiated. In the event that the operator deems the containment spray cooling necessary after resetting the timer, he may initiate the sprays manually.

7.3.1.1.4.4.2 Containment Spray B

Initiation of containment spray B is identical to that of 'A' except that an additional time delay of 90 seconds is added which precludes simultaneous starting of both loops.

7.3.1.1.4.5 Logic and Sequencing

The operating sequence of containment spray cooling following receipt of the necessary initiating signals is as follows:

(1) The RHR system is in the injection mode (LPCI).
(2) Valves in other RHR modes are automatically positioned or remain as positioned during LPCI.
(3) Shutdown service water supply and discharge valves to the RHR heat exchanger are signaled to open. The shutdown service water (tube) side heat exchanger bypass valves are manually operated and locked closed.
(4) If the RHR (shell) side heat exchanger inlet and outlet valves are both fully open, the heat exchanger bypass valve on the RHR side is signaled to close. If either heat exchanger valve is partially closed the bypass valve auto-shut safety function does not operate and the valve remains open. This provides the containment spray function, but without the heat exchangers first cooling the suppression pool water.
(5) The containment spray cooling discharge valve is automatically opened after the time delay unless the operator manually resets the time delay.

The containment spray cooling system will continue to operate until the drywell pressure or containment pressure drops below the trip point and the operator depresses the reset pushbutton removing the logic seal-in, thus the associated trip modules are reset. The operator can then initiate another mode of RHR.

7.3.1.1.4.6 Bypasses and Interlocks

No bypasses are provided for the containment spray cooling system. Interlocks are provided to correctly line up RHR system valves to perform the containment spray cooling functions. These are shown in drawing E02-1RH99.
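The initiation and seal-in behaviour described above for containment spray A and B can be modelled as a small state machine. The Python sketch below is an added example, not part of the USAR or of any plant logic; the class and function names are hypothetical, the sensor voting is collapsed into single boolean inputs, and clearing the timer when the LOCA signal clears is an assumption.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

LOCA_DELAY_S = 10 * 60  # ten-minute delay after the LOCA signal (from the text)
LOOP_B_EXTRA_S = 90     # additional delay for loop B (from the text)


@dataclass
class SprayLoop:
    """Hypothetical model of one containment spray loop's auto-initiation logic."""
    name: str
    extra_delay_s: int = 0
    timer_start: Optional[int] = None  # second at which the delay timer started
    sealed_in: bool = False            # latched initiation signal

    def update(self, now: int, loca: bool, cont_high: bool) -> bool:
        """Evaluate the logic at second `now`; True means the discharge valve is signaled open."""
        if self.sealed_in:
            return True                # seal-in holds even if the inputs clear
        if not loca:
            self.timer_start = None    # assumption: timer clears with the LOCA signal
            return False
        if self.timer_start is None:
            self.timer_start = now
        expired = now - self.timer_start >= LOCA_DELAY_S + self.extra_delay_s
        if expired and cont_high:      # both signals still present after the delay
            self.sealed_in = True
        return self.sealed_in

    def timer_reset(self, now: int) -> None:
        """Operator timer-reset switch: restart the delay if not yet initiated."""
        if not self.sealed_in and self.timer_start is not None:
            self.timer_start = now

    def manual_initiate(self, drywell_high: bool) -> bool:
        """Manual initiation is accepted only with drywell pressure above the high setpoint."""
        if drywell_high:
            self.sealed_in = True
        return self.sealed_in

    def reset_pushbutton(self, cont_high: bool) -> bool:
        """Drop the seal-in only once pressure is below the trip point (one input here)."""
        if self.sealed_in and not cont_high:
            self.sealed_in = False
            self.timer_start = None
            return True
        return False


def first_initiation(loop: SprayLoop, horizon_s: int,
                     loca: Callable[[int], bool],
                     cont_high: Callable[[int], bool],
                     timer_resets: Iterable[int] = ()) -> Optional[int]:
    """Step the loop once per second; return the second of initiation, or None."""
    resets = set(timer_resets)
    for now in range(horizon_s + 1):
        if now in resets:
            loop.timer_reset(now)
        if loop.update(now, loca(now), cont_high(now)):
            return now
    return None


def scenarios() -> dict:
    """Constructed timelines (seconds after the LOCA signal), not plant data."""
    present = lambda _t: True
    absent = lambda _t: False
    return {
        "loop A": first_initiation(SprayLoop("A"), 2000, present, present),
        "loop B": first_initiation(SprayLoop("B", LOOP_B_EXTRA_S), 2000, present, present),
        "A, timer reset at 500 s": first_initiation(
            SprayLoop("A"), 2000, present, present, timer_resets=[500]),
        "A, pressure high only from 900 s": first_initiation(
            SprayLoop("A"), 2000, present, lambda t: t >= 900),
        "A, LOCA without high pressure": first_initiation(
            SprayLoop("A"), 2000, present, absent),
    }


if __name__ == "__main__":
    for label, second in scenarios().items():
        print(f"{label}: {second}")
```

The 90 second offset keeps the two loops from starting together, and the seal-in keeps the valve signaled open until the reset pushbutton is pressed with pressure below the trip point.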

7.3.1.1.4.7 Redundancy and Diversity

Redundancy is provided for the containment spray cooling function by two separated divisional loops. Redundancy of initiation sensors is described in section 7.3.1.1.4.4 under "Initiating Circuits." The initiating circuits for containment spray are not diverse.

7.3.1.1.4.8 Actuated Devices

Drawing E02-1RH99 shows functional control arrangement of the containment spray cooling system. The RHR A and RHR B loops are utilized for containment spray. Therefore, the pump and valves are the same for LPCI and containment spray cooling except that each has its own discharge valve. See Section 7.3.1.1.1.6.7, "LPCI Actuated Devices" for specific information.

7.3.1.1.4.9 Separation

Containment spray cooling is a Division 1 (RHR A) and a Division 2 (RHR B) system. Manual controls, logic circuits, cabling, and instrumentation for containment spray cooling are mounted so that Division 1 and Division 2 separation is maintained. Separation from Divisions 3 and 4 is also maintained.

7.3.1.1.4.10 Testability

The containment spray system is capable of being tested up to the last discharge valve during normal operation. Drywell and containment pressure and reactor vessel water level initiation channels are tested by cross comparison between related channels. Any disagreement between the display readings for the channels would indicate a failure. The instrument channel trip set point is verified by manually introducing a test signal with the calibration, and observing the channel display and indicator light on the output of the trip device (see Subsection 7.1.2.10). Testing for functional operability of the control logics is accomplished by use of continuous automatic pulse testing. The Automatic Pulse Test (APT), the sixth test, discussed in RPS Testability 7.2.1.1.4.8 is also applicable here for the containment spray function of RHR.
Other control equipment is functionally tested during manual testing of each loop. Indication in the form of panel lamps and annunciators is provided in the control room.

7.3.1.1.4.11 Environmental Considerations

Refer to Table 3.11-5 for environmental qualifications of the subject system equipment.

7.3.1.1.4.12 Operational Considerations

7.3.1.1.4.12.1 General Information

Containment spray cooling is a mode of the RHR, and is not required during normal operation.

7.3.1.1.4.12.2 Reactor Operator Information

Temperature, flow, pressure, and valve position indications are available in the main control room for the operator to assess containment spray cooling operation. Alarms and indications are shown in Drawing M05-1075 (RHR P&ID) and drawing E02-1RH99.

7.3.1.1.4.12.3 Setpoints

For setpoints refer to the Operational Requirements Manual.

7.3.1.1.5 Shutdown Service Water System Instrumentation and Controls

7.3.1.1.5.1 System Identification

The Shutdown Service Water System (SSWS) is designed to provide a reliable source of cooling water for station auxiliaries which are essential to safe shutdown of the reactor following the unlikely event of a loss-of-coolant-accident (LOCA) or a complete loss of offsite ac power. Also, the system is designed to maintain the required flow of cooling water to the Residual Heat Removal (RHR) heat exchangers, to allow the reactor to cool down to a safe condition from normal operating power levels (i.e., maximum decay and residual heat). The SSWS is a nuclear safety-related system composed of three independent subsystems (Divisions 1, 2, and 3) that correspond to electrical separation Divisions 1, 2, and 3.

7.3.1.1.5.2 Power Sources

The power sources for each subsystem's instrumentation and controls are the same electrical separation division as the subsystem they are monitoring or controlling and are capable of receiving standby power.

7.3.1.1.5.3 Equipment Design

The instrumentation and controls for the SSWS provide the facilities for the main control room operator to monitor system pressures and flows, to be alerted by alarms of system malfunction or automatic operations, and to manually control system operation. The instrumentation also provides automatic initiation of the system.

A pressure transmitter located downstream of the SSWS strainers provides the control room with indication of system pressure and automatically initiates SSWS pump operation on low system pressure. Local indication of the discharge pressure of each pump is also provided. A flow nozzle is located downstream of the strainer and of the plant service water inlet supply line to monitor system flow. The nozzle is used for periodic system testing to satisfy the In-Service Inspection requirements of ASME Section XI and permanent instrumentation is provided.
Additionally there is an orifice type flow element upstream of the RHR heat exchangers for monitoring flow rate of cooling water through the heat exchanger. This flow is measured by a differential pressure transmitter which transmits a signal to an indicator in the main control room. A temperature element, located downstream of each of the RHR heat exchangers, provides inputs to a temperature recorder in the main control room. The recorder initiates a high temperature annunciator in the main control room. Local temperature indicators are provided to monitor the discharge water temperature from serviced equipment.

The SSWS system radiation level is an important parameter in detecting RHR heat exchanger tube leaks. Off-line radiation monitors draw a sample from each RHR heat exchanger water discharge pipe and initiate a high radiation alarm in the main control room on high radiation. The monitors are described in Subsection 11.5.2.

7.3.1.1.5.4 Initiating Circuits

Each SSW subsystem pump can be manually started and stopped from the main control room during normal and abnormal operating conditions. This capability is augmented during abnormal operating conditions of loss of offsite electric power or loss-of-coolant accident (LOCA). A LOCA (with or without loss of off-site electric power) will automatically start each pump.

The shutdown service water system provides the backup water supply for cooling equipment, normally supplied from the non-essential plant service water system (PSWS). A pressure transmitter connected downstream of the SSWS/PSWS header will sense a low pressure when the PSWS pump flow decreases. An analog comparator unit connected to each transmitter will automatically start the associated shutdown service water pump.

7.3.1.1.5.5 Logic and Sequencing

A manual or automatic pump start signal will automatically shut the SSW/PSWS isolation valve thus isolating the essential SSWS from the nonessential PSWS. Operation of the pumps in conjunction with the emergency diesel generator logic and sequencing is described in Subsection 8.3.1.1.2.

7.3.1.1.5.6 Bypasses and Interlocks

SSWS isolation valves for individual cooling loads are automatically opened by the system logic controlling the equipment being cooled. These interlocks are described elsewhere in Sections 7.3 and 7.6.

The SSWS provides water to the deluge systems of the standby gas treatment system room main control room air supply filter packages, and the main control room makeup air filter packages. The SSWS also supplies emergency makeup water, main control room air supply filter packages, and the main control for the spent fuel storage pool. Manual controls are provided for both the pool makeup water and the deluge valves. These controls are discussed elsewhere in Section 7.3.

7.3.1.1.5.7 Redundancy and Diversity

The shutdown service water system is composed of three independent subsystems consisting of a pump, strainer, cooling loads, and controls and instrumentation. The redundancy required for a safety-related system is provided by the three independent subsystems in the shutdown service water system.
7.3.1.1.5.8 Actuated Devices

The normal and emergency operation of each shutdown service water system involves the following devices:

(1) shutdown service water pumps (actuation described in Subsection 7.3.1.1.5.4).
(2) shutdown service water strainer
(3) shutdown service water/plant service water nonessential header isolation valves (actuation described in Subsection 7.3.1.1.5.5)
(4) individual cooling load isolation valves.

A service water strainer is provided on each subsystem. Each strainer is an automatic differential pressure sensed initiated backwash device which is provided with manual control, automatic control and main control room alarms. Each strainer has a control switch, located on the respective motor control center, to manually initiate strainer self-cleaning (backwash). In addition, the Division 1 and 2 service water strainer backwash is automatically initiated by high differential pressure and a timer stops the cycle of the strainer backwash. The Division 3 backwash is automatically initiated either by high differential pressure or at a preset pump operating time signal. A second timer stops the cycle of the strainer backwash. The timer settings can be adjusted/readjusted based on station operating experience. A strainer bypass is provided for each subsystem which may be used if there is a malfunction or other problem with the strainer. A third operational mode is provided to flow water through the strainer and the bypass simultaneously.

Individual cooling load isolation valves are either air-operated or motor-operated type valves. These valves open or close based on a signal indicating the component being cooled is operating. The air-operated valves will fail in the open position upon loss of air pressure or electrical power. The motor-operated valves will fail-as-is, until emergency power is supplied in the predetermined sequence.

7.3.1.1.5.9 Separation

The instrumentation and controls of each SSWS subsystem are independent from the others. In order to maintain the required separation, the logic circuits, cabling, and instrumentation are mounted so that Divisions 1, 2, and 3 separation is maintained.
There are no electric connections among the three subsystems. A piping crosstie is provided between the Division 1 and Division 2 subsystems. Two isolation valves, one for each division, are provided and are normally closed. The crosstie may only be opened by operator action from the main control room.

7.3.1.1.5.10 Testability

The control and logic circuitry of each SSW subsystem can be tested during normal operating conditions. All components are accessible for inspection and calibration. Testing of the system will not prevent its safe operation in the event an automatic initiation should occur.

7.3.1.1.5.11 Environmental Considerations

The SSWS instrumentation and controls have been qualified for the environmental conditions in which they must perform the safety-related functions.

7.3.1.1.5.12 Operational Considerations

Under conditions where the PSWS is available or no LOCA condition exists, the SSWS pumps and strainers are not operated. The PSWS will provide the cooling water to the SSWS cooling loads as required.

7.3.1.1.6 Main Control Room HVAC Control System - Instrumentation and Controls

The controls and instrumentation for the main control room HVAC system function to ensure that main control room personnel can remain inside all spaces served by the control room HVAC during normal conditions in compliance with Criterion 19 of Appendix A to 10CFR50, as detailed in section 9.4.1.4, and to ensure the habitability of the main control room under all station accident conditions, as described in Section 6.4 and Section 9.4. The design bases for the control and instrumentation are described in Subsection 7.1.2.1.15. The piping and instrumentation diagram for the main control room system is shown in Drawing M05-1102.

7.3.1.1.6.1 Power Supply

The main control room HVAC system is comprised of redundant supply air fans, return air fans, electric heating coils (not safety-related), refrigeration units, chilled water pumps, supply air filter packages, makeup air filter trains consisting of electrical heating coils, fans and filters. Power supply for instrument and main control systems for each main control room HVAC system is fed from separate essential ac buses which can receive standby ac power. Motive power for isolation dampers, controls, and instrumentation comes from the bus that powers the corresponding equipment train.

7.3.1.1.6.2 Initiating Circuits, Logic, and Sequencing

Various components of each redundant main control room HVAC system are initiated as described below:

(1) System trains are started and stopped by control switches on the Balance-of-Plant benchboard.
Train start signal first opens the two position zone isolation and return air dampers and then after a time delay, it starts the respective supply fan, and opens the respective minimum outside air dampers provided no abnormal signals are present. Train start signal also provides a permissive to the respective return air fan, makeup air fan and associated makeup air dampers and the chilled water pump.

(2) The supply and return air fans are started and stopped manually by control switches provided on local panels and automatically on start signal (after a time delay) from the respective train initiating switches on the Balance-of-Plant benchboard. The selection of remote train and selector switch is made through a remote-local selector switch provided on the LCP. Makeup air fans are started and stopped (after a time delay) by control switches provided on local panels and on the Balance-of-Plant benchboard and automatically on high radiation signals in minimum outside air intakes (after a time delay). HVAC equipment room supply fans are started and stopped by control switches on the Balance-of-Plant benchboard.

CPS/USAR CHAPTER 07 7.3-53 REV. 11, JANUARY 2005 (3) Chilled water pumps are started and stopped manually by control switches on the local control panel and automatically on start signal from the respective train initiating switches on the Balance-of-Plant benchboard. (4) Water chillers are automatically controlled by a temperature signal. Service water pressure and water pumps running are permissive signals which are required before the chiller can be manually started from the chiller control panel. (5) On any equipment malfunction alarm on the main control board, the redundant HVAC system is manually started. (6) The radiation detection system detects high radiation in the vicinity of the minimum outside air intake ducts and initiates the following actions when a system trip occurs: a. alarms the high radiation levels in the affected intake on the Balance-of-Plant benchboard, b. closes the normal path of makeup air supply to the main control room HVAC system, c. causes makeup air from outside to be routed through the appropriate makeup air filter train. (7) On detection of combustion products in the main control room by the ionization detection system, an alarm is annunciated on the Balance-of-Plant benchboard and the system,s supply air is routed through the normally bypassed smoke and odor adsorbing filters. a. In addition, if the quality of outside air is proper, the operator can by remote manual operation of purge switch on the Balance-of-Plant benchboard OPEN the outside air intake dampers and fully OPEN the exhaust damper and close the recirculation air damper for purging the main control room air. (8) The following actions will be initiated upon manual activation of the chlorine mode. a. trips the makeup air fan, b. closes all damper in the outside air intakes for the main control room HVAC system, c. recirculates the room air through odor- and smoke-removing charcoal,

d. trips the locker room exhaust fan.

7.3.1.1.6.3 Bypass and Interlocks
(1) The two position zone isolation and return air dampers are interlocked to open on (i) start signal from the train control switch provided the system remote/local selector switch is on remote, (ii) start signal from the supply fan local control switch provided the system remote/local selector switch is on local.
(2) The minimum outside air dampers are interlocked to open on (i) start signal from the main control switch provided the system remote/local selector switch is on remote, (ii) start signal from the supply fan local control switch provided the system remote/local selector switch is on local and provided the abnormal signal from the high radiation detection system is not present.
(3) Supply fan is interlocked to start/stop on start/stop signal from the train control switch.
(4) Chilled water pump is interlocked to stop on stop signal from the supply fan. This interlock is not bypassed.
(5) Return fan is interlocked with respective supply fan. Return fan cannot run unless the respective supply fan is running.
(6) The supply air filter bypass isolation damper is interlocked to open with the start of the respective supply fan. This interlock is bypassed by the radiation detection system, chlorine mode initiation and the ionization detection system. This damper is also interlocked to close when the respective absorber isolation dampers are proved open by limit switches. This interlock is not bypassed.
(7) The supply air filter absorber isolation dampers are interlocked to open automatically on a trip signal from radiation detection system or ionization detection system or manual initiation of the chlorine mode. This interlock is not bypassed.
(8) Makeup air isolation dampers are interlocked to open first on start signal to fan and then the fan starts after a time delay.
(9) Electric heating coil in the makeup air filter package is interlocked to energize on start signal from the makeup air fan.
(10) Maximum outside intake dampers are interlocked to open or close when the maximum outside exhaust dampers are opened or closed. These dampers are interlocked to close immediately on signal from chlorine mode initiation.
(11) Electric heating coil in the main control room air handling unit is interlocked to de-energize when any of the heater safeties are not satisfied. The heating coil contact is also interlocked to energize on start signal from the supply fan. An SCR temperature controller regulates the main control room supply air temperature.
(12) Locker exhaust fan is interlocked to shutdown when either fan discharge damper is closed.
(13) Each chiller is interlocked with proof of chilled water flow of the respective pump. Each chiller is interlocked to shutdown when the mixed air temperature upstream of the cooling coil is below its freeze protection setpoint.

7.3.1.1.6.4 Redundancy/Diversity
Instrumentation and controls for each redundant main control room HVAC system are completely independent of each other.

7.3.1.1.6.5 Actuated Devices
The normal and emergency operation of each main control room HVAC system involves the following actuated devices: (1) supply air fan, (2) return air fan, (3) supply air electric heating coil, (4) chilled water pump, (5) refrigeration unit, (6) makeup air electric heating coil, (7) makeup air fan, and (8) corresponding isolation and modulating control dampers.

7.3.1.1.6.6 Separation
The channels and logic circuits are physically and electrically separated to preclude the possibility that a single failure will prevent operation of the main control room HVAC system. Electrical cables for instrumentation and control on each main control room HVAC system are routed separately.

7.3.1.1.6.7 Testability
Means have been provided for checking the operational availability of complete Control Room Ventilation systems separately at sensor, module, and control channel basis and jointly as a complete system during normal operation or shutdown period. This is accomplished in the following ways, as appropriate.

7.3.1.1.6.7.1 Sensor Checks
Sensors required for sensing parameters such as control room ambient temperature, pressure, and humidity are easily accessible and are checked in the following ways:
(1) by perturbing the monitored variable; or
(2) by introducing and varying, as appropriate, a substitute input to the sensor of the same nature as the measured variable; or
(3) by monitoring the parameter through other accurately calibrated instruments and comparing the output of sensors in use with the output of a calibrated instrument.

7.3.1.1.6.7.2 Module Checks
Temperature transmitters, controllers, and the damper actuators are easily accessible and are tested in the following ways:
(1) by introducing a variable input signal and monitoring the corresponding outputs by use of other calibrated instruments; or
(2) by introducing a steady input signal and forcing the output of the controller to change by varying the setpoint; or
(3) by measuring the output of the controller and examining the damper position at corresponding input signals to the damper actuator.
All instruments used are high-precision types and are calibrated for proper testing.

7.3.1.1.6.7.3 Channel Checks
After checks have been proven to be satisfactory at the module level, each channel is checked and monitored for satisfactory operation.

7.3.1.1.6.7.4 System Checks
After each channel has been checked and proven to be operating properly, the whole instrument and control system is tested jointly.

7.3.1.1.6.8 Environmental Considerations
Temperature, pressure, humidity, and radiation dosage are considered in selection of equipment, instrumentation, and controls for the main control room HVAC system. The environmental zone maps are shown in Section 3.11 and the HVAC system is discussed in Section 9.4.

7.3.1.1.6.9 Operational Considerations
The main control room HVAC system is required during normal and abnormal station operating conditions. The automatic circuitry is designed to start the emergency equipment, if the signal for its initiation is received, as described in this Section. Provisions are made to allow manual control and operation of the various components of the main control room HVAC system from the Balance-of-Plant benchboard or from the local control panel.

7.3.1.1.6.10 Supporting Systems
A fire protection system is designed to supply station fire protection/shutdown service (as back up) water to each makeup air/supply air charcoal filter bed.
This system is described as follows:
(1) Two motor-operated deluge water valves are provided in parallel for each adsorber, one of which supplies water from the Fire Protection system and the other from Shutdown Service Water.
(2) Two solenoid valves are provided in parallel for each filter package drain line.

(3) Each motor-operated valve has a separate handswitch on the Balance-of-Plant benchboard.
(4) Two temperature sensors and two temperature control units are provided for each filter package:
a. Either one of the temperature sensors and control units shall annunciate at the main control panel on high temperature to alert an operator to high temperature conditions. The operator must decide whether it is necessary to open either one of the deluge valves described in items 1a or 1b. Opening of the deluge valve will energize a solenoid valve in the adsorber drain line causing it to open.
b. Either one of the temperature sensors and control units annunciate at the main control panel on high-high temperature. The operator may elect to open one or both deluge valves. Opening the deluge valve will energize and open a solenoid valve in the absorber drain line.
c. If either of the deluge valves for the control room HVAC make up fan air filter package (0VC09SA/SB) is opened, the make up air fan will trip off and the appropriate drain valve will open. If any of the deluge valves for the control room HVAC supply air filter package (OVC07SA/SB) is opened, the adsorber isolation dampers will close, the bypass isolation damper will open, the appropriate drain valve will open and the control room supply fan (OVC03CA/CB) will trip off.

7.3.1.1.7 Combustible Gas Control System (CGCS)

7.3.1.1.7.1 System Identification
The CGCS system consists of two major safety-related subsystems, drywell-containment mixing system and the hydrogen recombiner system. The drywell containment mixing system consists of two redundant compressors, each with its own piping, motor-operated suction valve and instrumentation. The system is designed to pump the atmosphere from the drywell through the suppression pool into the containment. The discharge, having mixed with the containment atmosphere, flows back into the drywell through air testable check valves. Each compressor, along with its corresponding suction valve and controls and instrumentation is powered from a separate Class 1E power source.

The hydrogen recombiner system consists of two redundant recombiners, each with its own piping and motor-operated containment isolation valves. The system is designed to take suction from the containment building, to recombine any hydrogen and oxygen and to discharge back into the containment building. Each recombiner along with its isolation valves and controls and instrumentation is powered from a separate Class 1E power source. Final system drawings for the CGS are referenced. The system P&ID is Drawing M05-1063.

7.3.1.1.7.2 Initiating Circuits
The drywell-containment mixing system is manually initiated from the main control room. One control switch initiates a compressor and opens its suction valve. Similarly a second control switch initiates the alternate compressor and its suction valve.

The hydrogen recombiner system is manually initiated from the main control room, one control switch opens both containment isolation valves for a given recombiner. A separate control switch initiates the recombiner. Similarly, two control switches are provided for the alternate recombiner and its containment isolating valves. Local control switches are provided at the control panel to allow testing.

7.3.1.1.7.3 Logic and Sequencing
The drywell-containment mixing system is designed such that a compressor starts and its suction valve opens (after a time delay) when initiated from the main control room.

The hydrogen recombiner system is designed such that when the control switch is placed in the start position power is fed to the local control panel. A timer starts the recombiner after a time delay. The timer is provided to eliminate any spurious alarms. Local handswitches allow for testing providing the main control room switch is in the TEST position. The containment isolation valves which are normally closed during plant operation will automatically close upon receiving a LOCA signal, should they be open for testing. Should system initiation be required, the valves are opened by placing the control switch in the OPEN position.

7.3.1.1.7.4 Bypasses and Interlocks
Both the drywell containment mixing system and the hydrogen recombiner system are manually initiated. Therefore, there are no bypasses in the system. The containment isolation valves can be opened from the main control room when required for system initiation. For further description see Subsection 6.2.4. The recombiner system is interlocked such that no component may be tested locally without the main control room switch for that component being placed in the TEST position. Once a system (Mixing Compressor or Recombiner) is initiated, operator action is required to shut off the system.

7.3.1.1.7.5 Redundancy and Diversity
Two completely independent and redundant drywell-containment mixing systems and recombiner systems are provided, including independent and redundant logic systems and mechanical equipment. The two logic systems and their associated mechanical devices are powered from separate ESF buses. Physical and electrical separation is maintained between the two systems. Diversity is provided for the containment isolation valves by initiation from diverse signals (low reactor water level or high drywell pressure). The mixing compressors and recombiners are manually initiated by separate switches and controls.

7.3.1.1.7.6 Actuated Devices
The actuated devices of the CGCS system are the mixing compressors and suction valves, the hydrogen recombiners and their containment isolation valves. Only the recombiners are provided with remote manual test capability. The system can be manually operated from the main control room. All actuated devices are provided with status indicators in the main control room.

7.3.1.1.7.7 Separation
The two drywell mixing compressors along with their associated piping, valves, controls and instrumentation are completely separated from each other both electrically and physically. Similarly, the two hydrogen recombiners along with their associated piping, valves, controls and instrumentation are separated from each other both electrically and physically.

7.3.1.1.7.8 Testability
All components of the CGCS system are fully accessible and can be tested during normal plant operation or shutdown.

7.3.1.1.7.9 Environmental Conditions
All safety-related controls and instrumentation are qualified for the environment in which they are located under both normal and accident conditions.

7.3.1.1.7.10 Operational Considerations
Once initiated, no further operator action is required other than to shutdown the system when conditions warrant.

7.3.1.1.8 Standby Power System Instrumentation and Controls
This system is discussed in Chapter 8.

7.3.1.1.9 Standby Gas Treatment System - Instrumentation and Controls

7.3.1.1.9.1 Power Supply
Power supply for the various components of each SGTS train is from separate essential ac buses that can receive standby ac power. Control power for isolation valves, dampers and controls comes from the bus that powers the corresponding equipment train. Redundant motor-operated dampers are fed with power from independent essential buses. Solenoid valves operating redundant dampers are fed with power from independent essential buses.

7.3.1.1.9.2 Initiating Circuits, Logic, and Sequencing
Various components of each redundant SGTS system are initiated as described below:
(1) The system is automatically started in response to any one of the following signals:
a. high drywell pressure,

b. low reactor water level,
c. high radiation in containment refueling pool exhaust duct,
d. high radiation in containment building exhaust duct,
e. high radiation in fuel building exhaust duct,
f. high radiation in continuous containment purge duct.
(2) The system can also be started manually from the main control room.
(3) Standby Gas Treatment System Equipment Train (SGTSET) primary fans are started (i) automatically on the presence of any one of the signals described above, (ii) manually by independent control switches provided in the main control room.
(4) Primary fans are stopped (i) automatically on receipt of deluge valve open signal from the fire protection system, (ii) manually by same control switches in the main control room.
(5) SGTSET cooling fans automatically start after shutdown of the primary fans and stop after a set time delay.
(6) The cooling fans stop automatically on receipt of a charcoal adsorber bed deluge valve open signal, or start of the primary fan.
(7) The cooling fans can be operated manually by independent control switches in the main control room if added cooling of the charcoal beds is required.

7.3.1.1.9.3 Bypasses and Interlocks
(1) Auto start of a SGTS equipment train closes the normally open fuel building supply and exhaust isolation dampers.
(2) Manual/Auto start of SGTS primary fan opens the train inlet and outlet isolation dampers and energizes the flow control damper to modulate. This interlock is not bypassed during the SGTS operation.
(3) The SGTS cooling fan is interlocked to start whenever the primary fan stops. This interlock can be bypassed by manual operation of the control switch in the main control room. Cooling fan is also interlocked to stop on receipt of deluge valve open signal from the fire protection system.
(4) Cooling fan start signal opens outside atmosphere isolation dampers for cooling air to the SGTS train.
(5) SGTS electric heating coil is energized or de-energized whenever the primary fan is started or stopped. The heating coil is interlocked to trip whenever any one of the heater safeties is not satisfied.
(6) Manual/Auto start of the SGTS primary fan opens the normally closed intake isolation dampers from various areas, e.g., RWCU pump rooms, fuel building, etc.

7.3.1.1.9.4 Redundancy/Diversity
Instrumentation and controls for each standby redundant gas treatment system are completely independent of each other.

7.3.1.1.9.5 Actuated Devices
The normal and emergency operation of each standby gas treatment system involves the following actuated devices: (1) Primary fan, (2) Electric heating coil, (3) Various associated isolation dampers, (4) Modulating flow control damper, (5) Cooling fan.

7.3.1.1.9.6 Separation
The channels and logic circuits are physically and electrically separated to preclude the possibility that a single failure will prevent operation of standby gas treatment system. Electrical cables for instrumentation and control on each standby gas treatment system are routed separately.

7.3.1.1.9.7 Testability
Means have been provided for checking the operational availability of complete Standby Gas Treatment System separately at sensor, module, and control channel basis and jointly as a complete system during normal operation or shutdown period. This is accomplished in the following ways, as appropriate.

7.3.1.1.9.7.1 Sensor Checks
Sensors required for sensing parameters such as inlet/outlet temperature and filter differential pressure, are easily accessible and are checked in the following ways:
(1) by perturbing the monitored variable; or
(2) by introducing and varying, as appropriate, a substitute input to the sensor of the same nature as the measured variable; or
(3) by monitoring the parameter through other accurately calibrated instruments and comparing the output of sensors in use with the output of a calibrated instrument.

7.3.1.1.9.7.2 Module Checks
Temperature transmitters, flow controllers, and the damper actuators are easily accessible and are tested in the following ways:

(1) by introducing a variable input signal and monitoring the corresponding outputs by use of other calibrated instruments; or
(2) by introducing a steady input signal and forcing the output of the controller to change by varying the setpoint.

7.3.1.1.9.7.3 Channel Checks
After checks have been proven to be satisfactory at the module level, each channel is checked and monitored for satisfactory operation.

7.3.1.1.9.7.4 System Checks
After each channel has been checked and proven to be operating properly, the whole instrument and control system is tested jointly.

7.3.1.1.9.8 Environmental Considerations
Temperature, pressure, humidity, and radiation dosage are considered in selection of various equipment, instrumentation, and controls for the standby gas treatment system. These are described in detail in Section 3.11.

7.3.1.1.9.9 Operational Considerations
The standby gas treatment system is required during normal (for testing only) and abnormal station operating conditions. The automatic circuitry is designed to start the emergency equipment, if the signal for its initiation is received, as described in this Section. Provisions are made to allow manual control and operation of the standby gas treatment system from the main control room.

7.3.1.1.9.10 Supporting Systems
A fire protection system designed to supply station fire protection or shutdown service (as back up) water to each charcoal adsorber, has been provided. This system is described as follows:
(1) Two deluge valves, manually operated by a handswitch in the main control room, are mounted near charcoal adsorber. The deluge valves in parallel are connected to the station fire protection system and the shutdown service water system as a back up to the station fire protection system.
(2) One temperature sensor and temperature control unit with dual settings are provided for each charcoal absorber:
a. One set of contacts annunciates in the main control room on high temperature to alert the operator to rising charcoal temperature.
b. Another set of contacts provides annunciation at the main control panel on high-high temperature. The station operator may elect to flood the adsorber by opening a deluge valve with a control switch on the main control board.

c. Either contact closure on high or high-high temperature annunciates in the main control room. Two high temperature stages for annunciation are provided.

7.3.1.1.10 Suppression Pool Makeup System

7.3.1.1.10.1 System Identification
The suppression pool makeup system consists of two redundant lines from the upper containment pool to the suppression pool. Also included in the system are two motor-operated valves in each line along with suppression pool level instrumentation and the initiating circuitry to operate the valves.

7.3.1.1.10.2 Equipment Design
The suppression pool makeup system is designed to add water to the suppression pool following a LOCA so that there will be an increased supply of water to the ECCS pumps. Four differential pressure type level transmitters measure suppression pool level. Each provides a signal to an initiation circuit which opens the corresponding valves following a LOCA.

7.3.1.1.10.3 Power Sources
Two separate ESF buses provide power to the system. The valves in one line are powered from one of the buses. Similarly the valves in the other line are powered from the other bus. The level instrumentation and initiating circuits are powered from the same electrical separation division which power their associated valves.

7.3.1.1.10.4 Initiating Circuits
The Suppression Pool Makeup System is both manually and automatically initiated. The four level transmitters provide signals to corresponding trip units. Each trip unit contributes to a one-out-of-two logic which will initiate the opening of both valves in either line providing a LOCA has occurred. Each valve may be opened from the main control room during normal plant operation or after a LOCA. The reactor mode switch permissive in the suppression pool makeup system initiation circuitry has been removed. Two additional switches, one in each electrical separation division, have been added to replace the reactor mode switch permissive in each suppression pool makeup system initiation circuit (Q&R 421.3).
7.3.1.1.10.5 Logic and Sequencing
The suppression pool makeup system is automatically initiated by low-low suppression pool level signal if a LOCA signal is present. It can also be manually initiated. Automatic or manual initiation can occur only when the permissive switch is in the ENABLE position. There is no automatic sequencing of the suppression pool makeup system.
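The initiation logic of 7.3.1.1.10.4 and 7.3.1.1.10.5 can be checked exhaustively with a small model. The following is an added illustration, not taken from the USAR or from plant logic drawings; it assumes the four trip units are split two per division, and the division labels and fault list are constructed for the example.

```python
from dataclasses import dataclass, replace
from itertools import product

DIVISIONS = ("division_1", "division_2")  # constructed labels for the two makeup lines


@dataclass(frozen=True)
class DivisionInputs:
    trip_a: bool             # low-low pool level trip unit (True = tripped)
    trip_b: bool             # second trip unit of this division (assumed 2 + 2 split)
    loca: bool               # LOCA signal present in this division
    permissive_enable: bool  # permissive switch in the ENABLE position
    manual_initiate: bool = False


def line_opens(d):
    """True when the logic opens both valves in this division's makeup line."""
    if not d.permissive_enable:      # no initiation at all outside ENABLE
        return False
    automatic = (d.trip_a or d.trip_b) and d.loca   # one-out-of-two AND coincident LOCA
    return automatic or d.manual_initiate


def auto_actuations_without_loca():
    """Every trip-unit/permissive combination that opens a line with no LOCA
    and no manual demand. An empty list means the interlock holds."""
    return [
        (a, b, enable)
        for a, b, enable in product([False, True], repeat=3)
        if line_opens(DivisionInputs(a, b, loca=False, permissive_enable=enable))
    ]


# Constructed single-failure list: each entry overrides one input of one division.
FAULTS = {
    "trip unit A fails to trip": {"trip_a": False},
    "trip unit B fails to trip": {"trip_b": False},
    "LOCA signal lost": {"loca": False},
    "permissive switch not in ENABLE": {"permissive_enable": False},
}


def single_failure_report():
    """Apply one fault at a time to a real demand (LOCA, low-low level, both
    switches in ENABLE) and list the lines that still open."""
    demand = {d: DivisionInputs(True, True, True, True) for d in DIVISIONS}
    report = {}
    for div in DIVISIONS:
        for name, change in FAULTS.items():
            state = dict(demand)
            state[div] = replace(demand[div], **change)
            report[f"{div}: {name}"] = [d for d in DIVISIONS if line_opens(state[d])]
    return report


if __name__ == "__main__":
    print("spurious automatic actuations without LOCA:", auto_actuations_without_loca())
    for case, lines in single_failure_report().items():
        print(f"{case:50s} -> lines opened: {lines}")
```

A failed trip unit leaves both lines available because of the one-out-of-two vote, while a fault on a division's LOCA signal or permissive switch costs only that division's line.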

7.3.1.1.10.6 Bypasses and Interlocks
The reactor mode switch permissive (bypass) has been removed from the suppression pool makeup system initiation circuitry. Two additional switches, one in each electrical separation division, have been added to replace the reactor mode switch permissive. The switches, or other administrative measures, may be used to disable initiation of the suppression pool makeup system and prevent inadvertent actuation during refueling. The suppression pool makeup system is interlocked to prevent automatic actuation without a coincident LOCA.

7.3.1.1.10.7 Redundancy and Diversity
Two completely independent and redundant suppression pool makeup lines are provided, including independent and redundant logic systems and mechanical equipment. The two logic systems and their associated motor-operated valves are powered from separate ESF buses. Physical and electrical separation is maintained between the two systems. Diversity is assured by both automatic and manual initiation of the system.

7.3.1.1.10.8 Actuated Devices
The actuated devices of the suppression pool makeup system are the four motor-operated valves. All are provided with test capability and status indication in the main control room.

7.3.1.1.10.9 Separation
The two lines of the suppression pool makeup system along with their associated valves, controls and instrumentation are both physically and electrically separated from each other.

7.3.1.1.10.10 Testability
All components of the suppression pool makeup system are accessible and testable during normal plant operation and shutdown.

7.3.1.1.10.11 Environmental Conditions
All safety-related controls and instrumentation are qualified for the environment in which they are located under both normal and accident conditions.

7.3.1.1.10.12 Operational Considerations
Once the suppression pool makeup system is initiated, no further operator action is required.

7.3.1.1.11 Diesel Fuel Oil-Instrumentation and Controls

7.3.1.1.11.1 System Identification
The Diesel Fuel Oil Storage and Transfer System is designed to provide sufficient storage and supply capabilities of diesel fuel oil to ensure operation of the Emergency Diesel Generators for a minimum of 7 days at maximum post-LOCA load demands. The system consists of three independent subsystems, one for each of the three emergency diesel generators. Each subsystem is identical except for storage capacity and consists of a storage tank, transfer pump, day tank, and the associated piping, valves, strainers, filters, controls, and instrumentation to monitor system status and operation to ensure that the system satisfies the requirements. Each subsystem (division) is physically and electrically independent and separated from the other divisions. The diesel fuel oil transfer pump takes suction from the storage tank and discharges to the day tank. The diesel fuel oil booster pumps, integral to and driven by the diesel engines, obtain fuel oil from the day tanks and discharge to the diesel engine fuel manifolds. The booster pumps are part of the diesel generator system and are described in Subsection 9.5.4.

7.3.1.1.11.2 Power Sources
Each transfer pump and its controls and instrumentation receives power from its respective divisional ESF power bus that is capable of receiving standby power.

7.3.1.1.11.3 Equipment Design
Each subsystem is identical and therefore only one is described in the following Subsections. Each subsystem consists of storage tank and day tank level instrumentation, transfer pump controls, and transfer pump discharge pressure indication.

7.3.1.1.11.4 Initiating Circuits
Storage tank and day tank level is monitored by level transmitters which provide inputs to analog comparator trip units. The trip units will actuate annunciators in the main control room on low storage tank fuel oil level and low day tank fuel oil level. The day tank trip units and diesel generator running signals control the fuel oil transfer pump automatically. The transfer pumps may be manually started from the main control room.

7.3.1.1.11.5 Logic and Sequencing
The day tank level is controlled manually or automatically from the main control room by operating the transfer pump. By positioning handswitches in the START position, the transfer pump will start and transfer fuel oil from the storage tanks to the respective day tank. Placing the respective handswitch in the STOP position stops the transfer pump if the associated diesel engine is not running. The transfer pumps are controlled automatically by the fuel oil day tank level trip units. The first trip unit will start the transfer pump on low fuel oil level; the second will stop the pump on high fuel oil level only if the diesel engine is not running. Each transfer pump will start when its diesel engine has started, regardless of day tank fuel oil level.

7.3.1.1.11.6 Bypasses and Interlocks
No bypasses are provided for the diesel fuel oil system. The transfer pumps are interlocked with the diesel start signals.
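The transfer pump start/stop rules of 7.3.1.1.11.5 and 7.3.1.1.11.6 form a one-bit latch, which the following added example models and checks; it is not code or logic taken from the USAR. Two points are assumptions: the "NONE" handswitch value stands for no operator action, and a start demand is taken to win over a simultaneous stop demand, consistent with the statement in 7.3.1.1.11.10 that the pump can be tested with a full day tank.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Inputs:
    low_level: bool           # first day tank trip unit: low fuel oil level
    high_level: bool          # second day tank trip unit: high fuel oil level
    engine_running: bool      # diesel generator running signal
    handswitch: str = "NONE"  # "START", "STOP" or "NONE" (no operator action; assumed label)


def stop_permitted(x):
    """A stop demand (high level or STOP) is honoured only with the engine not running."""
    return (x.high_level or x.handswitch == "STOP") and not x.engine_running


def step(pump_on, x):
    """Next pump state for one scan of the logic. Start dominates stop (assumption)."""
    start = x.low_level or x.engine_running or x.handswitch == "START"
    if start:
        return True
    if stop_permitted(x):
        return False
    return pump_on            # no demand either way: the pump keeps its state


def run_trace(inputs, pump_on=False):
    """Pump state after each input in sequence."""
    states = []
    for x in inputs:
        pump_on = step(pump_on, x)
        states.append(pump_on)
    return states


# Constructed scenario, one entry per scan of the logic.
SCENARIO = [
    Inputs(False, False, False),           # standby, level between setpoints
    Inputs(True, False, False),            # low level: automatic start
    Inputs(False, False, False),           # level recovering: pump stays on
    Inputs(False, True, False),            # high level, engine off: automatic stop
    Inputs(False, True, True),             # engine starts with a full tank: pump starts
    Inputs(False, True, True, "STOP"),     # STOP with engine running: ignored
    Inputs(False, True, False),            # engine stopped, still high: pump stops
    Inputs(False, True, False, "START"),   # manual test run with a full tank
    Inputs(False, False, False, "STOP"),   # manual stop, engine off
]


def check_invariants():
    """The latch has one bit of state, so all 2 x 24 (state, input) pairs cover
    every reachable behaviour. Returns the list of violations found."""
    violations = []
    levels = product([False, True], repeat=3)
    alphabet = [Inputs(l, h, e, hs) for l, h, e in levels for hs in ("NONE", "START", "STOP")]
    for before, x in product([False, True], alphabet):
        after = step(before, x)
        if x.engine_running and not after:
            violations.append(("pump off while engine running", before, x))
        if x.low_level and not after:
            violations.append(("pump off at low day tank level", before, x))
        if before and not after and not stop_permitted(x):
            violations.append(("pump stopped without a permitted stop demand", before, x))
    return violations


if __name__ == "__main__":
    for x, on in zip(SCENARIO, run_trace(SCENARIO)):
        print(f"{x} -> pump {'ON' if on else 'OFF'}")
    print("violations:", check_invariants())
```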

7.3.1.1.11.7 Redundancy and Diversity
No control redundancy or diversity is provided within each subsystem. Each subsystem is independent of the other subsystems. Day tank fuel oil level indication redundancy and diversity is provided for by the use of a local tank connected level indicator and a remote electrical indicator in the main control room. The remote indicator receives its signal from a local tank connected level transmitter.

7.3.1.1.11.8 Actuated Devices
The diesel fuel oil system actuates only the transfer pumps and main control room annunciator.

7.3.1.1.11.9 Separation
Each diesel fuel oil subsystem is separated from the others. In order to maintain the required electrical separation, the logic circuits, cabling, and instrumentation are separated and mounted so that Division 1, 2, and 3 physical separation is maintained. There are no electrical or piping interconnections among the three subsystems.

7.3.1.1.11.10 Testability
Each transfer pump is capable of being tested at all times. Each transfer pump is started from the main control room and operation can be verified by observing the local transfer pump discharge pressure gauges and the respective storage and day tank fuel oil levels. If the day tank is full, the pump can be tested because the day tank is equipped with a recirculating overflow line which discharges back to the storage tank.

7.3.1.1.11.11 Environmental Considerations
The diesel fuel oil controls and instrumentation located in the main control room have been qualified for their environment. The transmitter modules used for storage tank and day tank fuel oil level sensing are located near the tank and are environmentally qualified to preclude a component or system failure.

7.3.1.1.11.12 Operational Considerations

7.3.1.1.11.12.1 General Information
The diesel fuel oil storage tanks are normally maintained filled. Each transfer pump supplies its respective fuel oil day tank. To ensure that each day tank is maintained near full, the transfer pump associated with each diesel generator will automatically start whenever the diesel generator is started or when a low fuel oil level trip for the day tank is actuated. An overflow line for each day tank will recirculate any excess fuel oil back to its respective storage tank.

7.3.1.1.11.12.2 Reactor Operator Information
Storage tank fuel oil level indication is provided for operator information in the main control room. Day tank fuel oil level indication is provided on a tank fuel oil level trip unit located in the main control room. Tank level alarms and transfer pump running, stopped, auto trip and control power available indications are also provided. Local indications are provided for transfer pump discharge pressure and day tank fuel oil level.

7.3.1.1.11.12.3 Set Points
Set points are determined based upon gallons of fuel oil. Level, measured in units of pressure by a level transmitter, is determined from:
(1) Tank geometry (number of gallons at a given level).
(2) Elevation of transmitter in relation to the sensing line tank connection elevation.

7.3.1.1.12 Diesel-Generator Room HVAC System Instrumentation and Controls

7.3.1.1.12.1 Power Supply
Ventilation equipment, instruments and controls for the Diesel-Generator Room Ventilation System are fed with power from an independent Class 1E safety power bus, which serves the same division as the diesel generator.

7.3.1.1.12.2 Initiating Circuits, Logic, and Sequencing
The instruments and controls for each Diesel-Generator Room Ventilation system function are described below:
(1) Diesel-Generator Room Vent Fans are started (i) manually by independent control switches provided on a benchboard in the main control room, (ii) automatically on a signal initiated by the respective diesel generator start sequence.
(2) The Diesel-Generator Room Vent Fans are stopped (i) manually by the same control switches on the MCB, (ii) automatically on receipt of (a) trip signal from the diesel generator and the room temperature less than or equal to the setpoint, (b) fire protection signal from the CO2 fire protection system.
(3) Diesel-Generator Oil Room Exhaust Fans are started manually by independent control switches provided in the main control room. The division 1 exhaust fan will automatically start when the remote shutdown panel transfer switch is turned to emergency.
(4) Diesel-Generator Oil Room Exhaust Fans are stopped (i) manually by the same control switches in the main control room, (ii) automatically on receipt of fire protection signal from the CO2 fire protection system.
(5) A temperature controller, located at the Diesel-Generator Room Vent Fan discharge modulates the outside air, return air and exhaust air dampers, when the Diesel Generator is in operation, to maintain the mixed air temperature at the predetermined setpoint.

7.3.1.1.12.3 Bypasses and Interlocks
The Diesel Generator Auto interlock to start and stop the ventilation fan is bypassed by the manual start and stop position of the control switch. Outside air, return air and exhaust air dampers are interlocked to energize at the initiation of the Diesel Generator Room Ventilation Fan. This interlock is not bypassed.

7.3.1.1.12.4 Redundancy/Diversity
Independent instruments and controls are provided for each independent diesel generator room ventilation system.

7.3.1.1.12.5 Actuated Devices
The following devices are actuated by the start of a diesel generator: (1) Diesel-Generator Room Ventilation Fan, (2) Outside air damper, (3) Return air damper, (4) Exhaust air damper.

7.3.1.1.12.6 Separation
The instrumentation and control circuits of each diesel generator room ventilation system are physically and electrically separated to preclude the possibility that a single failure affecting one diesel generator room ventilation system will prevent operation of the other subsystem.

7.3.1.1.12.7 Testability
Means have been provided for checking the operational availability of complete Diesel Generator Room Ventilation Control systems separately at sensor module and control channel basis and jointly as a complete system during the diesel operation or shutdown period. This is accomplished in the following ways, as appropriate.
7.3.1.1.12.7.1 Sensor Checks

Sensors required for sensing the loss of offsite power, diesel room ambient temperature, oil storage room ambient temperature, oil day tank room ambient temperature, supply air temperature, differential pressure across fans and the smoke detection are easily accessible and are checked in the following ways:

(1) by perturbing the monitored variable; or
(2) by introducing and varying, as appropriate, a substitute input to the sensor of the same nature as the measured variable; or
(3) by monitoring the parameter through other accurately calibrated instruments and comparing the output of sensors in use with the output of a calibrated instrument.

7.3.1.1.12.7.2 Module Checks

Temperature transmitters, controllers, current relays, auxiliary electric relays, smoke detection actuating module and the damper actuators are easily accessible and are tested in the following ways:

(1) by introducing a variable input signal and monitoring the corresponding outputs by use of other calibrated instruments; or
(2) by introducing a steady input signal and forcing the output of the controller to change by varying the setpoint; or
(3) by measuring the output of the controller and examining the damper position at corresponding input signals to the damper actuator.

All instruments used are of the high precision type and are calibrated for proper testing.

7.3.1.1.12.7.3 Channel Checks

After checks have been proven to be satisfactory at the module level, each channel is checked and monitored for satisfactory operation.

7.3.1.1.12.7.4 System Checks

After each channel has been checked and proved to be operating properly, the whole instrument and control system is tested jointly.

7.3.1.1.12.8 Environmental Considerations

Temperature, pressure, humidity, and radiation dosage are considered in the selection of instruments, controls and devices for the Diesel Generator Room Ventilation system. The environmental zone maps are shown in Section 3.11 and the ventilation system is discussed in Section 9.4.

7.3.1.1.12.9 Operational Considerations

The Diesel Generator Room Ventilation system is required during abnormal station operating conditions. Diesel fuel oil storage room and oil day tank room ventilation is provided during both normal and abnormal station operation conditions. The automatic circuitry is designed to start the emergency equipment if the signal for its initiation is received as described in Subsection 9.4.5.1.

7.3.1.1.12.10 Supporting Systems

A CO2 Fire Protection System has been provided to serve various areas of the diesel generator facility.

7.3.1.1.13 Shutdown Service Water Pump Room Ventilation System - Instrumentation and Controls

7.3.1.1.13.1 Power Supply

Cooling and Ventilation equipment, instruments and controls for the SSW Pump Room Cooling System are fed with power from an independent Class 1E safety power bus, which serves the same division as each respective SSW pump.

7.3.1.1.13.2 Initiating Circuits, Logic, and Sequencing

The instruments and controls for each Shutdown Service Water Pump Room Ventilation system function are described below:

(1) SSW pump room cooling fans are started (i) manually by independent control switches provided in the main control room, (ii) automatically on a signal initiated by the SSW pump start sequence, (iii) automatically by SSW pump room temperature in excess of the setpoint, (iv) manually by the emergency position of an independent selector switch on the remote shutdown panel (DIV. 1 ONLY).
(2) The SSW pump room cooling fans are stopped (i) automatically when both the SSW pump is shut down and the SSW pump room temperature falls below the setpoint, (ii) manually by the pull-to-lock position of independent control switches in the main control room, (iii) manually by the stop position of the independent control switches in the main control room only if the automatic interlock requirements have been satisfied.

7.3.1.1.13.3 Bypasses and Interlocks

(1) The SSW pump start and SSW pump room temperature automatic interlocks for cooling fan activation during the test mode are bypassed by the start position of an independent control switch located in the main control room. Automatic interlocks for DIV. 1 can also be bypassed during the test mode by the emergency position of an independent selector switch on the remote shutdown panel.
(2) The SSW cooling fan can be stopped only if the associated pump room temperature interlocks are satisfied.
(3) Cooling coil water valves are automatically interlocked with the cooling fan to open on fan start and close on fan stop. This interlock is not bypassed.

7.3.1.1.13.4 Redundancy/Diversity

Independent instruments and controls are provided for each redundant SSW Pump Room Cooling system.

7.3.1.1.13.5 Actuated Devices

The following devices are actuated by the start of the SSW Pump:

(1) SSW pump room cooling fan,
(2) Cooling coil valves.

7.3.1.1.13.6 Separation

The logic circuits of each SSW Pump Room Cooling system are physically and electrically separated to preclude the possibility that a single failure at one SSW Pump Room Cooling system will prevent operation of the other system. Electrical cables for instrumentation and control for each are routed separately.

7.3.1.1.13.7 Testability

Means have been provided for checking the operational availability of complete SSW Pump Room Cooling control systems separately at sensor module and control channel basis and jointly as a complete system during the pump operation or shutdown period. This is accomplished in the following ways, as appropriate.

7.3.1.1.13.7.1 Sensor Checks

Sensors required for sensing SSW Pump Room ambient temperature, differential pressure across fans etc., and time delay relays are easily accessible and are checked in the following ways:

(1) by perturbing the monitored variable; or
(2) by introducing and varying, as appropriate, a substitute input to the sensor of the same nature as the measured variable; or
(3) by monitoring the parameter through other accurately calibrated instruments and comparing the output of sensor in use with the output of a calibrated instrument.

7.3.1.1.13.7.2 Module Checks

Temperature transmitters, temperature relays, current relays, and auxiliary electric relays are easily accessible and are tested in the following ways:

(1) by introducing a variable input signal and monitoring the corresponding outputs by use of other calibrated instruments; or
(2) by introducing a steady input signal and forcing the output of the controller to change by varying the setpoint.

7.3.1.1.13.7.3 Channel Checks

After checks have been proven to be satisfactory at the module level, each channel is checked and monitored for satisfactory operation.

7.3.1.1.13.7.4 System Checks

After each channel has been checked and proved to be operating properly, the whole instrument and control system is tested jointly.

7.3.1.1.13.8 Environmental Considerations

Temperature, pressure, humidity, and radiation dosage are considered in the selection of various instruments, controls and devices for the SSW Pump Room Cooling system. These are described in detail in Section 3.11.

7.3.1.1.13.9 Operational Considerations

The SSW Pump Room Cooling system is required during normal and abnormal station operating conditions. SSW Pump Room ventilation is provided during both normal and abnormal station operation conditions. The automatic circuitry is designed to start the cooling equipment if the signal for its initiation is received as described in Subsection 9.4.5.4.

7.3.1.1.13.10 Supporting Systems

A Station Fire Protection System has been provided to serve the SSW Pump Rooms.

7.3.1.1.14 Essential Switchgear Heat Removal HVAC System - Instrumentation and Controls

7.3.1.1.14.1 Power Supply

Instruments and controls are fed from the same independent engineered safety buses feeding the associated essential switchgear heat removal HVAC system supply and exhaust fans.

7.3.1.1.14.2 Initiating Circuits, Logic, and Sequencing

The instruments and controls for heat removal systems are initiated as described below:

(1) Nuclear safety-related heat removal supply fans are automatically started when the equipment room ambient temperature rises above the high setpoint and stopped when the room ambient temperature drops below the reset value. The fans can be manually started and stopped by control switches located on the Balance-of-Plant benchboard in the main control room. Auto-signal can be overridden by the selection of pull-to-lock position on the control switch.
(2) Supply fan discharge isolation damper is energized to open at the same time the supply fan is initiated to start.
(3) The liquid line solenoid valves are energized to open as soon as the supply air pressure differential is established across the supply fan. This, in turn, starts the refrigeration condensing unit. When the supply fan stops as a result of the equipment room ambient temperature dropping to the reset value, supply air pressure differential decreases, resulting in the liquid line solenoid valve de-energizing and closing. This, in turn, causes the refrigerator compressor suction pressure to decrease, which results in unloading the compressor and stopping it upon further drop in load below the minimum capacity.
(4) Non-safety-related heat removal supply fans are selected to start or stop manually through a control switch located on Balance-of-Plant benchboard in the main control room. These fans are interlocked to stop automatically when the related nuclear safety-related supply fan starts. A pull-to-lock feature has been provided on the control switch.
(5) Supply fan discharge isolation damper is energized to open at the same time non-safety-related supply fan is initiated to start.
(6) The chilled water valve is modulated by a pneumatic temperature controller; switchgear room ambient temperature is sensed through a pneumatic temperature transmitter to maintain the room ambient temperature.
(7) Battery room exhaust fans are started and stopped manually through their respective control switch located at the Balance-of-Plant benchboard in the main control room.
(8) The fan discharge isolation dampers are interlocked with the related exhaust fan to start opening as soon as the respective exhaust fan is initiated to start and close as soon as the exhaust fan is initiated to stop.
(9) Return air fans are started and stopped manually through their respective control switches located at the Balance-of-Plant benchboard in the main control room.

7.3.1.1.14.3 Bypasses and Interlocks

(1) The non-safety-related supply fans are interlocked with their nuclear safety-related companion supply fans so that the non-safety-related fan will shut down if the safety-related fan was started. The non-safety-related fan will not start if the companion safety-related fan was running.
(2) Fan discharge isolation dampers are interlocked to open as soon as the associated supply fan is initiated to start.
(3) The liquid line solenoid valves are energized to open as soon as the supply air pressure differential is established across the supply fan, which starts when equipment room ambient temperature rises above a preset value. This, in turn, starts the refrigeration condensing unit. When the supply fan stops as a result of the equipment room ambient temperature dropping to the reset value, supply air pressure differential decreases, resulting in the liquid line solenoid valve de-energizing and closing. This, in turn, causes the refrigerator compressor suction pressure to decrease, which results in unloading the compressor and stopping it upon further drop in load below the minimum capacity. The low suction pressure is sensed by a pressure switch which will stop the compressor. The compressor will also be automatically stopped if abnormal operating conditions are detected.
(4) The nuclear safety-related fans are interlocked to shut down when the equipment room ambient temperature drops below the reset value.
(5) The nuclear safety-related fans are interlocked so that the room temperature controller is bypassed when selection of control switch to the manual start or stop position is made.
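The supply fan interlocks of 7.3.1.1.14.2 and 7.3.1.1.14.3 can be checked exhaustively with a small model. The following is an added example, not part of the USAR or of any plant software; the numeric setpoints, the `AUTO` (neutral) switch position, the per-scan `step` function and the `Train` type are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from itertools import product


class Switch(Enum):
    AUTO = "auto"                  # assumed neutral position: no manual demand
    START = "start"
    STOP = "stop"
    PULL_TO_LOCK = "pull-to-lock"


# Constructed numbers: the text names a high setpoint and a reset value
# but states no values or units for either.
HIGH_SETPOINT = 40.0
RESET_VALUE = 35.0


@dataclass(frozen=True)
class Train:
    safety_fan: bool = False       # nuclear safety-related supply fan running
    nonsafety_fan: bool = False    # non-safety-related companion fan running


def step(state, room_temp, safety_sw, nonsafety_sw):
    """Advance one scan; switch positions are treated as held for the scan."""
    if safety_sw in (Switch.STOP, Switch.PULL_TO_LOCK):
        safety = False                     # manual position bypasses the controller
    elif safety_sw is Switch.START:
        safety = True
    elif room_temp > HIGH_SETPOINT:
        safety = True                      # auto start above the high setpoint
    elif room_temp < RESET_VALUE:
        safety = False                     # auto stop below the reset value
    else:
        safety = state.safety_fan          # between the two values: hold

    if nonsafety_sw in (Switch.STOP, Switch.PULL_TO_LOCK):
        nonsafety = False
    elif nonsafety_sw is Switch.START:
        nonsafety = True
    else:
        nonsafety = state.nonsafety_fan    # manual-only fan keeps its state
    if safety:
        nonsafety = False                  # interlock: trips and cannot start
    return Train(safety, nonsafety)


def check_invariants():
    """Try every prior state, temperature band and switch pair; list failures."""
    violations = []
    temps = (RESET_VALUE - 1, (RESET_VALUE + HIGH_SETPOINT) / 2, HIGH_SETPOINT + 1)
    for s, n, temp, ssw, nsw in product((False, True), (False, True),
                                        temps, Switch, Switch):
        before = Train(s, n)
        after = step(before, temp, ssw, nsw)
        case = (before, temp, ssw.value, nsw.value)
        if after.safety_fan and after.nonsafety_fan:
            violations.append(("both supply fans running", case))
        if ssw is Switch.PULL_TO_LOCK and after.safety_fan:
            violations.append(("pull-to-lock did not override auto", case))
        if ssw is Switch.AUTO:
            if temp > HIGH_SETPOINT and not after.safety_fan:
                violations.append(("no auto start above high setpoint", case))
            if temp < RESET_VALUE and after.safety_fan:
                violations.append(("no auto stop below reset value", case))
            if RESET_VALUE <= temp <= HIGH_SETPOINT and after.safety_fan != s:
                violations.append(("state changed between the two values", case))
    return violations


def run_scenario():
    """Constructed sequence of scans: (room temp, safety switch, non-safety switch)."""
    scans = [
        (30.0, Switch.AUTO, Switch.START),         # operator starts non-safety fan
        (42.0, Switch.AUTO, Switch.AUTO),          # room heats past the high setpoint
        (37.0, Switch.AUTO, Switch.START),         # restart attempt is blocked
        (34.0, Switch.AUTO, Switch.AUTO),          # room cools below the reset value
        (42.0, Switch.PULL_TO_LOCK, Switch.AUTO),  # auto signal overridden
    ]
    state, trace = Train(), []
    for temp, ssw, nsw in scans:
        state = step(state, temp, ssw, nsw)
        trace.append((state.safety_fan, state.nonsafety_fan))
    return trace


if __name__ == "__main__":
    print("violations:", check_invariants())
    for row in run_scenario():
        print(row)
```

The enumeration deliberately includes the prior state with both fans running, which the interlock should never allow, to confirm that one scan clears it.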

7.3.1.1.14.4 Redundancy/Diversity

Independent instruments and controls are provided for each redundant Essential Switchgear Room Heat Removal system.

7.3.1.1.14.5 Actuated Devices

The following devices are actuated by the start of Switchgear Heat Removal system supply fans:

(1) Related fan discharge isolation dampers.
(2) Refrigeration condensing unit when related nuclear safety-related supply fan is started.
(3) Chilled water valve is activated to modulate as soon as the related non-safety-related fan is started.
(4) Exhaust fan discharge isolation dampers are actuated as soon as their respective fans are initiated to start.

7.3.1.1.14.6 Separation

The logic circuits of each Switchgear Heat Removal Control system are physically and electrically separated to preclude the possibility that a single failure at one Switchgear Heat Removal System will prevent operation of the other system. Electrical cables for instrumentation and control for each Switchgear Heat Removal System are routed separately.

7.3.1.1.14.7 Testability

Means have been provided for checking the operational availability of complete Switchgear Heat Removal Control system separately at sensor module and control channel level and jointly as a complete system during the ECCS operation or shutdown period. This is accomplished in the following ways, as appropriate.

7.3.1.1.14.7.1 Sensor Checks

Sensors required for the sensing of the loss of offsite power, Switchgear Heat Removal equipment cubicle ambient temperature, supply air temperature and differential pressure across fans are easily accessible and are checked in the following ways:

(1) by perturbing the monitored variable; or
(2) by introducing and varying, as appropriate, a substitute input to the sensor of the same nature as the measured variable; or
(3) by monitoring the parameter through other accurately calibrated instruments and comparing the output of sensor in use with the output of a calibrated instrument.

7.3.1.1.14.7.2 Module Checks

Temperature transmitters, controllers, current relays, auxiliary electric relays and the control valve actuator are easily accessible and are tested in the following ways:

(1) by introducing a variable input signal and monitoring the corresponding outputs by use of other calibrated instruments; or
(2) by introducing a steady input signal and forcing the output of the controller to change by varying the setpoint.

7.3.1.1.14.7.3 Channel Checks

After checks have been proven to be satisfactory at the module level, each channel is checked and monitored for satisfactory operation.

7.3.1.1.14.7.4 System Checks

After each channel has been checked and proved to be operating properly, the whole instrument and control system is tested jointly.

7.3.1.1.14.8 Environmental Considerations

Temperature, pressure, humidity, and radiation dosage are considered in the selection of various instruments, controls and devices for the Switchgear Heat Removal Control system. These are described in detail in Sections 3.11 and 9.4.

7.3.1.1.14.9 Operational Considerations

The Switchgear Heat Removal Control systems for all rooms are required to operate satisfactorily during normal and abnormal station operating conditions.

7.3.1.1.15 ECCS Equipment Room HVAC System - Instrumentation and Controls

7.3.1.1.15.1 Power Supply

Equipment, instruments and controls for the Emergency Core Cooling Ventilation System are fed with power from an independent Class 1E power bus, which serves the same division as the ECCS Ventilation equipment.

7.3.1.1.15.2 Initiating Circuits, Logic, and Sequencing

The instruments and controls for each Emergency Core Cooling Ventilation system function are described below:

(1) Except for the RHR heat exchanger rooms, each cooling fan will start automatically whenever the ECCS equipment in the respective cubicle is operated. Except for the HPCS, MSIV Inboard and MSIV Outboard room coolers, each cooling fan is interlocked to start automatically if the respective equipment cubicle ambient temperature rises above the high setpoint. The control valve on the cooling coils will open as soon as the cooling fan starts and close when the respective fan stops.

(2) Except for the MSIV Inboard and Outboard rooms, each fan can be started and stopped manually through a control switch located in the main control room. The MSIV Inboard and MSIV Outboard Room cooling fans can be started and stopped manually by control switches located on a local panel.
(3) The LPCS, RHR and RCIC pump room cooling fans will stop automatically whenever the ECCS equipment in the respective cubicle is shut down and the cubicle ambient temperature is normal. The RHR heat exchanger room cooling fans stop automatically only when cubicle ambient temperature returns to normal. HPCS, MSIV Inboard and MSIV Outboard room cooling fans are interlocked to stop automatically only when the respective ECCS equipment is shut down.

7.3.1.1.15.3 Bypasses and Interlocks

The ECCS Vent fan auto interlock to start and stop is bypassed by the manual start, pull-to-lock and stop positions of the control switch. The cooling coils two-position (open-close) control valve is interlocked to open as soon as the respective cooling fan is started; the valve will close as soon as the fan stops.

7.3.1.1.15.4 Redundancy/Diversity

Independent instruments and controls are provided for each redundant ECCS Equipment Room Ventilation system.

7.3.1.1.15.5 Actuated Devices

The following are ECCS Equipment Room HVAC actuated devices:

(1) ECCS Equipment Room vent fans
(2) ECCS Equipment Room cooling coil control valves

7.3.1.1.15.6 Separation

The logic circuits of each Emergency Core Cooling Ventilation control system are physically and electrically separated to preclude the possibility that a single failure at one ECCS Equipment Room will prevent operation of the other system. Electrical cables for instrumentation and control for each ECCS Room are routed separately.

7.3.1.1.15.7 Testability

Means have been provided for checking the operational availability of complete Emergency Core Cooling Ventilation system separately at sensor module and control channel level and jointly as a complete system during the ECCS operation or shutdown period. This is accomplished in the following ways, as appropriate.

7.3.1.1.15.7.1 Sensor Checks

Sensors required for the sensing of the loss of offsite power, ECCS equipment cubicle ambient temperature, supply air temperature and differential pressure across fans are easily accessible and are checked in the following ways:

(1) by perturbing the monitored variable; or
(2) by introducing and varying, as appropriate, a substitute input to the sensor of the same nature as the measured variable; or
(3) by monitoring the parameters through other accurately calibrated instruments and comparing the output of sensor in use with the output of a calibrated instrument.

7.3.1.1.15.7.2 Module Checks

Temperature transmitters, controllers, current relays, auxiliary electric relays and the control valve actuator are easily accessible and are tested in the following ways:

(1) by introducing a variable input signal and monitoring the corresponding outputs by use of other calibrated instruments; or
(2) by introducing a steady input signal and forcing the output of the controller to change by varying the setpoint.

7.3.1.1.15.7.3 Channel Checks

After checks have been proven to be satisfactory at the module level, each channel is checked and monitored for satisfactory operation.

7.3.1.1.15.7.4 System Checks

After each channel has been checked and proved to be operating properly, the whole instrument and control system is tested jointly.

7.3.1.1.15.8 Environmental Considerations

Temperature, pressure, humidity, and radiation dosage are considered in the selection of various instruments, controls and devices for the Emergency Core Cooling Ventilation system. These are described in detail in Section 3.11.

7.3.1.1.15.9 Operational Considerations

The Emergency Core Cooling Ventilation systems for all rooms are required to operate satisfactorily during normal and abnormal station operating conditions. The automatic circuitry is designed to start the emergency equipment if the signal for its initiation is received as described in Subsection 9.4.5.3.

7.3.1.1.16 Suppression Pool Cooling Mode-(RHR) - Instrumentation and Controls

7.3.1.1.16.1 System Identification

Suppression pool cooling is an operating mode of the Residual Heat Removal System. It is designed to provide the capability of removing heat from the suppression pool water volume. The system is manually initiated when necessary.

7.3.1.1.16.2 Power Sources

Power for the RHR system is supplied from two ac buses that can receive standby ac power. Motive and control power for the two loops of suppression pool cooling instrumentation and control equipment are the same as that used for LPCI A and LPCI B; see Subsection 7.3.1.1.1.6.

7.3.1.1.16.3 Equipment Design

Control and instrumentation for the following equipment is required for this mode of operation:

(1) Two RHR main system pumps,
(2) Pump suction valves, and
(3) Suppression pool discharge valves.

Suppression pool cooling uses two pump loops, each loop with its own separate discharge valve. All components pertinent to suppression pool cooling operation are located outside of the drywell. The suppression pool cooling mode is manually initiated from the main control room. This mode is put into operation to limit the water temperature in the suppression pool.

7.3.1.1.16.4 Initiating Circuits

Initiation of suppression pool cooling is performed manually by the control room operator. Initiation of suppression pool cooling "B" is identical to that of "A".

7.3.1.1.16.5 Logic and Sequencing

The operating sequence of suppression pool cooling following receipt of the necessary initiating signals is as follows:

(1) The RHR system pumps continue to operate.
(2) Valves in other RHR modes are manually positioned or remain as positioned during LPCI.
(3) The service water pumps are started.
(4) Service water discharge valves to the RHR heat exchanger are opened.

The suppression pool cooling mode will continue to operate until the operator closes the suppression pool cooling discharge valves. The operator can then initiate another mode of RHR.

7.3.1.1.16.6 Bypasses and Interlocks

The suppression pool cooling mode is interlocked with the reactor low water and reactor low pressure. Once reactor vessel water level is restored, LPCI manual override is provided by the LPCI valve control switch in the close position.

7.3.1.1.16.7 Redundancy and Diversity

Redundancy is provided for the suppression pool cooling function by two separate logics, one for each loop.

7.3.1.1.16.8 Actuated Devices

Drawing E02-1RH99 shows functional control arrangement of the suppression pool cooling mode. The RHR A and RHR B loops are utilized for suppression pool cooling. Therefore, the pump and valves are the same for LPCI and suppression pool cooling except that each mode has its own discharge valves.

7.3.1.1.16.9 Separation

Suppression pool cooling is a Division 1 (RHR A) and a Division 2 (RHR B) system. Manual control, logic circuits, cabling, and instrumentation for suppression pool cooling are mounted so that Division 1 and Division 2 separation is maintained.

7.3.1.1.16.10 Testability

Suppression pool cooling is capable of being tested during normal operation.

Testing for functional operability of the control logic can be accomplished by use of continuous automatic pulse testing. The Automatic Pulse Test (APT), the sixth test, in RPS Testability 7.2.1.4.8 is also applicable here for the suppression pool cooling function of RHR. Other control equipment is functionally tested during manual testing of each loop. Indication in the form of panel indicators and annunciators is provided in the control room.

7.3.1.1.16.11 Environmental Conditions

Refer to Section 3.11 for environmental qualifications of the system components.

7.3.1.1.16.12 Operational Considerations

7.3.1.1.16.12.1 General Information

Suppression pool cooling is a mode of the RHR and can be used during normal power operation to limit suppression pool temperature.

7.3.1.1.16.12.2 Reactor Operator Information

Sufficient temperature, flow, pressure, and valve position indications are available in the main control room for the operator to accurately assess suppression pool cooling operation. Alarms and indications are shown in drawing E02-1RH99.

7.3.1.1.16.12.3 Set Points

There are no set points. The system is manually initiated.

7.3.1.1.17 CGCS Equipment Cubicle Cooling System

7.3.1.1.17.1 System Identification

The CGCS Equipment Cubicle Cooling System is designed to remove equipment heat from the CGCS equipment cubicles and maintain temperatures within the equipment design limits.

There are two redundant systems in separate cubicles and each cubicle is provided with an independent cooling system. The controls and instrumentation for each cooling system are independent.

7.3.1.1.17.2 Power Supply

Equipment controls and instrumentation for each CGCS Equipment Cubicle Cooling System train are powered from a separate Class 1E power source.

7.3.1.1.17.3 Equipment Design

The controls and instrumentation of the CGCS Equipment Cubicle Cooling System are safety-related. The instrumentation and power supply are designed to meet IEEE-279 and IEEE-308 criteria.

7.3.1.1.17.4 Initiating Circuits and Logic

The instrument and control functions for each CGCS Equipment Cubicle Cooling System train are described below:

1. Each cubicle cooling fan will automatically start when the respective CGCS equipment starts. The fan can be started manually from a control switch on the local control panel.
2. Each cubicle fan will be automatically stopped when its respective CGCS equipment is not running.

7.3.1.1.17.4.1 Indication and Annunciation

Indication and annunciation are provided as follows:

1. Each control switch is provided with ON, AUTO-TRIP and OFF indicating lights showing the operating status of the fan-coil unit.
2. Each fan trip is also annunciated on the local control panel.

3. A common trouble alarm is provided in the main control room.
4. A local differential pressure indication is provided for each fan-coil unit.

7.3.1.1.17.5 Bypass and Interlocks

1. The fan-coil unit will not run when its respective control switch is in pull-to-lock position.
2. A motor-operated valve controlling the flow of water to each fan-coil unit automatically opens when its associated fan is started and cannot be closed until its associated fan is stopped.

7.3.1.1.17.6 Redundancy and Diversity

The CGCS Equipment Cubicle Cooling System is designed with redundancy. The controls for each train are separate and independent.

7.3.1.1.17.7 Actuated Devices

Starting any of the fans opens the motor-operated valve supplying water from the shutdown service water system to the associated cooling coil in the fan-coil unit.

7.3.1.1.17.8 Testability

Means have been provided for checking the operational availability of complete CGCS Equipment Cubicle Cooling System separately at sensor, module, and control channel level and jointly as a complete system during normal operation or shutdown period. This is accomplished in the following ways, as appropriate.

7.3.1.1.17.8.1 Sensor Checks

Sensors are easily accessible and checked in the following ways:

(1) by perturbing the monitored variable; or
(2) by introducing and varying, as appropriate, a substitute input to the sensor of the same nature as the measured variable; or
(3) by monitoring the parameter through other accurately calibrated instruments and comparing the output of sensors in use with the output of a calibrated instrument.

7.3.1.1.17.8.2 Module Checks

Modules are easily accessible and are tested in the following ways:

(1) by introducing a variable input signal and monitoring the corresponding outputs by use of other calibrated instruments; or
(2) by introducing a steady input signal and forcing the output of a controller to change by varying the setpoint.

7.3.1.1.17.8.3 Channel Checks

After checks have been proven to be satisfactory at the module level, each channel is checked and monitored for satisfactory operation.

7.3.1.1.17.8.4 System Checks

After each channel has been checked and proven to be operating properly, the whole instrument and control system is tested jointly.

7.3.1.1.17.9 Environmental Conditions

All safety-related controls and instrumentation are qualified for the environment in which they are located under both normal and accident conditions.

7.3.1.1.17.10 Operational Considerations

The system is designed so that no operator action is required for the system to function normally; however, manual operation is also possible. Sufficient indications and alarms are provided for operator interaction, if needed, and monitoring.

7.3.1.1.18 Reactor Core Isolation Cooling System

This system is discussed in Section 7.4.1.1.

7.3.1.1.19 Feedwater Leakage Control Mode (FWLC) - Instrumentation and Controls

7.3.1.1.19.1 System Identification

Feedwater leakage control is an operating mode of the Residual Heat Removal System. In this mode, RHR flow is diverted to create a water seal on the outboard feedwater system containment isolation check valves (1B21-F032A/B) and gate valves (1B21-F065A/B) after a DBA LOCA to prevent the release of containment atmosphere through the feedwater piping release path. It is required to be manually initiated approximately 20 minutes after a DBA LOCA.

Opening of the valves is prevented by signals from pressure switches if feedwater line pressures are greater than the RHR line maximum operating pressure. The RHR system is shown in P&ID M05-1075.

7.3.1.1.19.2 Power Sources

The instrumentation and controls of the two FWLC valves are powered by separate 120 Vac divisional power that can receive standby ac power. Each of the two loops is powered by a different division.

7.3.1.1.19.3 Equipment Design

The feedwater leakage control valves are designed to divert flow from the RHR LPCI, suppression pool cooling, or containment spray modes without reducing flow in those modes below the modes' functional design bases. Pressure switches provide permissives to ensure the FWLC valves are not inadvertently opened when feedwater pressure is above the operational pressure of the RHR system.

7.3.1.1.19.4 Initiating Circuits

The feedwater leakage control valves are manually initiated from the main control room.

7.3.1.1.19.5 Logic and Sequencing

The sequence of manual initiation of the FWLC mode is described in Section 5.4.7.2.6 (2). The logic of the valve permissives is described in Section 7.3.1.1.19.6.

7.3.1.1.19.6 Bypasses and Interlocks

Permissives are provided to ensure that the Division 1 FWLC valve is not opened, or does not remain open, unless both feedwater isolation valves (1B21-F065A and 1B21-F065B) are closed and the pressure in the feedwater lines is low enough as not to exceed the maximum operation pressure of the Division 1 RHR system. Permissives are also provided to ensure that the Division 2 FWLC valve is not opened, or does not remain open, unless the pressure in the feedwater lines is low enough as not to exceed the maximum operation pressure of the Division 2 RHR system.

7.3.1.1.19.7 Redundancy and Diversity

Redundancy is provided for the FWLC function by two separated divisional loops.

7.3.1.1.19.8 Actuated Devices

The actuated devices for the FWLC mode are the two FWLC motor operated valves.

7.3.1.1.19.9 Separation

FWLC is a Division 1 (RHR A) and Division 2 (RHR B) subsystem. Manual controls, logic circuits, cabling, and instrumentation for FWLC are mounted so that Division 1 and Division 2 separation is maintained.

7.3.1.1.19.10 Testability

The FWLC mode will be tested in reactor modes 4 or 5.

7.3.1.1.19.11 Environmental Considerations

FWLC electrical cables are environmentally qualified for the harsh areas in which they are located. All other instrumentation and control components are located in mild environmental areas and therefore do not require environmental qualification.

7.3.1.1.19.12 Operational Considerations

7.3.1.1.19.12.1 General Information

The FWLC mode will not be initiated until approximately 20 minutes after a LOCA. The FWLC mode can be utilized during operation of RHR in the LPCI, suppression pool cooling, or containment spray cooling modes.

7.3.1.1.19.12.2 Reactor Operator Information

Valve position indications are available in the main control room (indicator lights and computer output). RHR system out-of-service annunciation is provided for FWLC valve overload or power loss.

7.3.1.1.19.12.3 Set Points

Setpoints for the pressure switch permissives are shown in the Instrumentation Setpoint Log.

7.3.1.2 Design Basis Information

IEEE Standard 279 defines the requirements for design bases. Using the IEEE 279 format, the following nine Paragraphs fulfill this requirement for systems and equipment described in this Section.

7.3.1.2.1 Conditions

The plant conditions which require protective action involving the systems of this Section and other Sections are examined and presented in Chapter 15, Appendix 15A.

7.3.1.2.2 Variables

The plant variables which require monitoring to provide protective actions for ECCS and containment isolation functions are identified in the Design Specification Data Sheets and the CPS Technical Specifications. For other ESF described, refer to the individual system discussions or to Chapter 15 where safety analysis parameters for each event are cited.

7.3.1.2.3 Numbers of Sensors and Location

The number of instrument channels provided to monitor each variable are depicted in Tables 7.3-7 thru 7.3-11. The minimum number of channels required are listed in CPS Technical Specifications. For other ESF described, refer to the individual system discussions or to Chapter 15 where safety analysis parameters for each event are cited.

7.3.1.2.4 Operational Limits

Operational limits for each safety-related variable trip setting are selected to be far enough above or below normal operating levels so that a spurious ESF system initiation is avoided. It is then verified by analysis that the release of radioactive materials, following postulated gross failures of the fuel or the nuclear system process barrier, is kept within acceptable bounds.

7.3.1.2.5 Margin Between Operational Limits

The margin between operational limits and the limiting conditions of operation for the ESF systems are those parameters as listed in the Technical Specifications and the Operational Requirements Manual (ORM) for the ECCS. The margin includes the consideration of sensor accuracy, response times and set point drift. Suitable indication is provided to alert the reactor operator of the onset of unsafe conditions.

7.3.1.2.6 Levels Requiring Protective Action

Levels requiring protective action are listed in trip level settings CPS Operational Requirements Manual.

7.3.1.2.7 Range of Energy Supply and Environmental Conditions of Safety Systems

(See Table 3.11-5 and Subsection 3.1.2.1.4.1 for environmental conditions and Chapter 8 for the range of energy supply.)

CRVICS channel, logic and main steam line isolation valve 120 Vac power is provided by the NSPS buses. The CRVICS circuitry will operate without failure within the range of -10% to +10% of rated voltage. ECCS 125 Vdc power is provided by the station batteries, the HPCS battery, and the 125 Vdc Division 4 battery. ECCS 120 Vac power is provided by the NSPS buses. ESF systems motor-operated valve power is supplied from motor control centers provided with essential power sources.

7.3.1.2.8 Malfunctions, Accidents, and Other Unusual Events Which Could Cause Damage to Safety System

Chapter 3 covers the description of the following credible accidents and events: floods, storms, tornados, earthquakes, fires, LOCA, pipe break outside containment, and feedwater line break. Each of these events is discussed below for the ESF systems and ECCS.

Floods

The buildings containing ESF systems and ECCS components have been designed to meet the PMF (Probable Maximum Flood) at the site location. This ensures that the buildings will remain water-tight under PMF conditions including wind generated wave action and wave runup.

Storms and Tornados

The buildings containing ESF components have been designed to withstand meteorological events described in Section 3.3.2. for miscellaneous station property during a postulated tornado, but this will not impair the protection system capabilities.

Earthquakes

The structures containing ESF components have been seismically qualified as described in Sections 3.7 and 3.8, and will remain functional during and following a safe shutdown earthquake (SSE). Seismic qualification of instrumentation and electrical equipment is discussed in Section 3.10.

Fires

To protect the ESF systems in the event of a postulated fire, the redundant portions of the systems are separated by fire barriers. If a fire were to occur within one of the sections or in the area of one of the panels, the ESF systems functions would not be prevented by the fire. The use of separation and fire barriers ensures that even though some portion of the systems may be affected, the ESF systems will continue to provide the required protective action. Fire protection systems and program are discussed in Subsection 9.5.1, and the Clinton Power Station Fire Protection Evaluation Report.

LOCA

The following ESF system components are located inside the drywell and would be subjected to the effects of a design basis loss-of-coolant accident (LOCA):

Reactor vessel pressure and reactor vessel water level instrument taps and sensing lines and drywell pressure sensing lines, which terminate outside the drywell. These items have been environmentally qualified to remain functional during and following a LOCA as discussed in Section 3.11 and indicated in Table 3.11-5.

7.3.1.2.9 Minimum Performance Requirements

The Operational Requirements Manual provides instrument setpoints and response time requirements which incorporate the effects of instrument performance such as accuracy, range, magnitude and rates of change of sensed variables. Further descriptions of instrument performance requirements are included in the applicable System Design Specifications and Engineering Calculations.

7.3.1.3 Final System Drawings

Logic, schematic, electrical interconnection which were supplied under separate cover are discussed in Section 1.7.1.

7.3.2 Analysis

7.3.2.1 Emergency Core Cooling Systems (ECCS) - Instrumentation and Controls

7.3.2.1.1 General Functional Requirement Conformance

Chapters 15.0, "Accident Analyses," and 6.0, "Engineered Safety Features," evaluate the individual and combined capabilities of the emergency core cooling systems. For the entire range of nuclear process system break sizes, the cooling systems prevent fuel cladding temperatures from exceeding the limits of 10 CFR 50.46.

Instrumentation for the emergency core cooling systems must respond to the potential inadequacy of core cooling regardless of the location of a breach in the reactor coolant pressure boundary. Such a breach inside or outside the containment is sensed by reactor low water level. The reactor vessel low water level signal is the only emergency core cooling system initiating function that is completely independent of breach location. Consequently, it can actuate HPCS, LPCS, and LPCI. The other major initiating function, drywell high pressure, is provided because pressurization of the drywell will result from any significant nuclear system breach anywhere inside the drywell.

The initiation of the automatic depressurization system, by employing both reactor vessel low water level and drywell high pressure in coincidence, requires that the nuclear system breach be inside the drywell. For a nuclear system breach outside the drywell but inside containment, only a reactor vessel low water level signal, two sequential time delays, and an ECCS pump running signal are required for initiation of the ADS. This control arrangement is satisfactory in view of the automatic isolation of the reactor vessel for breaches outside the drywell and because the automatic depressurization system is required only if the HPCS fails.

An evaluation of emergency core cooling systems controls shows that no operator action is required to initiate the correct responses of the emergency core cooling systems. However, the control room operator can manually initiate every essential operation of the emergency core cooling systems. Alarms and indications in the control room allow the operator to assess situations that require the emergency core cooling system and verify the responses of each system. This arrangement limits safety dependence on operator judgment, and design of the emergency core cooling systems control equipment has appropriately limited response.

The redundancy of the control equipment for the emergency core cooling systems is consistent with the redundancy of the cooling systems themselves. The arrangement of the initiating signals for the emergency core cooling systems, as shown in Figures 7.3-7 and 7.3-8, is also consistent with the arrangement of the systems themselves. No failure of a single initiating trip channel can prevent the start of the cooling systems when required or inadvertently initiate these same systems.

An evaluation of the control schemes for each emergency core cooling system component shows that no single control failure can prevent the combined cooling systems from providing the core with adequate cooling. In performing this evaluation the redundancy of components and cooling systems was considered. The minimum number of trip channels required to maintain functional performance is given in Tables 7.3-8, 7.3-9, 7.3-10, and 7.3-11. Determinations of these minimums considered the use and redundancy of sensors in control circuitry and the reliability of the controlled equipment in any individual cooling system.

The control arrangement used for the automatic depressurization system is designed to avoid spurious actuation (see Table 7.3-9). The ADS relief valves are controlled by two trip systems per division, both of which must be in the tripped state to allow system initiation.
Within each trip system, either a coincident low reactor water level trip and 6-minute time delay, or a coincident high drywell pressure trip and low reactor water level trip are required in addition to a 105-second time delay to initiate a trip system. The conditions represented by Tables 7.3-8, 7.3-9, 7.3-10 and 7.3-11 are a result of a functional analysis of each individual emergency core cooling system. Because of the redundant methods of supplying cooling water to the fuel in a loss-of-coolant accident situation and because fuel cooling must be assured in such a situation, the minimum trip channel conditions in the referenced tables exceed those required operationally to assure core cooling capability.
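The ADS trip-system arrangement described above can be exercised against single sensor faults with a small model. This is an added example, not code from the USAR or the plant; the one-sensor-pair-per-trip-system layout, the trip-system labels "A" and "B", the latching of tripped signals, and the use of the ECCS pump running signal as a division-level permissive on both paths are modelling assumptions.

```python
"""Constructed model of the ADS initiation logic described in 7.3.2.1.1."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

BYPASS_TIMER_S = 6 * 60    # "6-minute time delay" in the text
INITIATION_TIMER_S = 105   # "105-second time delay" in the text
TRIP_SYSTEMS = ("A", "B")  # hypothetical labels: two trip systems per division
DIVISIONS = (1, 2)


@dataclass(frozen=True)
class TripSystemInputs:
    """Time in seconds at which each sensor trips; None means it never trips.

    Assumption: once a sensor trips it stays tripped (no reset is modelled).
    """
    low_level_at: Optional[float] = None
    high_drywell_at: Optional[float] = None


Plant = Dict[Tuple[int, str], TripSystemInputs]


def make_plant(low_level_at, high_drywell_at) -> Plant:
    """Give all four trip systems the same healthy sensor behaviour."""
    return {(d, s): TripSystemInputs(low_level_at, high_drywell_at)
            for d in DIVISIONS for s in TRIP_SYSTEMS}


def trip_system_time(inp: TripSystemInputs) -> Optional[float]:
    """Time at which one trip system reaches the tripped state."""
    if inp.low_level_at is None:
        return None  # low water level is needed on both paths
    # Path 1: low level alone, after the 6-minute delay.
    armed = inp.low_level_at + BYPASS_TIMER_S
    # Path 2: low level coincident with high drywell pressure.
    if inp.high_drywell_at is not None:
        armed = min(armed, max(inp.low_level_at, inp.high_drywell_at))
    return armed + INITIATION_TIMER_S


def division_time(plant: Plant, division: int, pump_running: bool = True):
    """Two-out-of-two: both trip systems of the division must be tripped."""
    times = [trip_system_time(plant[(division, s)]) for s in TRIP_SYSTEMS]
    if not pump_running or any(t is None for t in times):
        return None
    return max(times)


def ads_time(plant: Plant, pump_running: bool = True):
    """Earliest initiation by either division, or None if ADS never initiates."""
    times = [division_time(plant, d, pump_running) for d in DIVISIONS]
    return min((t for t in times if t is not None), default=None)


def single_fault_sweep(plant: Plant, stuck_tripped: bool):
    """Inject every single-sensor fault in turn and record the ADS outcome.

    stuck_tripped=True forces the sensor tripped from t=0 (spurious signal);
    stuck_tripped=False forces it never to trip (failure to respond).
    """
    forced = 0.0 if stuck_tripped else None
    results = {}
    for key, inputs in plant.items():
        for sensor in ("low_level_at", "high_drywell_at"):
            faulted = dict(plant)
            faulted[key] = replace(inputs, **{sensor: forced})
            results[(key, sensor)] = ads_time(faulted)
    return results


if __name__ == "__main__":
    # Constructed scenarios; times are illustrative, not plant data.
    quiet = make_plant(None, None)          # no demand
    inside = make_plant(30.0, 10.0)         # breach inside the drywell
    outside = make_plant(30.0, None)        # breach outside the drywell
    print("inside drywell :", ads_time(inside), "s")
    print("outside drywell:", ads_time(outside), "s")
    spurious = single_fault_sweep(quiet, stuck_tripped=True)
    print("spurious initiations:", sum(t is not None for t in spurious.values()))
    blocked = single_fault_sweep(inside, stuck_tripped=False)
    print("failures to initiate:", sum(t is None for t in blocked.values()))
```

In the model, a single sensor stuck in the tripped state trips at most one trip system, so the two-out-of-two requirement keeps the division from initiating; a single sensor that never trips disables at most one division while the other still initiates.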

The only equipment protective devices that can interrupt planned emergency core cooling system operation are those that must act to prevent complete failure of the component or system. In no case can the action of a protective device prevent other redundant cooling systems from providing adequate cooling to the core. Controls for ECC systems are located in the main control room and are under supervision of the main control room operator. The environmental capabilities of instrumentation for the emergency core cooling systems are discussed in the descriptions of the individual systems. Components that are located inside the drywell and are essential to emergency core cooling system performance are designed to operate in the drywell environment resulting from a loss-of-coolant accident. Essential instruments located outside the drywell are also qualified for the environment in which they must perform their essential function.

Special consideration has been given to the performance of reactor vessel water level sensors, pressure sensors, and condensing chambers during rapid depressurization of the nuclear system. (See Supplement 1 of NEDO-24708 - "Additional Information Required for NRC Staff Generic Report on Boiling Water Reactors".)

Capability for emergency core cooling following a postulated accident may be verified by observing the following indications:

(1) annunciators and status lights for HPCS, LPCS, LPCI and ADS,
(2) flow and pressure indications for each emergency core cooling system,
(3) valve position lights indicating open or closed valves,
(4) relief valve position inferred from reactor pressure indications and discharge pipe temperature monitors,
(5) supplementary performance monitoring system logging of trips in the emergency core cooling network.

A system failure analysis is provided and discussed in Section 6.3, "Emergency Core Cooling System."

7.3.2.1.2 Specific Regulatory Requirements Conformance

The following compliance statements are applicable to all modes of RHR operation (i.e., containment spray mode, suppression pool cooling mode, and shutdown cooling mode) to the extent stated in the related compliance Sections of Subsections 7.3.2 and 7.4.2.

7.3.2.1.2.1 Regulatory Guides

7.3.2.1.2.1.1 Regulatory Guide 1.6

In accordance with Regulatory Guide 1.6, ECCS electric power loads are divided into Division 1, Division 2 and Division 3 so that loss of any one division will not prevent the minimum safety functions from being performed. No interconnections exist which can compromise redundant power sources.

7.3.2.1.2.1.2 Regulatory Guide 1.11

Conformance to this Regulatory Guide is discussed in Subsection 6.2.4.

7.3.2.1.2.1.3 Regulatory Guide 1.22

Conformance to this regulatory guide is achieved by providing system and component testing capabilities either during reactor power operation or shutdown.

7.3.2.1.2.1.4 Regulatory Guide 1.29

Instrumentation is classified as Seismic I and is covered under Subsection 3.10.

7.3.2.1.2.1.5 Regulatory Guide 1.30

The requirements for the installation, inspection, and testing included in ANSI N45.2.4 (IEEE Std. 336) have been implemented during construction phase. Conformance to IEEE 336-1971 (ANSI N45.2.4-1972) is discussed in conjunction with Regulatory Guide 1.30. Refer to USAR Section 1.8.

7.3.2.1.2.1.6 Regulatory Guide 1.32

Conformance is described in the conformance to General Design Criterion 17 and Industry Standard IEEE 308. Also see Subsection 7.1.2.6.8.

7.3.2.1.2.1.7 Regulatory Guide 1.47

Automatic indication is provided in the control room to inform the operator that a system is inoperable. Indication is provided to show that either a system or a part of a system is not operable. An example of automatic indication of ECCS inoperability is demonstrated by the instruments which form part of a one-out-of-two-twice logic and can be removed from service for calibration. The importance of providing accurate information for the reactor operator and reducing the possibility for the indicating equipment to adversely affect its monitored safety system are discussed in the following Paragraphs:

(1) Individual indicators are arranged together on the main control room panel to indicate what function of the system is out of service, bypassed or otherwise inoperable. All bypass and inoperability indicators, both at a system level and component level, are grouped only with those items that will prevent a system from operating if needed.

(2) As a result of design, preop testing and startup testing, no erroneous bypass indication is anticipated.

(3) These indication provisions serve to supplement administrative controls and aid the operator in assessing the availability of component and system level protective actions. This indication does not directly provide safety functions.

(4) The annunciator initiation signals are provided through isolation devices and cannot prevent required protective actions.

(5) Each indicator, which can be individually tested, will be provided with dual lamps. Testing of these indicators is accomplished when the associated equipment is periodically tested.

Also see Subsection 7.1.2.6.11.

7.3.2.1.2.1.8 Regulatory Guide 1.53

Compliance with NRC Regulatory Guide 1.53 is achieved by specifying, designing, and constructing the emergency core cooling systems so that they meet the single failure criterion described in Section 4.2 of IEEE 279 and IEEE 379. Redundant sensors are used, and the logic is arranged to reduce the possibilities that a failure in a sensing element or the decision logic or an actuator will prevent or spuriously initiate protective action. Separated channels are employed, so that a fault affecting one channel will not prevent the other channels from operating properly.

Facilities for testing are provided so that the equipment can be operated in various test modes to confirm that it will operate properly when called upon. Testing incorporates all elements of the system under one test mode or another, including sensors, logic, actuators, and actuated equipment. The testing is planned to be performed at intervals so that there is an extremely low probability of failure in the periods between tests. During testing there are always enough channels and systems available for operation to provide proper protection.

7.3.2.1.2.1.9 Regulatory Guide 1.62

Means are provided for manual initiation of Emergency Core Cooling at the system level through the following armed pushbutton switches:

(1) HPCS: One switch in Division 3
(2) ADS: Four switches, two in Division 1 and two in Division 2
(3) LPCS/LPCI (RHR) A: One switch in Division 1
(4) LPCI (RHR) B/LPCI (RHR) C: One switch in Division 2

Operation of these switches accomplishes the initiation of all actions performed by the automatic initiation circuitry. The amount of equipment common to initiation of both manual and automatic emergency core cooling is kept to a minimum through implementation of manual initiation of emergency core cooling at the final devices of the protection system. No failure in the manual, automatic or common portions of the protection system will prevent initiation of a sufficient amount of emergency core cooling equipment by manual or automatic means. Manual initiation of emergency core cooling, once initiated, goes to completion as required by IEEE 279 Section 4.16.

7.3.2.1.2.1.10 Regulatory Guide 1.63

Conformance to Regulatory Guide 1.63 is discussed in Subsection 8.1.6.1.12.

7.3.2.1.2.1.11 Regulatory Guide 1.75

Separation within the ECCS is such that controls, instrumentation, equipment and wiring is segregated into four separate divisions designated 1, 2, 3 and 4. Control and motive power separation is maintained in the same manner. Separation is provided to maintain the independence of the 4 divisions of circuit and equipment so that the protection functions required during and following any design basis event can be accomplished.

(1) All redundant equipment and circuits within ECCS require divisional separation. All pertinent documents and drawings identify in a distinctive manner separation and safety related status for each redundant division.

(2) All redundant circuits and equipment are located within safety class enclosures. Separation is achieved by barriers, isolation devices and/or physical distance. This type of separation between redundant systems assures that a single failure of one system will not affect the operation of the other redundant system.

(3) The separation of redundant Class 1E circuits and equipment within the ECCS is such that no physical connections are made between divisions. This separation criteria assures that the failure of equipment of one redundant system cannot disable circuits or equipment essential to the operation of the other redundant systems.

(4) Associated circuits are in accordance with class 1E circuit requirements up to and including the isolation devices. Circuits beyond the isolation devices do not again become associated with Class 1E circuits. Pertinent design documents and drawings identify the associated circuits in a distinctive manner.

(5) Separation between Class 1E and non-Class 1E circuits will meet the same minimum requirements as for separation between redundant Class 1E circuits or they will be treated as associated circuits.

7.3.2.1.2.1.12 Regulatory Guide 1.89

Conformance to Regulatory Guide 1.89 is discussed in Subsection 3.11.

7.3.2.1.2.1.13 Regulatory Guide 1.97

See Subsection 7.1.2.6.23 for discussion of the degree of conformance.

7.3.2.1.2.1.14 Regulatory Guide 1.100

See Section 3.10 for discussion of the degree of conformance.

7.3.2.1.2.1.15 Regulatory Guide 1.105

See Subsection 7.1.2.6.25 for discussion of the degree of conformance.

7.3.2.1.2.1.16 Regulatory Guide 1.118

See Subsection 7.1.2.6.26 for discussion of the degree of conformance.

7.3.2.1.2.2 10 CFR 50 Appendix A

See Subsection 7.1.2.7 for discussion of Criterion 1 through 5.

(1) Criterion 10: The emergency core cooling system has been designed with appropriate margin to assure that acceptable fuel design limits are not exceeded during any condition of normal operation including the effects of anticipated operational occurrence.

(2) Criterion No. 13: Conformance to this requirement is achieved by monitoring appropriate variables over the range expected and providing containment isolation, emergency core cooling, and other functions to maintain the variables within the prescribed ranges.

(3) Criteria 17 and 18: ECCS power supply loads are rigorously divided into Division 1, Division 2, and Division 3. The independence of these circuits prevents compromise, and enhances inspection of safety-related power supply systems. See also Section 3.1.

(4) Criteria 19 through 22, 24, 29, 33, 35, and 37: Conformance to these criteria is discussed in Subsections 7.3.1.1.1.3, 7.3.1.1.1.4, 7.3.1.1.1.5 and 7.3.1.1.1.6. See also Section 3.1.

7.3.2.1.2.3 Industry Standards

7.3.2.1.2.3.1 IEEE 279 Criteria for Protection Systems for Nuclear Power Generating Stations

Compliance of the Emergency Core Cooling Systems with IEEE 279 is detailed below.

7.3.2.1.2.3.1.1 General Functional Requirement (IEEE 279 Paragraph 4.1)

Automatic initiation of the ECCS is provided for by sensors measuring reactor vessel low water level and drywell high pressure. The following systems are individually initiated by automatic means:

(1) HPCS
(2) ADS, including SRV subsystem
(3) LPCS
(4) LPCI mode of the RHR System-LPCI (RHR)

This automatic initiation is accomplished with precision and reliability commensurate with the overall ECCS objective and is effective over the full range of environmental conditions depicted below:

(1) Power supply voltages
HPCS: HPCS has its own dc control, ac control, and motor power which is independent of offsite power and onsite power for Divisions 1 and 2 ECCS.
ADS: Tolerance is provided for complete loss of one division of ac and dc power, but not for loss of both Divisions 1 and 2 sources for ADS.
LPCS: System will not tolerate Division 1 ac or dc power failure; however, network redundancy assures adequate core cooling capability.
LPCI (RHR): Tolerance is provided to any degree of (RHR) Division 1 and 2 ac power supply failure such that failures cannot negate successful low pressure cooling. DC power supply failure will affect only one of the two LPCI Divisions.
Tolerance to supply voltage variations, short of power loss, is discussed in NEDO-21617-A, "Analog Transmitter/Trip Unit System for Engineered Safeguard Sensor Trip Inputs".

(2) Power supply frequency
HPCS: Full range of frequency available is tolerated.
ADS: No ac controls are used.
LPCS: Excessive frequency reduction is indicative of an onsite power supply failure and equipment shutdown in that division is required.
LPCI (RHR): Excessive frequency reduction is indicative of an onsite power supply failure and equipment shutdown in that division is required.

(3) Temperature
HPCS; ADS; LPCS; and LPCI (RHR): Operable at all temperatures that can result from an accident. See also Section 3.11.

(4) Humidity
HPCS; ADS; LPCS; and LPCI (RHR): Operable at humidities, including steam that can result from a loss-of-coolant accident. See also Section 3.11.

(5) Pressure
HPCS; ADS; LPCS; and LPCI (RHR): Operable at all pressures resulting from a LOCA as required. See also Section 3.11.

(6) Vibration
HPCS; ADS; LPCS; and LPCI (RHR): Tolerance to conditions stated in Section 3.10.

(7) Malfunctions
Overall ECCS: Network tolerance to any single component or division failure to operate on command.

(8) Accidents
HPCS; ADS; LPCS; and LPCI (RHR): Network tolerance to all design basis accidents without malfunction.

(9) Fire
Overall ECCS: Network tolerance to single divisional wireway fires or mechanical damage.

(10) Explosion
HPCS; ADS; LPCS; and LPCI (RHR): Explosions are not defined in design bases.

(11) Missiles
ADS: Separate routing of the ADS conduits within the drywell reduces to a very low probability the potential for missile damage to more than one conduit to ADS or damage to the pilot solenoid assemblies of ADS valves.
Overall ECCS: Network tolerance to any single missile destroying no more than one pipe, wireway, or cabinet.

(12) Lightning
HPCS and ADS: Ungrounded dc system not subject to lightning strikes.
LPCS and LPCI (RHR): Tolerance to lightning damage limited to one auxiliary bus system. See comments under (1) and (2).

(13) Flood
HPCS; ADS; LPCS; and LPCI (RHR): All control equipment is located above flood level by design.

(14) Earthquake
HPCS; ADS; LPCS; and LPCI (RHR): Tolerance to conditions stated in Section 3.10.

(15) Wind and Tornado
HPCS; ADS; LPCS; and LPCI (RHR): Seismic class 1 building houses all control equipment. It is built to withstand high winds (see 7.3.1.2.8).

(16) System Response Time
HPCS; ADS; LPCS; and LPCI (RHR): Responses are within the requirements of need to start ECCS.

(17) System Accuracies
HPCS; ADS; LPCS; and LPCI (RHR): Accuracies are within that needed for correct timely action.

(18) Abnormal Ranges of Sensed Variables
HPCS; ADS; LPCS; and LPCI (RHR): Sensors will not malfunction or "Freeze" due to saturation when overranged.

7.3.2.1.2.3.1.2 Single Failure Criterion (IEEE 279 Paragraph 4.2)

HPCS: The HPCS, by itself, is not required to meet the single failure criterion. The control logic circuits for initiation and control are housed in a single division 3 electronic panel and the power supply for the control logic and other HPCS equipment is from division 3 power sources. The HPCS initiation sensors and wiring up to the HPCS logic cabinet are designed to accept a single failure criterion. Physical separation of instrument lines is provided so that no single instrument rack destruction or single instrument line or pipe failure can prevent HPCS initiation. The HPCS initiation sensors are located in Division 3 and Division 4.

ADS: The ADS system, comprised of two independent sets of controls for the two pilot solenoids, meets the single failure criterion. This arrangement utilizes two out of two logic in each of the control divisions which prevents the single failure from causing inadvertent systems initiation or failure to initiate when required. The input signals to the valve solenoids are also separated such that no single valve logic or load driver card failure within the NSPS will actuate the ADS or open a single or multiple ADS/SRV. Tolerance to single failures in accordance with IEEE 379 has been incorporated.

SRV: The SRV function, comprised of two independent sets of controls for the two pilot solenoids on each SRV, meets all credible aspects of the single failure criterion. More than one failure would have to occur to cause inadvertent actuation or failure to actuate of more than one SRV. Tolerance to the above ADS single failures or events has been incorporated into the control system design and installation.

LPCS: The LPCS, by itself, is not required to meet the single failure criterion. The LPCS logic circuits for initiation and control are housed in a single electronic panel and the power supply for the control logic and other equipment is from power sources within division 1. This logic also initiates LPCI Loop A. Failure of a single LPCS initiation sensor will not degrade LPCS action.

LPCI: Redundancy in equipment and control logic circuitry is provided so that it is highly unlikely that the complete LPCI loops can be rendered inoperative. LPCS and LPCI control logic circuits work in conjunction. LPCS control logic initiates Loop A pump and valves. LPCI control logic initiates Loop B and C pumps and valves. Tolerance to single failures in accordance with IEEE 379 is provided in the control logic and initiation circuitry so that a single failure would not disable all three loops.

7.3.2.1.2.3.1.3 Quality Components (IEEE-279 Paragraph 4.3)

HPCS: Components used in the HPCS control system have been carefully selected for the specific application. Ratings have been selected to ensure against significant deterioration during anticipated duty over the lifetime of the plant as illustrated below:

(1) Controls are energized to operate and have brief and infrequent duty cycles.

(2) Motor starters and breakers are effectively derated for motor starting applications since their nameplate ratings are based on short circuit interruption capabilities as well as on continuous current carrying capabilities. Short-circuit current-interrupting capabilities are many times the starting current for the motors being started, so that normal duty does not begin to approach maximum equipment capability.

(3) Motor starting equipment ratings include allowance for a much greater number of operating cycles than the emergency core cooling application will demand, even including testing.

(4) Instrumentation and controls are the heavy duty industrial type which have been subjected to the manufacturer's normal quality control and have undergone functional testing on the panel assembly floor as part of the integrated module test prior to shipment of each panel. Only components which have demonstrated a high degree of reliability and serviceability in other functionally similar applications, or qualified by tests, are selected for use in the HPCS control system. Furthermore, a quality assurance program is required to be implemented and documented by equipment vendors, with the intent of complying with the requirements set forth in 10 CFR 50, Appendix B.

ADS: Components used in the ADS control system including the SRV function have been carefully selected for the specific application. Ratings have sufficient conservatism to ensure against significant deterioration over the lifetime of the plant as described below:

(1) Controls are energized to operate and have brief and infrequent duty cycles.

(2) Instrumentation and controls are the heavy duty industrial type which have been subjected to the manufacturer's normal quality control and have undergone functional testing on the panel assembly floor as part of the integrated module test prior to shipment of each panel. Only components which have demonstrated a high degree of reliability and serviceability in other functionally similar applications, or qualified by tests, are selected for use in the ADS. Furthermore, a quality assurance program is required to be implemented and documented by equipment vendors, with the intent of complying with the requirements set forth in 10 CFR 50, Appendix B.

LPCS: The discussion in this Section for HPCS applies equally to the LPCS.

LPCI: The discussion in this Section for HPCS applies equally to the LPCI subsystem.

7.3.2.1.2.3.1.4 Equipment Qualification (IEEE 279 Paragraph 4.4)

HPCS: No components of the HPCS control system are required to operate in the drywell environment except for the condensation pots of the vessel level transmitters. Other process sensor equipment for HPCS initiation is located outside the drywell and is capable of accurate operation in ambient temperature conditions that result from abnormal (loss-of-ventilation and loss-of-coolant accident) conditions. Panels and electronic cabinets are located in the main control room or other rooms with a safety-related HVAC system. The HPCS control system components have demonstrated their reliable operability in previous applications in nuclear power plant protection systems or in extensive industrial use. (See Sections 3.10 and 3.11.)

ADS: The solenoid valves, their cables, and the relief valve mechanical operators of the automatic depressurization system and SRV subsystem are located inside the drywell and must remain operable in the loss-of-coolant accident environment. These items are selected with capabilities that permit proper operation in the most severe environment resulting from a design basis loss-of-coolant accident and have been environmentally tested to verify the selection. Gamma and neutron radiation is also considered in the selection of these items and only materials which are expected to tolerate the integrated dosage superimposed on other environmental factors for at least a 40-year period of normal plant operation without excessive deterioration are used (i.e., no need for a replacement is anticipated). Other components of the ADS control system which are required to operate in the drywell environment are the condensate pots for the vessel level sensors. All other sensory equipment is located outside the drywell and is capable of accurate operation with wider swings in ambient temperature than results from normal or abnormal (loss-of-ventilation and loss-of-coolant accident) conditions. Reactor vessel level sensors are of the same type as for the RPS and meet the same standards. Drywell high pressure sensors are of the same type as used for the RPS and meet the same standards. Control panels and logic cabinets are located in the main control room or auxiliary room environment which presents no new or unusual operating considerations.

LPCS: No components of the LPCS control system are required to operate in the drywell environment except for the condensation pots of the vessel level sensors and the testable check valve. Other process sensor equipment for LPCS initiation is located outside the drywell and is capable of accurate operation in ambient temperature conditions that result from abnormal (loss-of-ventilation and loss-of-coolant accident) conditions. Panels and the main logic cabinets are located in the main control room. Components in the LPCS control system have demonstrated their reliable operability in previous applications in nuclear power plant protection systems, in extensive industrial use or by testing. (See Sections 3.10 and 3.11.)

LPCI: No components of the LPCI System are required to operate in the drywell environment except for the condensate pots used with the vessel level sensors. All other sensory equipment is located outside the drywell and is capable of acceptable operation with wider changes in ambient temperature than results from normal or abnormal (loss-of-ventilation and loss-of-coolant accident) conditions. Reactor vessel level sensors are of the same type as for the RPS and meet the same standards. Drywell high pressure sensors are of the same type as used for the RPS and meet the same standards. The testable check valves which are located inside the drywell are considered to be part of the piping system rather than part of the control system. Control panels and logic cabinets are located in a main control room environment which presents no new or unusual operating considerations. Most components used in the LPCI subsystem have demonstrated reliable operation in similar nuclear power plant protection systems or in industrial applications or by testing.

7.3.2.1.2.3.1.5 Channel Integrity (IEEE 279 Paragraph 4.5)

The ECCS system instrument initiation channels (low water level and high drywell pressure) are designed to satisfy the channel integrity objective without taking credit for safe failure modes of equipment. The ECCS instrumentation located inside the drywell has been environmentally qualified to meet the accident and environmental conditions described in Subsection 3.11 and Table 3.11-5. The ECCS instrumentation located outside the drywell including the drywell pressure sensors and instrument sensing lines have been environmentally qualified to meet the accident and environmental conditions described in Section 3.11. ECCS equipment is protected from changes in the power supply as described in 7.3.2.1.2.3.1.1 and 7.3.1.1.1.2. Therefore, ECCS is provided with sufficient channel integrity to assure protective action when required.

The SRV system initiation channels (high reactor pressure) satisfy the channel integrity objective of the Subsection.

The LPCS system instrument initiation channels (low water level and high drywell pressure) are designed to satisfy the channel integrity objective without taking credit for safe failure modes of operation.

The LPCI system initiation channels (low water level or high drywell pressure) are designed to satisfy the channel integrity objective without taking credit for "SAFE" failure modes of equipment.

7.3.2.1.2.3.1.6 Channel Independence (IEEE 279 Paragraph 4.6)

HPCS: Channel independence for initiation sensors monitoring each variable is provided by mechanical separation. The A and C sensors for reactor vessel level, for instance, are located on one local instrument rack and the B and D sensors are located on a second instrument rack widely separated from the first. The redundant sensors have process taps which are widely separated. Disabling of one or both sensors in one location does not disable the control for initiation. HPCS independence from the other redundant ECCS equipment is maintained.

ADS: Channel independence for sensors exposed to each variable is provided by electrical and mechanical separation. The A and E sensors for reactor vessel level, for instance, are located on one local instrument rack identified as Division 1 equipment and the B and F sensors are located on a second instrument rack widely separated from the first and identified as Division 2 equipment. The A and E sensors have a common pair of process taps which are widely separated from the corresponding taps for sensors B and F. Disabling of one or both sensors in one location does not disable the control for both of the auto depressurization control divisions. Logic components for the ADS and SRV are separated into Division 1 and Division 2 located in separate cabinets. ADS and SRV manual controls are separated on the main control panels by metal barriers.

LPCS: Channel independence does not strictly apply to the LPCS system since it has a single divisional logic trip system. Independence is provided between LPCS and the redundant portions of the ECCS network in Divisions 2 (LPCI) and 3 (HPCS).

LPCI: Channel independence of the sensors for each variable is provided by electrical isolation and mechanical separation. The A and E sensors for reactor vessel low water level, for instance, are located on one local instrument rack that is identified as Division 1 equipment, and the B and F sensors are located on a second instrument rack, widely separated from the first and identified as Division 2 equipment. The A and E sensors have a common process tap, which is widely separated from the corresponding tap for sensors B and F. Disabling of one or all sensors in one location does not disable the control for the other Division. Logic cabinets for Division 1 are in a separate location from that of Division 2, and each division is complete in itself, with its own Class 1E battery control and instrument power bus, power distribution buses, and motor control centers. The divisional split is carried all the way from the process taps to the final control element, and includes both control and motive power supplies.

7.3.2.1.2.3.1.7 Control and Protection Interaction (IEEE 279 Paragraph 4.7)

The HPCS, ADS, LPCS and LPCI systems are designed as safety systems and are designed to be independent of plant control systems.

7.3.2.1.2.3.1.8 Derivation of System Inputs (IEEE 279 Paragraph 4.8)

HPCS: Inputs that start the HPCS system are direct measures of the variables that indicate the need for high pressure core cooling; viz., reactor vessel low water level or high drywell pressure.

ADS: Inputs that start the auto-depressurization system are direct measures of the variables that indicate both the need and acceptable conditions for rapid depressurization of the reactor vessel; viz., reactor vessel low water level concurrent with high drywell pressure or reactor vessel low water level followed by a 6-minute time delay, and at least one low pressure core cooling subsystem developing adequate discharge pressure, plus adequate time delay to allow HPCS to operate if available.

LPCS: Inputs that start the LPCS system are direct measures of the variables that indicate the need for low pressure core cooling; viz., reactor vessel low water level, and high drywell pressure. Reactor vessel level and drywell pressure sensors are described in Subsection 7.3.1.1.1.5.4.

LPCI: Inputs that start the LPCI subsystem are direct measures of the variables that indicate the need for low pressure core cooling; viz., reactor vessel low water, high drywell pressure, and reactor low pressure. Reactor vessel level is sensed by vessel water level transmitters. Drywell high pressure is sensed by pressure transmitters.

7.3.2.1.2.3.1.9 Capability of Sensor Checks (IEEE 279 Paragraph 4.9)

All sensors are of the pressure sensing type and are installed with calibration taps and instrument valves, to permit testing during normal plant operation or during shutdown. The sensors can be calibrated by application of pressure from a low pressure source (instrument air, inert gas bottle, water, etc.) after closing the instrument valve and opening the calibration valve. However, transmitter output is continually monitorable from the control room by observing meters on master trip units. Accuracy checks can be made by cross comparison of each of the 4 channels (A, E, B & F). For this reason, transmitters need not be valved out of service more than once per operating fuel cycle. The trip units mounted in the main control room are calibrated separately by introducing a calibration source and verifying the set point through the use of a digital readout on the trip calibration module.

7.3.2.1.2.3.1.10 Capability for Test and Calibration (IEEE 279 Paragraph 4.10)

HPCS: The HPCS control system is capable of being completely tested during normal plant operation to verify that each element of the system, active or passive, is capable of performing its intended function. Sensors can be exercised by applying test pressures. Logic can be exercised by means of remote plug-in test fixtures used alone or in conjunction with single sensor tests. Pumps can be started by the appropriate breakers, to pump against system injection valves and/or return to the suppression pool through test valves while the reactor is at pressure. Motor-operated valves can be exercised by the appropriate control relays and starters, and all indications and annunciations can be observed as the system is tested. Check valves are tested manually during plant shutdown. HPCS water will not actually be introduced into the vessel except initially before fuel loading.

ADS: The auto-depressurization system is not tested in its entirety during actual plant operation but provisions are incorporated so that operability of all elements of the system can be verified at periodic intervals. The operability of individual valves may be verified by means of the individual control switches on the main control room panels. Transmitter open-circuit or short-circuit failures are immediately detected and annunciated by action from the mated trip units. In addition, the analog transmitter outputs are constantly metered in the main control room and can be cross-checked by comparison to the other three redundant channels which monitor the same parameter. Therefore, transmitters need only be surveillance tested once per fuel cycle. Testing of control circuitry is accomplished at the control cabinets by means of the automatic pulse test equipment described in Section 7.3.1.1.1.4.1.8.

LPCS: The discussion in this Section regarding HPCS test and calibration applies equally to the LPCS.
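The cross comparison of the four redundant channels (A, E, B and F) described above for sensor checks and for ADS transmitter monitoring can be sketched as follows. This Python block is an added example, not part of the USAR or of plant software; the function name, status labels, instrument span, tolerance and readings are constructed assumptions.

```python
from statistics import median

CHANNELS = ("A", "E", "B", "F")  # the four redundant channels named in the text


def cross_check(readings, span, tolerance):
    """Classify each channel's transmitter output (hypothetical helper).

    readings : dict channel -> value in engineering units, None if no signal
    span     : (low, high) valid range; a value outside it is treated as an
               open- or short-circuit failure (assumed convention)
    tolerance: allowed deviation between redundant channels (assumed value)
    """
    low, high = span
    # A missing or out-of-span signal is a hard failure, excluded from comparison.
    status = {ch: "failed" for ch in CHANNELS
              if readings.get(ch) is None or not low <= readings[ch] <= high}
    healthy = [ch for ch in CHANNELS if ch not in status]

    if len(healthy) == 1:
        # Nothing left to compare against.
        status[healthy[0]] = "unverified"
    elif len(healthy) == 2:
        # Two channels can show disagreement but cannot identify the bad one.
        a, b = healthy
        agree = abs(readings[a] - readings[b]) <= tolerance
        status[a] = status[b] = "ok" if agree else "disagree"
    elif len(healthy) >= 3:
        # With three or more channels the median is not moved by one drifted
        # transmitter, so the outlier can be isolated.
        ref = median(readings[ch] for ch in healthy)
        for ch in healthy:
            drift = abs(readings[ch] - ref)
            status[ch] = "ok" if drift <= tolerance else "deviates"
    return status


# Constructed readings (vessel level, arbitrary units); not plant data.
SPAN = (-160.0, 60.0)
ONE_DRIFTED = {"A": -10.2, "E": -10.0, "B": -9.8, "F": -3.0}
OPEN_AND_DRIFT = {"A": None, "E": -10.0, "B": -9.8, "F": -3.0}
TWO_FAILED = {"A": None, "E": 75.0, "B": -9.8, "F": -3.0}

if __name__ == "__main__":
    for name, sample in (("one drifted", ONE_DRIFTED),
                         ("open circuit plus drift", OPEN_AND_DRIFT),
                         ("two failed", TWO_FAILED)):
        print(name, cross_check(sample, SPAN, tolerance=2.0))
```

With only two healthy channels left the check can report disagreement but not which transmitter is wrong, which is why the comparison is most useful while at least three channels are in service.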

LPCI: The discussion in this Section regarding HPCS test and calibration applies equally to the LPCI subsystem.

7.3.2.1.2.3.1.11 Channel Bypass or Removal from Operation (IEEE 279 Paragraph 4.11)

HPCS: Calibration of a sensor that introduces a single instrument channel trip will not cause a protective action without the coincident trip of a second channel. There are no instrument channel bypasses. Removal of a sensor from operation during calibration does not prevent the redundant instrument channel from functioning if accident conditions occur.

ADS: Calibration of each trip unit will introduce a single instrument channel trip. This does not cause a protective action without the coincident trip of the other channel. Removal of an instrument channel from service during calibration will be brief and will not significantly increase the probability of failure to operate. There are no channel bypasses in the auto depressurization system; however, a manual inhibit switch is provided which prevents automatic ADS actuation. Removal of a trip unit from operation during calibration does not prevent the redundant division from functioning if accident conditions occur. The manual reset buttons can delay the auto-depressurization for a limited time. However, releasing either one of the two reset buttons will allow automatic timing and action to restart if the sensor permissives so dictate.

SRV: There are no channel bypasses in the SRV subsystem.

LPCS: The discussion in this Section regarding HPCS channel bypass is equally applicable to the LPCS system.

LPCI: The discussion in this Section regarding HPCS channel bypass is equally applicable to the LPCI subsystem.

7.3.2.1.2.3.1.12 Operating Bypasses (IEEE 279 Paragraph 4.12)

HPCS: There are no operating bypasses in the HPCS.

ADS: There are no operating bypasses in the ADS (or SRV function).

SRV: There are no channel bypasses in the SRV subsystem.

LPCS: There are no operating bypasses in the LPCS.

LPCI: The LPCI subsystem has no provision for operating bypasses.

7.3.2.1.2.3.1.13 Indication of Bypasses (IEEE 279 Paragraph 4.13)

Automatic bypass indication is provided as described in 7.3.2.1.2.1.7.

LPCI: There are no automatic bypasses of any part of the LPCI control system. Deliberate opening of the valve motor breaker will give indication in the control room, because both valve position lights would be deenergized and the divisional "Power Loss or Thermal Overload of Any Valve" indicator would turn on. It is not practically possible to monitor all elements of the subsystem (including all normally deenergized current carrying parts) continually for continuity and thus give indication of inoperability in the control room. This would introduce excessive complexity and could adversely affect reliability or cause inadvertent false operation. The racking-out of 4160 volt breakers is controlled procedurally and access is limited to authorized personnel. Consequently, this is considered equivalent to removing a valve or pump for maintenance. Abnormal position of the breaker is indicated in the main control room.

7.3.2.1.2.3.1.14 Access to Means for Bypassing (IEEE 279 Paragraph 4.14)

HPCS/ADS/LPCS/LPCI (RHR): Access to motor control centers and instrument valves is controlled as discussed for the LPCI subsystem in this section. Other means of bypassing are located in the main control room and are therefore under the administrative control of the operators. Control power breakers are in dc distribution cabinets which are lockable and under administrative control of the operator.

LPCI: Access to switch-gear, motor control centers and instrument valves may be procedurally controlled by the following means:

(1) Lockable doors on the emergency switchgear rooms, and

(2) Lockable breaker control switch handles in the motor control centers, and

(3) Restricted access to ESF instruments and valves outside the containment, and

(4) Administrative control of access to containment.

7.3.2.1.2.3.1.15 Multiple Trip Settings (IEEE 279 Paragraph 4.15)

This Section is not applicable to the HPCS, ADS, LPCS, or LPCI systems because all trip set points are fixed. The exception is the SRV, for which all trip points are fixed except the low-low set values. The requirement is met with single failure-proof set point transfer as discussed in Subsection 7.3.1.1.1.4.2.6.

7.3.2.1.2.3.1.16 Completion of Protective Action Once Initiated (IEEE 279 Paragraph 4.16)

HPCS: The final control elements for the HPCS system are essentially bistable, i.e., motor-operated valves stay open or closed once they have reached their desired position, even though their starter may drop out (which they do when the limit switch is reached). In the case of pump starters, the auto-initiation signal is electrically sealed in. Thus protective action once initiated (i.e., flow established) must go to completion or continue until terminated by deliberate operator action or automatically stopped on high vessel water level or system malfunction trip signals.

ADS: Each of the redundant depressurization control subsystems seals in electrically and remains energized until manually reset by one of the two reset pushbuttons.

SRV: SRV actuation remains energized until reactor pressure is reduced to below the high pressure setpoint.

LPCS: The final control elements for the LPCS system are essentially bistable, i.e., pump breakers stay closed without control power, and motor-operated valves stay open once they have reached their open position, even though the motor starter may drop out (which will occur when the valve open limit switch is reached). In the event of an interruption in ac power, the control system will reset itself and recycle on restoration of power. Thus protective action once initiated must go to completion or continue until terminated by deliberate operator action.

LPCI: The discussion provided in this Section for the LPCS is equally applicable to the LPCI subsystem.

7.3.2.1.2.3.1.17 Manual Initiation (IEEE 279 Paragraph 4.17)

HPCS: The HPCS has an armed manual initiation pushbutton in parallel with the automatic initiation output circuit. With exception of the high level interlock, the manual initiation function does not depend on devices common to automatic control.

ADS: The ADS has four manual initiation switches. Two switches are in each of the two ADS systems (A&B). Both switches for one system have to be closed to manually initiate ADS. To further preclude inadvertent actuation, each switch is equipped with a collar which must be turned before electrical contacts of the pushbutton are effective. Thus, to initiate ADS manually, the operator must turn two collars and depress two pushbuttons. Whenever a collar is turned, an annunciator is actuated. The ADS automatic initiation time delay logic (105 seconds) is provided to give HPCS ample time to automatically restore vessel level so that ADS actuation will not be needed. This time delay is not provided for manual initiation since the operator will not initiate ADS until he determines it necessary.

SRV: Each SRV can individually be manually initiated, using either logic division control switch for each SRV. The position of the control switches is key locked under administrative control.

LPCS: The LPCS has an armed manual initiation pushbutton in parallel with the automatic initiation logic. This manual initiation will also initiate LPCI A.

LPCI: In no event can failure of an automatic control circuit for equipment in one division disable the manual electrical control circuit for the other LPCI division. Single electrical failures cannot disable manual electric control of the LPCI function. LPCI A has an armed manual initiation pushbutton in parallel with the automatic initiation logic which will also initiate LPCS. The LPCI B and C systems have an armed manual initiation pushbutton in parallel with the automatic initiation logic.
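The ADS automatic initiation behaviour described in Paragraphs 4.2, 4.8, 4.11, 4.16 and 4.17 above (two-out-of-two coincidence per division, the 6-minute and 105-second delays, the pump permissive, inhibit, seal-in and reset) can be exercised as a small simulation that shows why one failed channel neither causes nor prevents actuation. This Python model is an added example, not plant logic or part of the USAR; the class and function names, the 1-second step, and the exact treatment of the inhibit and reset inputs are assumptions, and the scenarios are constructed.

```python
from dataclasses import dataclass

DRYWELL_BYPASS_S = 6 * 60  # text: low level "followed by a 6-minute time delay"
ADS_DELAY_S = 105          # text: automatic initiation time delay (105 seconds)


@dataclass(frozen=True)
class Inputs:
    """One division's inputs for a 1-second step (True = tripped/asserted)."""
    low_level: tuple               # the division's two level channels, e.g. (A, E)
    high_drywell: tuple            # the division's two drywell pressure channels
    pump_permissive: bool = True   # a low pressure ECCS pump at discharge pressure
    inhibit: bool = False          # manual inhibit switch
    reset: bool = False            # manual reset pushbutton held in


@dataclass
class AdsDivision:
    """Simplified model of one ADS control division (assumed structure)."""
    low_level_s: int = 0
    delay_s: int = 0
    drywell_sealed: bool = False
    sealed_in: bool = False

    def step(self, i: Inputs) -> bool:
        level = all(i.low_level)                # two-out-of-two coincidence
        if all(i.high_drywell):
            self.drywell_sealed = True          # high drywell pressure seals in
        self.low_level_s = self.low_level_s + 1 if level else 0
        if i.reset:                             # assumed: reset drops the ADS
            self.delay_s, self.sealed_in = 0, False  # seal-in, timing restarts
            return False
        if self.sealed_in:                      # energized until manually reset
            return True
        confirmed = level and (self.drywell_sealed
                               or self.low_level_s >= DRYWELL_BYPASS_S)
        # Assumed: the inhibit switch holds the 105-second timer at zero.
        self.delay_s = self.delay_s + 1 if confirmed and not i.inhibit else 0
        if self.delay_s >= ADS_DELAY_S and i.pump_permissive:
            self.sealed_in = True
        return self.sealed_in


def first_actuation(div1: Inputs, div2: Inputs, seconds: int):
    """Hold both divisions' inputs constant for `seconds` steps.

    Returns (second, [divisions that actuated]) for the first actuation,
    or None if neither division actuates.
    """
    divisions = {1: AdsDivision(), 2: AdsDivision()}
    inputs = {1: div1, 2: div2}
    for t in range(1, seconds + 1):
        fired = [n for n, d in divisions.items() if d.step(inputs[n])]
        if fired:
            return t, fired
    return None


# Constructed scenarios (not plant data).
QUIET = Inputs((False, False), (False, False))
LOCA = Inputs((True, True), (True, True))
LEVEL_ONLY = Inputs((True, True), (False, False))
ONE_SPURIOUS_TRIP = Inputs((True, False), (False, False))  # one channel stuck tripped
ONE_STUCK_UNTRIPPED = Inputs((False, True), (True, True))  # one channel fails to trip

if __name__ == "__main__":
    print("LOCA:", first_actuation(LOCA, LOCA, 600))
    print("low level only:", first_actuation(LEVEL_ONLY, LEVEL_ONLY, 600))
    print("spurious channel:", first_actuation(ONE_SPURIOUS_TRIP, QUIET, 1000))
    print("stuck channel in Div 1:", first_actuation(ONE_STUCK_UNTRIPPED, LOCA, 600))
```

In this model a channel stuck in the tripped state never completes the two-out-of-two coincidence, and a channel stuck untripped disables only its own division while the other division still actuates at 105 seconds.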

7.3.2.1.2.3.1.18 Access to Setpoint Adjustments (IEEE 279 Paragraph 4.18)

Set point adjustments for the HPCS, ADS, LPCS, and LPCI system instrument channels are accomplished at the main bistable trip unit located in the main control room and under administrative control of the operator. The logic cabinets are access controlled to prevent unauthorized actuation. Because of these restrictions, compliance with this requirement of IEEE 279 is considered complete.

7.3.2.1.2.3.1.19 Identification of Protective Actions (IEEE 279 Paragraph 4.19)

HPCS, ADS, LPCS, LPCI: Protective actions are directly indicated and identified by annunciator operation, and sensor logic indicator lights. Either of these indications should be adequate, so this combination of annunciation and visible verification fulfills the requirements of this criterion. Specific ADS protective actions so indicated are:

(1) ADS 105-second time delay initiated (either one of two),

(2) ADS control power failure (any normal supply deenergized),

(3) ADS logic channel energized (either one of two),

(4) High drywell pressure sealed in (any one of four),

(5) Relief valves discharge pipe high temperature (any one).

(6) Reactor vessel low water level 3

(7) LPCS/RHR permissive

(8) ADS A(B) out of service

(9) Logic or sensor malfunction or in calibration mode

(10) ADS manually inhibited (either one of two)

(11) ADS logic sealed in (any one of four)

SRV: The following SRV indications are provided:

(1) high vessel pressure (each channel);

(2) relief valve discharge pipe high temperature (any one); and

(3) low-low setpoint logic sealed in.

7.3.2.1.2.3.1.20 Information Readout (IEEE 279 Paragraph 4.20)

HPCS: The HPCS control system is designed to provide the operator with accurate and timely information pertinent to its status. It does not introduce signals into other systems that could cause anomalous indications confusing to the operator. There are many passive as well as active elements of this energize-to-operate system which are not continuously monitored for operability. Periodic testing is the means provided for verifying the operability of the HPCS components and, by proper selection of test periods to be compatible with the historically established reliability of the components tested, complete and timely indications are made available. Sufficient information is provided on a continuous basis so that the operator can have a high degree of confidence that the HPCS function is available and/or operating properly. See Section 7.3.1.1.1.3.12.2.

ADS: The information provided to the operator pertinent to ADS status is as follows:

(1) indications listed in Subsection 7.3.2.

(2) Logic command position lights for each valve

(3) Reactor vessel level indication in the control room

(4) Drywell pressure indication in the main control room.

From the foregoing it can be seen that change of state of any active component from its normal condition is called to the operator's attention; therefore, the indication is considered to be complete and timely. The condition of the ADS pertinent to plant safety is also considered to be adequately covered by the indications and alarms delineated above. See Section 7.3.1.

SRV: The information provided to the operator pertinent to SRV status is as follows:

(1) indicators listed in 7.3.2.1.2.3.1.19;

(2) logic command position lights for each valve; and

(3) reactor vessel pressure indications: a. reactor vessel pressure is indicated in the main control room.

From the foregoing it can be seen that change of status of any active component from its normal condition is called to the operator's attention; therefore, the indication is considered to be complete and timely. The condition of the SRV subsystem pertinent to plant safety is also considered to be adequately covered by the indications delineated above.

LPCS: Sufficient information is provided on a continuous basis so that the operator can have a high degree of confidence that the LPCS function is available and/or operating properly.

LPCI: Sufficient information is provided on a continuous basis so that the operator can have a high degree of confidence that the LPCI function is available and/or operating properly.

7.3.2.1.2.3.1.21 System Repair (IEEE 279 Paragraph 4.21)

The HPCS, ADS, LPCS and LPCI control systems are designed to permit repair or replacement of components. Recognition and location of a failed component should be accomplished during periodic testing. The pulse test system will make the detection and location quickly and accurately, and components are mounted in such a way that they can be conveniently replaced in a short time. For example, estimated replacement time for the trip units used is less than 30 minutes. Sensors which are connected to the instrument piping cannot be changed so readily, but they are required to be connected with separable screwed or bolted fittings to effectively reduce changeout time.

7.3.2.1.2.3.1.22 Identification (IEEE 279 Paragraph 4.22)

The ECCS panels for HPCS, ADS, LPCS and LPCI are identified by color coded nameplates. The nameplate shows the division to which each panel or rack is assigned. The system to which each component belongs is identified on the panels.

7.3.2.1.2.3.2 IEEE 308

Class 1E ac and dc power supply system ECCS loads are physically separated and electrically isolated into redundant load groups so that safety actions provided by redundant counterparts are not compromised. Refer to Subsection 8.3.

7.3.2.1.2.3.3 IEEE 323

See Section 3.11.

7.3.2.1.2.3.4 IEEE 336

Conformance to IEEE 336-1971 (ANSI N45.2.4-1972) is discussed in conjunction with Regulatory Guide 1.30. Refer to USAR Section 1.8.

7.3.2.1.2.3.5 IEEE 338

The design of the ECCS permits periodic testing as described in Subsection 7.3.1.1.1.

7.3.2.1.2.3.6 IEEE 344

See Section 3.10.

7.3.2.1.2.3.7 IEEE 379

The Single Failure Criterion of IEEE 279 Paragraph 4.2 as further defined in IEEE 379 "Application of the Single Failure Criterion to Nuclear Power Generating Station Protection Systems" is met as described in 7.3.2.1.2.3.1.2.

7.3.2.1.2.3.8 IEEE 384

The criteria for independence of IEEE 279, Paragraph 4.6 as further defined in IEEE 384, are met as described in Subsection 7.3.2.1.2.3.1.6.

7.3.2.2 Containment and Reactor Vessel Isolation Control System (CRVICS) - Instrumentation and Controls

7.3.2.2.1 General Functional Requirements Conformance

The CRVICS is analyzed in this Subsection. This system is described in Subsection 7.3.1.1.2, and that description is used as the basis for this analysis. The safety design bases and specific regulatory requirements of this system are stated in Subsection 7.1.2.1.2. This analysis shows conformance to the requirements given in that Subsection.

The CRVICS, in conjunction with other safety systems, is designed to provide timely protection against the onset and consequences of the gross release of radioactive materials from fuel and reactor coolant pressure boundaries. Chapter 15.0 identifies and evaluates postulated events that can result in gross failure of fuel and reactor coolant pressure boundaries. The consequences of such gross failures are described and evaluated.

Chapter 15.0 also evaluates a gross breach in a main steamline outside the containment during operation at rated power. The evaluation shows that the main steamlines are automatically isolated in time to prevent the loss of coolant from being great enough to allow uncovering of the core. These results are true even if the longest closing time of the valve is assumed.

7.3.2.2.2 Specific Regulatory Requirements Conformance

7.3.2.2.2.1 NRC Regulatory Guides

7.3.2.2.2.1.1 Regulatory Guide 1.11

Conformance to Regulatory Guide 1.11 is discussed in Subsection 6.2.4.3.2.4.

7.3.2.2.2.1.2 Regulatory Guide 1.22

MSIV: The main steamline isolation valves, associated logic, and sensor devices may be tested from the sensor device or final actuated devices in overlapping portions as described in Section 7.3.1.1.2.11.

Other Isolation Valves: Except for the main steamline isolation valves, all isolation valves may be tested from sensor to actuator during plant operation. The test may cause isolation of the process lines involved, but this is tolerable.

7.3.2.2.2.1.3 Regulatory Guide 1.29

All electrical and mechanical devices and circuitry between process instrumentation and protective actuators and monitoring of systems important to safety are classified as Seismic Category I.

7.3.2.2.2.1.4 Regulatory Guide 1.30

Conformance to Regulatory Guide 1.30 is discussed in conjunction with IEEE 336-1971 (ANSI N45.2.4-1972). Refer to USAR Section 1.8.

7.3.2.2.2.1.5 Regulatory Guide 1.47 MSIV and Other Isolation Valves: Automatic or manual indication will be provided in the control room to inform the reactor operator that a system is inoperable. Status lights will be provided to indicate which part of a system is not operable. For example, the containment and reactor vessel isolation system out-of-service indicators will be activated whenever one trip unit of an input variable is in calibration. The operator may manually actuate the out-of-service indication to cover situations which cannot be automatically indicated. The following discussion expands the explanation of conformance to Regulatory Guide 1.47 to reflect the importance of providing accurate information for the operator and reducing the possibility for the indicating equipment to adversely affect its monitored safety system. (1) Individual indicator lights are arranged together on the control room panel to indicate what function of the system is out of service, bypassed or otherwise inoperable. (2) These indication provisions serve to supplement administrative controls and aid the operator in assessing the availability of component and system level protective actions. (3) All annunciator circuits are electrically isolated from the plant safety systems to prevent the possibility of adverse effects. (4) Each indicator light is provided with dual lamps. Provision for testing is included. Periodic testing can be done when equipment associated with the indication is tested. MSL High Radiation Monitoring: This subsystem meets the requirements of this guide as discussed in this Section for MSIV. 7.3.2.2.2.1.6 Regulatory Guide 1.53 MSIV, Other Isolation Valves and MSL High Radiation Monitoring:

Compliance with NRC Regulatory Guide 1.53 is achieved by specifying, designing, and constructing the engineered safeguards systems to meet the single failure criterion, Section 4.2 of IEEE 279 "Criteria for Protection Systems for Nuclear Power Generating Stations," and IEEE 379 "IEEE Trial-Use Guide for the Application of the Single-Failure Criterion to Nuclear Power Generating Station Protection Systems." Redundant portions of the CRVICS are separated and isolated to ensure that a failure will not prevent protective action. Separated channels are employed, so that a fault affecting one channel will not prevent the other redundant channels from operating properly. Facilities for testing are provided so that the equipment can be operated in various test modes to confirm that it will operate properly when required. Testing incorporates all elements of the system under one test mode or another, including sensors, logic, actuators, and actuated equipment. The testing is performed at intervals so that there is an extremely low probability of failure in the periods between tests. During testing there are always enough channels and systems available for operation to provide proper protection. 7.3.2.2.2.1.7 Regulatory Guide 1.62 MSIV and Other Isolation Valves: Means are provided for manual initiation of reactor isolation at the system level through the use of four armed pushbutton switches. Operation of these switches accomplishes the initiation of all actions performed by the automatic initiation circuitry. The amount of equipment common to initiation of both manual reactor isolation and automatic isolation is kept to a minimum through implementation of manual reactor isolation as close as practicable to the final actuating devices of the system. No single failure in the manual, automatic or common portions of the system will prevent initiation of reactor isolation by manual or automatic means. Manual initiation of reactor isolation, once initiated, goes to completion as required by IEEE 279 Section 4.16. 7.3.2.2.2.1.8 Regulatory Guide 1.63 Conformance to Regulatory Guide 1.63 is discussed in Section 8.1.6.1.12.

7.3.2.2.2.1.9 Regulatory Guide 1.73 Conformance to Regulatory Guide 1.73 is discussed in Subsection 8.1. 7.3.2.2.2.1.10 Regulatory Guide 1.75 Physical independence of electric systems of the Nuclear Steam Supply Shutoff System is provided by separation and isolation of redundant portions of the CRVICS, including sensors, wiring, logic devices, and actuating equipment. Signals between redundant Class 1E divisions and between Class 1E and non-Class 1E circuits are electrically isolated or physically separated to preclude a credible single failure from preventing the safety function. 7.3.2.2.2.1.11 Regulatory Guide 1.89 The qualification of Class I equipment for the CRVICS System is covered by Subsection 3.11. 7.3.2.2.2.1.12 Regulatory Guide 1.97 See Subsection 7.1.2.6.23 for discussion of the degree of conformance.

7.3.2.2.2.1.13 Regulatory Guide 1.100 See Section 3.10 for discussion of the degree of conformance.

7.3.2.2.2.1.14 Regulatory Guide 1.105 See Subsection 7.1.2.6.25 for discussion of the degree of conformance.

7.3.2.2.2.1.15 Regulatory Guide 1.118 See Subsection 7.1.2.6.26 for discussion of the degree of conformance. 7.3.2.2.2.2 Conformance to 10 CFR 50 Appendix A (1) Criterion 10 Appropriate margin has been provided to assure that specified acceptable fuel design limits are not exceeded. (See the CPS Technical Specifications.) (2) Criterion 13 MSIV and Other Isolation Valves: The integrity of the reactor core and the reactor coolant pressure boundary is assured by monitoring the appropriate plant variables and automatically closing various isolation valves if the variables exceed predetermined values.

MSL High Radiation Monitoring: These monitors conform to criterion 13 in that the instruments employed more than adequately cover the anticipated range of radiation under normal operating conditions with sufficient margin to include postulated accident conditions. (3) Criterion 19 MSIV and Other Isolation Valves: Controls and instrumentation are provided in the control room. (4) Criterion 20 MSIV and Other Isolation Valves: The Containment and Reactor Vessel Isolation Control System automatically isolates the appropriate process lines. No operator action is required to effect an isolation.

MSL High Radiation Monitoring: The monitoring conforms to criterion 20 in that activation of the trip circuits will result in indication and, depending upon the specific trip, a trip signal being sent to the reactor protection system.

(5) Criterion 21 MSIV, Other Isolation Valves, and MSL High Radiation Monitoring: Redundancy is designed in by the system logic structure. Redundant portions of CRVICS are separated. Signals between redundant Class 1E divisions and Class 1E and non-Class 1E circuits are isolated so that no single failure can prevent protective action. Inservice testability of the entire system is possible in overlapping portions. (6) Criterion 22 MSIV and Other Isolation Valves: Redundant divisions are physically separated so that no single failure can prevent an isolation. Functional diversity of sensed variables is utilized.

MSL High Radiation Monitoring: These monitors conform to criterion 22 in that the effects of natural phenomena and normal operation (including testing) will not result in the loss of protection. (7) Criterion 23 MSIV and Other Isolation Valves: The system logic and actuator signals are failsafe. The motor operated valves will fail as is on loss of power.

MSL High Radiation Monitoring: This subsystem conforms to criterion 23 in that the trip circuits associated with each channel have been designed to specifically fail-safe in the event of loss of power. (8) Criterion 24 MSIV, Other Isolation Valves and MSL High Radiation Monitoring: The system has no control functions. The equipment is physically separated from the control system equipment to the extent that no single failure in the control system can prevent isolation. (9) Criterion 29 MSIV, Other Isolation Valves and MSL High Radiation Monitoring: No anticipated operational occurrence will prevent this equipment from performing its safety function.

(10) Criterion 34 Isolation signals are provided for the shutdown cooling subsystem of the RHR System. (11) Criterion 64 MSL High Radiation Monitoring: Continuous radiation monitoring is provided for the MSIV discharge path under all reactor conditions. 7.3.2.2.2.3 Industry Codes and Standards 7.3.2.2.2.3.1 IEEE 279 7.3.2.2.2.3.1.1 General Functional Requirement (IEEE 279 Paragraph 4.1)

CRVICS: The CRVICS initiates automatic closure of specific isolation valves from trip signals generated by specified process variables and maintains the valves in a closed position without further application of power until such time as a manual reset is permissible. The control system, from each sensor to final control signal to the valve actuator, is capable of initiating appropriate action. The control initiation time is significantly lower than the minimum required valve closure time. Speeds of the sensors and valve actuators are chosen to be compatible with the isolation function considered. Accuracies of each of the sensing elements are sufficient to accomplish the isolation initiation within required limits without interfering with normal plant operation. The reliability of the isolation control system is compatible with the reliability of the actuated equipment (valves). The CRVICS equipment is designed for the full range of environmental conditions enumerated as follows: (1) Power supply Voltage Tolerance exists to any degree of power supply failure in one motive power system or one control power system. (2) Power Supply Frequency Tolerance exists to any degree of power supply failure in one power system or one control power system.

(3) Temperature System operates within required time limit at all temperatures that can result from an accident.

(4) Humidity System operates within required time limit at humidities (steam) that can result from a loss of coolant accident.

(5) Pressure System operates at all pressures resulting from LOCA as required.

(6) Vibration Tolerance to conditions stated in Section 3.10. (7) Malfunctions System is tolerant to any single component malfunction in any mode.

(8) Accidents Tolerance exists for any design basis accident without malfunction of either subsystem.

(9) Fire System is tolerant to any single raceway fire, or fire within a single enclosure. (10) Explosion Explosions are not defined in design bases. (11) Missiles System has tolerances to any single missile destroying no more than one pipe, raceway, or cabinet. (12) Lightning Tolerance to lightning damage is limited to one auxiliary bus system. (13) Flood All control equipment is located above flood level by design. (14) Earthquake Tolerance to conditions stated in Section 3.10. (15) Wind and Tornado Seismic Class 1 buildings house all isolated control equipment. The buildings are built to withstand high winds. (See subsection 7.3.1.2.8.)

(16) System response time Responses are within the requirements of need to initiate CRVICS. (17) System accuracies Accuracies are within that needed for correct timely action. (18) Abnormal ranges of sensed variables Sensors are not subject to saturation when overranged. 7.3.2.2.2.3.1.2 Single Failure Criterion (IEEE 279 Paragraph 4.2)

CRVICS: Tolerance to the following single failures has been incorporated into the control system design and installation by means of logic redundancy, physical separation of redundant portions of the system, and isolation between redundant safety circuits: (1) Single open circuit, (2) Single short circuit, (3) Single logic gate failure to turn on, (4) Single logic gate failure to turn off.

(5) Single module failure (including multiple shorts, opens and grounds), (6) Single control cabinet bay destruction (including multiple shorts, opens and grounds), (7) Single instrument panel destruction (including multiple shorts, opens and grounds), (8) Single raceway destruction (including multiple shorts, opens and grounds),

(9) Single control power supply failure (any mode), (10) Single motive power supply failure (any mode), (11) Single control circuit failure, (12) Single sensing line (pipe) failure, and (13) Single electrical component failure.

7.3.2.2.2.3.1.3 Quality of Components and Modules (IEEE 279 Paragraph 4.3)

CRVICS: Components used in the isolation system have been carefully selected on the basis of suitability for the specific application. All of the sensors and logic devices are of the same types used in the RPS. Ratings have been selected with sufficient conservatism to ensure against significant deterioration during anticipated duty over the lifetime of the plant. Furthermore, a quality control and assurance program is required to be implemented and documented by equipment vendors to comply with the requirements set forth in 10CFR50, Appendix B. Minimum maintenance has been assumed to have been achieved if components can be reasonably expected to last 40 years or more without wearing out or failing under their maximum anticipated duty cycle (including testing). 7.3.2.2.2.3.1.4 Equipment Qualification (IEEE 279 Paragraph 4.4)

CRVICS: No sensor components of the isolation system are required to operate in the drywell environment with the exception of the condensing chambers. All other sensory equipment is located outside the drywell and is capable of accurate operation with wider swings in ambient temperature than results from normal or abnormal (loss of ventilation and loss-of-coolant accident) conditions. Reactor vessel level sensors are of the same type as for the RPS and meet the same standards. Drywell high pressure sensors are of the same type used for the RPS and meet the same standards. On the component and module level, qualification tests will be conducted to qualify the items for these applications and expected operational environments (see Sections 3.10 and 3.11). 7.3.2.2.2.3.1.5 Channel Integrity (IEEE 279 Paragraph 4.5)

CRVICS: The isolation system is designed to tolerate the spectrum of conditions listed under the general requirements and the single failure criterion defined in IEEE 379. It therefore satisfies the channel integrity objective of this Paragraph. 7.3.2.2.2.3.1.6 Channel Independence (IEEE 279 Paragraph 4.6)

The redundant divisions of this protective function are physically separated to meet this design requirement. Channel independence for sensors exposed to each process variable is provided by mechanical separation. Physical separation is maintained between redundant elements of the CRVICS.

7.3.2.2.2.3.1.7 Control and Protection Interaction (IEEE 279 Paragraph 4.7)

CRVICS: (1) Classifications of Equipment - There is no control function in the system; it is strictly a protection system. (2) Isolation Devices - There are no transmissions of signals from this protection system equipment to control system equipment. Therefore, no isolation is required. (3) Single Random Failure. No single random failure of a control system or multiple failures resulting from a single event can prevent the isolation safety function.

See Chapter 15. 7.3.2.2.2.3.1.8 Derivation of System Inputs (IEEE 279 Paragraph 4.8)

CRVICS: The inputs which initiate isolation valve closure are direct measures of conditions that indicate a need for isolation, viz., reactor vessel low level, drywell high pressure, and pipe break detection. Pipe break detection is effected by measuring main steam line high flow and main steam line space high temperature to detect loss of coolant rather than detecting actual physical damage in the pipe itself. 7.3.2.2.2.3.1.9 Capability for Sensor Checks (IEEE 279 Paragraph 4.9)

CRVICS: The reactor vessel instruments can be checked by cross comparing instrument channels or one at a time by application of simulated signals. These include level, pressure, and flow. During operation, radiation sensors may be cross-checked. During shutdown, they may be bench calibrated. Temperature sensors used in leak detection are cross-checked in a manner similar to radiation sensors. Also, since the thermocouples are the dual-element type, each element may be compared with its mate (see Subsection 7.3.1.1.2.4.1.3.1). 7.3.2.2.2.3.1.10 Capability for Test and Calibration (IEEE 279 Paragraph 4.10)

CRVICS: All active components of the CRVICS can be tested and calibrated during plant operation. Pressure, level, and flow transmitter channels can be cross-checked or valved out of service for calibration against a pressure source. The radiation and temperature sensors can be cross-checked for verification of operability, and they do not require actual calibration on a frequent basis. The logic is tested by automatic pulse testing. The sixth test, the Automatic Pulse Test (APT), discussed in RPS Testability 7.2.1.1.4.8 is also applicable here for CRVICS.

7.3.2.2.2.3.1.11 Channel Bypass or Removal from Operation (IEEE 279 Paragraph 4.11)

CRVICS: Valving out of a sensor for calibration will be indicated by manual actuation of the out-of-service indicator. A trip module in calibration will cause automatic actuation of the out-of-service indicator. Calibration of either the transmitter or trip module will cause a channel and logic trip, but not a protective action. Closure of the motor-operated valves can be prevented by shutting off electric power to the motor starters. This action will be indicated in the main room by valve position indication lights going out. Both indication lights are deenergized because their power supply is taken from the same circuit as the valve motor starter. 7.3.2.2.2.3.1.12 Operating Bypasses (IEEE 279 Paragraph 4.12)

CRVICS: The isolation valve control system has two bypasses. One is the main steam line low pressure bypass which is imposed by means of the mode switch in the other-than-run mode. The mode switch cannot be left in this position above approximately 15% of rated power without initiating a neutron flux scram. Therefore, the bypass is removed by the normal reactor operating sequence in accordance with the intent of IEEE 279, although it is a manual action that removes it rather than an automatic one. The low condenser vacuum bypass is imposed by means of a manual bypass switch. Bypass removal is accomplished manually by placing the bypass switch in the automatic position. Hence, the bypass is considered an operating bypass in accordance with IEEE 279. 7.3.2.2.2.3.1.13 Indication of Bypasses (IEEE 279 Paragraph 4.13)

CRVICS: The mode switch bypass of the main steam line low pressure isolation signal is not indicated directly in the control room. The bypass of the low condenser vacuum is directly indicated in the main control room. Instrument bypasses for calibration and certain other bypass conditions cannot be automatically indicated. These can be manually indicated by the operator. 7.3.2.2.2.3.1.14 Access to Means for Bypassing (IEEE 279 Paragraph 4.14)

CRVICS: The mode switch and condenser vacuum bypass switches are the only bypass switches affecting the CRVICS. They are centrally located on the operator's main control console and reactor core cooling benchboard, respectively, and are key operated. 7.3.2.2.2.3.1.15 Multiple Setpoints (IEEE 279 Paragraph 4.15)

Paragraph 4.15 of IEEE 279 is not applicable because all set points are fixed.

7.3.2.2.2.3.1.16 Completion of Protection Action Once Initiated (IEEE 279 Paragraph 4.16)

CRVICS: All isolation actions are sealed in by logic, so valves go to the closed position completing the protective action. Manual reset action is provided by reset switches, so that inboard valves will be reset independent of outboard valves. This feature is incorporated only to augment the electrical separation of the inboard and outboard valves and not for any need to reset them separately. 7.3.2.2.2.3.1.17 Manual Action (IEEE 279 Paragraph 4.17)

CRVICS: The CRVICS has four divisionally separated manual initiation switches which will separately activate the four MSLIV logic divisions and initiate the isolation system at the system level. The logic for manual initiation is one-out-of-two-twice for the main steam line isolation valves and one-out-of-two for the other isolation valves. The manual initiation circuits are redundant, separated, testable during power operation, and meet the single failure criterion. The separation of devices is maintained in both the manual and automatic portion of the system so that no single failure in either the manual or automatic portions can prevent an isolation by either manual or automatic means. 7.3.2.2.2.3.1.18 Access to Setpoint Adjustments (IEEE 279 Paragraph 4.18)

CRVICS: Setpoint adjustments for the CRVICS system sensors are integral with the trip unit located in the main control room; therefore access is under administrative control. 7.3.2.2.2.3.1.19 Identification of Protective Actions (IEEE 279 Paragraph 4.19)

CRVICS: Any one of the instrument channels actuates an annunciator, so that no single channel "trip" will go unnoticed. In addition, indicator lights are provided to show trip unit trip. 7.3.2.2.2.3.1.20 Information Readout (IEEE 279 Paragraph 4.20)

CRVICS: The information presented to the reactor operator by CRVICS is as follows:

(1) Each process variable which has reached a trip point initiates trip unit status lights to identify the tripped channel.
(2) System level annunciation of out-of-service conditions with status lights to inform the operator of the specific out-of-service condition.
(3) Indication of steam leaks in each of the systems monitored, viz., main steam, cleanup, and RHR.
(4) Open and closed position indicator lights for each isolation valve.
(5) Supplementary computer readout of trips on main steam line tunnel temperature or main steam line excess flow.

7.3.2.2.2.3.1.21 System Repair (IEEE 279, Paragraph 4.21)

CRVICS: Those components which are expected to have a moderate need for replacement are designed for convenient removal. This includes the temperature signal amplifier units and thermocouples. The amplifier units are of the circuit card or replaceable module type construction and the temperature sensors are replaceable units. Pressure sensors, vessel level sensors, and radiation sensors can be replaced in a reasonable length of time. These devices are considered to be permanently installed although they have nonwelded connections at the instrument, which will allow replacement. All devices in the system can be reasonably expected to last forty years without failure, with the duty cycle expected to be imposed, including testing. However, failures can be detected during periodic testing and replacement time will be nominal.

The main steam tunnel temperature sensors are not accessible during normal plant operation because of radiation from the main steam lines. However, dual element sensors are wired out to accessible locations, thus permitting substitution for a failed sensor during operation. The failed sensor can be replaced during shutdown. 7.3.2.2.2.3.1.22 Identification of Protection Systems (IEEE 279 Paragraph 4.22)

CRVICS: Cabinets and panels which house the divisionally separated isolation system equipment are identified by a distinctive color marker plate listing the system name and designation of the separation division of the system. Cables, conduits and raceways are color coded by division. 7.3.2.2.2.3.2 Conformance to IEEE 308 Class 1E ac power supply systems are physically separated and electrically isolated into redundant load groups so that safety actions provided by redundant counterparts are not compromised. See Subsection 8.3. 7.3.2.2.2.3.3 Conformance to IEEE 317 Conformance to IEEE 317 is discussed in conjunction with Regulatory Guide 1.63 in Subsection 8.1.6.1.12.

7.3.2.2.2.3.4 Conformance to IEEE 323 The components of the CRVICS are covered by Subsection 7.1.2.5.4.

7.3.2.2.2.3.5 Conformance to IEEE 336 Conformance to IEEE 336-1971 (ANSI N45.2.4-1972) is discussed in conjunction with Regulatory Guide 1.30. Refer to USAR Section 1.8. 7.3.2.2.2.3.6 Conformance to IEEE 338 The system is completely testable in overlapping segments during reactor operation. Tests will check the sensors through to the final actuators and demonstrate independence of channels and detect failures. 7.3.2.2.2.3.7 Conformance to IEEE 344 The seismic qualification of components of CRVICS is covered in Section 3.10. 7.3.2.2.2.3.8 Conformance to IEEE 379 The single failure criterion of IEEE 279 as defined by IEEE 379 is fully complied with in the design of the CRVICS. The logic structure defines system redundance and redundant portions of the system are separated to preclude a credible single failure. Signals between redundant Class 1E circuits and between Class 1E and non-Class 1E circuits are isolated to prevent interaction with non-Class 1E circuits. Also, wiring carrying ESF power is short-circuit separated from nonessential power wiring to preclude a single failure from propagating to redundant ESF power supplies. 7.3.2.2.2.3.9 Conformance to IEEE 384 Conformance with this standard is covered by compliance with Regulatory Guide 1.75 as discussed in Subsection 7.3.2.2.2.1.10. 7.3.2.3 Main Steam Isolation Valve-Leakage Control System - (MSIV-LCS) - Instrumentation and Controls Note: As a result of the re-analysis of the Loss of Coolant Accident (LOCA) using Alternative Source Term (AST) Methodology, it is no longer necessary to credit the Main Steam Isolation Valve Leakage Control System (MSIVLCS) for post-LOCA activity leakage mitigation. The system has been left in place as a passive system and is not required to perform any safety function.

7.3.2.4 Containment Spray Cooling Mode (RHR) - Instrumentation and Controls 7.3.2.4.1 General Functional Requirement Conformance When the RHR system is in the containment spray cooling mode, the pumps take suction from the suppression pool, pass it through the RHR heat exchangers, and inject it into the containment atmosphere. In the event that containment pressure exceeds a predetermined limit, after a predetermined interval following a LOCA, the RHR system flow will be automatically diverted to containment spray headers (Containment Spray Cooling Mode of RHR). The flow of the RHR pump will pass through the containment spray nozzles to quench any steam and cool non-condensibles in the containment atmosphere. 7.3.2.4.2 Specific Regulatory Requirements Conformance 7.3.2.4.2.1 Regulatory Guides Conformance 7.3.2.4.2.1.1 Regulatory Guide 1.6 Conformance to this regulatory guide is achieved by dividing the containment spray cooling electric power loads into Division 1 (Containment Spray Cooling A) and Division 2 (Containment Spray Cooling B) so that loss of any one division will not prevent the minimum safety functions from being performed. No inter-connections exist which can compromise redundant power sources. 7.3.2.4.2.1.2 Regulatory Guide 1.11 Conformance to Regulatory Guide 1.11 is discussed in Subsection 6.2.4.

7.3.2.4.2.1.3 Regulatory Guide 1.22 Conformance to this regulatory guide is achieved by providing system and component testing capability, either during reactor power operation or shutdown. 7.3.2.4.2.1.4 Regulatory Guide 1.29 All electrical and mechanical devices and circuitry between process instrumentation and protective actuators and monitoring of systems important to safety are classified as Seismic Category I, and is covered under Section 3.10. 7.3.2.4.2.1.5 Regulatory Guide 1.30 The quality assurance requirements of IEEE 336 are applicable during the plant design and construction phases (see Section 7.1) and will also be implemented as an operational QA program during plant operation in response to Regulatory Guide 1.30. Conformance to Regulatory Guide 1.30 is discussed in conjunction with IEEE 336-1971 (ANSI N45.2.4-1972). Refer to USAR Section 1.8.

7.3.2.4.2.1.6 Regulatory Guide 1.32 Conformance is described in the conformance to General Design Criterion 17 (see Subsection 7.3.2.1.2.1.6) and IEEE 308. 7.3.2.4.2.1.7 Regulatory Guide 1.47 Indication and annunciation is provided in the main control room to inform the operator that a system or part of a system is inoperable. See Subsection 7.1.2.6.11 for a discussion of the bypass indication capability provided. 7.3.2.4.2.1.8 Regulatory Guide 1.53 The system is designed with two independent and redundant logics to assure that no single failure can prevent the safety function. 7.3.2.4.2.1.9 Regulatory Guide 1.62 System initiation is manual from the main control room. Interlocks are provided to prevent inadvertent manual initiation during normal reactor power operation. The manual controls are easily accessible to the operator so that action can be taken in an expeditious manner. Operation of the manual initiation accomplishes all of the actions performed by the automatic initiation circuitry. No single failure in the manual, automatic or common portion of the protection system will prevent initiation by manual means. Manual initiation, once initiated, goes to completion as required by IEEE 279, Section 4.16 unless overridden by a higher priority safety function, such as LPCI mode. 7.3.2.4.2.1.10 Regulatory Guide 1.63 Conformance to Regulatory Guide 1.63 is discussed in Subsection 8.1.6.1.12. 7.3.2.4.2.1.11 Regulatory Guide 1.73 Conformance to Regulatory Guide 1.73 is discussed in Subsection 8.1.

7.3.2.4.2.1.12 Regulatory Guide 1.75 Physical independence of electrical systems is provided by separation and isolation of redundant portions of the system, including sensors, wiring, logic devices, and actuating equipment. Signals between redundant Class 1E divisions and between Class 1E and non-Class 1E circuits are electrically and physically isolated to preclude a credible single failure from preventing the safety function. In addition, short circuit separation between wires carrying essential and non-essential power is provided within a division by grounded metallic conduit. This prevents a single short-circuit failure from propagating to redundant power supplies. 7.3.2.4.2.1.13 Regulatory Guide 1.89 A discussion of the degree of conformance is contained in Section 3.11.

7.3.2.4.2.2 Conformance to 10 CFR 50, Appendix A, General Design Criteria (1) Criterion 13: Instrumentation and Control - Instrumentation is provided to monitor variables and systems over their anticipated ranges for normal operation, anticipated operational occurrences, and accident conditions to assure adequate safety. (2) Criterion 20: Protection System Functions - Sensors are provided which sense accident conditions and initiate the Containment Spray Cooling System as described in Subsection 7.3.1.1.4.4. (3) Criterion 21: Protection System Reliability and Testability - Functional reliability of the Containment Spray Cooling System is assured by compliance with the requirements of IEEE standard 279 as described in subsection 7.3.1.2 and 7.3.2.4.3.1. Testing is in compliance with IEEE standard 338 as described in subsection 7.3.2.4.3.6. (4) Criterion 22: Protection System Independence - Independence of the Containment Spray Cooling System is assured by design which includes redundancy in subsection 7.3.1.1.4.7. (5) Criterion 23: Protection System Failure Modes - A single failure in a division of system logic is acceptable because a redundant division of equipment is available to fulfill the required safety action. The motor operated valves fail "as-is" on loss of power. (6) Criterion 24: Separation of Protection and Control Systems - The Containment Spray Cooling System is separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel which is common to both, leaves intact a system satisfying all reliability, redundancy, and independence requirements of the protection system. (7) Criterion 34: Residual Heat Removal - A system is provided to remove reactor residual heat to assure that the specified acceptable fuel design limits are not exceeded.
(8) Criterion 38: Containment Heat Removal - The containment spray cooling mode (RHR) conforms with the criterion for containment heat removal. It performs the safety function of rapidly reducing containment pressure and temperature by condensing any steam in the containment atmosphere outside the drywell, following a loss-of coolant accident (LOCA). Heat is removed from the containment, while the water drawn from the containment suppression pool passes through the RHR heat exchangers before being injected into the containment atmosphere. The independence and redundancy of the two loops, RHR-A and RHR-B, including the equipment used in the containment spray mode, are discussed in Subsections 7.3.1.1.1.6 and 7.3.1.1.4. (9) Criterion 40: Testing of Containment Heat Removal System - Conformance to the testability requirements of this criterion by the containment spray (RHR) is discussed in Subsections 7.3.2.4.3.1.9 and 7.3.2.4.3.1.10. Testability of the CPS/USAR CHAPTER 07 7.3-130 REV. 11, JANUARY 2005 RHR-A and RHR-B loops, including the equipment used in the containment spray mode, is discussed in Subsection 7.3.1.1.1.6. 7.3.2.4.3 Conformance to Industry Codes and Standards 7.3.2.4.3.1 IEEE 279 7.3.2.4.3.1.1 General Functional Requirement (IEEE 279 Paragraph 4.1)

AUTO-INITIATION

(1) Appropriate Action: Appropriate action for the containment spray mode is defined as activating equipment for introducing water into the containment spray discharge valves.

(2) Precision: The sensory equipment will positively initiate action before process variables go beyond precisely established limits.

(3) Reliability: Reliability of the control system is compatible with the controlled equipment.

(4) Over Full Range of Environmental Conditions

a. Power Supply Voltage: Tolerance is provided to any degree of ac power supply voltage fluctuation within one division such that voltage regulation failures in one division cannot negate successful low pressure core cooling. DC power supply failure will likewise affect only one of the two containment spray divisions. Power supply tolerance to voltage fluctuation within a division is discussed in Licensing Topical Report NEDO-21617-A.
b. Power Supply Frequency: Same as (4)a. above. Excessive frequency reduction is indicative of an onsite power supply failure, and equipment shutdown in that division is required.
c. Temperature: Operable at all temperatures that can result from any design basis loss-of-coolant (LOCA) accident.
d. Humidity: Operable at humidities (steam) that can result from LOCA.
e. Pressure: Operable at all pressures resulting from a LOCA as required.
f. Vibration: Tolerance to conditions stated in Section 3.10.
g. Malfunctions: Tolerance to any single component failure to operate on command.
h. Accidents: Tolerance to all design basis accidents without malfunction.
i. Fire: Tolerance to a single raceway or enclosure fire or mechanical damage.
j. Explosion: Explosions not defined in design basis.
k. Missiles: Tolerance to any single missile destroying no more than one pipe, raceway, or electrical enclosure.
l. Lightning: Tolerance to lightning damage limited to one auxiliary bus system. See comments under (4)a above.
m. Flood: All control equipment is located above flood level by design or protected against flooding.
n. Earthquake: Tolerance to conditions stated in Section 3.10.
o. Wind: Seismic Class I building houses all control equipment. The building is built to withstand high winds (see 7.3.1.2.8).
p. System Response Time: Responses are within the requirements of the need to start containment spray.
q. System Accuracies: Accuracies are within that needed for correct timely action.
r. Abnormal Ranges of Sensed Variables: Sensors do not saturate when overranged.

7.3.2.4.3.1.2 Single-Failure Criterion (IEEE 279 Paragraph 4.2)

Redundancy in equipment and control logic circuitry is provided so that it is not possible that the complete containment spray mode can be rendered inoperative using single failure criteria. Two division logics are provided. Division 1 logic is provided to initiate loop A equipment and Division 2 logic is provided to initiate loop B equipment. Tolerance to single failures in accordance with IEEE 379 is provided in the sensing channels, trip logic, actuator logic, and actuated equipment so that a single failure will be limited to the possible disabling of only one loop. 7.3.2.4.3.1.3 Quality Components (IEEE 279 Paragraph 4.3)

Components used in the containment spray mode have been carefully selected on the basis of suitable conservatism to ensure against significant deterioration during anticipated duty over the lifetime of the plant as illustrated below: (1) Controls are energized to operate and have brief and infrequent duty cycles. (2) Motor starters and circuit breakers are effectively derated for motor starting applications since their nameplate ratings are based on short-circuit interruption capabilities as well as on continuous current carrying capabilities. Short-circuit current-interrupting capabilities are many times the starting current for the motors being started. (3) Normal motor starting equipment ratings include allowance for a much greater number of operating cycles than the emergency core cooling application will demand, including testing. (4) Instrumentation and controls are rated for application in the normal, abnormal, and accident environments in which they are located. (5) Panel mounted components are subjected to the manufacturers' normal quality control and undergo functional testing on the panel assembly floor as part of the integrated module test prior to shipment of each panel assembly. Only components which have demonstrated a high degree of reliability and serviceability in other functionally similar applications, or qualified by tests, are selected for use. Furthermore a quality assurance program is required to be implemented and documented by equipment vendors, with the intent of complying with the requirements set forth in 10CFR50, Appendix B.

7.3.2.4.3.1.4 Equipment Qualification (IEEE 279 Paragraph 4.4)

No components of the containment spray mode are required to operate in the drywell environment. All sensory equipment is located outside the drywell but inside the containment and is capable of accurate operation with wider variations in ambient temperature than results from normal or abnormal (loss-of-ventilation and loss-of-coolant accident) conditions. 7.3.2.4.3.1.5 Channel Integrity (IEEE 279 Paragraph 4.5)

The containment spray mode instrument channels (low water level or high drywell pressure or high containment pressure) are designed to satisfy the channel integrity objective. 7.3.2.4.3.1.6 Channel Independence (IEEE 279 Paragraph 4.6)

Channel independence of the sensors for each variable is provided by electrical isolation and mechanical separation. The A and E sensors for reactor vessel low water levels, for instance, are located on one local instrument panel that is identified as Division 1 equipment, and the B and F sensors are located on a second instrument panel, widely separated from the first and identified as Division 2 equipment. The A and E sensors have a common process tap, which is widely separated from the corresponding tap for sensors B and F. Disabling of one or all sensors in one location does not disable the control for the other division. Logic cabinets for Division 1 are in a separate physical location from those of Division 2, and each division is complete in itself, with its own Class 1E battery control and instrument bus, power distribution buses, and motor control centers. The divisional split is carried all the way from the process taps to the final actuated equipment, and includes both control and motive power supplies. 7.3.2.4.3.1.7 Control and Protection Interaction (IEEE 279 Paragraph 4.7)

The containment spray mode is a safety system designed to be independent of plant control systems. Annunciator circuits receiving outputs from the system cannot impair the operability of the system control because of electrical isolation. 7.3.2.4.3.1.8 Derivation of System Inputs (IEEE 279 Paragraph 4.8)

The inputs which are permissive for the containment spray mode are direct measures of the variables that indicate need for containment cooling. Drywell and containment high pressure is sensed by pressure transmitters. Reactor vessel level is sensed by vessel water level transmitters. 7.3.2.4.3.1.9 Capability for Sensor Checks (IEEE 279 Paragraph 4.9)

The reactor vessel level, drywell high pressure and containment high pressure transmitter can be checked for operability by valving out each transmitter and applying a test pressure source. This verifies the operability of the sensors as well as the calibration range. The trip units mounted in the main control room are calibrated separately by introducing a calibration source and verifying the set point through the use of a digital readout on the trip calibration module.

7.3.2.4.3.1.10 Capability for Test and Calibration (IEEE 279 Paragraph 4.10)

The containment spray mode is capable of being completely tested during normal plant operation to verify that each element of the system, active or passive, is capable of performing its intended function. Motor-operated valves can be exercised by the appropriate control logic and starters, and all indications and annunciations can be observed as the system is tested. The instrument channel trip set point may be tested by introducing a test signal of sufficient magnitude to trip the instrument channel trip device. The change of state of the trip device may be observed by visual inspection of the trip device output indicator light on the logic cabinet (see NEDO-21617-A). Calibration of the mechanical portion of the sensing elements may be performed when the plant is shut down. The transmitter must be valved such that a test pressure can be applied. 7.3.2.4.3.1.11 Channel Bypass or Removal from Operation (IEEE 279 Paragraph 4.11)

Calibration of each sensor will introduce a single instrument channel trip. This does not cause a protective function without coincident operation of a second channel. Removal of a sensor from operation during calibration does not prevent the redundant instrument channel from functioning if accident conditions occur. 7.3.2.4.3.1.12 Operating Bypasses (IEEE 279 Paragraph 4.12)

Containment spray has no operating bypasses.

7.3.2.4.3.1.13 Indication of Bypasses (IEEE 279 Paragraph 4.13)

See Subsection 7.3.1.1.4.6.

7.3.2.4.3.1.14 Access to Means for Bypassing (IEEE 279 Paragraph 4.14)

Access to switchgear and motor control centers is procedurally controlled by lockable breaker control switch handles in the motor control centers. 7.3.2.4.3.1.15 Multiple Trip Settings (IEEE 279 Paragraph 4.15)

There are no multiple trip settings.

7.3.2.4.3.1.16 Completion of Protection Action Once it is Initiated (IEEE 279 Paragraph 4.16)

The final control elements for the containment spray system are essentially bi-stable, i.e., pump breakers stay closed without control power, and motor-operated valves stay open once they have reached their open position, even though the motor starter may drop out (which will occur when the valve open limit switch is reached). Thus, protective action once initiated will go to completion or continue until terminated by deliberate operator action.

If RHR A or B is operating in containment spray mode and there is a subsequent LOOP, manual restart of containment spray will be required. Automatic restarting of containment spray following a LOOP is not required because this scenario would require the LOOP to occur greater than 10 minutes following a LOCA. This is beyond the design basis for the plant.

7.3.2.4.3.1.17 Manual Actuation (IEEE 279 Paragraph 4.17)

In no event can failure of an automatic control circuit for equipment in one division disable the manual electrical control circuit for the other containment spray division. Single electrical failures cannot disable manual control of the containment spray function. Both containment spray A and B have manual initiation switches in parallel with the automatic initiation logic output circuits. 7.3.2.4.3.1.18 Access to Set Point Adjustment (IEEE 279 Paragraph 4.18)

Set point adjustments for the containment spray mode trips are accomplished at the bi-stable trip unit located in the main control room and are therefore under administrative control of the operator. The logic cabinets are locked to prevent unauthorized actuation. Because of these restrictions, compliance with this requirement of IEEE 279 is considered complete. 7.3.2.4.3.1.19 Identification of Protective Actions (IEEE 279 Paragraph 4.19)

Protective actions are directly indicated and identified by annunciator operation, and instrument channel indicator lights. Because either of these indications should be adequate, this combination of annunciation and visible verification fulfills the requirements of this criterion. 7.3.2.4.3.1.20 Information Readout (IEEE 279 Paragraph 4.20)

Sufficient information is provided on a continuous basis so that the operator can have a high degree of confidence that the containment spray function is available and/or operating properly. 7.3.2.4.3.1.21 System Repair (IEEE 279 Paragraph 4.21)

The containment spray mode is designed to permit repair or replacement of components.

All devices in the system are designed for a 40-year lifetime under the imposed duty cycles with periodic maintenance. Since this duty cycle is composed mainly of periodic testing rather than operation, lifetime is more a matter of "shelf life" than active life. However, all components are selected for continuous duty plus thousands of cycles of operation, far beyond that anticipated in actual service. The pump breakers are an exception to this with regard to the large number of operating cycles available. Nevertheless, even these breakers should not require contact replacement within 40 years, assuming periodic pump starts each 3 months. Recognition and location of a failed component will be accomplished during periodic testing. The simplicity of the logic will make the detection and location relatively easy, and components are mounted in such a way that they can be conveniently replaced in a short time. Sensors which are connected to the instrument piping are connected with separable screwed or bolted fittings to expedite changeout.

7.3.2.4.3.1.22 Identification (IEEE 279 Paragraph 4.22)

A colored nameplate identifies each logic cabinet and instrument panel that are part of the containment spray system. The nameplate shows the division to which each panel or cabinet is assigned, and also identifies the function in the system of each item on the control panel. Identification of cables and raceways is discussed in Subsection 8.3.1.3.

Panels in the control room are identified by tags which indicate the system logic contained in each panel.

7.3.2.4.3.2 IEEE 308

Class 1E loads are physically separated and electrically isolated into independent load groups, including the instrumentation and controls used in the containment spray mode of the RHR system. A failure in one group will not interfere with proper operation of the redundant portions of the system. Details of the Class 1E power system are discussed in Chapter 8.

7.3.2.4.3.3 IEEE 317

See 7.1.2.5.3.

7.3.2.4.3.4 IEEE 323

Refer to Section 3.11 for a discussion of system compliance for this standard.

7.3.2.4.3.5 IEEE 336

Conformance to IEEE 336-1971 (ANSI N45.2.4-1972) is discussed in conjunction with Regulatory Guide 1.30. Refer to USAR Section 1.8.

7.3.2.4.3.6 IEEE 338

The capability for testing the containment spray mode (RHR) instrument and control system is discussed in Subsection 7.3.2.4.3.1.9 and 7.3.2.4.3.1.10.

7.3.2.4.3.7 IEEE 344

Refer to Section 3.10 for discussion of system compliance to this standard.

7.3.2.4.3.8 IEEE 379

The single-failure criterion of IEEE 279, Paragraph 4.2 as further defined in IEEE 379, "Application of the Single-Failure Criterion to Nuclear Power Generating Station Protection System" is met as described in Subsection 7.3.2.4.3.1.2.

7.3.2.4.3.9 IEEE 384

The criteria for independence of IEEE 279 Paragraph 4.6, as further defined in IEEE 384, are met as described in Subsection 7.3.2.4.3.1.6.

7.3.2.4.3.10 IEEE 387

The diesel engine-generators of divisions 1 and 2 are applied as standby power supplies for the RHR system, including the equipment used in the containment spray mode. See subsection 7.3.2.4.3.2 for discussion of conformance to criteria for standby power supplies of IEEE 308 as amplified by IEEE 387.

7.3.2.5 Shutdown Service Water System Instrumentation and Controls

7.3.2.5.1 Conformance to General Functional Requirements

Chapter 15 "Accident Analyses," and Subsection 9.2.1, "Shutdown Service Water System," evaluate the individual and combined capabilities of the shutdown service water system.

7.3.2.5.2 Conformance to Specific Regulatory Requirements

7.3.2.5.2.1 Conformance to 10 CFR 50 Appendix A

Criterion 13 -- Instrumentation is provided to monitor the system over its normal operating range. Interlocking signals including alarms are provided for abnormal or accident conditions.

Criterion 44 -- The SSWS provides transfer of heat from systems and components important to safety to the ultimate heat sink under normal and accident operating conditions. Three independent subsystems are provided to assure that the system safety function can be accomplished, assuming a single failure.

Criterion 45 -- Provisions are included to satisfy the In-Service Inspection requirements of ASME Section XI.

Criterion 46 -- Appropriate controls and instrumentation are provided to permit periodic functional testing.

7.3.2.5.2.2 Conformance to Industry Standards

7.3.2.5.2.2.1 IEEE 279, Criteria for Protection Systems for Nuclear Power Generating Stations

7.3.2.5.2.2.1.1 General Functional Requirements (IEEE 279, Paragraph 4.1)

The general functional requirements of this system are discussed in Subsection 7.3.2.5.1. 7.3.2.5.2.2.1.2 Single Failure Criterion (IEEE 279, Paragraph 4.2)

The SSWS consists of three subsystems. The three subsystems feature separate and independent sets of controls and instrumentations and meet the single failure criterion.

7.3.2.5.2.2.1.3 Quality of Components and Modules (IEEE 279, Paragraph 4.3)

Components used in the SSWS have been carefully selected on the basis of suitability for the specific application. The logic relays have been selected with conservatism to ensure against significant deterioration during anticipated duty over the lifetime of the plant. A quality assurance program is implemented and documented by equipment vendors with the intent of complying with requirements set forth in 10 CFR 50, Appendix B. 7.3.2.5.2.2.1.4 Equipment Qualification (IEEE 279, Paragraph 4.4)

Class 1E Equipment Qualification is demonstrated by the vendors or others by type tests in accordance with the purchase specification. Where necessary, operating experience or analysis is used to supplement type tests. 7.3.2.5.2.2.1.5 Channel Integrity (IEEE 279, Paragraph 4.5)

The SSWS is designed to maintain its functional capability under the environmental conditions, electrical transients, and malfunctions that may occur in the design-basis LOCA. 7.3.2.5.2.2.1.6 Channel Independence (IEEE 279, Paragraph 4.6)

Channel independence for sensors is provided by electrical and mechanical separation. Physical separation is maintained between the subsystems to increase reliability of operation. The SSWS is sufficiently separated to give a high degree of reliability. 7.3.2.5.2.2.1.7 Control and Protection Systems Interaction (IEEE 279, Paragraph 4.7)

There is no interaction between the SSWS and the reactor protection system (RPS).

7.3.2.5.2.2.1.8 Derivation of System Inputs (IEEE 279, Paragraph 4.8)

All input signals to the instrumentation and control systems are derived from direct measurement of system variables.

7.3.2.5.2.2.1.9 Capability of Sensor Checks (IEEE 279, Paragraph 4.9)

The sensors which are used for inputs to the SSWS can be checked one at a time by application of simulated signals during normal plant operation. 7.3.2.5.2.2.1.10 Capability of Test and Calibration (IEEE 279, Paragraph 4.10)

All active components of the SSWS can be tested during plant operation. Operation of the pumps with manual switches verifies the ability of the pumps to operate properly. Instrument setpoints are tested by simulated signals to verify the setpoints are within limits. 7.3.2.5.2.2.1.11 Channel Bypass or Removal from Operation (IEEE 279, Paragraph 4.11)

The design of the three independent subsystems permits the removal from operation of one subsystem for testing, calibration, or maintenance without affecting the ability of the other subsystems to perform their required safety functions.

7.3.2.5.2.2.1.12 Operating Bypasses (IEEE 279, Paragraph 4.12)

Not applicable to the SSWS.

7.3.2.5.2.2.1.13 Indication of Bypasses (IEEE 279, Paragraph 4.13)

When parts of the system have been deliberately made inoperative for test, calibration or maintenance, an indication of this condition is provided in the main control room. 7.3.2.5.2.2.1.14 Access to Means for Bypassing (IEEE 279, Paragraph 4.14)

Not applicable to the SSWS.

7.3.2.5.2.2.1.15 Multiple Set Points (IEEE 279, Paragraph 4.15)

There are no multiple set points in the SSWS.

7.3.2.5.2.2.1.16 Completion of Protection Action Once Initiated (IEEE 279, Paragraph 4.16)

Completion of action is assured by the control circuitry which performs an automatic transfer to the SSWS system. Return to the PSWS is prevented until the accident initiation signals are reset and operator manual action is completed.

7.3.2.5.2.2.1.17 Manual Actuation (IEEE 279, Paragraph 4.17)

The SSWS can be initiated manually, at subsystem level, from the main control room.

7.3.2.5.2.2.1.18 Access to Set Point Adjustments, Calibration, and Test Points (IEEE 279, Paragraph 4.18)

Access to setpoint adjustments, calibration points and test points is provided by administrative controls to qualified plant personnel.

7.3.2.5.2.2.1.19 Identification of Protective Actions (IEEE 279, Paragraph 4.19)

Meters and recorders located in the main control room provide indication of process variables necessary for the operator to verify the proper operation of the SSWS. 7.3.2.5.2.2.1.20 Information Read-Out (IEEE 279, Paragraph 4.20)

Meters and recorders in the main control room provide indication of process variables necessary for proper operation of the SSWS. 7.3.2.5.2.2.1.21 System Repair (IEEE 279, Paragraph 4.21)

The system is designed to provide easy recognition of malfunctioning equipment through proper test procedures. Accessibility is provided for the sensors and controls to facilitate repair or adjustment.

7.3.2.5.2.2.1.22 Identification of Protection Systems (IEEE 279, Paragraph 4.22)

Nameplates identify the electrical separation division for each instrument panel or instrument or both.

7.3.2.5.2.2.2 Compliance to IEEE 323

The Class 1E equipment qualification is demonstrated by the vendor or others by tests in accordance with the purchase specification. Where necessary, operating experience or analysis is used to supplement type tests. Qualification documentation is maintained to verify that the equipment is qualified.

7.3.2.5.2.2.3 Compliance to IEEE 338

The operability of the SSWS can be verified and credible failures are detectable through testing during normal plant operation. Each subsystem logic through the final actuators may be tested independent of the other subsystem. The input sensors and setpoints are checked by the application of simulated signals. A failure of a subsystem while testing will not prevent the subsystem from being initiated.

7.3.2.5.2.2.4 Compliance to IEEE 344

Capability of the instruments and controls to meet seismic requirements is demonstrated by the manufacturer or others. Documentation to verify that the equipment is seismically qualified is maintained.

7.3.2.5.2.2.5 Compliance to IEEE 379

See subsection 7.3.2.5.2.2.1.2.

7.3.2.6 Main Control Room HVAC System Instrumentation and Controls 7.3.2.6.1 Specific Conformance of the Instrumentation and Control to IEEE 279 7.3.2.6.1.1 General Functional Requirements (IEEE 279, Paragraph 4.1)

Instruments and controls provided for each of the control room redundant HVAC systems perform their normal safety function during all phases of station operation and during design basis events to maintain main control room habitability. 7.3.2.6.1.2 Single Failure Criterion (IEEE-279 Paragraph 4.2)

Independent instrumentation and controls are provided for each of the two redundant systems. Single failure criterion is met in that the instrumentation and controls associated with one system will not affect the safety related function of the other redundant system. 7.3.2.6.1.3 Quality of Components and Modules (IEEE 279, Paragraph 4.3)

Components used in the main control room HVAC system have been carefully selected on the basis of suitability for the specific application. The logic relays have been selected with conservatism to ensure against significant deterioration during anticipated duty over the lifetime of the plant.

A quality assurance program is required to be implemented and documented by equipment vendors with the intent of complying with the requirements set forth in 10 CFR 50, Appendix B.

7.3.2.6.1.4 Equipment Qualification (IEEE-279, Paragraph 4.4)

The nuclear safety-related instrumentation and controls for the main control room HVAC system are qualified by type test and/or analyses in conformance with the contract specification. 7.3.2.6.1.5 Channel Integrity (IEEE-279 Paragraph 4.5)

Instrumentation and controls for the control room HVAC System are qualified to maintain their functional capability under extreme conditions specified in the design environmental parameters. 7.3.2.6.1.6 Channel Independence (IEEE 279 Paragraph 4.6)

The main control room HVAC system instruments and controls channels are independent from each other. Electrical and physical separation is maintained between the instruments and controls provided for the redundant HVAC systems, and no interface exists between the control channels. 7.3.2.6.1.7 Control and Protection System Interaction (IEEE 279 Paragraph 4.7) 7.3.2.6.1.7.1 Classification of Equipment (IEEE 279 Paragraph 4.7.1)

The instruments and controls provided for the main control room HVAC system are designed such that both protective and control functions are not performed by the same control device or equipment. 7.3.2.6.1.7.2 Isolation Devices, Single Random Failure and Multiple Failures Resulting from a Credible Single Event (Paragraphs 4.7.2, 4.7.3, 4.7.4 of IEEE 279)

Does not apply based on Subsection 7.3.2.12.1.7.1. 7.3.2.6.1.8 Derivation of System Input (IEEE 279 Paragraph 4.8)

The signals for essential instruments are direct measures of desired variable parameters.

7.3.2.6.1.9 Capability for Sensor Checks (IEEE 279 Paragraph 4.9)

The sensors which are used for input to the control room HVAC system can be checked one at a time by application of simulated signals during normal plant operation. 7.3.2.6.1.10 Capability for Test and Calibration (IEEE 279 Paragraph 4.10)

The instruments and controls for the main control room HVAC system are located such that they are accessible for periodic testing and calibration without affecting the safety function of the other related instruments.

7.3.2.6.1.11 Channel Bypass or Removal from Operation (IEEE 279 Paragraph 4.11)

There are no instrument channel bypasses associated with the Control Room HVAC System. Calibration of a sensor that introduces a single instrument channel trip will not cause a protective action without the coincident trip of a second channel. The removal of a sensor from operation during calibration does not prevent the redundant instrument channel from functioning if accident conditions occur. 7.3.2.6.1.12 Operating Bypass (IEEE 279 Paragraph 4.12)

There are no operating bypasses for the Control Room HVAC System. 7.3.2.6.1.13 Indication of Bypasses (IEEE 279 Paragraph 4.13)

There are no instrumentation bypasses for the Control Room HVAC System. Off normal or trouble conditions are alarmed in the main control room. 7.3.2.6.1.14 Access to Means for Bypassing (IEEE 279 Paragraph 4.14)

There are no instrumentation bypasses for the Control Room HVAC System. Maintenance activities such as channel calibration and functional checks are procedurally controlled. 7.3.2.6.1.15 Multiple Set Points (IEEE 279 Paragraph 4.15)

The design of the main control room HVAC system control and instrumentation does not require provisions for multiple control setpoints.

7.3.2.6.1.16 Completion of Protective Action Once It Is Initiated (IEEE 279 Paragraph 4.16)

The main control room HVAC system receives signals from radiation detectors in the outside air intake. Once initiated, action takes place at system level and shall go to completion. Only deliberate operator action shall cause return to operation. 7.3.2.6.1.17 Manual Initiation (IEEE 279 Paragraph 4.17)

Manual initiation of the HVAC fans can be accomplished by operator actuation of control switch located in the main control room. 7.3.2.6.1.18 Access to Set Point Adjustments, Calibrations, and Test Points (IEEE 279 Paragraph 4.18)

Access to set point adjustments, calibrations, and test points is under administrative control.

7.3.2.6.1.19 Identification of Protective Action (IEEE 279 Paragraph 4.19)

Local indicating lights are provided for each of the radiation detection channels.

7.3.2.6.1.20 Information Read Out (IEEE 279 Paragraph 4.20)

Alarms and indicators are provided in the main control room and on local panels.

CPS/USAR CHAPTER 07 7.3-143 REV. 11, JANUARY 2005 7.3.2.6.1.21 System Repair (IEEE 279 Paragraph 4.21)

The control room HVAC system instrumentation and controls are located to facilitate the recognition location, replacement, repair or adjustment of any malfunctioning instrument(s). 7.3.2.6.1.22 Identification (IEEE 279 Paragraph 4.22)

Nameplates identify the electrical separation divis ion for each instrument panel or instrument or both. 7.3.2.6.2 Specific Conformance of the Instrumentation and Controls to General Design Criteria, 10 CFR 50 Appendix A 7.3.2.6.2.1 Criterion 13 - Instrumentation and Controls Control room HVAC system instrumentation and controls for each system have been provided to monitor and maintain room temperature at a predetermined setpoint. 7.3.2.6.2.2 Criterion 19 - Control Room The main control room HVAC system provides radiation protection for the control room to permit access and occupancy under accident conditions without personnel receiving radiation exposures in excess of 5 rem whole body or its equivalent to any part of the body for the duration of the accident. 7.3.2.6.3 Conformance to Regulatory Guide 1.47 An inoperable subsystem or the unavailability of a major component such as pumps, fans, chillers or dampers is automatically indicated and alarmed in the Control Room. Subsystem inoperable status can also be indicated and alarmed manually by operator selection. 7.3.2.7 Combustible Gas Control System 7.3.2.7.1 Conformance with General Functional Requirements General Functional Requirements for the CGCS system are discussed in Subsection 6.2.5.1. 7.3.2.7.2 Conformance with Specific Regulatory Requirements 7.3.2.7.2.1 Conformance with 10 CFR 50 General Design Criteria General Design Criteria, established in Appendix A of 10 CFR 50, which are generally applicable to all ECCS systems are discussed in Subsection 7.3.2.1. Those with specific impact on the CGCS are described in this Section.

Criterion 13: Instrumentation Control

The Containment Atmospheric Monitoring System provides appropriate information to allow the operator to evaluate the need for manual initiation of the CGCS. The variables monitored are described in Subsection 7.6.1.10. Compressor differential pressure is monitored in the main control room. Both the compressors and recombiners are provided with local instrumentation which is monitored while testing or operating. Abnormalities are alarmed in the main control room. The ranges provided assure continuous monitoring during system operation. The system operates in order to maintain combustible gas concentration levels below the flammable range.

Criterion 41: Containment Atmosphere Cleanup

The CGCS serves to control the concentration of hydrogen in the containment and drywell atmosphere. Refer to Subsection 6.2.5.1 for a description of CGCS operation. Redundancy is described in Subsection 6.2.5.1. Isolation is accomplished automatically by air testable check valves for drywell penetrations and by four motor-operated valves for containment penetrations. The CGCS purge and vacuum relief lines are normally at atmospheric pressure. There is therefore no need for a leak detection system for these lines.

Criterion 43: Testing of Containment Atmosphere Cleanup Systems

Testing of the CGCS is discussed in Subsections 6.2.5.1.4.

Criterion 54: Piping Systems Penetrating Containment

Leak detection and isolation are discussed under Criterion 41 above. Redundancy is discussed in Subsections 6.2.5. System testing is discussed in Subsection 6.2.5.1.4.

Criterion 56: Primary Containment Isolation

The hydrogen recombiners are located outside the primary containment. Automatic isolation is provided upon detection of a LOCA by motor-operated valves outside of the penetration. These valves are located as close as practical to the penetration and may be opened to allow operation of the hydrogen recombiners.

7.3.2.7.2.2 Conformance to IEEE Standard 279

The CGCS is designed to conform to the requirements of Section 4 of IEEE Standard 279, Criteria for Protection Systems for Nuclear Power Generating Stations, as described in this Section.

7.3.2.7.2.2.1 General Functional Requirements (IEEE 279, Paragraph 4.1)

A complete description of the post-LOCA is found in Subsections 6.2.1 and 6.2.3. As demonstrated by the accident description and analysis discussions of Section 6.2.5.1.3, it has been calculated that operation of the drywell-containment mixing compressors and hydrogen recombiners is not required immediately after the event. As a consequence, operation of both the mixing compressors and recombiners is manually initiated.

7.3.2.7.2.2.2 Single Failure Criterion (IEEE 279, Paragraph 4.2)

The CGCS is comprised of two independent sets of controls for the physically separated actuated systems, and meets single failure criteria.

7.3.2.7.2.2.3 Quality of Components and Modules (IEEE 279, Paragraph 4.3)

Components used in the CGCS have been carefully selected on the basis of suitability for the specific application. The logic relays have been selected with conservatism to ensure against significant deterioration during anticipated duty over the lifetime of the plant. A quality assurance program is required to be implemented and documented by equipment vendors with the intent of complying with the requirements set forth in 10 CFR 50, Appendix B.

7.3.2.7.2.2.4 Equipment Qualification (IEEE 279, Paragraph 4.4)

The CGCS essential components meet the equipment requirements described in Sections 3.10 and 3.11.

7.3.2.7.2.2.5 Channel Integrity (IEEE 279, Paragraph 4.5)

Type testing of components, separation of sensors and channels, and qualification of cabling are utilized to ensure that the channels will maintain the functional capability required under applicable design basis conditions. Loss of or damage to any one channel will not prevent the action of the redundant channel. The process transmitters are located in the containment and are specified and rated for the intended service.

7.3.2.7.2.2.6 Channel Independence (IEEE 279, Paragraph 4.6)

Channel independence is provided by electrical and physical separation between the redundant systems.

7.3.2.7.2.7 Control and Protection System Interaction (IEEE 279, Paragraph 4.7)

The nonessential vacuum relief valve test circuitry is entirely separate and isolated from the CGCS. Isolation circuits are provided between the CGCS and the computer and annunciator circuits.

7.3.2.7.2.2.8 Derivation of System Inputs (IEEE 279, Paragraph 4.8)

The signals used for system inputs are direct measures of the desired variables. Manual initiation of the hydrogen recombiners is based on main control room indication of hydrogen levels.

7.3.2.7.2.2.9 Capability for Sensor Checks (IEEE 279, Paragraph 4.9)

The sensors which are used for input to the CGCS can be checked one at a time by application of simulated signals during normal plant operation.

7.3.2.7.2.2.10 Capability for Test and Calibration (IEEE 279, Paragraph 4.10)

Testing of CGCS is discussed in Subsection 6.2.5.1.4. All instrumentation is accessible for periodic calibration and testing during normal plant operation or while shutdown.

7.3.2.7.2.2.11 Channel Bypass or Removal from Operation (IEEE 279, Paragraph 4.11)

Any one of the system channels may be tested, calibrated, or repaired without initiating system action. The single failure criterion continues to be met during these conditions.

7.3.2.7.2.2.12 Operating Bypasses (IEEE 279, Paragraph 4.12)

There are no operating bypasses in the CGCS. Portions of the CGCS may, however, be manually bypassed by pulling a fuse or tripping the feeder breakers to an emergency switchgear section or "racking out" a compressor motor starter feeder breaker at a motor control center.

7.3.2.7.2.2.13 Indication of Bypasses (IEEE 279, Paragraph 4.13)

Not Applicable.

7.3.2.7.2.2.14 Access to Means for Bypassing (IEEE 279, Paragraph 4.14)

Not Applicable.

7.3.2.7.2.2.15 Multiple Set Points (IEEE 279, Paragraph 4.15)

There are no multiple set points in the CGCS.

7.3.2.7.2.2.16 Completion of Protective Action Once It Is Initiated (IEEE 279, Paragraph 4.16)

Not Applicable.

7.3.2.7.2.2.17 Manual Initiation (IEEE 279, Paragraph 4.17)

Each compressor with its suction valve, recombiner and its associated suction/return valves is capable of individual manual initiation from the Main Control Room.

7.3.2.7.2.2.18 Access to Set Point Adjustments (IEEE 279, Paragraph 4.18)

Set point adjustments for the devices which are used by the combustible gas control systems are located on the instrument panels and are accessible during normal plant operation but are under administrative controls.

7.3.2.7.2.2.19 Identification of Protective Actions (IEEE 279, Paragraph 4.19)

The system is manually initiated. The status of each component of the system is also indicated by status lights in the control room.

7.3.2.7.2.2.20 Information Readout (IEEE 279, Paragraph 4.20)

Refer to Section 7.5 for a discussion of safety-related display information.

7.3.2.7.2.2.21 System Repair (IEEE 279, Paragraph 4.21)

Identification of a defective device is accomplished by observation of system status lights, by indication provided for system parameters, or by testing as described in Subsection 6.2.5.1.4. Replacement or repair of devices is accomplished with the affected device taken out of service.

7.3.2.7.2.2.22 Identification (IEEE 279, Paragraph 4.22)

Nameplates identify the electrical separation division for each instrument panel or instrument or both.

7.3.2.7.2.3 Conformance to IEEE Standard 338

All components of the CGCS can be tested during plant operation. Valves and compressors can be tested from control room switches to verify operability. Each trip channel can be individually tested without initiating protective action. Upon the occurrence of a LOCA, any test will be automatically overridden by the LOCA signal. Refer to Subsection 6.2.5.1.4 for a discussion of testing of CGCS mechanical equipment.

7.3.2.7.2.4 Branch Technical Position EICSB 19

Branch Technical Position ICSB 19, "Acceptability of Design Criteria for Hydrogen Mixing and Drywell Vacuum Relief Systems," has been deleted from Appendix 7A of the Standard Review Plan, NUREG-800 Revision 2.

7.3.2.8 Standby Power System - Instrumentation and Controls

7.3.2.8.1 HPCI Instrumentation and Controls

Refer to Section 8.3.

7.3.2.8.2 Emergency Diesel-Generator System

See Section 8.3 for this information.

7.3.2.9 Standby Gas Treatment System Instrumentation and Controls

7.3.2.9.1 Specific Conformance of the Instrumentation and Control of IEEE 279

7.3.2.9.1.1 General Functional Requirements (IEEE 279, Paragraph 4.1)

The standby gas treatment system will perform its normal and safety function during all phases of station operation and during a postulated accident condition. The standby gas treatment system is automatically initiated in response to any one of the signals described in Subsection 7.3.1.1.9.2. The system can also be manually initiated from the main control room.

7.3.2.9.1.2 Single-Failure Criteria (IEEE 279, Paragraph 4.2)

The standby gas treatment system consists of two full-capacity independent equipment trains which are powered from independent Class 1E buses and actuated by independent control circuits. Indications are powered from separate electrical sources for the two independent equipment trains. This satisfies the single failure criteria.

7.3.2.9.1.3 Quality of Components and Modules (IEEE 279, Paragraph 4.3)

Components used in the standby gas treatment have been carefully selected on the basis of suitability for the specific application. The logic relays have been selected with conservatism to ensure against significant deterioration during anticipated duty over the lifetime of the plant. A quality assurance program is required to be implemented and documented by equipment vendors with the intent of complying with the requirements set forth in 10 CFR 50, Appendix B.

7.3.2.9.1.4 Equipment Qualification (IEEE 279, Paragraph 4.4)

The nuclear safety-related instrumentation and controls for the standby gas treatment system are qualified by type test and/or analyses in conformance with the contract specification.

7.3.2.9.1.5 Channel Integrity (IEEE 279, Paragraph 4.5)

Instrumentation and controls for the standby gas treatment system are qualified to maintain their functional capability under extreme conditions specified in the design environmental parameters.

7.3.2.9.1.6 Channel Independence (IEEE 279, Paragraph 4.6)

Electrical and mechanical separation is maintained between the instrumentation and controls of the redundant trains.

7.3.2.9.1.7 Control and Protection Interaction (IEEE 279, Paragraph 4.7)

7.3.2.9.1.7.1 Classification of Equipment (IEEE 279, Paragraph 4.7.1)

Instruments and controls for the standby gas treatment system provide filtration control and isolation function only. The protective action signal originates from separate devices. There is no interaction between these devices and instruments used for control function.

7.3.2.9.1.7.2 Isolation Devices (IEEE 279, Paragraph 4.7.2)

The transmission of signals from protection system equipment for control system passes through isolation devices which are classified as part of the protection system and meet all the requirements of IEEE-279. No credible failure at the output of the isolation device(s) prevents the associated protective system channels from meeting the minimum performance requirements specified in the design basis.

7.3.2.9.1.7.3 Single Random Failure (IEEE 279, Paragraph 4.7.3)

A control system action caused by a single random failure at a SGTS system channel will not interact with the reactor protection system. A credible failure of one SGTS train will not prevent the proper operation of the redundant train.

7.3.2.9.1.7.4 Multiple Failures Resulting From a Credible Single Event (IEEE 279, Paragraph 4.7.4)

A control system action caused by a multiple failure resulting from a credible single event at SGTS channels will not interact with the RPS.

7.3.2.9.1.8 Derivation of System Inputs (IEEE 279, Paragraph 4.8)

The signals for essential instruments are direct measures of desired variable parameters.

7.3.2.9.1.9 Capability for Sensor Checks (IEEE 279, Paragraph 4.9)

The sensors which are used for input to the standby gas treatment system can be checked one at a time by application of simulated signals during normal plant operation.

7.3.2.9.1.10 Capability for Test and Calibration (IEEE 279, Paragraph 4.10)

The instruments and controls for the standby gas treatment are located such that they are accessible for periodic testing and calibration without affecting the safety function of the other associated instruments.

7.3.2.9.1.11 Channel Bypass or Removal from Operation (IEEE 279, Paragraph 4.11)

Either train may be shut down for repair work by placing the control switch in the pull-to-lock position. This action is annunciated in the main control room.

7.3.2.9.1.12 Operating Bypasses (IEEE 279, Paragraph 4.12)

Not applicable.

7.3.2.9.1.13 Indication of Bypasses (IEEE 279, Paragraph 4.13)

The pull-to-lock control switch selection for each fan causes all corresponding indicating lights in the main control room to go out.

7.3.2.9.1.14 Access to Means for Bypassing (IEEE 279, Paragraph 4.14)

The handswitches in the main control room are under the administrative control of the operators.

7.3.2.9.1.15 Multiple Setpoints (IEEE 279, Paragraph 4.15)

This is not applicable.

7.3.2.9.1.16 Completion of Protective Action Once it is Initiated (IEEE 279, Paragraph 4.16)

It is not necessary that the actions of this system go to completion. Only by deliberate operator action can the action be stopped or reversed.

7.3.2.9.1.17 Manual Initiation (IEEE 279, Paragraph 4.17)

Startup of major components of each equipment train can be initiated from the main control room bench board.

7.3.2.9.1.18 Access to Setpoint Adjustments, Calibration, and Test Points (IEEE 279, Paragraph 4.18)

Access to setpoints, and calibrations, are under administrative control.

7.3.2.9.1.19 Identification of Protective Actions (IEEE 279, Paragraph 4.19)

Indication and annunciation are provided on panels in the main control room for any one of the initiating conditions described in Subsection 7.3.1.1.9.2.

7.3.2.9.1.20 Information Readout (IEEE 279, Paragraph 4.20)

As appropriate, indicators are provided in the main control room and on local panels. Important alarm conditions are annunciated in the main control room and indicated locally. These alarms and indicators provide the operators with accurate, complete and timely status information.

7.3.2.9.1.21 System Repair (IEEE 279, Paragraph 4.21)

The standby gas treatment system instrumentation and controls are located to facilitate the recognition, location, replacement, repair, or adjustment of any malfunctioning instrument(s).

7.3.2.9.1.22 Identification (IEEE 279, Paragraph 4.22)

Nameplates identify the electrical separation division for each instrument panel or instrument or both. All interconnecting wires and cables are properly identified with tags.

7.3.2.9.2 Specific Conformance of Instruments and Controls to General Design Criteria 10 CFR 50, Appendix A

Criterion 13 Instrumentation and Control

Instrumentation and controls for the standby gas treatment system have been provided to limit the offsite dose to the limits of 10 CFR 100 and to maintain a negative pressure in the secondary containment under abnormal station operating conditions.

7.3.2.10 Suppression Pool Makeup System

7.3.2.10.1 Conformance with General Functional Requirements

General functional requirements for the suppression pool makeup system are described in Subsection 6.2.7.2.

7.3.2.10.2 Conformance with Specific Regulatory Requirements

7.3.2.10.2.1 Conformance With 10 CFR 50, General Design Criteria

General design criteria, established in Appendix A of 10 CFR 50, which are generally applicable to all ECCS systems are discussed in Subsection 7.3.2.1. Those with specific impact on the suppression pool makeup system are discussed in this Section.

Criterion 13: Instrumentation and Controls

Instrumentation is provided with the suppression pool makeup system to monitor suppression pool level over the full range of anticipated levels during normal operations and accident conditions as required to initiate the system.

Criterion 35: Emergency Core Cooling

The suppression pool makeup system maintains the suppression pool as an adequate source of core cooling water for the five ECCS pumps. The rate and volume of dump is sufficient to prevent the five ECCS pumps from lowering the suppression pool water level below the elevation required for minimum vent coverage and ECCS pump NPSH.

Criterion 37: Testing of Emergency Core Cooling System

Provisions are included in the suppression pool makeup system to allow periodic testing of each component in the system without initiating protective action during reactor operation.

7.3.2.10.2.2 Conformance to IEEE Standard 279

The suppression pool makeup system is designed to conform with the requirements of Section 4 of IEEE Standard 279, Criteria for Protection Systems for Nuclear Power Generating Stations, as described below:

Requirement 4.1: General Functional Requirement

The suppression pool makeup system is automatically initiated whenever the conditions it monitors require system action.

Requirement 4.2: Single Failure Criterion

The suppression pool makeup system, comprised of two independent and redundant actuation systems, meets all credible aspects of the single failure criterion. By providing two initiation signals from primary sensors in each actuation system, and by using separate relay logic circuits for the two valves in each system, it is assured that no single failure of an instrument or relay can cause an inadvertent dump of the upper containment pool or prevent a dump from occurring if conditions require it.

Requirement 4.3: Quality of Components and Modules

Components used in the suppression pool makeup system have been carefully selected on the basis of suitability for the specific application. The logic relays have been selected with conservatism to ensure against significant deterioration during anticipated duty over the lifetime of the plant. A quality assurance program is required to be implemented and documented by equipment vendors with the intent of complying with the requirements set forth in 10 CFR 50, Appendix B.

Requirement 4.4: Equipment Qualification

The suppression pool makeup system components meet the equipment qualification requirements described in Sections 3.10 and 3.11.

Requirement 4.5: Channel Integrity

Type testing of components, separation of sensors and channels, and qualification of cabling are utilized to ensure that the channels will maintain the functional capability required under applicable design basis conditions. Loss of or damage to any one channel will not prevent the action of the redundant channel.

Requirement 4.6: Channel Independence

Channel independence for sensors is provided by electrical and mechanical separation.

Requirement 4.7: Control and Protective System Interaction

No portion of the suppression pool makeup system is used for control functions.

Requirement 4.8: Derivation of System Inputs

The level transmitters which provide signals as inputs to the suppression pool makeup system give a direct measure of the desired variable, suppression pool level.

Requirement 4.9: Capability for Sensor Checks

The sensors which are used for input to the suppression pool makeup system can be checked one at a time by application of simulated signals during normal plant operation.

Requirement 4.10: Capability for Test and Calibration

Electronic trip calibration units are provided for this and other systems. The primary sensors provide an analog (4-20 mA) signal to trip units in the main control room. The trip units provide contact outputs to drive the system relay logic and initiate system action. A calibration unit mounted in the same rack as the trip units provides means to perform an inplace calibration check or setpoint adjustment. Refer to Subsection 7.3.1.1.10.10 for a discussion of inservice testability.

Requirement 4.11: Channel Bypass or Removal from Operation

Either of the two channels may be removed from operation. System action is assured by the redundant channel which operates the valves in the alternate dump line. While a trip unit may be bypassed, however, system action will not be initiated unless there is a LOCA or the control switch is placed in the open position.

Requirement 4.12: Operating Bypasses

Refer to Subsection 7.3.1.1.10.6 for a discussion of suppression pool makeup system bypasses. It may also be bypassed by manually opening a valve motor starter feeder breaker at a motor-control center. The bypass is under the control of supervisory personnel and is not intended to be automatically overcome by accident detection signals.

Requirement 4.13: Indication of Bypasses

Bypass of either train of the suppression pool makeup system is continuously indicated in the main control room.

Requirement 4.14: Access to Means for Bypassing

Access to means for bypassing the suppression pool makeup system is under administrative control. Handswitches for system bypass are located in the main control room.

Requirement 4.15: Multiple Setpoints

There are no multiple setpoints in the suppression pool makeup system.

Requirement 4.16: Completion of Protective Action Once It Is Initiated

Once initiated, either automatically or manually, operator action is required to stop the flow of upper containment pool water to the suppression pool.

Requirement 4.17: Manual Initiation

The suppression pool makeup system may be manually initiated on a system level from main control room handswitches. No failure in one division of the suppression pool makeup system can prevent operation of the redundant system.

Requirement 4.18: Access to Setpoint Adjustments, Calibration and Test Points

The electronic trip and calibration units are under administrative control in the main control room.

Requirement 4.19: Identification of Protective Actions

Initiation of the suppression pool makeup system is annunciated in the main control room. The status of each device in the system is indicated in the main control room.

Requirement 4.20: Information Readout

Refer to Section 7.5 for a discussion of safety-related display instrumentation.

Requirement 4.21: System Repair

Identification of a defective channel is accomplished by observation of system status lights or by testing as described in Subsection 7.3.2.10.2.3. Replacement or repair of components is accomplished with the affected channel bypassed. The affected trip function then operates with a single sensor.

Requirement 4.22: Identification

Nameplates identify the electrical separation division for each instrument panel or instrument or both. All interconnecting wires and cables are properly identified with tags.

7.3.2.10.2.3 Conformance to IEEE Standard 338

All components of the suppression pool makeup system can be tested during plant operation. Each trip channel can be individually tested without initiating protective action. The dump valves can be individually opened from main control room handswitches to test their operation. Interlocks are provided to prevent an inadvertent dump of the upper containment pool water during refueling.

7.3.2.11 Diesel Oil-Instrumentation and Controls

7.3.2.11.1 Conformance to General Functional Requirements

Conformance to general functional requirements is also described in Subsection 9.5.4. The diesel fuel oil system is an auxiliary system for the emergency diesel generators. The functional requirements of the diesel fuel oil system assure that the generators always have a source of fuel and in the quantity required. The diesel fuel oil system is designed and operated to assure a supply of fuel oil from the day tank to the diesel generators. Sufficient fuel oil is maintained in the storage tank as described in Subsection 9.5.4. Low level alarms in the main control room, remote indication, and visual inspection provide indication of storage tank fuel oil volume. Day tank fuel oil volume is controlled by the operation of the transfer pumps. Set points for pump start and stop are chosen to assure that the day tank has the required volume of fuel oil. Should the generator be started for any reason, the transfer pumps will also start. The flow capacity of the transfer pumps is greater than the full load requirements of the diesel generators assuring continuous fuel oil availability from the day tank. Oil in excess of that required to keep the day tank full is recirculated to the storage tank. Low levels are also alarmed in the main control room. Flow from the day tank to the generator is by gravity. With sufficient fuel oil volume in and makeup flow to the day tank, supply to the generator is maintained. Should the generator start signal fail to start the transfer pump, the day tank level switch will start the pump to add fuel oil to the day tank. Low level (transfer pump start) is determined such that the volume of fuel oil in the tank at low level is sufficient to start the generator. Temperature monitoring is not provided for the diesel fuel oil storage and transfer system.

7.3.2.11.2 Conformance to Specific Regulatory Requirements

7.3.2.11.2.1 Conformance to 10 CFR 50, Appendix A

Criterion 13

Conformance is achieved by monitoring day tank and storage tank levels over the expected range and by providing controls to maintain the required volume of fuel oil in the day tank.

Criterion 17, 18

The diesel fuel oil system is divided into Division 1, Division 2, and Division 3. The independence of these divisions prevents compromise and enhances inspection of safety-related power supply systems.

7.3.2.11.2.2 Conformance to Industry Standards

7.3.2.11.2.2.1 IEEE 279, Criteria for Protection Systems for Nuclear Power Generating Stations

7.3.2.11.2.2.1.1 General Functional Requirements (IEEE 279, Paragraph 4.1)

The diesel fuel oil transfer pumps may be started manually from the main control room. When started, the pump is stopped automatically on high day tank level and generator stop signal. The pump can be stopped manually under conditions which could cause system damage or under conditions where system operation is neither necessary nor appropriate.

7.3.2.11.2.2.1.2 Single Failure Criterion (IEEE 279, Paragraph 4.2)

The single failure criterion is met by providing three separate and independent subsystems in the diesel fuel oil system. No single failure of one subsystem will affect either of the other two subsystems from performing their respective safety functions.

7.3.2.11.2.2.1.3 Quality of Components and Modules (IEEE 279, Paragraph 4.3)

Components used in the diesel fuel oil system have been carefully selected on the basis of suitability for the specific application. The logic relays have been selected with conservatism to ensure against significant deterioration during anticipated duty over the lifetime of the plant. A quality assurance program is required to be implemented and documented by equipment vendors with the intent of complying with requirements set forth in 10 CFR 50, Appendix B.

7.3.2.11.2.2.1.4 Equipment Qualification (IEEE 279, Paragraph 4.4)

Class 1E equipment qualification is demonstrated by the vendors or others by type tests in accordance with the purchase specification. Where necessary, operating experience or analysis is used to supplement type tests.

7.3.2.11.2.2.1.5 Channel Integrity (IEEE 279, Paragraph 4.5)

The diesel fuel oil system is designed to maintain its functional capability under the environmental conditions, electrical transients, and malfunctions that may occur in the design basis LOCA.

7.3.2.11.2.2.1.6 Channel Independence (IEEE 279, Paragraph 4.6)

Channel independence for sensors is provided by electrical and mechanical separation. Physical separation is maintained among the three subsystems to increase reliability of operation. There are no interfaces among the subsystems.

7.3.2.11.2.2.1.7 Control and Protection System Interaction (IEEE 279, Paragraph 4.7)

There are no control functions in the diesel fuel oil system.

7.3.2.11.2.2.1.8 Derivation of System Inputs (IEEE 279, Paragraph 4.8)

All input signals to the instrumentation and control systems are derived from direct measurement of system variables.

7.3.2.11.2.2.1.9 Capability of Sensor Checks (IEEE 279, Paragraph 4.9)

The sensors which are used for input to the diesel fuel oil system can be checked one at a time by application of simulated signals during normal plant operation.

7.3.2.11.2.2.1.10 Capability of Test and Calibration (IEEE 279, Paragraph 4.10)

All active components of the diesel fuel oil system can be tested during plant operation. Pumps can be tested by operating manual switches in the control room and observing indicating lights. Instrument setpoints are tested by simulated signals to verify the setpoints are within limits.

7.3.2.11.2.2.1.11 Channel Bypass or Removal from Operation (IEEE 279, Paragraph 4.11)

The diesel fuel oil system can be tested without channel bypass or removal from operation. Testing of transfer pumps will add oil to the day tank or will result in excess day tank fuel oil overflow returning to the storage tank.

7.3.2.11.2.2.1.12 Operating Bypasses (IEEE 279, Paragraph 4.12)

This requirement is not applicable to the diesel fuel oil system because no operating channel bypasses are provided.

7.3.2.11.2.2.1.13 Indication of Bypasses (IEEE 279, Paragraph 4.13)

When parts of the system have been deliberately made inoperative for test, calibration or maintenance, an indication of this condition is provided in the main control room.

7.3.2.11.2.2.1.14 Access to Means for Bypassing (IEEE 279, Paragraph 4.14)

Not applicable to the diesel fuel oil system.

7.3.2.11.2.2.1.15 Multiple Set Points (IEEE 279, Paragraph 4.15)

All set points are fixed. However, transmitter calibration changes may be periodically required due to change in fuel oil grades (changes in specific gravity) which effectively changes setpoints in units of gallons. Administrative controls are used whenever such a change is required.

7.3.2.7.2.2.1.16 Completion of Protection Action Once Initiated (IEEE 279, Paragraph 4.16)

The diesel fuel oil system will remain in continuous operation after system initiation unless manually terminated or the diesel generator stops and there is a high level in the day tank.
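Added example (not part of the USAR and not plant logic): a Python model of the transfer pump start and stop behavior described in Subsection 7.3.2.11.1 and in the paragraph above, showing the day tank low-level switch backing up a failed generator start signal and the pump latching on until the generator is stopped and the day tank is high. Tank levels, switch setpoints, flow rates and all names are constructed assumptions.

```python
from dataclasses import dataclass

# All numbers are constructed for illustration; this section of the report
# gives no tank volumes, switch setpoints or flow rates.
TANK_CAPACITY = 100.0  # day tank overflow point; excess returns to storage
HIGH_LEVEL = 95.0      # high-level switch
LOW_LEVEL = 40.0       # low-level switch (backup transfer pump start)
PUMP_FLOW = 3.0        # transfer pump delivery per time step
ENGINE_BURN = 2.0      # full-load consumption per time step (< PUMP_FLOW)


@dataclass
class FuelOilSubsystem:
    """One division: day tank, transfer pump and its start/stop logic."""
    level: float = 90.0
    pump_running: bool = False
    recirculated: float = 0.0

    def step(self, gen_running, gen_start_signal_ok=True,
             manual_start=False, manual_stop=False):
        low = self.level <= LOW_LEVEL
        high = self.level >= HIGH_LEVEL
        # Start paths: manual, low-level switch, or the generator start signal.
        if manual_start or low or (gen_running and gen_start_signal_ok):
            self.pump_running = True
        # Stop paths: manual, or generator stopped AND day tank high.
        if manual_stop or (not gen_running and high):
            self.pump_running = False
        if self.pump_running:
            self.level += PUMP_FLOW
        if gen_running:
            self.level = max(self.level - ENGINE_BURN, 0.0)
        # Oil beyond a full day tank is recirculated to the storage tank.
        if self.level > TANK_CAPACITY:
            self.recirculated += self.level - TANK_CAPACITY
            self.level = TANK_CAPACITY


def simulate(gen_steps, idle_steps, gen_start_signal_ok):
    """Run the generator for gen_steps, then leave it stopped for idle_steps."""
    s = FuelOilSubsystem()
    first_pump_start = None
    min_level = s.level
    for t in range(gen_steps + idle_steps):
        s.step(gen_running=t < gen_steps,
               gen_start_signal_ok=gen_start_signal_ok)
        if s.pump_running and first_pump_start is None:
            first_pump_start = t
        min_level = min(min_level, s.level)
    return {
        "first_pump_start": first_pump_start,
        "min_level": min_level,
        "final_level": s.level,
        "recirculated": s.recirculated,
        "pump_running": s.pump_running,
    }


if __name__ == "__main__":
    for label, args in [("start signal healthy", (100, 30, True)),
                        ("start signal failed", (100, 30, False)),
                        ("failed signal, short run", (30, 30, False))]:
        print(label, simulate(*args))
```

With the start signal failed, the day tank drains to the low-level setpoint before the level switch starts the pump, which is why the page ties that setpoint to the volume needed to start the generator.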

CPS/USAR CHAPTER 07 7.3-157 REV. 11, JANUARY 2005 7.3.2.11.2.2.1.17 Manual Actuation (IEEE 279, Paragraph 4.17)

Each diesel fuel oil subsystem can be initiated manually from the main control room.

7.3.2.11.2.2.1.18 Access to Set Point Adjustments, Calibration, and Test Point (IEEE 279, Paragraph 4.18)

Access to setpoint adjustments, calibration points and test points are under administrative control. 7.3.2.11.2.2.1.19 Identification of Protective Actions (IEEE 279, Paragraph 4.19)

Initiation of each diesel fuel oil subsystem is indicated in the main control room.

7.3.2.11.2.2.1.20 Information Read-Out (IEEE 279, Paragraph 4.20)

Meters located in the control room provide indication of process variables necessary for the proper operation of the diesel fuel oil system. Indicator lights actuated by pump controls provide pump status information. 7.3.2.11.2.2.1.21 System Repair (IEEE 279, Paragraph 4.21)

The system is designed to provide easy recognition of malfunctioning equipment through proper test procedures. Accessibility is provided for the sensors and controls to facilitate repair or adjustment.

7.3.2.11.2.2.1.22 Identification of Protection Systems (IEEE 279, Paragraph 4.22)

Nameplates identify the electrical separation division for each instrument panel or instrument or both.

7.3.2.11.2.2.2 Compliance to IEEE 338

The operability of the diesel fuel oil system can be verified, and credible failures are detectable through testing during normal plant operation. Each subsystem logic, through the final actuators, may be tested independent of the other subsystem. The input sensors and setpoints are checked by the application of simulated signals. A failure of a subsystem while testing will not prevent the other subsystems from being initiated.

7.3.2.11.2.2.3 Compliance to IEEE 379

See Subsection 7.3.2.11.2.2.1.2.

7.3.2.12 Diesel-Generator Room HVAC System - Instrumentation and Controls

7.3.2.12.1 Specific Conformance of the Instrumentation and Control to IEEE 279

7.3.2.12.1.1 General Functional Requirement (IEEE 279, Paragraph 4.1)

Instrumentation and controls are provided for each of the redundant diesel-generator room ventilation fans. The ventilation fans are interlocked to start up automatically upon the start of the respective diesel generator. The ventilation fans can also be started manually from the main control room. With the associated remote shutdown transfer switch in either the NORMAL or EMERGENCY position, the Division 1 ventilation fan will automatically start with initiation of the Division 1 diesel generator. A temperature switch installed in each diesel generator room will stop the respective fan if room temperature drops below a pre-determined setpoint and the diesel generator is not running.

7.3.2.12.1.2 Single Failure Criterion (IEEE 279, Paragraph 4.2)

Independent instrumentation and controls are provided for each of the three redundant ventilation fans. Single failure of the instrumentation and controls associated with one fan will not affect the safety-related function of the other two ventilation fans.

7.3.2.12.1.3 Quality of Components and Modules (IEEE 279, Paragraph 4.3)

Components used in the diesel-generator room HVAC have been carefully selected on the basis of suitability for the specific application. The logic relays have been selected with conservatism to ensure against significant deterioration during anticipated duty over the lifetime of the plant. A quality assurance program is required to be implemented and documented by equipment vendors with the intent of complying with the requirements set forth in 10 CFR 50, Appendix B.

7.3.2.12.1.4 Equipment Qualification (IEEE 279, Paragraph 4.4)

The nuclear safety related instrumentation and controls for the diesel generator ventilation fans are qualified by type test and/or analyses in conformance with the contract specification.

7.3.2.12.1.5 Channel Integrity (IEEE 279, Paragraph 4.5)

Instrumentation and controls for the diesel-generator HVAC system are qualified to maintain their functional capability under extreme conditions specified in the design environmental parameters.

7.3.2.12.1.6 Channel Independence (IEEE 279, Paragraph 4.6)

The diesel-generator room ventilation systems instrument and control channels are independent from each other. Electrical and physical separation is maintained between the instruments and controls provided for the redundant ventilation systems, and no interface exists between the control channels.

7.3.2.12.1.7 Control and Protection System Interaction (IEEE 279, Paragraph 4.7)

7.3.2.12.1.7.1 Classification of Equipment (IEEE 279, Paragraph 4.7.1)

The instruments and controls provided for the diesel-generator ventilation fans do not have any direct interaction with the control and the safeguard function for the diesel generators.

7.3.2.12.1.7.2 Isolation Devices, Single Random Failure and Multiple Failures Resulting from a Credible Single Event (Paragraphs 4.7.2, 4.7.3, 4.7.4)

Does not apply based on Subsection 7.3.2.12.1.7.1.

7.3.2.12.1.8 Derivation of System Input (IEEE 279, Paragraph 4.8)

The signals for essential instruments are direct measures of desired variable parameters.

7.3.2.12.1.9 Capability for Sensor Checks (IEEE 279, Paragraph 4.9)

The sensors which are used for input to the diesel-generator room HVAC system can be checked one at a time by application of simulated signals during normal plant operation.

7.3.2.12.1.10 Capability for Test and Calibration (IEEE 279, Paragraph 4.10)

The instruments and controls for the diesel-generator ventilation system are located such that they are accessible for periodic testing and calibration without affecting the safety function of the other associated instruments.

7.3.2.12.1.11 Channel Bypass or Removal from Operation (IEEE 279, Paragraph 4.11)

Removal from operation per design can be achieved from the pull-to-lock position on the control switch. Therefore this Paragraph does not apply.

7.3.2.12.1.12 Operating Bypass (IEEE 279, Paragraph 4.12)

The automatic start of the diesel generator room fans can be bypassed either by manual or pull-to-lock selection of the fan control switch.

7.3.2.12.1.13 Indication of Bypasses (IEEE 279, Paragraph 4.13)

The pull-to-lock control switch selection for each fan causes all corresponding indicating lights to go out.

7.3.2.12.1.14 Access to Means for Bypassing (IEEE 279, Paragraph 4.14)

The control switch for each fan is located on the main control benchboard and is under administrative control.

7.3.2.12.1.15 Multiple Set Points (IEEE 279, Paragraph 4.15)

The design of the diesel-generator room HVAC system control and instrumentation does not require provisions for multiple control setpoints.

7.3.2.12.1.16 Completion of Protective Action Once It Is Initiated (IEEE 279, Paragraph 4.16)

The operation of diesel-generator room ventilation fans does not require a protective action signal.

7.3.2.12.1.17 Manual Initiation (IEEE 279, Paragraph 4.17)

On the basis of Subsection 7.3.2.12.1.16, the requirement of this Paragraph does not apply.

7.3.2.12.1.18 Access to Set Point Adjustments, Calibrations and Test Points (IEEE 279, Paragraph 4.18)

Access to setpoint adjustments, calibrations, and test points is under administrative control.

7.3.2.12.1.19 Identification of Protective Action (IEEE 279, Paragraph 4.19)

This article does not apply since no protective action is required for the operation of diesel-generator room fans.

7.3.2.12.1.20 Information Read Out (IEEE 279, Paragraph 4.20)

Each diesel generator room is provided with local room temperature indicators. Ventilation fan status is indicated in the main control room.

7.3.2.12.1.21 System Repair (IEEE 279, Paragraph 4.21)

The diesel generator instrumentation and controls are located to facilitate the recognition, location, replacement, repair or adjustment of any malfunctioning instrument(s).

7.3.2.12.1.22 Identification (IEEE 279, Paragraph 4.22)

Nameplates identify the electrical separation division for each instrument panel or instrument or both. All interconnecting wires and cables are properly identified with tags.

7.3.2.12.2 Specific Conformance of the Instrumentation and Controls to General Criteria, 10 CFR 50 Appendix A

7.3.2.12.2.1 Criterion 13 - Instrumentation and Controls

Diesel generator ventilation fan instrumentation and controls for each system have been provided to monitor and maintain room temperature at a predetermined setpoint.

7.3.2.13 Shutdown Service Water Pump Room Ventilation System Instrumentation and Controls

7.3.2.13.1 Specific Conformance of the Instrumentation and Controls to IEEE-279

7.3.2.13.1.1 General Functional Requirements (IEEE 279, Paragraph 4.1)

Instruments and controls are provided to start each shutdown service water (SSW) pump room cooling system fan automatically when the respective SSW pump is started or the temperature in the pump room rises above the setpoint. Fans in Pump Rooms can be started and stopped manually through their respective control switches provided on the main control benchboard.

7.3.2.13.1.2 Single Failure Criterion (IEEE 279, Paragraph 4.2)

Independent instrumentation and controls are provided for each of the three redundant ventilation fans. Single failure of the instrumentation and controls associated with one fan will not affect the safety related function of the other two ventilation fans.

7.3.2.13.1.3 Quality of Components and Modules (IEEE 279, Paragraph 4.3)

Components used in the SSW pump room ventilation have been carefully selected on the basis of suitability for the specific application. The logic relays have been selected with conservatism to ensure against significant deterioration during anticipated duty over the lifetime of the plant. A quality assurance program is required to be implemented and documented by equipment vendors with the intent of complying with the requirements set forth in 10 CFR 50, Appendix B.

7.3.2.13.1.4 Equipment Qualification (IEEE 279, Paragraph 4.4)

The nuclear safety-related instrumentation and controls for the shutdown service water pump room ventilation fans are qualified by type test and/or analyses in conformance with the contract specification.

7.3.2.13.1.5 Channel Integrity (IEEE 279, Paragraph 4.5)

Instrumentation and controls for the SSW pump room system are qualified to maintain their functional capability under extreme conditions specified in the design environmental parameters.

7.3.2.13.1.6 Channel Independence (IEEE 279, Paragraph 4.6)

The SSW pump room ventilation systems instrument and control channels are independent from each other. Electrical and physical separation is maintained between the instruments and controls provided for the redundant ventilation systems, and no interface exists between the control channels.

7.3.2.13.1.7 Control and Protection System Interaction (IEEE 279, Paragraph 4.7)

7.3.2.13.1.7.1 Classification of Equipment (IEEE 279, Paragraph 4.7.1)

The instruments and controls provided for the SSW pump room ventilation fans do not have any direct interaction with the control and the function of the SSW pumps.

7.3.2.13.1.7.2 Isolation Devices, Single Random Failure and Multiple Failures Resulting from a Credible Single Event (Paragraphs 4.7.2, 4.7.3, 4.7.4 of IEEE-279)

Does not apply based on Subsection 7.3.2.13.1.7.1.

7.3.2.13.1.8 Derivation of System Input (IEEE 279, Paragraph 4.8)

The signals for essential instruments are direct measures of desired variable parameters.

7.3.2.13.1.9 Capability for Sensor Checks (IEEE 279, Paragraph 4.9)

The sensors which are used for input to the SSW pump room ventilation system can be checked one at a time by application of simulated signals during normal plant operation.

7.3.2.13.1.10 Capability for Test and Calibration (IEEE 279, Paragraph 4.10)

The instruments, controls, and devices for the SSW pump room ventilation system are located such that they are accessible for periodic testing and calibration without affecting the safety function of the other related instruments.

7.3.2.13.1.11 Channel Bypass or Removal from Operation (IEEE 279, Paragraph 4.11)

This Paragraph does not apply.

7.3.2.13.1.12 Operating Bypass (IEEE 279, Paragraph 4.12)

The automatic start of the SSW pump room fans can be bypassed either by the manual or pull-to-lock selection of the fan control switch.

7.3.2.13.1.13 Indication of Bypasses (IEEE 279, Paragraph 4.13)

The pull-to-lock control switch selection for each fan causes an annunciator and an indicating light in the main control room to activate.

7.3.2.13.1.14 Access to Means for Bypassing (IEEE 279, Paragraph 4.14)

The control switch for each fan is located on the main control benchboard and is under administrative control.

7.3.2.13.1.15 Multiple Set Points (IEEE 279, Paragraph 4.15)

The design of the SSW pump room ventilation control and instrumentation does not require provisions for multiple control setpoints.

7.3.2.13.1.16 Completion of Protective Action Once It Is Initiated (IEEE 279, Paragraph 4.16)

The operation of SSW pump room ventilation fans does not require a protective action signal.

7.3.2.13.1.17 Manual Initiation (IEEE 279, Paragraph 4.17)

On the basis of Subsection 7.3.2.13.1.16, the requirement of this Paragraph does not apply.

7.3.2.13.1.18 Access to Set Point Adjustments, Calibrations and Test Points (IEEE 279, Paragraph 4.18)

Access to setpoint adjustments, calibrations, and test points is under administrative control.

7.3.2.13.1.19 Identification of Protective Action (IEEE 279, Paragraph 4.19)

This article does not apply since no protective action is required for the operation of SSW pump room fans.

7.3.2.13.1.20 Information Readout (IEEE 279, Paragraph 4.20)

Ventilation fan status is indicated in the main control room. Each SSW water pump room is provided with local room temperature indicators.

7.3.2.13.1.21 System Repair (IEEE 279, Paragraph 4.21)

The SSW pump room instrumentation and controls are located to facilitate the recognition, location, replacement, repair or adjustment of any malfunctioning instrument(s).

7.3.2.13.1.22 Identification (IEEE 279, Paragraph 4.22)

Nameplates identify the electrical separation division for each instrument panel or instrument or both. All interconnecting wires and cables are properly identified with tags.

7.3.2.13.2 Specific Conformance of the Instrumentation and Controls to General Criteria, 10 CFR 50 Appendix A

7.3.2.13.2.1 Criterion 13 - Instrumentation and Controls

SSW pump room ventilation instrumentation and controls for each system have been provided to monitor and maintain room temperature at a predetermined setpoint.

7.3.2.14 Essential Switchgear Heat Removal HVAC System Instrumentation and Controls

7.3.2.14.1 Specific Conformance of the Instrumentation and Controls to IEEE-279

7.3.2.14.1.1 General Functional Requirements (IEEE 279, Paragraph 4.1)

Instruments and controls are provided to start and stop the ventilation fans for the switchgear heat removal system to maintain switchgear room temperature between the high and low setpoints. Each switchgear room is provided with one nuclear safety-related and one non-safety-related heat removal coil cabinet and a fan unit. The safety-related fan can be started and stopped manually through a control switch provided in the main control room. When the control switch is placed in the AUTO position, the fan is interlocked with the room thermostat to start automatically when the room temperature rises above the high setpoint and to stop automatically when the room temperature drops below the reset value. The chilled water runs through the cooling coil without control at all times. The non-safety related fan can be started and stopped manually through a control switch located on the MCB. The fan will stop automatically when the safety-related fan starts. A temperature transmitter sensing the room temperature modulates the chilled water valve through a temperature controller to maintain the room temperature at a predetermined setpoint.

7.3.2.14.1.2 Single Failure Criterion (IEEE 279, Paragraph 4.2)

Independent instrumentation and controls are provided for each of the three redundant ventilation fans. Single failure of the instrumentation and controls associated with one fan will not affect the safety-related function of the other two ventilation fans.

7.3.2.14.1.3 Quality of Components and Modules (IEEE 279, Paragraph 4.3)

Components used in the essential switchgear heat removal HVAC system have been carefully selected on the basis of suitability for the specific application. The logic relays have been selected with conservatism to ensure against significant deterioration during anticipated duty over the lifetime of the plant. A quality assurance program is required to be implemented and documented by equipment vendors with the intent of complying with the requirements set forth in 10 CFR 50, Appendix B.

7.3.2.14.1.4 Equipment Qualification (IEEE 279, Paragraph 4.4)

The nuclear safety-related instrumentation and controls for the switchgear heat removal ventilation fans are qualified by type test and/or analyses in conformance with the contract specification.

7.3.2.14.1.5 Channel Integrity (IEEE 279, Paragraph 4.5)

Instrumentation and controls for the switchgear heat removal HVAC system are qualified to maintain their functional capability under extreme conditions specified in the design environmental parameters.

7.3.2.14.1.6 Channel Independence (IEEE 279, Paragraph 4.6)

The switchgear heat removal room ventilation systems instrument and control channels are independent from each other. Electrical and physical separation is maintained between the instruments and controls provided for the redundant ventilation systems, and no interface exists between the control channels.

7.3.2.14.1.7 Control and Protection System Interaction (IEEE 279, Paragraph 4.7)

7.3.2.14.1.7.1 Classification of Equipment (IEEE 279, Paragraph 4.7.1)

The instruments and controls provided for the switchgear heat removal ventilation fans do not have any direct interaction with the control and the protective function of the essential switchgear.

7.3.2.14.1.7.2 Isolation Devices, Single Random Failure and Multiple Failures Resulting from a Credible Single Event (Paragraphs 4.7.2, 4.7.3, 4.7.4 of IEEE-279)

Does not apply based on Subsection 7.3.2.12.1.7

7.3.2.14.1.8 Derivation of System Input (IEEE 279, Paragraph 4.8)

The signals for essential instruments are direct measures of desired variable parameters.

7.3.2.14.1.9 Capability for Sensor Checks (IEEE 279, Paragraph 4.9)

The sensors which are used for input to the essential switchgear heat removal HVAC system can be checked one at a time by application of simulated signals during normal plant operation.

7.3.2.14.1.10 Capability for Test and Calibration (IEEE 279, Paragraph 4.10)

The instruments and controls for the switchgear heat removal ventilation system are located such that they are accessible for periodic testing and calibration without affecting the safety function of the other related instruments.

7.3.2.14.1.11 Channel Bypass or Removal from Operation (IEEE 279, Paragraph 4.11)

This Paragraph does not apply.

7.3.2.14.1.12 Operating Bypass (IEEE 279, Paragraph 4.12)

The automatic start of the switchgear heat removal room fans can be bypassed either by the manual or pull-to-lock selection of the fan control switch.

7.3.2.14.1.13 Indication of Bypasses (IEEE 279, Paragraph 4.13)

The pull-to-lock control switch selection for each fan causes an annunciator and an indicating light in the main control room to activate.

7.3.2.14.1.14 Access to Means for Bypassing (IEEE 279, Paragraph 4.14)

The control switch for each fan is located on the main control benchboard and is under administrative control.

7.3.2.14.1.15 Multiple Set Points (IEEE 279, Paragraph 4.15)

The design of the essential switchgear heat removal HVAC system control and instrumentation does not require provisions for multiple control setpoints.

7.3.2.14.1.16 Completion of Protective Action Once It Is Initiated (IEEE 279, Paragraph 4.16)

The operation of essential switchgear heat removal HVAC system ventilation fans does not require a protective action signal.

7.3.2.14.1.17 Manual Initiation (IEEE 279, Paragraph 4.17)

On the basis of Subsection 7.3.2.14.1.16, the requirement of this Paragraph does not apply.

7.3.2.14.1.18 Access to Set Point Adjustments, Calibrations, and Test Points (IEEE 279, Paragraph 4.18)

Access to setpoint adjustments, calibrations, and test points is under administrative control.

7.3.2.14.1.19 Identification of Protective Actions (IEEE 279, Paragraph 4.19)

This article does not apply since no protective action is required for the operation of switchgear heat removal room fans.

7.3.2.14.1.20 Information Read Out (IEEE 279, Paragraph 4.20)

Ventilation fan status is indicated in the main control room. Each switchgear heat removal room is provided with local room temperature indicators.

7.3.2.14.1.21 System Repair (IEEE 279, Paragraph 4.21)

The switchgear heat removal HVAC system instrumentation and controls are located to facilitate the recognition, location, replacement, repair, or adjustment of any malfunctioning instrument(s).

7.3.2.14.1.22 Identification (IEEE 279, Paragraph 4.22)

Nameplates identify the electrical separation division for each instrument panel or instrument or both. All interconnecting wires and cables are properly identified with tags.

7.3.2.14.2 Specific Conformance of the Instrumentation and Controls to General Criteria, 10 CFR 50 Appendix A

7.3.2.14.2.1 Criterion 13 - Instrumentation and Controls

Essential switchgear heat removal ventilation instrumentation and controls for each system have been provided to monitor and maintain room temperature at a predetermined setpoint.

7.3.2.15 ECCS Equipment Room HVAC System - Instrumentation and Controls

7.3.2.15.1 Specific Conformance of the Instrumentation and Controls to IEEE-279

7.3.2.15.1.1 General Functional Requirement (IEEE 279, Paragraph 4.1)

Instruments and controls are provided to automatically start the LPCS, RCIC, and RHR pump room HVAC fans when the respective ECCS equipment is started, or the ambient temperature in the cubicle rises above the high setpoint. The RHR heat exchanger room fans are operated automatically only with ambient temperature, while HPCS, MSIV Inboard and MSIV Outboard room fans are operated automatically only with operation of the respective ECCS equipment. Control switches for each fan are located on the main control room benchboard except for the MSIV Inboard and MSIV Outboard room fan control switches which are located on a local panel.

7.3.2.15.1.2 Single Failure Criterion (IEEE 279, Paragraph 4.2)

Independent instrumentation and controls are provided for each of the redundant ventilation fans. Single failure of the instrumentation and controls associated with one fan will not affect the safety related function of the other ventilation fans.

7.3.2.15.1.3 Quality of Components and Modules (IEEE 279, Paragraph 4.3)

Components used in the ECCS equipment room HVAC system have been carefully selected on the basis of suitability for the specific application. The logic relays have been selected with conservatism to ensure against significant deterioration during anticipated duty over the lifetime of the plant. A quality assurance program is required to be implemented and documented by equipment vendors with the intent of complying with the requirements set forth in 10 CFR 50, Appendix B.

7.3.2.15.1.4 Equipment Qualification (IEEE 279, Paragraph 4.4)

The nuclear safety-related instrumentation and controls for the ECCS equipment room ventilation fans are qualified by type test and/or analyses in conformance with the contract specification.

7.3.2.15.1.5 Channel Integrity (IEEE 279, Paragraph 4.5)

Instrumentation and controls for the ECCS equipment room ventilation system are qualified to maintain their functional capability under extreme conditions specified in the design environmental parameters.

7.3.2.15.1.6 Channel Independence (IEEE 279, Paragraph 4.6)

The ECCS equipment room ventilation systems instrument and control channels are independent from each other. Electrical and physical separation is maintained between the instruments and controls provided for the redundant ventilation systems, and no interface exists between the control channels.

7.3.2.15.1.7 Control and Protection System Interaction (IEEE 279, Paragraph 4.7)

7.3.2.15.1.7.1 Classification of Equipment (IEEE 279, Paragraph 4.7.1)

The instruments and controls provided for the ECCS equipment room ventilation fans do not have any direct interaction with the control and the function of the ECCS.

7.3.2.15.1.7.2 Isolation Devices, Single Random Failure and Multiple Failures Resulting from a Credible Single Event (Paragraphs 4.7.2, 4.7.3, 4.7.4 of IEEE-279)

Does not apply based on Subsection 7.3.2.15.1.7.1.

7.3.2.15.1.8 Derivation of System Input (IEEE 279, Paragraph 4.8)

The signals for essential instruments are direct measures of desired variable parameters.

7.3.2.15.1.9 Capability for Sensor Checks (IEEE 279, Paragraph 4.9)

The sensors which are used for input to the ECCS equipment room HVAC can be checked one at a time by application of simulated signals during normal plant operation.

7.3.2.15.1.10 Capability for Test and Calibration (IEEE 279, Paragraph 4.10)

The instruments and controls for the ECCS equipment room ventilation system are located such that they are accessible for periodic testing and calibration without affecting the safety function of the other related instruments.

7.3.2.15.1.11 Channel Bypass or Removal from Operation (IEEE 279, Paragraph 4.11)

This Paragraph does not apply.

7.3.2.15.1.12 Operating Bypass (IEEE 279, Paragraph 4.12)

This Paragraph does not apply.

7.3.2.15.1.13 Indication of Bypasses (IEEE 279, Paragraph 4.13)

This Paragraph does not apply.

7.3.2.15.1.14 Access to Means for Bypassing (IEEE 279, Paragraph 4.14)

This Paragraph does not apply.

7.3.2.15.1.15 Multiple Set Points (IEEE 279, Paragraph 4.15)

The design of the ECCS equipment room control and instrumentation does not require provisions for multiple control setpoints.

7.3.2.15.1.16 Completion of Protective Action Once It Is Initiated (IEEE 279, Paragraph 4.16)

The operation of ECCS equipment room ventilation fans does not require a protective action signal.

7.3.2.15.1.17 Manual Initiation (IEEE 279, Paragraph 4.17)

On the basis of Subsection 7.3.2.15.1.16, the requirement of this Paragraph does not apply.

7.3.2.15.1.18 Access to Set Point Adjustments, Calibrations, and Test Points (IEEE 279 Paragraph 4.18)

Access to setpoint adjustments, calibrations, and test points is under administrative control.

7.3.2.15.1.19 Identification of Protective Actions (IEEE 279 Paragraph 4.19)

This article does not apply since no protective action is required for the operation of ECCS equipment room fans.

7.3.2.15.1.20 Information Read Out (IEEE 279 Paragraph 4.20)

Except for the MSIV Inboard and Outboard rooms, ventilation fan status is provided in the control room. The MSIV room fans are indicated locally with off normal status provided in the control room. Temperature of each ECCS Equipment room is available in the main control room. Each room except the HPCS, MSIV Inboard and MSIV Outboard rooms is provided with local room temperature indication.

7.3.2.15.1.21 System Repair (IEEE 279 Paragraph 4.21)

The ECCS equipment ventilation instrumentation and controls are located to facilitate the recognition, location, replacement, repair, or adjustment of any malfunctioning instrument(s).

7.3.2.15.1.22 Identification (IEEE 279 Paragraph 4.22)

Nameplates identify the electrical separation division for each instrument panel or instrument or both. All interconnecting wires and cables are properly identified with tags.

7.3.2.15.2 Specific Conformance of the Instrumentation and Controls to General Criteria, 10 CFR 50 Appendix A

7.3.2.15.2.1 Criterion 13 - Instrumentation and Controls

ECCS equipment room ventilation instrumentation and controls have been provided to monitor and maintain room temperature within design limits.

7.3.2.16 Additional Design Considerations Analyses

7.3.2.16.1 General Plant Safety Analysis

The examination of the subject ESF system at the plant safety analyses level is presented in Chapter 15 and Appendix 15A.

7.3.2.16.2 Loss of Plant Instrument Air System

Loss of plant instrument air will not negate the subject ESF system safety functions. Refer to Appendix 15A.

7.3.2.16.3 Loss of Cooling Water to Vital Equipment

Loss of cooling water to ECCS, containment and reactor vessel isolation systems and other systems described in this Section when subject to Single Active Component Failure (SACF) or Single Operator Error (SOE) will not result in the loss of sufficient ESF system to negate their safety function. Refer to Appendix 15A.

7.3.2.17 Suppression Pool Cooling (SPC) Mode (RHR) Instrumentation and Controls

7.3.2.17.1 General Functional Requirements Conformance

The suppression pool cooling mode of the RHR system is designed to limit the water temperature in the suppression pool such that the temperature immediately after a blowdown does not exceed the established limit when reactor pressure is above the limit for cold shutdown. During this mode of operation, water is pumped from the suppression pool, through the RHR system heat exchangers, and back to the suppression pool. Thus, the SPC (RHR) maintains the suppression pool as a heat sink for reactor and containment blowdown and source of water for ECCS and containment spray and shutdown cooling.

7.3.2.17.2 Specific Regulatory Requirements Conformance

7.3.2.17.2.1 NRC Regulatory Guides

7.3.2.17.2.1.1 Regulatory Guides 1.6, 1.11, 1.22, 1.29, 1.30, 1.32, 1.47, 1.53, 1.62, 1.63, 1.75, 1.89, 1.97, 1.105, and 1.118

Refer to Subsection 7.3.2.1.2.1; the discussion of conformance to these guides applies to the suppression pool cooling mode (RHR).

7.3.2.17.2.1.2 Regulatory Guide 1.100

All Class 1E equipment will meet the requirements of IEEE Standard 344 and will be environmentally qualified in conformance with Regulatory Guide 1.89, as discussed in Subsections 3.10 and 3.11. All applicable equipment will also be qualified subject to the supplementary requirements of Regulatory Guide 1.100. This provides an adequate basis for complying with the requirements of Regulatory Guide 1.100.

7.3.2.17.2.2 10 CFR 50, Appendix A

7.3.2.17.2.2.1 General Design Criteria 5, 13, 19, 21, 22, 24, 35, 37

Refer to Subsection 7.3.2.1.2.2. The discussion of these criteria applies to the suppression pool cooling mode of RHR.

7.3.2.17.3 Conformance to Industry Codes and Standards

7.3.2.17.3.1 IEEE Standard 279, Criteria for Protection Systems for Nuclear Power Generating Stations

7.3.2.17.3.1.1 General Functional Requirements (IEEE 279, Paragraph 4.1)

7.3.2.17.3.1.1.1 Auto-Initiation

The suppression pool cooling mode of the RHR system has no auto-initiation feature, but is manually initiated from the main control room. Proper and timely system operation is assured with manual initiation, because sufficient time and information is available to the operator.

Monitored parameters indicating satisfactory system performance or which would indicate operator error include fluid temperatures, flow, pressure, and valve positions.

7.3.2.17.3.1.1.2 Appropriate Protective Action

The suppression pool cooling instrumentation and controls are used to initiate cooling flow to maintain suppression pool temperatures within established limits.

7.3.2.17.3.1.1.3 Precision

Since suppression pool cooling is manually initiated based on one or more parameters, precision does not strictly apply to this system's control circuitry.

7.3.2.17.3.1.1.4 Reliability

Reliability of the control system is compatible with controlled equipment.

7.3.2.17.3.1.1.5 Performance Under Adverse Conditions

(1) Power Supply Voltage and Frequency An electrical fault in one division cannot impair proper suppression pool cooling system operation due to the redundant control circuits, each being supplied by different power sources.

(2) Temperature The suppression pool cooling system is designed to function properly in the high temperature environment expected during the design basis loss-of-coolant accident (LOCA).

(3) Humidity The system is designed to function properly in the high humidity (steam) environment expected during the design basis LOCA.

(4) Pressure The system is designed to function properly in the full range of pressures expected during the design basis LOCA.

(5) Vibration Tolerance to environmentally-induced vibration (earthquake, wind) is discussed in Section 3.10. (6) Accidents The system is tolerant to any design basis accident.

(7) Fire The system is tolerant to a fire in a single division raceway or enclosure.

(8) Explosions Explosions are not defined in the design basis.

(9) Missiles The system is tolerant of any single missile destroying no more than one pipe, raceway, or electrical enclosure.

(10) Lightning The system is tolerant of lightning damage to one auxiliary ac bus.

(11) Flood All instrumentation and controls are located above flood level or are protected from flood damage.

(12) Earthquake All control equipment is housed in a Seismic Class I structure. Tolerance to earthquake damage is discussed in Section 3.10.

(13) Wind and Tornado Tolerance to wind and tornado is discussed in Subsection 7.3.1.2.8.

(14) System Response Time Response time of the circuitry associated with suppression pool cooling is not critical to plant safety, but is adequate to enable timely operator action. Control circuit time response and valve operation speed in excess of the manufacturer's standard speed is not required because the speed of operation has an insignificant effect on proper and timely system operation.

(15) System Accuracies The discussion in 7.3.2.17.3.1.1.3 above applies.

(16) Ranges of Monitored Parameters Instrument sensors and processing equipment are capable of displaying the full ranges of parameters expected during the design basis LOCA.

7.3.2.17.3.1.2 Single Failure Criterion (IEEE 279, Paragraph 4.2)

7.3.2.17.3.1.2.1 Redundancy

Two independent fluid systems are provided, each with the capacity for removing the total design heat load. Two division logic networks are provided: Division 1 logic initiates loop A equipment and Division 2 logic initiates loop B equipment. Redundancy in equipment and control logic circuitry is provided so that a single failure will not interfere with proper operation of the redundant portions of the system.

7.3.2.17.3.1.2.2 System Performance with Single Failure

Assuming that, in a design basis accident, equipment failures caused by the accident occur simultaneously with the failure of all nonsafety grade and non-qualified equipment, the additional failure of any remaining single component will not impair system operation.
Also, system design and testing procedures eliminate the possibility of undetected failures impairing system function. Instrumentation sensors, trip logic, actuator logic circuitry, and actuated equipment are designed such that the system is tolerant to single failures.

7.3.2.17.3.1.3 Quality of Components (IEEE 279, Paragraph 4.3)

Components used in the suppression pool cooling mode (RHR) have been carefully selected for their specific applications. Ratings have sufficient conservatism to prevent significant deterioration during expected duty over the lifetime of the plant, as illustrated below:

(1) Switch contacts and other logic elements carry no more than 50% of their continuous duty rating.

(2) Controls are "energized to operate" and have infrequent duty cycles.

(3) Motor starters and circuit breakers are effectively derated for motor-starting applications since their nameplate ratings are based on short circuit interruption capabilities and on continuous current-carrying capabilities.

(4) Normal motor starting equipment ratings include allowance for a much greater number of operating cycles than the application will demand, including testing.

(5) Instrumentation and controls are rated for application in the normal, abnormal, and accident environments in which they are located.

(6) These components are subjected to the manufacturer's normal quality control and undergo functional testing on the panel assembly floor as part of the integrated module test prior to shipment of each panel.

Only components which have demonstrated a high degree of reliability and serviceability in other functionally similar applications, or which have been qualified by testing, are selected for use. Additionally, equipment vendors are required to implement and document a quality control and assurance program in accordance with the requirements of 10CFR50, Appendix B. There are no specific criteria to evaluate conformance with this criterion; however, the intent of the criteria is satisfied.

7.3.2.17.3.1.4 Equipment Qualification (IEEE 279, Paragraph 4.4)

Components of the suppression pool cooling system instrumentation have undergone qualification testing to evaluate their suitability for reliable service in their installed locations, or have demonstrated reliable operation in similar nuclear power plant installations and industrial applications (see Subsection 3.11). No component of the control system is required to operate in the drywell environment. Sensory equipment is located outside the drywell and is capable of accurate operation in wide variations of environmental conditions.

7.3.2.17.3.1.5 Channel Integrity (IEEE 279, Paragraph 4.5)

The suppression pool cooling system instrumentation and controls are designed to remain operable under extreme environmental conditions. This is discussed in detail in 7.3.2.17.3.1.1 above. 7.3.2.17.3.1.6 Channel Independence (IEEE 279, Paragraph 4.6)

Channel independence is maintained for all suppression pool cooling control circuitry.

7.3.2.17.3.1.7 Control and Protection System Interaction (IEEE 279, Paragraph 4.7)

The suppression pool cooling mode (SPC) is a safety system and is independent of plant control systems. The requirements of this Paragraph are not applicable. 7.3.2.17.3.1.8 Derivation of System Inputs (IEEE 279, Paragraph 4.8)

The inputs to the interlock circuit for suppression pool cooling flow control are the same as those used in LPCS and LPCI (see Subsections 7.3.1.1.1.5 and 7.3.1.1.1.6). 7.3.2.17.3.1.9 Capability for Sensor Checks (IEEE 279, Paragraph 4.9)

Checks on sensors used in the interlock circuit are discussed in Subsection 7.3.2.1.2.3.1.9. Trip units mounted in the control structure are calibrated separately by introducing a calibration source and verifying the setpoint through the use of a digital readout on the trip calibration module.

7.3.2.17.3.1.10 Capability for Test and Calibration (IEEE 279, Paragraph 4.10)

The suppression pool cooling mode can be tested completely during normal plant operation to verify that each element of the system, active or passive, is capable of performing its intended function. Motor-operated valves can be exercised by the appropriate control logic and starters, and all indications and annunciations can be observed during the test. 7.3.2.17.3.1.11 Channel Bypass or Removal from Operation (IEEE 279, Paragraph 4.11)

Calibration of each sensor will introduce a single instrument channel trip. This does not cause a protective function. Removal of a sensor from operation during calibration does not prevent the redundant instrument channel from functioning if accident conditions occur. By design, the period during which an instrument channel is removed from service for calibration is brief. 7.3.2.17.3.1.12 Operating Bypasses (IEEE 279, Paragraph 4.12)

The suppression pool cooling control system has no operating bypasses; thus, the requirements of these Paragraphs are not applicable. 7.3.2.17.3.1.13 Indication of Bypasses (IEEE 279, Paragraph 4.13)

The suppression pool cooling control system has no operating bypasses; thus, the requirements of these Paragraphs are not applicable.

7.3.2.17.3.1.14 Access to Means for Bypassing (IEEE 279, Paragraph 4.14)

Since there are no bypasses, this criterion is not strictly applicable. However, means of disabling instrumentation and controls is controlled as follows: (1) Access to instrument valves is controlled administratively. (2) Emergency switchgear rooms are lockable. 7.3.2.17.3.1.15 Multiple Setpoints (IEEE 279, Paragraph 4.15)

There are no multiple trip settings.

7.3.2.17.3.1.16 Completion of Protective Action Once Initiated (IEEE 279, Paragraph 4.16)

The final control elements for the suppression pool cooling system are essentially bi-stable; for example, motor-operated valves stay open once they have reached their open position even after the motor starter drops out. Thus, once initiated an action will go to completion. 7.3.2.17.3.1.17 Manual Initiation (IEEE 279, Paragraph 4.17)

Suppression pool cooling is manually-initiated.

7.3.2.17.3.1.18 Access to Setpoint Adjustments (IEEE 279, Paragraph 4.18)

The suppression pool cooling system is manually initiated and secured. The only setpoints are those associated with LPCS and LPCI initiation (see Subsection 7.3.2.1.2.3.1.18). 7.3.2.17.3.1.19 Identification of Protective Actions (IEEE 279, Paragraph 4.19)

The suppression pool cooling system is manually initiated and secured. The only protective actions are those associated with LPCS and LPCI as discussed in Subsection 7.3.2.1.2.3.1.19. 7.3.2.17.3.1.20 Information Readout (IEEE 279, Paragraph 4.20)

Continuous-reading indications are provided to enable the operator to verify proper system operation. The design minimizes the possibility of confusion due to erroneous indications. 7.3.2.17.3.1.21 System Repair (IEEE 279, Paragraph 4.21)

The suppression pool cooling system is designed for efficient maintainability. Easy recognition of malfunctioning equipment is provided through proper test procedures. Accessibility is provided for the sensors and controls to facilitate repair or adjustment. 7.3.2.17.3.1.22 Identification (IEEE 279, Paragraph 4.22)

Colored nameplates identify each logic cabinet and instrument panel that is part of the suppression pool cooling mode (RHR) system. The nameplates also indicate the division to which each panel or cabinet is assigned. Panels in the main control room are identified by tags which indicate the system and logic contained therein. Identification of safety related equipment is discussed in Subsection 8.3.1.3.

7.3.2.17.3.2 IEEE Standard 308

Class 1E electrical loads in the suppression pool cooling (RHR) instrumentation and control system are physically separated and electrically isolated into independent load groups. A failure in one group will not interfere with proper operation of the redundant portions of the systems. Details of the Class 1E power system are discussed in Chapter 8.

7.3.2.17.3.3 IEEE Standard 323

Refer to Subsection 3.11 for a discussion of system compliance to this standard.

7.3.2.17.3.4 IEEE Standard 338

The capability for testing the suppression pool cooling instrumentation and control system is discussed in Subsections 7.3.2.17.3.1.9 and 7.3.2.17.3.1.10.

7.3.2.17.3.5 IEEE Standard 344

Refer to Section 3.10 for a discussion of system compliance to this standard.

7.3.2.18 CGCS Equipment Cubicle Cooling System 7.3.2.18.1 Conformance with General Functional Requirements General Functional Requirements for the CGCS Equipment Cubicle Cooling System are discussed in Subsection 9.4.5.5. 7.3.2.18.2 Conformance with Specific Regulatory Requirements 7.3.2.18.2.1 Conformance with 10 CFR 50 General Design Criteria General Design Criteria, established in Appendix A of 10 CFR 50, which are generally applicable to all ESF systems, are discussed in Subsection 7.1.2.7. Those with specific impact on the CGCS Equipment Cubicle Cooling System are described in this section.

Criterion 13: Instrumentation and Control

CGCS Equipment Cubicle Cooling System instrumentation and controls for each train have been provided to monitor and maintain room temperature below a predetermined value.

7.3.2.18.2.2 Conformance to IEEE Standard 279

The CGCS Equipment Cubicle Cooling System is designed to conform to the requirements of Section 4 of IEEE Standard 279, Criteria for Protection Systems for Nuclear Power Generating Stations, as described below.

7.3.2.18.2.2.1 General Functional Requirements (IEEE 279, Paragraph 4.1)

Instrumentation and controls are provided for each of the redundant CGCS Equipment Cubicle Cooling System trains. The trains are interlocked to start up automatically upon the start of the respective CGCS equipment. The trains can also be started manually from the local control panel.

7.3.2.18.2.2.2 Single Failure Criterion (IEEE 279, Paragraph 4.2)

Independent instrumentation and controls are provided for each train. Single failure of the instrumentation and controls associated with one train will not affect the safety-related function of the other train.

7.3.2.18.2.2.3 Quality of Components and Modules (IEEE 279, Paragraph 4.3)

Components used in the CGCS Equipment Cubicle Cooling System have been carefully selected on the basis of suitability for the specific application. A quality assurance program is required to be implemented and documented by equipment vendors with the intent of complying with the requirements set forth in 10 CFR 50, Appendix B. 7.3.2.18.2.2.4 Equipment Qualification (IEEE 279, Paragraph 4.4)

The nuclear safety-related instrumentation and controls for the CGCS Equipment Cubicle Cooling System are qualified by type test and/or analyses to meet the performance requirements. 7.3.2.18.2.2.5 Channel Integrity (IEEE 279, Paragraph 4.5)

Instrumentation and controls for the CGCS Equipment Cubicle Cooling System are qualified to maintain their functional capability under extreme conditions specified in the design environmental parameters. Loss or damage to any one channel will not prevent the action of the redundant channel. 7.3.2.18.2.2.6 Channel Independence (IEEE 279, Paragraph 4.6)

The CGCS Equipment Cubicle System instrument and control channels are independent from each other. Electrical and mechanical separation is maintained between the instrumentation and controls of the redundant trains, and no interface exists between the control channels. 7.3.2.18.2.2.7 Control and Protection System Interaction (IEEE 279, Paragraph 4.7)

Instruments and controls for the CGCS Equipment Cubicle Cooling System provide only control function. There is no interaction with the protection system. 7.3.2.18.2.2.8 Derivation of System Inputs (IEEE 279, Paragraph 4.8)

The signals which are used for input to the CGCS Equipment Cubicle Cooling System are direct measures of desired variable parameters. 7.3.2.18.2.2.9 Capability for Sensor Checks (IEEE 279, Paragraph 4.9)

The sensors which are used for input to the CGCS Equipment Cubicle Cooling System can be checked one at a time by application of simulated signals during normal plant operation.

7.3.2.18.2.2.10 Capability for Test and Calibration (IEEE 279, Paragraph 4.10)

The instruments and controls for the CGCS Equipment Cubicle Cooling System are located such that they are accessible for periodic testing and calibration during normal plant operation or shutdown.

7.3.2.18.2.2.11 Channel Bypass or Removal from Operation (IEEE 279, Paragraph 4.11)

Either train may be shut down for maintenance, test or calibration by placing the control switch in the pull-to-lock position without affecting the operation of the other train. 7.3.2.18.2.2.12 Operating Bypasses (IEEE 279, Paragraph 4.12)

The automatic start of the CGCS Equipment Cubicle Cooling System can be bypassed by pull-to-lock selection of the train control switch. 7.3.2.18.2.2.13 Indication of Bypasses (IEEE 279, Paragraph 4.13)

The pull-to-lock control switch selection for each train causes all corresponding indicating lights to go out.

7.3.2.18.2.2.14 Access to Means for Bypassing (IEEE 279, Paragraph 4.14)

The control switch for each fan is located on local control panels and is under administrative control.

7.3.2.18.2.2.15 Multiple Setpoints (IEEE 279, Paragraph 4.15)

This does not apply because the setpoints are fixed and administratively controlled. 7.3.2.18.2.2.16 Completion of Protective Action Once it is Initiated (IEEE 279, Paragraph 4.16)

There are no protective interlocks in the system.

7.3.2.18.2.2.17 Manual Initiation (IEEE 279, Paragraph 4.17)

The system is capable of being initiated manually, on the train level, from the local control panel. 7.3.2.18.2.2.18 Access to Setpoint Adjustments, Calibration, and Test Points (IEEE 279, Paragraph 4.18)

Access to setpoint adjustments, calibrations, and test points is under administrative control.

7.3.2.18.2.2.19 Identification of Protective Actions (IEEE 279, Paragraph 4.19)

Not applicable based on Subsection 7.3.2.18.2.2.16. 7.3.2.18.2.2.20 Information Readout (IEEE 279, Paragraph 4.20)

Each train is provided with local panel indicating lights and alarms showing the fan status. Fan-coil unit differential pressure is provided locally.

7.3.2.18.2.2.21 System Repair (IEEE 279, Paragraph 4.21)

The CGCS Equipment Cubicle Cooling System instrumentation and controls are located to facilitate the recognition, location, replacement, repair, or adjustment of any malfunctioning instrument(s).

7.3.2.18.2.2.22 Identification (IEEE 279, Paragraph 4.22)

Nameplates identify the electrical separation division for each instrument panel or instrument or both. All interconnecting wires and cables are properly identified with tags.

7.3.2.19 Reactor Core Isolation Cooling System

This system is discussed in Section 7.4.2.1.

7.3.2.20 Feedwater Leakage Control Mode (RHR) - Instrumentation and Controls

7.3.2.20.1 General Functional Requirement Conformance

Initiation of the FWLC diverts water from RHR to the feedwater lines to provide a seal at the outboard feedwater isolation check valves (1B21-FO32A/B) and gate valves (1B21-FO65A/B) after a DBA LOCA to prevent the release of containment atmosphere through the feedwater piping release path. The FWLC mode of RHR can be operated simultaneously with RHR LPCI, suppression pool cooling, or containment spray cooling modes.

7.3.2.20.2 Specific Regulatory Requirements Conformance

7.3.2.20.2.1 Regulatory Guide Conformance

7.3.2.20.2.1.1 Regulatory Guide 1.6

The two loops of FWLC are powered from separate divisional emergency AC-power sources.

7.3.2.20.2.1.2 Regulatory Guide 1.29

All instrumentation and controls required to complete the safety function are tested and qualified to meet Seismic Category I requirements and will be functional after a seismic event.

7.3.2.20.2.1.3 Regulatory Guide 1.30

The quality assurance requirements of IEEE 336 are applicable during the plant design and construction phases (see Section 7.1) and will also be implemented as an operational QA program during plant operation in response to Regulatory Guide 1.30.

7.3.2.20.2.1.4 Regulatory Guide 1.32

Both divisions of FWLC are powered from Class 1E safety-related busses.

7.3.2.20.2.1.5 Regulatory Guide 1.47

Conformance to Regulatory Guide 1.47 is discussed in Sections 7.1.2.6.11 and 8.1.6.1.9.

7.3.2.20.2.1.6 Regulatory Guide 1.53

The system is designed with two independent and redundant portions to ensure that no single failure can prevent the safety function.

7.3.2.20.2.1.7 Regulatory Guide 1.75

The instrumentation and control devices and power supplies for each subsystem are completely separated and independent. Separate and independent raceways are routed from devices to the respective subsystem enclosure. The system conduit groupings comply with the requirements of this regulatory guide. Redundant subsystems are on separate and independent main control room panels. Optical isolators provide electrical isolation between the FWLC valve limit switches and the non-safety plant computer.

7.3.2.20.2.1.8 Regulatory Guide 1.89

The FWLC cables are environmentally qualified for the harsh areas in which they are located. All other instrumentation and controls components are located in mild environmental areas and therefore do not require environmental qualification.

7.3.2.20.2.1.9 Regulatory Guide 1.97

See Subsection 7.1.2.6.23 and Table 7.1-13, parameter B10, for the degree of conformance regarding primary containment isolation valve position.

7.3.2.20.2.1.10 Regulatory Guide 1.100

See Section 3.10 for discussion of the degree of conformance.

7.3.2.20.2.1.11 Regulatory Guide 1.105 See Subsection 7.1.2.6.25 for discussion of the degree of conformance.

7.3.2.20.2.1.12 Regulatory Guide 1.118 See Subsection 7.1.2.6.26 for discussion of the degree of conformance. 7.3.2.20.2.2 Conformance to 10 CFR 50, Appendix A General Design Criteria (1) Criterion 13 - Instrumentation and indicators are provided to monitor the position of the FWLC valves. (2) Criterion 19 - Controls and instrumentation (position indication) are provided in the main control room for the FWLC valves.

7.3.2.20.3 Conformance to Industry Standards

7.3.2.20.3.1 Conformance to IEEE 279 - Criterion for Protection Systems for Nuclear Power Generating Stations

7.3.2.20.3.1.1 General Functional Requirement (IEEE 279, Paragraph 4.1)

The FWLC mode is a manually operated system and therefore has no automatic initiation. The FWLC valves, however, will automatically close upon loss of any of the permissives described in Section 7.3.1.1.19.6.

7.3.2.20.3.1.2 Single Failure Criterion (IEEE 279, Paragraph 4.2)

The FWLC mode consists of two separate loops. The two loops feature separate and independent sets of controls and instrumentation which meet the single failure criterion. 7.3.2.20.3.1.3 Quality of Components and Modules (IEEE 279, Paragraph 4.3)

Components used in FWLC mode have been carefully selected on the basis of suitability for the specific application. A quality assurance program is required to be implemented and documented by equipment vendors with the intent of complying with requirements set forth in 10 CFR 50, Appendix B. 7.3.2.20.3.1.4 Equipment Qualification (IEEE 279, Paragraph 4.4)

No components of the FWLC mode are located inside containment. With the exception of the cabling, all instrumentation and controls equipment is located in mild environments. The FWLC essential components meet the equipment requirements described in Sections 3.10 and 3.11. 7.3.2.20.3.1.5 Channel Integrity (IEEE 279, Paragraph 4.5)

The FWLC mode is designed to maintain its functional capability under the environmental conditions, electrical transients, and malfunctions that may occur in the design basis LOCA. 7.3.2.20.3.1.6 Channel Independence (IEEE 279, Paragraph 4.6)

Channel independence for sensors is provided by electrical and mechanical separation. The two loops of FWLC are on opposite sides of the steam tunnel and power is supplied from divisionally separated cables and sources. 7.3.2.20.3.1.7 Control and Protection System Interaction (IEEE 279, Paragraph 4.7)

The FWLC mode is a safety system and is independent of plant control systems. The requirements of this Paragraph are not applicable. 7.3.2.20.3.1.8 Derivation of System Inputs (IEEE 279, Paragraph 4.8)

The inputs to the FWLC permissives are derived from signals that are direct measures of the desired variables. The pressure signals are from pressure switches mounted on the feedwater side of the FWLC valves. The valve position signals from valves 1B21-FO65A/B are from limit switches on the valve operator.

7.3.2.20.3.1.9 Capability for Sensor Checks (IEEE 279, Paragraph 4.9)

Testing of the pressure switches will be performed in reactor modes 4 or 5.

7.3.2.20.3.1.10 Capability for Test and Calibration (IEEE 279, Paragraph 4.10)

The FWLC mode will be tested in reactor modes 4 or 5. 7.3.2.20.3.1.11 Channel Bypass or Removal from Operation (IEEE 279, Paragraph 4.11)

The FWLC valves are operator initiated valves that are normally closed. The only automatic feature is the permissive which would close the valves if permissives are not met. Calibration, testing and maintenance of the pressure switches including breaker maintenance, overload bypass, etc., is not planned during normal operation.

7.3.2.20.3.1.12 Operating Bypasses (IEEE 279, Paragraph 4.12)

The FWLC mode has no operating bypasses. 7.3.2.20.3.1.13 Indication of Bypasses (IEEE 279, Paragraph 4.13)

The FWLC mode has no operating bypasses. All motor control center control circuits related to engineered safety feature systems are individually monitored. If control voltage is lost as a result of tripping of a motor starter feeder breaker or removal of a fuse in the control circuit (rendering the valve inoperable), indication is provided in the control room. 7.3.2.20.3.1.14 Access to Means for Bypassing (IEEE 279, Paragraph 4.14)

The FWLC mode has no operating bypasses.

7.3.2.20.3.1.15 Multiple Set Points (IEEE 279, Paragraph 4.15)

There are no multiple trip settings for the FWLC mode.

7.3.2.20.3.1.16 Completion of Protective Action Once It Is Initiated (IEEE 279, Paragraph 4.16)

The FWLC mode is manually initiated. The FWLC mode will remain in continuous operation after system initiation unless manually terminated, or one of the motor operated valve permissives is lost. 7.3.2.20.3.1.17 Manual Initiation (IEEE 279, Paragraph 4.17)

The FWLC mode is a manually-initiated function.

7.3.2.20.3.1.18 Access to Set Point Adjustments, Calibration, and Test Points (IEEE 279, Paragraph 4.18)

The FWLC mode is manually initiated and secured. The only setpoints are those associated with the pressure switch permissive. Setpoint check/adjustments will be performed during the calibration process in reactor modes 4 or 5.

7.3.2.20.3.1.19 Identification of Protective Actions (IEEE 279, Paragraph 4.19)

FWLC mode initiation is indicated by position indication in the main control room of the two FWLC motor operated valves. 7.3.2.20.3.1.20 Information Readout (IEEE 279, Paragraph 4.20)

FWLC mode initiation is indicated by position indication in the main control room of the two FWLC motor operated valves. 7.3.2.20.3.1.21 System Repair (IEEE 279, Paragraph 4.21)

The FWLC mode is designed for efficient maintainability. Easy recognition of malfunctioning equipment is provided through proper test procedures. 7.3.2.20.3.1.22 Identification (IEEE 279, Paragraph 4.22)

Colored nameplates identify the two MCCs that are part of the FWLC mode. The nameplates also indicate the division to which MCCs are assigned. Panels in the main control room are identified by tags which identify the FWLC valves. Identification of safety related equipment is discussed in Subsection 8.3.1.3.

7.3.2.20.3.2 Conformance to IEEE 308 - Standard Criteria for Class 1E Electric Systems

Class 1E loads are physically separated and electrically isolated into independent load groups, including the instrumentation and controls used in the FWLC mode of the RHR system. A failure in one loop will not interfere with proper operation of the redundant loop. Details of the Class 1E power system are discussed in Chapter 8.

7.3.2.20.3.3 Conformance to IEEE 323 - Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations

The Class 1E equipment qualification is demonstrated by the vendor or others by type tests on actual equipment in accordance with the purchase specification. Qualification documentation is maintained to verify that the equipment is qualified. (See Section 3.11.)

7.3.2.20.3.4 Conformance to IEEE 336 - Installation, Inspection, and Testing Requirements for Instrumentation and Electrical Equipment During the Construction of Nuclear Power Generating Stations

The IEEE 336 requirements for installation, inspection and testing of Class 1E instrument and control equipment and systems during construction have been met through a quality assurance program. See Chapter 17 for specific details of the program.

7.3.2.20.3.5 Conformance to IEEE 338 - Standard Criteria for Periodic Testing of Nuclear Power Generating Station Safety Systems

The FWLC instrumentation and controls will be tested in reactor modes 4 or 5.

7.3.2.20.3.6 Conformance to IEEE 344 - Recommended Practices for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations

The safety-related equipment for FWLC is classified as Seismic Category 1. (Refer to Section 3.10).

7.3.2.20.3.7 Conformance to IEEE 379 - Standard Application of the Single-Failure Criterion to Nuclear Power Generating Station Class 1E System

The FWLC mode consists of two separate loops. The two loops feature separate and independent sets of controls and instrumentation which meet the single failure criterion.

7.3.2.20.3.8 Conformance to IEEE 384 - Standard Criteria for Independence of Class 1E Equipment and Circuits

See Section 7.1.2.5.9 for conformance to IEEE 384.

Table 7.3-1 through Table 7.3-6 have been deleted.

TABLE 7.3-7 INSTRUMENT CHANNEL REQUIRED FOR CONTAINMENT AND REACTOR VESSEL ISOLATION CONTROL SYSTEM

I. MSIV and Main Steam Line Drain Isolation

Instrument Channel Description | Normal
Reactor Vessel Low Water Level (Level 1 Setting) | 4
Main Steam Line High Radiation | 4
Main Steam Line High Flow (each steam line) | 4
Main Steam Line Low Pressure | 4
Main Condenser Low Vacuum | 4
Main Steam Line Area High Temperature | 4 ambient, 4 differential
Main Steam Line Area High Temp - Turbine Bldg. | 4

The normal column shows the number of instrument channels provided to monitor each variable required for the functional performance of CRVICS (MSIV MS drain valve isolation only).

TABLE 7.3-7 INSTRUMENT CHANNEL REQUIRED FOR CONTAINMENT AND REACTOR VESSEL ISOLATION CONTROL SYSTEM (Continued)

II. CRVICS (General)

Instrument Channel Description | Normal Total
Reactor Vessel Low Water Level (Level 3) | 4
Reactor Vessel Low Water Level (Level 2) | 4
Main Steam Line High Radiation (shared with MS line isolation logic) | 4
Reactor High Pressure | 4
Drywell High Pressure | 4
Containment Exhaust High Radiation | 4
Reactor Water Cleanup System Differential Flow | 2
Reactor Water Cleanup Equipment Area Temperatures (2 per room) | 10 ambient, 10 differential
RHR Equipment Area Temperatures (2 per room) | 4 ambient, 4 differential
RCIC High Steam Flow | 4
RCIC Equipment Area Temperatures | 2 ambient, 2 differential
Main Steam Line Tunnel Area Temperatures (2 ambient and 2 differential are shared with MS line isolation logic) | 4 ambient, 4 differential

The "normal" column lists the number of instrument channels provided to monitor each variable required for the functional performance of CRVICS.

TABLE 7.3-8 TRIP CHANNELS REQUIRED FOR FUNCTIONAL PERFORMANCE OF HPCS SYSTEM

Component Affected | Trip Channel | Instrument | Channels Provided
HPCS system initiation | Reactor Vessel low water level | Level transmitter | 4
HPCS system initiation | Drywell high pressure | Pressure transmitter | 4
Suppression pool suction valve | RCIC storage tank low level | Level transmitter | 2
Suppression pool suction valve | Suppression pool high level | Level transmitter | 2

TABLE 7.3-9 TRIP CHANNELS REQUIRED FOR FUNCTIONAL PERFORMANCE OF AUTOMATIC DEPRESSURIZATION SYSTEM

Initiating Function | Instrument | Channels Provided
Reactor Vessel Low Water Level (Level 1) | Level transmitter and trip unit | 2/trip system
Reactor Vessel Low Water Level (Level 3) - Confirmatory | Level transmitter and trip unit | 1/trip system
Drywell high pressure | Pressure transmitter and trip unit | 2/trip system
LPCI permissive | Pressure transmitter and trip unit | 6 total
Time delay | Solid State digital timer | 3/trip system
LPCS permissive | Pressure transmitter and trip unit | 2 total

LPCS interlocks only with Division 1, but RHR interlocks both divisions of ADS

TABLE 7.3-10 TRIP CHANNELS REQUIRED FOR FUNCTIONAL PERFORMANCE OF LPCI "B" AND "C"

Component Affected | Trip Channel | Instrument | Channels Provided
LPCI initiation (B and C loops) | Reactor vessel low water level | Level transmitter & trip unit | 2
LPCI initiation (B and C loops) | Drywell high pressure | Pressure transmitter & trip unit | 2
Minimum flow bypass valves (B and C loops) | LPCI pumps discharge low flow | Flow transmitter & trip unit | 2 (1/pump)
LPCI injection valve permissive (B and C loops) | Reactor vessel pressure | Pressure transmitter & trip unit | 4*

* 4 trip units, 2 pressure transmitters

TABLE 7.3-11 TRIP CHANNELS REQUIRED FOR FUNCTIONAL PERFORMANCE OF LPCS SYSTEM AND LPCI "A"

Component Affected | Trip Channel | Instrument | Channels Provided
LPCS and LPCI A initiation | Reactor vessel water level | Level transmitter | 2
LPCS and LPCI A initiation | Drywell high pressure | Pressure transmitter | 2
Minimum flow valves (LPCS and LPCI A) | LPCI or LPCS pumps discharge low | Flow transmitter | 2 (1/pump)
LPCS and LPCI "A" injection valve permissive | Reactor vessel pressure | Pressure transmitter and trip unit | 4*

* 4 trip units, 2 pressure transmitters

CPS/USAR CHAPTER 07 7.4-1 REV. 14, JANUARY 2011

7.4 SYSTEMS REQUIRED FOR SAFE SHUTDOWN

7.4.1 Description

7.4.1.1 Reactor Core Isolation Cooling (RCIC) System - Instrumentation and Controls

7.4.1.1.1 System Identification

7.4.1.1.1.1 Function

The Reactor Core Isolation Cooling System consists of a turbine, pump, piping, valves, accessories, and instrumentation designed to assure that sufficient reactor water inventory is maintained in the reactor vessel thus assuring continuity of core cooling. Reactor vessel water is maintained or supplemented by the RCIC during the following conditions:

(1) When the reactor vessel is isolated and yet maintained in the hot standby condition;
(2) When the reactor vessel is isolated and accompanied by a loss of normal coolant flow from the reactor feedwater system;
(3) When a complete plant shutdown under conditions of loss of normal feedwater system is started but before the reactor is depressurized to a level where the reactor shutdown cooling mode of the RHR system can be placed into operation.

7.4.1.1.1.2 Classification

Electrical components for the RCIC system are classified as Safety Class 2 and Seismic Category I.

7.4.1.1.2 Power Sources

The RCIC logic is powered by the 125 vdc Division 1 system, except the inboard isolation valves logic which is powered by the 125 vdc Division 2 system. Motive power for inboard isolation valves is by Division 2 standby ac power, while outboard isolation valves are driven by Division 1 standby ac power. The remaining valves are driven by the Division 1 dc system.

7.4.1.1.3 Equipment Design

7.4.1.1.3.1 General

When actuated, the RCIC system pumps water from either the RCIC storage tank or the suppression pool to the reactor vessel. The RCIC system includes one turbine-driven pump, one gland seal system dc powered air compressor, automatic valves, control devices for this equipment, sensors and logic circuitry. The arrangement of equipment and control devices is shown in Drawing M05-1079 (RCIC P&ID).

Level transmitters used for the initiation and tripping and pressure transmitters for isolation of the RCIC system are located on instrument panels outside the drywell but inside the containment. The only operating components of the RCIC system that are located inside the drywell are the inboard steam line isolation valve, the steam line warmup line isolation valve, and one testable check valve on the pump discharge line. Cables connect the sensors to control circuitry in the main control room. The rest of the RCIC system control and instrumentation components are located in the auxiliary building.

A design flow functional test of the RCIC system can be performed during normal plant operation by drawing suction from the RCIC storage tank and discharging through a full flow test return line to the RCIC storage tank. The discharge valve to the reactor remains closed during the test, and reactor operation remains undisturbed. All components of the RCIC system (except 1E51-F066) are capable of individual functional testing during normal plant operation.

The control system provides automatic return from test to operating mode if system initiation is required. There are three exceptions:

(1) The flow controller in manual mode. This feature is required for operation flexibility during system operation.
(2) Steam inboard/outboard isolation valves closed. Closure of either or both of these valves requires operator action to properly sequence their opening. An alarm sounds when either of these valves leaves the fully open position.
(3) If breakers have been manually racked out-of-service.

7.4.1.1.3.2 Initiating Circuits

Reactor vessel low water level is monitored by four level transmitters that sense the difference between the pressure to a constant reference leg of water and the pressure due to the actual height of water in the vessel. Each transmitter supplies a signal to analog comparator trip units that energize control logic. The analog comparator trip units are located in the main control room. The instrument sensing lines for the transmitters are physically separated from each other and tap off the reactor vessel at widely separated points.

The RCIC system is initiated automatically by a reactor vessel low water level signal utilizing a one-out-of-two twice logic and produces the design flow rate within 30 seconds. The system will provide design makeup water flow to the reactor vessel until the amount of water delivered to the reactor vessel is adequate to restore vessel level, at which point the RCIC system automatically shuts down. The controls are also provided to allow remote manual startup, operation, and shutdown, provided initiation or shutdown signals do not exist.

The RCIC turbine is controlled as shown in drawing E02-1RI99. The turbine governor limits the turbine speed and adjusts the turbine steam control valves so that design pump discharge flow rate is obtained. The flow signal used for automatic control of the turbine is derived from a differential pressure measurement across a flow element in the RCIC system pump discharge line.

The turbine is shut down by tripping the turbine trip and throttle valve closed if any of the following conditions are detected:

(1) Turbine overspeed
(2) High turbine exhaust pressure
(3) RCIC isolation signal from logic "A" or "B"
(4) Low pump suction pressure
(5) Manual trip actuated by the operator.

Turbine overspeed indicates a malfunction of the turbine control mechanism. High turbine exhaust pressure indicates a condition that threatens the physical integrity of the exhaust line. Low pump suction pressure warns that cavitation and lack of cooling can cause damage to the pump which could place it out of service. A turbine trip is initiated for these conditions so that if the causes of the abnormal conditions can be found and corrected, the system can be quickly restored to service. The trip settings are selected so that a spurious turbine trip is unlikely, but not so that damage occurs before the turbine is shut down.

Turbine overspeed is detected by a standard turbine overspeed mechanical device. Two pressure sensors are used to detect high turbine exhaust pressure; either sensor can initiate turbine shutdown. Two pressure sensors are used to detect low RCIC system pump suction pressure.

A high reactor water level signal initiates the closure of the steam supply valve, rather than the turbine trip valve, to shut off steam to the turbine. Closure of the steam supply valve places the RCIC system in a standby configuration until a low reactor water level initiation signal reinstates system operation.

High water level in the reactor vessel indicates that the RCIC system has performed satisfactorily in providing makeup water to the reactor vessel. Further increase in level could result in RCIC system turbine damage caused by gross carry-over of moisture. The reactor vessel high water level setting is near the top of the steam separators and is sufficient to prevent gross moisture carry-over to the turbine. Two level transmitters and associated trip units which sense differential pressure are arranged to require that both trip units trip to initiate a steam supply valve closure.

7.4.1.1.3.3 Logic and Sequencing

The scheme used for initiating the RCIC system is shown in drawing E02-1RI99.

7.4.1.1.3.4 Bypasses and Interlocks

To prevent the turbine pump from being damaged by overheating at reduced RCIC pump discharge flow, a pump discharge bypass is provided to route the water discharged from the pump back to the suppression pool. The bypass is controlled by an automatic, dc motor-operated valve whose control scheme is shown in drawing E02-1RI99. The valve is closed at high flow or when either the steam supply or turbine trip valves are closed. Low flow combined with high pump discharge pressure opens the valve.
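The three voting arrangements described in 7.4.1.1.3.2 (one-out-of-two twice for low water level initiation, either of two sensors for the high turbine exhaust pressure trip, both of two trip units for high water level steam supply valve closure) can be compared by enumerating channel failures. The following is an added example, not part of the USAR; the pairing (A or B) and (C or D) and the channel index numbers are assumptions, since the text names the logic but not which transmitters share a pair.

```python
"""Failure analysis of the voting arrangements named in 7.4.1.1.3.2.

Assumption of this example: one-out-of-two twice is modelled as
(A or B) and (C or D), with channels indexed 0..3 in that order.
A channel state of True means its trip unit has tripped.
"""
from itertools import combinations


def one_out_of_two_twice(a, b, c, d):
    """Low water level initiation: one trip in each of two pairs."""
    return (a or b) and (c or d)


def one_out_of_two(a, b):
    """High turbine exhaust pressure trip: either sensor is enough."""
    return a or b


def two_out_of_two(a, b):
    """High water level steam supply valve closure: both trip units required."""
    return a and b


# name -> (voting function, number of channels)
ARRANGEMENTS = {
    "1oo2-twice": (one_out_of_two_twice, 4),
    "1oo2": (one_out_of_two, 2),
    "2oo2": (two_out_of_two, 2),
}


def blocking_sets(vote, n, k):
    """Sets of k channels that, failed untripped, stop a real demand actuating.

    Every healthy channel is assumed to trip on the demand.
    """
    found = []
    for failed in combinations(range(n), k):
        state = [i not in failed for i in range(n)]
        if not vote(*state):
            found.append(failed)
    return found


def spurious_sets(vote, n, k):
    """Sets of k channels that, failed tripped, actuate with no real demand."""
    found = []
    for failed in combinations(range(n), k):
        state = [i in failed for i in range(n)]
        if vote(*state):
            found.append(failed)
    return found


def failure_summary(max_failures=2):
    """For each arrangement, list blocking and spurious sets per failure count."""
    summary = {}
    for name, (vote, n) in ARRANGEMENTS.items():
        summary[name] = {
            k: {
                "blocking": blocking_sets(vote, n, k),
                "spurious": spurious_sets(vote, n, k),
            }
            for k in range(1, min(max_failures, n) + 1)
        }
    return summary


if __name__ == "__main__":
    for name, by_k in failure_summary().items():
        for k, result in by_k.items():
            print(f"{name:11s} failures={k} "
                  f"blocking={result['blocking']} spurious={result['spurious']}")
```

Only the four-channel arrangement tolerates any single channel failure in both directions; it is defeated only by two failures within the same pair, or actuated spuriously only by one failure in each pair.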

To prevent the RCIC steam supply pipeline from filling up with water and cooling excessively, a condensate drain pot, steam line drain, and appropriate valves are provided in a drain pipeline arrangement just upstream of the turbine supply valve. The control scheme is shown in drawing E02-1RI99. The controls position valves so that during normal operation steam line drainage is routed to the main condenser. The water level in the steam line drain condensate pot is normally maintained by a steam trap which is open to the main condenser. In addition, the water level in the steam line drain condensate pot is controlled by a level switch and a direct acting solenoid bypass valve which energizes to allow condensate to flow out of the drain pot. Upon receipt of an RCIC initiation signal, the drainage path is isolated.

To prevent the turbine exhaust line from filling with water, a condensate drain pot is provided. The water in the turbine exhaust line condensate drain pot is routed to the RCIC pump room floor drain sump. The water level in the turbine exhaust line condensate drain pot is controlled by a level switch which, upon sensing high water level, opens the drain valve and allows condensate to flow to the Auxiliary Building Floor Drain system. RCIC initiation causes the condensate drainage line to be isolated. The control logic is shown in drawing E02-1RI99.

During test operation, the RCIC pump discharge is routed to the RCIC storage tank. Two dc motor-operated valves are installed in the pump discharge to the RCIC storage tank pipeline. The arrangement is shown in Drawing M05-1079 (RCIC P&ID). Upon receipt of an RCIC initiation signal, the valves close as is shown in drawing E02-1RI99. Valves for the pump suction from the RCIC storage tank and the test discharge to the RCIC storage tank valves are automatically closed or interlocked closed if the suppression pool suction valve is fully closed.

Numerous indications pertinent to the operation and condition of the RCIC are available to the main control room operator. Drawing E02-1RI99 shows the various indications provided.

To reduce the potential for moisture ingestion by the main and feedwater turbines during RCIC system operation, RCIC will issue a trip signal. If the RCIC injection valve is not fully closed, and if the RCIC pump flow is greater than a minimum set point, then a trip signal is generated to trip the main turbine and the feedwater turbines.

7.4.1.1.3.5 Redundancy and Diversity

On a network basis, the HPCS is redundant to RCIC for the safe shutdown function. Therefore, RCIC as a system by itself is not required to be redundant, although the instrument channels are redundant for operational availability purposes. While no initiating-signal diversity exists within this system, there does exist system level diversity between RCIC and HPCS for plant conditions identified in Chapter 15. Diversity of initiating signals is a requirement stipulated only for RPS, ECCS, and Containment Isolation systems. Therefore, diversity of initiating circuits is not employed for the RCIC system. The RCIC is actuated by reactor low water level. Four level sensors in a one-out-of-two twice circuit supply this signal.

7.4.1.1.3.6 Actuated Devices

All automatic valves in the RCIC are equipped with remote-manual capability, so that the entire system can be operated from the main control room. Motor operated valves are equipped with limit and torque switches. In the opening direction, limit switches turn off the motors when movement is complete. In the closing direction, torque switches turn the motor off (except for double disc valve, which is turned off by limit switch) when the valve has properly seated. Thermal overload devices may temporarily be placed in service during testing, maintenance or valve repositioning during routine operation. All motor and air operated valves provide main control room indication of valve position. The system is capable of initiation independent of auxiliary ac power.

To assure that the RCIC can be brought to design flow rate within 30 seconds from the receipt of the initiation signal, essential RCIC valves have the maximum operating times given in Subsection 5.4.6.2.2.2 item 4. The operating time is the time required for the valve to travel from the fully closed to the fully open position, or vice versa.

The two RCIC steam supply line isolation valves are normally open and they are designed to isolate the RCIC steam line in the event of a break in that line. These valves are operated by ac motors powered from different ac sources and automatically close after an 8-second time delay on receipt of an isolation signal.

One normally closed dc motor-operated valve is located in the turbine steam supply pipeline. This is the turbine steam admission valve. The flow coefficient profile for the turbine steam admission valve is designed to bring the turbine to idle speed, prior to bringing the turbine to normal operating speed. The control scheme for these valves is shown in drawing E02-1RI99. Upon receipt of an RCIC initiation signal these valves open and remain open until closed by operator action from the main control room.

The instrumentation for isolation consists of the following:

Outboard RCIC Turbine Isolation Valve.

(1) Ambient temperature switches - RCIC equipment area high temperature.
(2) Ambient temperature switch - RCIC pipe routing area (main steam line pipe tunnel) high temperature.
(3) Differential pressure transmitter and trip unit - drywell RCIC steamline or auxiliary building RCIC steamline high flow or instrument line break.
(4) An 8-second time delay break detection logic circuit.
(5) Two pressure transmitters and trip units - RCIC turbine exhaust diaphragm high pressure. Both trip units must activate to isolate.
(6) Pressure transmitter and trip unit - RCIC steam supply pressure low.
(7) Manual isolation if the system operation has been initiated.

Inboard RCIC Turbine Isolation Valve.

(1) Except for the manual isolation feature, a similar set of instrumentation causes the inboard valve to isolate.

Two pump suction valves are provided in the RCIC system. One valve lines up pump suction from the RCIC storage tank; the other one from the suppression pool. The RCIC storage tank is the preferred source. Both valves are operated by dc motors. The control arrangement is shown in drawing E02-1RI99. Upon receipt of an RCIC initiation signal, the RCIC storage tank suction valve automatically opens. RCIC storage tank low water level or suppression pool high water level automatically opens the suppression pool suction valve. Moving this valve from the fully closed position automatically closes the RCIC storage tank suction valve.

One dc motor-operated RCIC pump discharge valve in the pump discharge pipeline is provided. The control scheme for this valve is shown in drawing E02-1RI99. This valve is arranged to open upon receipt of the RCIC initiation signal and closes automatically upon receipt of a turbine trip signal.

7.4.1.1.3.7 Separation

As in the emergency core cooling system, the RCIC system is separated into divisions designated 1 and 2. The RCIC is a Division 1 system, but the inboard steam line isolation valve, the steam line warmup line isolation valve, the inboard vacuum breaker isolation valve, the inboard turbine exhaust drain isolation valve, and the inboard steam supply drain isolation valve are Division 2; therefore, part of the RCIC logic is Division 2. The inboard and outboard steam supply line isolation valves, the steam line warmup line isolation valve and the inboard and outboard vacuum breaker isolation valves are ac powered valves. The rest of the valves are dc powered valves. In order to maintain the required separation, RCIC trip channel and logic components, instruments and manual controls are mounted so that separation from Division 2 is maintained. All power and signal cables and cable trays are clearly identified by division.

The auxiliary systems that support the RCIC system are: the gland seal system (which prevents turbine steam leakage) and the lube oil cooling water system. An RCIC initiation signal activates the gland seal compressor and opens the cooling water supply valve, thereby initiating the gland seal and lube oil cooling functions. These systems remain on until manually turned off. The water leg pump maintains water in the RCIC pump suction line. The water-leg pump is continuously running and derives its power from the standby ac power source.

Safety-related power and signal cables, cable trays and instrument panels are specified in accordance with the requirements of Regulatory Guide 1.75.

7.4.1.1.3.8 Testability

The RCIC may be tested to design flow during normal plant operation. The system is designed to return to the operating mode if system initiation is required during testing as discussed in section 7.4.1.1.3.1. Water is drawn from the RCIC storage tank and discharged through a full flow test return line to the RCIC storage tank. The discharge valve from the pump to the reactor is tested separately and closed during the system flow test so that reactor operation remains undisturbed.

Testing of the initiation sensors which are located outside the drywell is accomplished by valving out each sensor and applying a test pressure source. This verifies the operability of the sensor as well as the calibration range. The logic is tested by automatic pulse testing. The Automatic Pulse Test (APT), the sixth test, discussed in RPS Testability 7.2.1.1.4.8 is also applicable here for RCIC. The instrument channel trip may be tested by manually introducing a signal of sufficient magnitude to trip the instrument channel trip device in the logic cabinets in the control room. The change of state of the trip device may be observed by annunciation and by visual inspection of the trip device output indicator.

7.4.1.1.4 Environmental Considerations

The only RCIC control components located inside the drywell that must remain functional in the environment resulting from a loss-of-coolant accident are the control mechanisms for the inboard isolation valve and the steam line warmup line isolation valve. The environmental capabilities of these valves are shown in Table 3.11-5. Equipment located outside the drywell that is required for a design basis event will operate in its worst-case environments shown in the Section 3.11 tables. All safety-related RCIC instrumentation is seismically qualified to remain functional following a Safe Shutdown Earthquake (SSE).

7.4.1.1.5 Operational Considerations

7.4.1.1.5.1 General Information

Normal core cooling is required in the event the reactor becomes isolated during normal operation from the main condenser by a closure of the main steam line isolation valves. Steam is vented through the pressure relief/safety valves to the suppression pool. The RCIC system maintains reactor water level by providing the makeup water. Initiation and control are automatic.

7.4.1.1.5.2 Reactor Operator Information

The following items are located in the main control room for operator information:

Analog Indication

(1) RCIC Turbine Inlet Pressure
(2) RCIC Turbine Outlet Pressure
(3) RCIC Pump Suction Pressure
(4) RCIC Pump Discharge Pressure
(5) RCIC Pump Discharge Flow
(6) RCIC Turbine Speed

Indicating Lamps

(1) Position of all motor-operated valves.
(2) Position of all solenoid-operated valves.
(3) Turbine trip solenoid energized or deenergized.
(4) All sealed-in circuits.
(5) Pump status.

Annunciators

Annunciators are provided as shown in drawing E02-1RI99 and the RCIC system P&ID per Drawing M05-1079.

7.4.1.1.5.3 Setpoints

For setpoints see the Operational Requirements Manual (ORM).

7.4.1.2 Standby Liquid Control System (SLCS) - Instrumentation and Controls

7.4.1.2.1 System Identification

7.4.1.2.1.1 Function

The instrumentation and controls for the standby liquid control system are designed to initiate and continue injection of a liquid neutron absorber into the reactor when manually called upon to do so. This equipment also provides the necessary controls to maintain this liquid chemical solution well above saturation temperature in readiness for injection.

7.4.1.2.1.2 Classification

The standby liquid control system is a backup method for manually shutting down the reactor to cold subcritical conditions by independent means other than the normal method by the control rod system. Thus, the system is considered a "Safe shutdown System." The standby liquid control process equipment, instrumentation, and controls essential for injection of the neutron absorber solution into the reactor are designed to withstand Seismic Category I earthquake loads. Non-direct process equipment, instrumentation, and controls of the system are not required to meet Seismic Category I requirements; however, the local and main control room mounted equipment is located in seismically qualified panels.

7.4.1.2.2 Power Sources

The power supply to one explosive-operated injection valve, storage tank outlet valve, and injection pump and control circuit is powered from Division 1, 480 Vac and 120 Vac. The supply to the other explosive-operated injection valve, storage tank outlet valve, and injection pump and control circuit is powered from Division 2, 480 Vac and 120 Vac. The power supply to the tank heaters and heater controls is provided from two separate reliable AC sources. The power supply to the main control room benchboard indicator lights and the level and pressure sensors is powered from an emergency instrument bus.

7.4.1.2.3 Equipment Design

7.4.1.2.3.1 General

The SLCS is a special "plant capability" event system. No single active component failure of any plant system or component would necessitate the need for the operational function of the SLCS. It is included for a number of special consideration events:

(1) Plant Capability to Shutdown the Reactor Without Control Rods From Normal Operation (Refer to Appendix A of Chapter 15).

(2) Plant Capability to Shutdown the Reactor without Control Rods From a Transient Incident (Refer to Appendix A of Chapter 15 and Section 15.8).

Although this system has been designed to a high degree of reliability with many safety system features, it is not required to meet the safety design basis requirements of the safety systems.

7.4.1.2.3.2 Initiating Circuits

The standby liquid control is initiated in the main control room by turning a keylocking switch for system A and a separate keylocking switch for system B to the RUN position. The switch slip contacts remain in the activated position, but the mechanism spring returns to the center NORMAL position from which the key is removable.

7.4.1.2.3.3 Logic and Sequencing

When one division of standby liquid control system is initiated, one explosive valve fires and the tank discharge valve starts to open immediately. The pump that has been selected for injection will not start until its associated tank discharge valve is nearly open.

In order to provide maximum MOV availability when the SLC system is in normal standby readiness, the overloads for the storage tank outlet valves are bypassed with a test switch in its NORMAL position. When the TEST position is selected, the overload bypass is removed thus allowing motor protection during routine non-accident operation of the valves.

7.4.1.2.3.4 Bypasses and Interlocks

Pumps are interlocked so that either the storage tank discharge valve or the test tank discharge valve must be open for the pump to run. When the standby liquid control system is initiated to inject the neutron absorber into the reactor, the Reactor Water Cleanup System suction valve is automatically closed, per SLC subsystem initiation, to accomplish that isolation.

7.4.1.2.3.5 Redundancy and Diversity

The SLCS is functionally redundant to the control rod drive system in achieving and maintaining the reactor subcritical. Therefore, the SLCS as a system by itself is not required to be redundant, although the active components and control channels are redundant for serviceability. Diversity of initiating signals is a requirement only for RPS, ECCS, and Containment Isolation Systems. Therefore, diversity of initiating circuits is not employed for the SLCS design. The SLCS provides, however, a diverse means for reactivity control. The method of identifying redundant power cables, signal cables and cable trays, and the method of identifying non-safety related cables as associated circuits are discussed in Subsection 8.3.1.3.

7.4.1.2.3.6 Actuated Devices

When the standby liquid control system is initiated to inject a liquid neutron absorber into the reactor, the following devices are actuated:

(1) One of the two explosive valves is fired;
(2) One of the two storage tank discharge valves is opened;
(3) One of the two injection pumps is started, and
(4) The pump output pressure and storage tank level sensing equipment indicates that the standby liquid control system is pumping liquid into the reactor.

7.4.1.2.3.7 Separation

The SLCS is separated both physically and electrically from the control rod drive system. The SLC system electrical control channels are separated in accordance with the requirements of Regulatory Guide 1.75.

7.4.1.2.3.8 Testability

The instrumentation and control system of the standby liquid control system can be tested as described in Subsection 7.4.2.2.2.1.3.

7.4.1.2.4 Environmental Considerations

The environmental considerations for the instrument and control portions of the standby liquid control system are the same as for the active mechanical components of the system. This is discussed in Section 3.11. The instrument and control portions of the Standby Liquid Control System are seismically qualified not to fail during and to remain functional following a Safe Shutdown Earthquake (SSE). Refer to Section 3.10 for seismic qualification aspects.

7.4.1.2.5 Operational Considerations

7.4.1.2.5.1 General Information

The control scheme for the standby liquid control system can be found in drawing E02-1SC99. The standby liquid control system is manually initiated in the main control room by inserting keys in the "A" and the "B" keylocking switches and turning them to the pump run position. It will take approximately 50 minutes with both pumps running to complete the injection and for the storage tank level sensors to indicate that the storage tank is depleted. When the injection is completed, the system may be manually turned off by turning the keylocking switch counterclockwise to the "STOP" position. The slip contacts will remain in their deactivate positions but the switch mechanism will spring-return to the center "NORMAL" position for key removal.

7.4.1.2.5.2 Reactor Operator Information

The following items are located in the main control room for operator information:

Analog Indication

(1) Storage tank level
(2) System pressures
(3) Explosive valves continuity

Status Lights

(1) Pump or storage tank outlet valve overload, trip or power loss
(2) Explosive loss of continuity or power loss
(3) Position of injection line manual service valve in the SLC sparger line
(4) Position of storage tank outlet valve
(5) Position of test tank discharge manual service valve
(6) SLCS manually out of service
(7) Pump auto trip

Annunciators and Status Lights

The standby liquid control system main control room annunciators indicate:

(1) Manual or automatic out of service condition of SLC system "A" and/or "B" due to:
a. Operation of manual out-of-service switch.
b. The loss of continuity of any explosive valve primers.
c. Storage tank outlet valve in test status.
d. Overload trip or power loss in pump or storage tank outlet valve controls.
(2) Standby liquid storage tank high or low temperature.
(3) Standby liquid tank high or low level.
(4) Standby liquid pump "A" or "B" auto trip.

The following items are located locally at the equipment for operator utilization:

Analog Indication

(1) Storage tank level
(2) System pressures
(3) Storage tank temperature

Indicating Lamps

(1) Pump status
(2) Storage tank operating heater status
(3) Storage tank mixing heater status

7.4.1.2.5.3 Set Points

The standby liquid control system is a manually initiated system with no automatic setpoints.

7.4.1.3 Reactor Shutdown Cooling Mode (RHR) Instrumentation and Controls

7.4.1.3.1 System Identification

7.4.1.3.1.1 Function

The shutdown cooling mode of the RHR System used during a normal shutdown and cooldown is a safe shutdown function. The initial phase of a normal nuclear system cooldown is accomplished by routing steam from the reactor vessel to the main condenser which serves as the heat sink. Reactor shutdown cooling mode consists of a set of pumps, valves, heat exchangers, and instrumentation designed to provide decay heat removal capability for the core. The mode specifically accomplishes the following:

(1) The reactor shutdown cooling mode is capable of providing cooling for the reactor during shutdown operation after the vessel pressure is reduced to approximately 96.5 psig.
(2) The mode is capable of cooling the reactor water to a temperature at which reactor refueling and servicing can be accomplished.
(3) The mode is capable of diverting part of the shutdown flow to a nozzle in the reactor vessel head to condense the steam generated from the hot walls of the vessel while it is being flooded.

The mode can accomplish its design objectives by a preferred means of directly extracting reactor vessel water from the vessel via the loop and routing it to a heat exchanger and back to the vessel, or by an alternate means by indirectly extracting the water via relief valve discharge lines to the suppression pool and routing suppression pool water to the heat exchanger and back to the vessel.

7.4.1.3.1.2 Classification

Electrical components for the Reactor Shutdown cooling mode of the Residual Heat Removal System are classified as Safety Class 3 and Seismic Category I. Portions of the RHR shutdown cooling system which are used in other modes that are safety related are classified as Safety Class 1 or 2.

7.4.1.3.2 Power Sources

This system utilizes normal plant power sources. These include 4160 vac, 480 vac, 120 vac instrument busses, and dc sources. If, for any reason, the normal plant sources become unavailable, the system is designed to utilize the emergency busses and sources since the RHR has safety modes of operation (e.g., LPCI) associated with this equipment.

7.4.1.3.3 Equipment Design

7.4.1.3.3.1 General

The reactor water is cooled by taking suction from one of the recirculation loops; the water is pumped through the system heat exchanger and back to the reactor vessel via the feedwater lines. Part of the flow can be diverted to a nozzle in the vessel head to provide for head cooling. The function of head cooling is to condense steam generated from the hot walls of the vessel while it is being flooded, thereby keeping system pressure down. During the initial phase of cooling the reactor, only a portion of the RHR system heat exchanger capacity is required. This allows the remaining portion of the RHR system with its heat exchanger, associated pumps, and valving to be available for the LPCI mode. The LPCI mode portion of the system is shifted to the shutdown mode after the reactor is depressurized so the proper cooling rate may be achieved with the lower reactor water inlet temperature. See Drawing M05-1075 for RHR System P&ID.

7.4.1.3.3.2 Initiating Circuits

The reactor shutdown cooling system is initiated by manual operator actions. There is no requirement for automatic control.

7.4.1.3.3.3 Logic and Sequencing

The following is a typical sequence of operations illustrating the use of the RHR shutdown cooling mode:

(1) Initially steam is condensed in the main condenser. This heat sink allows the reactor to be brought from operating pressures (1000 psig) and temperature (540°F) to the RHR shutdown cooling mode permissive setpoint (~96.5 psig and 335°F).
(2) RHR shutdown cooling operates to bring the reactor to 125°F within 20 hours after all rods have been inserted. Early in the shutdown, part of the RHR flow may be diverted to condense steam in the reactor head area (head spray) to allow the vessel to be flooded. During the RHR shutdown cooling operation, a reactor low low water level signal will cause vessel isolation.

7.4.1.3.3.4 Bypasses and Interlocks

To prevent opening the reactor shutdown cooling valves except under proper conditions, the interlocks are provided as shown in Table 7.4-2. The RHR A heat exchanger may be used for spent fuel pool cooling as described in Subsection 7.6.1.9. The two RHR pumps used for shutdown cooling are interlocked to trip if the reactor shutdown cooling valves and suction valves from the suppression pool are not properly positioned.

7.4.1.3.3.5 Redundancy and Diversity

The reactor shutdown cooling system contains two loops. Either loop is sufficient to satisfy the cooling requirements for shutdown cooling. A diverse method of shutdown cooling is provided by the alternate shutdown cooling mode, which is actually an extension of the LPCI mode. To establish the alternate mode, the normal shutdown cooling loop is bypassed by manually switching to take suction water from the suppression pool and manually opening the ADS valves to allow reactor water to flow back to the suppression pool. The ADS valves may be actuated by either Division 1 or Division 2 power, thus providing redundancy in the event of a divisional power failure. Refer to Chapter 15 and Appendix 15A of Chapter 15 for a system level examination of the above operation. Although there is no instrumentation diversity requirement for the reactor shutdown cooling system, the design basis objective is achieved by providing two shutdown cooling paths.

7.4.1.3.3.6 Actuated Devices

All power operated valves in the shutdown cooling system are equipped with remote manual switches in the main control room. Further discussion can be found in Section 7.3.1.1 relative to the general operation of the RHR system including its other modes of operation.

7.4.1.3.3.7 Separation

Since various modes of operation of the RHR system perform safety-related functions (LPCI and containment cooling), any of the system's equipment performing safety-related functions satisfies the appropriate safety separation criteria (refer to Section 7.3.1.1).

7.4.1.3.3.8 Testability

The reactor shutdown cooling pumps (RHR) may be tested to full capacity during normal plant operation. All valves except those isolated by reactor pressure interlock in the system may be tested during normal plant operation from the remote manual switches in the main control room. The logic is tested by automatic pulse testing. The Automatic Pulse Test (APT), the sixth test, discussed in RPS Testability 7.2.1.1.4.8 is also applicable here for the Reactor Shutdown Cooling mode function of RHR.

7.4.1.3.4 Environmental Considerations

The only reactor shutdown cooling control component located inside the drywell that must remain functional in the environment is the control mechanism for the inboard isolation shutdown cooling suction valve. The environmental capabilities of this valve are discussed in Subsection 7.3.1.1.2. The control and instrumentation equipment located outside the drywell is selected in consideration of the normal and accident environments in which it must operate.

RHR equipment is seismically qualified and environmentally classified as discussed in Sections 3.2, 3.10 and 3.11.

7.4.1.3.5 Operational Considerations

7.4.1.3.5.1 General Information

All controls for reactor shutdown cooling are located in the main control room. Reactor operator information is provided as described in the RHR discussion of the LPCI mode in Subsection 7.3.1.1.1.6.11.

7.4.1.3.5.2 Reactor Operator Information

Refer to Section 7.3.1.1 for reactor operator information associated with RHR in general.

7.4.1.3.5.3 Set Points

There are no safety-related set points involved in the operation of the shutdown cooling mode of RHR except that reactor pressure and water level set points must be satisfied before the operator can begin this mode.

7.4.1.4 Remote Shutdown System

7.4.1.4.1 Plant Special Capabilities Identification

7.4.1.4.1.1 General

The remote shutdown system provides a means to carry out the reactor shutdown functions from outside and independent of the main control room and bring the reactor to cold conditions in a safe and orderly fashion for any abnormal occurrence that results in the evacuation of the MCR, including a 10CFR50 Appendix R remote shutdown in the event of a fire. The control panel contains Division I controls and indications for equipment used as the primary means to cool the reactor to the cold condition from outside the main control room. A backup means of accomplishing the cooldown, assuming a failure of the primary means for other than Appendix R fires, is provided by Division II controls and indications on the panel and equipment operation from Division II motor control centers. The main control room, the remote shutdown panel, and the Division II motor control centers are each served by separate HVAC systems located in different areas of the plant. It is therefore considered improbable that the event which caused evacuation of the main control room would also render the remote shutdown panel or Division II MCCs inaccessible.

7.4.1.4.1.2 Postulated Conditions Assumed to Exist as the Main Control Room Becomes Inaccessible

The following is a list of conditions which were assumed to exist at the time that the main control room becomes inaccessible and form the basis of the remote shutdown system design. These conditions are the conditions under which the safe shutdown has to be achieved and maintained.

(1) The plant is operating initially at or below design power.
(2) The plant is not experiencing any accident situation. No design basis accident (including a LOCA) is assumed, so that complete control of engineered safeguard feature (ESF) systems from outside the main control room is not required. For Division II remote shutdown instrumentation/equipment used in case of failure of Division I power to the remote shutdown panel, no fire damage is assumed to any system or component required for reactor shutdown.
(3) All personnel have evacuated the main control room and the main control room continues to be inaccessible for the duration of the cooldown.
(4) The initial event that causes the main control room to become inaccessible is assumed to be such that the reactor operator can manually scram the reactor before leaving the main control room. If this is not possible, opening the output breakers of the RPS logic from outside the main control room will be used as a backup means to achieve initial reactor reactivity shutdown.
(5) Under normal conditions, the main turbine pressure regulators will be controlling reactor pressure via the bypass valves. However, in the interest of demonstrating that the remote shutdown system can accommodate even loss of the turbine controls, it is assumed that the turbine generator control panel function is also lost. Therefore, main steam line isolation is initiated prior to control room evacuation and reactor pressure is relieved through the relief valves to the suppression pool.
(6) The reactor feedwater system isolation is also initiated prior to control room evacuation. Reactor vessel water inventory is maintained by the RCIC system.
(7) AC/DC power services are expected to be supplied from at least one plant power system for each essential system or equipment item in the remote shutdown system.
Even though the loss of off-site AC power is considered unlikely, the remote shutdown system is powered from Class 1 power buses which are automatically backed up by the plant diesel generators. Manual control of the diesel generators is available outside the main control room.

The above initial conditions and associated assumptions are very severe and conservatively bound any similar postulated situation. For an additional list of assumptions refer to Appendix F, Section 1.4.

7.4.1.4.2 Remote Shutdown Capability Description

The overall features and capabilities of the remote shutdown system to cool the reactor to cold shutdown are as follows:

(1) The capability provides remote control for reactor systems needed to carry out the shutdown function from outside the main control room and bring the reactor to cold condition in a safe and orderly fashion.
(2) It provides a variation to the normal system used in the main control room permitting the shutdown of the reactor when the normal heat sinks (turbine and condenser) are assumed to be unavailable.
(3) Automatic activation of relief valves and the Reactor Core Isolation Cooling (RCIC) system will bring the reactor to a hot shutdown condition after scram and isolation are achieved. During this phase of shutdown, the suppression pool will be cooled by operating the Residual Heat Removal (RHR) system in the suppression pool cooling mode. Reactor pressure will be controlled and core decay and sensible heat rejected to the suppression pool by relieving steam pressure through the relief valves. Reactor water inventory will be maintained by the RCIC system.
(4) Manual operation of certain safety relief valves will cool the reactor and reduce pressure at a controlled rate until reactor pressure becomes so low that the RCIC turbine will discontinue operation. This condition will be reached at 50 to 100 psig reactor pressure.
(5) The RHR system will then be operated in the shutdown cooling mode using the RHR system heat exchanger in the reactor water circuit to bring the reactor to the cold low pressure condition.
(6) Essential equipment cubicles cooling systems will maintain the environmental conditions for equipment operated from the remote shutdown panel within their design basis.
(7) Redundant safety grade means of carrying out the reactor shutdown from outside the control room are provided by Division I controls and indications on the remote shutdown panel and by Division II controls and indications on the remote shutdown panel and operation of Division II equipment from local motor control centers.
(8) Operating any single transfer switch will not result in the transfer of controls for more than one system for most NSSS (see Section 7.4.1.4.4.3).

7.4.1.4.3 Remote Shutdown Capability Procedure

The following is a general description of the procedure which will be followed in using the remote shutdown procedure:

(1) If evacuation becomes necessary, the operator will manually scram the reactor by placing the Mode switch in "SHUTDOWN" at the Principal Plant Console prior to leaving the main control room.
(2) The remainder of the procedure assumes that the automatic pressure regulator is not available, the main steam line isolation valves are closed, and the Feedwater Injection is terminated.
(3) Opening the output breakers on feeders from the NSPS buses and the auxiliary 120 Vac bus to the Reactor Protection System trip logic channels will be used as a backup means of scramming the reactor and closing the containment and reactor vessel isolation valves. The controls for this function are located on the Reactor Protection System power distribution panel.
(4) When conditions of the evacuation warrant, the breaker for the scram solenoids will be opened and left open while the control room is unattended to assure the reactor scram and to prevent unplanned and spurious rod withdrawal.

(5) Operate transfer switches to transfer control to the remote shutdown panel. The operation of the transfer switches is such that the operator can either transfer all control to the Remote Shutdown Panel by operating all switches or transfer only the system (RCIC or RHR Shutdown Cooling) to be operated by operating the associated transfer switch. Operation of any single transfer switch will not transfer controls or indication for more than one system for most NSSS (see Section 7.4.1.4.4.3).
(6) Relief valves may open automatically and cycle to control reactor pressure. Reactor level will drop at a rate dependent on prior power level and elapsed time from scram.
(7) The postulated situation and actions taken upon evacuation of the main control room are expected to result in Emergency Operating Procedure (EOP) entry conditions. The EOPs, when entered, are utilized concurrently with the remote shutdown procedure for controlling critical plant parameters.
(8) The operator establishes RPV water level control consistent with EOP guidance using RCIC as the preferred system. LPCI (Div 1 or Div 2) is available for RPV level control if needed.
(9) The operator establishes RPV pressure control consistent with EOP guidance utilizing RCIC, SRVs (Div 1 or 2), or a combination of both.
(10) Use the RHR system with pump and one heat exchanger, and associated water systems to cool the suppression pool.
(11) After RPV water level and pressure control has been established, a controlled plant cooldown to 96.5 psig is commenced. The reactor cooldown rate should not exceed 100°F per hour, as determined by observing reactor pressure.
(12) Place the RHR system in the shutdown cooling mode, and continue cooldown until the reactor is in the cold low-pressure condition.
(13) As a backup means of shutdown in the event that Division I control and indication is unavailable at the Remote Shutdown Panel, the operator can control reactor depressurization at the panel by operating the Division II SRV controls and monitoring Division II indications. The cooldown can be accomplished by local operation of Division II equipment at motor control centers.

7.4.1.4.4 Remote Shutdown Capability Controls and Instrumentation Equipment, Panels, and Displays

7.4.1.4.4.1 Main Control Room - Remote Shutdown Capability Interconnection Design Considerations

Some of the systems used in the normal reactor shutdown operation are also utilized in the remote shutdown capability to shut down the reactor from outside the main control room. The remote shutdown capability for Division I, with the exception identified in section 7.4.1.4.4.3, is designed to control the required shutdown systems from outside the main control room irrespective of shorts, opens, or grounds in the control circuit in the main control room that may have resulted from the event causing an evacuation. For Division I with the exception identified in section 7.4.1.4.4.3, the functions needed for remote shutdown control are provided with manual transfer devices which override controls in the main control room and transfer the controls to the remote shutdown panel. All necessary power supplies are also transferred. For Division I with the exception identified in section 7.4.1.4.4.3, remote shutdown control is not possible without actuation of the transfer devices. Operation of the transfer devices causes an alarm in the main control room. The remote shutdown panel is located in the Aux. Building. Access to this panel is administratively controlled.
Most of the Division II control switches and indicating lights are located on various MCC cubicles and switchgear compartments. Actuation of these control switches will sound alarms in the control room. The automatic controls and permissives for this equipment are not bypassed by the control switches for remote shutdown for Division II.

7.4.1.4.4.2 Reactor Core Isolation Cooling (RCIC) System

The following RCIC System equipment/functions have transfer and control switches located on the remote shutdown panel:

DIVISION I
E51-F010 - RCIC Storage Tank Suction Valve
E51-F013 - RCIC Pump Discharge to Reactor Outboard Isolation Valve
E51-F019 - RCIC Pump Minimum Flow Recirc to Suppression Pool
E51-F022 - RCIC Pump First Test Valve to Storage Tank
E51-C002F - Gland Seal Compressor
E51-F031 - RCIC Suppression Pool Suction Valve
E51-F045 - RCIC Turbine Steam Supply Shutoff Valve
E51-F046 - RCIC Pump Supply to Turbine Lube Oil Cooler
E51-F059 - RCIC Pump Second Test Valve to Storage Tank
E51-F064 - RHR and RCIC Steam Supply Outboard Isolation Valve
E51-F068 - RCIC Turbine Exhaust to Suppression Pool Stop Valve
E51-F077 - RCIC Exhaust Vacuum Breaker Outboard Isolation Valve
E51-C002E - RCIC Turbine Trip Throttle Valve

DIVISION II
E51-F063 - RHR and RCIC Steam Supply Inboard Isolation Valve
E51-F076 - RHR and RCIC Steam Supply Warm Up Isolation Valve
E51-F078 - RCIC Exhaust Vacuum Breaker Inboard Isolation Valve

See RCIC P&ID Drawing M05-1079. RCIC functional control is shown on drawing E02-1R199 which reflects the latest RCIC system design. (Q&R 421.14)

The following RCIC System instrumentation is provided on the remote shutdown panel:

(1) RCIC Flow Controller and indicator, transfer switch, DC-to-AC inverter and square root converter
(2) RCIC Turbine Speed Indicator
(3) Indicating lights are provided for:
a. Turbine tripped
b. Turbine Bearing oil low pressure
c. Turbine governor end bearing oil temperature high
d. Turbine coupling end bearing oil temperature high
(4) RCIC storage tank level indicator.
(5) Suppression pool level indicator (Div. I and II).
(6) Suppression pool temperature indicator (Div. I and II).

7.4.1.4.4.3 Residual Heat Removal (RHR) System

The following RHR System equipment/functions have transfer and control switches located at the remote shutdown panel:

DIVISION I
1E12-C002A - RHR Pump A
1E12-F003A - RHR A Heat Exchanger Outlet Valve
1E12-F004A - RHR A Suppression Pool Suction Valve
1E12-F006A - RHR A Shutdown Cooling Suction Valve
1E12-F008 - Shutdown Cooling Outboard Suction Isolation Valve
1E12-F014A - RHR A Heat Exchanger SSW Inlet Valve
1E12-F024A - RHR Pump A Test Line Return to Suppression Pool
1E12-F027A - RHR to Containment Outboard Isolation Valve
1E12-F028A - RHR A to Containment Spray Shutoff Valve
1E12-F037A - RHR A to Containment Pool Cooling Shutoff Valve
1E12-F042A - RHR Pump A LPCI Injection Valve
1E12-F047A - RHR A Heat Exchanger Inlet Valve
1E12-F048A - RHR A Heat Exchanger Bypass Valve
1E12-F053A - RHR Shutdown Cooling Return Valve
1E12-F064A - RHR Pump A Minimum Flow Recirc Valve
1E12-F068A - RHR A Heat Exchanger SSW Outlet Valve

DIVISION II
1E12-F006B - RHR B Shutdown Cooling Suction Valve
1E12-F009 - Shutdown Cooling Inboard Suction Isolation Valve

The following RHR system equipment/functions have control switches located at various MCCs or switchgears:

DIVISION I
1E12-F023 - RPV Spray Isolation Valve

DIVISION II
1E12-F014B - RHR B Heat Exchanger SSW Inlet Valve
1E12-F068B - RHR B Heat Exchanger SSW Outlet Valve
1E12-F004B - RHR Pump B Suppression Pool Suction Valve
1E12-F003B - RHR B Heat Exchanger Shell Side Outlet Valve
1E12-F064B - RHR Pump B Minimum Flow Recirc Valve
1E12-F048B - RHR B Heat Exchanger Bypass Valve
1E12-F047B - RHR B Heat Exchanger Inlet Valve
1E12-C002B - RHR Pump B
1E12-F024B - RHR Pump B Test Line Return to Suppression Pool Valve
1E12-F042B - RHR Pump B LPCI Injection Valve
1E12-F053B - RHR Shutdown Cooling Return Valve

The following RHR instrumentation is located on the remote shutdown panel:

(1) RHR Flow indicator (Division I)

The Division II RHR pump flow is derived from pump differential pressure by locally obtaining suction and discharge pressure from instrumentation located on panel 1H22-P021.

7.4.1.4.4.4 Nuclear Boiler System

The following functions have transfer and control switches located at the remote shutdown panel: Division I and Division II controls for two non-ADS and one ADS air operated relief valves are provided on different sections of the panel to provide the capability to manually depressurize the reactor from either division. (The valves are 125 Vdc solenoid pilot operated.)

The following Nuclear Boiler instrumentation is provided on the remote shutdown panel:

(1) Reactor water level indicators (Div. I and II)

(2) Reactor pressure indicators (Div. I and II)

7.4.1.4.4.5 Shutdown Service Water System

The following Shutdown Service Water System (SSWS) equipment/functions have transfer and control switches located at the remote shutdown panel for proper operation of the remote shutdown system:

One control switch is provided for each of the following:

DIVISION I
SX01PA - SSW Pump 1A
SX014A - Plant Service Water to SSW System Interconnection Valve
SX063A - Diesel Generator 1A Heat Exchanger Outlet Valve

One control (selector) switch is provided which is common to the following:

DIVISION I
SX003A - SSWS Strainer 1A Inlet Valve
SX004A - SSWS Strainer 1A Outlet Valve
SX008A - SSWS Strainer 1A Bypass Valve

Controls for the strainer motor are available on a motor control center remote from the main control room.

One control switch is provided which is common to all of the following. This switch allows closing of all valves listed.

DIVISION I
SX011A - SSWS Division 1 Crosstie Isolation Valve
SX082A - RHR Heat Exchanger 1A Demineralized Water Inlet Valve
SX012A - Fuel Pool Heat Exchanger 1A SSW Inlet Valve
SX062A - Fuel Pool Heat Exchanger 1A SSW Outlet Valve
SX016A - SSW to Fuel Pool Make-Up Inlet Valve
SX073A - SGTS Train A Charcoal Bed Deluge Valve
SX076A - Control Room HVAC Recirc Unit A Deluge Valve
SX107A - Control Room HVAC M/U Unit A Deluge Valve

The following shutdown service water system equipment/functions have control switches located at local MCC/switchgear (no transfer switches are provided):

DIVISION II
SX01PB - SSWS Pump 1B
SX014B - Plant Service Water to SSW System Interconnection Valve

The following SSWS instrumentation is provided at the remote shutdown panel:

(1) SSWS Strainer A discharge pressure indicator.
(2) Alarm (indicating light) for SSWS Strainer A high differential pressure.

7.4.1.4.4.6 Essential Equipment Cubicle HVAC Systems

The following essential equipment cubicle HVAC systems have transfer switches located on the remote shutdown panel. Controls are provided by local instrumentation remote from the main control room.

DIVISION I
VH01CA - SSW Pump 1A Room Supply Fan
VY02C - RHR Pump 1A Room Supply Fan
VY03C - RHR Heat Exchanger 1A Room Supply Fan
VY04C - RCIC Pump Room Supply Fan
VD01CA - Diesel Generator 1A Room Vent Fan
VD02CA - Diesel Generator 1A Fuel Oil Storage/Day Tank Room Exhaust Fan
VX03CA - Division 1 Switchgear Room Exhaust Fan
VX05CA - Division 1 Battery Room Exhaust Fan
VX12CA - Switchgear Heat Removal Return Fan A

The following essential equipment cubicle HVAC system has control switches provided at local MCC (no transfer switches are provided):

DIVISION II
VH01CB - SSW pump room B supply fan

Status (indicating) lights are provided on the remote shutdown panel for each of the fans listed.

7.4.1.4.4.7 Miscellaneous Instrumentation

The following miscellaneous instrumentation is provided on the remote shutdown panel:

(1) Drywell temperature indications (two)
(2) Suppression pool temperature indicators (Three each in Division I and Division II associated with the three safety relief valves controlled from each division.)
(3) Indicating lights for:
a. Diesel Generator Status
b. Diesel Fuel Oil Transfer Pump Status

7.4.1.4.4.8 Miscellaneous Controls

The following miscellaneous equipment/function has a transfer and control switch at the remote shutdown panel for proper operation of the remote shutdown system:

DIVISION I
480V Unit Substation 1A and A1 breaker

A transfer switch is provided to isolate the following equipment/functions from the main control room (no control switches are located at the remote shutdown panel):

DIVISION I
Diesel generator output breaker control power.
Diesel generator fuel oil transfer pump.

7.4.1.4.4.9 Reactor Water Cleanup System

The Reactor Water Cleanup pump suction outboard isolation valve 1G33-F004 control is provided by transfer and control switches located on MCC 1A3.

7.4.1.4.4.10 Instrument Air System

The Compressed Gas Header Outboard Isolation Valve 1IA012A control is provided by transfer and control switches located on Auxiliary Building MCC 1A3.

7.4.1.4.4.11 Main Steam Line System

The Main Steam Line Drain Outboard Isolation Valve 1B21-F019 control is provided by transfer and control switches located on MCC 1A3.

7.4.1.4.4.12 Feedwater System

The Feedwater Shutoff valves 1B21-F065A and 1B21-F065B control is provided by transfer and control switches located on Auxiliary Building MCC 1A2.

7.4.2 Analysis

7.4.2.1 Reactor Core Isolation Cooling (RCIC) System - Instrumentation and Control

7.4.2.1.1 General Functional Requirements Conformance

For the events specified in Subsection 7.4.1.1.1.1, the RCIC system has a makeup capacity sufficient to prevent the reactor vessel water level from decreasing to the level where the core is uncovered. To provide a high degree of assurance that the RCIC system shall operate when necessary and in time to provide adequate inventory makeup, the power supply for the system is taken from energy sources of high reliability and which are immediately available. Evaluation of instrumentation reliability for the RCIC system shows that no failure of a single initiating sensor either prevents or falsely starts the system.

A design flow functional test of the RCIC system can be performed during plant operation by taking suction from the demineralized water in the RCIC storage tank and discharging through the full flow test return line back to the RCIC storage tank. During the test, the discharge valve to the reactor vessel remains closed so that reactor operation is not disturbed. Control system design provides automatic return from the test mode to the operating mode if system initiation is required during testing except for the conditions described in 7.4.1.1.3.1.

Chapter 15 and Appendix 15A of Chapter 15 examine the system level aspects of this system in plant operation and consider its function under various plant transient events.

7.4.2.1.2 Specific Regulatory Requirements Conformance

7.4.2.1.2.1 NRC Regulatory Guides Conformance

7.4.2.1.2.1.1 RG 1.6 - Independence Between Redundant Standby Power Sources and Between Their Distribution Systems

Since it is not necessary for RCIC alone to meet the single-failure criterion, redundant power sources are not required.

7.4.2.1.2.1.2 RG 1.11 - Instrument Lines Penetrating Primary Reactor Containment

All RCIC instrument lines penetrating or connected to containment meet the requirements of regulatory position C.1 of RG 1.11, with the exceptions stated in Section 1.8.

7.4.2.1.2.1.3 RG 1.22 - Periodic Testing of Protection System Actuation Functions

RCIC is fully testable from initiating sensors to actuated devices during full power operation, except for the discharge valve to head spray nozzle.

7.4.2.1.2.1.4 RG 1.29 - Seismic Design Classification

The safety related portion of RCIC instrumentation and control is classified as Seismic Category I and is qualified to remain functional following an SSE.

7.4.2.1.2.1.5 RG 1.30 - Quality Assurance Requirements for the Installation, Inspection and Testing of Instrumentation and Electric Equipment

Conformance to RG 1.30 is discussed in Subsection 7.1.2.6.7.

7.4.2.1.2.1.6 RG 1.32 - Use of IEEE - 308

Conformance to RG 1.32 as discussed in Section 8.3 is applicable to RCIC safety related control instrumentation.

7.4.2.1.2.1.7 RG 1.47 - Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety System

Regulatory Guide 1.47 Positions C.1, C.2, and C.3

Automatic indication is provided in the main control room to inform the operator that RCIC is inoperable. Annunciation is provided to indicate the system or part of the system is not operable. Bypasses of certain infrequently used pieces of equipment, such as manual locked open valves, are not automatically annunciated in the main control room; however, capability for manual activation of each system level bypass indicator is provided in the control room for those systems that have these infrequently used bypasses. An administratively controlled switch is used for this manual activation. Following are examples of automatic indication of inoperability.

(1) Circuit breaker opening or withdrawal is indicated in the main control room.
(2) All motor control center control circuits are individually monitored. If control voltage is lost as a result of tripping of a motor starter feeder breaker or removal of a fuse in the control circuit, indication is provided in the main control room.
(3) Instruments which form part of a one-out-of-two twice logic can be removed from service for calibration. Removal of the instrument from service will be annunciated in the control room as "RCIC Division 1(2) out of service."
(4) The RCIC contains a control switch with "Lockout" or "Test Mode" with continuous main control room indication that "Lockout" or "Test Mode" has been selected.

Regulatory Guide 1.47 Position C.4

All the annunciators can be tested by depressing the annunciator test switches on the main control room benchboards.

Individual indicators will be arranged together on the control room panel to indicate what function of the system is out of service, bypassed, or otherwise inoperable. All bypass and inoperability indicators both at a system level and component level will be grouped only with items that will prevent a system from operating if needed. Indication of pressures, temperatures, and other system variables that are a result of system operation will not be included with the bypass and inoperability indicators.

These indication provisions serve to supplement administrative controls and aid the operator in assessing the availability of component and system level protective actions. This indication does not perform a safety function.

All non-1E circuits are electrically independent of the station safety systems. The annunciator initiation signals are provided with isolators and can in no way prevent protective actions.

Each indicator will be provided with dual lamps. Testing will be included on a periodic basis when equipment associated with the indication is tested.

7.4.2.1.2.1.8 RG 1.53 - Application of the Single-Failure Criterion to Nuclear Power Plant Protection Systems

RCIC meets the single-failure criterion on a network basis in conjunction with HPCS. It is not necessary for RCIC alone to meet the single-failure criterion in itself since its function is duplicated or backed up by other systems. Redundant sensors are discussed in Section 7.4.2.1.2.3.1.6.

7.4.2.1.2.1.9 RG 1.62 - Manual Initiation of Protective Actions

RCIC may be automatically as well as manually initiated inside the main control room as well as manually at the remote shutdown facility outside the main control room.

7.4.2.1.2.1.10 RG 1.63 - Electric Penetration Assemblies in Containment Structures for Water-Cooled Nuclear Power Plants

Conformance to RG 1.63 is discussed in Subsection 8.1.6.1.12.

7.4.2.1.2.1.11 RG 1.75

See Subsection 7.1.2.6.19 for discussion of the degree of conformance.

7.4.2.1.2.1.12 RG 1.89 - Qualification of Class 1E Equipment for Nuclear Power Plants

Conformance to RG 1.89 is discussed in Section 3.11.

7.4.2.1.2.1.13 Regulatory Guide 1.97 See Subsection 7.1.2.6.23 for discussion of the degree of conformance.

CPS/USAR CHAPTER 07 7.4-27 REV. 11, JANUARY 2005 7.4.2.1.2.1.14 Regulatory Guide 1.100 See Section 3.10 for discussion of the degree of conformance.

7.4.2.1.2.1.15 Regulatory Guide 1.105 See Subsection 7.1.2.6.25 for discussion of the degree of conformance. 7.4.2.1.2.1.16 Regulatory Guide 1.118 See Subsection 7.1.2.6.26 for discussion of the degree of conformance.

7.4.2.1.2.2 NRC Regulations Conformance - 10 CFR 50 Appendix A Requirements

7.4.2.1.2.2.1 General Design Criterion 13

The reactor vessel water level, RCIC pump discharge pressure, and RCIC flow rate are monitored and displayed in the main control room.

7.4.2.1.2.2.2 General Design Criterion 20

Level sensors constantly monitor the water level in the reactor vessel and the RCIC system is automatically initiated when the level drops below the pre-established set point.

7.4.2.1.2.2.3 General Design Criterion 21

RCIC is fully testable from sensor to actuated device during normal operation.

7.4.2.1.2.2.4 General Design Criterion 22

RCIC initiation signal is supplied by redundant, independent sensors in a one-out-of-two twice logic.

7.4.2.1.2.2.4.1 General Design Criterion 24

The RCIC system is designed to be completely independent of control systems such that no single control system failure can affect RCIC operation.

7.4.2.1.2.2.5 General Design Criterion 29

RCIC maintains reactor vessel water level by providing the makeup water in the event the reactor becomes isolated from the main condenser during normal operation.

7.4.2.1.2.2.6 General Design Criterion 34

Conformance to GDC 34 is discussed in Subsection 7.4.1.1.1.1.(3).

7.4.2.1.2.2.7 General Design Criterion 37

RCIC is not part of the ECCS.

7.4.2.1.2.3 Conformance to Industry Codes and Standards

7.4.2.1.2.3.1 IEEE 279

7.4.2.1.2.3.1.1 General Functional Requirement (IEEE 279, Paragraph 4.1)

RCIC is automatically initiated by reactor low water level measurements.

7.4.2.1.2.3.1.2 Single-Failure Criterion (IEEE 279, Paragraph 4.2)

The RCIC system is not required to meet the single-failure criterion. The RCIC initiation sensors wiring and logic cabinet do, however, meet the single-failure criterion. Physical separation of instrument sensing lines is provided so that no single instrument rack destruction or single instrument sensing line (pipe) failure can prevent RCIC initiation. Wiring separation between divisions also provides tolerance to single wireway destruction (including shorts, opens, and grounds) in the accident detection portion of the control logic. The single-failure criterion is not applied to the logic cabinet or to other equipment required to function for RCIC operation. RCIC and HPCS mitigate only the water level effects of a rod drop accident by providing makeup water required as a consequence of this event. Chapter 15 analysis of the rod drop accident, however, takes no credit for either of these systems in mitigating the consequences of the event. (Q&R 421.4)

7.4.2.1.2.3.1.3 Quality of Components and Modules (IEEE 279, Paragraph 4.3)

The components of the RCIC instrumentation and control are of the same high quality as the ECCS systems. The safety-related portion of RCIC control and instrumentation components and modules is seismically qualified to remain functional following a Safe Shutdown Earthquake (SSE).

7.4.2.1.2.3.1.4 Equipment Qualification (IEEE 279, Paragraph 4.4)

No components of the RCIC control system are required to operate in the drywell environment except the RCIC steamline isolation valve. All other equipment for RCIC initiation is located outside the drywell and is capable of accurate operation in ambient temperature conditions that result from abnormal conditions. Panels and equipment cabinets are located in the main control room and/or auxiliary room environment so environmental testing of components mounted in these enclosures is not warranted. The components in the RCIC control system have demonstrated their reliable operability in previous applications in nuclear power plant protection systems or in extensive industrial use.

7.4.2.1.2.3.1.5 Channel Integrity (IEEE 279, Paragraph 4.5)

The RCIC system instrument initiation channels satisfy the channel integrity objective.

7.4.2.1.2.3.1.6 Channel Independence (IEEE 279, Paragraph 4.6)

Channel independence for initiation sensors is provided by electrical and mechanical separation. The A sensors for reactor vessel level, for instance, are located on one local instrument panel identified as Division 1 equipment and the B sensors are located on a second instrument panel widely separated from the first and identified as Division 2 equipment. The Division 1 sensors have a common pair of process taps which are widely separated from the corresponding taps for the Division 2 sensors. Disabling one or both sensors in one location does not disable the control for RCIC initiation.

7.4.2.1.2.3.1.7 Control and Protection Interaction (IEEE 279, Paragraph 4.7)

The RCIC system has no interaction with plant control systems. Annunciator circuits use sensors and logic circuits which cannot impair the operability of the RCIC system control because of electrical isolation.

7.4.2.1.2.3.1.8 Derivation of System Inputs (IEEE 279, Paragraph 4.8)

The RCIC system uses a direct measure of the need for coolant inventory makeup, e.g., reactor vessel low water level.

7.4.2.1.2.3.1.9 Capability for Sensor Checks (IEEE 279, Paragraph 4.9)

All sensors are installed with calibration taps and instrument valves to permit testing during normal plant operation or during shutdown.

7.4.2.1.2.3.1.10 Capability for Test and Calibration (IEEE 279, Paragraph 4.10)

The RCIC control system can be completely tested during normal plant operation to verify that each element of the system, whether active or passive, is capable of performing its intended function. As part of this test the turbine and RCIC pump are started in the test mode with the pump discharging into the RCIC storage tank. In this test mode all major components, except the isolation valves, are tested. Valve operability tests complete the major system component testing.

7.4.2.1.2.3.1.11 Channel Bypass or Removal From Operation (IEEE 279, Paragraph 4.11)

Calibration of a sensor which introduces a single instrument channel trip will not cause a protective function without the coincident trip of a second channel. There are no instrument channel bypasses. Removal of a sensor from operation during calibration does not prevent the redundant instrument channel from functioning.

7.4.2.1.2.3.1.12 Operating Bypasses (IEEE 279, Paragraph 4.12)

There is no violation of the operating bypass section of IEEE 279, since RCIC and HPCS cannot be simultaneously disabled.

7.4.2.1.2.3.1.13 Indication of Bypasses (IEEE 279, Paragraph 4.13)

Automatic indication of bypasses is provided by individual annunciators to indicate what function of the system is out of service, bypassed or otherwise inoperative. In addition, each of the indicated bypasses also activates a "SYSTEM-INOPERATIVE" or a "SYSTEM-OUT-OF-SERVICE" annunciator. Manual "SYSTEM INOPERATIVE" or "SYSTEM-OUT-OF-SERVICE" switches are provided for operator use for items that are only under administrative control.

7.4.2.1.2.3.1.14 Access to Means for Bypassing (IEEE 279, Paragraph 4.14)

Access to means of bypassing is located in the main control room and therefore under the administrative control of the operators.

7.4.2.1.2.3.1.15 Multiple Set Points (IEEE 279, Paragraph 4.15)

This is not applicable.

7.4.2.1.2.3.1.16 Completion of Protective Action Once it is Initiated (IEEE 279, Paragraph 4.16)

The final control elements for the RCIC system are essentially bistable, i.e., motor-operated valves stay open or closed once they have reached their desired position, even though their starter may drop out. In the case of the gland seal air compressor, the auto initiation signal is electrically sealed-in. Thus, once protective action is initiated (i.e., flow established), it must go to completion until terminated by deliberate operator action or automatically stopped on high vessel water level or system malfunction trip signals.

7.4.2.1.2.3.1.17 Manual Actuation (IEEE 279, Paragraph 4.17)

Each piece of RCIC actuation equipment required to operate (pumps and valves) is capable of manual initiation from the main control room. Failure of logic circuitry to initiate the RCIC system will not affect the manual control of equipment. However, failures of active components or control circuits which produce a turbine trip may disable the manual actuation of the RCIC system. Failures of this type are continuously monitored by alarms.

7.4.2.1.2.3.1.18 Access to Set Point Adjustment (IEEE 279, Paragraph 4.18)

Access to setpoint adjustment is under administrative controls.

7.4.2.1.2.3.1.19 Identification of Protective Actions (IEEE 279, Paragraph 4.19)

Protective actions are directly indicated and identified by annunciator operation or action of the trip unit which permits convenient visible verification of the trip unit actuation. The annunciation of trips fulfills the requirements of this criterion.

7.4.2.1.2.3.1.20 Information Readout (IEEE 279, Paragraph 4.20)

The RCIC control system is designed to provide the operator with accurate and timely information pertinent to its status. It does not introduce signals into other systems that could cause anomalous indications confusing to the operator. Periodic testing is provided for verifying the operability of the RCIC components. Proper selection of test periods compatible with the historically established reliability of the components avails complete and timely indications.

Sufficient information is provided on a continuous basis so that the operator can have a high degree of confidence that the RCIC function is available and/or operating properly.

7.4.2.1.2.3.1.21 System Repair (IEEE 279, Paragraph 4.21)

The RCIC control system is designed to permit repair or replacement of components.

7.4.2.1.2.3.1.22 Identification (IEEE 279, Paragraph 4.22)

All controls and instruments are located in specific main control room panels which are clearly identified by nameplates.

7.4.2.1.2.3.2 IEEE 323 General Guide for Qualifying Class 1E Electric Equipment For Nuclear Power Generating Stations

Specific conformance to requirements of IEEE 323 is covered in Section 7.1.2.5 and Section 3.11.

7.4.2.1.2.3.3 IEEE 338 Criteria for Periodic Testing of Nuclear Power Generating Station Protection Systems

The RCIC system is fully testable during normal operation in conformance with IEEE 338. For further discussions refer to Subsections 7.4.2.1.2.3.1.9 and 7.4.2.1.2.3.1.10.

7.4.2.1.2.3.4 IEEE 344 Guide for Seismic Qualification of Class I Electric Equipment for Nuclear Power Generating Stations

The conformance to the requirements of IEEE 344 is detailed in Section 3.10.

7.4.2.2 Standby Liquid Control System (SLCS) Instrumentation and Controls

7.4.2.2.1 General Functional Requirements Conformance

Redundant positive displacement pumps, explosive valves, and control circuits for the standby liquid control system components have been provided in Section 7.4.1.2. This constitutes all of the active equipment required for injection of the sodium pentaborate solution. Continuity relays provide monitoring of the explosive valves, and indicator lights provide indication on the reactor control bench board of system status. Testability and redundant power sources are described in subsections 7.4.2.2.2.1.3 and 7.4.1.2.2. Chapter 15 and Appendix A of Chapter 15 examine the system-level aspects of the subject system under applicable plant events. Loss of plant instrument air or cooling water will not, by itself, prevent reactor shutdown capability.

7.4.2.2.2 Specific Regulatory Requirements Conformance

7.4.2.2.2.1 NRC Regulatory Guides Conformance

7.4.2.2.2.1.1 NOT USED

7.4.2.2.2.1.2 NOT USED

7.4.2.2.2.1.3 RG 1.22 - Periodic Testing of Protection System Actuation Functions

SLCS is capable of testing from initiation to actuated devices, except squib valves, during normal operation. In the test mode, demineralized water is circulated in the SLCS loops rather than sodium pentaborate. The explosive valves may be tested when the plant is shut down. Otherwise, continuity in the explosive valve initiation circuits is continuously monitored during plant operation.

7.4.2.2.2.1.4 RG 1.29 - Seismic Design Classification

The controls essential to the operation of the SLCS are classified as Seismic Category I and are qualified to remain functional following a SSE.

7.4.2.2.2.1.5 RG 1.30 - Quality Assurance Requirements for the Installation, Inspection, and Testing of Instrumentation and Electric Equipment

Conformance to RG 1.30 is discussed in Section 7.1.2.6.

7.4.2.2.2.1.6 NOT USED

7.4.2.2.2.1.7 RG 1.47 - Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety System

System level bypass condition is automatically indicated as described in Section 7.4.1.2. The removal of equipment for servicing is indicated by an administratively controlled display.

7.4.2.2.2.1.8 RG 1.53 - Application of the Single-Failure Criterion to Nuclear Power Plant Protection Systems

SLCS is a backup method of manually shutting down the reactor to cold subcritical conditions by independent means other than the normal method by the control rod system. It is not necessary for SLCS to meet the single-failure criterion. The heating elements, the discharge pumps and pump motors, and the explosive valves are redundant so that no single failure in one of these components will cause or prevent initiation of SLCS.

7.4.2.2.2.1.9 RG 1.62 - Manual Initiation of Protective Action

SLCS may be initiated manually from the main control room. The timing associated with SLCS is large compared to ten minutes so that the operator will have sufficient time to initiate SLCS if necessary.

7.4.2.2.2.1.10 RG 1.63 - Electric Penetration Assemblies in Containment Structures for Water-Cooled Nuclear Power Plants

Conformance to RG 1.63 is discussed in Chapter 8.

7.4.2.2.2.1.11 RG 1.75 - Physical Independence of Electrical System

Physical independence of electrical systems of the SLCS is provided by channel independence for sensors exposed to each process variable using electrical and mechanical separation. Physical separation is maintained between redundant elements adding to reliability of operation.

7.4.2.2.2.1.12 RG 1.89 - Qualification of Class 1E Equipment for Nuclear Power Plants

Conformance to RG 1.89 is discussed in Section 3.11.

7.4.2.2.2.1.13 Regulatory Guide 1.100 - Seismic Qualification of Electrical Equipment for Nuclear Power Plants

See Section 3.10 for discussion of the degree of conformance.

7.4.2.2.2.1.14 Regulatory Guide 1.105 - Instrument Set Points

See Subsection 7.1.2.6.25 for discussion of the degree of conformance.

7.4.2.2.2.1.15 Regulatory Guide 1.118 - Periodic Testing of Electrical Power and Protection Systems

See Subsection 7.1.2.26 for discussion of the degree of conformance.

7.4.2.2.2.2 NRC Regulations Conformance - 10 CFR Appendix A Requirements

7.4.2.2.2.2.1 General Design Criterion 13

The sodium pentaborate tank temperature and level and explosive valves control circuit continuity are monitored and annunciated.

7.4.2.2.2.2.2 General Design Criterion 26

SLCS is a backup method of manually shutting down the reactor to cold subcritical conditions by independent means other than the normal method by the control rod system.

7.4.2.2.2.2.3 General Design Criterion 27

The system provides reactivity control with sufficient margin to assure that the core is maintained cool.

7.4.2.2.2.2.4 General Design Criterion 28

The SLCS is designed to bring the reactor from full power to subcritical condition.

7.4.2.2.2.2.5 General Design Criterion 29

SLCS maintains the reactor subcritical by introducing poison into the reactor in the event the control rods fail to achieve subcriticality in the reactor.

7.4.2.2.2.3 Conformance to Industry Codes and Standards

7.4.2.2.2.3.1 IEEE 279

7.4.2.2.2.3.1.1 General Functional Requirement (IEEE 279, Paragraph 4.1)

SLCS is manually initiated by operator action. Display instrumentation in the main control room provides the operator with information on reactor vessel water level, pressure, neutron flux level, control rod position, and scram valve status.

7.4.2.2.2.3.1.2 Single Failure Criterion (IEEE 279, Paragraph 4.2)

The standby liquid control system is a backup method of manually shutting down the reactor to cold subcritical conditions by independent means other than the normal method by the control rod system. It is not necessary for SLCS to meet the single failure criterion. However, the discharge pumps and pump motors, the explosive valves, and the storage tank outlet valves are redundant so that no single failure in one of these components will cause or prevent initiation of SLCS.

7.4.2.2.2.3.1.3 Quality of Components and Modules (IEEE 279, Paragraph 4.3)

The control components of SLCS are qualified Class 1E in accordance with IEEE 323.

7.4.2.2.2.3.1.4 Equipment Qualification (IEEE 279, Paragraph 4.4)

No components of SLCS are required to operate in the drywell environment. A maintenance valve and isolation check valve are the only components located inside the drywell and the maintenance valve is normally locked open. Other SLCS equipment is located outside the drywell and is capable of operation following an SSE.

7.4.2.2.2.3.1.5 Channel Integrity (IEEE 279, Paragraph 4.5)

SLCS is not required to operate during a design basis accident. It is designed to remain functional following an SSE.

7.4.2.2.2.3.1.6 Channel Independence (IEEE 279, Paragraph 4.6)

SLCS is a backup method of manually shutting down the reactor to cold subcritical conditions by independent means other than the normal method by the control rod system. It is therefore kept independent of the control rod scram system. There are two channels of control circuits, discharge pumps and motors, explosive valves and storage tank discharge valves. These two channels are independent of each other, so that failure in one channel will not prevent the other from operating.

7.4.2.2.2.3.1.7 Control and Protection Interaction (IEEE 279, Paragraph 4.7)

SLCS has no interaction with plant control systems. It has no function during normal plant operation and it is completely independent of control systems and other safety systems.

7.4.2.2.2.3.1.8 Derivation of System Inputs (IEEE 279, Paragraph 4.8)

Display instrumentation in the main control room provides the operator with information on reactor vessel water level, pressure, neutron flux level, control rod position and scram valve status. Based on this information, the operator can manually initiate SLCS.

7.4.2.2.2.3.1.9 Capability of Sensor Checks (IEEE 279, Paragraph 4.9)

The explosive valve control circuit continuity is continuously monitored and is indicated in the main control room. The testability of the sensors that provide information on reactor water level, pressure, and neutron flux is discussed in Sections 7.2 and 7.3 and Topical Report NEDO-21617-A.

7.4.2.2.2.3.1.10 Capability for Test and Calibration (IEEE 279, Paragraph 4.10)

The explosive valves may be tested during plant shutdown. The explosive valve control circuits are continuously monitored and indicated in the main control room. The remainder of the SLCS may be tested during normal plant operation to verify each element, passive or active, is capable of performing its intended function. In the test mode, demineralized water instead of sodium pentaborate solution is circulated from and back to the test tank.

7.4.2.2.2.3.1.11 Channel Bypass or Removal from Operation (IEEE 279, Paragraph 4.11)

The discharge pumps and pump motors are redundant, so that one pump may be removed from service during normal plant operation in accordance with Technical Specification 3.1.7.

7.4.2.2.2.3.1.12 Operating Bypass (IEEE 279, Paragraph 4.12)

SLCS has no function during normal plant operation.

7.4.2.2.2.3.1.13 Indication of Bypass (IEEE 279, Paragraph 4.13)

Removal of components from service is manually indicated in the main control room.

7.4.2.2.2.3.1.14 Access to Means for Bypass (IEEE 279, Paragraph 4.14)

Removal of components from service during normal plant operation is under administrative control.

7.4.2.2.2.3.1.15 Multiple Set Points (IEEE 279, Paragraph 4.15)

The actual injection operation of SLCS is not dependent on or affected by set points because the system is manually initiated.

7.4.2.2.2.3.1.16 Completion of Protective Action Once it is Initiated (IEEE 279, Paragraph 4.16)

The explosive valves remain open once fired, and once initiated the injection valves will not close and discharge pump motors will not stop running unless terminated by operator action.

7.4.2.2.2.3.1.17 Manual Initiation (IEEE 279, Paragraph 4.17)

SLCS may only be manually initiated.

7.4.2.2.2.3.1.18 Access to Set Point Adjustments, Calibration and Test Points (IEEE 279, Paragraph 4.18)

The actual injection operation of SLCS is not dependent on or affected by any set point adjustment or calibration, because the system is manually initiated. The control circuits, discharge pumps, pump motors, and motor-operated valves are accessible for test and service. Setpoint adjustments for Boron solution temperature and level are inside the containment or within the main control room and are, therefore, under administrative control.

7.4.2.2.2.3.1.19 Identification of Protective Actions (IEEE 279, Paragraph 4.19)

The explosive valve status, once fired, is indicated in the main control room. Other indications of SLC action are noted in Subsection 7.4.1.2.5.2.

7.4.2.2.2.3.1.20 Information Readout (IEEE 279, Paragraph 4.20)

The discharge pressure of sodium pentaborate pumps is indicated in the main control room. Also, storage tank level is indicated in the main control room.

7.4.2.2.2.3.1.21 System Repair (IEEE 279, Paragraph 4.21)

The control circuits, pumps and pump motors may be repaired or replaced during normal plant operation. This is possible because of the redundant electrical control train provided.

7.4.2.2.2.3.1.22 Identification (IEEE 279, Paragraph 4.22)

Controls and instrumentation are located in main control room and local panels and are clearly identified by nameplates.

7.4.2.2.2.3.2 IEEE 308 Criteria for Class 1E Power Systems for Nuclear Power Generating Stations

SLCS loads are physically separated and electrically isolated into redundant load groups so that safety action provided by redundant counterparts is not compromised.

7.4.2.2.2.3.3 IEEE 323 - General Guide for Qualifying Class I Electric Equipment for Nuclear Power Generating Stations

The controls essential for injection of SLCS are qualified Class 1E. Specific conformance to requirements of IEEE 323 is covered in Section 7.1.2.5.

7.4.2.2.2.3.4 IEEE 338 - Criteria for Periodic Testing of Nuclear Power Generating Station Protection Systems

Except for the explosive valves, the design of SLCS permits periodic testing of the system from initiation to actuated devices. The explosive valve control circuit continuity is continuously monitored and indicated in the main control room. The explosive valves can be test fired only during each refueling outage.

7.4.2.2.2.3.5 IEEE 344 - Guide for Seismic Qualification of Class 1 Electric Equipment for Nuclear Power Generating Stations

The control equipment essential to injection of SLCS is classified as Seismic Category I and will remain functional following an SSE. Qualification and documentation procedures used for Seismic Category I equipment are discussed in 3.10.

7.4.2.3 Reactor Shutdown Cooling Mode (RHR) - Instrumentation and Controls

7.4.2.3.1 General Functional Requirements Conformance

The design of the reactor shutdown cooling mode of the RHR system meets the general functional requirements as follows:

(1) Valves. Manual control and position indication are provided in the main control room. No single failure in valve electrical circuitry can result in loss of capability to perform a safety function. Interlocks are provided to close the valves if an isolation signal is present or if high reactor pressure exists.

(2) Instrumentation. Instrumentation is provided for shutdown flow, heat exchanger service water flow and temperature. Head spray flow indication is provided.

(3) Annunciation. Indication of valve motor overload, heat exchanger cooling water outlet high temperature, shutdown suction header high pressure, and pump motor overload are annunciated in the main control room, either individually or as part of group alarms.

(4) Pumps. Manual controls and stop and start indicators are provided in the main control room. Interlocks are provided to trip the pumps if the shutdown suction valves are not open and no other suction path exists.

Appendix A of Chapter 15 examines the protective sequences relative to the above event and equipment. Chapter 15 considers the operation and the system-level qualitative aspects of this system.

Loss of plant instrument air or cooling water will not, by itself, prevent reactor shutdown capability.

7.4.2.3.2 Specific Regulatory Requirements Conformance

7.4.2.3.2.1 Conformance to NRC Regulatory Guides

The regulatory guides as applied for ECCS are also applicable to RHR shutdown cooling.

7.4.2.3.2.1.1 Regulatory Guide 1.6

See Subsection 7.3.2.1.2.1.1.

7.4.2.3.2.1.2 Regulatory Guide 1.22

See Subsection 7.3.2.1.2.1.3.

7.4.2.3.2.1.3 Regulatory Guide 1.29

See Subsection 7.3.2.1.2.1.4.

7.4.2.3.2.1.4 Regulatory Guide 1.32

See Subsection 7.3.2.1.2.6.

7.4.2.3.2.1.5 Regulatory Guide 1.47

See Subsection 7.3.2.1.2.1.7.

7.4.2.3.2.1.6 Regulatory Guide 1.53

See Subsection 7.3.2.1.2.1.8.

7.4.2.3.2.1.7 Regulatory Guide 1.62

See Subsection 7.3.2.1.2.1.9.

7.4.2.3.2.2 Conformance to NRC Regulations - 10 CFR 50 Appendix A Requirements

7.4.2.3.2.2.1 Criteria 19 through 24

Conformance to these criteria is shown in Subsection 7.3.1.1.1.6. This system is actually an operating mode of the RHR System.

7.4.2.3.2.2 General Design Criterion 34 - Residual Heat Removal

The Reactor Shutdown Cooling System removes residual heat from the reactor when it is shut down and the main steamlines are isolated to maintain the fuel and reactor coolant pressure boundary within design limits. Redundant channels are provided to assure performance, even with a single failure. On-site and off-site power are provided in the event that either source is not available when shutdown cooling is needed. Subsection 3.1.2.4.5 provides a discussion of the RHR system compliance with General Design Criteria 34. Subsection 5.2.5 provides a discussion of the leak detection system and its application to the RHR system. Subsystem 15.2.9 discusses a backup method for disposing of residual heat should the normal shutdown line become unavailable during shutdown.

7.4.2.3.2.3 Conformance to Industry Codes and Standards

7.4.2.3.2.3.1 IEEE 279

See Subsections 7.3.2.1.2.3.1 and 7.3.2.4.3.1.1 on RHR containment spray.

7.4.2.3.2.3.2 IEEE 308

See Subsection 7.3.2.1.2.3.2.

7.4.2.3.2.3.3 IEEE 323

See Subsection 7.1.2.5.

7.4.2.3.2.3.4 IEEE 344

See Subsection 3.10.

7.4.2.3.2.3.5 IEEE 379

See Subsection 7.3.2.1.2.3.6.

7.4.2.4 Remote Shutdown System (RSS)

7.4.2.4.1 General Functional Requirements Conformance

The remote shutdown capability, by itself, does not perform any safety related or protective function. This system does interface with safety related systems, such as RHR and RCIC and meets the design criteria for those systems. All design criteria for the remote shutdown capability are addressed in the respective design requirements sections.

Appendix A of Chapter 15 examines the protective sequences relative to this event and equipment. Chapter 15 considers the operation and the system-level qualitative aspects of this plant capability.

7.4.2.4.2 Specific Regulatory Requirements Conformance

7.4.2.4.2.1 NRC Regulatory Guides Conformance

7.4.2.4.2.1.1 Regulatory Guide 1.29 - Seismic Design Classification

This guide is not applicable to the RSS by itself. Components which interface with other systems meet the same qualifications as the interfacing system. See Section 3.10.

7.4.2.4.2.1.2 R.G. 1.68 - Initial Startup Test Program to Demonstrate Remote Shutdown

Conformance to this Regulatory Guide is discussed in Chapter 14.

7.4.2.4.2.1.3 R.G. 1.75 - Physical Independence of Electric Systems

See Subsection 7.1.2.6.19.

7.4.2.4.2.1.4 Regulatory Guide 1.89 - Qualification of Class 1E Equipment for Nuclear Power Plants

This guide is not applicable to the RSS by itself. Components which interface with other systems meet the same qualification standards as the interfacing systems. Such standards for Class 1E systems are addressed in Section 3.11.

7.4.2.4.2.1.5 Regulatory Guide 1.100 - Seismic Qualification of Electrical Equipment for Nuclear Power Plants

This guide is not applicable to the RSS by itself. Components which interface with other systems meet the same qualification standards as the interfacing system. Such standards for Class 1E systems are addressed in Section 3.10.

7.4.2.4.2.2 NRC Regulations Conformance - 10 CFR 50 Appendix A Requirements

7.4.2.4.2.2.1 General Design Criteria 19

The remote shutdown system consists of equipment outside the main control room which is sufficient to provide and assure prompt hot shutdown of the reactor and to maintain safe conditions during hot shutdown. The equipment also provides capability for subsequent cold shutdown of the reactor.

7.4.2.4.2.3 Conformance to Industry Codes and Standards

7.4.2.4.2.3.1 IEEE 279 - Criteria for Protection Systems for Nuclear Power Generating Stations

During normal plant operation the remote shutdown system interfaces with and becomes part of the RCIC and RHR systems. During this time the interfacing remote shutdown instrumentation and controls maintains channel independence required by IEEE 279, Paragraph 4.6, as discussed in sections covering the RCIC and RHR Systems.

7.4.2.4.2.3.2 IEEE 323 - General Guide for Qualifying Class 1 Electric Equipment for Nuclear Power Generating Stations

The components of the remote shutdown panel were designed and purchased to the requirements of the interfacing system. These qualification requirements are discussed in the sections of this document which address the interfacing systems.

7.4.2.4.2.3.3 IEEE 344 - Guide for Seismic Qualification of Class I Electric Equipment for Nuclear Power Generating Stations

The components of the remote shutdown panel were designed and purchased to the requirements of the interfacing system. These qualification requirements are discussed in the sections of this document which address the interfacing systems.

TABLE 7.4-1 THIS TABLE HAS BEEN INTENTIONALLY DELETED

CPS/USAR CHAPTER 07 7.4-42 REV. 11, JANUARY 2005

TABLE 7.4-2 REACTOR SHUTDOWN COOLING BYPASSES AND INTERLOCKS

MANUAL OPEN

VALVE FUNCTION                 REACTOR PRESSURE EXCEEDS SHUTDOWN   ISOLATION VALVE CLOSURE SIGNAL
Inboard suction isolation      Cannot open                         Cannot open
Outboard suction isolation     Cannot open                         Cannot open
Reactor injection              Cannot open                         Cannot open
Head spray                     Cannot open                         Cannot open
Radwaste discharge inboard     Can open                            Cannot open
Radwaste discharge outboard    Can open                            Cannot open

Auto (A) close or manual (M) close

VALVE FUNCTION                 REACTOR PRESSURE EXCEEDS SHUTDOWN   ISOLATION VALVE CLOSURE SIGNAL
Inboard suction isolation      Closes A and M                      Closes A and M
Outboard suction isolation     Closes A and M                      Closes A and M
Reactor injection              Closes A and M                      Closes A and M
Head spray                     Closes A and M                      Closes A and M
Radwaste discharge inboard     Closes A and M                      Closes A and M
Radwaste discharge outboard    Closes A and M                      Closes A and M

CPS/USAR CHAPTER 07 7.5-1 REV. 11, JANUARY 2005 7.5 SAFETY RELATED DISPLAY INSTRUMENTATION

7.5.1 Description

7.5.1.1 General This section describes the instrumentation which provides information to the operator to enable him to perform required safety and power generation functions. The Safety Related Display Instrumentation is listed in Table 7.5-1. It tabulates equipment illustrated on the various system P&IDs and IEDs discussed in Sections 7.2, 7.3, 7.4, and 7.6. The instrumentation and ranges shown or referenced in Table 7.5-1 are selected on the basis of providing the reactor operator the necessary information to perform normal plant maneuvers and yet the capability to track process variables pertinent to safety during expected operational perturbations. The Elementary Diagrams illustrate separation of redundant display instrumentation and electrical isolation of redundant sensors and channels. The P&IDs, IEDs, and Elementary Diagrams adequately illustrate the redundancy of monitored variables and component sensors and channels. Nuclenet design provides an optimized operator/plant interface through the reduction of panel sizes and the logical grouping and simplification of controls and information displays. Where appropriate, considerable reduction in console (control panel) size is accomplished by simplifying controls and presenting normal operating data and supporting graphic displays on computer-controlled color displays. The computer systems are discussed in Subsections 7.7.1 and 7.7.2. A hardwired, independent annunciator system provides additional confirmation of the status of plant systems and components, and all system controls and switches remain conventionally hard-wired. The annunciator system is discussed in Subsections 7.7.1 and 7.7.2. Wherever the status or action of safety systems or safety-related information is concerned, additional hard-wired conventional display and/or indicating devices are used. The design stresses that the presentation of plant information to the operator be done in such a manner that efficient operation is enhanced. 
The partial or complete failure of the Nuclenet computer system will have no adverse effect upon continued safe operation of the unit. Nuclenet design also incorporates the Power Generation Control Complex (PGCC) described in General Electric Licensing Topical Report, NEDO-10466-A. PGCC allows improved control of cable routing in the main control room while maintaining strict separation requirements. The arrangement of the main control room is shown on Figure 7.5-1. This figure shows the relative location of the eight panels, benchboards, and consoles in the central control room area which serve as the primary operator interface with the plant. These panels are the Principal Plant Console (PPC) (P680), the Reactor Core Cooling Systems Benchboard (RCCS) (P601), Diesel Generator Benchboard (P877), the Standby Information Panel (SIP) (P678), and three Balance of Plant (BOP) Benchboards (P800, P801, P870). Their individual descriptions are given in the following sections.

CPS/USAR CHAPTER 07 7.5-2 REV. 12, JANUARY 2007 7.5.1.1.1 Principal Plant Console (P680)

The PPC (also called the nuclenet control console) is the primary operator interface for monitoring and controlling plant operational systems. This console also contains some safety-related controls and hard-wired displays. The console is an angled, U-shaped, low-profile console and is approximately 16 ft long. Figure 7.5-2 shows the general arrangement of the console. The control functions that are located on the PPC are those that are required for normal operation of the nuclear unit. The functions that have been included are integrated on a unit basis as opposed to the use of separate nuclear boiler and turbine-generator benchboards.

Drawing 828E320 shows the system area assignment of space, within each area, for the hard-wired annunciators, displays, controllers and other instruments, and control switches and indicator lights. The overall shape and size of the console, combined with the centralized grouping of major plant system controls and displays, enhances the operator's interface with the plant processes. His awareness of and control response capabilities to changing plant conditions are thereby improved. The center section of the PPC contains integrated controls and displays for the reactor protection system, neutron monitoring system, the Rod Control and Information System, including the core display map and display control system. A detailed description of the design and functioning of these systems, the information displayed, and the control actions required by the operator is given in Sections 7.2, 7.6.1.5, 7.6.2.5, 7.7.1.2, and 7.7.2.2. The display control system is discussed in Sections 7.7.1.21 and 7.7.2.21.

7.5.1.1.2 Standby Information Panel (P678)

The Standby Information Panel (SIP) is functionally complementary to the displays on the Principal Plant Console. In case of a partial or complete failure of the Display Control System and the subsequent attendant loss of some or all data displays on the PPC, the standby information panel provides information which is required to perform plant operating activities. The SIP is positioned behind the PPC so that the operator has a clear view of the panel area where indicators and other display and recording devices are mounted. An outline of the SIP is provided in Drawing 866E441.

7.5.1.1.3 Reactor Core Cooling Systems Benchboard (P601)

The RCCS Benchboard provides all annunciators, necessary recorders, indicators, and control functions for Division 1, 2, and 3 Engineered Safety Features. The layout of the benchboard, shown in Drawing 793E945, is functionally similar to designs approved for use on previous BWRs. Annunciators, indicators, and recording devices located on the RCCS benchboard are visible to an operator at the Principal Plant Console.

7.5.1.1.4 Balance of Plant Benchboards (P800, P801, P870)

The BOP Benchboards contain the annunciators, meters, recorders, controllers, indicators, and control devices for those plant systems and functions which do not require frequent attention or a rapid operator response. The operator generally has an extended period of time available to respond to control requirements on the BOP Benchboards. Annunciators, indicators, and displays can be seen by an operator at the Principal Plant Console. BOP Benchboard outline is shown in Figure 7.5-6.

CPS/USAR CHAPTER 07 7.5-3 REV. 11, JANUARY 2005 7.5.1.1.5 Diesel Generator Benchboard (P877)

The Diesel Generator Benchboard provides annunciation, necessary recorders, indicators and control functions for operation of Division 1 and 2 Engineered Safety Features diesel generators. The layout of the benchboard, shown in Figure 7.5-10, is functionally similar to designs approved for use on previous BWRs. All annunciators, indicators, and recording devices located on the Diesel Generator Benchboard are visible to an operator at the Principal Plant Console.

7.5.1.2 Normal Operation

The indicators and recorders for the plant process variables are described elsewhere in this chapter and are shown on the P&IDs for the various systems. Hard-wired indicators and recorders are selected on the basis of being able to provide the operator the necessary information to perform all the normal plant maneuvers with the required precision and being able to track all the process variables pertinent to safety during expected operational perturbations.

These devices are mounted on the Standby Information Panel, Reactor Core Cooling Benchboard, or Balance of Plant Benchboard, according to the system which they serve and the functional classification of that system.

7.5.1.3 Abnormal Transient Occurrences

The ranges of indicators and recorders provided are capable of covering the process variables and provide adequate information for all abnormal transient events.

7.5.1.4 Accident Conditions

The DBA-LOCA is the most extreme postulated operational action event. Information readouts are designed to accommodate this event from the standpoint of operator action, information, and event tracking requirements and, therefore, will cover all other design-basis events or incident requirements. The annunciators discussed in this section are informational devices only and not part of the Safety Related Display Instrumentation (SRDI) and not indicators to direct operator action. They are addressed here because of the additional information they provide to the operator as a supplement to SRDI devices.

7.5.1.4.1 Initial Accident Event

The design basis of all engineered safety features to mitigate the accident event takes into consideration that no operator action or assistance is assumed for the first ten minutes of the event. This requirement, therefore, makes it mandatory that all protective action necessary in the first ten minutes be "automatic". Although continuous tracking of process variables is available, no operator action based on them is required.

7.5.1.4.2 Post-Accident Tracking

No operator action (and, therefore, no post-accident information) is required for at least ten minutes following an accident although the various monitoring devices are continuously tracking and indicating important parameter information and displaying it to the operator as well as recording appropriate data.

CPS/USAR CHAPTER 07 7.5-4 REV. 11, JANUARY 2005

The DBA-LOCA serves as the envelope accident sequence event to provide and demonstrate the plant's post-accident tracking capabilities. All other accidents have less severe and limiting tracking requirements. The following process instrumentation provides information to the operator after a design basis loss-of-coolant accident to monitor plant conditions. The instrumentation is also operable before and after a SSE.

7.5.1.4.2.1 Reactor Water Level

(1) Two wide-range water level signals are transmitted from two independent differential pressure transmitters and are recorded on two, two-pen recorders located in the Main Control Room. One pen records the wide-range level and the other pen records the reactor pressure on each of the two recorders. These recorders are located on the RCCS benchboard. One recorder monitors Division 1 instrumentation and the other Division 2 instrumentation. Their design provides information over the full water level range for normal operation, abnormal transients, and accident conditions. The differential pressure transmitters have one side connected to a condensing chamber reference leg and the other side connected directly to a vessel nozzle, for the variable leg. The water level system is not compensated for variation in reactor water density and is calibrated to be most accurate at operational pressure and temperature conditions. The range of the recorded level is from the top of the feedwater control range (just above the high-level turbine trip point) down to a point near the top of the active fuel. The power sources for the two channels are the Division 1 and 2 instrument a-c buses fed by the Class 1E Power System buses. The feedwater control system has other reactor water level recorders and indicators in the Main Control Room.

Generic Letter 92-04 and NRC Bulletin 93-03 had addressed an issue where water in the RPV water level reference legs made up by the steam condensing chambers could be high in concentration of non-condensable gases. During depressurization, the high gas concentration could come out of solution causing a false high level indication. To comply with the generic letter and bulletin, CPS has installed a keep-fill system where water from the CRD system is fed into the Division 1 and 2 reference legs. This keeps the legs full of water with a low concentration of non-condensable gases. The low flow rate, approximately 4 lb/hr, does not impact the accuracy of the water level signals. If a channel of keep fill is not available, then the compensatory action of NRC Bulletin 93-03 would be in effect. This consists of enhanced monitoring during depressurization.

(2) The narrow, upset and shutdown zone water levels and the fuel zone water level recorder are not safety related and are discussed in Subsection 7.7.1.1.3.1.2.

(3) In order to minimize the level measurement error due to changes in the drywell temperature, the differences in vertical drops (from the condensing chamber to the drywell penetration) between the reference and variable legs of the wide and narrow ranges are within approximately +/-1 foot. In order to minimize the level measurement error due to boiling in the sense lines, the vertical drop in the reference legs shared by the narrow, wide and fuel zone ranges is less than 2.5 feet.

7.5.1.4.2.2 Reactor Pressure

(1) Two high-range reactor pressure signals with range as itemized in Table 7.1-13 for RPV pressure are transmitted from two independent pressure transmitters and are recorded on two 2-pen recorders. These signals share the recorders described in Subsection 7.5.1.4.2.1.

(2) Two low-range reactor pressure signals with range as itemized in Table 7.1-14 for RPV pressure are transmitted from two independent pressure transmitters and are recorded on two 3-pen recorders in the main control room. One pen records the low-range reactor pressure, the second pen records the suppression pool level, and the third pen records the low-range containment pressure. These recorders are located on the RCCS benchboard. One recorder monitors Division 1 instrumentation and the other monitors Division 2 instrumentation.

The power sources are from Class 1E power systems.

7.5.1.4.2.3 Reactor Shutdown, Isolation and Core Cooling Indication

7.5.1.4.2.3.1 Reactor Operator Information and Observations

The information furnished to the main control room operator permits him to assess reactor shutdown, isolation, and availability of emergency core cooling following the postulated accident.

(1) Operator verification that reactor shutdown has occurred may be made by observing one or more of the following indications:

a. The control rod status lights will be indicating each rod fully inserted. The power source is a non-class 1E ac distribution panel. These lights are located on the Principal Plant Console. (See Drawing 828E320)

b. Control rod scram valve status lights will be indicating open valves. The power source is an instrument a-c bus. These lights are located on the PPC.

c. The neutron monitoring power range channels and recorders will indicate decreasing neutron flux or be downscale. Power sources for the neutron flux signals are the NSPS buses, and the power source for the recorders is a non-class 1E ac distribution panel. Recorded indication is provided on the Standby Information Panel.

d. Indicators and supplementary annunciators for the reactor protection system variables and trip logic will be in the actuated state. The power source for the indicators is ac inverted from divisional dc batteries. The power source for the supplementary annunciators is dc from the station battery. These devices are located on the PPC.

CPS/USAR CHAPTER 07 7.5-6 REV. 11, JANUARY 2005 e. Supplementary information from the PMS by logging of trips and control rod position log. The power source is the computer power supply from battery-backed uninterruptible power. (2) Reactor isolation also occurs after the accident, as various environmental and process variables exceed their set points. The operator may verify reactor isolation by observing one or more of the following indications: a. The isolation valve position lamps in each affected system indicate valve closure by direct means. Each motor-operated isolation valve has limit switches operated by the motor operator. Air-operated isolation valves have limit switches operated by the valve stem. The power source for the valve position lamps is the same as for the associated valve operator. These lamps are on the RCCS benchboard. b. The main steam line flow indication will be downscale. This information is provided on the SIP. The power source is the instrument ac bus. c. Indication for the containment and reactor vessel isolation system variables and trip logic will be in the tripped state. These indicators are located on the RCCS benchboard. The power source is dc from the station battery. d. Supplementary information from the PMS. (3) Operation of the emergency core cooling and the RCIC system following the accident may be verified by observing the following indications, which except as noted are located on the RCCS benchboard; a. Indicators and status lights for high pressure core spray, low pressure core spray, residual heat removal, automatic depressurization system, and reactor core isolation cooling system sensor initiation logic trips. The power source is from the appropriate divisional supply. b. Flow and pressure indications for each emergency core cooling system are provided and are operable before and after a Safe Shutdown Earthquake (SSE). 
The power sources are independent and from the same Class 1E power system buses as the driven equipment.

c. RCIC isolation valve position lamps directly indicate open valves via limit switches. These limit switches are operated by the motor operator on motor-operated valves, and by the valve stem on air-operated valves. The power source for the valve position lights is the same as the valve motor.

d. Injection valve position lights indicating either open or closed valves. Injection valve position indications are provided by direct means of limit switches operated by the motor operator. The power source for the position lights is the same as the valve motor.

CPS/USAR CHAPTER 07 7.5-7 REV. 11, JANUARY 2005

e. Relief valve initiation circuit status by open or closed indicator lamps. The power source is the same as for the pilot solenoid.

f. Relief valve position indications are provided by an acoustic-type valve position indicating system that provides open/closed status in the Main Control Room. The power source is from a Class 1E system bus.

g. Supplementary information from the PMS display located on panel H13-P870. The power source is the computer power supply which utilizes a reliable ac source including a battery backup.

h. Relief valve discharge pipe temperature monitor located on panel H13-P614. The power source is from an instrument ac bus.

7.5.1.4.2.3.2 System Operation Information-Display Equipment

(1) RCIC Two meters, one displaying RCIC discharge flow rate and one displaying RCIC pump discharge pressure, are located on the RCCS benchboard.

(2) HPCS Two meters, one displaying HPCS discharge flow rate and one displaying HPCS pump discharge pressure, are located on the RCCS benchboard.

(3) LPCS One meter displaying LPCS flow rate is located on the RCCS benchboard.

(4) RHR The following meters are located on the RCCS benchboard:

a. One meter displaying RHR flow rate for each of the three RHR loops.

b. One meter displaying RHR water temperature for each of the RHR heat exchanger outlets.

c. One meter displaying RHR service water flow rate for each of the two RHR service water loops.

d. There are more instruments monitoring RHR service water. They are described in Subsection 7.5.1.4.2.6.

(5) MSIV/LCS The following meters are located in the main control room displaying reactor and steam line pressures: a. One meter displaying main steam line pressure for each of the four MSL.

CPS/USAR CHAPTER 07 7.5-8 REV. 14, JANUARY 2011

b. Two meters displaying reactor pressure.

c. One meter and one (low pressure) range meter displaying outboard steam line header pressure.

d. One meter displaying inboard steam line pressure for each of the four steam lines. The instruments are powered from separate 120 Vac divisional power buses.

e. Two meters displaying MSIV leakage control system header pressure.

(6) Containment Atmosphere Monitoring System (CAMS) The following CAMS display instrumentation is located in the main control room:

a. One channel of drywell hydrogen concentration indication and recording.

b. One channel of containment hydrogen concentration indication and recording.

c. Two channels of drywell gross gamma radiation level indication and recording.

d. Two channels of containment gross gamma radiation level indication and recording.

(7) Miscellaneous In addition to the above displays, the following also provide information to enable the reactor operator in the main control room to perform post-accident safety functions:

a. Control rod status lamps (powered from a non-class 1E ac distribution panel.)

b. Scram pilot valve status lamps (powered from non-class 1E uninterruptible RPS power supplies.)

c. Neutron flux level meters (powered from the NSPS buses.)

d. Two meters displaying ADS instrument air header pressure. One meter monitors Division 1 instrumentation and the other monitors Division 2 instrumentation.

e. Two meters displaying ADS backup air bottle pressure. One meter monitors Division 1 instrumentation and the other monitors Division 2 instrumentation.

CPS/USAR CHAPTER 07 7.5-9 REV. 11, JANUARY 2005 7.5.1.4.2.3.3 System Operation Information-Display Equipment Qualification The safety-related display instrumentation sensors, modules, cabling, and display equipment are of the same high quality as the safety system's instrumentation. The environmental and seismic qualification of the sensors and modules is discussed in Sections 3.10 and 3.11. The post-accident display instrumentation is of a quality that is consistent with minimum maintenance requirements and low failure rates and is qualified according to IEEE 323. The post-accident monitoring equipment is environmentally and seismically qualified to continue to operate following a design basis accident. Redundant elements (such as cables, cable tray components, modules, and interconnecting wiring) are identified according to the requirements of IEEE 384. 7.5.1.4.2.4 Drywell and Containment Indications Drywell and containment building conditions are indicated and/or recorded by the instrumentation described below. (1) Containment Pressure Monitoring a. There are two post accident containment pressure monitoring channels with a range as itemized in Table 7.1-13 for primary containment pressure. One channel monitors Division 1 instrumentation and the other monitors Division 2 instrumentation. Each channel of instrumentation consists of two transmitters, one 3-pen recorder and one 2-pen recorder.

These two transmitters per channel overlap and split the required pressure range, thus providing the required measurement range and accuracy. One transmitter provides a low-range signal to one 3-pen recorder. This signal shares the recorder described in Subsection 7.5.1.4.2.2(2) which monitors low range reactor pressure and suppression pool level. The other transmitter provides a high range signal to one 2-pen recorder. b. Additionally, there are two higher range containment pressure monitoring channels with a range as itemized in Table 7.1-14 for primary containment pressure. The instrumentation consists of two separate transmitters and two 2-pen recorders. One pen records the containment pressure and the other records containment atmosphere temperature.

These recorders are mounted on the RCCS benchboard. One channel monitors Division 1 instrumentation and the other monitors Division 2 instrumentation. The power sources for the two channels are the two instrument a-c buses feeding from the Class 1E power system buses. The two monitoring channels are redundant to each other and qualified Seismic Category I and Class 1E. One pen records the containment pressure and the other records the suppression pool level. The recorders are mounted on the RCCS benchboard in the main control room. The power sources for the two channels are the Class 1E power system buses. The two monitoring channels are redundant to each other and qualified Seismic Category I and Class 1E.

(2) Drywell Pressure Monitoring

There are two drywell pressure monitoring channels with a range as itemized in Table 7.1-13 for drywell pressure. The instrumentation consists of two separate transmitters and two 2-pen recorders. One pen records the drywell pressure and the other records the drywell average temperature. These recorders are mounted on the RCCS benchboard. One channel monitors Division 1 instrumentation and the other monitors Division 2 instrumentation. The power sources for the two channels are the two instrument a-c buses feeding from the Class 1E power system buses. The two channels are redundant to each other and qualified Seismic Category I and Class 1E.

(3) Suppression Pool Temperature Monitoring

The suppression pool temperature is monitored by 24 sensors with a range as itemized in Table 7.1-13 for suppression pool bulk average temperature. The sensors are located between each SRV discharge pipe and below the minimum suppression pool water level. Twelve sensors are associated with Division 1 and 12 sensors with Division 2. Sensor outputs are recorded on the following recorders:

a. Two multi-point recorders mounted on Panels 1H13-P638 and 1H13-P639 in the main control room. One records the outputs from the eight Division 1 sensors and the other records the outputs from the eight Division 2 sensors. Each recorder is provided with contact closure outputs which actuate an alarm on the RCCS benchboard at high suppression pool temperature. The temperature sensors are located at Elevation 730'-6".

b. Two 2-pen recorders mounted on the RCCS benchboard in the main control room. One records the average output from four Division 1 sensors and the other records the average output from four Division 2 sensors. The second pen is used to monitor the suppression pool level.

The temperature sensors are located at Elevation 730'-6". c. Two 1-pen recorders mounted on the standby information panel in the main control room. One records the average output from four Division 1 sensors and the other records the average output from four Division 2 sensors. The temperature sensors are located at Elevation 726'-10". The instrumentation described in this subparagraph fulfills the requirements of TS 3.3.3.1, Post Accident Monitoring. Power sources for the two divisions of sensors are the two instrument a-c buses feeding from the Class 1E power system buses. The two divisions are redundant to each other and qualified Seismic Category I and Class 1E.

CPS/USAR CHAPTER 07 7.5-11 REV. 11, JANUARY 2005

(4) Suppression Pool Water Level

The suppression pool water level is monitored by water level monitoring channels which measure a level range as itemized in Table 7.1-13 for suppression pool level. The lower end of the measurement range (720'-0") is at the same elevation as the ECCS suction line. Each division of instrumentation consists of two transmitters, one for low range and one for high range. For each division, the two transmitters overlap and split the required water level range, thus providing the required measurement range and accuracy: The high range transmitter (CM system designator) provides a signal to one 2-pen recorder (which also records containment pressure described in Item (1)b above). The low range transmitter (SM system designator) provides a signal to one 3-pen recorder (which also records containment pressure and reactor pressure described in Subsection 7.5.1.4.2.2(2)). The power sources for the two suppression pool level instrumentation are the two instrument a-c buses feeding from the Class 1E power system buses. The divisional channels are redundant to each other and qualified Seismic Category I and Class 1E.

(5) Suppression Pool Wide Range Water Level

The suppression pool wide range (primary containment) water level is monitored by two channels of instrumentation which measure a level range as itemized in Table 7.1-14 for suppression pool level. One channel monitors Division 1 and the other monitors Division 2. Each channel of instrumentation consists of six transmitters, one selector switch and one indicator. These six transmitters split the required water level range, thus providing the required measurement accuracy. They provide a signal to one indicator by means of a range selector switch mounted on the RCCS benchboard. These transmitters and the suppression pool water level transmitters described in Item (4) above overlap to provide a full range of water level measurement from the centerline of ECCS suction to the containment maximum floodable water level. The power sources for the two channels are the two instrument a-c buses feeding from the Class 1E power system buses. The two monitoring channels are redundant to each other and qualified Seismic Category I and Class 1E.

(6) Containment Atmosphere Temperature Monitoring

The containment atmosphere temperature is monitored by eight sensors with a range as itemized in Table 7.1-14 for containment atmosphere bulk temperature.

Four sensors are associated with Division 1 and four sensors are associated with Division 2. Each division of four sensor outputs are averaged and the averaged signal is then recorded on one 2-pen recorder. This signal is recorded on the 2-pen recorder described in Subsection 7.5.1.4.2.4(1b) which monitors the high-range containment pressure.

CPS/USAR CHAPTER 07 7.5-12 REV. 11, JANUARY 2005

Power sources for the two divisions of sensors and recorders are the two instrument a-c buses feeding from the Class 1E power system buses. The two divisions are redundant to each other and qualified Seismic Category I and Class 1E.

(7) Drywell Atmosphere Temperature Monitoring

The drywell atmosphere temperature is monitored in a similar way as described in Item (6) above except the signal shares the recorder described in Item (2) above. There are eight Containment Monitoring (CM) sensors, four associated with Division 1 and four associated with Division 2, which fulfill the Post Accident Monitoring requirements of Regulatory Guide 1.97. These sensors are Seismic Category I and Class 1E. The range for these instruments is itemized in Table 7.1-13 for drywell atmosphere bulk average temperature. There are also 14 Drywell Cooling (VP) temperature sensors located at various elevations and azimuths within the drywell. These VP sensors are normally utilized to periodically calculate the arithmetic drywell average air temperature as required by the Technical Specifications during plant operation. These sensors are non-safety related. They have a range of 0-250 degrees Fahrenheit. The instrument number, elevation, and azimuth of these sensors are shown below.

DRYWELL AIR TEMPERATURE SENSORS

    Instrument Number   Elevation   Azimuth
a.  ITE-VP033A          729'-0"#    45°
b.  ITE-VP033B          775'-0"     160°
c.  ITE-VP033C          741'-0"     45°
d.  ITE-VP033D          772'-0"     130°
e.  ITE-VP033E          802'-0"     0°
f.  ITE-VP033F          746'-0"     307°
g.  ITE-VP033G          794'-0"     0°
h.  ITE-VP034A          732'-0"#    225°
i.  ITE-VP034B          775'-0"     230°
j.  ITE-VP034C          741'-0"     220°
k.  ITE-VP034D          772'-0"     235°
l.  ITE-VP034E          802'-0"     180°
m.  ITE-VP034F          746'-0"     135°
n.  ITE-VP034G          794'-0"     180°

# The instruments at a. and h. are considered to be at the same elevation.

7.5.1.4.2.5 Main Control Room HVAC System

Operation of the Main Control Room HVAC System may be verified by observing the following indications:

a. The Make-up Filter Package Trains, Supply and Return fans status lights are indicated in the main control room. The control power circuits of the driven equipment provide power to the fan operating status lights.

b. System damper position lights indicating either open or closed dampers are provided in the main control room and on local control panels as required. Intermediate damper position is indicated by simultaneous energization of both the open and closed indicating lights. These position indicating lights are actuated by limit switches that are operated directly from the damper shaft. The power sources are the same as the damper motor.

c. The Make-up Filter Package Train flow is indicated and recorded in the main control room. Differential pressure recorders monitor the differential pressure across the demister and prefilter combination, and across the upstream HEPA filter. The downstream HEPA filter differential pressure is indicated in the main control room. The power sources for these instruments are the same as for their respective systems.

d. The main control room differential pressure with respect to the adjacent areas is indicated in the main control room. The power sources for these indicators are the same as their respective HVAC trains.

7.5.1.4.2.6 Shutdown Service Water System

The safety related display instrumentation for the Shutdown Service Water System (SSWS) is located in the main control room. Each subsystem of the SSWS is monitored by independent pressure sensors at each subsystem supply header which transmit signals that are indicated on the control board near the controls for the equipment being cooled by the SSWS. Additionally, each subsystem of the SSWS is monitored by independent temperature sensors at the inlet to the RHR heat exchangers which provide a signal indicated on the RCCS benchboard in the main control room. Each instrument loop is seismically qualified and Class 1E and is powered from the same safety related electrical separation division as the subsystem being monitored.

7.5.1.4.2.7 Standby Gas Treatment System (SGTS)

Operations of the SGTS may be verified by observing the following indications:

a. Standby Gas Treatment System running lights indicate the operation of the equipment. The power sources are the same as for the equipment.

b. System valve and damper open and closed position lights are provided in the main control benchboard. These position indications are actuated by limit switches that are operated directly from the valve stem or damper shaft. The power sources are the same as for the associated valve and damper motor.

c. The filter train flow is indicated and recorded in the main control room. Differential pressure across the upstream and downstream HEPA filters is indicated in the main control room. A recorder monitors the differential pressure across the upstream HEPA filter. Instrument power is supplied by the same Class 1E bus that supplies power to each respective SGTS train.

7.5.1.4.2.8 Combustible Gas Control System

7.5.1.4.2.8.1 Drywell-Containment Mixing System

Safety related controls for the drywell-containment mixing system are located in the main control room. Differential pressure is monitored across each compressor by an electronic differential pressure transmitter. The signal is indicated on the main control board near the control switches. Each instrument loop is seismically qualified, Class 1E, and is powered from the same electrical separation division which provides power to the equipment being monitored. Status lights located above the compressor control switches indicate whether the compressor is running, stopped or tripped.

Position indicating lights are provided on the Standby Information Panel in the main control room for each of the eight check valves in the four vacuum relief lines. These indicating lights are controlled by limit switches on the check valves and indicate closed, intermediate, and open valve position. The indicating lights are powered from Class 1E, Division 1 power. (Q&R 421.12)

7.5.1.4.2.8.2 Hydrogen Recombiner System

Safety related instrumentation for the hydrogen recombiners is located on the local control panels for each recombiner. Recombiner flow and temperature are monitored and indicated on the control panel. Each instrument is seismically qualified, Class 1E, and is powered from the same electrical separation division which powers the equipment being monitored. Status lights in the main control room above the control switch indicate whether the recombiner is running or stopped.

7.5.1.4.2.9 (NOT USED)

7.5.1.4.2.10 Diesel Generator Room Ventilation System

7.5.1.4.2.10.1 Indication

Indication is provided as follows:

a. Diesel Generator Room Ventilation fan status (i.e., on, tripped or off)

b. Diesel Generator Ventilation Oil Room Exhaust Fan Status (i.e., on, tripped or off)

7.5.1.4.2.11 Essential Switchgear Heat Removal HVAC System

7.5.1.4.2.11.1 Indication

Indication is provided as follows:

a. Heat removal fan status (i.e., on, tripped or off), on the MCB.

b. Battery Room exhaust fan status (i.e., on, tripped or off), on the MCB.

7.5.1.4.2.12 ECCS Equipment Room Cooling - HVAC System

7.5.1.4.2.12.1 Indication

Indication is provided as follows:

a. Emergency Core Cooling System fan status (i.e., on, tripped or off)

7.5.1.4.2.13 Shutdown Service Water Pump Room Cooling System

7.5.1.4.2.13.1 Indication

Indication is provided as follows:

a. Shutdown Service Water Pump Room Cooling System fan status (i.e., on, tripped, or off), on the MCB.

b. Room temperature for each SSW pump room

7.5.1.4.2.14 Secondary Containment Area Temperature Monitoring Instrumentation

The secondary containment ambient temperatures are monitored by a total of 40 sensors with an instrument channel range as itemized in Table 7.1-14 for secondary containment area temperature. These sensors are located in various secondary containment areas. These areas are assigned to one of two groups, each consisting of 20 sensors, which are recorded on multi-point recorders mounted on the standby information panel in the main control room. The recorders are provided with alarm contact outputs which will activate one common high temperature alarm when the temperature of any of the monitored areas reaches a maximum normal operating value (MNOV), and will activate another common high-high alarm when the temperature of any of the monitored areas reaches a maximum safe operating value (MSOV). The alarms are located on the RCCS benchboard. The areas monitored are identified as follows:

a. Group A

LOCATION                                                  NUMBER OF SENSORS
HPCS Pump Room                                            1
Auxiliary Building Aisle Elevation 707 feet, 6 inches     1
RHR Pump Room A                                           1
RHR Heat Exchanger Room A                                 1
RHR Pump Room B                                           1
RHR Heat Exchanger Room B                                 1
RHR Pump Room C                                           1
Auxiliary Building RCIC Pump Room                         1
Auxiliary Building RCIC Instrument Panel Room             1
LPCS Pump Room                                            1
Auxiliary Building Access Aisle Elevation 737, 0 inches   2
Auxiliary Building Radwaste Pipe Tunnel                   1
Auxiliary Building Below Main Steam Tunnel                1
RWCU Pump Room A                                          1
RWCU Pump Room B                                          1
RWCU Pump Room C                                          1
Auxiliary Building Steam Tunnel                           1
Fuel Pool Cooling Heat Exchanger Room                     2

b. Group B

LOCATION                                                      NUMBER OF SENSORS
Fuel Building General Area Elevation 712 feet, 0 inches       4
Fuel Building Pipe Valve Room                                 2
Fuel Building Fuel Pool Cooling Pump Room                     2
Fuel Building General Area Elevation 737 feet, 0 inches       4
Fuel Building General Area Elevation 744 feet, 0 inches       4
Auxiliary Building MSIV Room A                                1
Auxiliary Building MSIV Room B                                1
Auxiliary Building Gas Control Boundary                       2

7.5.1.4.2.15 Secondary Containment Water Level Monitoring Instrumentation

Secondary containment areas are monitored for flooding by level switches. Each level switch will activate one common high-high water level alarm when the water level of any of the monitored areas reaches a maximum safe operating water level. The alarm is located on the RCCS benchboard. The areas monitored are identified as follows:

a. RCIC Pump Room
b. RHR Pump Room A
c. RHR Pump Room B
d. RHR Pump Room C
e. LPCS Pump Room
f. HPCS Pump Room
g. Fuel Building Elevation 712 feet, 0 inches

7.5.2 Analysis

7.5.2.1 General Functional Requirements

The safety-related and power generation display instrumentation provides adequate information to allow an operator to make correct decisions as bases for manual control actions permitted under normal, abnormal transient, and accident conditions.

The Nuclenet design provides the operator with readily accessible information and control of the various plant operational parameters. This is accomplished by the logical organization of functional plant system indicators, displays, controls, and a computer display system into a human-engineered operator interface. The implementation involves the use of five modular console/panel/benchboards. Additional information concerning analysis and design criteria applicable to the specific hard-wired indicators, displays and controls, for the various safety-related systems, is provided elsewhere in this chapter with the systems they serve.

Redundancy and independence or diversity are provided in all of those information systems which are used as a basis for operator-controlled safeguards action. The complete failure of the Display Control System, which serves as an active part of the operator/plant interface, does not degrade the quantity or quality of necessary information, presented by hard-wired devices, needed to determine the status or action of plant safety systems.

Some safety-related process information is displayed and/or analyzed by this non-safety class Display Control System (DCS), as well as by the conventional hard-wired instruments. In all cases where safety-related information is shared this way, the DCS is isolated from the safety-related circuitry so that no DCS failure can inhibit or affect that circuit or vice versa.

7.5.2.1.1 Design Criteria

7.5.2.1.1.1 Power Generation Control Complex Criteria

The applicable design criteria for the PGCC aspects of Nuclenet design are provided in General Electric Licensing Topical Report NEDO-10466-A.

7.5.2.1.1.2 Nuclenet Design and Operational Criteria Compliance

7.5.2.1.1.2.1 Design Criteria

(1) Nuclenet is designed to enhance the operational information without degrading the ability of the ESF systems I&C to meet the requirements of their design specifications.

(2) In the implementation of Nuclenet, instruments for the reactor protection system and the engineered safety features meet the system design requirements of the systems they serve. They shall be located at easily visible and accessible positions.

(3) The design employs modular techniques to implement distinct circuits so that the separation and redundancy requirements are satisfied.

(4) All reactor protection system components incorporated by Nuclenet are of at least comparable quality to those components that are integral to the design of related systems and shall have demonstrated operational reliability.

(5) Nuclenet design is such that the IEEE-279 requirement for protection system integrity, independence, and absence of interaction can be maintained from the various controls, indicators, and displays on the console/panel/benchboards through the termination cabinets. The termination cabinets are described in NEDO-10466-A and are incorporated as part of Nuclenet.

(6) Nuclenet makes use of modular control and indication components. Plug-connected cables are used to facilitate removal of the modules. Cables and connectors are easily accessible and identified. Connector separation requires deliberate action.

(7) Cabling is identified at each connection point, in the panels, in the wireways, and in the termination cabinets, so that visual verification of separation is easily made. Connectors and cabling at connection points are clearly marked with system and reference designations.

(8) The Reactor Core Cooling benchboard is physically separated from those benchboards or consoles used for planned operating activities not performed by systems on the RCC benchboard.

(9) Hard-wired standby display capabilities are provided in the main control room to permit operational continuity following a malfunction in or loss of the Display Control System (DCS).

(10) All plant system controls are hard wired. They are external to, and not dependent upon, the computer systems.

(11) Simplification of controls is restricted to manual functions operating independently from, but compatible with, the automatic protective functions.

(12) All safety system functions, either automatic protective or interlocking, including controls, displays, and alarms, are hardwired.

(13) The Display Control System provides an alarm initiated display capability for selected variables. This display also presents relevant parameters associated with the alarmed parameter.

CPS/USAR CHAPTER 07 7.5-19 REV. 12, JANUARY 2007

7.5.2.1.1.2.2 Operating Criteria

The Nuclenet design provides for normal plant operation under planned conditions in the absence of significant abnormalities. Operations subsequent to an incident (transient, accident, or special event) are not considered planned operations until the procedures being followed or equipment being used are identical to those used during any one of the defined planned operations. The established planned operations can be considered as a chronological sequence: refueling outage, achieving shutdown, cooldown, refueling outage. The following planned operations are identified.

a. Refueling Outage
b. Achieving Criticality
c. Heatup
d. Reactor Power Operation
e. Achieving Shutdown
f. Cooldown

7.5.2.1.2 Principal Plant Console (P680)

The PPC (shown in Figure 7.5-2 and Drawing 828E320) contains control and display instrumentation which is safety-related, and also control and display instrumentation which is not safety-related.

7.5.2.1.3 Standby Information Panel (P678)

The SIP (shown in Drawing 866E441) contains both safety and nonsafety related instrumentation. The organization of system displays follows the same relative positional relationship when viewed by the operator as is used on the PPC. Certain functions of the following systems appear on the SIP:

(1) Reactor Water Cleanup System
(2) Feedwater System
(3) Recirculation System
(4) Nuclear Boiler and Main Steam Systems
(5) Neutron Monitoring System

7.5.2.1.4 Reactor Core Cooling Systems Benchboard (P601)

The RCCS benchboard (shown in Drawing 793E945) is similar to previously approved designs. Hardwired controls, annunciators, and other instrumentation for the following systems appear on the RCCS benchboard:

(1) CRD Hydraulic Control System
(2) Standby Liquid Control System
(3) Reactor Core Isolation Cooling and Low Pressure Core Spray Systems
(4) RHR A System
(5) Automatic Depressurization A System
(6) Outboard Isolation System
(7) Inboard Isolation System
(8) Automatic Depressurization B System
(9) RHR B and C Systems
(10) HPCS Diesel Generator System
(11) HPCS System

This benchboard has welded steel barriers separating the controls and displays of one division from those of another division, and separating devices associated with any of the divisions from devices not associated with any division. All devices on the RCCS benchboard which are Class 1E have been previously qualified for Class 1E use. Other criteria stated in Section 7.5.2.1.1.2 apply to the RCC benchboard.

7.5.2.1.5 Balance of Plant Benchboards (P800, P801, P870)

The function and description of the BOP benchboard were given in section 7.5.1.1.4. Instruments, controls, and annunciators are organized by system and function. The following safety and non-safety related systems are represented on these benchboards (shown in Figure 7.5-6):

(1) Main Generator and Auxiliary Power Systems
    a. Main Generator, Switchyard, and Auxiliary Electrical Systems

(2) Steam and Power Conversion Systems
    a. Turbine and Main Steam Systems
    b. Extraction Steam Systems
    c. Vents, Drains, Heaters, and Coolers
    d. Condensate and Feedwater Systems
    e. Condenser Air Removal and Seal Steam Systems

(3) Water Systems
    a. Circulating and Cooling Water Systems
    b. Service Water Systems
    c. Fuel Pool Cooling and Cleanup Systems
    d. Suppression Pool Cleanup and Makeup Systems

(4) Other Service and Instrument Systems
    a. Instrument and Service Air Systems
    b. Drywell and Containment Temperature and Pressure Monitoring
    c. Containment Combustible Gas Control System
    d. Suppression Pool Temperature and Level Monitoring
    e. Control Building HVAC Systems
    f. Fire Protection System
    g. Standby Gas Treatment Systems
    h. Radiological Monitoring Display

The BOP benchboard conforms to criteria in Section 7.5.2.1.1.2.

7.5.2.1.6 Diesel Generators Benchboard (P877)

The Diesel Generator benchboard, shown in Figure 7.5-10, is similar to previously approved designs. Hard-wired controls, annunciators, and other instrumentation for the following systems appear on the Diesel Generator benchboard:

(1) Division 1 Diesel Generator Control System
(2) Division 2 Diesel Generator Control System

This benchboard has welded steel barriers separating the controls and displays of one division from those of another division, and separating devices associated with any of the divisions from devices not associated with any division. All devices on the Diesel Generator benchboard which are Class 1E have been previously qualified for Class 1E use.

7.5.2.2 Normal Operation

Subsection 7.5.1.2 describes the basis for selecting ranges for instrumentation. Since the monitoring requirements for abnormal, transient, or accident conditions exceed those for normal operation, the normal ranges are covered adequately.

7.5.2.3 Abnormal Transient Occurrences

These occurrences are not limiting from the point of view of instrument ranges and functional capability. (See Subsection 7.5.2.4.) The indications which may be utilized to verify that shutdown and isolation safety actions have been accomplished (see Subsection 7.5.1.4.2.3) meet the requirements of IEEE 279.

7.5.2.4 Accident Conditions

The DBA-LOCA is the most extreme operational event. Information readouts are designed to accommodate this event from the standpoint of operator actions, information, and event tracking requirements, and therefore will cover all other design basis events or incident requirements.

7.5.2.4.1 Initial Accident Event

The design basis of all engineered safety features to mitigate accident event conditions takes into consideration that no operator action or assistance is required or recommended for the first ten (10) minutes of the event. This requirement therefore makes it mandatory that all protective action necessary in the first ten minutes be automatic. Therefore, although continuous tracking of variables is available, no operator action based on them is intended.

7.5.2.4.2 Post-Accident Tracking

The following process instrumentation provides information to the operator after a DBA loss-of-coolant accident for use in monitoring reactor conditions.

(1) Reactor Water Level and Pressure

Vessel water level and pressure sensor instrumentation described in Subsection 7.5.1.4.2 is redundant, electrically independent, and is qualified to be operable during and after a loss-of-coolant accident in conjunction with an SSE. Power is from independent instrument buses supplied from the two divisional ac buses. This instrumentation complies with the independence and redundancy requirements of IEEE 279 and provides recorded outputs.

The reactor water level and pressure sensors are mounted on two independent local panels. The transmitters and recorders are designed to operate during normal operation and/or post-accident environmental conditions. The design criteria that these instruments must meet are discussed in Subsection 7.1.2.1.7. There are two complete and independent channels of wide range reactor water level and reactor vessel pressure with each channel having readout on a separate two-pen recorder. The design, considering the accuracy, range and quality of the instrumentation, is adequate to provide the operator with reliable reactor water level and reactor pressure information during normal operation, abnormal, transient, and accident conditions.

(2) Suppression Pool Water Level

This instrumentation is redundant, electrically independent, and qualified to be operable during and after a LOCA in conjunction with an SSE. Power is from independent instrument buses supplied from the two divisional Class 1E ac power buses and complies with the requirements of IEEE 279 and provides recorded outputs.

(3) Drywell and Containment Pressure

This instrumentation is redundant, electrically independent, and is qualified to be operable during and after a LOCA in conjunction with an SSE. Power is from independent instrument buses supplied from the two divisional Class 1E ac power buses and the instrumentation complies with the requirements of IEEE 279 and provides recorded and indicated outputs.

(4) Emergency Core Cooling Systems

Performance of emergency core cooling systems following an accident may be verified by observing redundant and independent indications as described in Subsection 7.5.1.4.2.3.1(3) and fully satisfies the need for operator verification of operation of the system. Redundancy of instrumentation within the individual ECCS systems is not always provided. However, redundancy is provided within the combination of ECCS systems. Each ECCS is provided with system flow measuring indication and valve status indication allowing the operator to assess the operating conditions.

(5) Continued Shutdown Tracking

The various indications described in Subsection 7.5.1.4.2 provide adequate information regarding status of the reactor vessel level and pressure to allow reactor operators to make proper decisions regarding core and containment cooling operations, and fully satisfy the need for post-accident surveillance of these variables.

(6) MCR Ventilation System

Performance of the HVAC system following an accident may be verified by observing redundant and independent indications as described in subsection 7.5.1.4.2.5 and fully satisfies the need for operator verification of system operation. Redundancy of instrumentation within individual HVAC trains is not provided. However, redundancy is provided by the redundancy of the HVAC trains.

(7) Shutdown Service Water System (SSW)

Performance of the SSW System following an accident may be verified by observing redundant and independent indications as described in subsection 7.5.1.4.2.6 and fully satisfies the need for operator verification of system operation. Redundancy of instrumentation within individual SSW divisional trains is not provided. However, redundancy is provided by the redundancy of the trains.

(8) Hydrogen Control Aspect

The hydrogen control system hydrogen analyzer with indicator, recorder and alarm is designed to automatically operate during LOCA conditions. Hydrogen control system operation following an accident or LOCA condition may be verified by observing the hydrogen concentration recorded in the control room as described in Subsection 7.5.1.4.2.8. Indications in the control room fully satisfy the need for operator verification of operation of the hydrogen mixing system and the hydrogen recombiner.

(9) Standby Gas Treatment System (SGTS)

Performance of the SGTS following an accident may be verified by observing redundant and independent indications as described in subsection 7.5.1.4.2.7 and fully satisfies the need for operator verification of system operation. Redundancy of instrumentation within individual SGTS trains is not provided. However, redundancy is provided by the redundancy of the individual SGTS trains.

(10) Combustible Gas Control System (CGCS)

Performance of the CGCS subsequent to the manual initiation of the system may be verified by observing the indications as described in Subsection 7.5.1.4.2.8 and fully satisfies the need for operator verification of system operation. Redundancy of instrumentation within the divisional systems is not provided. However, redundancy is provided by the redundant CGCS's.

(11) Containment and Drywell Atmosphere Monitoring System

The various indicators described in Subsection 7.5.1.4.2 provide adequate information concerning containment and drywell hydrogen concentration and gross gamma radiation levels under post accident conditions. This will allow the (reactor) operator to make proper decisions regarding radiation and hydrogen hazards in those spaces. All equipment is required to function following the design basis seismic event.

7.5.2.4.3 Safe Shutdown Display

The safe shutdown display instrumentation in Subsection 7.5.1.4.2.3.1 consists of control rod status lamps, scram pilot valve status lamps, and neutron monitoring instrumentation. These displays are expected to remain operable for a long enough time following an accident to support and verify safe and orderly shutdown. The displays provide diverse indications by monitoring separate parameters. The rod position and neutron monitoring outputs are recorded (the former by the PMS). The systems cited are automatically connectable to standby ac power.

7.5.2.4.4 Engineered Safety Feature Operation Display

The other operating instruments provide indication of operation of various safety systems but, except for the isolation valve status, do not constitute post-accident surveillance or safe shutdown display. Isolation valve status meets qualifications, redundancy, power and IEEE 279 requirements for indication. The others meet only qualification, redundancy, and power requirements and do not meet seismic qualification requirements.

7.5.2.5 Specific Regulatory Requirements

7.5.2.5.1 Conformance to IEEE-279

7.5.2.5.1.1 General Functional Requirement (IEEE-279, Paragraph 4.1)

Scram valves position status display verifies completion of RPS scram function. This is further verified by the rods status display. This combination satisfies the requirements for reliability by redundant confirmation of diverse sensors. All components except the front panel display are seismically qualified. Rod position information can also be obtained directly from the rod information panels in the main control room.

The neutron monitoring system is designed to meet all the requirements of IEEE-279 as a part of the reactor protection system. However, its RPS function is a "fail-safe" function while safe shutdown display is not. Further, its RPS function terminates with the generation and maintenance of a shutdown signal. In this regard, post DBA environment conditions may cause malfunction but not until the RPS has had sufficient time to complete its scram function. This makes it impossible to claim continuous indicating capability for safe shutdown display by the neutron monitoring system. Redundancy, power switching capabilities, RPS capabilities, and expected time to failure under DBA environment conditions allow the neutron monitoring system to meet the functional requirements of IEEE-279 as applicable to display instrumentation. The automatic initiation of protective action function is not applicable to the safe shutdown display instrumentation.

7.5.2.5.1.2 Single Failure Criterion (IEEE-279, Paragraph 4.2)

The redundant channels provide indication to meet the single failure criterion. Also, signals feeding the instrumentation are electrically buffered so that failures in the display apparatus cannot be reflected back into essential system functions.

7.5.2.5.1.3 Quality of Indicators (IEEE-279, Paragraph 4.3)

The quality of the indicators will be in accordance with their importance to safety. Instruments providing information necessary for manual safety actions are class 1E.

7.5.2.5.1.4 Equipment Qualification (IEEE-279, Paragraph 4.4)

All safety-related equipment is qualified to assure performance of safety-related functions including post-seismic performance.

7.5.2.5.1.5 Channel Integrity (IEEE-279, Paragraph 4.5)

The failure of any indicator will not adversely affect channel integrity.

7.5.2.5.1.6 Channel Independence (IEEE-279, Paragraph 4.6)

The failure of any indicator will not adversely affect channel independence.

7.5.2.5.1.7 Control and Protection System Interaction (IEEE-279, Paragraph 4.7)

This design requirement is not applicable to the safe shutdown display instrumentation.

7.5.2.5.1.8 Derivation of System Inputs (IEEE-279, Paragraph 4.8)

This is not applicable to display instrumentation.

7.5.2.5.1.9 Capability for Sensor Checks (IEEE-279, Paragraph 4.9)

This is not applicable to safe shutdown display instrumentation.

7.5.2.5.1.10 Capability for Test and Calibration (IEEE-279, Paragraph 4.10)

Calibration checks of the display instrumentation can be made in conjunction with testing of the associated systems.

7.5.2.5.1.11 Channel Bypass (IEEE-279, Paragraph 4.11)

This is not applicable.

7.5.2.5.1.12 Operating Bypasses (IEEE-279, Paragraph 4.12)

This is not applicable.

7.5.2.5.1.13 Indication of Bypass (IEEE-279, Paragraph 4.13)

This is not applicable.

7.5.2.5.1.14 Access to Means for Bypassing (IEEE-279, Paragraph 4.14)

Bypassing is not applicable.

7.5.2.5.1.15 Multiple Setpoints (IEEE-279, Paragraph 4.15)

This design requirement is not applicable to safety-related display instrumentation.

7.5.2.5.1.16 Completion of Protective Action Once It Is Initiated (IEEE-279, Paragraph 4.16)

This is not applicable.

7.5.2.5.1.17 Manual Actuation (IEEE-279, Paragraph 4.17)

Manual actuation is not applicable to display instrumentation.

7.5.2.5.1.18 Access to Setpoints (IEEE-279, Paragraph 4.18)

This design requirement is not applicable to display instrumentation.

7.5.2.5.1.19 Identification of Protective Action (IEEE-279, Paragraph 4.19)

Indicators will indicate protective actions at the channel level.

7.5.2.5.1.20 Information Read Out (IEEE-279, Paragraph 4.20)

Indicators will provide required information.

7.5.2.5.1.21 System Repair (IEEE-279, Paragraph 4.21)

This design requirement is not directly applicable; however, the indicators provide diagnostic information and are replaceable.

7.5.2.5.1.22 Identification (IEEE-279, Paragraph 4.22)

Indicators are identified.

7.5.2.5.2 Conformance with IEEE-323

See Section 3.11

7.5.2.5.3 Conformance with IEEE-344

See Section 3.10

7.5.2.5.4 Regulatory Guide 1.22, Periodic Testing of Protection System Actuation Function

Calibration checks may be made of the display instrumentation in conjunction with testing of the associated system.

7.5.2.5.5 Regulatory Guide 1.47, Bypassed and Inoperable Status Indicator for Nuclear Power Plant Safety Systems

Regulatory Guide 1.47 is not applicable to safety related display instrumentation (SRDI) because the SRDI is designed to operate continuously and thereby allows continuous instrument status monitoring. Removal of instrumentation for servicing during plant operation is administratively controlled. The bypassed and inoperable status indications for the ESF systems are automatically activated and indicated in the main control room should any system or part of a system become inoperable. The bypassed and inoperable status annunciators and indicators are capable of being manually tested from the main control room.

7.5.2.5.6 Regulatory Guide 1.53, Application of the Single Failure Criterion to Nuclear Power Plant Protection Systems

Safety Related Display Instrumentation conforms to the Regulatory Guide as addressed in Paragraph 4.2 of IEEE-279 above.

7.5.2.5.7 Regulatory Guide 1.97

See Subsection 7.1.2.6.23 for degree of conformance.

7.5.2.5.8 Other Regulatory Guides

Conformance to other regulatory guides identified in Table 7.1-3 for safety-related instruments is addressed generically in Section 7.1.2.6.

7.5.2.5.9 Conformance to 10CFR50

A. Appendix A

(1) Criterion 13, Instrumentation and Control

The safety-related display instrumentation is designed to provide reliable information to the operator consistent with this criterion for both normal and accident conditions (see Subsections 7.5.1.2 and 7.5.1.4, respectively).

(2) Criterion 19, Control Room

The safety-related display instrumentation discussed in this section is mounted in the main control room. It is designed to enhance operator awareness of plant functions, contributing to more effective main control room operation. Thus, it is consistent with the intent of this criterion.

(3) Criterion 24, Separation of Protection and Control Systems

Signals feeding the instrumentation are electrically buffered so that failures in the display apparatus cannot be reflected back into essential system functions. Thus, separation between protection and control systems is retained.

(4) GDC 41, Containment Atmosphere Cleanup

Containment atmospheric monitoring and control systems are provided as addressed in Subsections 7.6.1.10 (CAM) and 7.3.1.1.7 (CGCS), respectively. The instrumentation provided with these systems is consistent with the intent of this criterion.

TABLE 7.5-1 CONTROL ROOM SAFETY-RELATED DISPLAY INSTRUMENTATION

Columns: PANEL, SERVICE, PROCESS VARIABLE, INSTRUMENT TYPE, INSTRUMENT NUMBER, DIVISION

System-AP Auxiliary Power
1H13-P822 Bus 1ET4 FDR TO 4160V Bus 1C1 WATTHR JI 1JI-AP783 3
1H13-P852 Bus 1ET4 FDR TO 4160V Bus 1B1 WATTHR JI 1JI-AP775 2
1H13-P862 Bus 1ET4 FDR TO 4160V Bus 1A1 WATTHR JI 1JI-AP767 1
1H13-P877-14B 4160V Bus 1A1 EI 1EI-AP760 1
480V Bus 1A&A Voltage EI 1EI-AP955 1
1H13-P877-15B Voltage 4160V Bus 1B1 Voltage EI 1EI-AP769 2
4160V Bus 1B1 FDR 480V Bus B1 II 1II-AP707 2
TO Current II 1II-AP837 2
4160V Bus 1B1 FDR 480V Bus 1B TO Current

System-B21 Nuclear Boiler System
1H13-P601-17B RPV Pressure-Level Press & Level PR/LR 1B21-R623 B 2
1H13-P601-20B RPV Pressure-Level Press & Level PR/LR 1B21-R623 A 1
1H13-P661 MSIV 1B21-F028A SOL A AMPS II 1B21-R661 A 1
MSIV 1B21-F028B SOL A AMPS II 1B21-R661 B 1
MSIV 1B21-F028C SOL A AMPS II 1B21-R661 C 1
MSIV 1B21-F028D SOL A AMPS II 1B21-R661 D 1
MSIV 1B21-F028A SOL B AMPS II 1B21-R662 A 1
MSIV 1B21-F028B SOL B AMPS II 1B21-R662 B 1
MSIV 1B21-F028C SOL B AMPS II 1B21-R662 C 1
MSIV 1B21-F028D SOL B AMPS II 1B21-R662 D 1
1H13-P662 MSIV 1B21-F022A SOL A AMPS II 1B21-R659 A 2
MSIV 1B21-F022B SOL A AMPS II 1B21-R659 B 2
MSIV 1B21-F022C SOL A AMPS II 1B21-R659 C 2
MSIV 1B21-F022D SOL A AMPS II 1B21-R659 D 2
MSIV 1B21-F022A SOL B AMPS II 1B21-R660 A 2
MSIV 1B21-F022B SOL B AMPS II 1B21-R660 B 2
MSIV 1B21-F022C SOL B AMPS II 1B21-R660 C 2
MSIV 1B21-F022D SOL B AMPS II 1B21-R660 D 2

System-CM Containment
1H13-P601-17B Cont Press & Cont Temp Press & Temp PR/TR 1PR-CM256 1
Cont Press & Cont Temp Press & Temp PR/TR 1PR-CM257 2

1H13-P601-18B Supp Pool Level & Cont Press Level & Press LR/PR 1LR-CM031 2
1H13-P601-19B DW Press & DW Bulk Temp Press & Temp PR/TR 1PR-CM063 1
DW Press & DW Bulk Temp Press & Temp PR/TR 1PR-CM064 2
Supp Pool Level & Supp Pool Level & Temp LR/TR 1LR-CM240 1
Bulk Temp 1LR-CM241 2
Supp Pool Level & Supp Pool Level & Temp LR/TR 1LR-CM030 1
Bulk Temp 1LI-CM260 1
1H13-P601-20B Supp Pool Level & Cont Press Level & Press LR/PR 1LI-CM261 2
1H13-P601-21B Supp Pool Water Level LI 1TR-CM017 1
Supp Pool Water Level LI 1RIX-CM061 1
1H13-P638 Supp Pool Water Temp TR 1RIX-CM059 1
Log Radiation Monitor Cont RIX 1TR-CM018 2
Log Radiation Monitor DW RIX 1RIX-CM062 2
1H13-P639 Supp Pool Water Temp TR 1RIX-CM060 2
Log Radiation Monitor Cont RIX 1TR-CM334 1
Log Radiation Monitor DW RIX 1TR-CM335 2
1H13-P678 Supp Pool Water Temp TR
Supp Pool Water Temp TR

System C-11 CRD Hydraulic System
1H13-P661 Turb First Stage Press Swch 1A PIS 1C11-N654 A 1
Turb First Stage Press Swch 1C PIS 1C11-N654 C 1
1H13-P662 Turb First Stage Press Swch 1B PIS 1C11-N654 B 2
Turb First Stage Press Swch 1D PIS 1C11-N654 D 2

System-DC Direct Current
1H13-P877-14B MCC 1A Voltage EI 1EI-DC001 1
Battery 1A AMM II 1II-DC006 1
1H13-P877-15B MCC 1B Voltage EI 1EI-DC002 2
MCC 1D Voltage EI 1EI-DC003 4
Battery 1B AMM II 1II-DC007 2
Battery 1D AMM II 1II-DC008 4

System-DG Diesel Generator
1H13-P852 DG 1B Output Current II 1II-DG811 B 2
DG 1B Output WATTHR JI 1JI-DG809 2
1H13-P862 DG 1A Output Current II 1II-DG805 B 1
DG 1A Output WATTHR JI 1JI-DG803 1

1H13-P877-14B DG 1A Output Voltage EI 1EI-DG801 1
DG 1A Output Current II 1II-DG805 A 1
DG 1A Output WATTS JI 1JI-DG802 1
DG 1A Output VARS JI 1JI-DG804 1
DG 1A Output Freq SI 1SI-DG819 1
1H13-P877-15B DG 1B Output Voltage EI 1EI-DG807 2
DG 1B Output Current II 1II-DG811 A 2
DG 1B Output WATTS JI 1JI-DG808 2
DG 1B Output VARS JI 1JI-DG810 2
DG 1B Output Freq SI 1SI-DG821 2

System-DO Diesel Oil
1H13-P877-14B DG Fuel Oil Storage TK 1A LI 1LI-DO011 1
DG Fuel Oil Storage TK 1C LI 1LI-DO013 3
1H13-P877-15B DG Fuel Oil Storage TK 1B LI 1LI-DO012 2

System-D17 Process Radiation Monitoring System
1H13-P669 Main Steam Line Rad Monitor RIY 1D17-K610 A 1
1H13-P670 Main Steam Line Rad Monitor RIY 1D17-K610 B 2
1H13-P671 Main Steam Line Rad Monitor RIY 1D17-K610 C 3
1H13-P672 Main Steam Line Rad Monitor RIY 1D17-K610 D 4

System-E12 RHR
1H13-P601 RHR Pmp 1A Motor AMM Amps II 1E12-R555 1
RHR Pmp 1B Motor AMM Amps II 1E12-R556 2
RHR Pmp 1C Motor AMM Amps II 1E12-R557 2
1H13-P601-17B RHR Heat Exch B001B Service Water Flow FI 1E12-R602 B 2
RHR Line B Flow Flow FI 1E12-R603 B 2
RHR Line C Flow Flow FI 1E12-R603 C 2
RHR Heat Exch B001B Temp TI 1E12-R564 2
Service Water Inlet RHR Heat Exch B001B Temp TI 1E12-R566 2
Outlet Service Water Flow FI 1E12-R602 A 1

1H13-P601-20B RHR Heat Exch B001A Flow FI 1E12-R603 A 1
RHR Line A Flow Temp TI 1E12-R563 1
RHR Heat Exch B001A Service Water Inlet Temp TI 1E12-R565 1
RHR Heat Exch B001A Outlet

System-E21 LPCS
1H13-P601-21B LPCS Pump Discharge Flow FI 1E21-R600 1
LPCS Pump Motor AMM Amps II 1E21-N558 1

System-E22 HPCS
1H13-P601-16B HPCS Transformer AMPS II 1E22-R621 3
Reserve Source WATTS JI 1E22-R625 3
HPCS Pump Discharge Pressure PI 1E22-R601 3
HPCS Pump Flow Flow FI 1E22-R603 3
HPCS Test Recirc Vlv POS (1E22-F010) ZI 1E22-R604 3
HPCS Test Recirc Vlv POS (1E22-F011) ZI 1E22-R606 3

System-E32 MSIV-LCS
1H13-P655 HTR B001A MSIV LCS Leakoff Line Temp TI 1E32-R602 A 1
HTR B001E MSIV LCS Leakoff Line Temp TI 1E32-R602 E 1
HTR B001J MSIV LCS Leakoff Line Temp TI 1E32-R602 J 1
HTR B001N MSIV LCS Leakoff Line Temp TI 1E32-R602 N 1
1H13-P601-19B MSIV Blower C001 Suct Press PI 1E32-R500 1
MSIV Blowers C002 B & F Suct Press PI 1E32-R501 1

System-E51 RCIC
1H13-P601 RCIC Turbine Speed Speed SI 1E51-C002-1 1
1H13-P601-21B RCIC Pump Disch Flow Sig to Turb Sp Cont FC 1E51-R600 1
1H13-P601 RCIC Pump Disch Pressure Press PI 1E51-R601 1

System-FC Fuel Pool Cooling and Cleanup
1H13-P800-62B Fuel Pool Clg Pmp 1A Motor AMM II 1II-FC119 1
Fuel Pool Clg Pmp 1B Motor AMM II 1II-FC120 2

System-HG Containment Combustible Gas Control
1H13-P800-63 Compressor 1HG02CA Diff Press PDI 1PDI-HG052 B 1
Compressor 1HG02CB Diff Press PDI 1PDI-HG053 B 2

System-IA Instrument Air
1H13-P601-19B ADS Instr Air HDR Press PI 1PI-IA078 1
ADS Backup Bottles Press PI 1PI-IA080 1
ADS Instr Air HDR Press PI 1PI-IA079 2
ADS Backup Bottles Press PI 1PI-IA081 2

System-VG Standby Gas Treatment
1H13-P801-66B SGTS Train A Flow through DMPR 01YA FI 0FI-VG004 1
CTMT Gas Cont Boundary N & S PDI 0PDI-VG001 1
SGTS Train A Upstream HEPA Fltr 07FA PDI 0PDI-VG023 1
SGTS Train A Downstream HEPA Fltr 11FA PDI 0PDI-VG024 1
SGTS Train A Inlet Temp TI 0TI-VG-021 1
SGTS Train A Outlet Temp TI 0TI-VG022 1
1H13-P801-67B SGTS Train B Flow through DMPR 01YB FI 0FI-VG104 2
CTMT Gas Cont Boundary E & W PDI 0PDI-VG101 2
SGTS Train B Upstream HEPA Fltr 07FB PDI 0PDI-VG123 2
SGTS Train B Upstream HEPA Fltr 11FB PDI 0PDI-VG124 2
SGTS Train B Inlet Temp TI 0TI-VG121 2
SGTS Train B Outlet Temp TI 0TI-VG122 2

System-SM Suppression Pool Makeup
1H13-P601 Supp Pool Level, Cont & RPV Press Level & Press LR/PR 1LR-SM014 1
1H13-P601 Supp Pool Level, Cont & RPV Press Level & Press LR/PR 1LR-SM016 2

CPS/USAR CHAPTER 07 7.5-34 REV. 11, JANUARY 2005 TABLE 7.5-2 THIS TABLE HAS BEEN INTENTIONALLY DELETED

CPS/USAR REV. 10, November 2002 Figures 7.1-1 and 7.1-2 Deleted

CPS/USAR CHAPTER 07 REV. 12, JAN 2007 FIGURE 7.2-1 HAS BEEN DELETED

CPS/USAR CHAPTER 07 REV. 12, JAN 2007 FIGURE 7.3-1 HAS BEEN DELETED

CPS/USAR CHAPTER 07 REV. 12, JAN 2007 FIGURES 7.3-5 AND 7.3-6 HAVE BEEN DELETED

CPS/USAR REV. 10, November 2002 Figures 7.5-3 through 7.5-5 Deleted

CPS/USAR CHAPTER 07 REV. 12, JAN 2007 FIGURES 7.5-7 THROUGH 7.5-9 HAVE BEEN DELETED

CPS/USAR REV. 10, November 2002 Figures 7.6-1 through 7.6-9 Deleted

CPS/USAR CHAPTER 07 REV. 12, JAN 2007 FIGURES 7.6-12 THROUGH 7.6-14 HAVE BEEN DELETED

CPS/USAR CHAPTER 07 REV. 12, JAN 2007 FIGURE 7.6-16 HAS BEEN DELETED

CPS/USAR CHAPTER 07 REV. 12, JAN 2007 FIGURES 7.6-18 AND 7.6-19 HAVE BEEN DELETED

CPS/USAR CHAPTER 07 REV. 12, JAN 2007 FIGURE 7.6-21 HAS BEEN DELETED

CPS/USAR CHAPTER 07 REV. 12, JAN 2007 FIGURES 7.7-3 AND 7.7-4 HAVE BEEN DELETED

CPS/USAR CHAPTER 07 REV. 12, JAN 2007 FIGURE 7.7-7A HAS BEEN DELETED

CPS/USAR CHAPTER 07 REV. 12, JAN 2007 FIGURES 7.7-8 AND 7.7-9 HAVE BEEN DELETED

CPS/USAR REV. 10, November 2002 Figures 7.7-11 through 7.7-14 Deleted