ML16207A551: Difference between revisions

(Created page by program invented by StriderTol)
(Created page by program invented by StriderTol)
 
(6 intermediate revisions by the same user not shown)
Line 2: Line 2:
| number = ML16207A551
| number = ML16207A551
| issue date = 04/28/2016
| issue date = 04/28/2016
| title = South Texas, Units 1 and 2, Revision 18 to Updated Safety Analysis Report, Chapter 7, Instrumentation and Controls
| title = Revision 18 to Updated Safety Analysis Report, Chapter 7, Instrumentation and Controls
| author name =  
| author name =  
| author affiliation = South Texas Project Nuclear Operating Co
| author affiliation = South Texas Project Nuclear Operating Co
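Review bot: the two title values in this hunk differ only in that the second omits the "South Texas, Units 1 and 2," prefix, which leaves the title without the plant name. The author affiliation field still carries "South Texas Project Nuclear Operating Co", but a reader searching by title would not find the site. Keeping the plant and unit names in the title, or stating in the edit summary why they were dropped, would make the change easier to follow.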
Line 15: Line 15:
| page count = 480
| page count = 480
}}
}}
=Text=
{{#Wiki_filter:STPEGS UFSAR 7.1-1 Revision 1 7
7.0 INSTRUMENTATION AND CONTROLS
==7.1 INTRODUCTION==
This chapter presents the various plant instrumentation and control systems by relating the functional performance requirements, design bases, system descriptions, design evaluations, and tests and inspections for each. The information provided in this chapter emphasizes those instruments and associated equipment which constitute the protection system as defined in Institute of Electrical and Electronics Engineers (IEEE) 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations".
The primary purpose of the instrumentation and control systems is to provide automatic protection and exercise proper control against unsafe and improper reactor operation during steady-state and transient power operations (American Nuclear Society [ANS] Conditions I, II, III) and to provide initiating signals to mitigate the consequences of faulted conditions (ANS Condition IV). ANS conditions are discussed in Chapter 15. Consequently, the information presented in this chapter emphasizes those instrumentation and control systems which are central to assuring that the reactor can be operated to produce power in a manner that ensures no undue risk to the health and safety of the public. Specific system purposes are discussed in the applicable Chapter 7 Sections.
It is shown that the applicable criteria and codes, such as Nuclear Regulatory Commission (NRC) General Design Criteria (GDC) and IEEE standards, concerned with the safe generation of nuclear power are met by these systems. (See Table 7.1-1 for a listing of applicable criteria specifically discussed in various sections and Figure 7.1-1 for instrumentation and controls identification of applicable safety criteria).
Definitions
Terminology used in this chapter is based on the definitions given in IEEE 279-1971. In addition, the following definitions apply:
: 1. Degree of Redundancy - The difference between the number of channels monitoring a variable and the number of channels which, when tripped, will cause an automatic system trip.
: 2. Minimum Degree of Redundancy - The degree of redundancy below which operation is prohibited or otherwise restricted by the Technical Specifications.
: 3. Cold Shutdown Condition - When the reactor is subcritical by at least 1 percent Δk/k, and Tavg is <200°F.
: 4. Hot Shutdown Condition - When the reactor is subcritical by an amount greater than or equal to the margin to be specified in the applicable Technical Specification, and Tavg is greater than or equal to the temperature specified in the applicable Technical Specification.
: 5. Phase A Containment Isolation - Closure of all nonessential process lines which penetrate Containment. This closure is automatically initiated by the safety injection (SI) signal (Section 6.2.4).
: 6. Phase B Containment Isolation - Closure of remaining process lines, initiated by Containment HI-3 pressure signal (process lines do not include Engineered Safety Feature [ESF] lines).
: 7. Protection System Response Times
: a. Reactor Trip System (RTS) Response Time - The time delays are defined as the time required for the reactor trip to be initiated (i.e., the time the rods are free and begin to fall) following a step change in the variable being monitored from 5 percent below (or above) to 5 percent above (or below) the trip setpoint.
: b. ESF Actuation System (ESFAS) Response Time - The interval required for the ESF sequence to be initiated subsequent to the point in time that the appropriate variable(s) exceed setpoints. The response time includes sensor/process (analog) and logic (digital) delay.
Times required for standby diesel generator startup and loading (as applicable) and equipment response times are not included in the protection system response times. These times are, however, considered in the accident analyses discussed in Chapters 6 and 15.
: 8. Reproducibility - Scientific Apparatus Manufacturers Association (SAMA) Standard PMC-20.1-1973, "Process Measurement and Control Terminology", defines reproducibility as "the closeness of agreement among repeated measurements of the output for the same value of input, under normal operating conditions over a period of time, approaching from both directions". It includes drift due to environmental effects, hysteresis, long-term drift, and repeatability. Long-term drift (aging of components, etc.) is not an important factor in accuracy requirements since, in general, the drift is not significant with respect to the time elapsed between testing. Therefore, long-term drift may be eliminated from this definition. Reproducibility, in most cases, is a part of the definition of accuracy (see below).
: 9. Accuracy - An accuracy statement for a device falls under Note 2 of the SAMA Standard PMC-20.1-1973 definition of accuracy, which means reference accuracy or the accuracy of that device at reference operating conditions:  "Reference accuracy includes conformity, hysteresis and repeatability". To adequately define the accuracy of a system, the term "reproducibility" is useful as it covers normal operating conditions. The terms "trip accuracy", "indicated accuracy", etc., then include conformity and reproducibility under normal operating conditions. Where the final result does not have to conform to an actual process variable but is related to another value established by testing, conformity may be eliminated, and the term "reproducibility" may be substituted for "accuracy".
: 10. Normal Operating Conditions - For the South Texas Project Electric Generating Station (STPEGS) Updated Final Safety Analysis Report (UFSAR), these conditions cover all normal process temperature and pressure changes. Also included are ambient temperature changes around the transmitter and racks. This document includes no accuracies under post-accident conditions.
: 11. Readout Devices - For consistency, the final device of a complete channel is considered a readout device. This includes indicators, recorders, and controllers.
: 12. Channel Accuracy - This definition includes accuracy of primary element, transmitter, and rack modules. It does not include readout devices or rack environmental effects, but does include process and environmental effects on field-mounted hardware.
: 13. Indicated and/or Recorded Accuracy - This definition includes channel accuracy, accuracy of readout devices, and rack environmental effects.
: 14. Trip Accuracy - This definition includes comparator accuracy, channel accuracy for each input, and rack environmental effects. This is the tolerance, expressed in process terms (or percent of span), within which the complete channel must perform its intended trip function.
This includes all instrument errors but no process effects such as streaming. The term "actuation accuracy" may be used where the word "trip" might cause confusion (for example, when starting pumps and other equipment).
: 15. Control Accuracy - This definition includes channel accuracy, accuracy of readout devices (isolator, controller), and rack environmental effects. Where an isolator separates control and protection signals, the isolator accuracy is added to the channel accuracy to determine control accuracy, but credit is taken for tuning beyond this point; i.e., the accuracy of these modules (excluding controllers) is included in the original channel accuracy. Control accuracy is simply defined as the accuracy of the control signal in percent of the span of that signal. This includes gain changes where the control span is different from the span of the measured variable. Where controllers are involved, the control span is the input span of the controller.
No error is included for the time in which the system is in a non-steady-state condition.
====7.1.1 Identification of Safety-Related Systems====
Safety-related instrumentation and control systems and their supporting systems are those systems required to function to achieve the system response assumed in the safety evaluation and to assure:
: 1. The integrity of the reactor coolant pressure boundary (RCPB), or
: 2. The capability to shut down the reactor and maintain it in a safe shutdown condition, or
: 3. The capability to prevent or mitigate the consequences of accidents which could result in potential offsite radiation exposures comparable to the guideline exposures stated in 10CFR100.
7.1.1.1 Reactor Trip System. The RTS is described in Section 7.2. The equipment which provides the trip functions is identified and discussed in Section 7.2. Design bases for the RTS are given in Section 7.1.2.1. Figure 7.1-2 includes a single-line diagram of this system. The Solid-State Protection System (SSPS) cabinet layout is shown on Figure 7.1-3. A typical SSPS input relay bay is shown on Figure 7.1-4.
7.1.1.2 Engineered Safety Feature Actuation Systems. The ESF Actuation Systems are those instrumentation and control systems which are needed to actuate the equipment and systems required to mitigate the consequences of ANS Condition II, III, and IV faults (Chapter 15). The ESF and ESF support systems requiring ESFAS actuation are:
: 1. Standby diesel generators and ESF load sequencers
: 2. Emergency Core Cooling System (Safety Injection System)
: 3. Main steam line and feedwater isolation
: 4. Containment isolation (Phase A, Phase B and Containment Ventilation Isolation)
: 5. Containment heat removal (Reactor Containment Fan Coolers and Containment Spray System) 
: 6. Electrical Auxiliary Building Main Area Heating, Ventilating, and Air Conditioning (HVAC) System
: 7. Electrical Penetration Space HVAC System
: 8. Fuel Handling Building HVAC Exhaust Subsystem
: 9. Control Room Envelope HVAC System
: 10. Auxiliary Feedwater System
: 11. Component Cooling Water System
: 12. Essential Cooling Water System
: 13. Essential Chilled Water System
: 14. Various HVAC equipment as required to support these ESF components and systems
The ESFAS are discussed in Section 7.3. Design bases for the ESFAS are given in Section 7.1.2.1.
A single-line diagram of the Westinghouse ESFAS is shown on Figure 7.1-2. The SSPS cabinet layout is shown on Figure 7.1-3.
Systems supporting the ESFAS are the Class 1E AC Power System and the Class 1E 125 vdc Power System. Both power systems are discussed in Chapter 8.
7.1.1.3 Systems Required for Safe Shutdown. Systems required for safe shutdown are defined as those essential for pressure and reactivity control, coolant inventory makeup, and removal of residual heat once the reactor has been brought to a subcritical condition.
Identification of the equipment and systems required for safe shutdown is provided in Section 7.4.
7.1.1.4 Safety-Related Display Instrumentation. Safety-related display instrumentation provides information to the operator to manually perform reactor trip, ESF actuation, post-accident monitoring or safe shutdown functions. Identification of the equipment and systems providing safety-related display instrumentation is provided in Section 7.5 and Appendix 7B.
7.1.1.5 All Other Instrumentation Systems Required for Safety. The systems required for safety, other than the RTS, the ESFAS, safe shutdown systems, and the safety-related display information are categorized as safety support systems. They are those systems and components which have a preventive role in reducing the effect of accidents. Single failures in these systems would not inhibit reactor trip, ESF actuation, or functions required for safe shutdown. The other systems and interlocks required for safety are:
: 1. Instrumentation and Control Power Supply System
: 2. Residual heat removal (RHR) isolation valve interlocks
: 3. Accumulator motor-operated valve interlocks
: 4. Interlocks for switchover from injection to recirculation
: 5. Refueling interlocks
: 6. Monitoring of combustible gas in Containment
: 7. Hot leg recirculation motor-operated valves
: 8. Interlocks for Reactor Coolant System (RCS) pressure control during low temperature operation 
: 9. RHR pump low flow interlock
: 10. Volume Control Tank low-low level interlock
: 11. (Deleted) 
: 12. Chemical and Volume Control System (CVCS) charging header low pressure interlock (to seal injection isolation valves)
: 13. Letdown stop valves interlock
: 14. Boric acid tanks low level interlock
Item 1 above is described in Sections 7.6.1 and 8.3. Item 5 is described in Section 9.1.4. The remaining items are described in Section 7.6.
7.1.1.6 Control Systems Not Required for Safety. Control systems not required for safety include automatic and manual systems with the primary purpose of normal load control, startup and shutdown of the power generating system. As shown in Section 7.7, malfunctions in these systems do not result in unsafe conditions.
7.1.1.7 Anticipated Transients Without Scram (ATWS) Mitigation System Actuation Circuitry (AMSAC). An AMSAC performs those mitigative functions required when an anticipated transient occurs but, due to a postulated common cause failure, a reactor trip is not obtained.
The AMSAC is independent of and diverse from the reactor trip system up to, but not including, the final actuation devices. The AMSAC is discussed in Section 7.8.
7.1.1.8 Plant Comparison. System functions for systems discussed in Chapter 7 are similar to those of the Comanche Peak systems. Functional comparison of the instrumentation and control systems is provided in Table 7.1-2.
7.1.1.9 Designer Identification. The instrumentation and control systems discussed in Chapter 7 are listed in Table 7.1-3 with an indication of the system designer and whether the system is safety-related.
7.1.1.10 Drawings. Instrumentation and control drawings required to perform a safety review are listed in Section 1.7. Certain logic drawings are also provided in the UFSAR where considered appropriate.
Control switch locations, when noted on these drawings, are indicated by panel number. Panels with numbers beginning with ZCP are located in the main control room. Panels with numbers beginning with ZLP are located outside the control room. In particular, the auxiliary shutdown panel (Section 7.4) is designated ZLP-100.
====7.1.2 Identification of Safety Criteria====
Section 7.1.2.1 gives design bases for the systems discussed in Section 7.1.1. Design bases for nonsafety-related systems are provided in the sections which describe the systems. Conservative considerations for instrument errors are included in the accident analyses presented in Chapter 15.
Functional requirements were developed on the basis of the results of the accident analyses, which utilized conservative assumptions and parameters. Functional requirements were used in designing these systems, and a preoperational testing program will verify the adequacy of the design.
Accuracies are given in Sections 7.2 and 7.3. Additional control system failures were evaluated and included in the response to UFSAR NRC Question 032.45.
The documents listed in Table 7.1-1 and on Figure 7.1-1 were considered in the design of the systems given in Section 7.1.1. In general, the scope of these documents is given in the document itself. This determines the systems or parts of systems to which the document is applicable. A discussion of compliance with each document for systems in its scope is provided in the referenced sections given in Table 7.1-1 for each criterion.
7.1.2.1 Design Bases.
7.1.2.1.1 Reactor Trip System:  The RTS automatically prevents operation of the reactor in an unsafe condition by shutting down the reactor whenever the limits of safe operation are approached. The safe operating region is defined by several considerations, such as mechanical/hydraulic limitations on equipment and heat transfer phenomena. Reactor trip setpoints are given in the Technical Specifications.
The design requirements for the RTS are derived by analyses of plant operating and fault conditions where automatic rapid control rod insertion is necessary in order to prevent or limit core or RCPB damage. The design bases addressed in IEEE 279-1971 are discussed in Sections 7.2.1.2 and 7.2.2.2.3. The design limits specified by Westinghouse for the RTS are:
: 1. The minimum departure from nucleate boiling ratio (DNBR) shall not be less than the design basis limit as a result of any anticipated transient or malfunction (ANS Condition II faults).
: 2. Power density shall not exceed the rated linear power density for Condition II faults. See Chapter 4 for fuel design limits.
: 3. The stress limit of the RCS for the various conditions shall be as specified in Chapter 5.
: 4. Release of radioactive material shall not be sufficient to interrupt or restrict public use of those areas beyond the exclusion radius as a result of any ANS Condition III fault.
: 5. For any ANS Condition IV fault, release of radioactive material shall not result in undue risk to public health and safety.
7.1.2.1.2 Engineered Safety Feature Actuation Systems:  The ESFASs act to mitigate the consequences of ANS Condition III events (infrequent faults such as primary coolant spillage from a small rupture which exceeds normal charging system makeup and requires actuation of the Safety Injection System [SIS]). The ESFASs act to mitigate ANS Condition IV events (limiting faults, which include the potential for significant release of radioactive material).
The design bases for the ESFAS are derived from the design bases for each of the ESF systems and support systems and from the accident analyses in Chapters 6 and 15. Design bases requirements of IEEE 279-1971 are addressed in Sections 7.3.1.2, 7.3.2.2, and 7.3.3.2. General design requirements are given below.
: 1. Automatic Actuation Requirements
The primary requirement of the ESFAS is to receive input signals (information) from the various ongoing processes within the reactor plant and Containment and to automatically provide, as output, timely and effective signals to actuate the various ESF components and systems.
: 2. Manual Actuation Requirements
The ESFASs have provisions in the control room for manually initiating appropriate ESF functions.
7.1.2.1.3 Instrumentation and Control Power Supply System:  The Instrumentation and Control Power Supply System provides continuous, reliable, regulated, single-phase ac power to all instrumentation and control equipment required for plant safety. Details of this system are provided in Section 7.6. The design bases are given below:
: 1. The inverters have the capacity and regulation required for the AC output for proper operation of the equipment supplied.
: 2. Redundant loads are assigned to different instrument channels, which are supplied from different inverters.
: 3. Auxiliary devices that are required to operate dependent equipment are supplied from the same distribution panel to prevent a loss of electric power in one protection set from causing the loss of equipment in another protection set. No single failure may cause a loss of power supply to more than one instrument channel.
: 4. Each of the distribution panels has access only to its respective inverter supply and a standby power supply.
: 5. The system complies with IEEE 308-1974, Paragraph 5.4.
7.1.2.1.4 Emergency Power:  Design bases and system descriptions for the emergency power supply are provided in Chapter 8.
7.1.2.1.5 Interlocks:  Interlocks are discussed in Sections 7.2, 7.3, 7.6, and 7.7. The protection (P) interlocks are given in Tables 7.2-2 and 7.3-4. The safety analyses demonstrate that even under conservative critical conditions for either postulated or hypothetical accidents, the protective systems ensure that the Nuclear Steam Supply System (NSSS) will be put into and maintained in a safe state following an ANS Condition II, III, or IV accident commensurate with applicable Technical Specifications and pertinent ANS criteria. The protective systems have been designed to meet IEEE 279-1971 and are entirely redundant and separate, including all permissives and blocks. All blocks of protective function are automatically cleared whenever the protective function would be required in accordance with General Design Criteria (GDC) 20, 21, and 22 and IEEE 279-1971, Paragraphs 4.11, 4.12, and 4.13. Control c interlocks are identified in Table 7.7-1. Because control interlocks are not safety-related, they have not been specifically designed to meet the requirements of IEEE protection system standards.
7.1.2.1.6 Bypasses:  Bypasses are designed to meet the requirements of IEEE 279-1971, Paragraphs 4.11, 4.12, 4.13, and 4.14. A discussion of the bypasses provided is given in Sections 7.2 and 7.3. The capability of bypass testing is provided for the 7300 Process Protection System Reactor Trip and Engineered Safety Features Actuation functions and Nuclear Instrumentation System Reactor Trip functions.
The Bypass Test Instrumentation that allows testing in a bypassed condition instead of a tripped condition conforms to applicable regulatory criteria including IEEE-Std 279-1971 and Regulatory Guide 1.47. Additional information concerning test in bypass can be found in WCAP-15631.
7.1.2.1.7 Equipment Protection:  The criteria for equipment protection are given in Chapter 3. Equipment related to safe operation of the plant is designed, constructed, and installed to protect it from damage. This is accomplished by working to accepted standards and criteria aimed at providing reliable instrumentation which is available under varying conditions. During construction, independence and separation are achieved, as required by IEEE 279-1971, IEEE 384-1974, and Regulatory Guide (RG) 1.75, either by barriers, physical separation, or demonstration test. This serves to protect against loss of function.
7.1.2.1.8 Diversity:  Functional diversity has been designed into the system. Functional diversity is discussed in Reference 7.1-1. The extent of the diverse system variables has been evaluated for a wide variety of postulated accidents. Generally, two or more diverse protection functions would automatically terminate an accident before unacceptable consequences could occur.
Regarding the ESFAS for a Loss-of-Coolant Accident (LOCA), a SI signal can be obtained manually or by automatic initiation from two diverse parameter measurements:
: 1. Low pressurizer pressure
: 2. High Containment pressure (HI-1)
For a steam line break accident, diversity of SI actuation is provided by:
: 1. Low compensated steam line pressure
: 2. Low pressurizer pressure
: 3. For a steam line break inside Containment, high Containment pressure (HI-1) provides an additional parameter for generation of the signal.
All of the above sets of signals are redundant and physically separated and meet the requirements of IEEE 279-1971.
7.1.2.1.9 Bistable Trip Setpoints: Three values applicable to reactor trip and ESF actuations are specified:
: 1. Safety limit
: 2. Limiting value
: 3. Nominal setpoint
The safety limit is the value assumed in the accident analysis and is the least conservative value.
The limiting value is the Technical Specification value and is obtained by subtracting a safety margin from the safety limit. The safety margin accounts for instrument error, process uncertainties such as flow stratification and transport factor effects, etc.
The nominal setpoint is the value set into the equipment and is obtained by subtracting allowances for instrument drift from the limiting value. The nominal setpoint allows for the normal expected instrument setpoint drifts so that the Technical Specification limits will not be exceeded under normal operation.
The setpoints that require trip action are given in the Technical Specifications. A further discussion on setpoints is found in Section 7.2.2.2.1.
The trip setpoint is determined by factors other than the most accurate portion of the instrument's range. The safety limit is determined only by the accident analysis. As described above, allowance is then made for process uncertainties, instrument error, instrument drift, and calibration uncertainty to obtain the nominal setpoint value which is actually set into the equipment. The only requirement on the instrument's accuracy value is that, over the instrument span, the error must always be less than or equal to the error value allowed in the accident analysis. The instrument does not need to be the most accurate at the setpoint value as long as it meets the minimum accuracy requirement. The accident analysis accounts for the expected errors at the actual setpoint.
Range selection for the instrumentation covers the expected range of the process variable being monitored consistent with its application. The design of the RTS and ESFAS is such that the bistable trip setpoints do not require process transmitters to operate within 5 percent of the high and low end of their calibrated span or range. Functional requirements established for every channel in the RTS and ESFAS stipulate the maximum allowable errors on accuracy, linearity, and reproducibility. The protection channels are tested to ascertain that the characteristics throughout the entire span in all aspects are acceptable and meet functional requirement specifications. As a result, no protection channel operates within 5 percent of the limits of its specified span.
Emphasis is placed on establishing adequate performance requirements under both normal and faulted conditions. This includes consideration of process transmitter margins so that even under a highly improbable situation of full-power operation at the limits of the operating map (as defined by the high and low-pressure reactor trip, ΔT overpower and overtemperature trip lines [departure from nucleate boiling protection], and the steam generator safety valve pressure setpoint), adequate instrument response is available to ensure plant safety.
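The setpoint chain of Section 7.1.2.1.9 (safety limit, limiting value, nominal setpoint) and the 5 percent span-edge rule, worked through in code as an added example that is not part of the UFSAR. The channel names and all numbers are constructed, and the handling of falling-variable trips (allowances added instead of subtracted) is a generalization beyond the text's "subtracting" wording.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class TripChannel:
    """One bistable trip function; all values are in process units."""
    name: str
    span_low: float         # bottom of the transmitter's calibrated span
    span_high: float        # top of the calibrated span
    safety_limit: float     # value assumed in the accident analysis
    safety_margin: float    # instrument error plus process uncertainties
    drift_allowance: float  # expected setpoint drift between tests
    trips_on_rising: bool   # True: trips when the variable rises to the setpoint


def derive_setpoints(ch: TripChannel) -> Tuple[float, float]:
    """Return (limiting_value, nominal_setpoint).

    Rising trip: both allowances are subtracted, as the text states.
    Falling trip: they are added, so the setpoint still moves away from
    the safety limit (assumption of this example).
    """
    if ch.safety_margin < 0 or ch.drift_allowance < 0:
        raise ValueError("margin and drift allowance must be non-negative")
    step = -1.0 if ch.trips_on_rising else 1.0
    limiting_value = ch.safety_limit + step * ch.safety_margin
    nominal_setpoint = limiting_value + step * ch.drift_allowance
    return limiting_value, nominal_setpoint


def as_found_ok(ch: TripChannel, as_found: float) -> bool:
    """Surveillance check: has a measured setpoint stayed on the
    conservative side of the limiting (Technical Specification) value?"""
    limiting_value, _ = derive_setpoints(ch)
    if ch.trips_on_rising:
        return as_found <= limiting_value
    return as_found >= limiting_value


def check_channel(ch: TripChannel, edge_band: float = 0.05) -> List[str]:
    """Return design findings; an empty list means none were found."""
    if ch.span_high <= ch.span_low:
        raise ValueError("span_high must exceed span_low")
    _, nominal = derive_setpoints(ch)
    findings = []
    if not ch.span_low <= ch.safety_limit <= ch.span_high:
        findings.append(f"{ch.name}: safety limit lies outside the span")
    # The text requires that setpoints not sit within 5 percent of
    # either end of the transmitter's calibrated span.
    fraction = (nominal - ch.span_low) / (ch.span_high - ch.span_low)
    if fraction < edge_band or fraction > 1.0 - edge_band:
        findings.append(
            f"{ch.name}: nominal setpoint at {fraction:.1%} of span, "
            f"inside the {edge_band:.0%} edge band"
        )
    return findings


# Constructed channels for illustration only; not plant data.
HIGH = TripChannel("constructed high-pressure trip",
                   1700.0, 2500.0, 2410.0, 25.0, 5.0, True)
LOW = TripChannel("constructed low-pressure trip",
                  1700.0, 2500.0, 1845.0, 25.0, 5.0, False)
EDGE = TripChannel("constructed high-level trip",
                   0.0, 100.0, 99.0, 1.0, 0.5, True)

if __name__ == "__main__":
    for channel in (HIGH, LOW, EDGE):
        limiting, nominal = derive_setpoints(channel)
        print(channel.name, "limiting:", limiting, "nominal:", nominal)
        for finding in check_channel(channel):
            print("  finding:", finding)
```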
7.1.2.1.10 AMSAC:  The requirements for the AMSAC are specified in Title 10 of the Code of Federal Regulations, Part 50.62. The design of the AMSAC is based on transient analyses, referenced in UFSAR Section 15.8, where the limiting ATWS event has been shown to be a loss of feedwater event without an ensuing reactor trip. Based on these analyses it has been concluded that the mitigative functions performed by the AMSAC are sufficient to prevent unacceptable offsite radioactive doses and to maintain reactor coolant system pressure to within ASME Stress Level C.
7.1.2.2 Independence of Redundant Safety-Related Systems. The safety-related systems in Section 7.1.1 are designed to meet the independence and separation requirements of GDC 22 and IEEE 279-1971, Paragraph 4.6.
The electrical power supply, instrumentation, and control conductors for redundant circuits have physical separation to preserve the redundancy and to ensure that no single credible event will prevent operation of the associated function due to electrical conductor damage. Critical circuits and functions include power, control, and analog instrumentation associated with the operation of the RTS or ESFAS. Credible events include, but are not limited to, the effects of electrical faults, pipe rupture, missiles, fire, etc., and are considered in the basic plant design.
7.1.2.2.1 General:  For the criteria and design bases for the installation of electrical cable and wiring for safety-related systems, see the referenced sections noted as follows:
: 1. Cable derating and cable tray fill (Section 8.3)
: 2. Cable routing in congested areas and areas of hostile environment (Section 8.3)
: 3. Separation criteria for cables and wiring (Section 8.3.1.4) 
: 4. Fire detection and protection in areas where cables are installed (Section 9.5.1)
: 5. Cable and cable tray marking (Section 8.3)
: 6. Spacing of wiring and components in control boards, panels, and relay racks (Section 8.3)
The following criteria establish the minimum requirements for physical separation of redundant instrument impulse lines for the RTS and ESFAS for eliminating the possibility of damage to more than one redundant impulse line as a result of any one incident:
: 1. Impulse lines in the same channel may be routed together, but those of redundant channels are separated.
: 2. Redundant impulse lines are physically separated by a minimum distance of 18 inches.
Redundant transmitter impulse lines penetrating walls are also physically separated. If separation is not practicable, then a suitable barrier is used to protect against common failures.
Suitable barriers include structural steel shapes, building structures (such as walls), and guard pipes, for example.
: 3. Special shielding is incorporated in areas where particular missiles or other hazards are identified.
The physical separation criteria for redundant safety-related system sensors, sensing lines, wireways, cables, components on racks, and the Integrated Head Package within Westinghouse's NSSS scope meet recommendations contained in RG 1.75, with the following comments:
: 1. The Westinghouse design of the protection system relied on the provisions of IEEE 384-1974 relative to overcurrent devices to prevent malfunctions in one circuit from causing unacceptable influences on the functioning of the protection system. The protection system uses redundant instrumentation channels and actuation trains and incorporates physical and electrical separation to prevent faults in one channel from degrading any other protection channel.
: 2. Separation recommendations for redundant instrumentation racks are not the same as those given for the control boards in RG 1.75, Regulatory Position C.16 because of different functional requirements. Main control boards contain redundant circuits which are required to be physically separated from each other. However, since there are no redundant circuits which share a single compartment of an NSSS protection instrumentation rack, and since these redundant protection instrumentation racks are physically separated from each other, the physical separation requirements specified for the main control board do not apply.
However, redundant, isolated control signal cables leaving protection cabinets are brought into close proximity elsewhere in the plant; e.g., the control board. It could be postulated that electrical faults, or interference, at these locations might be propagated into redundant cabinets and degrade protection circuits because of the close proximity of protection and control wiring within each cabinet. RG 1.75, Regulatory Position C.4, and IEEE 384-1974, Paragraph 4.5(3), provide the option to demonstrate that the absence of physical separation could not significantly reduce the availability of Class 1E circuits.
The nuclear instrumentation and SSPS tests were included in the "Westinghouse Protection System Noise Tests" report submitted to and accepted by the NRC in support of the Diablo Canyon application (docket numbers 50-275 and 50-323). The tests on the Process Control System 7300 Series are reported in Reference 7.1-4; test conclusions were accepted by the NRC. Tests on the Qualified Display Processing System are reported in Reference 7.1-5.
Provisions are made to provide assurance that maximum credible fault voltages and conditions which could be postulated in the STPEGS nuclear station, as a result of balance-of-plant cable routing design, do not exceed those used in the tests.
These Westinghouse tests demonstrated that the protection system's performance would not be degraded even if subjected to abnormal electrical conditions which far exceed those which can be reasonably postulated.
: 3. The physical separation criteria for instrument cabinets within Westinghouse's NSSS scope meet the recommendations contained in IEEE 384-1974, Paragraph 5.7.
: 4. Separation between cabling groups on the Integrated Head Package and Rapid Refueling Bridge is maintained to the greatest extent practicable, but the 3-ft horizontal and 5-ft vertical criteria cannot be maintained in this area. Damage by single events is not credible because of the protected area of the reactor cavity and the missile interference provided by the Integrated Head Package. The core exit thermocouple and reactor vessel water level heated junction thermocouple signals are low level electrical signals contained within mineral-oxide insulated and stainless steel jacketed cables. (Refer to Appendix 7.A.II.F.2 for further details on the core exit thermocouples.) The cables for head vent valves are contained within flexible metallic tubing and are normally deenergized.
7.1.2.2.2 Specific Systems:  Independence is maintained throughout the system, extending from the sensor through to the devices actuating the protective function. Physical separation is used to achieve separation of redundant transmitters. Separation of wiring is achieved using separate wireways, cable trays, conduit runs, and Containment penetrations for each redundant protection channel set. Redundant analog equipment is separated by locating modules in different protection sets. Each redundant protection set is energized from a separate ac power feed.
7.1.2.2.2.1 Protection Sets - There are four separate process analog sets. In these process analog sets, some cards are replaced with new cards developed by Westinghouse using Application Specific Integrated Circuit (ASIC) technology. The ASIC-based replacement modules (ABRMs) are direct card-for-card replacement modules for the Westinghouse 7300 Process Protection System (PPS) or Process Control System (PCS). Separation of redundant analog channels begins at the process sensors and is maintained in the field wiring, Containment penetrations, and analog protection cabinets to the redundant trains in the logic racks. Separate routing is maintained for the four basic protection sets of analog sensing signals, bistable output signals, and power supplies. The separation of these four protection sets is maintained from the sensors to protection set cabinets to SSPS input cabinets.
In the Nuclear Instrumentation System (NIS), Process Control System, and SSPS input cabinets where redundant channel instrumentation is physically adjacent, there are no wireways or cable penetrations which would permit, for example, a fire resulting from electrical failure in one channel to propagate into redundant channels in the logic racks. Redundant analog channels are separated by locating modules in different cabinets. Since all equipment within any cabinet is associated with a single protection set, there is no requirement for separation of wiring and components within the cabinet.
7.1.2.2.2.2 Reactor Trip System - Two reactor trip breakers are actuated by two separate logic matrices which interrupt power to the control rod drive mechanisms (CRDMs). The breaker main contacts are connected in series with the power supply so that opening either breaker interrupts power to all CRDMs, permitting the rods to free fall into the core.
Separate routing of the redundant reactor trip signals is maintained from the SSPS cabinets by spatial separation, by provision of barriers or by separate cable trays or wireways, as discussed in Section 8.3.
7.1.2.2.2.3 Engineered Safety Features Actuation System - The various ESF systems are actuated by the ESFAS. Separate routing of the redundant ESF actuation signals is maintained by spatial separation, by provision of barriers, or by separate cable trays or wireways, as discussed in Section 8.3.
Separate routing of control and power circuits associated with the operation of ESF equipment is required to retain redundancies provided in the system design and power supplies.
7.1.2.2.2.4 Instrumentation and Control Power Supply System - The separation criteria presented also apply to the power supplies for the load centers and busses distributing power to redundant components and to the control of these power supplies.
7.1.2.2.3 Fire Protection:  For electrical equipment within the NSSS scope of supply, Westinghouse specifies noncombustible or fire-retardant material and conducts vendor-supplied specification reviews of this equipment, including assurance that materials are not used that might ignite or explode from an electrical spark or flame or from heating, or that would independently support combustion. These reviews also include assurance of conservative current-carrying capacities of all instrument cabinet wiring, which precluded electrical fires resulting from excessive overcurrent (I²R) losses. For example, wiring used for instrument cabinet construction has Teflon or Tefzel insulation and is adequately sized based on current-carrying capacities set forth by the National Electric Code. Braided sheathed material is noncombustible.
Details of the plant's fire protection provisions are provided in Section 9.5.1. Further information is provided in the Fire Hazards Analysis Report, provided under separate cover to the NRC.
7.1.2.3 Physical Identification of Safety-Related Equipment. There are four separate protection sets identifiable with process equipment associated with the RTS and ESFAS. A protection set may consist of more than a single process equipment cabinet. The color-coding of each process equipment cabinet nameplate coincides with the color code established for the protection set of which it is a part. Redundant channels are separated by locating them in different equipment cabinets. Separation of redundant channels begins at the process sensors and is maintained in the field wiring, Containment penetrations, and equipment cabinets to the redundant trains in the logic racks. The SSPS input cabinets are divided into four isolated compartments, each serving one of the four redundant input channels. Horizontal 1/8-inch-thick solid steel barriers, coated with fire-retardant paint, separate the compartments. Four 1/8-inch-thick solid steel wireways coated with fire-retardant paint enter the input cabinets vertically in their own quadrant. The wireway for a particular compartment is open only into that compartment so that flame cannot propagate to affect other channels. A diagram of the input cabinet is given on Figure 7.1-4. At the logic racks, the protection set color-coding for redundant channels is clearly maintained until the channel loses its identity in the redundant logic trains. The color-coded nameplates described in Section 8.3.1.4 provide identification of equipment associated with protective functions and their channel set association.
Non-cabinet-mounted protective equipment and components are provided with identification tags or nameplates. Small electrical components such as relays have nameplates on the enclosure which houses them. Cables are numbered with identification tags. In congested areas, such as under or over the control boards, instrument racks, etc., cable trays and conduits containing redundant circuits are identified using permanent markings, to facilitate cable routing identification for future modification or additions. Positive permanent identification of cables and/or conductors is made at terminal points. There are also identification nameplates on the input panels of the SSPS.
7.1.2.4 Conformance to Criteria. A list of applicable criteria and the sections where conformance is discussed is given in Table 7.1-1. Comments relative to certain specific criteria are given below. RG conformance is also identified in Section 3.12.
7.1.2.5 Conformance to Regulatory Guide 1.22. Periodic testing of the RTS and ESFAS, as described in Sections 7.2.2 and 7.3, complies with RG 1.22.
Where the ability of a system to respond to a bona fide accident signal is intentionally bypassed for the purpose of performing a test during reactor operation, each bypass condition is automatically indicated to the reactor operator in the control room by separate annunciator for the train in test. Test circuitry will cause a reactor trip if two trains are inadvertently placed in test at the same time.
Administrative and procedural controls are used to prevent testing of more than one protection set of the analog circuitry simultaneously.
The actuation logic for the RTS and ESFAS is tested as described in Sections 7.2 and 7.3. As recommended by RG 1.22, where actuated equipment is not tested during reactor operation, the following were determined:
: 1. There is no practicable system design that would permit operational testing of the equipment without adversely affecting the safety or operability of the plant;
: 2. The probability that the protection system will fail to initiate the operation of the equipment is, and can be maintained, acceptably low without testing the equipment during reactor operation; and
: 3. The equipment can be routinely tested when the reactor is shut down.
Equipment that may not be tested at full power in order to avoid damaging equipment or upsetting plant operation is listed below:
Manual actuation switches (RTS and ESFAS)
Reactor coolant pump breakers
Main steam isolation valves
Main feedwater isolation valves (full close)
Feedwater control valves (close)
Reactor coolant pump seal water return valves (close)
Certain slave relays in the SSPS
In addition, some valves that have power locked out are not tested while power is locked out.
The justifications for not testing the above items at full power are discussed below.
: 1. Manual Actuation Switches - These would cause initiation of their protection system function at power, causing plant upset and/or reactor trip. It should be noted that the reactor trip function derived from the automatic SI signal is tested at power as follows:
The analog signals, from which the automatic SI signal is derived, are tested at power in the same manner as the other analog signals, and as described in Section 7.2.2.2.3.10. The processing of these signals in the SSPS, where their channel orientation converts to a logic train orientation, is tested at power by the built-in semi-automatic test provisions of the SSPS. The reactor trip breakers are tested at power as discussed in Section 7.2.
: 2. Tripping of Reactor Coolant Pump (RCP) Breakers - No credit is taken in the accident analyses for an RCP breaker opening causing a direct reactor trip. Since testing them at power would cause plant upset, the RCP breakers do not need to be tested at power.
: 3. Closing the Main Steam Isolation Valves - Full closure of the main steam isolation valves (MSIVs) is periodically tested as required by the Technical Specifications. Testing of the MSIVs to full closure at power is not practicable. As the plant power is increased, the coolant average temperature is programmed to increase. If the valves are closed under these elevated temperature conditions, the steam pressure transient would unnecessarily operate the steam generator (SG) power-operated relief valves and possibly the SG safety valves. The steam pressure transient produced would cause shrinkage in the SG water level, which would cause the reactor to trip on low-low SG water level. Testing during operation will decrease the operating life of the valve.
The proposed resolution below meets the guidelines of Regulatory Position D.4 of RG 1.22, based on the above-identified problems incurred with periodic testing of the MSIVs at power. Since (1) no practicable system design will permit full closure of the valves without adversely affecting the safety or operability of the plant, (2) the probability that the protection system will fail to initiate the actuated equipment is acceptably low due to testing up to final actuation, and (3) these valves will be periodically tested as required per Section 10.3.4 "Inspection and Testing Requirements".
: 4. Closing the Feedwater Isolation Valves - The feedwater isolation valves (FWIVs) are periodically tested as required by the Technical Specifications. Periodic testing of FWIVs, closing them completely at power, would induce SG water level transients and oscillations, which would trip the reactor. These transient conditions would be caused by perturbing the feedwater (FW) flow and pressure conditions necessary for proper operation of the variable-speed FW Pump Control System and the SG Water Level Control System. Any operation which induces perturbations in the main FW flow, whether deliberate or otherwise, generally leads to a reactor trip and should be avoided.
Since (1) no practicable system design will permit operation of these valves without adversely affecting the safety or operability of the plant, (2) the probability that the protection system will fail to initiate equipment operation is acceptably low without testing the equipment during reactor operation, and (3) these valves can be tested while the reactor is shutdown, the FWIVs will be tested during cold shutdown.
: 5. Closing the Feedwater Control Valves - The FW control valves are periodically tested. To close them at power would adversely affect the operability of the plant. The verification of operability of FW control valves at power is assured by confirmation of proper operation of the SG Water Level Control System. The actual actuation function of the solenoid, which provides the closing function, is periodically tested at power, as discussed in Section 7.3. The operability of the slave relay which actuates the solenoid, which is the actuating device, is verified during this test. Although the actual closing of these control valves is blocked when the slave relay is tested, all functions are tested to assure that no electrical malfunctions have occurred which could defeat the protective function. The solenoids work on the energize-to-actuate principle, so that the FW control valves remain in the modulate mode upon loss of power and close upon loss of air pressure.
Based on the above, the testing of the isolating function of FW control valves meets the guidelines of Regulatory Position D.4 of RG 1.22.
: 6. Seal Water Return Valves (Close) - Seal water return line isolation valves are periodically tested. Closure of these valves during operation would cause the seal water return safety valve to lift, with the possibility of valve chatter which would damage this safety valve.
Testing of these valves at power would cause equipment damage. Therefore, these valves are tested during plant outages. Additional Containment penetrations and Containment isolation valves would introduce additional unnecessary potential pathways for radioactive release following a postulated accident. Thus, the guidelines of Regulatory Position D.4 of RG 1.22 are met.
: 7. Certain Slave Relays - Certain other devices were identified whose operation during full-power plant operation would cause plant upset. Therefore testing of these slave relays will be performed during outages and/or refuelings, as is identified in the Technical Specifications. A summary of these devices, the associated slave relays and the rationale for not testing these slave relays during power operation was provided to the NRC by letter ST-HL-AE-2115, Mr. M. R. Wisenburg of Houston Lighting and Power Company to U. S. Nuclear Regulatory Commission, dated April 22, 1987.
: 8. Power Locked Out Valves - Technical Specifications require power to be locked out for the accumulator discharge isolation valves above 1000 psig pressurizer pressure. The purpose of the power lockout is to prevent inadvertent closing of the accumulator discharge isolation valves since they do not meet single failure criteria. For these valves, only a continuity test of actuating relays is performed when power is required to be locked out.
7.1.2.6 Conformance to Regulatory Guide 1.47. The design of the safety-related equipment bypass status indication system complies with the requirements of Section 4.13 of IEEE 279-1971 and satisfies the recommendations of RG 1.47. The Bypass Indication System is designed as follows:
: 1. The Bypass Indication System is located in the control room and is isolated from safety-related systems. Bypass indication is grouped on a system basis with separate groups for trains A, B, and C.
: 2. The bypass indication system does not perform functions essential to the public health and safety during an accident nor do administrative procedures require immediate operator action based solely on bypass indications.
: 3. Appropriate separation criteria are applied to the design and installation of the system in order to avoid degradation of the safety-related systems.
: 4. The capability for assuring the operable status of the system is provided.
: 5. Bypass indication on a system basis is provided for the following systems:
: a. Safety Injection System
: b. Containment Spray System
: c. Containment Isolation Phase A
: d. Containment Ventilation Isolation
: e. Class 1E 125-volt DC and 120-volt Vital AC systems
: f. Containment Hydrogen Monitoring System (Section 7.6.5).
: g. Containment Heat Removal System
: h. Fuel Handling Building HVAC Exhaust Subsystem
: i. Solid State Protection System
: j. Feedwater Isolation
: k. Steam Line Isolation
: l. Auxiliary Feedwater System
: m. Electrical Penetration Space HVAC System
: n. Control Room Envelope and Electrical Auxiliary Building Main Area HVAC Systems
: o. Containment Isolation Phase B
: 6. The following support systems, when bypassed or rendered inoperable, activate bypass indication for that system plus all supported systems identified in item 5 above:
: a. Component Cooling Water System
: b. Essential Cooling Water System
: c. ESF Bus System (including the standby diesel generator and the ESF load sequencers) 
: d. Essential Chilled Water System
: e. Supporting HVAC equipment
7.1.2.7 Conformance to Regulatory Guide 1.53 and IEEE 379-1972. The principles described in IEEE Standard 379-1972 are used in the design of the Westinghouse protection system and the Houston Lighting & Power (HL&P) (historical context) supplied ESFAS. The systems comply with the intent of this standard and the additional guidance of RG 1.53. For the Westinghouse systems, the formal analyses have not been documented exactly as outlined in IEEE 379. Westinghouse has gone beyond the required analyses and has performed a fault-tree analysis (Ref. 7.1-1).
The referenced topical report provides details of the analyses of the protection systems previously made to show conformance with the single-failure criterion set forth in IEEE 279-1971, Paragraph 4.2. The interpretation of "single-failure criterion" provided by IEEE 379-1972 does not indicate substantial differences from the Westinghouse interpretation of the criterion except in the methods used to confirm design reliability. Established design criteria in conjunction with sound engineering practices form the bases for the Westinghouse protection systems. The RTS and ESFAS are each redundant safety systems. The required periodic testing of these systems will disclose any failures or loss of redundancy which could have occurred in the interval between tests, thus ensuring the availability of these systems.
The design of the instrumentation and controls for the Fuel Handling Building (FHB) HVAC Exhaust Subsystem and Control Room Envelope HVAC System conforms to the requirements of IEEE 379-1972 and is consistent with the guidance contained in RG 1.53. The design of these systems includes consideration of potential faults and failures on a system basis to assure that the protective function would be performed. Channel independence has been verified in the design to ensure that there is no potential for common mode failures for each of the redundant sensor channels on these actuation channels. Periodic testing of each channel is accomplished by tripping the radiation sensor and verifying that the appropriate HVAC equipment actuates. The required periodic testing of these systems will disclose any failures or loss of redundancy which could have occurred in the interval between tests, thus ensuring the availability of these systems.
The Containment Combustible Gas Monitoring System is manually started and has no actuation function. However, the design of the system controls complies with the intent of IEEE 379-1972 and the guidance of RG 1.53. Periodic tests ensure that the gas monitors will function as required to assure their availability in the event of a LOCA.
7.1.2.8 Conformance to Regulatory Guide 1.63 (IEEE 317-1976). Design conformance to RG 1.63 (IEEE 317-1976) for electrical penetration assemblies in the Containment structure is discussed in Section 8.3.
7.1.2.9 This section is not used.
7.1.2.10 Conformance to Regulatory Guide 1.30 (IEEE 336-1971). Design conformance to RG 1.30 (IEEE 336-1971) for the installation, inspection, and testing requirements for instrumentation and electrical equipment is discussed in Section 8.3.
7.1.2.11 Conformance to Regulatory Guide 1.118 (IEEE 338-1977). The periodic testing of the RTS and ESF Actuation System conforms to the requirements of IEEE 338-1977, and the guidance of RG 1.118 with the following comments:
: 1. The testing program for these systems complies with the intent of the standard and the additional guidance of RG 1.118. For items concerning IEEE 338-77, Section 6, "Testing Program", exceptions and clarifications may be identified during procedure development.
: 2. The surveillance requirements of the Technical Specifications for the protection systems ensure that the system functional operability is maintained comparable to the original design standards. Periodic tests at frequent intervals demonstrate this capability for the system, excluding sensors.
Overall protection system response times will be demonstrated by test. Sensors within the Westinghouse scope are demonstrated to be adequate for this design by vendor testing, in situ tests in operating plants with appropriately similar design, or by suitable type testing. The Nuclear Instrumentation System (NIS) detectors are excluded since they exhibit response-time characteristics such that delays attributable to them are negligible in the overall channel response time required for safety.
The Technical Specifications require periodic verification testing at intervals of no greater than 18 months.
Each test will include at least one logic train so that both logic trains are tested at least once per 36 months and one channel per function, so that all channels are tested at least once every N times 18 months, where N is the total number of redundant channels in a specific protective function.
The measurement of response time at the specified time intervals provides assurance that the protective and ESF actuation function associated with each channel is completed within the time limit assumed in the accident analyses.
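The rotation described in the preceding paragraphs can be checked mechanically against a test record. The following Python code is an added example, not part of the UFSAR or of any plant procedure; the function names, channel counts, train labels and the choice to measure gaps from month 0 of the record are assumptions made for illustration.

```python
from collections import defaultdict

INTERVAL = 18  # months; the text's maximum spacing between response-time tests


def staggered_plan(functions, trains, n_tests, interval=INTERVAL):
    """Round-robin plan: each test covers one logic train and one channel per function.

    functions maps a protective-function name to N, its number of redundant channels.
    """
    return [
        {
            "month": k * interval,
            "train": trains[k % len(trains)],
            "channels": {name: k % n + 1 for name, n in functions.items()},
        }
        for k in range(n_tests)
    ]


def longest_gap(test_months, horizon):
    """Longest untested stretch between record start (month 0) and the horizon."""
    points = [0] + sorted(test_months) + [horizon]
    return max(later - earlier for earlier, later in zip(points, points[1:]))


def audit(record, functions, trains, interval=INTERVAL):
    """Return (item, longest_gap, limit) for every train or channel tested too rarely."""
    horizon = max(test["month"] for test in record)
    tested = defaultdict(list)
    for test in record:
        tested[("train", test["train"])].append(test["month"])
        for name, channel in test["channels"].items():
            tested[(name, channel)].append(test["month"])

    # Limits from the text: every train within len(trains) * 18 months (36 for two
    # trains), every channel of a function within N * 18 months.
    limits = {("train", t): len(trains) * interval for t in trains}
    for name, n in functions.items():
        for channel in range(1, n + 1):
            limits[(name, channel)] = n * interval

    findings = []
    for item, limit in limits.items():
        gap = longest_gap(tested.get(item, []), horizon)
        if gap > limit:
            findings.append((item, gap, limit))
    return findings


# Constructed inputs: function names, channel counts and train labels are illustrative.
FUNCTIONS = {"function_4ch": 4, "function_3ch": 3, "function_2ch": 2}
TRAINS = ("R", "S")


def demo():
    """Audit a compliant plan, then a constructed record with one deviating test."""
    plan = staggered_plan(FUNCTIONS, TRAINS, n_tests=8)
    clean = audit(plan, FUNCTIONS, TRAINS)
    # Constructed deviation: the month-54 test repeats train R and channel 3.
    deviated = [dict(test, channels=dict(test["channels"])) for test in plan]
    deviated[3]["train"] = "R"
    deviated[3]["channels"]["function_4ch"] = 3
    return clean, audit(deviated, FUNCTIONS, TRAINS)


if __name__ == "__main__":
    clean, deviated = demo()
    print("compliant plan findings:", clean)
    for item, gap, limit in deviated:
        print(f"{item}: {gap} months untested, limit {limit}")
```

A single deviating test is enough to leave one logic train untested for 72 months and one channel untested for the whole record, which is why the audit works on the record of tests actually performed rather than on the plan.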
7.1.2.12 Conformance to 10CFR50.62. The AMSAC conforms to the requirements of 10CFR50.62, as discussed in Section 7.8.
REFERENCES
Section 7.1:
7.1-1 Gangloff, W. C., and W. D. Loftus, "An Evaluation of Solid-State Logic Reactor Protection in Anticipated Transients", WCAP-7706-L, Proprietary (February 1971) and WCAP-7706, Nonproprietary (February 1973).
7.1-2 Katz, D. N., "Solid-State Logic Protection System Description", WCAP-7488-L, Proprietary (January 1971) and WCAP-7672, Nonproprietary (May 1971).
7.1-3 Not Used
7.1-4 Siroky, R. M., and F. W. Marasco, "7300 Series Process Control System Noise Tests", WCAP-8892A, Nonproprietary (June 1977).
7.1-5 Nasrallan, C. N., "Noise, Fault, Surge, and Radio Frequency Interference Test Report: Westinghouse Eagle-21 Digital Family as Used in QDPS, PSMS, RVLIS, and ICCM", WCAP-11340 (Proprietary) and WCAP-11341 (Nonproprietary); November 1986; submitted by letter M. R. Wisenburg, HL&P to Vincent S. Noonan, NRC; dated December 5, 1986; ST-HL-AE-1824.
TABLE 7.1-1
LISTING OF APPLICABLE CRITERIA
Criteria | Title | Conformance Discussed In
: 1. General Design Criteria, Appendix A to 10CFR50 (Note: General conformance to GDCs is discussed in Section 3.1.)
GDC 1 | Quality Standards and Records | 3.1
GDC 2 | Design Bases for Protection Against Natural Phenomena | 3.1, 7.2.1.1
GDC 3 | Fire Protection | 3.1, 9.5.1
GDC 4 | Environmental and Missile Design Bases | 3.1, 3.11, 7.2.2.2
GDC 5 | Sharing of Structures, Systems, and Components | 3.1
GDC 10 | Reactor Design | 3.1, 7.2.2.2
GDC 12 | Suppression of Reactor Power Oscillations | 3.1
GDC 13 | Instrumentation and Control | 3.1, 7.3.1, 7.3.1.2, 7.3.2, 7.3.3, 7.7.2
GDC 15 | Reactor Coolant System Design | 3.1, 7.2.2.2.1
GDC 17 | Electric Power Systems | 3.1, 7.6.1.2, 8.2, 8.3
GDC 19 | Control Room | 3.1, 6.4, 7.3.2
GDC 20 | Protection System Functions | 3.1, 7.1.2.1, 7.2.2.2, 7.3.1, 7.3.2, 7.3.3
GDC 21 | Protection System Reliability and Testability | 3.1, 7.1.2.1, 7.2.2.2, 7.3.1, 7.3.1.1, 7.3.1.2, 7.3.2, 7.3.3
GDC 22 | Protection System Independence | 3.1, 7.1.2.1, 7.1.2.2, 7.2.2.2, 7.3.1.1, 7.3.1.2, 7.3.2, 7.3.3
GDC 23 | Protection System Failure Modes | 3.1, 7.2.2.2, 7.3.1.1, 7.3.1.2, 7.7.2.2
GDC 24 | Separation of Protection and Control Systems | 3.1, 7.2.2.2, 7.3.1.1, 7.3.1.2, 7.7.2.1
GDC 25 | Protection System Requirements for Reactivity Control Malfunctions | 3.1, 7.3.1.2, 7.7.2.2
GDC 26 | Reactivity Control System Redundancy and Capability | 3.1
GDC 27 | Combined Reactivity Control Systems Capability | 3.1, 7.3.1, 7.3.1.2
GDC 28 | Reactivity Limits | 3.1, 7.3.1, 7.3.1.2
GDC 29 | Protection Against Anticipated Operational Occurrences | 3.1, 7.2.2.2
GDC 33 | Reactor Coolant Makeup | 3.1
GDC 34 | Residual Heat Removal | 3.1
GDC 35 | Emergency Core Cooling | 3.1, 7.3.1.1, 7.3.1.2
GDC 37 | Testing of Emergency Core Cooling System | 3.1, 7.3.1.2
GDC 38 | Containment Heat Removal | 3.1, 7.3.1, 7.3.1.2
GDC 40 | Testing of Containment Heat Removal System | 3.1, 7.3.1.2
GDC 41 | Containment Atmosphere Cleanup | 3.1
GDC 43 | Testing of Containment Atmosphere Cleanup System | 3.1, 7.3.1.2
GDC 44 | Cooling Water | 3.1
GDC 46 | Testing of Cooling Water System | 3.1, 7.3.1.2
GDC 50 | Containment Design Basis | 3.1
GDC 54 | Piping Systems Penetrating Containment | 3.1, 6.2.4
GDC 55 | Reactor Coolant Pressure Boundary | 3.1, 6.2.4
GDC 56 | Primary Containment Isolation | 3.1, 6.2.4, 7.3.1.1
GDC 57 | Closed System Isolation Valves | 3.1, 6.2.4
: 2. Institute of Electrical and Electronics Engineers Standards:
IEEE 279-1971 (ANSI N42.7-1972) | Criteria for Protection Systems for Nuclear Power Generating Stations | 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7.2.1
IEEE 308-1974 | Criteria for Class 1E Power Systems for Nuclear Power Generating Stations | 7.1.2.1, 7.6.1.2, 7.6.2.2, 8.2
IEEE 317-1976 | Electric Penetration Assemblies in Containment Structures for Nuclear Power Generating Stations | 7.1.2.8, 8.3
IEEE 323-1974 | IEEE Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations | 3.11, 7.6.3
IEEE 334-1971 | Type Tests of Continuous-Duty Class I Motors Installed Inside the Containment of Nuclear Power Generating Stations | 3.11
IEEE 336-1971 (ANSI N45.2.4-1972) | Installation, Inspection and Testing Requirements for Instrumentation and Electric Equipment During the Construction of Nuclear Power Generating Stations | 7.1.2.10
IEEE 338-1977 | Criteria for the Periodic Testing of Nuclear Power Generating Station Protection Systems | 7.1.2.11, 7.2.2.2, 7.2.3, 7.6.2.2, 7.6.6.3, 8.3
IEEE 344-1975 (ANSI N41.7) | Seismic Qualification of Class 1E Equipment for Nuclear Generating Stations | 3.10
IEEE 379-1972 (ANSI N41.2) | Guide for the Application of the Single-Failure Criterion to Nuclear Power Generating Station Protection Systems | 7.1.2.7, 7.2.1.1
IEEE 382-1972 | Type Test of Class 1 Electric Valve Operators for Nuclear Power Generating Stations | 3.11, 7.6.3
IEEE 384-1974 (ANSI N41.14) | Criteria for Separation of Class 1E Equipment and Circuits | 7.1.2.1, 7.1.2.2, 7.3.1.1, 7.5.4
: 3. Regulatory Guides (Note: General conformance to RGs is discussed in Section 3.12.)
RG 1.6 | Independence Between Redundant Standby (Onsite) Power Sources and Between Their Distribution Systems | 3.12, 7.6.1.2, 8.3
RG 1.7 | Control of Combustible Gas Concentrations in Containment Following a Loss-of-Coolant Accident | 3.11.5, 3.12, 6.2.5
RG 1.11 | Instrument Lines Penetrating Primary Reactor Containment | 3.1, 3.12, 6.2.4, 7.3.1.1
RG 1.12 | Instrumentation For Earthquakes | 3.7.4, 3.12
RG 1.22 | Periodic Testing of Protection System Actuation Functions | 3.12, 7.1.2.5, 7.2.2.2, 7.2.3, 7.3.1.2, 7.4.2, 8.3
RG 1.29 | Seismic Design Classification | 3.2, 3.12, 6.5.1.5, 7.4.2
RG 1.30 (IEEE 336-1971) | Quality Assurance Requirements for the Installation, Inspection, and Testing of Instrumentation and Electric Equipment | 3.12, 7.1.2.10, 8.3, 17.2
RG 1.32 (IEEE 308-1974) | Criteria for Safety-Related Electric Power Systems for Nuclear Power Plants | 3.12, 7.1.2.1, 7.6.1.2, 7.6.2.2, 8.2, 8.3
RG 1.40 (IEEE 334-1971) | Qualification Tests of Continuous-Duty Motors Installed inside the Containment of Water-Cooled Nuclear Power Plants | 3.11, 3.12
RG 1.45 | Reactor Coolant Pressure Boundary Leakage Detection Systems | 3.12, 5.2.5, 11.5
RG 1.47 | Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems | 3.12, 7.1.2.6, 7.5.4, 8.3
RG 1.53 (IEEE 379-1972) | Application of the Single-Failure Criterion to Nuclear Power Plant Protection Systems | 3.12, 7.1.2.7, 7.2.1.1, 8.3
RG 1.62 | Manual Initiation of Protection Actions | 3.12, 7.2.1.1, 7.3.1.2, 8.3
RG 1.63 (IEEE 317-1972) | Electric Penetration Assemblies in Containment Structures for Water-Cooled Nuclear Power Plants | 3.12, 7.1.2.8, 8.3
RG 1.67 | Installation of Overpressure Protection Devices | 3.12, 3.9.3, 5.4.11
RG 1.68 | Initial Test Programs for Water-Cooled Nuclear Power Plants | 3.9.2, 3.12, 14.2.7
RG 1.73 (IEEE 384-1972) | Qualification Tests of Electric Valve Operators Installed Inside the Containment of Nuclear Power Plants | 3.11, 3.12, 7.6.3
RG 1.75 (IEEE 384-1974) | Physical Independence of Electric Systems | 3.12, 7.1.2.1, 7.1.2.2, 7.2.1.1, 7.2.2.2, 7.3.1.1, 7.5.4, 8.3, 9.5.1
RG 1.89 (IEEE 323-1974) | Qualification of Class 1E Equipment for Nuclear Power Plants | 3.10, 3.11, 3.12, 7.6.3
RG 1.95 | Protection of Nuclear Power Plant Control Room Operators Against an Accidental Chlorine Release | 3.12 (not applicable to STPEGS)
RG 1.97 | Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident | 3.10, 3.12
RG 1.100 (IEEE 344-1975) | Seismic Qualification of Electric Equipment for Nuclear Power Plants | 3.10, 3.12
RG 1.105 | Instrument Setpoints | 3.12
RG 1.118 | Periodic Testing of Electric Power and Protection Systems | 7.1.2.11
RG 1.120 | Fire Protection Guidelines for Nuclear Power Plants | 3.12
: 4. Branch Technical Positions (BTPs) ICSB
BTP ICSB 3 | Isolation of Low Pressure Systems from the High Pressure Reactor Coolant System | 7.6.2.2
BTP ICSB 4 | Requirements of Motor-Operated Valves In the ECCS Accumulator Lines | 7.6.3
BTP ICSB 5 | Scram Breaker Test Requirements - Technical Specifications | Technical Specifications
BTP ICSB 9 | Definition and Use of "Channel Calibration" - Technical Specifications | Technical Specifications
BTP ICSB 12 | Protection System Trip Point Changes for Operation with Reactor Coolant Pumps Out of Service | Technical Specifications
BTP ICSB 13 | Design Criteria for Auxiliary Feed-Water Systems | See AFW System FMEA, Section 10.4.9, ESFAS design is given in Section 7.3.1.
BTP ICSB 14 | Spurious Withdrawals of Single Control Rods in Pressurized Water Reactors | Conformance is demonstrated in Sections 7.7.2.2, 15.4.1, 15.4.2, and 15.4.3.
BTP ICSB 18 | Application of the Single-Failure Criterion to Manually-Controlled, Electrically-Operated Valves | 6.3.1, 6.3.2.2, 6.3.5.5, 7.6.3 and 7.6.7. See Figures 7.6-3 and 7.6-10
BTP ICSB 20 | Design of Instrumentation and Controls Provided to Accomplish Changeover from Injection to Recirculation Mode | Conformance is demonstrated in Sections 6.3 and 7.6.4.
BTP ICSB 21 | Guidance for Application of Regulatory Guide 1.47 | 7.5.4
BTP ICSB 22 | Guidance for Application of Regulatory Guide 1.22 | Conformance is demonstrated in Section 7.1.2.5.
BTP ICSB 24 Testing of Reactor Trip System and Engineered Safety Conformance is demonstrated in Section 7.1.2.11.
Feature Actuation System Sensor Response Times BTP ICSB 25 Guidance for the Interpretation of GDC 37 for Conformance is demonstrated in Section 3.1 Testing the Operability of the Emergency Core Cooling System as a Whole
STPEGS UFSAR
7.1-30 Revision 1 7  TABLE 7.1-1 (Continued)
LISTING OF APPLICABLE CRITERIA Criteria Title Conformance Discussed In BTP ICSB 26 Requirements for Reactor Protection System Conformance is demonstrated in Section 7.2.1 Anticipatory Trips BTP RSB 5-1 Design Requirements of the Residual Heat Removal System Appendix 5.4.A BTP RSB 5-2 Overpressurization Protection of Pressurized Water 7.6.6.3  Reactors While Operating at Low Temperatures
: 5. 10CFR50 Requirements for Reduction of Risk from Anticipated 7.8.3      10CFR50.62 Transients Without Scram (ATWS) Events
TABLE 7.1-2 PLANT COMPARISON*
Reactor Trip System; Differences From Comanche Peak Nuclear Station
: 1. Overtemperature ΔT and Overpower ΔT Coolant Temperature Measurements (Sections 7.2, 7.3, and 7.7)
Comanche Peak uses N-16 power monitors and in-line Tcold detectors rather than the narrow range Thot and Tcold RTDs used at STPEGS. Thus, Comanche Peak has overtemperature and overpower N-16 trips and N-16 measurements rather than overtemperature and overpower ΔT trips and ΔT measurements used on STPEGS.
: 2. Power Range Neutron Detectors (Sections 7.2.1.1.7 and 7.7)
Comanche Peak uses four-section power range neutron detectors; STPEGS uses two-section detectors.
: 3. Reactor Trip on Turbine Trip (Figure 7.2-17)
Comanche Peak uses P-7 interlock (10-percent-power); STPEGS uses P-9 interlock (50-percent-power).
: 4. Reactor Trip on Turbine Stop Valve Closure (Figure 7.2-17)
Logic is 2/4 on STPEGS and 4/4 on Comanche Peak.
: 5. Pressurizer High Water Level Trip (Figure 7.2-6)
Four channels are used on STPEGS (2/4 logic); three channels are used on Comanche Peak (2/3 logic).
: 6. Narrow Range Steam Generator Water Level Measurements (Figure 7.2-7)
Measurements are compensated for temperature effects on the reference leg fluid for STPEGS. Measurements are not compensated on Comanche Peak.
: 7. Turbine Trip on Reactor Trip (Figures 7.2-2, 7.2-14, and 7.2-17)
Comanche Peak uses a P-4 signal to trip the turbine; STPEGS uses P-16 signal (P-4 or reactor trip signal) to trip turbine.
: 8. Source Range Flux Detector Energization (Figure 7.2-3)
On Comanche Peak, each source range flux detector is energized and deenergized by logic output from a single train (the two detectors are on separate trains). On STPEGS, to deenergize each detector, outputs from both A and B actuation trains are used; to energize each detector, output from either actuation train (A or B) is used.
Engineered Safety Features Actuation Systems
: 1. Steam Generator High-High Water Level Signal (Figure 7.2-7)
Four channels are used for each SG (2/4 logic) on STPEGS; three channels are used for each SG (2/3 logic) on Comanche Peak.
: 2. Containment Spray Actuation (Figure 7.2-8)
On Comanche Peak, the spray pumps are started by the SI signal, while the Containment spray signal confirms pump start and opens system valves. On STPEGS, the SI signal does not actuate any containment spray equipment; only the containment spray signal actuates Containment Spray System equipment.
: 3. Radiation Signal Inputs to Containment Ventilation Isolation (Figure 7.3-2A and 7.2-8)
On Comanche Peak, the radiation inputs to the Containment ventilation isolation signal are the three detectors (particulate, iodine, gas) of the Containment air monitor. On STPEGS, the radiation inputs are the two Class 1E RCB purge isolation monitors (gas detectors).
: 4. Control Room HVAC ESF Actuation Signals (Figures 7.2-8 and 7.3-24)
Both plants utilize the SI signal for control room air cleanup filtration. Comanche Peak has a common control room; each control room inlet radiation monitor actuates the corresponding control room HVAC train. Also each unit's plant vent stack wide-range gas radiation monitor actuates one control room HVAC train. STPEGS has a separate control room for each unit. Each control room has redundant air inlet radiation monitors, each actuating all three trains of control room HVAC.
: 5. Fuel Handling Building Exhaust HVAC ESF Actuation Signals (Figure 7.3-27)
STPEGS uses SI signal or high radiation signal (from either of two redundant Class 1E spent fuel pool exhaust monitors) to initiate FHB exhaust filtration. On Comanche Peak, fuel building exhaust is always filtered; no actuation is required.
: 6. Turbine Trip Signal From Feedwater Isolation Signals (Figure 7.2-14)
Addition on STPEGS of manual reset capability for the turbine trip signal from the combined signal of P-16 or any of the following signals: safety injection or P-14 signal. Comanche Peak does not provide this capability.
: 7. P-4 Signal/Safety Injection or P-14 Signal Feedwater Isolation Interface (Figure 7.2-14)
Comanche Peak: After P-14 signal or SI signal is received feedwater isolation signal is sent. This signal is then sealed in through coincidence with a P-4 reactor trip.
STPEGS: The SI signal or P-14 FW isolation signal sets a retentive memory for FW isolation. Absence of a P-4 reactor trip then allows reset of the memory.
: 8. P-4 Signal/Low Tavg Signal Feedwater Isolation Interface (Figure 7.2-14)
Comanche Peak: Presence of P-4 reactor trip and low Tavg signals sets a retentive memory (with actuation block). Manual reset of this memory allows repositioning of all FW control and bypass control valves (if closed by that signal).
STPEGS: Presence of P-4 reactor trip and low Tavg signals seals in the low Tavg signal, sends a (non-resettable) closure signal to the FW control valves and sets a retentive memory (with actuation block), which can be manually reset to allow repositioning of the FW bypass control valves. (Difference is that the STPEGS FW control valves cannot be repositioned until the reactor trip signal is removed.)
: 9. Auxiliary Feedwater System Actuation (Figure 7.2-16)
Comanche Peak: Two motor-driven pumps are automatically actuated by SI signal or blackout (LOOP) signal or trip of both main feed pumps or low-low water level in any SG. One turbine-driven pump is automatically actuated by blackout (LOOP) signal or low-low water level in 2 or 4 SGs (not by SI signal).
STPEGS: Three motor-driven trains and one turbine-driven train are actuated by SI signal, AMSAC signal (discussed in Section 7.8) or low-low water level in any SG. All cross-connect valves are closed and all isolation and flow regulating valves are opened by these signals. Manual reset capability for the low-low SG water level signal is also provided. Trip of main FW pumps is not used. The LOOP signal is not used (motor-driven pumps are actuated by LOOP signal but flow is recirculated to the AFW storage tank). Turbine-driven train is actuated on low-low water level in any SG, rather than in 2/4 SGs. The QDPS, discussed in Section 7.5, is used to control AFW flow between preset low and high values, using the AFW regulating valves, after the SI, AMSAC or low-low SG water level signal (QDPS also limits flow below a preset high value at all times).
CN-3101
: 10. Containment Isolation Signal Override
Comanche Peak provides the capability for certain specific components and at the component level, for overriding a standing Containment isolation signal (Containment ventilation isolation or phase A isolation).
On STPEGS, this capability is not provided; in order to change the state of an ESFAS-actuated component, the actuating signal must first be reset. However, for the MOVs listed below, if the handswitch is held in the open position while the Containment Isolations ESFAS signal is present, the valve will open only after it has gone fully closed first. When the handswitch is released, the valve will continue to open until it is fully open and then, if the isolation signal is still present, the valve will close again.
Also for the air operated isolation valves listed below, if the handswitch is held in the open position while the Containment Isolation signal is present, the valve will open. When the handswitch is released and the Containment Isolation signal is still present, the valve will close. Therefore, the ESFAS signal to an individual component can be temporarily interrupted by holding the handswitch in the position opposite to that directed by the ESFAS signal. The component, then being in a status contrary to that commanded by the Containment Isolation ESFAS signal, is annunciated by the ESF Status Monitoring System. When the handswitch is released, the component reverts to the ESFAS-actuated state.
MOVs: CVMOV-0023, CVMOV-0024, CVMOV-0077, CVMOV-0079, CVMOV-0033A, CVMOV-0033B, CVMOV-0033C, CVMOV-0033D, CVMOV-0025
AOVs: SIFV-3971, SIFV-3970, SIFV-3983, EDFV-7800
Systems Required for Safe Shutdown
: 1. Systems Required for Hot Standby (Section 7.4.1)
STPEGS has added RCS wide-range temperature (Thot and Tcold) and auxiliary feedwater flow (to each SG) monitoring. Letdown stop valves are used to isolate letdown on STPEGS. Comanche Peak relies on the letdown orifice valves.
: 2. Systems Required for Cold (Appendix 5.4.A)
Both Comanche Peak and STPEGS identify Hot Standby as the safe shutdown design basis. Comanche Peak uses air-operated atmospheric steam relief valves for cooldown to RHR cut-in conditions. STPEGS uses safety-related, electro-hydraulically operated SG PORVs. Comanche Peak accomplishes RCS depressurization by use of the pressurizer pressure control system. STPEGS provides safety-related, solenoid-operated pressurizer PORVs for RCS depressurization.
: 3. Shutdown from Outside the Control Room (Section 7.4.1.9)
3A. Similar controls and instrumentation are provided for Comanche Peak and for STPEGS at the auxiliary shutdown panel. STPEGS provides additional instrumentation through the QDPS.
3B. Comanche Peak transfers one train of shutdown equipment from the control room to alternate shutdown locations; STPEGS transfers three trains of shutdown equipment.
Safety-Related Display Instrumentation
: 1. Post Accident Monitoring Instrumentation (Section 7.5.1 and Appendix 7B)
Minor differences exist in the specific instruments identified to address certain RG 1.97 variables as well as in some of the type and category classifications, based on plant-specific considerations.
: 2. Qualified Display Processing System (QDPS) (Section 7.5.6)
STPEGS has provided a safety-related display processing system which provides redundant data acquisition and display, via plasma displays, in the control room and at the auxiliary shutdown panel. The majority of the post-accident monitoring instrumentation is displayed via the QDPS. Comanche Peak post-accident monitoring instrumentation is displayed predominantly by meters driven by various signal processing systems.
: 3. ESF Status Monitoring System (Section 7.5.4)
Comanche Peak provides system-level lights for bypassed and inoperable status indication. STPEGS provides both system-level and component-level lights for bypassed and inoperable status indication. STPEGS adds component and system-level monitoring for post-safety-signal indication of status to the operator. Actual systems and components monitored are plant-specific.
All Other Systems Required For Safety
: 1. Switchover from Injection to Recirculation (Section 7.6.4)
1A. Comanche Peak uses 4 RWST transmitters and a 2/4 coincidence logic to initiate the automatic switchover after an accident which generates an SI signal. STPEGS uses 3 level transmitters; each transmitter interfaces with one train of pumps (1/1 logic) to initiate the automatic switchover to recirculation (coincident SI signal required).
1B. On Comanche Peak, only the RHR pump suctions are automatically switched from the RWST to the Containment sumps. Manual actions are necessary to transfer the pump suctions for the safety injection, centrifugal charging, and containment spray pumps from the RWST. On STPEGS, because of the ECCS/CSS pump suction design, all pumps are automatically switched to sump suction on RWST low-low level (coincident SI signal required). Only manual closure of the RWST outlet valves is needed thereafter, to back up the check valves also provided.
: 2. Containment Hydrogen Monitoring System (Section 7.6.5)
2A. Comanche Peak uses 2 analyzers to monitor Containment hydrogen concentrations in both units. Four sample points are monitored in each Containment, with 2 points monitored by one analyzer and 2 points monitored by the other analyzer. STPEGS analyzers are completely separate between the units. Each unit has 2 separate analyzers, with each analyzer capable of monitoring 4 sample points (manually selected).
2B. Comanche Peak uses a microprocessor-based system with sensors inside Containment determining hydrogen concentration based on hydrogen partial pressure. Sensors inside Containment provide output signal to microprocessors outside Containment (no isolation valves needed). STPEGS uses analyzers outside Containment, with the Containment atmosphere sample provided through isolation valving to the analyzers and returned again through isolation valves to the Containment. Analysis is based on thermal conductivity of the sample.
: 3. Interlocks for RCS Pressure Control during Low Temperature Operation (Section 7.6.6.3)
Comanche Peak uses an automatic low temperature arming of the cold overpressure protection logic. STPEGS uses a manual arming of the protection logic.
: 4. RHR Pump Low Flow Interlock (Section 7.6.6.4)
For pump protection against loss of suction, STPEGS provides an interlock to stop the RHR pump on low discharge flow. Comanche Peak does not provide this interlock.
: 5. CVCS Seal Injection Isolation Valves Charging Header Pressure Interlock (Section 7.6.67)
STPEGS uses charging header low pressure coincident with the Phase A Containment isolation signal to close the seal injection isolation valves if the charging pumps are always operating after an SI signal. Because of differences in the ECCS design, the Comanche Peak charging pumps are always operating after an SI signal. Since seal injection is highly desirable after an incident, the seal injection valves are not automatically closed; they may be closed by operator action.
: 6. Letdown Valves Pressurizer Low Level Interlock (Section 7.6.6.8 and Figures 7.2-12a and 7.2-12b)
The functional intent on both plants is the same, i.e., when the pressurizer water level is low, close the letdown stop valves and the letdown orifice isolation valves. On STPEGS, additional logic is added to close the stop valves after the orifice isolation valves, to prevent flashing in the regenerative heat exchanger.
: 7. Reactor Coolant Purity Control Interlock (Section 7.6.6.9)
Comanche Peak does not have a similar system which needs isolation by means of this interlock. On STPEGS the system is provided and thus the interlock is required.
: 8. Hot Leg Recirculation Motor-Operated Valves (Section 7.6.7)
On both plants, valves have been identified which require power lockout to meet Branch Technical Position ICSB 18. While the valves needing power lockout are not the same on both plants, the approach used is the same.
Control Systems Not Required For Safety; Differences From Comanche Peak Nuclear Station
: 1. Generator Trip, Turbine Trip, Turbine runback, Condenser Available Logics (Section 7.7, Figures 7.2-17, 7.2-11)
Various differences exist between Comanche Peak and STPEGS on signals used for generator trip and turbine trip. These signals are generally plant specific and include utility preferences. At STPEGS, the turbine runback function has been disabled.
: 2. Movable Neutron Flux Detector System (Section 7.7.1.9)
Comanche Peak System uses isolation valves; STPEGS uses magnetic ball valves to isolate leaks. System layout differs between the two plants.
TABLE 7.1-3 IDENTIFICATION OF DESIGNER AND SAFETY-RELATED STATUS FOR INSTRUMENTATION AND CONTROL SYSTEM
Instrumentation and Control System*; Safety-Related Status (Yes, No); Designer (Westinghouse, Bechtel); in Section No.
: 1. Reactor Trip System X X 7.2
: 2. ESF Actuation System (NSSS) X X 7.3.1
Inputs for Containment Ventilation Isolation X X 7.3.1
: 3. Control Room Envelope HVAC ESF Actuation System X X 7.3.2
: 4. Fuel Handling Building HVAC ESF Actuation System X X 7.3.3
: 5. Systems Required for Safe Shutdown X X X 7.4
: 6. Safety-Related Display Information See Section 7.5 X X 7.5
Display System (QDPS) X X 7.5
(ERFDADS) X X
ESF Status Monitoring System X X 7.5.4
: 7. Other Instrumentation Systems Required for Safety X X 7.6
I&C Power Supply System X X 7.6.1
Containment Hydrogen Monitoring System X X 7.6.5
: 8. Control Systems Not required for Safety X X 7.7
: 9. ATWS Mitigation System Actuation Circuitry (AMSAC) X X 7.8
*Major responsibility is listed for each item; any differences in responsibility or safety-related status as indicated below the major item. For greater detail, see the referenced Section.
STPEGS UFSAR 7.2-1 Revision 14
==7.2 REACTOR TRIP SYSTEM==
====7.2.1 Description====
7.2.1.1 System Description: The Reactor Trip System (RTS) automatically prevents operation of the reactor in an unsafe condition by shutting down the reactor whenever the limits of safe operation are approached. The safe operating region is defined by several considerations, such as mechanical/hydraulic limitations on equipment and heat transfer phenomena. Therefore, the RTS keeps surveillance on process variables which are directly related to equipment mechanical limitations, such as pressure and pressurizer water level (to prevent water discharge through safety valves and uncovering heaters), and also on variables which directly affect the heat transfer capability of the reactor (e.g., flow and reactor coolant temperatures). Still other parameters utilized in the RTS are calculated from various process variables. In any event, whenever a direct process or calculated variable exceeds a setpoint, the reactor is shut down in order to protect against either gross damage to fuel cladding or loss of system integrity which could lead to release of radioactive fission products.
The following systems make up the RTS:
: 1. Process Instrumentation and Control System (Ref. 7.2-1)
: 2. Nuclear Instrumentation System (Ref. 7.2-2)
: 3. Solid-State Protection System (Ref. 7.2-3)
: 4. Reactor trip switchgear
: 5. Manual reactor trip actuation circuit
The RTS consists of sensors which, when connected with analog circuitry (consisting of two to four redundant channels), monitor various plant parameters, and of digital circuitry (consisting of two redundant logic trains) which receives inputs from the analog protection channels to complete the logic necessary to automatically open the reactor trip breakers.
Each of the two logic trains, R and S, is capable of opening a separate and independent reactor trip breaker, RTR or RTS (Figure 7.2-2), respectively. The two trip breakers in series connect three-phase ac power from the rod drive motor generator sets to the rod drive power cabinets, as shown on Figure 7.2-2. During plant operation, a dc undervoltage coil on each reactor trip breaker holds a trip plunger out against its spring, allowing ac power to be available at the rod control power supply cabinets. For reactor trip, a loss of dc voltage to the undervoltage coil, as well as energization of the shunt trip coil, trips open the breaker. When either of the trip breakers opens, by gravity, into the core. The rods cannot be withdrawn until the trip breakers are manually reset. The trip breakers cannot be reset until the abnormal condition which initiated the trip is corrected. Bypass breakers BYR and BYS are provided to permit testing of the trip breakers, as discussed in Section 7.2.2.2.3.10.
7.2.1.1.1 Equipment Description: Two logic trains, three actuation trains, three Safeguards Test Cabinets, a control board demultiplexer, and a computer demultiplexer constitute the Solid-State Protection System (SSPS), as shown on Figure 7.1-2 and as discussed in Sections 7.2 and 7.3.
: 1. Redundant Logic Trains
Two identical logic trains, R and S, are provided to comply with Institute of Electrical and Electronic Engineers (IEEE) 279-1971 criteria. Each logic train consists of an input cabinet and a logic cabinet preassembled on a common base.
: 2. Input Cabinet
To comply with IEEE 279-1971 redundant channel separation requirements, physical separation of the four basic protection channel sets is maintained by separate compartments within the input cabinet. Isolation of the logic from the input signals is maintained by virtue of the separation between the input relay operating coils and their contacts. Miniature relays in each of the compartments accept input signals from nuclear instrumentation and process bistables and field contacts. Contacts of the input relays supply signals to logic circuits in the logic cabinet. Wireways running from top to bottom in the input cabinet for each protection channel set allow either top or bottom cable entry. The wireway for a particular protection channel set opens only into its own compartment.
: 3. Logic Cabinet
Printed circuit cards in the logic cabinet are used to implement the protection and ESF actuation logic, transmit information to the control board and computer, and provide semiautomatic testing. The number of different card types is minimized to reduce spare part inventories. The basic card is the universal logic containing three circuits that can be connected to produce the various logic combinations, such as two out of four, one out of two, etc. Design is such that the number of components in series from input to output is kept to a minimum. Auctioneered 48 vdc and 15 vdc power supplies fed from separate 120 vac vital instrument buses supply power to the printed circuit cards. A semiautomatic test panel is provided for testing the logic through to the reactor trip breaker undervoltage coil or the ESF actuation master relay coil. Cable entrance openings are provided at the top and bottom of the logic cabinet.
: 4. Redundant Actuation Trains
Emergency Core Cooling System (ECCS) requirements call for three trains of safety injection (SI) equipment to ensure that, in the event of a single failure, at least two out of three standby diesel generators (DGs), SI pumps, and valves will operate to protect the core. Three actuation trains, A, B, and C, each driven from both logic trains R and S, are provided for this purpose. Each actuation train consists of a master cabinet and two output cabinets preassembled on a common base.
: 5. Master Cabinet
Three separate compartments, two containing about 20 master relays each, operated by logic trains R and S, and one test compartment for on-line testing of master relay operation, constitute each master cabinet. The master relays are actuated by the solid-state logic and are similar to the miniature input relays. Two separate wireways, each opening into only one master relay compartment and running from top to bottom of the cabinet, maintain separation between master relay input wiring and allow for top or bottom cable entry.
: 6. Output Cabinets
Slave relays are provided for ESF actuation and reactor protection and control functions in the two output cabinets of each actuation train. Slave relays are driven from master relay contacts and are used for contact multiplication. A slave relay test panel in the master cabinet test compartment actuates the master relays and checks the slave relay coil through the master relay contact by applying 15 vdc rather than 120 vac without actually operating the slaves. Cable entrance openings are provided at the top and bottom of the output cabinets.
: 7. Safeguards Test Cabinets
Each of the three redundant actuation trains includes two safeguards test cabinets preassembled on a common base. The cabinets contain the relays, switches, pushbuttons, and indicating lights necessary for checking the ESF actuation devices. The actuation circuit testing system facilitates routine testing of the complete ESF actuation train, including the final device, while the plant is in operation. These tests verify that the ESF systems will be available in the unlikely event of an accident.
7.2.1.1.2 Functional Performance Requirements: The RTS automatically initiates reactor trip:
: 1. Whenever necessary to prevent fuel damage for an anticipated operational transient (American Nuclear Society [ANS] Condition II).
: 2. To limit core damage for infrequent faults (ANS Condition III).
: 3. So that the energy generated in the core is compatible with the design provisions to protect the reactor coolant pressure boundary for limiting fault conditions (ANS Condition IV).
The RTS initiates a turbine trip signal whenever reactor trip is initiated to prevent the reactivity insertion that would otherwise result from excessive reactor system cooldown in order to avoid unnecessary actuation of the Engineered Safety Features Actuation System (ESFAS).
The RTS provides for manual initiation of reactor trip by operator action.
7.2.1.1.3 Reactor Trips: The various reactor trip circuits automatically open the reactor trip breakers whenever a condition monitored by the RTS reaches a preset level. To ensure a reliable system, high-quality design, components, manufacturing, quality control, and testing are used. In addition to redundant channels and trains, the design approach provides an RTS which monitors numerous system variables, therefore providing RTS functional diversity. The extent of this diversity has been evaluated for a wide variety of postulated accidents (Section 7.1.2.1.8).
A list of reactor trips, respective coincidence logics, and interlocks is given in Table 7.2-1. The reactor trips are described as follows:
: 1. Nuclear Overpower and Rate Trips (logics on Figure 7.2-3)
: a. Power-range high neutron flux trip The power-range high neutron flux trip circuit trips the reactor when two of the four power-range channels exceed the trip setpoint.
STPEGS UFSAR  7.2-4 Revision 14There are two bistables, each with its own trip setting used for a high-and low-range trip setting. The high trip setting provides protection during normal power
operation and is always active. The low trip setting, which provides protection during startup, can be manually bypassed when two out of the four power-range channels read above approximately 10 percent power (P-10).Three of the four channels below 10 percent automatically reinstate the trip function. Refer to Table
7.2-2 for a list of all RTS interlocks. b. Intermediate-range high neutron flux trip The intermediate-range high neutron flux trip circuit trips the reactor when one out of the two intermediate-range channels exceeds the trip setpoint. This trip, which provides protection during reactor startup, can be manually blocked if two out of four power-range channels are above approximately 10 percent power (P-10).
Three of the four power-range channels below this value automatically reinstate the intermediate-range high neutron flux trip. the intermediate-range channels (including detectors) are separate from the power-range channels. The intermediate-range channels can be individually bypassed at the nuclear instrumentation racks to permit channel testing during plant shutdown or prior to
startup. This bypass action is annunciated on the control board. c. Source-range high neutron flux trip The source-range high neutron flux trip circuit trips the reactor when one of the two source-range channels exceeds the trip setpoint. This trip, which provides protection during reactor startup and plant shutdown, can be manually bypassed when one of the two intermediate-range channels reads above the P-6 setpoint value and is automatically reinstated when both intermediate-range channels decrease below the P-6 setpoint value. This trip is also automatically bypassed by two-out-of-four logic from the power-range protection interlock (P-10). This trip function can also be reinstated below P-10 by an administrative action requiring manual actuation of two control-board-mounted switches. Each switch reinstates the trip function in one of the two protection logic trains. The source-range trip point is set between the P-6 setpoint (source-range cutoff power level) and the maximum source-range power level. The channels can be individually bypassed at the nuclear instrumentation racks to permit channel testing during plant shutdown
or prior to startup. This bypass action is annunciated on the control board.

d. Power-range high positive neutron flux rate trip

This circuit trips the reactor when a sudden abnormal increase in neutron flux occurs in two of four power-range channels. This trip provides protection against rapid positive reactivity insertion accidents, such as Uncontrolled RCCA Bank Withdrawal at Power and Rod Ejection, and is always active.

2. Core Thermal Overpower Trips (Figure 7.2-5)

a. Overtemperature ΔT trip

This trip protects the core against a low departure from nucleate boiling ratio (DNBR) and trips the reactor on coincidence, as listed in Table 7.2-1, with one set of temperature measurements per loop. The measured ΔT is continuously monitored by analog circuitry for each loop to ensure the following relation. The channel is tripped if the relation is not true:

$$\Delta T \, \frac{(1+\tau_1 s)}{(1+\tau_2 s)} \, \frac{1}{(1+\tau_3 s)} \le \Delta T_o \left\{ K_1 - K_2 \, \frac{(1+\tau_4 s)}{(1+\tau_5 s)} \left[ T \, \frac{1}{(1+\tau_6 s)} - T' \right] + K_3 (P - P') - f_1() \right\}$$

where:

* $\Delta T$ = Measured ΔT by RCS instrumentation
* $\Delta T_o$ = Indicated ΔT at rated thermal power
* $T$ = Average temperature, °F
* $T'$ = Nominal $T_{avg}$ at rated thermal power, °F
* $T_{avg}$ = Average reactor coolant temperature, °F
* $P$ = Pressurizer pressure, psig
* $P'$ = Nominal RCS operating pressure, psig
* $K_1$ = Preset bias
* $\tau_3$ = Time constant utilized in the lag compensator for ΔT, sec
* $\tau_6$ = Time constant utilized in the measured $T_{avg}$ lag compensator, sec
* $\tau_1, \tau_2$ = Time constants utilized in the lead-lag compensator for ΔT, sec
* $K_2$ = Preset gain which compensates for effects of temperature on the DNB limits
* $K_3$ = Preset gain which compensates for the effect of pressure on the DNB limits
* $\tau_4, \tau_5$ = Time constants utilized in the lead-lag compensator for $T_{avg}$, sec
* $s$ = Laplace transform operator, sec⁻¹
* $f_1()$ = A function of the indicated difference between top and bottom detector of the power range neutron ion chambers (Figure 7.2-18)

A separate long ion chamber unit with upper and lower ion chambers supplies the flux signal for each overtemperature ΔT trip channel.

Increases in  beyond a predefined deadband result in a decrease in trip setpoint, as shown on Figure 7.2-18. A tolerance of +5% on the lead/lag time constants is acceptable. (Ref. 7.2-6)

b. Overpower ΔT trip

This trip protects against excessive power (fuel rod rating protection) and trips the reactor on coincidence, as listed in Table 7.2-1, with one set of temperature measurements per loop. The measured ΔT is continuously monitored by analog circuitry for each loop to assure the following relation remains true. The channel is tripped if the relation is not true:

$$\Delta T \, \frac{(1+\tau_1 s)}{(1+\tau_2 s)} \, \frac{1}{(1+\tau_3 s)} \le \Delta T_o \left\{ K_4 - K_5 \, \frac{(\tau_7 s)}{(1+\tau_7 s)} \, \frac{1}{(1+\tau_6 s)} \, T - K_6 \left[ T \, \frac{1}{(1+\tau_6 s)} - T'' \right] - f_2() \right\}$$

where:

* $\Delta T$ = Measured ΔT by RCS instrumentation
* $\Delta T_o$ = Indicated ΔT at rated thermal power
* $T$ = Average temperature, °F
* $f_2()$ = Function of the indicated difference between top and bottom detector of the power range neutron ion chambers; 0 for all
* $K_4$ = Preset bias
* $K_5$ = Constant which compensates for instrument time delay
* $K_6$ = Constant which compensates for the change in density flow and heat capacity of the water with temperature
* $T''$ = Indicated $T_{avg}$ at rated thermal power, °F (calibration temperature for ΔT instrumentation)
* $T_{avg}$ = Average reactor coolant temperature, °F
* $\tau_7$ = Time constant utilized in the rate-lag compensator for $T_{avg}$, sec
* $s$ = Laplace transform operator, sec⁻¹
* $\tau_1, \tau_2$ = Time constants utilized in the lead-lag compensator for ΔT, sec
* $\tau_3$ = Time constant utilized in the lag compensator for ΔT, sec
* $\tau_6$ = Time constant utilized in the measured $T_{avg}$ lag compensator, sec

The source of temperature and flux information is identical to that of the overtemperature ΔT trip, and the resultant ΔT setpoint is compared to the same ΔT. A tolerance of +5% on the lead/lag time constants is acceptable. (Ref. 7.2-6)

3. Reactor Coolant System Pressurizer Pressure and Water Level Trips (Figure 7.2-6)

a. Pressurizer low-pressure trip

The purpose of this trip is to protect against low pressure which could lead to departure from nucleate boiling (DNB). The parameter being sensed is reactor coolant pressure as measured in the pressurizer. Above P-7, the reactor is tripped when the pressurizer pressure measurements (compensated for rate of change) fall below preset limits. This trip is blocked below P-7 to permit startup. The trip logic and interlocks are given in Table 7.2-1.

b. Pressurizer high-pressure trip

The purpose of this trip is to protect the Reactor Coolant System (RCS) against system overpressure. The same sensors and transmitters used for the pressurizer low-pressure trip are used for the high-pressure trip except that separate bistables are used. These bistables trip when uncompensated pressurizer pressure signals exceed preset limits. The coincidence used is listed in Table 7.2-1. There are no interlocks or permissives associated with this trip function.

c. Pressurizer high water level trip

This trip is provided as a backup to the high pressurizer pressure trip and serves to prevent water relief through the pressurizer safety valves. This trip is blocked below P-7 to permit startup. The coincidence logic and interlocks of pressurizer high water level signals are given in Table 7.2-1.
4. Reactor Coolant System Low Flow Trips

These trips protect the core from DNB in the event of a loss-of-coolant flow situation. Figure 7.2-5 shows the logic for these trips. The low-flow trip sensors, i.e., the reactor coolant low-flow sensors, meet IEEE 279-1971, as documented in Chapter 7, and meet seismic design criteria, as documented in Section 3.10. The RTS design provides for capability for sensor checks in accordance with Section 4.9 of IEEE 279-1971. The means of sensing the loss-of-coolant flow are as follows:

a. Low reactor coolant flow

The parameter sensed is reactor coolant flow. Three redundant differential pressure sensors measure the differential pressure across elbow taps on each reactor coolant loop. An output signal from two of three bistables in any coolant loop indicates a low flow in that loop. The coincidence logic and interlocks are given in Table 7.2-1.

b. Reactor coolant pump (RCP) undervoltage

This trip is required to protect against low flow that can result from loss of voltage to more than one RCP motor; e.g., from loss of offsite power (LOOP) or RCP breakers opening. For each pump, there is an undervoltage sensing relay in the Class 1E cubicles located between the RCP breakers and the motors. These relays provide an output signal when the voltage goes below approximately 70 percent of rated voltage. Signals from these relays are time-delayed to prevent spurious trips caused by short-term voltage perturbations. The coincidence logic and interlocks are given in Table 7.2-1.

c. RCP underfrequency

This trip is required to protect against low flow resulting from bus underfrequency; e.g., a major power grid frequency disturbance. Its function is to trip the reactor for an underfrequency condition. The setpoint of the underfrequency relays is adjustable between 54 and 60 Hz. For each pump, there is an underfrequency sensing relay in the Class 1E cubicles located between the RCP breakers and the motors. Signals from any two relays (time-delayed to prevent spurious trips caused by short-term frequency perturbations) trip the reactor if the power level is above P-7. The coincidence logic and interlocks are given in Table 7.2-1.

5. Steam Generator Low-Low Water Level Trip

The low-low steam generator (SG) water level trip protects the reactor from loss of the heat sink. This trip is actuated on two of four low-low water level signals occurring in any SG.
The logic is shown on Figure 7.2-7. The input signals for this trip are continuously compensated for the effect of temperature changes in the reference leg fluid. Two strap-on resistance temperature detectors (RTDs) are installed on each narrow range reference leg. These RTDs provide reference leg temperature signals to the compensation system algorithm. The reference leg temperature inputs are used to calculate the change in density of the reference leg fluid, which in turn is used to determine the SG narrow range level error. The calculated level error is then combined with the uncompensated level signal, resulting in a compensated level signal that is input to the low-low water level trip logic. The compensated level signal is calculated using the following equation:

$$L_C = L_{UC} - L_{ERR}$$

where:

* $L_C$ = compensated level signal
* $L_{UC}$ = uncompensated level output signal
* $L_{ERR}$ = level errors due to reference leg temperature changes

then:

$$L_{ERR} = \frac{H_L}{H} \cdot \frac{(\rho_{1c} - \rho_1)}{(\rho_{fc} - \rho_{gc})}$$

where:

* $\rho_1$ = water density in reference (lbm/ft³)
* $\rho_{1c}$ = water density at temperature and pressure for which level indication system was calibrated (lbm/ft³)
* $\rho_{fc}$ = saturated water density at the pressure for which level indication system was calibrated (lbm/ft³)
* $\rho_{gc}$ = dry saturated steam at the pressure for which level indication system was calibrated (lbm/ft³)
* $H_L$ = vertical distance from lower tap to water level in condensing pot (ft)
* $H$ = vertical distance between upper and lower taps (ft)

6. Reactor Trip on a Turbine Trip (Anticipatory)
The reactor trip on a turbine trip is actuated by two-of-three logic from emergency trip fluid pressure signals or by two-of-four closed signals from the turbine steam stop valves. A turbine trip causes a reactor trip above P-9. The reactor trip on turbine trip provides additional protection and conservatism beyond that required for the health and safety of the public. This trip is included as part of good engineering practice and prudent design. No credit for this trip is taken in any of the safety analyses (Section 15.0.6).

The turbine provides anticipatory trips to the RTS from contacts which change position when the turbine stop valves close or when the turbine emergency trip fluid pressure goes below its setpoint. One of the design bases considered in the RTS is the possibility of an earthquake. With respect to these contacts, their functioning is unrelated to a seismic event in that they are anticipatory to other diverse parameters which cause reactor trip. This design functions in a deenergize-to-trip fashion to cause a plant trip if power is interrupted in the trip circuitry.

Seismic design considerations do not form part of the design bases for anticipatory trip sensors. (The RTS cabinets which receive the inputs from the anticipatory trip sensors are seismically qualified as discussed in Section 3.10.) The anticipatory trips thus meet IEEE 279-1971, including redundancy, separation, single failure, etc. Seismic qualification of the contacts sensors is not required. While the turbine trip pressure switches and valve limit switches are not installed in a seismically designed building, they are purchased as Class 1E qualified equipment. These switches are installed using mountings comparable to those which would be required for a true seismic installation. Cables are routed in conduit and separated in accordance with RG 1.75. The logic for this trip is shown on Figure 7.2-17.
7. Safety Injection Actuation Trip

A reactor trip occurs when an SI signal is actuated. The means of actuating SI is described in Section 7.3. This trip protects the core against postulated accidents as described in Chapter 15, including, for example, a loss-of-coolant accident (LOCA) or steam line break accident. The logic for this trip is shown on Figure 7.2-8.

8. Manual Trip

The manual trip consists of two switches with two outputs on each switch. One output actuates the train R trip breaker and the other actuates the train S trip breaker. Operation of either switch deenergizes the undervoltage coils in both breakers through both logic trains. At the same time the breaker shunt trip coils in both breakers are energized. Figure 7.2-19 shows the switch arrangement and Figure 7.2-3 shows the manual trip logic. There are no interlocks which can block this trip.

This design is based on Regulatory Guide (RG) 1.62 and the single failure criteria of IEEE-279 and IEEE-379. It provides that either switch initiates the required action at the system level (both trains). Failure of one switch does not prevent system actuation to open both reactor trip breakers. In order to maintain separation between wiring associated with different trains, redundant safety train wiring is generally not terminated on single devices. In devices where connection of redundant trains is unavoidable, barriers are used to separate wiring. Backup manual actuation switches link the separate trains mechanically to provide greater reliability of operator action for the manual reactor trip (as well as Engineered Safety Features [ESF] actuations). The linked switches are themselves redundant so that operation of either set of linked switches actuates trains R and S simultaneously.

7.2.1.1.4 Reactor Trip System Interlocks:

1. Power Escalation Permissives

The overpower protection provided by the out-of-core nuclear instrumentation consists of three discrete but overlapping ranges. Continuation of startup operation or power increase requires a permissive signal from the higher range instrumentation channels before the lower range trips can be manually blocked by the operator.

A one-of-two intermediate-range permissive signal (P-6) is required prior to source-range trip blocking and detector high-voltage cutoff. Source-range trips are automatically reactivated and high voltage restored when both intermediate-range channels are below the permissive (P-6) setpoint. There are two manual reset switches for administratively reactivating the source-range trip and detector high voltage when between the permissive P-6 and P-10 setpoints, if required. Source-range trip block and high-voltage cutoff are always maintained when above the permissive P-10 setpoint.

The intermediate-range trip and power-range (low setpoint) trip can be blocked only after satisfactory operation and permissive information are obtained from two of four power-range channels.
Four individual blocking switches are provided so that the low power-range trip and intermediate-range trip can be independently blocked (one switch for each train). These trips are automatically reactivated when any three of the four power-range channels are below the permissive (P-10) setpoint, thus ensuring automatic activation to more restrictive trip protection.

The development of permissives P-6 and P-10 is shown on Figure 7.2-4. The power escalation permissives are digital and are derived from analog signals in the nuclear power-range and intermediate-range channels. See Table 7.2-2 for the list of RTS interlocks.

2. Blocks of Reactor Trips at Low Power

The absence of interlock P-7 blocks a reactor trip on a low reactor coolant flow in more than one loop, RCP undervoltage, RCP underfrequency, pressurizer low pressure, or pressurizer high water level. The absence of interlock P-7 indicates that the reactor is at low power (below approximately 10 percent of full power). See Figures 7.2-5 and 7.2-6 for permissive applications. Presence of interlock P-7 is derived from either two of four power-range neutron flux signals above the setpoint (P-10) or one of two turbine impulse chamber pressure signals above the setpoint (P-13). The absence of P-7, or therefore a low-power signal, is present when three of four power-range neutron flux signals are below the setpoint in coincidence with two-of-two turbine impulse chamber pressure signals below the setpoint (low plant load). See Figures 7.2-4 and 7.2-17 for the derivation of P-7.

The absence of the P-8 interlock blocks a reactor trip on a low reactor coolant flow in any one loop. The P-8 signal is derived from two of four neutron flux power-range signals above the setpoint; its absence indicates that the plant is below approximately 40 percent of full power. The block action (absence of the P-8 interlock signal) occurs when three of four neutron flux power-range signals are below the setpoint. Thus, below the P-8 setpoint, the reactor is allowed to operate with one inactive loop, and trip does not occur until two loops are indicating low flow. See Figure 7.2-4 for derivation of P-8 and Figure 7.2-5 for applicable logic.

The absence of the P-9 interlock blocks a reactor trip on a turbine trip signal. The P-9 signal is derived from two of four neutron flux power-range signals above the setpoint; its absence indicates that the plant is below approximately 50 percent of full power. The block action (absence of the P-9 interlock signal) occurs when three of four neutron flux power-range signals are below the setpoint. See Figure 7.2-4 for derivation of P-9 and Figure 7.2-17 for the turbine trip reactor trip logic. See Table 7.2-2 for the list of RTS blocks.
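The permissive derivations and trip blocks of 7.2.1.1.4, combined with the low-flow and turbine-trip coincidences of 7.2.1.1.3, are worked through below as an added Python example. It is illustrative code written for this page, not plant or vendor software; the function names, the four-loop sample data and the percent values (the text's approximate P-10, P-8 and P-9 levels, not actual setpoints) are assumptions.

```python
"""Added illustration of the RTS permissive logic (not plant software)."""
from dataclasses import dataclass
from itertools import product

# Approximate power levels quoted in the text; real setpoints are in
# Table 7.2-2 and the Technical Specifications and are not reproduced here.
P10_PCT, P8_PCT, P9_PCT = 10.0, 40.0, 50.0


def at_least(k, bistables):
    """Coincidence gate: True when k or more inputs are True."""
    return sum(bool(b) for b in bistables) >= k


@dataclass(frozen=True)
class Permissives:
    p7: bool   # present: low-power trip blocks removed
    p8: bool   # present: single-loop low flow trips the reactor
    p9: bool   # present: turbine trip causes reactor trip
    p10: bool  # present: two of four power-range channels above ~10 %


def derive_permissives(power_range_pct, p13_bistables):
    """power_range_pct: four power-range readings in percent of full power.
    p13_bistables: two turbine impulse pressure bistables (True = above)."""
    if len(power_range_pct) != 4 or len(p13_bistables) != 2:
        raise ValueError("expected 4 power-range channels and 2 P-13 bistables")

    def two_of_four_above(setpoint):
        return at_least(2, [r > setpoint for r in power_range_pct])

    p10 = two_of_four_above(P10_PCT)
    p13 = at_least(1, p13_bistables)          # one of two
    return Permissives(p7=p10 or p13,         # P-7 = P-10 OR P-13
                       p8=two_of_four_above(P8_PCT),
                       p9=two_of_four_above(P9_PCT),
                       p10=p10)


def reset_is_complement_of_set():
    """'Two of four above' and 'three of four below' are exact complements,
    so a permissive is always either present or absent, never undefined."""
    return all(
        at_least(2, s) == (not at_least(3, [not x for x in s]))
        for s in product([False, True], repeat=4)
    )


def count_low_flow_loops(loops):
    """loops: one list of three low-flow bistables per loop (2 of 3 votes)."""
    for bistables in loops:
        if len(bistables) != 3:
            raise ValueError("each loop has three low-flow bistables")
    return sum(at_least(2, b) for b in loops)


def low_flow_trip(perm, loops):
    """Above P-8 one low loop trips; between P-7 and P-8 two are needed;
    below P-7 the trip is blocked."""
    n = count_low_flow_loops(loops)
    return (perm.p8 and n >= 1) or (perm.p7 and n >= 2)


def reactor_trip_on_turbine_trip(perm, trip_fluid_low, stop_valves_closed):
    """Two of three trip-fluid pressure signals or two of four stop-valve
    closed signals, passed on to the reactor trip only when P-9 is present."""
    turbine_trip = at_least(2, trip_fluid_low) or at_least(2, stop_valves_closed)
    return perm.p9 and turbine_trip


if __name__ == "__main__":
    # Constructed sample: 30 % power, one loop voting low flow (no trip).
    perm = derive_permissives([30, 31, 29, 30], [True, True])
    one_low = [[True, True, False]] + [[False] * 3] * 3
    print(perm, low_flow_trip(perm, one_low))
```

A single failed-high power-range channel never sets a permissive on its own, because every power-range permissive needs two channels in agreement.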
7.2.1.1.5 Coolant Temperature Sensor Arrangement and Calculational Methodology: The individual loop hot and cold loop temperature signals required for input to the reactor trip circuits and interlocks are obtained using RTDs installed in each reactor coolant loop.

The hot leg temperature measurement on each loop is accomplished with three fast response narrow range RTDs mounted in thermowells. The thermowells are located within the three scoops previously used for the RTD bypass manifold with a portion of the scoop removed to entirely expose the end of the thermowell to the mainstream flow. For the final insertion depth, the tip of the RTD is located at the same dimensional position as previously occupied by the third center flow hole of the scoop.

These three narrow range RTD signals per loop are input to the Qualified Display Processing System (QDPS) where a sensor quality check is first performed. First, an out-of-range check is performed on each input with any signal out of range set at the upper or lower limit respectively. The following algorithm is then computed:

$$\hat{T}^{i}_{hj} = T^{i}_{hj} - P^{i}_{B} \, B^{s}_{ij}$$

where:

* $\hat{T}^{i}_{hj}$ = j-th narrow range $T_{hot}$ estimate in loop i
* $T^{i}_{hj}$ = j-th narrow range $T_{hot}$ signal in loop i
* $P^{i}_{B}$ = power fraction in loop i
* $B^{s}_{ij}$ = stored bias value for j-th narrow range $T_{hot}$ signal in loop i

The three hot leg estimates in each loop are then processed to determine a group average value ($T^{i}_{h\,ave}$) and the corresponding data quality (GOOD, POOR or BAD). The power fraction $P^{i}_{B}$ is calculated as

$$P^{i}_{B} = (T^{i}_{h\,ave} - T^{o}_{h}) / (T^{i\,100}_{h} - T^{o}_{h})$$

where:

* $T^{o}_{h}$ = no-load temperature
* $T^{i\,100}_{h}$ = full power average hot leg temperature at nominal full power

A current bias value is then calculated as

$$B^{c}_{ij} = \left( T^{i}_{hj} - (T^{i}_{h1} + T^{i}_{h2} + T^{i}_{h3})/3 \right) / P^{i}_{B}$$

where:

* $B^{c}_{ij}$ = current bias value

The current bias values ($B^{c}_{ij}$) are then filtered ($B^{cf}_{ij}$) and the stored bias values ($B^{s}_{ij}$) are updated provided all the following conditions are met:

* $T^{i}_{h\,ave}$ data quality is GOOD
* $P^{i}_{B} \ge P^{L}_{B}$
* $(B^{T}_{ij} - R^{i}) \le B^{cf}_{ij} \le (B^{T}_{ij} + R^{i})$

where:

* $B^{cf}_{ij} = B^{c}_{ij} \left( \frac{1}{1 + \tau_8 S} \right)$
* $\tau_8$ = filter time constant
* $P^{L}_{B}$ = minimum power threshold
* $B^{T}_{ij}$ = target bias value for j-th narrow range $T_{hot}$ signal in loop i
* $R^{i}$ = tolerances for the filtered bias values.

The stored bias values are then used to calculate the narrow range $T_{hot}$ estimates in each loop. An alarm and annunciator is actuated in the control room whenever two or three RTD temperature inputs in any loop have a data quality of BAD. The operator must place the channel in a tripped mode in accordance with the Technical Specifications.

One fast response narrow range RTD is located in each cold leg at the discharge of the reactor coolant pump (as replacements for the cold leg RTDs previously located in the bypass manifold). Temperature streaming in the cold leg is not a concern due to the mixing action of the reactor coolant pump. These RTDs measure the cold leg temperature for use in calculation of the loop $T^{i}_{avg}$ and $\Delta T^{i}$ variables.

One of the presently installed well-mounted fast response RTDs formerly used in the excessive cooldown protection logic is used as a spare for the cold leg; no new penetrations are necessary. All fast response narrow range T RTD signal outputs are input directly to the 7300 Process Protection System. The loop $T^{i}_{avg}$ and $\Delta T^{i}$ variables are calculated in the 7300 hardware. The average temperature in loop i is calculated by

$$T^{i}_{avg} = (T^{i}_{h\,ave} + T^{i}_{c}) / 2$$

and the temperature difference in loop i is calculated by

$$\Delta T^{i} = T^{i}_{h\,ave} - T^{i}_{c}$$

7.2.1.1.6 Pressurizer Water Level Reference Leg Arrangement
: The design of the pressurizer water level instrumentation employs the usual tank level arrangement using differential pressure between an upper and a lower tap on a column of water. A reference leg connected to the upper tap is kept full of water by condensation of steam at the top of the leg.

7.2.1.1.7 Analog System: The Analog System consists of two instrumentation systems: The Process Instrumentation System and the Nuclear Instrumentation System (NIS).

Process instrumentation includes those devices (and their interconnection into systems) that measure temperature, pressure, fluid flow, fluid level as in tanks or vessels, and, occasionally, physio-chemical parameters such as fluid conductivity or chemical concentration. Process instrumentation specifically excludes nuclear and radiation measurements. The process instrumentation includes the process measuring devices, power supplies, indicators, recorders, alarm-actuating devices, controllers, signal conditioning devices, etc., that are necessary for day-to-day operation of the Nuclear Steam Supply System (NSSS) as well as for monitoring the plant and providing initiation of protective functions upon approach to unsafe plant conditions.

The primary function of nuclear instrumentation is to protect the reactor by monitoring the neutron flux and generating appropriate trips and alarms for various phases of reactor operating and shutdown conditions. It also provides a secondary control function and indicates reactor status during startup and power operation. The NIS uses information from three separate types of instrumentation channels to provide three discrete protection levels. Each range of instrumentation (source, intermediate, and power) provides the necessary overpower reactor trip protection required during operation in that range. The overlap of instrument ranges provides reliable continuous protection beginning with source range through the intermediate and low-power range. As the reactor power increases, the overpower RTS setpoint is increased by administrative procedures after satisfactory higher range instrumentation operation is obtained. Automatic reset to more restrictive trip protection is provided when reducing power.

Various types of neutron detectors, with appropriate solid-state electronic circuitry, are used to monitor the leakage neutron flux from a completely shutdown condition to 120 percent of full power. The power-range channels are capable of recording overpower excursions up to 200 percent of full power. The neutron flux covers a wide range between these extremes. Therefore, monitoring with several ranges of instrumentation is necessary.

The lowest range (source) covers six decades of leakage neutron flux. The lowest observed count rate depends on the strength of the neutron sources in the core and the core multiplication associated with the shutdown reactivity. This is generally greater than two counts per second. The next range (intermediate) covers eight decades. Detectors and instrumentation are chosen to provide two decades of overlap between the higher portion of the source range and the lower portion of the intermediate range. The highest range (power) covers approximately two decades of the total instrumentation range. This is a linear range that overlaps with the higher portion of the intermediate range.

The system described above provides control room indication and recording of signals proportional to reactor neutron flux during core loading, shutdown, startup, and power operation, as well as during subsequent refueling. Startup rate indication for the source range and intermediate range channels is provided at the control board. Reactor trip, rod stop, control, and alarm signals are transmitted to the reactor control and protection systems for automatic plant control. Equipment failures and test status information are annunciated in the control room. References 7.2-1 and 7.2-2 contain additional background information on the process and nuclear instrumentation.

7.2.1.1.8 Solid-State Protection System: The Solid-State Protection System (SSPS) takes binary inputs (voltage/no voltage) from the process and nuclear instrument channels corresponding to conditions (normal/abnormal) of plant parameters. The system combines these signals in the required logic combination and generates a trip signal (no voltage) to the undervoltage trip attachment and shunt trip auxiliary relay coils of the reactor trip circuit breakers when the necessary combination of signals occurs. The system also provides annunciator, status light, and computer input signals which indicate the condition of bistable input signals, partial trip and full trip functions, and the status of the various blocking, permissive, and actuation functions. In addition, the system includes means for semiautomatic testing of the logic circuits.
7.2.1.1.9 Isolation Amplifiers: In certain applications, Westinghouse Electric Corporation considers it advantageous to employ control signals derived from individual protection channels through isolation amplifiers contained in the protection channel, as permitted by IEEE 279-1971.

In all of these cases, analog signals derived from protection channels for nonprotective functions are obtained through isolation amplifiers located in the analog protection racks. By definition, nonprotective functions include those signals used for control, remote process indication, and computer monitoring.

Consistent with the design of the instrumentation and control (I&C) protection systems, interfacing between the QDPS and any nonprotection or nonsafety-related circuitry is implemented through an isolation device. The design prevents degradation of the safety-related portions of the QDPS which could result from feedback of credible faults occurring in the nonsafety circuits being fed by the QDPS.

7.2.1.1.10 Energy Supply and Environmental Variations: The energy supply for the RTS, including the voltage and frequency variations, is described in Section 7.6.1 and Chapter 8. The environmental variations under which the system performs are given in Section 3.11.

7.2.1.1.11 Setpoints: Setpoints that require trip action are given in the Technical Specifications. A detailed discussion of setpoints is given in Sections 7.1.2.1.9 and 7.2.2.2.1.

7.2.1.1.12 Seismic Design: The RTS seismic design criteria are given in Section 3.10. The design meets the requirements of General Design Criterion (GDC) 2.

7.2.1.2 Design Bases Information: The following design bases comply with Section 3 of IEEE 279-1971.

7.2.1.2.1 Generating Station Conditions: Generating station conditions requiring a reactor trip are the following:

* DNBR approaching the design basis limit (Chapters 4 and 15).
* Power density (kW/ft) approaching rated value for ANS Condition II faults (Chapter 4 for fuel design limits).
* RCS overpressure creating stresses approaching the limits specified in Chapter 5.

7.2.1.2.2 Generating Station Variables: The following variables are required to be monitored to provide reactor trips (Table 7.2-1):

* Neutron flux
* Reactor coolant temperature
* RCS pressure (pressurizer pressure)
* Pressurizer water level
* Reactor coolant flow
* RCP operational status (voltage and frequency)
* SG water level (density compensated)
* Turbine generator (TG) operational status (trip fluid pressure and stop valve position)

7.2.1.2.3 Spatially Dependent Variables: The reactor coolant temperature measurement is the only spatially dependent variable.

7.2.1.2.4 Limits, Margins, and Setpoints: The parametric values that will require reactor trip are given in Chapter 15. Chapter 15 analyses prove that the setpoints used in the Technical Specifications are conservative.

The setpoints for the various functions in the RTS were analytically determined so that the operational limits so prescribed will prevent fuel rod clad damage and loss of integrity of the RCS as a result of any ANS Condition II incident (anticipated malfunction). As such, during any ANS Condition II incident, the RTS limits the following parameters to:

* Minimum DNBR = Design limit DNBR (as discussed in Section 4.4.1).
* Maximum system pressure = 2,750 psia
* Fuel rod maximum linear power for determination of protection setpoints = 18.0 kW/ft.

The accident analyses, described in Chapter 15, demonstrate that the functional requirements as specified for the RTS are adequate to meet the above considerations, even assuming, for conservatism, adverse combinations of instrument errors. A discussion of the safety limits associated with the reactor core and RCS, plus the allowable values (limiting value), are presented in the Technical Specifications.

7.2.1.2.5 Abnormal Events: The malfunctions, accidents, or other unusual events which could physically damage RTS components or could cause environmental changes are:

* Earthquakes (Chapters 2 and 3)
* Fire (Section 9.5.1)
* Missiles (Section 3.5)
* Flood (Chapters 2 and 3)
* Wind and tornadoes (Section 3.3)

The RTS fulfills the requirements of IEEE 279-1971 to provide automatic protection and to provide initiating signals to mitigate the consequences of faulted conditions.

7.2.1.6 Minimum Performance Requirements:

Reactor Trip System Response Times

Reactor Trip System response time is defined in Section 7.1. Typical maximum allowable time delays in generating the reactor trip signal are tabulated in Table 7.2-3. (Section 7.1.2.11 contains a discussion of periodic response time verification capabilities.)

Reactor Trip Accuracies

Accuracy is defined in Section 7.1. Typical reactor trip accuracies are tabulated in Table 7.2-3. An additional discussion on accuracy is found in Section 7.1.2.1.9.

Protection System Ranges

Typical RTS ranges are provided in Table 7.2-3. Range selection for the instrumentation covers the expected range of the process variable being monitored during power operation. Limiting setpoints are at least 5 percent from the end of the instrument span.

7.2.1.3 Final System Drawings: Functional block diagrams, electrical elementaries, and other drawings required to perform a safety review are provided in the safety-related drawing package listed in Section 1.7.
====7.2.2 Analyses====
7.2.2.1 Failure Modes and Effects Analyses: An analysis of the RTS has been performed. Results of this study and a fault-tree analysis are presented in Reference 7.2-4.
7.2.2.2 Evaluation of Design Limits: While most setpoints used in the RTS are fixed, there are variable setpoints, most notably the overtemperature ΔT and overpower ΔT setpoints which are shown in Figure 15.0-1C. All setpoints in the RTS were selected on the basis of engineering design or safety studies. The capability of the RTS to prevent loss of integrity of the fuel cladding and/or reactor coolant pressure boundary (RCPB) during ANS Condition II and III transients is demonstrated in Chapter 15. Setpoints for the overtemperature and overpressure trips are located in the COLR. The other RTS setpoints are presented in the Technical Specifications. Presented below is a discussion of the intent for each of the various reactor trips and the accident analyses (where appropriate) which utilize this trip. It should be noted that the selected trip setpoints provide for margin before protection action is actually required to allow for uncertainties and instrument errors. The design meets the requirements of GDC 10 and 20.
7.2.2.2.1 Trip Setpoint Discussion: Below the DNBR design basis limit there is likely to be significant local fuel cladding failure. The overtemperature and overpressure trips ensure that the core remains within DNBR and local fuel temperature design limits. These trips are a function of the core inlet temperature, power output, operating pressure, flow, and various setpoint parameters as described in Section 7.2.1.1.3.
Core safety limits in terms of the design basis DNBR for the hot channel can be developed as a function of core ΔT, Tavg, and pressure for a specified flow as shown in Figure 15.0-1C. This figure also illustrates the following relationships: (1) the loci of conditions equivalent to 118 percent of power as a function of ΔT and Tavg representing the overpower (kW/ft) limit on the fuel, (2) the maximum permissible setpoint (ΔT) as a function of Tavg and pressure for the trips, and (3) the locus of points where the steam generator safety valves open. Actual setpoint parameters for the overtemperature and overpressure trips are located in the COLR and are developed for each cycle-specific core using the methodology discussed in Reference 15.0-14. Setpoint parametric values are conservative to allow for instrument errors. The design meets the requirements of GDC 10, 15, 20, and 29.
The DNBR is not a directly measurable quantity; however, the process variables that determine DNBR are sensed and evaluated. Small isolated changes in various process variables may not individually result in violation of a core safety limit; however, the combined variations, over sufficient time, may cause the overpower or overtemperature safety limit to be exceeded. The design concept of the RTS takes cognizance of this situation by providing reactor trips associated with individual process variables in addition to the overpower/overtemperature safety limit trips. Process variable trips prevent reactor operation whenever a change in the monitored value is such that a core or system safety limit is in danger of being exceeded, should operation continue. Basically, the high-pressure, low-pressure, and overpower/overtemperature ΔT trips provide sufficient protection for slow transients, as opposed to such trips as low flow or high flux, which will trip the reactor for rapid changes in flow or flux, respectively, that would result in fuel damage before actuation of the slower responding ΔT trips could be effected.
The RTS is therefore designed to provide protection for fuel cladding and RCPB integrity where (1) a rapid change in a single variable or factor will quickly result in exceeding a core or a system safety limit, and (2) a slow change in one or more variables will have an integrated effect which will cause safety limits to be exceeded. Overall, the RTS offers diverse and comprehensive protection against fuel cladding failure and/or loss of RCS integrity for ANS Condition II and III accidents. This is demonstrated by Table 7.2-4, which lists the various trips of the RTS, the corresponding Technical Specification (which gives the allowable values and nominal trip setpoint settings), and the appropriate accident discussed in the safety analyses in which the trip could be utilized. The design meets the requirements of GDC 21.
Preoperational testing was performed on RTS components and systems to determine equipment readiness for startup. This testing served as a further evaluation of the system design. Analyses of the results of ANS Condition I, II, III, and IV events, including considerations of instrumentation installed to mitigate their consequences, are presented in Chapter 15. The instrumentation installed to mitigate the consequences of load rejection and turbine trip is listed in Section 7.7.
7.2.2.2.2 Reactor Coolant Flow Measurement: The elbow taps used on each loop in the Reactor Coolant System are instrument devices that indicate the status of the reactor coolant flow. The basic function of this device is to provide information as to whether a reduction in flow has occurred. The correlation between flow and elbow tap signal is given by the following equation:
$$\frac{\Delta P}{\Delta P_o} = \left(\frac{w}{w_o}\right)^2$$
where:
$\Delta P_o$ = Pressure differential at the reference flow, $w_o$
$\Delta P$ = Pressure differential at the corresponding flow, $w$
The full-flow reference point is established during initial plant startup. The low-flow trip point is then established by extrapolating along the correlation curve. The expected absolute accuracy of the channel is within ±10 percent of full flow, and field results have shown the repeatability of the trip point to be within ±1 percent.
7.2.2.2.3 Evaluation of Compliance to Applicable Codes and Standards: The RTS meets the criteria of the GDC as indicated and the requirements of Section 4 of IEEE 279-1971, as indicated below.
7.2.2.2.3.1 General Functional Requirement: The RTS automatically initiates appropriate protective action whenever a condition monitored by the system reaches a preset value. Functional performance requirements are given in Section 7.2.1.1.2.
7.2.2.2.3.2 Single Failure Criterion: The RTS is designed to provide two, three, or four instrumentation channels for each protective function and two logic train circuits. These redundant channels and trains are electrically isolated and physically separated. Thus, any single failure within a channel or train will not prevent protective action at the system level when required. Loss of input power (the most likely mode of failure) to a channel or logic train will result in a signal calling for a trip. This design meets the requirements of GDC 23. To prevent the occurrence of common mode failures, such additional measures as functional diversity, physical separation, and testing, as well as administrative control during design, production, installation, and operation, are employed as discussed in Reference 7.2-4. The design meets the requirements of GDC 21 and 22.
7.2.2.2.3.3 Quality of Components and Modules: For a discussion of the quality assurance requirements which apply to components and modules used in the RTS, refer to Reference 7.2-5.
7.2.2.2.3.4 Equipment Qualification: For a discussion of the type tests made to verify the performance requirements, refer to Sections 3.10 and 3.11. The test results demonstrate that the design meets the requirements of GDC 4.
7.2.2.2.3.5 Channel Integrity: RTS channels required to operate in accident conditions maintain necessary functional capability under extremes of conditions relating to environment, energy supply, malfunctions, and accidents. The energy supply for the RTS is described in Section 7.6.1 and Chapter 8. The environmental variations throughout which the system is designed to perform are given in Section 3.11.
7.2.2.2.3.6 Independence: Channel independence is carried throughout the system, extending from the sensor through to the devices actuating the protective function. Physical separation is used to achieve separation of redundant transmitters. Separation of wiring is achieved using separate wireways, cable trays, conduit runs, and Containment penetrations for each redundant channel. Redundant analog equipment is separated by locating modules in different protection cabinets. Each redundant protection channel set is energized from a separate ac power feed. This design meets the requirements of GDC 21 and RG 1.75.
Two reactor trip breakers are actuated by two separate logic matrices (Figure 7.1-2) which interrupt power to the control rod drive mechanisms (CRDMs). The breaker main contacts are connected in series with the power supply so that opening either breaker interrupts power to the CRDMs, permitting the rods to free fall into the core.
The design philosophy is to make maximum use of a wide variety of measurements. The RTS continuously monitors numerous diverse system variables. Generally, two or more diverse protection functions would terminate an accident before intolerable consequences could occur. This design meets the requirements of GDC 22.
7.2.2.2.3.7 Control and Protection System Interaction: The RTS is designed to be independent of the control system. In certain applications, the control signals and other nonprotective functions are derived from individual protection channels through isolation amplifiers. The isolation amplifiers are classified as part of the RTS and are located in the analog protection racks. Nonprotection functions include those signals used for control, remote process indication, and computer monitoring. The isolation amplifiers are designed so that a short circuit, an open circuit, or the application of credible fault voltages from within the cabinets on the isolated output portion of the circuit, i.e., the nonprotective side of the circuit, will not affect the input (protective) side of the circuit. The signals obtained through the isolation amplifiers are never returned to the protection racks. This design meets the requirements of GDC 24 and Paragraph 4.7 of IEEE 279-1971. The results of applying various malfunction conditions on the output portion of the isolation amplifiers show that no significant disturbance to the isolation amplifier input signal occurred.
7.2.2.2.3.8 Derivation of System Inputs: To the extent feasible and practicable, RTS inputs are derived from signals which are direct measures of the desired variables. Variables monitored for the various reactor trips are listed in Section 7.2.1.2.2.
7.2.2.2.3.9 Capability for Sensor Checks: The operational availability of each system input sensor during reactor operation is accomplished by cross-checking between channels that bear a known relationship to each other and that have readouts available. Channel checks are discussed in the Technical Specifications.
7.2.2.2.3.10 Capability for Testing: The RTS is capable of being tested during power operation. Where only parts of the system are tested at any one time, the testing sequence provides the necessary overlap between the parts to assure complete system operation. The testing capabilities are in conformance with RG 1.22, as discussed in Section 7.1.2.5.
The RTS is designed to permit periodic testing of its analog channel portion during reactor power operation without initiating a protective action unless a trip condition actually exists. This is because of the ability to test the analog system in bypass, and because coincidence logic is required for reactor trip. These tests may be performed at any plant power from cold shutdown to full power. Before starting any of these tests with the plant at power, all redundant reactor trip channels associated with the function to be tested must be in the normal (untripped) mode to avoid spurious trips.
1. Analog Channel Tests
Analog channel testing is performed at the analog instrumentation cabinet set by individually introducing dummy input signals into the instrumentation channel and observing the tripping of the appropriate output bistables. Process analog output to the logic circuitry is interrupted during individual channel test by a test switch which, when thrown, deenergizes the associated logic input and inserts a proving lamp in the bistable output. Interruption of the bistable output to the logic circuitry for any reason (testing, maintenance purposes, or removal from service) will cause that portion of the logic to be actuated (partial trip), accompanied by a partial trip alarm and channel status light actuation in the control room. The analog system also has test in bypass capability, which through an additional test switch maintains the associated logic input and prevents the actuation of the logic (partial trip). The bypass capability is designed so that credible failures (e.g. relays) will not result in a function being automatically placed in a bypassed condition. Both a local status light and a main control room annunciator are provided to indicate a bypassed condition. Each channel contains those switches, test points, etc., necessary to test the channel (Refs. 7.2-1 and 7.2-2).
The following periodic tests of the analog channels of the protection circuits are performed:
a. Tavg and ΔT protection channel testing
b. Pressurizer pressure protection channel testing
c. Pressurizer water level protection channel testing
d. SG water level protection channel testing
e. Reactor coolant low flow, underfrequency, and undervoltage protection channels testing
f. Impulse chamber pressure channel testing
g. Steam pressure protection channel testing
The interface between the protection cabinets of the 7300 Process Control System (PCS) and the Auxiliary Process Cabinets (APC) of the QDPS incorporates a special design for interlocked testing of the overall system. Normal overlap testing procedures for the protection system are basically unimpacted by the additional QDPS testing circuitry. Entrance to an APC and operation of a switch satisfies system circuit requirements which permit injection of a test signal from the 7300 PCS into the APC. At the 7300 PCS, the bistable(s) associated with the channel under test are first tripped off line. This action sends the corresponding APC channel into the test mode. Then when the test signal is injected at the 7300 PCS, it is transmitted to the APC then returned to the 7300 PCS, where bistable proving lights confirm channel integrity and operability. If desired, plasma display information may be confirmed at this time.
The design of the testing circuits incorporates APC and 7300 PCS door limit switch interlocks with the test switches to prevent operators from inadvertently leaving the system in a test mode.
2. Nuclear Instrumentation Channel Tests
The power range channels of the NIS are tested by superimposing a test signal on the actual detector signal being received by the channel at the time of testing. The output of the bistable is not placed in a tripped condition prior to testing. Also, since the power range channel logic is two out of four, bypass of this reactor trip function is not required, but has been provided to minimize the potential for spurious reactor trips during surveillance and maintenance. These channels are provided with a bypass function to prevent initiation of an undesired action from the system function during the period that one channel is in test. When the bypass test capability is used, the logic circuitry will not be actuated and bistable operation will be indicated locally.
To test a power range channel, a TEST-OPERATE switch is provided to require deliberate operator action. Operation of the switch will initiate the NIS CHANNEL TEST annunciator in the control room. If the bypass test capability is not used, bistable operation is tested by increasing the test signal to its trip setpoint and verifying bistable relay operation by control board annunciator and trip status lights.
It should be noted that a valid trip signal would cause the channel under test to trip at a lower actual reactor power level. A reactor trip would occur when a second bistable trips. No provision has been made in the channel test circuit for reducing the channel signal level below that signal being received from the NIS detector.
An NIS channel which can cause a reactor trip through one-of-two protection logic (source or intermediate range) is provided with a bypass function which prevents the initiation of a reactor trip from that particular channel during the short period that it is undergoing test. To permit testing in the bypass condition, a test panel is provided on each of the four NIS protection sets.
Use of administrative controls will ensure that not more than one channel will be bypassed at a time. The bypass capability is designed so that credible failures (e.g. relays) will not result in a function being automatically placed in a bypassed condition. An annunciator in the main control room and bypass status lights on the bypass test panels are provided to indicate the bypassed condition.
The following periodic tests of the NIS are performed:
a. Testing at plant shutdown
1) Source-range testing
2) Intermediate-range testing
3) Power-range testing
b. Testing between P-6 and P-10 permissive power levels
1) Source-range testing
2) Power-range testing
c. Testing above P-10 permissive power level
1) Power-range testing
Any deviations noted during the performance of these tests are investigated and corrected in accordance with the established calibration and troubleshooting procedures. For additional background information on the NIS, see Reference 7.2-2.
3. Solid-State Logic Testing
The logic trains of the RTS are designed to be capable of complete testing at power. After the individual channel analog testing is complete, the logic matrices are tested from the train R and train S logic rack test panels. This step provides overlap between the analog and logic portions of the test program. During this test, all of the logic inputs are actuated automatically in all combinations of trip and nontrip logic. Trip logic is not maintained sufficiently long to permit opening of the reactor trip breakers. The reactor trip undervoltage trip attachment and shunt trip auxiliary relay coils are pulsed in order to check continuity. During logic testing of one train, the other train can initiate any required protective functions. Annunciation is provided in the control room to indicate when a train is in test (train output bypassed) and when a reactor trip breaker is bypassed. (Train in test is alarmed to the operator through the ESFAS. See Section 7.5.4.) Logic testing can be performed in less than two hours.
A direct reactor trip resulting from undervoltage or underfrequency on the RCP buses is provided, as discussed in Section 7.2.1 and shown on Figures 7.2-2 and 7.2-5. The logic for these trips is capable of being tested during power operation. When parts of the trip are being tested, the sequence is such that an overlap is provided between parts so that a complete logic test is provided.
This design complies with the testing requirements of IEEE 279-1971 and 338-1977, as discussed in Section 7.1.2.11.
The permissive and block interlocks associated with the RTS and the ESFAS are given on Tables 7.2-2 and 7.3-4 and designated protection or "P" interlocks. As part of the RTS, these interlocks are designed to meet the testing requirements of IEEE 279-1971 and 338-1977. This capability for testing of all RTS interlocks is provided by the logic testing and semiautomatic testing features of the SSPS. In the SSPS, the undervoltage trip attachment and shunt trip auxiliary relay coils (reactor trip) and master relays (ESF actuation) are pulsed for all combinations of trip or actuation logic with and without the interlock signals. For example, reactor trip on low flow (two out of four loops showing two-out-of-three low flow) is tested to verify operability of the trip above P-7 and nontrip below P-7 (Figure 7.2-5). Interlock testing may be performed at power.
Testing of the logic trains of the RTS includes a check of the input relays and a logic matrix check. The following sequence is used to test the system:
a. Check of Input Relays
During testing of the process instrumentation and NIS channels with each channel bistable placed in a trip mode, one input relay in train R and one in train S will deenergize. A contact of each relay is connected to a universal logic printed circuit card. This card performs both the reactor trip and monitoring functions. Each reactor trip input relay contact causes a status lamp and an annunciator on the control board to operate. Either the train R or train S input relay operation will light the status lamp and annunciator.
Each train contains a multiplexing test switch. At the start of a process instrumentation or NIS test, this switch (in either train) is in the R + S position. The R + S position alternately allows information to be transmitted from the two trains to the control board. A steady status lamp and annunciator indicates that input relays in both trains have been deenergized. A flashing lamp means that one of the input relays in the two trains did not deenergize. Contact inputs to the SSPS, such as RCP bus underfrequency relays, operate input relays which are tested by operating the remote contacts as described above and using the same type of indications as those provided for bistable input relays.
Actuation of the input relays provides the overlap between the testing of the SSPS and the testing of those systems supplying inputs to the system. Test indications are status lamps and annunciators on the control board. Inputs to the system are checked, one channel at a time, leaving the other channels in service. For example, when testing with the channel bistable in a trip mode, a function that trips the reactor when two out of four channels trip becomes a one-out-of-three trip when one channel is placed in the trip mode. When testing in the bypass mode, a function that trips the reactor when two out of four channels trip becomes a two-out-of-three trip when one channel is bypassed. The input relay operation is then verified at the 18-month frequency. Both trains of the SSPS remain in service during this portion of the test.
b. Check of Logic Matrices
Logic matrices are checked one train at a time. Input relays are not operated during this portion of the test. Reactor trips from the train being tested are inhibited with the use of the input error inhibit switch on the semiautomatic test panel in the train. At the completion of the logic matrix tests, one bistable in each channel of process instrumentation or nuclear instrumentation which is tripped due to plant conditions, is checked to ensure closure of the input error inhibit switch contacts.
The logic test scheme uses pulse techniques to check the coincidence logic. All possible trip and nontrip combinations are checked. Pulses from the tester are applied to the inputs of the universal logic card at the same terminals that connect to the input relay contacts. Thus, there is an overlap between the input relay check and the logic matrix check. Pulses are fed back from the reactor trip breaker undervoltage trip attachment and shunt trip auxiliary relay coils to the tester. The pulses are of such short duration that the reactor trip breaker undervoltage coil armature cannot respond mechanically.
Test indications provided are: (1) an annunciator in the control room indicating that reactor trips from the train have been blocked and that the train is being tested, and (2) green and red lamps on the semiautomatic tester to indicate a good or bad logic matrix test. Protection capability provided during this portion of the test is from the train not being tested.
The test capability meets the requirements of GDC 21.
4. Testing of Reactor Trip Breakers
Normally, the reactor trip breakers are in service, and the bypass breakers are withdrawn (out of service). The following describes the method used for testing the trip breakers:
a. While the Train R bypass breaker is racked out, it is manually closed and tripped to verify its operation.
b. The bypass breaker is then closed to allow testing of the main trip breaker. The main trip breaker is then tripped using a trip signal that passes through the undervoltage driver circuit in SSPS which also verifies proper functioning of the undervoltage trip signal. This is done while operating the AUTO SHUNT TRIP BLOCK pushbutton on the automatic shunt trip panel. This verifies operation of the undervoltage trip attachment independent of the shunt trip device. After reclosing the main trip breaker, it is tripped again by operation of the AUTO SHUNT TRIP TEST pushbutton on the automatic shunt trip panel. This is to verify tripping of the breaker through the shunt trip device independent of the undervoltage attachment.
c. The main trip breaker is then reclosed.
d. The bypass breaker is tripped and racked out.
e. This is repeated for the opposite train in accordance with the test schedule.
Auxiliary contacts of the bypass breakers are connected into the alarm system of their respective trains so that if either train is placed in test while the bypass breaker of the other train is closed, both reactor trip breakers and both bypass breakers will automatically trip.
Auxiliary contacts of the bypass breakers are also connected in such a way that if an attempt is made to close the bypass breaker in one train while the bypass breaker of the other train is already closed, both bypass breakers will automatically trip.
The two bypass breakers (one on Train R and one on Train S) operate one annunciator each in the control room. Bypassing of a protection train with either the bypass breaker or with the test switches will result in audible and visual indications.
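
Added example (not part of the UFSAR and not plant software): a constructed Python model of the two-out-of-four coincidence logic discussed in the input relay and logic matrix checks above. It shows how a channel in trip mode or in bypass changes the effective logic, why bypassing more than one channel defeats single-failure tolerance, and how applying every trip/nontrip combination exposes a stuck input. All names (`Ch`, `train_trips`, `faulty_logic`, and so on) are hypothetical, and the stuck-input defect is constructed for illustration.

```python
"""Constructed model of 2-out-of-4 coincidence logic; illustrative only."""
from enum import Enum
from itertools import product


class Ch(Enum):
    NORMAL = "normal"      # in service, bistable not calling for a trip
    TRIPPED = "tripped"    # bistable output calls for a trip (partial trip)
    BYPASSED = "bypassed"  # test in bypass: channel removed from the vote


def bistable_output(powered, demand):
    """Channel state seen by the logic; loss of input power calls for a trip."""
    return Ch.TRIPPED if (demand or not powered) else Ch.NORMAL


def train_trips(states, required=2):
    """One logic train: trip when enough channels are in the tripped state."""
    return sum(s is Ch.TRIPPED for s in states) >= required


def effective_logic(states, required=2):
    """Return (m, n): m more trips needed out of the n channels still voting."""
    tripped = sum(s is Ch.TRIPPED for s in states)
    in_service = sum(s is Ch.NORMAL for s in states)
    return max(required - tripped, 0), in_service


def tolerates_single_failure(states, required=2):
    """True if a real demand still trips when one in-service channel
    fails to respond (the single random failure case)."""
    tripped = sum(s is Ch.TRIPPED for s in states)
    in_service = sum(s is Ch.NORMAL for s in states)
    responders = max(in_service - 1, 0)
    return tripped + responders >= required


def logic_matrix_check(logic, n=4, required=2):
    """Apply every trip/nontrip input combination and return the
    combinations for which the logic under test gives the wrong answer."""
    bad = []
    for combo in product((Ch.NORMAL, Ch.TRIPPED), repeat=n):
        expected = sum(s is Ch.TRIPPED for s in combo) >= required
        if logic(list(combo)) != expected:
            bad.append(combo)
    return bad


def faulty_logic(states):
    """Constructed defect: input 0 is stuck in the nontrip state."""
    return train_trips([Ch.NORMAL] + list(states[1:]))


def reactor_trip(train_r_states, train_s_states):
    """Trip breakers are in series, so either train alone removes CRDM power."""
    return train_trips(train_r_states) or train_trips(train_s_states)


if __name__ == "__main__":
    N, T, B = Ch.NORMAL, Ch.TRIPPED, Ch.BYPASSED
    print("one channel in trip mode :", effective_logic([T, N, N, N]))
    print("one channel in bypass    :", effective_logic([B, N, N, N]))
    print("two channels in bypass tolerate a failure:",
          tolerates_single_failure([B, B, N, N]))
    print("good logic mismatches    :", len(logic_matrix_check(train_trips)))
    print("stuck-input mismatches   :", len(logic_matrix_check(faulty_logic)))
```

The stuck input is only caught by combinations in which that input is one of exactly two tripped channels, which is why the check has to cover all combinations rather than a sample.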
The complete RTS is normally required to be in service. However, to permit on-line testing of the various protection channels or to permit continued operation in the event of subsystem instrumentation channel failure, the Technical Specifications define the minimum number of operable channels. The Technical Specifications also define the required restriction to operation in the event that the channel operability requirements cannot be met.
7.2.2.2.3.11 Channel Bypass or Removal from Operation: The RTS is designed to permit periodic testing of its analog channel portion during reactor power operation without initiating a protective action unless a trip condition actually exists. This is because of the ability to test the analog system in bypass and because the coincidence logic is required for reactor trip.
7.2.2.2.3.12 Operating Bypasses: Where operating requirements necessitate automatic or manual bypass of a protective function, the design is such that the bypass is removed automatically whenever permissive conditions are not met. Devices used to achieve automatic removal of the bypass of a protective function are considered part of the RTS and are designed in accordance with the criteria of this section. Indication is provided in the control room if some part of the system has been administratively bypassed or taken out of service.
7.2.2.2.3.13 Indication of Bypasses: Bypass indication is discussed in Section 7.1.
7.2.2.2.3.14 Access to Means for Bypassing: The design provides for administrative control of access to the means for manually bypassing channels or protective functions (Ref. 7.2-1).
7.2.2.2.3.15 Multiple Setpoints: Multiple setpoints are used for monitoring neutron flux. When a more restrictive trip setting becomes necessary to provide adequate protection for a particular mode of operation or set of operating conditions, the RTS circuits are designed to provide positive means of administrative control to assure that the more restrictive trip setpoint is used. The devices used to prevent improper use of less restrictive trip settings are considered part of the RTS and are designed in accordance with the criteria of this section.
7.2.2.2.3.16 Completion of Protective Action: The RTS is designed so that, once initiated, a protective action goes to completion. Return to normal operation requires action by the operator.
7.2.2.2.3.17 Manual Initiation: Switches are provided on the control board for manual initiation of protective action. Failure in the automatic system does not prevent the manual actuation of the protective functions. Manual actuation relies on the operation of a minimum of equipment.
7.2.2.2.3.18 Access: The design provides for administrative control of access to all setpoint adjustments, module calibration adjustments, and test points (Ref. 7.2-1).
7.2.2.2.3.19 Identification of Protective Actions: Protective channel identification is discussed in Section 7.1.2.3. Indication is discussed in Section 7.2.2.2.3.20.
7.2.2.2.3.20 Information Readout: The RTS provides the operator with complete information pertinent to system status and safety. All transmitted signals (flow, pressure, temperature, etc.) which can cause a reactor trip will be either indicated or recorded for every channel, including all neutron flux power range currents (top detector, bottom detector, algebraic difference, and average of bottom and top detector currents).
Any reactor trip will actuate an annunciator (both audible and visual indication). Such protective actions are indicated and identified down to the channel level.
Alarms and annunciators are also used to alert the operator of deviations from normal operating conditions so that he may take appropriate corrective action to avoid a reactor trip. Actuation of any rod stop or trip of any reactor trip channel will actuate an alarm.
7.2.2.2.3.21 System Repair: The system is designed to facilitate the recognition, location, replacement, and repair of malfunctioning components or modules. Refer to the discussion in Section 7.2.2.2.3.10.
7.2.2.3 Specific Control and Protection Interactions:
7.2.2.3.1 Neutron Flux: Four power-range neutron flux channels are provided for overpower protection. An isolated auctioneered high signal is derived by auctioneering of the four channels for automatic rod control. If any channel fails in such a way as to produce a low output, that channel is incapable of proper overpower protection but will not cause control rod movement because of the auctioneer. Two-out-of-four overpower trip logic will ensure an overpower trip if needed, even with an independent failure in another channel.
In addition, channel deviation signals in the Reactor Control System will give an alarm if any neutron flux channel deviates significantly from the average of the flux signals. Also, the control system will respond only to rapid changes in indicated neutron flux; slow changes or drifts are compensated by the temperature control signals. Finally, an overpower signal from any nuclear power range channel will block manual and automatic rod withdrawal. The setpoint for this rod stop is below the reactor trip setpoint.
7.2.2.3.2 Coolant Temperature: The accuracy of the narrow range resistance temperature detector temperature measurements is demonstrated during plant startup tests by comparing temperature measurements from the narrow range resistance temperature detectors with one another as well as with the temperature measurements obtained from the wide range resistance temperature detectors also located in the hot leg and cold leg piping of each loop. The comparisons are made with the RCS in an isothermal condition. The linearity of the ΔT measurements obtained from the hot leg and cold leg narrow range resistance temperature detectors as a function of plant power is also checked during plant startup tests. The absolute value of ΔT versus plant power is not important, per se, as far as reactor protection is concerned. The RTS setpoints are based upon percentages of the indicated ΔT at nominal full power rather than on absolute values of ΔT in order to account for loop differences which are inherent. Therefore, the percent ΔT scheme is relative, not absolute, and it provides better protective action without the expense of accuracy. For this reason, the linearity of the ΔT signals as a function of power is of importance, rather than the absolute values of the ΔT. As part of the plant startup tests, the narrow range resistance temperature detector signals are also compared with the core exit thermocouple signals.
Reactor control is based upon signals derived from RTS channels after isolation by isolation amplifiers, so that no feedback effect can perturb the protection channels.
Since control is based on the average temperature of the loop with the highest temperature, the control rods are always moved based upon the most conservative temperature measurement with respect to margins to DNB. A spurious low average temperature measurement from any loop temperature control channel will cause no control action. A spurious high average temperature measurement will cause rod insertion (safe direction). Channel deviation signals in the control system will give an alarm if any temperature channel deviates significantly from the auctioneered (highest) value. Automatic rod withdrawal blocks will also occur if any two of the four overtemperature ΔT or overpower ΔT channels indicate an adverse condition.
Section 4.7 of IEEE 279-1971 and GDC 24 requirements concerning Control and Protection Systems Interaction are satisfied, even though control signals are derived from protection sets, because the 2/4 voting coincidence logic of the protection sets is maintained. Where a single random failure can cause a control system action that results in a condition requiring protective action and can also prevent proper action of a protective system channel designed to protect against the condition, the remaining three redundant protection channels are capable of providing the protective action even if degraded by a second random failure.
7.2.2.3.3 Pressurizer Pressure:  The pressurizer pressure protection channel signals are used for high- and low-pressure protection and as inputs to the overtemperature ΔT trip protection function. Isolated output signals from these channels are used for pressure control. These are used to control pressurizer spray and heaters and power-operated relief valves (PORVs). Pressurizer pressure is sensed by fast-response pressure transmitters.
A spurious high-pressure signal from one channel can cause decreasing pressure by actuation of either spray or relief valves. Additional redundancy is provided in the low pressurizer pressure reactor trip and in the logic for SI to ensure low-pressure protection. Overpressure protection is based upon the positive surge of the reactor coolant produced as a result of turbine trip under full load, assuming the core continues to produce full power. The self-actuated safety valves are sized on the basis of steam flow from the pressurizer to accommodate this surge at a setpoint of 2,500 psia and an accumulation of 3 percent. Note that no credit is taken for the relief capability provided by the PORVs during this surge. In addition, operation of any one of the PORVs can maintain pressure below the high-pressure trip point for most transients. The rate of pressure rise achievable with heaters is slow, and ample time and pressure alarms are available to alert the operator of the need for appropriate action.
7.2.2.3.4 Pressurizer Water Level:  Four pressurizer water level channels are used for reactor trip. Isolated signals from these channels are used for pressurizer water level control. A failure in the level control system could fill or empty the pressurizer at a slow rate (on the order of 30 minutes or more). The high water level trip setpoint provides sufficient margin so that the undesirable condition of discharging liquid coolant through the safety valves is avoided. Even at full-power conditions, which would produce the worst thermal expansion rates, a failure of the water level control would not lead to any liquid discharge through the safety valves. This is due to the automatic high pressurizer pressure reactor trip actuating at a pressure sufficiently below the safety valve setpoint. Furthermore, the two-out-of-four high pressurizer water level trip logic ensures a reactor trip if needed, even with an independent failure in another channel used for control and when degraded by an additional second random failure.
7.2.2.3.5 Steam Generator Water Level:  The basic function of the reactor protection circuits associated with low-low SG water level is to preserve the SG heat sink for removal of long-term residual heat. Should a complete loss of feedwater (FW) occur, the reactor would be tripped on low-low SG water level. In addition, redundant auxiliary feedwater (AFW) pumps are provided to supply AFW in order to maintain residual heat removal after trip.
These reactor trips act before the SGs are dry to reduce the required capacity and increase the starting time requirements of the AFW pumps and to minimize the thermal transient on the RCS and SGs. Therefore, the low-low SG water level reactor trip circuit is provided for each SG to ensure that sufficient  initial thermal capacity is available in the SG at the start of the transient. The two-out-of-four low-low SG water level trip logic ensures a reactor trip if needed, even with an independent failure in another channel used for control and when degraded by an additional second postulated random failure. Each of the four narrow range level channels on each steam generator, which are input signals to the two-out-of-four low-low SG water level trip logic, is compensated for the effect of temperature changes in the reference leg fluid. Two strap-on RTDs are installed on each narrow range reference leg. These RTDs provide reference leg temperature signals to the compensation system electronics.
The reference leg temperature inputs are used to calculate the change in density of the reference leg fluid, which in turn is used to determine the SG narrow range level error. The calculated level error is then applied to the uncompensated level signal, resulting in a compensated level signal that is input to the low-low SG water level trip logic. Signal processing for SG narrow range water level is further described in Section 7.5.6.
A spurious low signal from the FW flow channel being used for control would cause an increase in FW flow. The mismatch between steam flow and FW flow produced by the spurious signal would actuate alarms to alert the operator of the situation in time for manual correction. If the condition continues, a two-out-of-four high-high SG water level signal in any loop, independent of the indicated FW flow, will cause FW isolation and turbine trip. The turbine trip will result in a subsequent reactor trip if power is above the P-9 setpoint. The high-high SG water level trip is an equipment protective trip preventing excessive moisture carryover which could damage the turbine blades. In addition, the three-element FW controller incorporates integral action on the level error signal so that, with expected controller settings, a rapid increase or decrease in the flow signal would cause only a small change in level before the controller would compensate for the level error. A slow change in the FW flow signal would have an insignificant effect. A spurious low or high steam flow signal would have the same effect as a spurious high-FW or low-FW flow signal.
Automatic protection is also provided in case the spurious low-level signal increases FW flow sufficiently to cause high level in the SG. A turbine trip and FW isolation would occur on two-out-of-four high-high SG water level in any loop.
7.2.2.4 Additional Postulated Accidents:  Loss of plant instrument air or component cooling water is discussed in Section 7.3.1.2. Load rejection and turbine trip are discussed in further detail in Section 7.7.
The control interlocks (rod stops) provided to prevent abnormal power conditions which could result from excessive control rod withdrawal are discussed in Section 7.7.1.4.1 and listed in Table 7.7-1.
Excessively high power operation (which is prevented by blocking of automatic rod withdrawal), if allowed to continue, might lead to a safety limit (as given in the Technical Specifications) being reached. Before such a limit is reached, protection will be available from the RTS. At the power levels of the rod block setpoints, safety limits have not been reached; therefore, these rod withdrawal stops do not come under the scope of safety-related systems and are considered control systems.
7.2.3 Tests and Inspections
The RTS meets the testing requirements of IEEE 338-1971, as discussed in Section 7.1.2.11. The testability of the system is discussed in Section 7.2.2.2.3. The initial test intervals will be specified in the Technical Specifications. Written test procedures and documentation, conforming to the requirements of IEEE 338-1971, will be available for audit by responsible personnel. Periodic testing complies with RG 1.22, as discussed in Sections 7.1.2.5 and 7.2.2.2.3.
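The control and protection interaction described in Sections 7.2.2.3.1 and 7.2.2.3.2 can be exercised with a small fault-injection model. The following Python sketch is an added illustration, not part of the UFSAR: the setpoints, the deviation limit and all function names are constructed assumptions, and a failed channel is modelled simply as a fixed output value.

```python
"""Added illustration: auctioneered-high control signal versus 2-out-of-4
trip voting on four power-range channels. All numeric values are
constructed for the example and are not plant setpoints."""
from itertools import combinations

N_CHANNELS = 4
TRIP_SETPOINT = 109.0      # % power, constructed value
ROD_STOP_SETPOINT = 103.0  # % power, constructed value (below the trip setpoint)
DEVIATION_LIMIT = 5.0      # % power, constructed value


def auctioneer_high(isolated_signals):
    """Control side: select the highest of the isolated channel signals."""
    return max(isolated_signals)


def coincidence(bistables, required):
    """Protection side: true when at least `required` bistables are tripped."""
    return sum(1 for b in bistables if b) >= required


def evaluate(channels):
    """Derive control and protection outputs from one set of channel readings."""
    average = sum(channels) / len(channels)
    return {
        # Rod control follows the auctioneered-high signal only.
        "control_signal": auctioneer_high(channels),
        # Reactor trip needs two of the four channels above the trip setpoint.
        "reactor_trip": coincidence([c >= TRIP_SETPOINT for c in channels], 2),
        # An overpower signal from any single channel blocks rod withdrawal.
        "rod_withdrawal_blocked": coincidence(
            [c >= ROD_STOP_SETPOINT for c in channels], 1),
        # Alarm when any channel deviates significantly from the average.
        "deviation_alarm": any(abs(c - average) > DEVIATION_LIMIT
                               for c in channels),
    }


def trip_survives(true_power, n_failed, failed_output=0.0):
    """Inject every combination of `n_failed` failed channels during a real
    overpower condition and report whether the trip is generated every time."""
    for failed in combinations(range(N_CHANNELS), n_failed):
        channels = [failed_output if i in failed else true_power
                    for i in range(N_CHANNELS)]
        if not evaluate(channels)["reactor_trip"]:
            return False
    return True


def max_tolerated_failures(true_power):
    """Largest number of failed-low channels for which the trip still occurs."""
    tolerated = -1
    for n_failed in range(N_CHANNELS + 1):
        if not trip_survives(true_power, n_failed):
            break
        tolerated = n_failed
    return tolerated


if __name__ == "__main__":
    print("one channel failed low :", evaluate([100.0, 100.0, 0.0, 100.0]))
    print("one channel failed high:", evaluate([100.0, 200.0, 100.0, 100.0]))
    print("failed-low channels tolerated at 115% power:",
          max_tolerated_failures(115.0))
```

A failed-low channel leaves the control signal unchanged and raises only the deviation alarm, while a failed-high channel blocks rod withdrawal without satisfying the 2/4 trip coincidence.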
STPEGS UFSAR 7.2-32 Revision 14
REFERENCES
Section 7.2
: 7.2-1 Reid, J. B., Process Instrumentation for Westinghouse Nuclear Steam Supply Systems, WCAP-7913 (January 1973). (Additional background information only)
: 7.2-2 Lipchak, J. B. and R. A. Stokes, Nuclear Instrumentation System, WCAP-8255 (January 1974). (Additional background information only)
: 7.2-3 Katz, D. N., Solid State Logic Protection System Description, WCAP-7488-L, Proprietary (March 1971) and WCAP-7672, Nonproprietary (May 1971). (Additional background information only)
: 7.2-4 Gangloff, W. C., and W. D. Loftus, An Evaluation of Solid State Logic Reactor Protection In Anticipated Transients, WCAP-7706-L, Proprietary (February 1971) and WCAP-7706, Nonproprietary (February 1971).
: 7.2-5 WCAP-8370, Rev. 9A Westinghouse Water Reactor Divisions Quality Assurance Plan, October 1979.
: 7.2-6 Westinghouse Letter, P. J. Biondo to T. J. Jordan, Lead/Lag Tolerances in Overpower and Overtemperature Delta-T, January 15, 1993, ST-WN-HS-203.
TABLE 7.2-1
LIST OF REACTOR TRIPS
| Reactor Trip | Coincidence Logic | Interlocks | Comments |
|---|---|---|---|
| 1. High neutron flux (power-range) | 2/4 | Manual block of low setting permitted by P-10 | High and low setting; manual block and automatic reset of low setting by P-10 |
| 2. Intermediate-range high neutron flux | 1/2 | Manual block permitted by P-10 | Manual block and automatic reset |
| 3. Source-range high neutron flux | 1/2 | Manual block permitted by P-6, interlocked with P-10 | Manual block and automatic reset; automatic block above P-10 |
| 4. Power-range high positive neutron flux rate | 2/4 | No interlocks | |
| 5. Overtemperature ΔT | 2/4 | No interlocks | |
| 6. Overpower ΔT | 2/4 | No interlocks | |
| 7. Pressurizer low pressure | 2/4 | Interlocked with P-7 | Blocked below P-7 |
| 8. Pressurizer high pressure | 2/4 | No interlocks | |
| 9. Pressurizer high water level | 2/4 | Interlocked with P-7 | Blocked below P-7 |
| 10. Low reactor coolant flow | 2/3 in any loop above P-8; 2/3 in two loops above P-7 | Interlocked with P-7 and P-8 | Low flow in one loop will cause a reactor trip when above P-8; low flow in two loops will cause a reactor trip when P-7; blocked below P-7 |
| 11. RCP bus undervoltage | 2/4 | Interlocked with P-7 | Low voltage on all buses permitted below P-7 |
| 12. RCP bus underfrequency | 2/4 | Interlocked with P-7 | Underfrequency on two buses will trip all RCP breakers and cause reactor trip; blocked below P-7 |
| 13. Low-low SG water level | 2/4 in any loop | No interlocks | Levels are compensated for changes in reference leg density |
| 14. SI signal | See Figure 7.2-8 | No interlocks | See Section 7.3 for SI signal actuation conditions |
| 15. Turbine trip: a) Low emergency trip fluid pressure | 2/3 | Interlocked with P-9 | Blocked below P-9 |
| 15. Turbine trip: b) Turbine stop valve | 2/4 closed | Interlocked with P-9 | Blocked below P-9 |
| 16. Manual | 1/2 | No interlocks | |
TABLE 7.2-2
PROTECTION SYSTEM INTERLOCKS
I. POWER ESCALATION PERMISSIVES
| Designation | Derivation | Function |
|---|---|---|
| P-6 | Presence of P-6: 1/2 neutron flux (intermediate-range) above setpoint | Allows manual block of source range reactor trip |
| P-6 | Absence of P-6: 2/2 neutron flux (intermediate-range) below setpoint | Defeats the block of source-range reactor trip |
| P-10 | Presence of P-10: 2/4 neutron flux (power-range) above setpoint | Allows manual block of power-range (low setpoint) reactor trip. Allows manual block of intermediate-range reactor trip and intermediate-range rod stops (C-1). Blocks source-range reactor trip (backup for P-6). Input to P-7 |
| P-10 | Absence of P-10: 3/4 neutron flux (power-range) below setpoint | Defeats the block of power-range (low setpoint) reactor trip. Defeats the block of intermediate-range reactor trip and intermediate-range rod stops (C-1) |
II. BLOCKS OF REACTOR TRIPS
| Designation | Derivation | Function |
|---|---|---|
| P-7 | Absence of P-7: 3/4 neutron flux (power-range) below setpoint and 2/2 turbine impulse chamber pressure below setpoint (Presence of P-7 occurs when either P-10 or P-13 is present. Absence of P-7 is when neither P-10 nor P-13 is present.) | Absence of P-7 blocks reactor trip on: low reactor coolant flow in more than one loop, undervoltage, underfrequency, pressurizer low pressure, and pressurizer high level |
| P-8 | Absence of P-8: 3/4 neutron flux (power range) below setpoint | Absence of P-8 blocks reactor trip on low coolant flow in a single loop |
| P-9 | Absence of P-9: 3/4 neutron flux (power range) below setpoint | Absence of P-9 blocks reactor trip on turbine trip |
| P-13 | Absence of P-13: 2/2 turbine impulse chamber pressure below setpoint | Input to P-7 |
TABLE 7.2-3
REACTOR TRIP SYSTEM INSTRUMENTATION
| Reactor Trip Signal | Typical Range | Typical Trip Accuracy | Typical Time Response (sec) |
|---|---|---|---|
| 1. Power-range high neutron flux | 1 to 120% full power | 1% of full power | 0.2 |
| 2. Intermediate-range high neutron flux | 8 decades of neutron flux overlapping source range by 2 decades | 5% of full scale; 1% of full scale from 10⁻⁴ to 50% full power (1) | 0.2 |
| 3. Source-range high neutron flux | 6 decades of neutron flux (1 to 10⁶ counts/sec) | 5% of full scale (1) | 0.2 |
| 4. Power-range high positive neutron flux rate | +15% of full power | 5% (1) | 0.2 |
| 5. Overtemperature ΔT | T_H 530 to 650°F; T_C 510 to 630°F; T_avg 530 to 630°F; P_PRZR 1,700 to 2,500 psi; f1 -50 to +35 | 6.8% ΔT | 10.0 |
| 6. Overpower ΔT | T_H 530 to 650°F; T_C 510 to 630°F; T_avg 530 to 630°F | 5.5% ΔT | 10.0 |
| 7. Pressurizer low pressure | 1,700 to 2,500 psig | 18 psi (compensated signal) | 2.0 |
(1) Reproducibility (see definitions in Section 7.1)
TABLE 7.2-3 (Continued)
REACTOR TRIP SYSTEM INSTRUMENTATION
| Reactor Trip Signal | Typical Range | Typical Trip Accuracy | Typical Time Response (sec) |
|---|---|---|---|
| 8. Pressurizer high pressure | 1,700 to 2,500 psig | 18 psi (noncompensated signal) | 2.0 |
| 9. Pressurizer high water level | Entire cylindrical portion of pressurizer (distance between taps) | +2.3% of full range ΔP between taps at design temperature and pressure | 1.2 |
| 10. Low reactor coolant flow | 0 to 120% of rated flow | 2.5% of full flow within range of 70% to 100% of full flow (1) | 1.0 |
| 11. RCP bus undervoltage | 0 to 100% rated voltage | 1% | 1.5 |
| 12. RCP bus underfrequency | 50 to 65 Hz | 0.1 Hz | 0.6 |
| 13. Low-Low SG water level | 6 ft from nominal full-load water level | +4.3% of span (compensated signal) | 2.0 |
| 14. Turbine trip | NA | NA | 2.0 |
(1) Reproducibility (see definitions in Section 7.1)
TABLE 7.2-4
REACTOR TRIP CORRELATION
| Trip (a) | Accident (b) | Technical Specification (c) |
|---|---|---|
| 1. Power-Range High Neutron Flux Trip (Low Setpoint) | a. Uncontrolled Rod Cluster Control Assembly Bank withdrawal from a subcritical condition (Section 15.4.1) | 2.2.1 Table 2.2-1 (2) |
| | b. Feedwater System malfunctions causing a reduction in feedwater temperature (Section 15.1.1) | |
| | c. Feedwater System malfunctions causing an increase in feedwater flow (Section 15.1.2) | |
| | d. Rod Cluster Control Assembly ejection (Section 15.4.8) | |
| 2. Power-Range High Neutron Flux Trip (High Setpoint) | a. Uncontrolled Rod Cluster Control Assembly Bank withdrawal from a subcritical condition (Section 15.4.1) | 2.2.1 Table 2.2-1 (2) |
| | b. Uncontrolled Rod Cluster Control Assembly Bank withdrawal at power (Section 15.4.2) | |
| | c. Startup of an inactive Reactor Coolant Loop (Section 15.4.4) | |
| | d. Feedwater System malfunctions causing a reduction in feedwater temperature (Section 15.1.1) | |
| | e. Feedwater System malfunctions causing an increase in feedwater flow (Section 15.1.2) | |
| | f. Excessive increase in secondary steam flow (Section 15.1.3) | |
TABLE 7.2-4 (Continued)
REACTOR TRIP CORRELATION
| Trip (a) | Accident (b) | Technical Specification (c) |
|---|---|---|
| | g. Accidental depressurization of the Main Steam System (Section 15.1.4) | |
| | h. Major Secondary System pipe ruptures (Section 15.1.5) | |
| | i. Rod Cluster Control Assembly ejection (Section 15.4.8) | |
| 3. Intermediate-Range High Neutron Flux Trip | a. Uncontrolled Rod Cluster Control Assembly Bank withdrawal from a subcritical condition (Section 15.4.1). See Note d | 2.2.1 Table 2.2-1 (5) |
| 4. Source-Range High Neutron Flux Trip | a. Uncontrolled Rod Cluster Control Assembly Bank withdrawal from a subcritical condition (Section 15.4.1). See Note d | 2.2.1 Table 2.2-1 (6) |
| 5. Power-Range High Positive Neutron Flux Rate Trip | a. Rod Cluster Control Assembly ejection (Section 15.4.8) | 2.2.1 Table 2.2-1 (3) |
| | b. Uncontrolled Rod Cluster Control Assembly Bank withdrawal from a subcritical condition (Section 15.4.1) | |
| 6. Overtemperature ΔT Trip | a. Uncontrolled Rod Cluster Control Assembly Bank withdrawal at power (Section 15.4.2) | 2.2.1 Table 2.2-1 (7) |
| | b. Uncontrolled Boron dilution (Section 15.4.6) | |
| | c. Loss of external electrical load and/or turbine trip (Sections 15.2.2 and 15.2.3) | |
TABLE 7.2-4 (Continued)
REACTOR TRIP CORRELATION
| Trip (a) | Accident (b) | Technical Specification (c) |
|---|---|---|
| | d. Feedwater System malfunctions causing a reduction in feedwater temperature (Section 15.1.1) | |
| | e. Feedwater System malfunctions causing an increase in feedwater flow (Section 15.1.2) | |
| | f. Excessive increase in secondary steam flow (Section 15.1.3) | |
| | g. Accidental depressurization of the Reactor Coolant System (Section 15.6.1) | |
| | h. Accidental depressurization of the Main Steam System (Section 15.1.4) | |
| | i. Feedwater System pipe break (Section 15.2.8) | |
| | j. Rod Cluster Control Assembly misoperation (Section 15.4.3) | |
| 7. Overpower ΔT Trip | a. Uncontrolled Rod Cluster Control Assembly Bank withdrawal at power (Section 15.4.2) | 2.2.1 Table 2.2-1 (8) (Note 2) |
| | b. Feedwater System malfunctions causing a reduction in feedwater temperature (Section 15.1.1) | |
| | c. Feedwater System malfunctions causing an increase in feedwater flow (Section 15.1.2) | |
| | d. Excessive increase in secondary steam flow (Section 15.1.3) | |
| | e. Accidental depressurization of the Main Steam System (Section 15.1.4) | |
TABLE 7.2-4 (Continued)
REACTOR TRIP CORRELATION
| Trip (a) | Accident (b) | Technical Specification (c) |
|---|---|---|
| | f. Major Secondary System pipe ruptures (Section 15.1.5) | |
| 8. Pressurizer Low Pressure Trip | a. Accidental depressurization of the Reactor Coolant System (Section 15.6.1) | 2.2.1 Table 2.2-1 (9) |
| | b. Major Reactor Coolant System pipe ruptures (LOCA) (Section 15.6.5) | |
| | c. Steam Generator tube rupture (Section 15.6.3) | |
| 9. Pressurizer High Pressure Trip | a. Uncontrolled Rod Cluster Control Assembly Bank withdrawal at power (Section 15.4.2) | 2.2.1 Table 2.2-1 (10) |
| | b. Loss of external electrical load and/or turbine trip (Sections 15.2.2 and 15.2.3) | |
| | c. Feedwater System pipe break (Section 15.2.8) | |
| 10. Pressurizer High Water Level Trip | a. Uncontrolled Rod Cluster Control Assembly Bank withdrawal at power (Section 15.4.2) | 2.2.1 Table 2.2-1 (11) |
| | b. Loss of external electrical load and/or turbine trip (Sections 15.2.2 and 15.2.3) | |
| 11. Low Reactor Coolant Flow | a. Loss of nonemergency ac power station auxiliaries (loss of offsite power) (Section 15.2.6) | 2.2.1 Table 2.2-1 (12) |
| | b. Loss of forced reactor coolant flow (Sections 15.3.1 and 15.3.2) | |
| | c. Reactor coolant pump shaft seizure and/or break (Sections 15.3.3 and 15.3.4) | |
TABLE 7.2-4 (Continued)
REACTOR TRIP CORRELATION
| Trip (a) | Accident (b) | Technical Specification (c) |
|---|---|---|
| | d. Startup of an inactive reactor coolant loop at an incorrect temperature (Section 15.4.4) | |
| 12. Reactor Coolant Pump Undervoltage Trip | a. Loss of forced reactor coolant flow (Sections 15.3.1 and 15.3.2) | 2.2.1 Table 2.2-1 (14) |
| 13. Reactor Coolant Pump Underfrequency Trip | a. Loss of forced reactor coolant flow (Sections 15.3.1 and 15.3.2) | 2.2.1 Table 2.2-1 (15) |
| 14. Low-Low Steam Generator Water Level Trip | a. Loss of normal feedwater (Section 15.2.7) | 2.2.1 Table 2.2-1 (13) |
| | b. Feedwater System pipe break (Section 15.2.8) | |
| 15. Reactor Trip on Turbine Trip | a. Turbine trip (Section 15.2.3). See Note d | 2.2-1 Table 2.2-1 (16) |
| | b. Loss of nonemergency ac power station auxiliaries (loss of offsite power) (Section 15.2.6). See Note d | 2.2.1 Table 2.2.1 (17) |
| 16. Safety Injection Signal Actuation Trip | a. Accidental depressurization of the Main Steam System and/or steam line break (Sections 15.1.4 and 15.1.5). See Note e | 2.2.1 Table 2.2-1 (17) |
| | b. Feedwater System pipe break (Section 15.2.8) | |
| 17. Manual Trip | Available for all accidents (Chapter 15). See Note d | |
Notes to Table 7.2-4:
: a. Trips are listed in order of discussion in Section 7.2.
: b. References refer to Chapter 15.
: c. References refer to the Technical Specifications which will be submitted 18 months prior to issuance of the operating license for Unit 1.
: d. A technical specification is not required because this trip is not assumed to function in the accident analyses.
: e. Accident assumes that the reactor is tripped at end of life, which is the worst initial condition for this case.
STPEGS UFSAR 7.3-1 Revision 18
==7.3 ENGINEERED SAFETY FEATURES SYSTEM==
The occurrence of a postulated limiting fault, such as a Loss-of-Coolant Accident (LOCA) or main steam line break (MSLB), requires a reactor trip plus actuation of engineered safety features (ESF) equipment to prevent or mitigate damage to the core and Reactor Coolant System (RCS) components and to ensure containment integrity. The Engineered Safety Features Actuation System (ESFAS) directs various ESF equipment to take protective action to mitigate the consequences of postulated accidents. The ESFAS is comprised of the instrumentation and controls necessary to sense accident conditions and initiate the operation of necessary safety equipment.
In general, the sensors, analog circuitry, and actuation logic are supplied by Westinghouse Electric Corporation (Westinghouse). The radiation monitors for Containment ventilation isolation are part of the balance-of-plant (BOP) scope of supply and interface with the Westinghouse equipment. The interfaces between the Westinghouse actuation signals and the actuated equipment are shown on Figures 7.2-1 through 7.2-17B. The Westinghouse ESFAS is described in Section 7.3.1.
The ESFASs for the Control Room Envelope Heating, Ventilating, and Air-Conditioning (HVAC) System and for the Fuel Handling Building (FHB) HVAC System are part of the BOP scope of supply, including sensors and logic circuitry. Receipt of a safety injection (SI) signal from the Westinghouse ESFAS actuates these HVAC systems also. The Control Room Envelope HVAC ESFAS is described in Section 7.3.2; the FHB HVAC ESFAS is described in Section 7.3.3.
The Containment Hydrogen Monitoring System is also part of the BOP scope of supply. This system (described in Section 7.6.5) is actuated manually after a LOCA.
7.3.1 Nuclear Steam Supply System ESFAS
The Westinghouse ESFAS uses selected plant parameters and determines whether or not predetermined safety limits are being exceeded; if they are, it combines the signals into logic matrices sensitive to combinations indicative of primary or secondary system boundary ruptures (American Nuclear Society [ANS] Class III or IV faults). Once the required logic combination is completed, the system sends actuation signals to the appropriate ESF components. The ESFAS meets the requirements of General Design Criteria (GDC) 13, 20, 27, 28, and 38.
7.3.1.1 System Description. The ESFAS functionally consists of the following:
: 1. Process Instrumentation and Control System (Ref. 7.3-1)
: 2. Solid-State Protection System (Ref. 7.3-2)
: 3. Safeguards test cabinets (Ref. 7.3-3)
: 4. Manual actuation circuits
The ESFAS consists of two discrete portions of circuitry:  (1) An analog portion consisting of three to four redundant channels per parameter or variable to monitor various plant parameters such as RCS and Steam System pressures, temperatures, and flows and Containment pressures; and (2) a digital portion consisting of two redundant logic trains which receive inputs from the analog protection channels and perform the logic needed to actuate ESF equipment, plus three actuation trains for actuating the ESF equipment required.
The intent is that any single failure within the ESFAS shall not prevent system action when required. Figures 7.1-2 and 7.3-1 show in a simplified manner how three ESF actuation trains are derived from two Solid-State Protection System (SSPS) logic trains.
The redundant concept is applied to both the analog and digital portions of the system. Separation of redundant analog channels begins at the process sensors and is maintained in the field wiring, Containment penetrations, and analog protection racks terminating at the redundant safeguards logic racks. The design meets the requirements of General Design Criterion (GDC) 20, 21, 22, 23, and 24.
The variables are sensed by the analog circuitry as discussed in Reference 7.3-1 and in Section 7.2. The outputs from the analog channels are combined into actuation logic as shown on Figures 7.2-5 through 7.2-9. Tables 7.3-2, 7.3-2A and 7.3-3 give additional information pertaining to logic and function.
The interlocks associated with the ESFAS are outlined in Table 7.3-4. These interlocks satisfy the functional requirements discussed in Section 7.1.2.
Redundant manual actuation of ESF trains is provided on the main control panel for the following:
: 1. Safety injection
: 2. Containment spray
: 3. Containment isolation Phase A
: 4. Steam line isolation
Manual controls for valves are also provided to switch from injection to recirculation, as a backup to the automatic switchover described in Section 7.6.4.
7.3.1.1.1 Function Initiation:  The specific functions which rely on the ESFAS for initiation are: 
: 1. A reactor trip, provided one has not already been generated by the Reactor Trip System (RTS). 
: 2. High head and low head safety injection pumps and associated valves, which provide emergency makeup water to the cold legs of the RCS following a LOCA.
: 3. Reactor containment fan coolers, which serve to cool the Containment and limit the potential for release of fission products from the Containment by reducing the pressure following an accident.
: 4. Component cooling water (CCW) and essential cooling water (EWC) pumps and associated valves, which serve as auxiliary heat removal systems.
: 5. Motor-driven auxiliary feedwater (AFW) pumps and turbine-driven auxiliary feedwater (AFW) pump and associated valves, which serve to cool the steam generators (SGs) on loss of main feedwater.
: 6. Containment isolation phase A, designed to prevent fission product release, i.e., isolation of lines not essential to reactor protection.
: 7. Steam line isolation to prevent the continuous, uncontrolled blowdown of more than one SG and thereby uncontrolled RCS cooldown.
: 8. Main FW line isolation as required to prevent or mitigate the effect of excessive cooldown.
: 9. Standby diesel generators to assure backup supply of power of emergency and supporting systems components.
: 10. Operation of the Control Room Envelope HVAC System to meet control room occupancy requirements following a LOCA. Operation of the Electrical Auxiliary Building (EAB) Main Area HVAC System to meet equipment environment requirements.
: 11. Containment spray pumps and associated valves, which serve to reduce Containment pressure and temperature (and to remove iodine) following a LOCA or steam line break accident inside the Containment.
: 12. Containment isolation phase B, designed to isolate the Containment following a LOCA or a steam or feedwater line break within the Containment to limit radioactive releases.  (The Containment isolation phase A signal, the Containment isolation phase B signal, and the Containment ventilation signal close all lines penetrating Containment which are not considered essential for reactor protection and accident mitigation).
: 13. Containment ventilation isolation, to ensure that all Containment purge lines have been isolated, thus preventing fission product release.
: 14. Operation of the FHB HVAC Exhaust System, to ensure filtration of air exhausted from the cubicles containing the safety injection and containment spray pumps, thus minimizing offsite releases of postulated leakage from these pumps.
No credit is taken in the accident dose analyses for this filtration function.
: 15. Turbine trip, to prevent excessive cooldown of the RCS.
: 16. Essential Chilled Water System (ECWS), to provide chilled water for necessary HVAC systems. 
: 17. Electrical Penetration Space HVAC System, to provide cooling for essential equipment located in that area.
Supporting HVAC equipment is also actuated, as required, to cool the above equipment. For example, cubicle coolers are required to operate in the rooms containing the safety injection and containment spray pumps, and are therefore actuated.
7.3.1.1.2 Analog Circuitry:  The process analog sensors and racks for the ESFAS are discussed in Reference 7.3-1. Discussed in Reference 7.3-1 are the parameters to be measured, including pressures, flows, tank and vessel water levels, and temperatures, as well as the measurement and signal transmission considerations. These latter considerations include the transmitters, orifices, flow elements, and resistance temperature detectors, as well as automatic calculations, signal conditioning, and location and mounting of the devices.
The sensors monitoring the primary system are shown on process and instrument diagrams presented in Chapter 5. The secondary system sensors are shown on process and instrument diagrams presented in Chapter 10.
Containment pressure is sensed by four physically separated, seismically supported differential pressure transmitters outside of the Containment.  (They are connected to the Containment atmosphere by a filled and sealed hydraulic transmission system.)  The distance from penetration to transmitter is kept to a minimum, and separation is maintained. This arrangement, together with the pressure sensors external to the Containment, forms a double barrier and conforms to GDC 56 and Regulatory Guide (RG) 1.11.
For the Containment ventilation isolation function, input is provided to the Westinghouse ESFAS from radiation detection equipment monitoring the Normal Containment Purge System exhaust line or the Supplementary Containment Purge System exhaust line. During a plant shutdown for refueling, the Normal Containment Purge System is in operation, as discussed in Section 9.4.5. Also discussed in the section is the Supplementary Containment Purge System, which may be used during normal plant operation. Redundant Class 1E radiation monitors (i.e., the Reactor Containment Building [RCB] Purge Isolation) monitor the radiation in these purge lines, as discussed in Section 11.5. Upon either monitor sensing radiation above a preset limit, a signal is sent to the logic trains of the Westinghouse ESFAS, and the Containment ventilation isolation signal is actuated.
The logic for the radiation monitoring input to the Westinghouse ESFAS is shown in Figure 7.3-2A. Separation criteria, as required by RG 1.75 and Institute of Electrical and Electronics Engineers (IEEE) 384-1974, are followed.
7.3.1.1.3 Digital Circuitry:  The ESF logic racks are discussed in detail in Reference 7.3-2. The description includes the considerations and provisions for physical and electrical separation as well as details of the circuitry. Reference 7.3-2 also covers certain aspects of on-line test provisions, provisions for test points, considerations for the instrument power source, and considerations for accomplishing physical separation. The outputs from the analog channels are combined into actuation logic as shown on Figures 7.2-6 (pressurizer pressure), 7.2-7 (steam generator water level and steam pressure rate), 7.2-8 (ESF actuation), 7.2-9 (low compensated steam line pressure protection), 7.2-14 and 7.2-15 (feedwater control and isolation), and 7.2-16 (auxiliary feedwater).
To facilitate ESF actuation testing, six cabinets (two per train) are provided which enable operation, to the maximum extent practicable, of safety features loads on a group-by-group basis until actuation of all devices has been checked. Final actuation testing is discussed in detail in Section 7.3.1.2.
7.3.1.1.4 Final Actuation Circuitry:  The SSPS supplies the following signals:
: 1. Safety injection signal (Table 7.3-5 lists actuated equipment. Typical control logics for actuated equipment are shown on Figures 7.3-2 through 7.3-8.)
: 2. Containment spray signal (Table 7.3-6 lists actuated equipment. Typical control logics for actuated equipment are shown on Figures 7.3-9 and 7.6-14.)
: 3. Containment isolation Phase A signal (Table 7.3-7 lists actuated equipment. Typical control logics are shown on Figures 7.3-11 through 7.3-13.)
: 4. Containment isolation Phase B signal (Table 7.3-8 lists actuated equipment. Typical control logics are shown on Figures 7.3-14 and 7.3-15.)
: 5. Containment ventilation isolation signal (Table 7.3-9 lists actuated equipment. Typical control logics are shown on Figures 7.3-16 and 7.3-17.)
: 6. Steam line isolation signal (Table 7.3-10 lists actuated equipment. Typical control logics are shown on Figure 7.3-18.)
: 7. FW isolation signal (Table 7.3-11 lists actuated equipment. Typical control logics are shown on Figures 7.3-19 and 7.3-20.)
: 8. AFW initiation signal (Table 7.3-15 lists actuated equipment. Typical control logics are shown on Figures 7.3-21, 7.3-21A and 7.3-21B.)
Loads are sequenced onto the three Class 1E ESF buses by the ESF load sequencers, as described in Chapter 8. The design meets the requirements of GDC 35.
7.3.1.1.5 Design Bases Information:  The functional diagrams presented on Figures 7.2-5 through 7.2-9 and 7.2-14 through 7.2-16 provide a graphic outline of the functional logic associated with requirements for the ESFAS. Requirements for the ESFAS are given in Chapter 15. Given below is the design bases information required in IEEE 279-1971.
7.3.1.1.5.1 Generating Station Conditions - The following is a summary of those generating station conditions requiring protective action:
: 1. Primary system:
: a. Rupture in small pipes or cracks in large pipes
: b. Rupture of reactor coolant pipe or LOCA
: c. Rupture of an SG tube
: 2. Secondary system:
: a. Minor secondary system pipe breaks resulting in steam release rates equivalent to a single dump, relief, or safety valve
: b. Rupture of a major secondary system pipe
: 3. Fuel handling accident inside Containment
7.3.1.1.5.2 Generating Station Variables - The accidents identified above are described in Chapter 15, including the ESFAS signals used to mitigate the accident consequences. The variables listed below are monitored for the automatic initiation of ESF systems during these accidents. Post-accident monitoring requirements are discussed in Section 7.5.
: 1. Containment pressure
: 2. Pressurizer pressure
: 3. Steam line pressure
: 4. SG water level
: 5. Normal and Supplementary Containment purge exhaust radiation
7.3.1.1.5.3 Section Not Used.
7.3.1.1.5.4 Limits, Margins, and Setpoints - Prudent operational limits, available margins, and setpoints before onset of unsafe conditions requiring protective action are discussed in Chapter 15 and the Technical Specifications.
7.3.1.1.5.5 Abnormal Events - The malfunctions, accidents or other unusual events which could physically damage protection system components or could cause environmental changes are as follows:
: 1. RCS breaks (discussed in Chapter 15)
: 2. Secondary system breaks (discussed in Chapter 15)
: 3. Earthquakes (discussed in Chapters 2 and 3)
: 4. Fire (discussed in Section 9.5)
: 5. Missiles (discussed in Section 3.5)
: 6. Flood (discussed in Chapters 2 and 3)
7.3.1.1.5.6 Minimum Performance Requirements - Minimum performance requirements are as follows.
7.3.1.1.5.6.1 ESFAS Response Time - The ESFAS response time is defined as the interval required for the ESF sequence to be initiated subsequent to the point in time that the appropriate variable(s) exceed(s) setpoints. The ESF sequence is initiated by the output of the ESFAS, which is brought about by operation of dry contacts of the slave relays in the output cabinets of the SSPS. The response times include the interval of time which elapses between the time the parameters, as sensed by the sensor, exceed the safety setpoint and the time the SSPS slave relay dry contacts are operated.
The values listed below are maximum allowable times consistent with the safety analyses and were systematically verified during plant preoperational startup tests. For the overall ESFAS, see the Technical Specifications. In a similar manner, for the overall RTS instrumentation response times, see Chapter 16. These maximum delay times include all compensation and therefore require that any such network be aligned and operating during verification testing.
The ESFAS is always capable of having response time tests performed using the same methods as those tests performed during the preoperational test program or following significant component changes.
Time response criteria are defined in Chapter 16.
7.3.1.1.5.6.2 System Accuracies
: 1. Accuracies for ESFAS Functions for RCS and secondary break protection are defined in Reference 7.3-5, Tables 1-1, 1-2, and 1-3.
: 2. Typical accuracy in generating the required radiation actuation signals for the Containment ventilation isolation signal is 33 percent.
7.3.1.1.5.6.3 Ranges of Sensed Variables to be Accommodated Until Conclusions of Protective Action are Assured
: 1. Typical ranges required in generating the actuation signals for RCS break protection are:
: a. Pressurizer pressure 1,700 to 2,500 psig
: b. Containment pressure -5 to 65 psig
: 2. Typical ranges required in generating the actuation signals for secondary system break protection, in addition to the above, are:
: a. Steam line pressure (from which steam line pressure rate is derived) 0 to 1,400 psig
: b. Actuation signals for auxiliary feedwater pumps (SG water level) 0 to 100% (15 feet)
: 3. The typical range required in generating the radiation actuation signals for containment ventilation isolation signal is 1 x 10^-6 Ci/cm3 to 0.1 Ci/cm3
7.3.1.1.6 Final System Drawings:  Functional block diagrams, electrical elementaries, and other drawings required to perform a safety review are listed in Section 1.7.
7.3.1.2 Analysis.
7.3.1.2.1 Failure Modes and Effects Analyses:  Failure modes and effects analyses have been performed generically on the ESFAS within the scope of Westinghouse and documented in Reference 7.3-4. The results verify that these systems meet protection single-failure criteria as required by IEEE 279-1971. The South Texas Project Electric Generating Station (STPEGS) ESFAS, although not identical, is designed to equivalent safety design criteria (including separation criteria). Furthermore, the functions, manufacturing, testing, quality criteria, and components are equivalent. Thus Reference 7.3-4 is applicable to STPEGS. The interface criteria of Appendices B and C of Westinghouse Commercial Atomic Power (WCAP)-8760 have been included in interface criteria provided by Westinghouse and incorporated into BOP design.
7.3.1.2.2 Compliance With Standards and Design Criteria - Discussions of GDC are provided in various sections of Chapter 7 where a particular GDC is applicable. Applicable GDCs include 13, 20 through 25, 27, 28, 35, 37, 38, 40, 43, and 46. Compliance with certain IEEE Standards is presented in Sections 7.1.2.7 through 7.1.2.11. Compliance with RG 1.22 is discussed in Section 7.1.2.5. Discussion of the requirements of IEEE 279-1971 and the ESFAS compliance with these requirements is presented in Sections 7.3.1.2.2.1 through 7.3.1.2.2.5 below, with the balance of the requirements discussed in Section 7.2.2.2.3. Paragraph 4.20 of IEEE 279 receives special attention in Section 7.5.
7.3.1.2.2.1 Single Failure Criteria - The discussion presented in Section 7.2.2.2.3.2 is applicable to the ESFAS with the following exception. In the ESFAS, a loss of instrument power will call for actuation of ESF equipment controlled by the specific bistable that lost power (Containment spray excepted). The power supply for the protection systems is discussed in Section 7.6 and Chapter 8. For Containment spray, the final bistables are energized to trip to avoid spurious actuation. In addition, manual Containment spray requires a simultaneous actuation of two manual controls. This is considered acceptable because spray actuation on HI-3 Containment pressure signal provides automatic initiation of the system via protection channels. Moreover, two sets (two switches per set) of Containment spray manual initiation switches are provided to meet the requirements of IEEE 279-1971. Also, it is possible for all ESF equipment (valves, pumps, etc.) to be individually manually actuated from the control room. Hence, a third mode of Containment spray initiation is available. The design meets the requirements of GDC 21 and 23.
7.3.1.2.2.2 Equipment Qualification - Equipment qualifications are discussed in Sections 3.10 and 3.11.
7.3.1.2.2.3 Channel Independence - The discussion presented in Section 7.2.2.2.3.6 is applicable. The ESFAS slave relay outputs from the SSPS cabinets are redundant. The actuated devices and interposing components between the SSPS slave relay output and the final actuator are energized by the separate, train-oriented power supplies that supply the SSPS cabinets.
7.3.1.2.2.4 Control and Protection System Interaction - The discussions presented in Section 7.2.2.2.3.7 are applicable.
7.3.1.2.2.5 Capability for Sensor Checks and Equipment Test and Calibration - The discussions of system testability in Section 7.2.2.2.3.10 are applicable to the sensors, analog circuitry, and digital circuitry of the ESFAS.
The following discussions cover those areas in which the testing provisions differ from those for the Reactor Trip System.
7.3.1.2.2.5.1 Testing of Engineered Safety Features Actuation System - The ESF systems are tested to provide assurance that the systems will operate as designed and will be available to function properly in the unlikely event of an accident. The testing program meets the requirements of GDC 21, 37, 40, and 43 and RG 1.22, as discussed in Section 7.1.2.5. The tests described in Section 7.3.1.2.2.5 and further discussed in Section 6.3.4 meet the requirements on testing of the Emergency Core Cooling System (ECCS) as stated in GDC 37 except for the operation of those components that will cause an actual safety injection. The test, as described, demonstrates the performance of the full operational sequence that brings the system into operation, the transfer between normal and standby power source, and the operation of associated cooling water systems. The safety injection pumps are started and operated, and their performance is verified in a separate test discussed in Section 6.3.4.
When the pump tests are considered in conjunction with the ECCS test, the requirements of GDC 37 on testing of the ECCS are met as closely as possible without causing an actual safety injection.
Testing as described in Section 6.3.4 and in Sections 7.2.2.2.3 and 7.3.1.2.2.5 provides complete periodic testability during reactor operation of all logic and components associated with the ECCS. This design meets the requirements of RG 1.22 as discussed in the above sections. The program is as follows:
: 1. Prior to initial plant operations, ESF system tests were conducted.
: 2. Subsequent to initial startup, ESF system tests will be conducted during each regularly scheduled refueling outage.
: 3. During on-line operation of the reactor, all of the ESFAS analog and digital circuitry will be fully tested. In addition, essentially all of the ESF final actuators will be fully tested. The remaining few final actuators whose operation is not compatible with continued on-line plant operation will be checked as discussed in Section 7.1.2.5.
: 4. During normal operation, the operability of testable final actuation devices of the ESF systems will be tested by manual initiation from the control room.
The following bypass/inoperable status indications are operated from the SSPS:
SSPS Train R - test or loss of power
SSPS Train S - test or loss of power
ESFAS Train A - test or loss of power
ESFAS Train B - test or loss of power
ESFAS Train C - test or loss of power
Should two out of three actuation trains or safeguards test cabinets be inadvertently tested simultaneously, or should power be lost to two of the three actuation trains, the reactor will be tripped automatically.
7.3.1.2.2.5.2 Performance Test Acceptability Standard for the Safety Injection and Automatic Containment Spray Actuation Signals Generation - During reactor operation, the basis for the ESFAS acceptability is the successful completion of the overlapping test performed on the initiating system and the ESFAS (Figure 7.3-22). Checks of process indications verify operability of the sensors. Analog checks and tests performed with the channel in trip verify the operability of the analog circuitry from the input of these circuits through to and including the logic input relays, except for the input relays associated with the Containment spray function, which are tested during the solid-state logic testing.
Analog checks and tests performed with the channel in bypass verify the operability of the analog circuitry from the input to the output of these circuits. Input relays for functions tested in bypass are tested every 18 months. Solid-state logic testing also checks the digital signal path from and including logic input relay contacts through the logic matrices and master relays, and performs a continuity test on the coils of the output slave relays. Final actuator testing operates the output slave relays and verifies operability of those devices which require safeguards actuation and which can be tested without causing plant upset. Refer to Section 7.1.2.5 for a discussion of the remaining devices and their testing provisions. Operation of the final devices is confirmed by control board indication and visual observation that the appropriate pump breakers close and automatic valves have completed their travel.
The basis for acceptability for the ESF interlocks is control board indication of proper receipt of the signal upon introducing the required input at the appropriate setpoint. Plant programs assure that the qualification of equipment and components including their appurtenances is maintained. Specific plant parameters which can cause equipment degradation have been considered based on equipment qualification tests. Plant components have been qualified for the life of the plant or an end-of-life equipment replacement frequency established.
7.3.1.2.2.5.3 Frequency of Performance of Engineered Safety Features Actuation Tests - During reactor operation, complete system testing (excluding sensors or those devices whose operation would cause plant upset) is performed as required by the Technical Specifications. Testing, including the sensors, is also performed during scheduled plant shutdown for refueling.
7.3.1.2.2.5.4 Engineered Safety Features Actuation Test Description - The following sections describe the testing circuitry and procedures for the on-line portion of the testing program. The guidelines used in developing the circuitry and procedures are:
The test procedures must not involve the potential for damage to any plant equipment.
The test procedures must minimize the potential for accidental tripping.
The provisions for on-line testing must minimize complication of ESF actuation circuits so that their reliability is not degraded.
7.3.1.2.2.5.4.1 Description of Initiation Circuitry - Several systems constitute the total ESF System, the majority of which may be initiated by different process conditions and reset independently of each other.
The remaining functions are initiated by a common signal (SI signal) which in turn may be generated by different process conditions.
In addition, operation of other vital auxiliary support systems, such as the CCW and ECW System, is initiated by the SI signal.
The output of each initiation circuit consists of a master relay which drives slave relays for contact multiplication as required. The master and slave relays are mounted in the ESFAS cabinets, designated Train A, Train B, and Train C, respectively, for the redundant counterparts. The master and slave relay circuits operate various pump and fan circuit breakers or starters, motor-operated valve contactors, solenoid-operated valves, standby diesel generator starting equipment, and other ESF actuation devices.
7.3.1.2.2.5.4.2 Analog Testing - Analog testing is identical to that used for reactor trip circuitry as described in Section 7.2.2.2.3 and includes the following analog channels for other safety-related circuits:
: 1. Containment pressure
: 2. Pressurizer pressure
: 3. Steam line pressure
Containment spray, which is energized to actuate 2/4, is always tested in bypass and reverts to 2/3 when one channel is in test.
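The following sketch is an added example, not part of the UFSAR or of any Westinghouse design document. It models the two behaviours stated in Section 7.3.1.2.2.1 and in the sentence above: a bistable that loses power reads as tripped unless it is energize-to-trip, and a bypassed channel drops out of a 2/4 vote, leaving 2/3. The channel names and the 2/4 coincidence used for the de-energize-to-trip comparison function are assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    DEENERGIZE_TO_TRIP = "de-energize to trip"  # loss of power reads as a trip
    ENERGIZE_TO_TRIP = "energize to trip"       # loss of power reads as no trip


@dataclass
class Bistable:
    name: str                 # hypothetical channel label
    mode: Mode
    demand: bool = False      # sensed variable is beyond its setpoint
    powered: bool = True
    bypassed: bool = False    # channel taken out of the vote for testing

    def output(self) -> bool:
        """Trip signal this channel presents to the coincidence logic."""
        if not self.powered:
            return self.mode is Mode.DEENERGIZE_TO_TRIP
        return self.demand


def vote(channels, required):
    """Return (actuate, tripped_count, channels_in_vote) for m-out-of-n logic."""
    in_vote = [c for c in channels if not c.bypassed]
    tripped = sum(c.output() for c in in_vote)
    return tripped >= required, tripped, len(in_vote)


def spray_channels():
    # Containment spray: four energize-to-actuate channels, 2/4 (from the text).
    return [Bistable(f"SPRAY-{i}", Mode.ENERGIZE_TO_TRIP) for i in range(1, 5)]


def other_channels():
    # Assumed comparison function: four de-energize-to-trip channels, 2/4.
    return [Bistable(f"OTHER-{i}", Mode.DEENERGIZE_TO_TRIP) for i in range(1, 5)]


def power_loss_comparison():
    """One bistable loses power; then one other channel sees a real demand."""
    results = {}
    for label, chans in (("spray", spray_channels()), ("other", other_channels())):
        chans[0].powered = False
        power_loss_only = vote(chans, 2)
        chans[1].demand = True
        plus_one_demand = vote(chans, 2)
        results[label] = (power_loss_only, plus_one_demand)
    return results


def bypass_reverts_to_two_of_three():
    """A bypassed channel cannot contribute, even with a test signal applied."""
    chans = spray_channels()
    chans[3].bypassed = True
    chans[3].demand = True            # test signal injected into bypassed channel
    chans[0].demand = True
    one_real_demand = vote(chans, 2)
    chans[1].demand = True
    two_real_demands = vote(chans, 2)
    return one_real_demand, two_real_demands


def single_failure_tolerated_in_bypass():
    """With any one channel bypassed and any one other channel unpowered,
    a real demand on every channel must still actuate."""
    for b in range(4):
        for f in range(4):
            if f == b:
                continue
            chans = spray_channels()
            for c in chans:
                c.demand = True
            chans[b].bypassed = True
            chans[f].powered = False  # energize-to-trip: cannot signal a trip
            if not vote(chans, 2)[0]:
                return False
    return True


if __name__ == "__main__":
    print(power_loss_comparison())
    print(bypass_reverts_to_two_of_three())
    print(single_failure_tolerated_in_bypass())
```

In the model, a lost power supply never moves the spray vote toward actuation, while the same fault on the assumed de-energize-to-trip function leaves it one real demand away from actuating.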
7.3.1.2.2.5.4.3 Solid-State Logic Testing - Except for Containment spray channels, solid-state logic testing is the same as that discussed in Section 7.2.2.2.3. During logic testing of one train, the other logic train can initiate the required ESF function (Ref. 7.3-2).
7.3.1.2.2.5.4.4 Actuation Testing - At this point, testing of the initiation circuits through operation of the master relay and its contacts to the coils of the slave relays has been accomplished.
Slave relays do not operate because of reduced voltage.
The ESFAS final actuation device or actuated equipment testing is performed from the Safeguards Test Cabinets. These cabinets are located adjacent to the ESFAS cabinets. There is one set of test cabinets provided for each of the three actuation trains, A, B, and C. Each set of cabinets contains individual test switches necessary to actuate the slave relays. To prevent accidental actuation, test switches are of the type that must be rotated and then depressed to operate the slave relays.
Assignments of contacts of the slave relays for actuation of various final devices or actuators have been made so that groups of devices or actuated equipment can be operated individually during plant operation without causing plant upset or equipment damage. In the unlikely event an SI signal is initiated during the test of the final device actuated by this test, the device will already be in its safeguards position.
During this last procedure, close communication between the main control room operator and the operator at the test panel is required. Prior to the energizing of a slave relay, the operator in the main control room assures that plant conditions permit operation of the equipment that will be actuated by the relay. After the tester has energized the slave relay, the main control room operator observes that all equipment required to be tested has operated, as indicated by appropriate indicating lamps and annunciators on the control board and, using a prepared checklist, records all operations. The operator then resets all devices and prepares for operation of the next slave-relay-actuated equipment.
By means of the procedure outlined above, all ESF devices actuated by the ESFAS initiation circuits, with the exceptions noted in Section 7.1.2.5 under a discussion of RG 1.22, are operated by the automatic circuitry.
7.3.1.2.2.5.4.5 Actuation Blocking and Continuity Test Circuits - The majority of the few final actuation devices that cannot be designed to be actuated during plant operation (discussed in Section 7.1.2.5) have been assigned to slave relays for which additional test circuitry has been provided to individually block actuation of a final device upon operation of the associated slave relay during testing. Operation of these slave relays, including contact operations and continuity of the electrical circuits associated with the final device control, are checked instead of checking actual operation. The circuits provide for monitoring of the slave relay contacts, the device control circuit cabling, control voltage, and the devices' actuation solenoid. Interlocking prevents blocking the output from more than one output relay in a protection train at a time. Two Safeguards Test Cabinets in test give automatic reactor trip. If an accident occurs during testing, the automatic actuation circuitry will override testing as noted above. One exception to this is that if the accident occurs while testing a slave relay whose output must be blocked, those few final actuation devices associated with this slave relay will not be actuated; however, the redundant devices in the other trains would be operational and would perform the required safety function. Actuation devices to be blocked are identified in Section 7.1.2.5.
The continuity test circuits for these components that cannot be actuated online are verified by proving lights on the Safeguards Test Cabinets.
The typical schemes for blocking operation of selected protection function actuator circuits are shown on Figure 7.3-23 as details A and B. The schemes operate as explained below and apply for each actuation train.
Detail A of Figure 7.3-23 shows the circuit for contact closure for protection function actuation. Under normal plant operation, with the equipment not under test, the test lamps "DS*" for the various circuits are energized. Typical circuit path is through the normally closed test relay contact "K8*" and through test lamp connections 1 through 3. Coils "X1" are capable of being energized for protection function actuation upon closure of solid-state logic output relay contacts "K8*". Coil "X1" or "X2" is typical for a breaker closing auxiliary coil, motor starter master coil, coil of a solenoid valve, auxiliary relay, etc. When the contacts "K8*" are opened to block energizing of coils "X1" and "X2", the white lamp is deenergized and the slave relay "K*" may be energized to perform continuity testing. To verify operability of the blocking relay in both blocking and restoring normal service, open the blocking relay contact in series with lamp connections - the test lamp should be deenergized; close the blocking relay contact in series with the lamp connections - the testing lamp should now be energized, which verifies that the circuit is now in its normal, i.e., operable, condition.
Detail B shows the circuit for contact opening for protection function actuation. Under normal plant operation, with the equipment not under test, the white test lamps "DS*" for the various circuits are energized and green test lamp "DS*" is deenergized. Typical circuit path for the white lamp "DS*" is through the normally closed solid-state logic output relay contact "K*" and through test lamp connections 1 through 3. Coils "Y1" and "Y2" are capable of being deenergized for protection function actuation upon opening of solid-state logic output relay contact "K*". Coil "Y2" is typical for solenoid valve coil, auxiliary relay, etc. When the contacts "K8*" are closed to block deenergizing of coils "Y1" and "Y2", the green test lamp is energized and the slave relay "K*" may be energized to verify operation (opening of its contacts). To verify operability of the blocking relay in both blocking and restoring normal service, close the blocking relay contact to the green lamp - the green test lamp should also now be energized; upon opening this blocking relay contact, the green test lamp should be deenergized, which verifies that the circuit is now in its normal, i.e., operable, position.
7.3.1.2.2.5.4.6 Time Required for Testing - It is estimated that analog testing can be performed at a rate of several channels per hour. Testing of actuation trains A, B, and C can be performed in less than 45 minutes. Testing of actuated components (including those which can be only partially tested) will be a function of control room operator availability. It is expected that several shifts will be required to accomplish these tests. During this procedure, automatic actuation circuitry will override testing, except for those few devices associated with a single slave relay whose outputs must be blocked and then only while blocked. It is anticipated that continuity testing associated with a blocked slave relay could take several minutes. During this time, the redundant devices in the other trains would be functional.
7.3.1.2.2.5.4.7 Summary of On-Line Testing Capability - The procedures described provide capability for checking completely from the process signal to the logic cabinets and from there to the individual pump and fan circuit breakers or starters, valve contactors, pilot solenoid valves, etc., including field cabling actually used in the circuitry called upon to operate for an accident condition. For those few devices whose operation could adversely affect plant or equipment operation, testing is performed as discussed in Section 7.1.2.5.
The procedures require testing at various locations, as follows:
: 1. Analog testing and verification of bistable setpoint are accomplished at process analog racks. Verification of bistable relay operation is done at the main control room status lights.
: 2. Logic testing through operation of the master relays and low voltage application to slave relays is done within the Logic and Safeguard Test Cabinets.
: 3. Testing of pumps, fans, and valves is done at the Safeguards Test Cabinet located next to the ESFAS cabinets in combination with the control room operator.
: 4. Continuity testing for those circuits that are tested for continuity is done at the test cabinet mentioned in 3 above.
The reactor coolant pump (RCP) seal water return isolation valves are not tested periodically due to the risk of damage to the reactor coolant pumps. Although pump damage from this type of test would not result in a situation which endangers the health and safety of the public, it could result in unnecessary shutdown of the reactor for an extended period of time.
Containment Spray System tests will be performed periodically. The pump tests are performed with the isolation valves in the spray supply lines at the Containment blocked closed and the pumps aligned for recirculation flow. The valves are tested periodically with the pumps tripped.
Testing of the containment sump isolation valves requires that the safety injection header isolation valve from the Refueling Water Storage Tank (RWST) be isolated to prevent water flow from the RWST to the containment sump and floor. During this time, the safety injection and containment spray pumps are removed from service to preclude operation in the event of an actual safety injection signal during testing, which could result in damage to the pumps.
7.3.1.2.2.5.4.8 Testing During Shutdown - ECCS tests will be performed as required by the Technical Specifications with the RCS isolated from the ECCS by closing the appropriate valves.
A test SI signal will then be applied to initiate operation of active components (pumps and valves) of the ECCS. This is in compliance with GDC 37.
7.3.1.2.2.5.5 Periodic Maintenance Inspections - The maintenance procedures which follow are accomplished in accordance with applicable plant procedures. The frequency will depend on the operating conditions and requirements of the reactor power plant. If any degradation of equipment operation is noted, either mechanically or electrically, remedial action is taken to repair, replace, or readjust the equipment. Optimum operating performance must be achieved at all times.
Typical maintenance procedures include:
: 1. Check cleanliness of all exterior and interior surfaces.
: 2. Check all fuses for corrosion.
: 3. Inspect for loose or broken control knobs and burned out indicator lamps.
: 4. Inspect for moisture and condition of cables and wiring.
: 5. Mechanically check all connectors and terminal boards for looseness, poor connection, or corrosion.
: 6. Inspect the components of each assembly for signs of overheating or component deterioration.
: 7. Perform a complete system operating check.
7.3.1.2.2.6 Manual Resets and Blocking Features - The manual reset feature associated with Containment spray actuation is provided in the standard design of the Westinghouse SSPS for two basic purposes: first, the feature permits the operator to start an interruption procedure of automatic Containment spray in the event of false initiation of an actuation signal; second, although spray system performance is automatic, the reset feature enables the operator to start a manual takeover of the system to handle unexpected events which can be better dealt with by operator appraisal of changing conditions following an accident.
It is most important to note that manual control of the spray system does not occur once actuation has begun by just resetting the associated logic devices alone. Components seal in (latch) so that removal of the actuation signal, in itself, neither cancels nor prevents completion of protective action nor provides the operator with manual override of the automatic system by this single action. In order to take complete control of the system to interrupt its automatic performance, the operator must deliberately unlatch relays which have "sealed in" the initial actuation signals in the associated motor control center, in addition to tripping the pump motor circuit breakers, if stopping the pumps is desirable or necessary.
The manual reset feature associated with Containment spray, therefore, does not perform a bypass function. It is merely the first of several manual operations required to take control from the automatic system or interrupt its completion should such an action be considered necessary.
In the event the operator anticipates system actuation and erroneously concludes that it is undesirable or unnecessary and imposes a standing reset condition in one train (by operating and holding the corresponding reset switch at the time the actuation signal is transmitted), the other trains automatically carry the protective action to completion. In the event the reset condition is imposed simultaneously in all three trains at the time the actuation signals are generated, the automatic sequential completion of system action is interrupted and control has been taken by the operator. Manual takeover is maintained, even though the reset switches are released, if the original actuation signal exists. Should the actuation signal then clear and return again, automatic system actuation will repeat.
Any time delays imposed on the system action are applied after the initiating signals are latched. In this way, delays of actuation signals for fluid system lineup, load sequencing, etc., do not provide the operator additional time to interrupt automatic completion with manual reset alone, as would be the case if a time delay were imposed prior to sealing of the initial actuation signal.
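The reset, seal-in and delay behaviour described in the preceding paragraphs can be stepped through in a small state model. This is an added illustration, not part of the UFSAR or of the Westinghouse SSPS design; the class names, the edge-triggered logic latch, the discrete time steps and the folding of breaker tripping into a single unlatch action are all assumptions.

```python
from dataclasses import dataclass

TRAINS = ("A", "B", "C")


@dataclass
class Train:
    """One actuation train: a resettable logic latch feeding a component seal-in."""
    name: str
    start_delay: int = 0          # steps between seal-in and equipment running
    logic_latched: bool = False   # cleared by the manual reset switch
    sealed_in: bool = False       # cleared only by a deliberate unlatch at the MCC
    running: bool = False
    _prev_signal: bool = False
    _countdown: int = 0

    def step(self, signal: bool, reset_held: bool = False) -> None:
        rising = signal and not self._prev_signal
        self._prev_signal = signal
        if reset_held:
            # Reset clears the logic latch and swallows a coincident new signal.
            self.logic_latched = False
        elif rising:
            self.logic_latched = True
        if self.logic_latched and not self.sealed_in:
            # Seal-in is immediate; any time delay is applied after it.
            self.sealed_in = True
            self._countdown = self.start_delay
        elif self.sealed_in and self._countdown > 0:
            self._countdown -= 1
        self.running = self.sealed_in and self._countdown == 0

    def unlatch_at_mcc(self) -> None:
        """Deliberate operator action on the sealed-in relays (assumed single step)."""
        self.sealed_in = False
        self.running = False
        self._countdown = 0


class SpraySystem:
    def __init__(self, start_delay: int = 0):
        self.trains = {n: Train(n, start_delay) for n in TRAINS}

    def step(self, signal: bool, reset_held=()):
        for t in self.trains.values():
            t.step(signal, t.name in reset_held)
        return {n: t.running for n, t in self.trains.items()}


def reset_after_actuation():
    """Reset alone after seal-in leaves equipment running; unlatching is a second action."""
    s = SpraySystem()
    s.step(True)                                  # actuation latches and seals in
    after_reset = s.step(True, reset_held=TRAINS)
    s.trains["A"].unlatch_at_mcc()
    after_unlatch = s.step(True)                  # signal still present, no re-actuation
    return after_reset, after_unlatch


def standing_reset(held):
    """Reset switches held in the `held` trains at the moment the signal arrives."""
    s = SpraySystem()
    on_signal = s.step(True, reset_held=held)
    released = s.step(True)                       # switches released, signal persists
    s.step(False)                                 # actuation signal clears ...
    on_return = s.step(True)                      # ... and returns
    return on_signal, released, on_return


def reset_during_delay(delay: int = 3):
    """Holding reset during a post-latch delay does not stop completion."""
    s = SpraySystem(start_delay=delay)
    s.step(True)                                  # sealed in, equipment not yet running
    return [s.step(True, reset_held=TRAINS) for _ in range(delay)]


if __name__ == "__main__":
    print("reset after actuation:", reset_after_actuation())
    print("standing reset, train A:", standing_reset(("A",)))
    print("standing reset, all trains:", standing_reset(TRAINS))
    print("reset during delay:", reset_during_delay())
```
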
The manual block controls of pressurizer pressure input and low compensated steam line pressure input to the Safety Injection (SI) signal provide the operator with the means to block initiation of SI during plant shutdown and startup and allow main steam line isolation on high steam pressure negative rate (low compensated steam line pressure block only). These block features meet the requirements of Paragraph 4.12 of IEEE 279-1971 in that automatic removal of the block occurs when plant conditions require the protection system to be functional.
7.3.1.2.2.7 Manual Initiation of Protective Actions (RG 1.62)
- There are eight individual main steam isolation momentary control switches (two per loop) mounted on the control board. Each switch, when actuated, isolates one of the main steam lines. In addition, there are two system-level switches. Operating either switch isolates all four steam lines at the system level.
No exception to the requirements of IEEE 279-1971 has been taken in the manual initiation circuit of safety injection. Although Paragraph 4.17 of IEEE 279-1971 requires that a signal failure within common portions of the protective system shall not defeat the protective action by manual or automatic means, the standard does not specifically preclude the sharing of initiated circuitry logic between automatic and manual functions. It is true that the manual safety injection initiation functions associated with one logic train, e.g., Train R, share portions of the automatic initiation circuitry logic of the same logic train; however, a single failure in shared functions does not defeat the protective action of the redundant logic train, e.g., Train S. A single failure in shared functions does not defeat the protective action of the total SSPS. Initiation of either Train R or Train S initiates all three (A, B, and C) actuation trains. It is further noted that the sharing of the logic by manual and automatic initiation is consistent with the system-level action requirements of the IEEE 279-1971, Paragraph 4.17, and is consistent with the minimization of complexity.
7.3.1.2.3 Further Considerations:  In addition to the considerations given above, a loss of instrument air or loss of CCW to vital equipment has been considered. Neither the loss of instrument air nor the loss of CCW (assuming no other accident conditions) can cause safety limits as given in the Technical Specifications to be exceeded. Likewise, loss of either instrument air or CCW to vital equipment will not adversely affect the core or the RCS, nor will it prevent an orderly shutdown if this is necessary. Furthermore, all pneumatically operated valves and controls assume a preferred operating position upon loss of instrument air. It is also noted that, for conservatism during the accident analysis (Chapter 15), credit is not taken for the instrument air systems or for any control system benefit. Present design does not provide any circuitry which will directly trip the reactor coolant pumps on a loss of CCW. Normally, alarm and indication in the control room are provided whenever CCW is lost to the pump(s). This alerts the operator to correct the problem or trip the pump(s) if necessary.
In regard to the AFW, there are three motor-driven pumps and one turbine-driven pump. The system is described in Section 10.4.9. The AFW trains automatically supply water to the corresponding SGs on receipt of an SI signal or a 2/4 low-low water level signal in any SG (Figure 7.2-16 and Table 7.3-2). These signals also close the SG blowdown isolation and sample isolation valves (Table 7.3-15). The turbine-driven pump and valves in the AFW train are actuated automatically by actuation Train A. The AFW equipment may also be manually operated using control switches in the control room.
7.3.1.2.4 Summary:  The effectiveness of the ESFAS is evaluated in Chapter 15, based on the ability of the system to contain the effects of ANS Condition III and IV faults, including LOCA and steam line break accidents. The ESFAS parameters are based upon the component performance specifications which are given by the manufacturer or verified by test for each component. Appropriate factors to account for uncertainties in the data are factored into the constants characterizing the system.
The ESFAS must detect ANS Condition III and IV faults and generate signals which actuate the ESF systems. The ESFAS must sense the accident condition and generate the signal actuating the protection function reliably and within a time determined by and consistent with the accident analyses in Chapter 15.
Much longer times are associated with the actuation of the mechanical and fluid system equipment associated with ESF systems. This includes the time required for switching and bringing pumps and other equipment to speed, and the time required for them to take load.
The ESF actuating relays, once energized, remain energized until the manual reset for each system of actuation is performed by the operator. Such reset does not reverse the actuation of ESF equipment, which remains in its emergency mode until the operator takes manual action on a component-by-component basis. The only exceptions are two non-Class 1E reheat coils in the EAB which return to normal operation following SI reset; heat loads from these reheat coils are insignificant.
Operating procedures require that the complete ESFAS normally be operable. However, redundancy of system components is such that the system operability assumed for the safety analysis can still be met with certain instrumentation channels out of service. Channels that are out of service are to be placed in the tripped mode or in the bypass mode.
7.3.1.2.4.1 Loss-of-Coolant Protection
- By analysis of LOCA and in-system tests, it has been verified that except for very small coolant system breaks, which can be protected against by the charging pumps followed by an orderly shutdown, the effects of various LOCAs are reliably detected by the low pressurizer pressure signal; the ECCS is actuated in time to prevent or limit core damage.
For large coolant system breaks, the passive accumulators inject first because of rapid pressure drop. This protects the reactor during the unavoidable delay associated with actuating the active ECCS phase. High Containment pressure also actuates the ECCS. Therefore, emergency core cooling actuation can be brought about by sensing this other direct consequence of a primary system break, i.e., the ESFAS detects the leakage of the coolant into the Containment. The actuation signal generation time of about 1.5 seconds after detection of the consequences of the accident is adequate.
Containment spray provides additional cooling of the Containment and also limits fission product release upon sensing elevated Containment pressure (HI-3) to mitigate the effects of a LOCA.
The delay time between detection of the accident condition and the generation of the actuation signal for these systems is assumed to be about 1.0 seconds, well within the capability of the protection system equipment. However, this time is short compared to that required for startup of the fluid systems. The analyses in Chapter 15 show that the diverse methods of detecting the accident condition and the time for generation of the signals by the protection systems are adequate to provide reliable and timely protection against the effects of a LOCA.
7.3.1.2.4.2 Steam Line Break Protection
- The ECCS is also actuated in order to protect against a steam line break. Section 7.3.1.1.5.6.1 gives the time between occurrence of low steam line pressure (as well as high steam pressure rate) or high Containment pressure (for breaks in Containment) and generation of the actuation signal. Analysis of steam line break accidents assuming this delay for signal generation shows that the ECCS is actuated for a steam line break in time to limit or prevent further core damage for steam line break cases.
Additional protection against the effects of steam line break is provided by feedwater isolation. Feedwater line isolation is initiated in order to protect the Containment from overpressurization and to prevent excessive cooldown of the reactor vessel and thus protect the reactor coolant pressure boundary. The feedwater isolation signal is initiated by the SI signal for the steam line break accident.
Further protection against a steam line break accident is provided by closure of all steam line isolation valves in order to prevent uncontrolled blowdown of all SGs. The generation of the protection system signal (about 2.0 seconds) is again short compared to the time to trip the fast-acting steam line isolation valves, which are designed to close in less than approximately 5 seconds.
In addition to actuation of the ESF systems, an effect of a steam line break accident is generation of a signal resulting in a reactor trip on overpower or following ECCS actuation. The core reactivity is also reduced by the borated water injected by the ECCS.
The analyses in Chapter 15 of the steam line break accidents and an evaluation of the protection system instrumentation and channel design show that the ESFAS is effective in preventing or mitigating the effects of a steam line break accident.
7.3.1.2.4.3 Fuel Handling Accident Inside Containment Protection
- Should a postulated fuel handling accident occur inside the Containment, a prompt radiation detection and automatic Containment isolation capability has been provided to mitigate the consequences of this accident, if aligned for automatic operation. The redundant Reactor Containment Building (RCB) Purge Isolation radiation monitors sense the high radioactivity and the Containment ventilation isolation signal is generated to isolate the Containment.
The Alternative Source Term accident dose analysis methodology does not credit this ESFAS feature of automatic containment closure for ensuring that resulting accident doses are well within the guidelines of 10CFR67 and 10CFR50, Appendix A, GDC 19. During the movement of irradiated fuel within the Containment, penetrations providing direct access from the containment atmosphere to the outside atmosphere shall be either (1) closed by an isolation valve, blind flange, or manual valve, or (2) be capable of being closed as soon as possible but within two hours. Therefore, automatic isolation capability is not required during refueling operations.
7.3.2 Control Room Envelope HVAC ESFAS
The ESFAS for the Control Room Envelope HVAC System uses the control room/EAB ventilation radiation monitors to sense whether predetermined setpoints have been exceeded. If they are, or if the Westinghouse ESFAS has generated a safety injection signal, this ESFAS sends actuation signals to the appropriate control room envelope HVAC components. The ESFAS meets the requirements of GDC 13, 19, 20, 21 and 22.
7.3.2.1 Description. The ESFAS for the Control Room Envelope HVAC System receives high radiation signals from the redundant control room/EAB ventilation radiation monitors and the safety injection signal from the Nuclear Steam Supply System (NSSS) ESFAS. Upon receipt of any of these signals, the control room makeup air is diverted through the makeup filters and then, along with a portion of the recirculation air, through cleanup filters. For a complete description of the Control Room Envelope HVAC System and its operation, refer to Section 9.4.1. Section 6.4 provides an analysis of Control Room Envelope habitability. Section 11.5 provides a description of the radiation monitors.
7.3.2.1.1 System Description
: 1. Actuating Circuits
The gaseous radioactivity level of the control room/EAB makeup air is monitored by two independent and separate radiation monitors. Each monitor transmits a signal to the ESFAS if acceptable radioactivity levels are exceeded. The sensitivity and response times of these monitors are listed in Table 7.3-16. Failure of a monitor is alarmed.
The Westinghouse ESFAS transmits signals to this ESFAS when an SI signal is generated.
The ESFAS may also be initiated manually.
: 2. Logic
The Control Room Envelope HVAC ESFAS logic is shown on Figure 7.3-24. As can be seen on this figure, the two redundant radiation monitors each have three separate and redundant outputs, one to each of the ESFAS trains. In this way, detection of high radiation in either monitor actuates all three trains of HVAC equipment.
For an SI signal generated by the Westinghouse ESFAS, the signal is sent to the ESF load sequencers and then to the HVAC ESFAS. In this way, all of the Control Room Envelope HVAC components are actuated to the emergency mode at the same time.  (Safety injection corresponds to ESF load sequencer mode I. Refer to Section 8.3.)
Manual initiation capability is provided by actuate switches, one for each actuation train. Reset capability is also provided on a per-train basis.
The actuation signal is transmitted to each actuated device, causing each device to assume its safe state for these emergency conditions.
: 3. Bypass
There is no bypass. Manual reset of the actuation signal may be performed, thus allowing the operator to assume manual control of the Control Room Envelope HVAC System. This would be desirable, for example, for manual shutdown of one train following actuation of all three trains of HVAC. It is noted that reset of the actuation signal does not reverse the actuation of ESF equipment. The equipment remains in its emergency mode until the operator takes manual action on a component-by-component basis.
: 4. Interlocks
There are no interlocks on these controls.
: 5. Sequencing
The Control Room Envelope HVAC System components required to operate during these emergency conditions are powered from Class 1E power systems. As noted in item B above, upon SI signal generation, the Control Room Envelope HVAC System components are actuated through the ESF load sequencers and this ESFAS.  (Refer also to Section 8.3)
: 6. Redundancy
Redundancy is provided by two radiation monitors, each interfacing with the three ESFAS trains; the SI-generated sequencer signals to each ESFAS train; manual actuation switches for each ESFAS train; and controls for each HVAC component.
: 7. Diversity
Diversity of actuation is provided in that the HVAC system may be actuated to the emergency mode by either of two radiation monitors, by the SI signal or by manual initiation.
: 8. Actuated Devices
Table 7.3-17 lists the actuated devices.
: 9. Supporting Systems
The supporting systems for the ESFAS are the 125 vdc Class 1E Power System, described in Section 8.3.2, and the EAB Main Area HVAC System, described in Section 9.4.1.
7.3.2.1.2 Design Bases:  The design bases for the Control Room Envelope HVAC ESFAS are such that no single failure can prevent the proper operation of the Control Room Envelope HVAC System. The trip setpoints are provided in the Technical Specifications.
The following conditions are considered for the ESFAS components:
: 1. Range of transient and steady-state conditions:  The electrical power supply characteristics are as described in Section 8.3. The range of possible environmental conditions is described in Sections 3.10 and 3.11.
: 2. Malfunctions, accidents, or other unusual events
Fire protection Section 9.5.1
Missile protection Section 3.5
Earthquake protection Section 3.7
The design bases for the Control Room Envelope HVAC System are discussed in Sections 9.4.1 and 6.4. The failure modes and effects analysis is included in Section 9.4.1.
7.3.2.1.3 Drawings:  The logic diagram for the ESFAS is shown on Figure 7.3-24. Typical logic diagrams for actuated equipment are shown on Figures 7.3-25 and 7.3-26.
7.3.2.2 Analysis. Conformance to Nuclear Regulatory Commission (NRC) General Design Criteria is indicated on Figure 7.1-1. No deviations or exceptions are taken. Compliance with GDCs is also discussed in Section 3.1.
Conformance to NRC Regulatory Guides and IEEE standards is shown on Figure 7.1-1. Conformance to Regulatory Guides is also addressed in Table 3.12-1. The design of the ESFAS conforms to the applicable requirements of IEEE 279-1971, as indicated below.
: 1. General Function Requirements - Paragraph 4.1
The Control Room Envelope HVAC System and ESFAS are able to function automatically and reliably over the full range of transients for plant conditions for which credit is taken in the control room habitability analyses. The system functions when manually actuated. The system response times are within the times required in the habitability analyses.
: 2. Single Failure Criterion - Paragraph 4.2
Through the use of redundant independent systems, as shown in Section 9.4.1, a single failure or multiple failures resulting from a single credible event will not prevent the ESFAS and the Control Room Envelope HVAC System from performing the safety function when required.
: 3. Quality of Components and Modules - Paragraph 4.3
Components and modules used in the construction of the ESFAS exhibit a quality consistent with the plant design life objective, require minimum maintenance, and have low failure rates.
: 4. Equipment Qualification - Paragraph 4.4
The system is qualified to perform its intended functions under the environmental conditions specified in Sections 3.10 and 3.11.
: 5. Channel Integrity - Paragraph 4.5
Channels maintain functional capability under the range of electrical power and environmental conditions expected.
: 6. Channel Independence - Paragraph 4.6
Channels that provide signals for the same protective function are independent and physically separated to decouple the effects of unsafe environmental factors, electrical transients, and physical accident consequences. Discussion of the means to ensure channel independence is provided in Sections 7.1.2.2 and 8.3.1.4.
: 7. Control and Protection System Interaction - Paragraph 4.7
Equipment used for both protective and control functions is classified as part of the protection system. Transmission of signals from protection system equipment for control system use is through qualified isolation devices considered part of the protection system. No credible failure at the output of an isolation device will prevent the associated protection channel from performing its intended function. No single random failure in one channel will prevent the other channels from performing the intended function.
: 8. Derivation of System Outputs - Paragraph 4.8
To the extent feasible, the system inputs are from direct measurement of the desired variable.
: 9. Capability of Sensor Checks - Paragraph 4.9
Sufficient means have been provided to check the operational availability of the sensors and the ESFAS.
: 10. Testing and Calibration - Paragraph 4.10
The ESFAS has the capability of testing the devices used to derive the final system output.
: 11. Channel Bypass or Removal from Operation - Paragraph 4.11
Testing of one channel can be accomplished during reactor operation without initiating a protective action at the system level.
: 12. Operating Bypasses - Paragraph 4.12
There are no bypasses. Manual reset is provided on a per-train basis, as described in Section 7.3.2.1.1, item 3.
: 13. Indication of Bypass - Paragraph
There are no bypasses.
: 14. Access to Means for Bypassing - Paragraph 4.14
There are no bypasses.
: 15. Multiple Setpoints - Paragraph 4.15
There are no multiple setpoints.
: 16. Completion of Protective Action Once It Is Initiated - Paragraph 4.16
Once protective action is initiated, it is carried through to completion. Return to normal operation requires subsequent deliberate operator actions.
: 17. Manual Initiation - Paragraph 4.17
Manual initiation of the HVAC system is provided in the control room on a per-train basis. Manual initiation of the individual HVAC components is also provided in the control room through panel-mounted control switches. System level actuation is not provided since the safety function can be provided in a timely manner through the per-train manual actuation or through automatic actuations.
: 18. Access to Setpoint Adjustment, Calibration, and Test Points - Paragraph 4.18
Appropriate administrative controls are applied to ensure that access to the means for adjusting, calibrating, and testing the radiation monitors and the ESFAS system is adequately protected.
: 19. Identification of Protective Actions - Paragraph 4.10
System protective actions are described and identified down to the channel level.
: 20. Information Readout - Paragraph 4.20
The ESFAS provides the operator with sufficient information pertinent to its own status and to generating station safety. See the ESFAS logic for operating status indication and Section 7.5 for information readout.
: 21. System Repair - Paragraph 4.21
The system is designed to facilitate the recognition, location, replacement, repair, and adjustment of malfunctioning components or modules.
: 22. Identification - Paragraph 4.22
Protection system components are identified as described in Section 7.1.2.3.
Periodic testing of the Control Room Envelope HVAC ESFAS is discussed in the Technical Specifications. Periodic testing of the mechanical components is discussed in Section 9.4.1.
7.3.3 Fuel Handling Building HVAC ESFAS
The ESFAS for the Fuel Handling Building (FHB) HVAC System uses the spent fuel pool ventilation radiation monitors to sense whether predetermined setpoints have been exceeded. If they are, or if the Westinghouse ESFAS has generated an SI signal, the ESFAS sends actuation signals to the appropriate FHB HVAC components. The ESFAS meets the requirements of GDC 13, 20, 21 and 22. The Alternative Source Term accident dose analysis methodology (RG 1.183) used in the Chapter 15 radiological analyses does not credit this ESFAS feature.
7.3.3.1 Description. The ESFAS for the FHB HVAC System receives high radiation signals from the redundant spent fuel pool ventilation radiation monitors and the SI signal from the NSSS ESFAS. Upon receipt of any of these signals, the building exhaust air is diverted through filters and the supply system is tripped. For a complete description of the FHB HVAC System and its operation, refer to Section 9.4.2. Section 11.5 provides a description of the radiation monitors.
7.3.3.1.1 System Description
: 1. Actuating Circuits
The gaseous radioactivity level of the spent fuel pool exhaust air is monitored by two independent and separate radiation monitors. Each monitor transmits a signal to the ESFAS if acceptable radioactivity levels are exceeded. The sensitivity and response times of these monitors are listed in Table 7.3-16. Failure of a monitor is alarmed.
The Westinghouse ESFAS transmits signals to this ESFAS when an SI signal is generated.
The ESFAS may also be initiated manually.
: 2. Logic
The FHB HVAC ESFAS logic is shown on Figure 7.3-27. As can be seen in this figure, the two redundant radiation monitors each have three separate and redundant outputs, one to each of the ESFAS trains. In this way, detection of high radiation actuates all three trains of HVAC equipment.
A safety injection signal, one from each of the Westinghouse ESFAS actuation trains, is also sent to each ESFAS train.
Manual actuation capability is provided by actuate switches, one for each actuation train. Reset capability is also provided on a per-train basis.
The actuation signal is transmitted to each actuated device, causing each device to assume its safe state for these emergency conditions.
: 3. Bypass
There is no bypass. Manual reset of the actuation signal may be performed, thus allowing the operator to assume manual control of the HVAC system. It is noted that for initiation via the SI signal, both the SI signal and the ESFAS actuation signal must be reset.
Reset of the actuation signal does not reverse the actuation of ESF equipment. The equipment remains in its emergency mode until the operator takes manual action on a component-by-component basis.
: 4. Interlocks
There are no interlocks on these controls.
: 5. Sequencing
The FHB HVAC equipment required to operate during these emergency conditions is powered from Class 1E power systems. Since these loads are small they are included in the first sequenced load onto the diesel generators.  (Section 8.3)
: 6. Redundancy
Redundancy is provided by two radiation monitors, each interfacing with the three ESFAS trains; the SI signals to each of the ESFAS trains; manual actuation switches for each ESFAS train; and controls for each HVAC component.
: 7. Diversity
Diversity of actuation is provided in that the HVAC system may be actuated to the emergency mode by either of two radiation monitors, by the SI signal, or by manual initiation.
: 8. Actuated Devices
Table 7.3-18 lists the actuated devices.
: 9. Supporting Systems
The supporting systems for the ESFAS are the 125 vdc Class 1E Power System, described in Section 8.3.2, and the EAB Main HVAC System, described in Section 9.4.1.
7.3.3.1.2 Design Bases:  The design bases for the FHB HVAC ESFAS are such that no single failure can prevent the proper operation of the FHB HVAC System. The trip setpoints are provided in the Technical Specifications.
The following conditions are considered for the ESFAS components:
: 1. Range of transient and steady-state conditions:  The electrical power supply characteristics are as described in Section 8.3. The range of possible environmental conditions is described in Sections 3.10 and 3.11.
: 2. Malfunctions, accidents, or other unusual events
Fire protection Section 9.5.1
Missile protection Section 3.5
Earthquake protection Section 3.7
The design bases for the FHB HVAC System are discussed in Section 9.4.2. The failure modes and effects analysis is also provided in Section 9.4.2.
7.3.3.1.3 Drawings:  The logic diagram for the ESFAS is shown on Figure 7.3-27. Typical logic diagrams for actuated equipment are shown on Figures 7.3-28 and 7.3-29.
7.3.3.2 Analysis. Conformance to NRC General Design Criteria is indicated on Figure 7.1-1. No deviations or exceptions are taken. Compliance with GDCs is also discussed in Section 3.1.
Conformance to NRC RGs and IEEE standards is also shown on Figure 7.1-1. Conformance to RGs is also addressed in Table 3.12-1.
The design of the ESFAS conforms to the applicable requirements of IEEE 279-1971, in a manner similar to that described for the Control Room Envelope HVAC ESFAS, as discussed in Section 7.3.2.2. Differences are discussed below.
: 1. General Functional Requirements - Paragraph 4.1
The FHB HVAC System and ESFAS are able to function automatically and reliably over the full range of transients for plant conditions for which credit is taken in the accident analyses. The system functions when manually actuated. The system response times are within the times required in the LOCA and Fuel Handling Accident analyses.
: 2. Single Failure Criterion - Paragraph 4.2
Through the use of redundant independent systems, as shown in Section 9.4.2, a single failure or multiple failures resulting from a single credible event will not prevent the ESFAS and the FHB HVAC System from performing the safety function when required.
: 3. Operating Bypasses - Paragraph 4.12
There are no bypasses. Manual reset is provided on a per-train basis, as described in Section 7.3.3.1.1(3).
Periodic testing of the mechanical components is discussed in Section 9.4.2.
REFERENCES
Section 7.3:
7.3-1 Reid, J. B., "Process Instrumentation for Westinghouse Nuclear Steam Supply System (4 Loop Plant Using WCID 7300 Series Process Instrumentation)", WCAP-7913 (January 1973).  (Additional background information only)
7.3-2 Katz, D. N., "Solid State Logic Protection System Description", WCAP-7488-L, Proprietary (March 3, 1971) and WCAP-7672, Nonproprietary (May 1971) (Additional background information only)
7.3-3 Swogger, J. W., "Testing of Engineered Safety Features Actuation System", WCAP-7705, Revision 2 (May 1976).  (Information only, i.e., not a generic topical WCAP.)
7.3-4 Mesmeringer, J.C., "Failure Mode and Effects Analysis (FMEA) of the Engineered Safety Features Actuation System", WCAP-8584, Revision 1, Proprietary, February 1980 and WCAP-8760, Revision 1, Nonproprietary, February 1980.
7.3-5 STPNOC Design Specification 5Z010ZS1101, "Precautions, Limitations, and Setpoints," Rev. 3
TABLE 7.3-2
INSTRUMENTATION OPERATING CONDITION FOR WESTINGHOUSE ESFAS

No.  Functional Unit                                              No. of Channels      No. of Channels To Trip
1.   Safety Injection Signal*** (See Figures 7.2-8 and 7.2-9)
     a. Manual                                                    2                    1
     b. HI-1 Containment pressure                                 3                    2
     c. Low compensated steam line pressure*                      12 (3/steam line)    2/3 in any steam line
     d. Pressurizer low pressure*                                 4                    2
2.   Containment Spray Signal (See Figure 7.2-8)
     a. Manual**                                                  2                    1
     b. Containment pressure HI-3                                 4                    2
3.   Auxiliary Feedwater Initiation Signal (See Figure 7.2-16)
     a. Safety Injection Signal                                   See Item 1 of this table
     b. Steam generator low-low water level                       16 (4/SG)            2/4 in any SG

* Permissible bypass if reactor coolant pressure is less than P-11 (nominally 1985 psig).
** Manual actuation of Containment spray is accomplished by actuating either of two sets (two switches per set). Both switches in a set must be actuated to obtain a manually initiated spray signal. The sets are wired to meet separation and single-failure requirements of IEEE 279-1971. Simultaneous separation of two switches is desirable to prevent inadvertent spray actuation.
*** Excessive Cooldown Protection has been deleted. However, the Tcold analog signal which provides monitoring function will be maintained.
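The coincidence values in Table 7.3-2 can be checked against the single-failure criterion when one channel is out of service in the tripped or bypass mode. This sketch is added here and is not from the UFSAR; it assumes a bypassed channel is simply removed from the vote with the required count unchanged, and the function and key names are hypothetical.

```python
from enum import Enum


class Ch(Enum):
    NORMAL = "normal"
    TRIPPED = "tripped"      # out of service, output forced to the trip state
    BYPASSED = "bypassed"    # out of service, removed from the vote (assumption)


# Table 7.3-2 coincidence: unit -> (channels per group, needed to trip, groups)
COINCIDENCE = {
    "HI-1 Containment pressure": (3, 2, 1),
    "Low compensated steam line pressure": (3, 2, 4),    # 3 per steam line
    "Pressurizer low pressure": (4, 2, 1),
    "Containment pressure HI-3": (4, 2, 1),
    "Steam generator low-low water level": (4, 2, 4),    # 4 per SG
}


def all_normal(unit):
    per_group, _, groups = COINCIDENCE[unit]
    return [[Ch.NORMAL] * per_group for _ in range(groups)]


def votes(states, sensed):
    """Trip votes in one group: forced trips plus in-service channels that sense it."""
    return sum(1 for st, s in zip(states, sensed)
               if st is Ch.TRIPPED or (st is Ch.NORMAL and s))


def actuates(unit, states, sensed):
    """True if any group (steam line, SG, ...) reaches its coincidence."""
    needed = COINCIDENCE[unit][1]
    return any(votes(g_states, g_sensed) >= needed
               for g_states, g_sensed in zip(states, sensed))


def single_failure_report(unit, states):
    """Apply one random failure to each in-service channel in turn.

    demand_ok:   a real condition in one group still actuates when one
                 in-service channel of that group fails to trip.
    spurious_ok: with no real condition, one in-service channel failing
                 to the trip state does not actuate on its own.
    """
    per_group, _, groups = COINCIDENCE[unit]
    quiet = [[False] * per_group for _ in range(groups)]
    demand_ok, spurious_ok = True, True
    for g in range(groups):
        for c in range(per_group):
            if states[g][c] is not Ch.NORMAL:
                continue
            sensed = [row[:] for row in quiet]
            sensed[g] = [i != c for i in range(per_group)]   # channel c stays silent
            demand_ok &= actuates(unit, states, sensed)
            sensed = [row[:] for row in quiet]
            sensed[g][c] = True                              # channel c trips spuriously
            spurious_ok &= not actuates(unit, states, sensed)
    return {"demand_ok": demand_ok, "spurious_ok": spurious_ok}


def survey():
    """Report for every unit with one channel of the first group out of service."""
    out = {}
    for unit in COINCIDENCE:
        for mode in Ch:
            states = all_normal(unit)
            states[0][0] = mode
            out[(unit, mode.value)] = single_failure_report(unit, states)
    return out


if __name__ == "__main__":
    for key, report in survey().items():
        print(key, report)
```
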
TABLE 7.3-2A
FUNCTIONS/SYSTEMS ACTUATED BY WESTINGHOUSE ESFAS SIGNALS

Safety Injection Signal                      Containment Spray Signal
Reactor Trip System                          Containment Spray System
Turbine Trip                                 Containment Isolation Phase B
Feedwater Isolation
Auxiliary Feedwater System
Standby Diesel Generators                    Auxiliary Feedwater Initiation Signal
Component Cooling Water System               Auxiliary Feedwater System
Safety Injection System                      Steam Generator Blowdown Isolation
Essential Cooling Water System               Steam Generator Sample Isolation
Reactor Containment Fan Coolers
Containment Isolation Phase A
Containment Ventilation Isolation            Main Steamline Isolation
Control Room Envelope HVAC System            Steamline Bypass Valve Closure
EAB Main Area HVAC System                    Main Steam Isolation Valve Closure
FHB HVAC Exhaust Subsystem
ESF Load Sequencers
Essential Chilled Water System
Electrical Penetration Space HVAC System
TABLE 7.3-3
INSTRUMENT OPERATING CONDITIONS FOR ISOLATION FUNCTIONS

No.  Functional Unit                                              No. of Channels      No. of Channels To Trip
1.   Containment Isolation Phase A (See Figure 7.2-8)
     a. Safety Injection                                          See item 1 (a through e) of Table 7.3-2
     b. Manual                                                    2                    1
2.   Steamline Isolation (See Figure 7.2-8)
     a. High steam pressure negative rate (enabled by low
        compensated steam line pressure SI Block - see
        Figure 7.2-9)                                             12 (3/steam line)    2/3 in any steam line
     b. Low compensated steam line pressure**                     12 (3/steam line)    2/3 in any steam line
     c. Manual*                                                   2                    1
     d. Containment Pressure HI-2                                 3                    2
3.   Feedwater Line Isolation (See Figures 7.2-8 and 7.2-14)
     a. SG hi-hi water level                                      16 (4/SG)            2/4 in any SG
     b. Safety Injection                                          See item 1 (a through e) of Table 7.3-2
     c. Low Tavg (interlocked with P-4)                           4 (1 per loop)       2

* In addition to the two system-level steam line isolation switches, each steam loop is provided with switches to effect steam line isolation in that loop.
** Permissible bypass if reactor coolant pressure is less than P-11 (nominally 1985 psig).
TABLE 7.3-3 (Continued)
INSTRUMENT OPERATING CONDITIONS FOR ISOLATION FUNCTIONS
No. | Functional Unit | No. of Channels | No. of Channels To Trip
4. | Containment Isolation Phase B | |
a. | Containment Spray | See item 2 (a and b) of Table 7.3-2 |
5. | Containment Ventilation Isolation | |
a. | Safety Injection | See item 1 (a through e) of Table 7.3-2 |
b. | Manual Containment Spray Actuation | See item 2a of Table 7.3-2 |
c. | Manual Containment Isolation Phase A | See item 1b of this table |
d. | High radiation signal* | 2 | 1
* High radiation signal is derived from 1 of the two Class 1E RCB Purge Isolation monitors. High radiation signal is redundantly provided to logic trains R and S. These radiation monitors are discussed in Section 11.5.
TABLE 7.3-4 INTERLOCKS FOR ENGINEERED SAFETY FEATURES ACTUATION SYSTEM
Designation | Input | Function Performed
P-4 | Reactor tripped | Presence of P-4 signal activates turbine trip*
 | | Presence of P-4 signal closes main FW valves on Tavg below set point
 | | Presence of P-4 signal prevents opening of main FW valves which are closed by SI or high SG water level
 | | Presence of P-4 signal allows manual reset/block of automatic safety injection signal
 | | Absence of P-4 signal defeats the manual reset/block for safety injection
 | | Presence of P-4 signal with the Source Range Blocked provides a non-protective function that closes SG Blowdown isolation valves. The isolation valves can be reopened after the Source Range Block is reset.
P-11 | 2/3 pressurizer pressure below setpoint | Presence of P-11 allows manual block of SI on low pressurizer pressure
 | | Presence of P-11 allows manual block of SI and main steam isolation on low compensated steam line pressure (Figure 7.2-9)
 | | Absence of P-11 opens all accumulator discharge isolation valves.
P-12 | 2/4 Tavg below low-low setpoint | Presence of P-12 blocks steam dump except for cooldown condenser dump valves
 | | Presence of P-12 allows manual bypass of steam dump block for the cooldown valves only
* P-4 is an input to P-16. The P-16 signal trips the turbine. The P-16 signal is present when either the P-4 signal is present (indicating the reactor trip circuit breaker(s) are open) or the reactor trip train-oriented logic signal is present.
TABLE 7.3-4 (Continued)
INTERLOCKS FOR ENGINEERED SAFETY FEATURES ACTUATION SYSTEM
Designation | Input | Function Performed
P-14 | 2/4 SG water level above setpoint on any SG | Presence of P-14 closes all FW control and bypass valves
 | | Presence of P-14 trips all main FW pumps and closes all FW isolation and bypass valves
 | | Presence of P-14 actuates turbine trip
TABLE 7.3-5 SAFETY-INJECTION-ACTUATED EQUIPMENT LIST
SYSTEM | EQUIP. IDENTIF. | DESCRIPTION | ESF TRAIN | FUNCTION | FIGURE NUMBER | P & ID NUMBER | LOGIC NUMBER
CC | CC0032 | CCW TO SFP HEAT EXCHANGERS ISOLATION VALVE | B | CLOSE | 9.2.2-4 | 9F05020 | Z42045
CC | CC0052 | CCW COMMON HEADER OUTLET VALVE | A | OPEN** | 9.2.2-4 | 9F05020 | Z42044
CC | CC0057 | CCW RCFC SUPPLY ISOLATION VALVE | A | OPEN | 9.2.2-1 | 9F05017 | Z42042
CC | CC0059 | RCFC CHILLED WATER SUPPLY ISOLATION VALVE | A | CLOSE | 9.2.2-1 | 9F05017 | Z42041
CC | CC0069 | CCW RCFC RETURN ISOLATION VALVE | A | OPEN | 9.2.2-1 | 9F05017 | Z42042
CC | CC0070 | RCFC CHILLED WATER RETURN ISOLATION VALVE | A | CLOSE | 9.2.2-1 | 9F05017 | Z42041
CC | CC0132 | CCW COMMON HEADER OUTLET VALVE | B | OPEN** | 9.2.2-4 | 9F05020 | Z42044
CC | CC0136 | CCW RCFC SUPPLY ISOLATION VALVE | B | OPEN | 9.2.2-2 | 9F05018 | Z42042
CC | CC0137 | RCFC CHILLED WATER SUPPLY ISOLATION VALVE | B | CLOSE | 9.2.2-2 | 9F05018 | Z42041
CC | CC0148 | CCW RCFC RETURN ISOLATION VALVE | B | OPEN | 9.2.2-2 | 9F05018 | Z42042
CC | CC0149 | RCFC CHILLED WATER RETURN ISOLATION VALVE | B | CLOSE | 9.2.2-2 | 9F05018 | Z42041
CC | CC0192 | CCW COMMON HEADER OUTLET VALVE | C | OPEN** | 9.2.2-4 | 9F05020 | Z42044
CC | CC0197 | CCW RCFC SUPPLY ISOLATION VALVE | C | OPEN | 9.2.2-3 | 9F05019 | Z42042
CC | CC0199 | RCFC CHILLED WATER SUPPLY ISOLATION VALVE | C | CLOSE | 9.2.2-3 | 9F05019 | Z42041
CC | CC0209 | RCFC CHILLED WATER RETURN ISOLATION VALVE | C | CLOSE | 9.2.2-3 | 9F05019 | Z42041
CC | CC0210 | CCW RCFC RETURN ISOLATION VALVE | C | OPEN | 9.2.2-3 | 9F05019 | Z42042
CC | CC0235 | CCW TO NON-ESSENTIAL LOADS ISOLATION VALVE | A | CLOSE | 9.2.2-4 | 9F05020 | Z42045
CC | CC0236 | CCW TO NON-ESSENTIAL LOADS ISOLATION VALVE | C | CLOSE | 9.2.2-4 | 9F05020 | Z42045
CC | CC0297 | CCW TO EXCESS LETDOWN & RCDT HXs ISOLATION VALVE | A | CLOSE | 9.2.2-5 | 9F05021 | Z42053
TABLE 7.3-5 (Continued)
SAFETY-INJECTION-ACTUATED EQUIPMENT LIST
SYSTEM | EQUIP. IDENTIF. | DESCRIPTION | ESF TRAIN | FUNCTION | FIGURE NUMBER | P & ID NUMBER | LOGIC NUMBER
CC | CC0312 | CCW COMMON HEADER INLET VALVE | C | OPEN** | 9.2.2-4 | 9F05020 | Z42044
CC | CC0314 | CCW COMMON HEADER INLET VALVE | B | OPEN** | 9.2.2-4 | 9F05020 | Z42044
CC | CC0316 | CCW COMMON HEADER INLET VALVE | A | OPEN** | 9.2.2-4 | 9F05020 | Z42044
CC | CC0392 | CCW TO RCDT HX ISOLATION VALVE | C | CLOSE | 9.2.2-5 | 9F05021 | Z42054
CC | CC0393 | CCW TO EXCESS LETDOWN HX ISOLATION VALVE | B | CLOSE | 9.2.2-5 | 9F05021 | Z42053
CC | CC0447 | CCW TO SFP HEAT EXCHANGERS ISOLATION VALVE | C | CLOSE | 9.2.2-4 | 9F05020 | Z42045
CC | CC0642 | CCW HEAT EXCHANGER BYPASS VALVE | A | CLOSE | 9.2.2-1 | 9F05017 | Z42055
CC | CC0643 | CCW HEAT EXCHANGER THROTTLE VALVE | A | OPEN | 9.2.2-1 | 9F05017 | Z42055
CC | CC0644 | CCW HEAT EXCHANGER BYPASS VALVE | B | CLOSE | 9.2.2-2 | 9F05018 | Z42055
CC | CC0645 | CCW HEAT EXCHANGER THROTTLE VALVE | B | OPEN | 9.2.2-2 | 9F05018 | Z42055
CC | CC0646 | CCW HEAT EXCHANGER BYPASS VALVE | C | CLOSE | 9.2.2-3 | 9F05019 | Z42055
CC | CC0647 | CCW HEAT EXCHANGER THROTTLE VALVE | C | OPEN | 9.2.2-3 | 9F05019 | Z42055
CC | CC0768 | CCW TO CHARGING PUMPS SUPPLY VALVE | A | OPEN** | 9.2.2-4 | 9F05020 | Z42064
CC | CC0770 | CCW TO CHARGING PUMPS SUPPLY VALVE | B | OPEN** | 9.2.2-4 | 9F05020 | Z42065
CC | CC0771 | CCW TO CHARGING PUMPS SUPPLY VALVE | C | OPEN** | 9.2.2-4 | 9F05020 | Z42065
CC | CC0772 | CCW TO CHARGING PUMPS RETURN VALVE | A | OPEN** | 9.2.2-4 | 9F05020 | A42064
CC | CC0774 | CCW TO CHARGING PUMPS RETURN VALVE | B | OPEN** | 9.2.2-4 | 9F05020 | Z42065
CC | CC0775 | CCW TO CHARGING PUMPS RETURN VALVE | C | OPEN** | 9.2.2-4 | 9F05020 | Z42065
CC | CCW PUMP 1A | COMPONENT COOLING WATER PUMP 1A | A | START* | 9.2.2-1 | 9F05017 | Z42040
CC | CCW PUMP 1B | COMPONENT COOLING WATER PUMP 1B | B | START* | 9.2.2-2 | 9F05018 | Z42040
TABLE 7.3-5 (Continued)
SAFETY-INJECTION-ACTUATED EQUIPMENT LIST
SYSTEM | EQUIP. IDENTIF. | DESCRIPTION | ESF TRAIN | FUNCTION | FIGURE NUMBER | P & ID NUMBER | LOGIC NUMBER
CC | CCW PUMP 1C | COMPONENT COOLING WATER PUMP 1C | C | START* | 9.2.2-3 | 9F05019 | Z42040
CC | FV-4531 | CCW TO RHR HEAT EXCHANGER ISOLATION VALVE | A | OPEN | 9.2.2-1 | 9F05017 | Z42058
CC | FV-4540 | CCW TO POST ACCIDENT SAMPLING PANEL ISOLATION VALVE | A | CLOSE | 9.2.2-4 | 9F05020 | Z42067
CC | FV-4541 | CCW TO POST ACCIDENT SAMPLING PANEL ISOLATION VALVE | B | CLOSE | 9.2.2-4 | 9F05020 | Z42067
CC | FV-4548 | CCW TO RHR HEAT EXCHANGER ISOLATION VALVE | B | OPEN | 9.2.2-2 | 9F05018 | Z42058
CC | FV-4565 | CCW TO RHR HEAT EXCHANGER ISOLATION VALVE | C | OPEN | 9.2.2-3 | 9F05019 | Z42058
CC | FV-0862 | RCFC CHILLED WATER RETURN ISOLATION VALVE | B | CLOSE | 9.2.2-1 | 9F05017 | Z42068
CC | FV-0863 | RCFC CHILLED WATER RETURN ISOLATION VALVE | C | CLOSE | 9.2.2-2 | 9F05018 | Z42068
CC | FV-0864 | RCFC CHILLED WATER RETURN ISOLATION VALVE | A | CLOSE | 9.2.2-3 | 9F05019 | Z42068
CH | CH PUMP 11A | ESSENTIAL CHILLED WATER PUMP 11A | A | START* | 9.4.1-4 | 9V10001 | Z41570
CH | CH PUMP 11B | ESSENTIAL CHILLED WATER PUMP 11B | B | START* | 9.4.1-4 | 9V1001 | Z41570
CH | CH PUMP 11C | ESSENTIAL CHILLED WATER PUMP 11C | C | START* | 9.4.1-4 | 9V10001 | Z41570
CH | ESS CLR 004 | ESSENTIAL CHILLER 12A | A | START* | 9.4.1-4 | 9V10001 | Z41593
CH | ESS CLR 005 | ESSENTIAL CHILLER 12B | B | START* | 9.4.1-4 | 9V10001 | Z41593
CH | ESS CLR 006 | ESSENTIAL CHILLER 12C | C | START* | 9.4.1-4 | 9V10001 | Z41593
CH | TV-9476A | CONTROL ROOM COOLING COILS CHILLER WATER OUTLET VALVE | A | OPEN | 9.4.1-4 | 9V10002 | Z41592
CH | TV-9476B | CONTROL ROOM CHILLED WATER COOLING COILS BYPASS VALVE | A | CLOSE | 9.4.1-4 | 9V10002 | Z41592
TABLE 7.3-5 (Continued)
SAFETY-INJECTION-ACTUATED EQUIPMENT LIST
SYSTEM | EQUIP. IDENTIF. | DESCRIPTION | ESF TRAIN | FUNCTION | FIGURE NUMBER | P & ID NUMBER | LOGIC NUMBER
CH | TV-9477A | EAB MAIN AREA COOLING COILS CHILLED WATER OUTLET VALVE | A | OPEN | 9.4.1-4 | 9V10002 | Z41592
CH | TV-9744B | EAB MAIN AREA CHILLED WATER COOLING COILS BYPASS VALVE | A | CLOSE | 9.4.1-4 | 9V10002 | Z41592
CH | TV-9486A | CONTROL ROOM COOLING COILS CHILLED WATER OUTLET VALVE | B | OPEN | 9.4.1-4 | 9V10002 | Z41592
CH | TV-9486B | CONTROL ROOM CHILLED WATER COOLING COILS BYPASS VALVE | B | CLOSE | 9.4.1-4 | 9V10002 | Z41592
CH | TV-9487A | EAB MAIN AREA COOLING COILS CHILLED WATER OUTLET VALVE | B | OPEN | 9.4.1-4 | 9V10002 | Z41592
CH | TV-9487B | EAB MAIN AREA CHILLED WATER COOLING COILS BYPASS VALVE | B | CLOSE | 9.4.1-4 | 9V10002 | Z41592
CH | TV-9496A | CONTROL ROOM COOLING COILS CHILLED WATER OUTLET VALVE | C | OPEN | 9.4.1-4 | 9V10002 | Z41592
CH | TV-9496B | CONTROL ROOM CHILLED WATER COOLING COILS BYPASS VALVE | C | CLOSE | 9.4.1-4 | 9V10002 | Z41592
CH | TV-9497A | EAB MAIN AREA COOLING COILS CHILLED WATER OUTLET VALVE | C | OPEN | 9.4.1-4 | 9V10002 | Z41592
CH | TV-9497B | EAB MAIN AREA CHILLED WATER COOLING COILS BYPASS VALVE | C | CLOSE | 9.4.1-4 | 9V10002 | Z41592
CV | XCV0112B | VCT OUTLET ISOLATION VALVE | C | CLOSE | 9.3.4-3 | 9F05007 | Z42415
CV | XCV0112C | RWST TO CHARGING PUMPS SUCTION ISOLATION VALVE | C | OPEN | 9.3.4-3 | 9F05007 | Z42414
CV | XCV0113A | VCT OUTLET ISOLATION VALVE | B | CLOSE | 9.3.4-3 | 9F05007 | Z42415
CV | XCV0113B | RWST TO CHARGING PUMPS SUCTION ISOLATION VALVE | B | OPEN | 9.3.4-3 | 9F05007 | Z42414
DG | DG 11 | STANDBY DIESEL GENERATOR 11 | A | START | 8.3-4 SH1 | NONE | Z42100
DG | DG 12 | STANDBY DIESEL GENERATOR 12 | B | START | 8.3-4 SH1 | NONE | Z42100
DG | DG 13 | STANDBY DIESEL GENERATOR 13 | C | START | 8.3-4 SH1 | NONE | Z42100
EW | BOOST PUMP 1A | ECW SCREEN WASH BOOSTER PUMP 1A | A | START** | 9.2.2.1-4 | 9F05039 | Z42078
EW | BOOST PMP 1B | ECW SCREEN WASH BOOSTER PUMP 1B | B | START** | 9.2.1-4 | 9F05039 | Z42078
EW | BOOST PMP 1C | ECW SCREEN WASH BOOSTER PUMP 1C | C | START** | 9.2.1-4 | 9F05039 | Z42078
TABLE 7.3-5 (Continued)
SAFETY-INJECTION-ACTUATED EQUIPMENT LIST
SYSTEM | EQUIP. IDENTIF. | DESCRIPTION | ESF TRAIN | FUNCTION | FIGURE NUMBER | P & ID NUMBER | LOGIC NUMBER
EW | ECW PUMP 1A | ESSENTIAL COOLING WATER PUMP 1A | A | START* | 9.2.1-3 | 9F05038 | Z42077
EW | ECW PUMP 1B | ESSENTIAL COOLING WATER PUMP 1B | B | START* | 9.2.1-3 | 9F05038 | Z42077
EW | ECW PUMP IC | ESSENTIAL COOLING WATER PUMP 1C | C | START* | 9.2.2-3 | 9F05038 | Z42077
EW | ECW STRNR 1A | ECW SELF-CLEANING STRAINER 1A | A | RUN** | 9.2.1-3 | 9F05038 | Z42080
EW | ECW STRNR 1B | ECW SELF-CLEANING STRAINER 1B | B | RUN** | 9.2.1-3 | 9F05038 | Z42080
EW | ECW STRNR 1C | ECW SELF-CLEANING STRAINER 1C | C | RUN** | 9.2.1-3 | 9F05038 | Z42080
EW | EWO121 | ECW PUMP DISCHARGE VALVE | A | OPEN** | 9.2.1-3 | 9F05038 | Z42081
EW | EWO137 | ECW PUMP DISCHARGE VALVE | B | OPEN** | 9.2.1-3 | 9F05038 | Z42081
EW | EWO151 | ECW PUMP DISCHARGE VALVE | C | OPEN** | 9.2.1-3 | 9F05038 | Z42081
EW | FV-6914 | ECW SCREEN WASH VALVE | A | OPEN** | 9.2.1-4 | 9F05039 | Z42082
EW | FV-6924 | ECW SCREEN WASH VALVE | B | OPEN** | 9.2.1-4 | 9F05039 | Z42082
EW | FV-6934 | ECW SCREEN WASH VALVE | C | OPEN** | 9.2.1-4 | 9F05039 | Z42082
EW | FV-6935 | ECW BLOWDOWN ISOLATION VALVE | A | CLOSE | 9.2.1-3 | 9F05038 | Z42083
EW | FV-6936 | ECW BLOWDOWN ISOLATION VALVE | B | CLOSE | 9.2.1-3 | 9F05038 | Z42083
EW | FV-6937 | ECW BLOWDOWN ISOLATION VALVE | C | CLOSE | 9.2.1-3 | 9F05038 | Z42083
TABLE 7.3-5 (Continued)
SAFETY-INJECTION-ACTUATED EQUIPMENT LIST
SYSTEM | EQUIP. IDENTIF. | DESCRIPTION | ESF TRAIN | FUNCTION | FIGURE NUMBER | P & ID NUMBER | LOGIC NUMBER
EW | TRAV SCRN 1A | ECW TRAVELLING WATER SCREEN 1A | A | START | 9.2.1-4 | 9F05039 | Z42079
EW | TRAV SCRN 1B | ECW TRAVELLING WATER SCREEN 1B | B | START | 9.2.1-4 | 9F05039 | Z42079
EW | TRAV SCRN 1C | ECW TRAVELLING WATER SCREEN 1C | C | START | 9.2.1-4 | 9F05039 | Z42079
HC | RCB FAN 027 | CONTAINMENT CUBICLES EXHAUST FAN 11A | A | TRIP | 6.2.2-4 | 9V00016 | Z41657
HC | RCB FAN 028 | CONTAINMENT CUBICLES EXHAUST FAN 11B | B | TRIP | 6.2.2-4 | 9V00016 | Z41657
HC | RCB FAN 029 | CONTAINMENT CUBICLES EXHAUST FAN 12A | A | TRIP | 6.2.2-4 | 9V00016 | Z41657
HC | RCB FAN 030 | CONTAINMENT CUBICLES EXHAUST FAN 12B | C | TRIP | 6.2.2-4 | 9V00016 | Z41657
HC | RCFC FAN 001 | REACTOR CONTAINMENT FAN COOLER 11A | A | START* | 6.2.2-4 | 9V00016 | Z41630
HC | RCFC FAN 002 | REACTOR CONTAINMENT FAN COOLER 12A | A | START* | 6.2.2-4 | 9V00016 | Z41630
HC | RCFC FAN 003 | REACTOR CONTAINMENT FAN COOLER 11B | B | START* | 6.2.2-4 | 9V00016 | Z41630
HC | RCFC FAN 004 | REACTOR CONTAINMENT FAN COOLER 12B | B | START* | 6.2.2-4 | 9V00016 | Z41630
HC | RCFC FAN 005 | REACTOR CONTAINMENT FAN COOLER 11C | C | START* | 6.2.2-4 | 9V00016 | Z41630
HC | RCFC FAN 006 | REACTOR CONTAINMENT FAN COOLER 12C | C | START* | 6.2.2-4 | 9V00016 | Z41630
HE | EAB FAN 001 | EAB HVAC RETURN AIR FAN 11A | A | START* | 9.4.1-1 | 9V25000 | Z41703
HE | EAB FAN 002 | EAB HVAC RETURN AIR FAN 11B | B | START* | 9.4.1-1 | 9V25000 | Z41703
HE | EAB FAN 003 | EAB HVAC RETURN AIR FAN 11C | C | START* | 9.4.1-1 | 9V25000 | Z41703
HE | EAB FAN 010 | EAB BATTERY ROOM EXHAUST FAN 11A | A | START | 9.4.1-1 | 9V25000 | Z41573
HE | EAB FAN 011 | EAB BATTERY ROOM EXHAUST FAN 11B | B | START | 9.4.1-1 | 9V25000 | Z41573
HE | EAB FAN 012 | EAB BATTERY ROOM EXHAUST FAN 11C | C | START | 9.4.1-1 | 9V25000 | Z41573
TABLE 7.3-5 (Continued)
SAFETY-INJECTION-ACTUATED EQUIPMENT LIST
SYSTEM | EQUIP. IDENTIF. | DESCRIPTION | ESF TRAIN | FUNCTION | FIGURE NUMBER | P & ID NUMBER | LOGIC NUMBER
HE | EAB FAN 014 | EAB HVAC SUPPLY AIR FAN 11A | A | START* | 9.4.1-1 | 9V25000 | Z41572
HE | EAB FAN 015 | EAB HVAC SUPPLY AIR FAN 11B | B | START* | 9.4.1-1 | 9V25000 | Z41572
HE | EAB FAN 016 | EAB HVAC SUPPLY AIR FAN 11C | C | START* | 9.4.1-1 | 9V25000 | Z41572
HE | EAB FAN 030 | ELECTRICAL PENETRATION SPACE EMERGENCY FAN 11C | C | START | 9.4.1-1 | 9V00020 | Z41724
HE | EAB FAN 031 | ELECTRICAL PENETRATION SPACE EMERGENCY FAN 11B | B | START | 9.4.1-1 | 9V00020 | Z41724
HE | EAB FAN 032 | ELECTRICAL PENETRATION SPACE EMERGENCY FAN 11A | A | START | 9.4.1-1 | 9V00020 | Z41724
HE | EAB HEATER | EAB SPACE HEATER PANEL BREAKER | A | TRIP | NONE | NONE | EVFAD01
HE | EAB HEATER | EAB SPACE HEATER PANEL BREAKER | B | TRIP | NONE | NONE | EVFAD01
HE | EAB HEATER | EAB SPACE HEATER PANEL BREAKER | C | TRIP | NONE | NONE | EVFAD01
HE | EAB HX 009 | EAB MAIN AIR HANDLING UNIT HEATING COIL 11A | Abandoned
HE | EAB HX 012 | EAB MAIN AIR HANDLING UNIT HEATING COIL 11B | B | TRIP | 9.4.1-1 | 9V25000 | Z41708
HE | EAB HX 015 | EAB MAIN AIR HANDLING UNIT HEATING COIL 11C | C | TRIP | 9.4.1-1 | 9V25000 | Z41708
HE | FV-9603 | CONTROL ROOM HVAC HALON FIRE PROTECTION DAMPER | A | OPEN | 9.4.1-2 | 9V25005 | Z41702
HE | FV-9603 | CONTROL ROOM HVAC HALON FIRE PROTECTION DAMPER | B | OPEN | 9.4.1-2 | 9V25005 | Z41702
HE | FV-9652 | EAB SUPPLY AIR HANDLING UNIT OUTLET DAMPER | C | CLOSE** | 9.4.1-1 | 9V25000 | Z41581
HE | FV-9653 | EAB SUPPLY AIR HANDLING UNIT OUTLET DAMPER | C | OPEN** | 9.4.1-1 | 9V25000 | Z41581
HE | FV-9654 | EAB SUPPLY AIR HANDLING UNIT OUTLET DAMPER | B | CLOSE** | 9.4.1-1 | 9V25000 | Z41581
HE | FV-9655 | EAB SUPPLY AIR HANDLING UNIT OUTLET DAMPER | B | OPEN** | 9.4.1-1 | 9V25000 | Z41581
HE | FV-9656 | EAB SUPPLY AIR HANDLING UNIT OUTLET DAMPER | A | CLOSE** | 9.4.1-1 | 9V25000 | Z41581
HE | FV-9657 | EAB SUPPLY AIR HANDLING UNIT OUTLET DAMPER | A | OPEN** | 9.4.1-1 | 9V25000 | Z41581
CN-3119
TABLE 7.3-5 (Continued)
SAFETY-INJECTION-ACTUATED EQUIPMENT LIST
SYSTEM | EQUIP. IDENTIF. | DESCRIPTION | ESF TRAIN | FUNCTION | FIGURE NUMBER | P & ID NUMBER | LOGIC NUMBER
HE | FV-9699 | CONTROL ROOM HVAC HALON FIRE PROTECTION DAMPER | A | OPEN | 9.4.1-2 | 9V25005 | Z41702
HE | FV-9699 | CONTROL ROOM HVAC HALON FIRE PROTECTION DAMPER | B | OPEN | 9.4.1-2 | 9V25005 | Z41702
HE | FV-9700 | CONTROL ROOM HVAC HALON FIRE PROTECTION DAMPER | A | OPEN | 9.4.1-2 | 9V25005 | Z41702
HE | FV-9700 | CONTROL ROOM HVAC HALON FIRE PROTECTION DAMPER | B | OPEN | 9.4.1-2 | 9V25005 | Z41702
HE | REHEAT COIL | CONTROL ROOM & EAB HVAC OUTSIDE AIR REHEAT COIL BREAKER | A | TRIP** | 9.4.1-2 | 9V25003 | Z41770
HE | REHEAT COIL | EAB REHEAT COILS BREAKER (1) | A | TRIP | 9.4.1-1 | 9V25001 | Z41704
HE | REHEAT COILS | EAB REHEAT COILS BREAKERS (6) | A | TRIP | 9.4.1-1 | 9V25002 | Z41704
HE | REHEAT COILS | EAB REHEAT COILS BREAKERS (4) | A | TRIP | 9.4.1-2 | 9V25005 | Z41704
HF | FHB AHU 004 | ESF PUMPS SUPPLEMENTARY COOLER 11A | A | START** | 9.4.2-1 | 9V00012 | Z41614
HF | FHB AHU 005 | ESF PUMPS SUPPLEMENTARY COOLER 11B | B | START** | 9.4.2-1 | 9V00012 | Z41614
HF | FHB AHU 006 | ESF PUMPS SUPPLEMENTARY COOLER 11C | C | START** | 9.4.2-1 | 9V00012 | Z41614
HF | FHB AHU 012 | SUPPLEMENTARY COOLER - SUMP ISOLATION VALVE CUBICLE 11A | A | START** | 9.4.2-1 | 9V00012 | Z41741
HF | FHB AHU 013 | SUPPLEMENTARY COOLER - SUMP ISOLATION VALVE CUBICLE 11B | B | START** | 9.4.2-1 | 9V00012 | Z41741
HF | FHB AHU 014 | SUPPLEMENTARY COOLER - SUMP ISOLATION VALVE CUBICLE 11C | C | START** | 9.4.2-1 | 9V00012 | Z41741
HG | DGB FAN 001 | DIESEL GENERATOR ROOM EMERGENCY VENT FAN 11A | A | START** | 9.4.6-1 | 9V00015 | Z41621
HG | DGB FAN 002 | DIESEL GENERATOR ROOM EMERGENCY VENT FAN 11B | B | START** | 9.4.6-1 | 9V00015 | Z41621
HG | DGB FAN 003 | DIESEL GENERATOR ROOM EMERGENCY VENT FAN 11C | C | START** | 9.4.6-1 | 9V00015 | Z41621
HG | TV-9743 | DIESEL GENERATOR ROOM RECIRCULATION DAMPER | A | CLOSE** | 9.4.6-1 | 9V00015 | Z41622
HG | TV-9743A | DIESEL GENERATOR ROOM INTAKE DAMPER | A | OPEN** | 9.4.6-1 | 9V00015 | Z41622
HG | TV-9744 | DIESEL GENERATOR ROOM RECIRCULATION DAMPER | B | CLOSE** | 9.4.6-1 | 9V00015 | Z41622
TABLE 7.3-5 (Continued)
SAFETY-INJECTION-ACTUATED EQUIPMENT LIST
SYSTEM | EQUIP. IDENTIF. | DESCRIPTION | ESF TRAIN | FUNCTION | FIGURE NUMBER | P & ID NUMBER | LOGIC NUMBER
HG | TV-9744A | DIESEL GENERATOR ROOM INTAKE DAMPER | B | OPEN** | 9.4.6-1 | 9V00015 | Z41622
HG | TV-9745 | DIESEL GENERATOR ROOM RECIRCULATION DAMPER | C | CLOSE** | 9.4.6-1 | 9V00015 | Z41622
HG | TV-9745A | DIESEL GENERATOR ROOM INTAKE DAMPER | C | OPEN** | 9.4.6-1 | 9V00015 | Z41622
HM | MAB AHU 001 | CCW PUMP SUPPLEMENTARY COOLER 11A | A | START** | 9.4.3-3 | 9V00008 | Z41553
HM | MAB AHU 002 | CCW PUMP SUPPLEMENTARY COOLER 11B | B | START** | 9.4.3-3 | 9V00008 | Z41553
HM | MAB AHU 003 | CCW PUMP SUPPLEMENTARY COOLER 11C | C | START** | 9.4.3-3 | 9V00008 | Z41553
HM | MAB AHU 007 | CVCS VALVE CUBICLE ROOM 044 FAN COOLER | C | START | 9.4.3-3 | 9V00008 | Z41553
HM | MAB AHU 010 | CVCS VALVE CUBICLE ROOM 033 FAN COOLER 11A | A | START | 9.4.3-3 | 9V00008 | Z41553
HM | MAB AHU 011 | CVCS VALVE CUBICLE ROOM 033 FAN COOLER 11B | B | START | 9.4.3-3 | 9V00008 | Z41553
HM | MAB AHU 014 | CVCS VALVE CUBICLE ROOM 226 FAN COOLER 11A | B | START | 9.4.3-3 | 9V00008 | Z41553
HM | MAB AHU 015 | CVCS VALVE CUBICLE ROOM 226 FAN COOLER 11B | C | START | 9.4.3-3 | 9V00008 | Z41553
HM | MAB AHU 019 | ESSENTIAL CHILLER AREA ROOM 067 FAN COOLER 11A | A | START | 9.4.3-3 | 9V00008 | Z41553
HM | MAB AHU 020 | ESSENTIAL CHILLER AREA ROOM 067E FAN COOLER 11B | B | START | 9.4.3-3 | 9V00008 | Z41553
HM | MAB AHU 021 | ESSENTIAL CHILLER AREA ROOM 067F FAN COOLER 11C | C | START | 9.4.3-3 | 9V00008 | Z41553
HM | MAB AHU 022 | RADIATION & HYDROGEN MONITORS ROOM FAN COOLER 11A | A | START | 9.4.3-3 | 9V00008 | Z41554
HM | MAB AHU 023 | RADIATION & HYDROGEN MONITORS ROOM FAN COOLER 11B | C | START | 9.4.3-3 | 9V00008 | Z41554
HZ | ECW FAN 001 | ECW PUMP CUBICLE VENT FAN 11A | A | START** | 9.4.7-1 | 9V00027 | Z41674
HZ | ECW FAN 002 | ECW PUMP CUBICLE VENT FAN 12A | A | START** | 9.4.7-1 | 9V00027 | Z41674
HZ | ECW FAN 003 | ECW PUMP CUBICLE VENT FAN 11B | B | START** | 9.4.7-1 | 9V00027 | Z41674
HZ | ECW FAN 004 | ECW PUMP CUBICLE VENT FAN 12B | B | START** | 9.4.7-1 | 9V00027 | Z41674
TABLE 7.3-5 (Continued)
SAFETY-INJECTION-ACTUATED EQUIPMENT LIST
SYSTEM | EQUIP. IDENTIF. | DESCRIPTION | ESF TRAIN | FUNCTION | FIGURE NUMBER | P & ID NUMBER | LOGIC NUMBER
HZ | ECW FAN 005 | ECW PUMP CUBICLE VENT FAN 11C | C | START** | 9.4.7-1 | 9V00027 | Z41674
HZ | ECW FAN 006 | ECW PUMP CUBICLE VENT FAN 12C | C | START** | 9.4.7-1 | 9V00027 | Z41674
HZ | ECWIS HTR | ECW INTAKE STRUCTURE SPACE HEATER PANEL BREAKER | A | TRIP | NONE | NONE | EVFAC01
HZ | ECWIS HTR | ECW INTAKE STRUCTURE SPACE HEATER PANEL BREAKER | B | TRIP | NONE | NONE | EVFAC01
HZ | ECWIS HTR | ECW INTAKE STRUCTURE SPACE HEATER PANEL BREAKER | C | TRIP | NONE | NONE | EVFAC01
HZ | FV-9894 | ECW PUMP CUBICLE INTAKE DAMPER | A | OPEN** | 9.4.7-1 | 9V00027 | Z41675
HZ | FV-9894A | ECW PUMP CUBICLE EXHAUST DAMPER | A | OPEN** | 9.4.7-1 | 9V00027 | Z41675
HZ | FV-9895 | ECW PUMP CUBICLE INTAKE DAMPER | B | OPEN** | 9.4.7-1 | 9V00027 | Z41675
HZ | FV-9895A | ECW PUMP CUBICLE EXHAUST DAMPER | B | OPEN** | 9.4.7-1 | 9V00027 | Z41675
HZ | FV-9896 | ECW PUMP CUBICLE INTAKE DAMPER | C | OPEN** | 9.4.7-1 | 9V00027 | Z41675
HZ | FV-9896A | ECW PUMP CUBICLE EXHAUST DAMPER | C | OPEN** | 9.4.7-1 | 9V00027 | Z41675
PM | MCC 1A5 | MCC - NON-CLASS 1E LOADS CONNECTED TO CLASS 1E BUS | A | TRIP | NONE | NONE | EPMAK01
PM | MCC 1B5 | MCC - NON-CLASS 1E LOADS CONNECTED TO CLASS 1E BUS | B | TRIP | NONE | NONE | EPMAL01
PM | MCC 1C5 | MCC - NON-CLASS 1E LOADS CONNECTED TO CLASS 1E BUS | C | TRIP | NONE | NONE | EPMAM01
RC | PZR HTR 1A | PRESSURIZER HEATER BACKUP GROUP 1A | A | TRIP | NONE | NONE | Z42151
RC | PAR HTR 1B | PRESSURIZER HEATER BACKUP GROUP 1B | C | TRIP | NONE | NONE | Z42151
RH | RHR PUMP 1A | RESIDUAL HEAT REMOVAL PUMP 1A | A | STOP | 5.4-6 | 9F20000 | Z42180
RH | RHR PUMP 1B | RESIDUAL HEAT REMOVAL PUMP 1B | B | STOP | 5.4-6 | 9F20000 | Z42180
RH | RHR PUMP 1C | RESIDUAL HEAT REMOVAL PUMP 1C | C | STOP | 5.4-6 | 9F20000 | Z42180
RM | FV-7659 | REACTOR MAKEUP WATER NON-ESSENTIAL SERVICES ISOL. VALVE | C | CLOSE | 9.2.7-1 | 9F05033 | Z40072
TABLE 7.3-5 (Continued)
SAFETY-INJECTION-ACTUATED EQUIPMENT LIST
SYSTEM | EQUIP. IDENTIF. | DESCRIPTION | ESF TRAIN | FUNCTION | FIGURE NUMBER | P & ID NUMBER | LOGIC NUMBER
RM | FV-7663 | REACTOR MAKEUP WATER NON-ESSENTIAL SERVICES ISOL. VALVE | B | CLOSE | 9.2.7-1 | 9F05033 | Z40072
SI | FV-3936 | RWST TO SFPCCS ISOLATION VALVE | A | CLOSE | 6.3-1 | 9F05013 | Z42008
SI | FV-3937 | RWST TO SFPCCS ISOLATION VALVE | B | CLOSE | 6.3-1 | 9F05013 | Z42008
SI | HHSI PUMP 1A | HIGH HEAD SAFETY INJECTION PUMP 1A | A | START* | 6.3-1 | 9F05013 | Z42000
SI | HHSI PUMP 1B | HIGH HEAD SAFETY INJECTION PUMP 1B | B | START* | 6.3-2 | 9F05014 | Z42000
SI | HHSI PUMP 1C | HIGH HEAD SAFETY INJECTION PUMP 1C | C | START* | 6.3-3 | 9F05015 | Z42000
SI | LHSI PUMP 1A | LOW HEAD SAFETY INJECTION PUMP 1A | A | START* | 6.3-1 | 9F05013 | Z42000
SI | LHSI PUMP 1B | LOW HEAD SAFETY INJECTION PUMP 1B | B | START* | 6.3-2 | 9F05014 | Z42000
SI | LHSI PUMP 1C | LOW HEAD SAFETY INJECTION PUMP 1C | C | START* | 6.3-3 | 9F05015 | Z42000
SI | XSI0039A | ACCUMULATOR DISCHARGE ISOLATION VALVE | A | OPEN | 6.3-4 | 9F05016 | Z42028
SI | XSI0039B | ACCUMULATOR DISCHARGE ISOLATION VALVE | B | OPEN | 6.3-4 | 9F05016 | Z42028
SI | XSI0039C | ACCUMULATOR DISCHARGE ISOLATION VALVE | C | OPEN | 6.3-4 | 9F05016 | Z42028
PK | DG 11 BRKR | STANDBY DIESEL GENERATOR FEEDER BREAKER | A | SEE FIG. | 8.3-4 SH3 | NONE | Z42121
PK | DG 12 BRKR | STANDBY DIESEL GENERATOR FEEDER BREAKER | B | SEE FIG. | 8.3-4 SH3 | NONE | Z42121
PK | DG 13 BRKR | STANDBY DIESEL GENERATOR FEEDER BREAKER | C | SEE FIG. | 8.3-4 SH3 | NONE | Z42121
SF | SEQUENCER 1A | ESF LOAD SEQUENCER | A | START | 8.3-4 SH2 | NONE | Z42117
TABLE 7.3-5 (Continued)
SAFETY-INJECTION-ACTUATED EQUIPMENT LIST
SYSTEM | EQUIP. IDENTIF. | DESCRIPTION | ESF TRAIN | FUNCTION | FIGURE NUMBER | P & ID NUMBER | LOGIC NUMBER
SF | SEQUENCER 1B | ESF LOAD SEQUENCER | B | START | 8.3-4 SH2 | NONE | Z42118
SF | SEQUENCER 1C | ESF LOAD SEQUENCER | C | START | 8.3-4 SH2 | NONE | Z42119
* Actuation is through the ESF load sequencer.
** Equipment not directly actuated by ESFAS signal. Actuation is from equipment directly actuated.
See also Tables 7.3-7, 7.3-9, 7.3-11, 7.3-15, 7.3-17 and 7.3-18. Safety injection signal is used as an input to signals actuating the equipment listed in those tables.
TABLE 7.3-6 CONTAINMENT SPRAY ACTUATED EQUIPMENT LIST
SYSTEM | EQUIP. IDENTIF. | DESCRIPTION | ESF TRAIN | FUNCTION | FIGURE NUMBER | P & ID NUMBER | LOGIC NUMBER
CS | CSS PUMP 1A | CONTAINMENT SPRAY PUMP 1A | A | START* | 6.2.2-1 | 9F05037 | Z42130
CS | CSS PUMP 1B | CONTAINMENT SPRAY PUMP 1B | B | START* | 6.2.2-1 | 9F05037 | Z42130
CS | CSS PUMP 1C | CONTAINMENT SPRAY PUMP 1C | C | START* | 6.2.2-1 | 9F05037 | Z42130
CS | XCS0001A | CONTAINMENT SPRAY PUMP DISCHARGE VALVE | A | OPEN | 6.2.2-1 | 9F05037 | Z42132
CS | XCS0001B | CONTAINMENT SPRAY PUMP DISCHARGE VALVE | B | OPEN | 6.2.2-1 | 9F05037 | Z42132
CS | XCS0001C | CONTAINMENT SPRAY PUMP DISCHARGE VALVE | C | OPEN | 6.2.2-1 | 9F05037 | Z42132
HF | FHB AHU 004 | ESF PUMPS SUPPLEMENTARY COOLER 11A | A | START** | 9.4.2-1 | 9V00012 | Z41614
HF | FHB AHU 005 | ESF PUMPS SUPPLEMENTARY COOLER 11B | B | START** | 9.4.2-1 | 9V00012 | Z41614
HF | FHB AHU 006 | ESF PUMPS SUPPLEMENTARY COOLER 11C | C | START** | 9.4.2-1 | 9V00012 | Z41614
HF | FHB AHU 012 | SUPPLEMENTARY COOLER - SUMP ISOLATION VALVE CUBICLE 11A | A | START** | 9.4.2-1 | 9V00012 | Z41741
HF | FHB AHU 013 | SUPPLEMENTARY COOLER - SUMP ISOLATION VALVE CUBICLE 11B | B | START** | 9.4.2-1 | 9V00012 | Z41741
HF | FHB AHU 014 | SUPPLEMENTARY COOLER - SUMP ISOLATION VALVE CUBICLE 11C | C | START** | 9.4.2-1 | 9V00012 | Z41741
* Actuation is through the ESF load sequencer.
** Equipment not directly actuated by ESFAS signal. Actuation is from equipment directly actuated.
TABLE 7.3-7 CONTAINMENT ISOLATION PHASE A ACTUATED EQUIPMENT LIST
SYSTEM | EQUIP. IDENTIF. | DESCRIPTION | ESF TRAIN | FUNCTION | FIGURE NUMBER | P & ID NUMBER | LOGIC NUMBER
AP | FV-2453 | POST ACCIDENT SAMPLING CONT. ISOL. VALVE | A | CLOSE | 9.3.2-15 | 9Z47501 | Z41894
AP | FV-2454 | POST ACCIDENT SAMPLING CONT. ISOL. VALVE | A | CLOSE | 9.3.2-15 | 9Z47501 | Z41896
AP | FV-2455 | POST ACCIDENT SAMPLING CONT. ISOL. VALVE | B | CLOSE | 9.3.2-15 | 9Z47501 | Z41925
AP | FV-2455A | POST ACCIDENT SAMPLING CONT. ISOL. VALVE | B | CLOSE | 9.3.2-15 | 9Z47501 | Z41925
AP | FV-2456 | POST ACCIDENT SAMPLING CONT. ISOL. VALVE | C | CLOSE | 9.3.2-15 | 9Z47501 | Z41894
AP | FV-2457 | POST ACCIDENT SAMPLING CONT. ISOL. VALVE | C | CLOSE | 9.3.2-15 | 9Z47501 | Z41894
AP | FV-2458 | POST ACCIDENT SAMPLING CONT. ISOL. VALVE | C | CLOSE | 9.3.2-15 | 9Z47501 | Z41896
CM | FV-4101 | CONT. HYDROGEN MONITORING CONT. ISOL. VALVE | A | CLOSE | 7.6-7 | 9Z00046 | Z41502
CM | FV-4104 | CONT. HYDROGEN MONITORING CONT. ISOL. VALVE | C | CLOSE | 7.6-7 | 9Z00046 | Z41502
CM | FV-4127 | CONT. HYDROGEN MONITORING CONT. ISOL. VALVE | A | CLOSE | 7.6-7 | 9Z00046 | Z41502
CM | FV-4128 | CONT. HYDROGEN MONITORING CONT. ISOL. VALVE | A | CLOSE | 7.6-7 | 9Z00046 | Z41513
CM | FV-4133 | CONT. HYDROGEN MONITORING CONT. ISOL. VALVE | C | CLOSE | 7.6-7 | 9Z00046 | Z41502
CM | FV-4134 | CONT. HYDROGEN MONITORING CONT. ISOL. VALVE | C | CLOSE | 7.6-7 | 9Z00046 | Z41513
CM | FV-4135 | CONT. HYDROGEN MONITORING CONT. ISOL. VALVE | A | CLOSE | 7.6-7 | 9Z00046 | Z41513
CM | FV-4136 | CONT. HYDROGEN MONITORING CONT. ISOL. VALVE | C | CLOSE | 7.6-7 | 9Z00046 | Z41513
CV | CV0033A | SEAL WATER INJECTION CONT. ISOL. VALVE | B | CLOSE* | 9.3.4-1 | 9F05005 | Z42413
CV | CV0033B | SEAL WATER INJECTION CONT. ISOL. VALVE | B | CLOSE* | 9.3.4-1 | 9F05005 | Z42413
CV | CV0033C | SEAL WATER INJECTION CONT. ISOL. VALVE | B | CLOSE* | 9.3.4-1 | 9F05005 | Z42413
* Isolation signal is Containment isolation phase A signal concurrent with low charging header pressure.
TABLE 7.3-7 (Continued)
CONTAINMENT ISOLATION PHASE A ACTUATED EQUIPMENT LIST
SYSTEM | EQUIP. IDENTIF. | DESCRIPTION | ESF TRAIN | FUNCTION | FIGURE NUMBER | P & ID NUMBER | LOGIC NUMBER
CV | CV0033D | SEAL WATER INJECTION CONT. ISOL. VALVE | B | CLOSE* | 9.3.4-1 | 9F05005 | Z42413
CV | CV0077 | SEAL WATER RETURN CONT. ISOL. VALVE | C | CLOSE | 9.3.4-1 | 9F05005 | Z42412
CV | CV0079 | SEAL WATER RETURN CONT. ISOL. VALVE | B | CLOSE | 9.3.4-1 | 9F05005 | Z42412
CV | FV-0011 | LETDOWN ORIFICE HEADER ISOLATION VALVE | C | CLOSE | 9.3.4-1 | 9F05005 | Z42451
CV | XCV0023 | LETDOWN CONT. ISOL. VALVE | C | CLOSE | 9.3.4-1 | 9F05005 | Z42410
CV | XCV0024 | LETDOWN CONT. ISOL. VALVE | B | CLOSE | 9.3.4-1 | 9F05005 | Z42410
CV | XCV0025 | CHARGING CONT. ISOL. VALVE | A | CLOSE | 9.3.4-1 | 9F05005 | Z42416
ED | ED0064 | CONT. SUMP DISCHARGE CONT. ISOL. VALVE | B | CLOSE | 9.3.3-1 | 9F05030 | Z42317
ED | FV-7800 | CONT. SUMP DISCHARGE CONT. ISOL. VALVE | A | CLOSE | 9.3.3-1 | 9F05030 | Z42318
FP | FP0756 | FIRE PROTECTION SYSTEM CONT. ISOL. VALVE | C | CLOSE | 9.5.1-55 | 9F05047 | Z40061
IA | FV-8565 | INSTRUMENT AIR CONT. ISOL. VALVE | B | CLOSE | 9.3.1-3 | 9F05040 | Z40012
PS | FV-4450 | PRESSURIZER VAPOR SAMPLING CONT. ISOL. VALVE | B | CLOSE | 9.3.2-11 | 9Z00045 | Z41516
PS | FV-4451 | PRESSURIZER LIQUID SAMPLING CONT. ISOL. VALVE | B | CLOSE | 9.3.2-11 | 9Z00045 | Z41516
PS | FV-4451B | PRESSURIZER LIQUID SAMPLING CONT. ISOL. VALVE | C | CLOSE | 9.3.2-11 | 9Z00045 | Z41509
PS | FV-4452 | PRESSURIZER VAPOR SAMPLING CONT. ISOL. VALVE | C | CLOSE | 9.3.2-11 | 9Z00045 | Z41509
PS | FV-4454 | REACTOR COOLANT HOT LEG SAMPLING CONT. ISOL. VALVE | C | CLOSE | 9.3.2-11 | 9Z00045 | Z41518
PS | FV-4455 | REACTOR COOLANT HOT LEG SAMPLING CONT. ISOL. VALVE | C | CLOSE | 9.3.2-11 | 9Z00045 | Z41518
* Isolation signal is Containment isolation phase A signal concurrent with low charging header pressure.
TABLE 7.3-7 (Continued)
CONTAINMENT ISOLATION PHASE A ACTUATED EQUIPMENT LIST
SYSTEM | EQUIP. IDENTIF. | DESCRIPTION | ESF TRAIN | FUNCTION | FIGURE NUMBER | P & ID NUMBER | LOGIC NUMBER
PS | FV-4456 | REACTOR COOLANT HOT LEG SAMPLING CONT. ISOL. VALVE | B | CLOSE | 9.3.2-11 | 9Z00045 | Z41509
PS | FV-4461 | RHR SAMPLING CONT. ISOL. VALVE | C | CLOSE | 9.3.2-11 | 9Z00045 | Z41509
PS | FV-4466 | ACCUMULATORS SAMPLING CONT. ISOL. VALVE | B | CLOSE | 9.3.2-11 | 9Z00045 | Z41509
PS | FV-4823 | RHR SAMPLING CONT. ISOL. VALVE | B | CLOSE | 9.3.2-11 | 9Z00045 | Z41515
PS | FV-4824 | ACCUMULATORS SAMPLING CONT. ISOL. VALVE | C | CLOSE | 9.3.2-11 | 9Z00045 | Z41517
RC | FV-3651 | PRESSURIZER RELIEF TANK CONT. ISOL. VALVE | B | CLOSE | 5.1-4 | 9F05004 | Z42157
RC | FV-3652 | PRESSURIZER RELIEF TANK CONT. ISOL. VALVE | B | CLOSE | 5.1-4 | 9F05004 | Z42157
RC | FV-3653 | PRT VENT CONT. ISOL. VALVE | A | CLOSE | 5.1-4 | 9F05004 | Z42158
SI | FV-3970 | SIS TEST LINE CONT. ISOL. VALVE | B | CLOSE | 6.3-4 | 9F05016 | Z42009
SI | FV-3971 | SIS TEST LINE CONT. ISOL. VALVE | A | CLOSE | 6.3-4 | 9F05016 | Z42009
SI | FV-3983 | SIS NITROGEN HEADER CONT. ISOL. VALVE | A | CLOSE | 6.3-4 | 9F05016 | Z42009
WL | FV-4913 | RCDT DISCHARGE CONT. ISOL. VALVE | B | CLOSE | 11.2-1 | 9F05022 | Z42272
WL | FV-4919 | RCDT VENT CONT. ISOL. VALVE | B | CLOSE | 11.2-1 | 9F05022 | Z42272
WL | FV-4920 | RCDT VENT CONT. ISOL. VALVE | A | CLOSE | 11.2-1 | 9F05022 | Z42271
WL | WL0312 | LWPS CONT. ISOL. VALVE | A | CLOSE | 11.2-1 | 9F05022 | Z42262
XC | FV1025 | PERSONNEL AIRLOCK AIR SUPPLY ISOL. VALVE | A | CLOSE | N/A | 9F05060 | Z41540
XC | FV1026 | PERSONNEL AIRLOCK AIR SUPPLY ISOL. VALVE | A | CLOSE | N/A | 9F05060 | Z41540
XC | FV1027 | PERSONNEL AIRLOCK AUTO LEAK RATE MONIT. ISOL. VALVE | A | CLOSE | N/A | 9F05060 | Z41540
XC | FV1028 | PERSONNEL AIRLOCK AUTO LEAK RATE MONIT. ISOL. VALVE | A | CLOSE | N/A | 9F05060 | Z41540
TABLE 7.3-8 CONTAINMENT ISOLATION PHASE B ACTUATED EQUIPMENT LIST
SYSTEM | EQUIP. IDENTIF. | DESCRIPTION | ESF TRAIN | FUNCTION | FIGURE NUMBER | P & ID NUMBER | LOGIC NUMBER
CC | CC0291 | CCW TO RCPs CONT. ISOL. VALVE | A | CLOSE | 9.2.2-5 | 9F05021 | Z42046
CC | CC0318 | CCW TO RCPs CONT. ISOL. VALVE | B | CLOSE | 9.2.2-5 | 9F05021 | Z42046
CC | CC0403 | CCW FROM RCPs CONT. ISOL. VALVE | B | CLOSE | 9.2.2-5 | 9F05021 | Z42052
CC | CC0404 | CCW FROM RCPs CONT. ISOL. VALVE | C | CLOSE | 9.2.2-5 | 9F05021 | Z42046
CC | CC0542 | CCW FROM RCPs CONT. ISOL. VALVE | A | CLOSE | 9.2.2-5 | 9F05021 | Z42052
CC | FV-4493 | CCW TO RCPs CONT. ISOL. VALVE | A | CLOSE | 9.2.2-5 | 9F05021 | Z42059
CC | FV-4493 | CCW TO RCPs CONT. ISOL. VALVE | B | CLOSE | 9.2.2-5 | 9F05021 | Z42059
TABLE 7.3-9 CONTAINMENT VENTILATION ISOLATION ACTUATED EQUIPMENT LIST
SYSTEM | EQUIP. IDENTIF. | DESCRIPTION | ESF TRAIN | FUNCTION | FIGURE NUMBER | P & ID NUMBER | LOGIC NUMBER
HC | FV-9776 | RCB SUPPLEMENTARY PURGE CONT. ISOL. VALVE | A | CLOSE | 9.4.5-3 | 9V00019 | Z41782
HC | HC0003 | RCB SUPPLEMENTARY PURGE CONT. ISOL. VALVE | B | CLOSE | 9.4.5-3 | 9V00019 | Z41644
HC | HC0005 | RCB SUPPLEMENTARY PURGE CONT. ISOL. VALVE | B | CLOSE | 9.4.5-3 | 9V00019 | Z41644
HC | FV-9777 | RCB SUPPLEMENTARY PURGE CONT. ISOL. VALVE | A | CLOSE | 9.4.5-3 | 9V00019 | Z41782
HC | HC0007 | RCB NORMAL PURGE CONT. ISOL. VALVE | A | CLOSE | 9.4.5-2 | 9V00018 | Z41648
HC | HC0008 | RCB NORMAL PURGE CONT. ISOL. VALVE | B | CLOSE | 9.4.5-2 | 9V00018 | Z41648
HC | HC0009 | RCB NORMAL PURGE CONT. ISOL. VALVE | A | CLOSE | 9.5.4-2 | 9V00018 | Z41648
HC | HC0010 | RCB NORMAL PURGE CONT. ISOL. VALVE | B | CLOSE | 9.4.5-2 | 9V00018 | Z41648
RA | RA0001 | RCB ATMOS. RAD MONITOR CONT. ISOL. VALVE | B | CLOSE | 9.4.5-1 | 9V00017 | Z41911
RA | RA0003 | RCB ATMOS. RAD MONITOR CONT. ISOL. VALVE | B | CLOSE | 9.4.5-1 | 9V00017 | Z41911
RA | RA0004 | RCB ATMOS. RAD MONITOR CONT. ISOL. VALVE | A | CLOSE | 9.4.5-1 | 9V00017 | Z41911
RA | RA0006 | RCB ATMOS. RAD MONITOR CONT. ISOL. VALVE | A | CLOSE | 9.4.5-1 | 9V00017 | Z41911
TABLE 7.3-10 STEAM LINE ISOLATION ACTUATED EQUIPMENT LIST
SYSTEM | EQUIP. IDENTIF. | DESCRIPTION | ESF TRAIN | FUNCTION | FIGURE NUMBER | P & ID NUMBER | LOGIC NUMBER
MS | FSV-7414 | MAIN STEAM ISOLATION VALVE | A | CLOSE | 10.3-1 | 9F00016 | Z40076
MS | FSV-7414 | MAIN STEAM ISOLATION VALVE | B | CLOSE | 10.3-1 | 9F00016 | Z40076
MS | FSV-7424 | MAIN STEAM ISOLATION VALVE | A | CLOSE | 10.3-1 | 9F00016 | Z40076
MS | FSV-7424 | MAIN STEAM ISOLATION VALVE | B | CLOSE | 10.3-1 | 9F00016 | Z40076
MS | FSV-7434 | MAIN STEAM ISOLATION VALVE | A | CLOSE | 10.3-1 | 9F00016 | Z40076
MS | FSV-7434 | MAIN STEAM ISOLATION VALVE | B | CLOSE | 10.3-1 | 9F00016 | Z40076
MS | FSV-7444 | MAIN STEAM ISOLATION VALVE | A | CLOSE | 10.3-1 | 9F00016 | Z40076
MS | FSV-7444 | MAIN STEAM ISOLATION VALVE | B | CLOSE | 10.3-1 | 9F00016 | Z40076
MS | FV-7412 | MAIN STEAM ISOLATION BYPASS VALVE | A | CLOSE | 10.3-1 | 9F00016 | Z40078
MS | FV-7412 | MAIN STEAM ISOLATION BYPASS VALVE | B | CLOSE | 10.3-1 | 9F00016 | Z40078
MS | FV-7422 | MAIN STEAM ISOLATION BYPASS VALVE | A | CLOSE | 10.3-1 | 9F00016 | Z40078
MS | FV-7422 | MAIN STEAM ISOLATION BYPASS VALVE | B | CLOSE | 10.3-1 | 9F00016 | Z40078
MS | FV-7432 | MAIN STEAM ISOLATION BYPASS VALVE | A | CLOSE | 10.3-1 | 9F00016 | Z40078
MS | FV-7432 | MAIN STEAM ISOLATION BYPASS VALVE | B | CLOSE | 10.3-1 | 9F00016 | Z40078
MS | FV-7442 | MAIN STEAM ISOLATION BYPASS VALVE | A | CLOSE | 10.3-1 | 9F00016 | Z40078
MS | FV-7442 | MAIN STEAM ISOLATION BYPASS VALVE | B | CLOSE | 10.3-1 | 9F00016 | Z40078
TABLE 7.3-11 FEEDWATER ISOLATION ACTUATED EQUIPMENT LIST
SYSTEM | EQUIP. IDENTIF. | DESCRIPTION | ESF TRAIN | FUNCTION | FIGURE NUMBER | P & ID NUMBER | LOGIC NUMBER
FW | FCV-551 | MAIN FEEDWATER CONTROL VALVE | A | CLOSE | 10.4.7-4 | 9F00063 | Z40112
FW | FCV-551 | MAIN FEEDWATER CONTROL VALVE | B | CLOSE | 10.4.7-4 | 9F00063 | Z40112
FW | FCV-552 | MAIN FEEDWATER CONTROL VALVE | A | CLOSE | 10.4.7-4 | 9F00063 | Z40112
FW | FCV-552 | MAIN FEEDWATER CONTROL VALVE | B | CLOSE | 10.4.7-4 | 9F00063 | Z40112
FW | FCV-553 | MAIN FEEDWATER CONTROL VALVE | A | CLOSE | 10.4.7-4 | 9F00063 | Z40112
FW | FCV-553 | MAIN FEEDWATER CONTROL VALVE | B | CLOSE | 10.4.7-4 | 9F00063 | Z40112
FW | FCV-554 | MAIN FEEDWATER CONTROL VALVE | A | CLOSE | 10.4.7-4 | 9F00063 | Z40112
FW | FCV-554 | MAIN FEEDWATER CONTROL VALVE | B | CLOSE | 10.4.7-4 | 9F00063 | Z40112
FW | FV-7141 | MAIN FEEDWATER ISOLATION VALVE | A | CLOSE | 10.4.7-4 | 9F00063 | Z40116
FW | FV-7141 | MAIN FEEDWATER ISOLATION VALVE | B | CLOSE | 10.4.7-4 | 9F00063 | Z40116
FW | FV-7142 | MAIN FEEDWATER ISOLATION VALVE | A | CLOSE | 10.4.7-4 | 9F00063 | Z40116
FW | FV-7142 | MAIN FEEDWATER ISOLATION VALVE | B | CLOSE | 10.4.7-4 | 9F00063 | Z40116
FW | FV-7143 | MAIN FEEDWATER ISOLATION VALVE | A | CLOSE | 10.4.7-4 | 9F00063 | Z40116
FW | FV-7143 | MAIN FEEDWATER ISOLATION VALVE | B | CLOSE | 10.4.7-4 | 9F00063 | Z40116
FW | FV-7144 | MAIN FEEDWATER ISOLATION VALVE | A | CLOSE | 10.4.7-4 | 9F00063 | Z40116
FW | FV-7144 | MAIN FEEDWATER ISOLATION VALVE | B | CLOSE | 10.4.7-4 | 9F00063 | Z40116
FW | FV-7145A | MAIN FEEDWATER ISOLATION BYPASS VALVE | A | CLOSE | 10.4.7-4 | 9F00063 | Z40121
FW | FV-7145A | MAIN FEEDWATER ISOLATION BYPASS VALVE | B | CLOSE | 10.4.7-4 | 9F00063 | Z40121
FW | FV-7146A | MAIN FEEDWATER ISOLATION BYPASS VALVE | A | CLOSE | 10.4.7-4 | 9F00063 | Z40121
FW | FV-7146A | MAIN FEEDWATER ISOLATION BYPASS VALVE | B | CLOSE | 10.4.7-4 | 9F00063 | Z40121
TABLE 7.3-11 (Continued)
FEEDWATER ISOLATION ACTUATED EQUIPMENT LIST
SYSTEM | EQUIP. IDENTIF. | DESCRIPTION | ESF TRAIN | FUNCTION | FIGURE NUMBER | P & ID NUMBER | LOGIC NUMBER
FW | FV-7147A | MAIN FEEDWATER ISOLATION BYPASS VALVE | A | CLOSE | 10.4.7-4 | 9F00063 | Z40121
FW | FV-7147A | MAIN FEEDWATER ISOLATION BYPASS VALVE | B | CLOSE | 10.4.7-4 | 9F00063 | Z40121
FW | FV-7148A | MAIN FEEDWATER ISOLATION BYPASS VALVE | A | CLOSE | 10.4.7-4 | 9F00063 | Z40121
FW | FV-7148A | MAIN FEEDWATER ISOLATION BYPASS VALVE | B | CLOSE | 10.4.7-4 | 9F00063 | Z40121
FW | FV-7151 | MAIN FEEDWATER CONTROL BYPASS VALVE | A | CLOSE | 10.4.7-4 | 9F00063 | Z40117
FW | FV-7151 | MAIN FEEDWATER CONTROL BYPASS VALVE | B | CLOSE | 10.4.7-4 | 9F00063 | Z40117
FW | FV-7152 | MAIN FEEDWATER CONTROL BYPASS VALVE | A | CLOSE | 10.4.7-4 | 9F00063 | Z40117
FW | FV-7152 | MAIN FEEDWATER CONTROL BYPASS VALVE | B | CLOSE | 10.4.7-4 | 9F00063 | Z40117
FW | FV-7153 | MAIN FEEDWATER CONTROL BYPASS VALVE | A | CLOSE | 10.4.7-4 | 9F00063 | Z40117
FW | FV-7153 | MAIN FEEDWATER CONTROL BYPASS VALVE | B | CLOSE | 10.4.7-4 | 9F00063 | Z40117
FW | FV-7154 | MAIN FEEDWATER CONTROL BYPASS VALVE | A | CLOSE | 10.4.7-4 | 9F00063 | Z40117
FW | FV-7154 | MAIN FEEDWATER CONTROL BYPASS VALVE | B | CLOSE | 10.4.7-4 | 9F00063 | Z40117
FW | FV-7189 | SG PREHEATER BYPASS ISOLATION VALVE | A | CLOSE | 10.4.7-4 | 9F00063 | Z40486
FW | FV-7189 | SG PREHEATER BYPASS ISOLATION VALVE | B | CLOSE | 10.4.7-4 | 9F00063 | Z40486
FW | FV-7190 | SG PREHEATER BYPASS ISOLATION VALVE | A | CLOSE | 10.4.7-4 | 9F00063 | Z40486
FW | FV-7190 | SG PREHEATER BYPASS ISOLATION VALVE | B | CLOSE | 10.4.7-4 | 9F00063 | Z40486
FW | FV-7191 | SG PREHEATER BYPASS ISOLATION VALVE | A | CLOSE | 10.4.7-4 | 9F00063 | Z40486
FW | FV-7191 | SG PREHEATER BYPASS ISOLATION VALVE | B | CLOSE | 10.4.7-4 | 9F00063 | Z40486
FW | FV-7192 | SG PREHEATER BYPASS ISOLATION VALVE | A | CLOSE | 10.4.7-4 | 9F00063 | Z40486
FW | FV-7192 | SG PREHEATER BYPASS ISOLATION VALVE | B | CLOSE | 10.4.7-4 | 9F00063 | Z40486

TABLE 7.3-11 (Continued)
FEEDWATER ISOLATION ACTUATED EQUIPMENT LIST
SYSTEM | EQUIP. IDENTIF. | DESCRIPTION | ESF TRAIN | FUNCTION | FIGURE NUMBER | P & ID NUMBER | LOGIC NUMBER
ACTUATED ONLY BY SAFETY INJECTION, OR SG HIGH-HIGH WATER LEVEL.
FW | SGFP 11 | MAIN STEAM GENERATOR FEED PUMP 11 | A | TRIP | 10.4.7-3 | 9F00061 | Z40482
FW | SGFP 11 | MAIN STEAM GENERATOR FEED PUMP 11 | B | TRIP | 10.4.7-3 | 9F00061 | Z40482
FW | SGFP 12 | MAIN STEAM GENERATOR FEED PUMP 12 | A | TRIP | 10.4.7-3 | 9F00061 | Z40482
FW | SGFP 12 | MAIN STEAM GENERATOR FEED PUMP 12 | B | TRIP | 10.4.7-3 | 9F00061 | Z40482
FW | SGFP 13 | MAIN STEAM GENERATOR FEED PUMP 13 | A | TRIP | 10.4.7-3 | 9F00061 | Z40482
FW | SGFP 13 | MAIN STEAM GENERATOR FEED PUMP 13 | B | TRIP | 10.4.7-3 | 9F00061 | Z40482
FW | ST-UP FW PMP | START-UP STEAM GENERATOR FEED PUMP | A | TRIP | 10.4.7-3 | 9F00061 | Z40483
FW | ST-UP FW PMP | START-UP STEAM GENERATOR FEED PUMP | B | TRIP | 10.4.7-3 | 9F00061 | Z40483
MS | PV-7174 & PV-7174A | MAIN STEAM TO DEAERATOR CONTROL VALVES | A | CLOSE | 10.4.7-3 | 9F20009 | Z40086
MS | PV-7174 & PV-7174A | MAIN STEAM TO DEAERATOR CONTROL VALVES | B | CLOSE | 10.4.7-3 | 9F20009 | Z40086
SP | TURBINE | MAIN TURBINE TRIP - AUTO STOP VALVES | A | TRIP | 10.3-2 | 9F00017 | Z40243
SP | TURBINE | MAIN TURBINE TRIP - AUTO STOP VALVES | B | TRIP | 10.3-2 | 9F00017 | Z40243

TABLE 7.3-15 AUXILIARY FEEDWATER INITIATION ACTUATED EQUIPMENT LIST
SYSTEM | EQUIP. IDENTIF. | DESCRIPTION | ESF TRAIN | FUNCTION | FIGURE NUMBER | P & ID NUMBER | LOGIC NUMBER
AF | AF0019 | AFW TURBINE TRAIN CONTAINMENT ISOLATION VALVE | A | OPEN | 10.4.9-1 | 9F00024 | Z40136
AF | AF0048 | AFW CONTAINMENT ISOLATION VALVE | A | OPEN | 10.4.9-1 | 9F00024 | Z40141
AF | AF0065 | AFW CONTAINMENT ISOLATION VALVE | B | OPEN | 10.4.9-1 | 9F00024 | Z40141
AF | AF0085 | AFW CONTAINMENT ISOLATION VALVE | C | OPEN | 10.4.9-1 | 9F00024 | Z40141
AF | AFW PUMP 11 | AFW MOTOR-DRIVEN PUMP 11 | A | START* | 10.4.9-1 | 9F00024 | Z40131
AF | AFW PUMP 12 | AFW MOTOR-DRIVEN PUMP 12 | B | START* | 10.4.9-1 | 9F00024 | Z40131
AF | AFW PUMP 13 | AFW MOTOR-DRIVEN PUMP 13 | C | START* | 10.4.9-1 | 9F00024 | Z40131
AF | FV-0143 | AFW PUMP TURBINE STEAM INLET BYPASS VALVE | A | OPEN** | 10.4.9-1 | 9F00024 | Z40132
AF | FV-7515 | AFW CROSSOVER VALVE | C | CLOSE | 10.4.9-1 | 9F00024 | Z40133
AF | FV-7516 | AFW CROSSOVER VALVE | B | CLOSE | 10.4.9-1 | 9F00024 | Z40133
AF | FV-7517 | AFW CROSSOVER VALVE | A | CLOSE | 10.4.9-1 | 9F00024 | Z40133
AF | FV-7518 | AFW CROSSOVER VALVE | A | CLOSE | 10.4.9-1 | 9F00024 | Z40134
AF | FV-7523 | AFW FLOW REGULATOR VALVE | C | CONTROL | 10.4.9-1 | 9F00024 | Z40142
AF | FV-7524 | AFW FLOW REGULATOR VALVE | B | CONTROL | 10.4.9-1 | 9F00024 | Z40142
AF | FV-7525 | AFW FLOW REGULATOR VALVE | A | CONTROL | 10.4.9-1 | 9F00024 | Z40142
AF | FV-7526 | AFW TURBINE TRAIN FLOW REGULATOR VALVE | A | CONTROL | 10.4.9-1 | 9F00024 | Z40140
AF | MS0143 | AFW PUMP TURBINE MAIN STEAM INLET VALVE | A | OPEN | 10.4.9-1 | 9F00024 | Z40132
AF | XMS0514 | AFW PUMP TURBINE TRIP & THROTTLE VALVE | A | OPEN | 10.4.9-1 | 9F00024 | Z40135
HC | IVC FAN 001 | MSIVC VENT FAN 11A - FOR AFW PUMP 11 | A | START** | 9.4.8-1 | 9V25008 | Z41634
HC | IVC FAN 002 | MSIVC VENT FAN 11B - FOR AFW PUMP 12 | B | START** | 9.4.8-1 | 9V25008 | Z41634

TABLE 7.3-15 (Continued)
AUXILIARY FEEDWATER INITIATION ACTUATED EQUIPMENT LIST
SYSTEM | EQUIP. IDENTIF. | DESCRIPTION | ESF TRAIN | FUNCTION | FIGURE NUMBER | P & ID NUMBER | LOGIC NUMBER
HC | IVC FAN 003 | MSIVC VENT FAN 11C - FOR AFW PUMP 13 | C | START** | 9.4.8-1 | 9V25008 | Z41634
HC | IVC FAN 004 | MSIVC VENT FAN FOR AFW TURBINE-DRIVEN PUMP | A | START** | 9.4.8-1 | 9V25008 | Z41634
SB | FV-4150 | SG BLOWDOWN CONTAINMENT ISOLATION VALVE | A | CLOSE | 10.4.8-1 | 9F20001 | Z40203
SB | FV-4150 | SG BLOWDOWN CONTAINMENT ISOLATION VALVE | B | CLOSE | 10.4.8-1 | 9F20001 | Z40203
SB | FV-4151 | SG BLOWDOWN CONTAINMENT ISOLATION VALVE | A | CLOSE | 10.4.8-1 | 9F20001 | Z40203
SB | FV-4151 | SG BLOWDOWN CONTAINMENT ISOLATION VALVE | C | CLOSE | 10.4.8-1 | 9F20001 | Z40203
SB | FV-4152 | SG BLOWDOWN CONTAINMENT ISOLATION VALVE | B | CLOSE | 10.4.8-1 | 9F20001 | Z40203
SB | FV-4152 | SG BLOWDOWN CONTAINMENT ISOLATION VALVE | C | CLOSE | 10.4.8-1 | 9F20001 | Z40203
SB | FV-4153 | SG BLOWDOWN CONTAINMENT ISOLATION VALVE | A | CLOSE | 10.4.8-1 | 9F20001 | Z40203
SB | FV-4153 | SG BLOWDOWN CONTAINMENT ISOLATION VALVE | B | CLOSE | 10.4.8-1 | 9F20001 | Z40203
SB | FV-4186 | SG BLOWDOWN CONTAINMENT ISOLATION VALVE | A | CLOSE | 10.4.8-1 | 9F20001 | Z40208
SB | FV-4186 | SG BLOWDOWN CONTAINMENT ISOLATION VALVE | B | CLOSE | 10.4.8-1 | 9F20001 | Z40208
SB | FV-4187 | SG BLOWDOWN CONTAINMENT ISOLATION VALVE | C | CLOSE | 10.4.8-1 | 9F20001 | Z40208
SB | FV-4187 | SG BLOWDOWN CONTAINMENT ISOLATION VALVE | A | CLOSE | 10.4.8-1 | 9F20001 | Z40208
SB | FV-4188 | SG BLOWDOWN CONTAINMENT ISOLATION VALVE | B | CLOSE | 10.4.8-1 | 9F20001 | Z40208
SB | FV-4188 | SG BLOWDOWN CONTAINMENT ISOLATION VALVE | C | CLOSE | 10.4.8-1 | 9F20001 | Z40208
SB | FV-4189 | SG BLOWDOWN CONTAINMENT ISOLATION VALVE | A | CLOSE | 10.4.8-1 | 9F20001 | Z40208
SB | FV-4189 | SG BLOWDOWN CONTAINMENT ISOLATION VALVE | B | CLOSE | 10.4.8-1 | 9F20001 | Z40208
* Actuation is through the ESF load sequencer.
** Equipment not actuated directly by ESFAS signal. Actuation is from equipment directly actuated.
*** Only when MS0143 is closed.
TABLE 7.3-16 SENSITIVITY AND RESPONSE TIMES OF RADIATION MONITORS USED FOR ESFAS
Monitor Description | Sensitivity | Response Time*
Control Room/EAB Ventilation | 5.3 x 10^-8 Ci/cm^3 | 8.0 seconds
Spent Fuel Pool Ventilation | 1.1 x 10^-7 Ci/cm^3 | 12.0 seconds
* Response time given includes ESFAS circuitry response time and radiation monitor response time for the design basis accident. Response time for radiation monitors is radiation-level dependent.
TABLE 7.3-17 CONTROL ROOM ENVELOPE HVAC ESFAS ACTUATED EQUIPMENT LIST
SYSTEM | EQUIP. IDENTIF. | DESCRIPTION | ESF TRAIN | FUNCTION | FIGURE NUMBER | P & ID NUMBER | LOGIC NUMBER
HE | CR FAN 004 | CONTROL ROOM MAKEUP AIR FAN 11A | A | START* | 9.4.1-2 | 9V25003 | Z41571
HE | CR FAN 005 | CONTROL ROOM MAKEUP AIR FAN 11B | B | START* | 9.4.1-2 | 9V25003 | Z41571
HE | CR FAN 006 | CONTROL ROOM MAKEUP AIR FAN 11C | C | START* | 9.4.1-2 | 9V25003 | Z41571
HE | CR FAN 007 | CONTROL ROOM CLEANUP AIR FAN 11A | A | START* | 9.4.1-2 | 9V25004 | Z41575
HE | CR FAN 008 | CONTROL ROOM CLEANUP AIR FAN 11B | B | START* | 9.4.1-2 | 9V25004 | Z41575
HE | CR FAN 009 | CONTROL ROOM CLEANUP AIR FAN 11C | C | START* | 9.4.1-2 | 9V25004 | Z41575
HE | CR FAN 017 | CONTROL ROOM SUPPLY AIR FAN 11A | A | START* | 9.4.1-2 | 9V25004 | Z41594
HE | CR FAN 018 | CONTROL ROOM SUPPLY AIR FAN 11B | B | START* | 9.4.1-2 | 9V25004 | Z41594
HE | CR FAN 019 | CONTROL ROOM SUPPLY AIR FAN 11C | C | START* | 9.4.1-2 | 9V25004 | Z41594
HE | CR FAN 025 | CONTROL ROOM RETURN AIR FAN 11A | A | START* | 9.4.1-2 | 9V25004 | Z41574
HE | CR FAN 026 | CONTROL ROOM RETURN AIR FAN 11B | B | START* | 9.4.1-2 | 9V25004 | Z41574
HE | CR FAN 027 | CONTROL ROOM RETURN AIR FAN 11C | C | START* | 9.4.1-2 | 9V25004 | Z41574
HE | CR HX 004 | CONTROL ROOM ENVELOPE MAKEUP UNIT HEATING COIL 11A | A | ON** | 9.4.1-2 | 9V25003 | Z41707
HE | CR HX 005 | CONTROL ROOM ENVELOPE MAKEUP UNIT HEATING COIL 11B | B | ON** | 9.4.1-2 | 9V25003 | Z41707
HE | CR HX 006 | CONTROL ROOM ENVELOPE MAKEUP UNIT HEATING COIL 11C | C | ON** | 9.4.1-2 | 9V25003 | Z41707
HE | FCV-9584 | CONTROL ROOM ENVELOPE MAKEUP FLOW CONTROL DAMPER | A | CONTROL** | 9.4.1-2 | 9V25003 | Z41706
HE | FCV-9585 | CONTROL ROOM ENVELOPE MAKEUP FLOW CONTROL DAMPER | B | CONTROL** | 9.4.1-2 | 9V25003 | Z41706
HE | FCV-9586 | CONTROL ROOM ENVELOPE MAKEUP FLOW CONTROL DAMPER | C | CONTROL** | 9.4.1-2 | 9V25003 | Z41706
HE | FCV-9339 | CONTROL ROOM MAKEUP AIR DAMPER | A | OPEN* | 9.4.1-2 | 9V25003 | Z41587
HE | FCV-9365 | CONTROL ROOM MAKEUP AIR DAMPER | B | OPEN* | 9.4.1-2 | 9V25003 | Z41587

TABLE 7.3-17 (Continued)
CONTROL ROOM ENVELOPE HVAC ESFAS ACTUATED EQUIPMENT LIST
SYSTEM | EQUIP. IDENTIF. | DESCRIPTION | ESF TRAIN | FUNCTION | FIGURE NUMBER | P & ID NUMBER | LOGIC NUMBER
HE | FV-9391 | CONTROL ROOM MAKEUP AIR DAMPER | C | OPEN* | 9.4.1-2 | 9V25003 | Z41587
HE | FV-9664 | CONTROL ROOM ENVELOPE INLET ISOLATION DAMPER | C | CLOSE* | 9.4.1-2 | 9V25004 | Z41597
HE | FV-9665 | CONTROL ROOM ENVELOPE INLET ISOLATION DAMPER | A | CLOSE* | 9.4.1-2 | 9V25004 | Z41597
HE | FV-9667 | CONTROL ROOM ENVELOPE INLET ISOLATION DAMPER | A | CLOSE* | 9.4.1-2 | 9V25004 | Z41597
HE | FV-9668 | CONTROL ROOM ENVELOPE INLET ISOLATION DAMPER | B | CLOSE* | 9.4.1-2 | 9V25004 | Z41597
HE | FV-9670 | CONTROL ROOM ENVELOPE INLET ISOLATION DAMPER | A | CLOSE* | 9.4.1-2 | 9V25004 | Z41597
HE | FV-9671 | CONTROL ROOM ENVELOPE INLET ISOLATION DAMPER | B | CLOSE* | 9.4.1-2 | 9V25004 | Z41597
HE | FV-9673 | CONTROL ROOM HVAC TOILET & KITCHEN EXHAUST ISOL. DAMPER | A | CLOSE* | 9.4.1-2 | 9V25004 | Z41597
HE | FV-9674 | CONTROL ROOM HVAC TOILET & KITCHEN EXHAUST ISOL. DAMPER | B | CLOSE* | 9.4.1-2 | 9V25004 | Z41597
HE | FV-9675 | CONTROL ROOM CLEANUP UNIT INLET DAMPER | C | OPEN* | 9.4.1-2 | 9V25004 | Z41595
HE | FV-9676 | CONTROL ROOM CLEANUP UNIT INLET DAMPER | B | OPEN* | 9.4.1-2 | 9V25004 | Z41595
HE | FV-9677 | CONTROL ROOM CLEANUP UNIT INLET DAMPER | A | OPEN* | 9.4.1-2 | 9V25004 | Z41595
HE | FV-9696 | CONTROL ROOM HVAC RETURN AIR DAMPER | C | CLOSE* | 9.4.1-2 | 9V25004 | Z41598
HE | FV-9697 | CONTROL ROOM HVAC RETURN AIR DAMPER | B | CLOSE* | 9.4.1-2 | 9V25004 | Z41598
HE | FV-9698 | CONTROL ROOM HVAC RETURN AIR DAMPER | A | CLOSE* | 9.4.1-2 | 9V25004 | Z41598
* Actuation is through the ESF load sequencer.
** Equipment not actuated directly by ESFAS signal. Actuation is from equipment directly actuated.
TABLE 7.3-18 FUEL HANDLING BUILDING HVAC ESFAS ACTUATED EQUIPMENT LIST
SYSTEM | EQUIP. IDENTIF. | DESCRIPTION | ESF TRAIN | FUNCTION | FIGURE NUMBER | P & ID NUMBER | LOGIC NUMBER
HF | FHB FAN 001 | FHB HVAC MAIN SUPPLY FAN 11A | N | STOP* | 9.4.2-1 | 9V00012 | Z41600
HF | FHB FAN 002 | FHB HVAC MAIN SUPPLY FAN 11B | N | STOP* | 9.4.2-1 | 9V00012 | Z41600
HF | FHB FAN 003 | FHB HVAC MAIN SUPPLY FAN 11C | N | STOP* | 9.4.2-1 | 9V00012 | Z41600
HF | FHB FAN 004 | FHB HVAC MAIN EXHAUST FAN 11A | A | START | 9.4.2-2 | 9V00013 | Z41601
HF | FHB FAN 005 | FHB HVAC MAIN EXHAUST FAN 11B | B | START | 9.4.2-2 | 9V00013 | Z41601
HF | FHB FAN 006 | FHB HVAC MAIN EXHAUST FAN 11C | C | START | 9.4.2-2 | 9V00013 | Z41601
HF | FHB FAN 007 | FHB HVAC EXHAUST BOOSTER FAN 11A | A | START | 9.4.2-2 | 9V00013 | Z41602
HF | FHB FAN 008 | FHB HVAC EXHAUST BOOSTER FAN 11B | B | START | 9.4.2-2 | 9V00013 | Z41602
HF | FHB FAN 009 | FHB HVAC EXHAUST BOOSTER FAN 11C | C | START | 9.4.2-2 | 9V00013 | Z41602
HF | FV-9500 | FHB HVAC RELIEF SUPPLY DAMPER | A | OPEN | 9.4.2-1 | 9V00012 | Z41618
HF | FV-9500A | FHB HVAC RELIEF SUPPLY DAMPER | B | OPEN | 9.4.2-1 | 9V00012 | Z41618
HF | FV-9549 | FHB HVAC EXHAUST FILTER INLET DAMPER | A | OPEN | 9.4.2-2 | 9V00013 | Z41609
HF | FV-9549A | FHB HVAC EXHAUST FILTER INLET DAMPER | B | OPEN | 9.4.2-2 | 9V00013 | Z41609
HF | FV-9549C | FHB HVAC EXHAUST AIR BYPASS DAMPER | B | CLOSE | 9.4.2-2 | 9V00013 | Z41617
HF | FV-9549D | FHB HVAC EXHAUST AIR BYPASS DAMPER | A | CLOSE | 9.4.2-2 | 9V00013 | Z41617
HF | HV-9507 | FHB HVAC EXHAUST FILTER OUTLET DAMPER | A | OPEN | 9.4.2-2 | 9V00013 | Z41608
HF | HV-9507A | FHB HVAC EXHAUST FILTER OUTLET DAMPER | B | OPEN | 9.4.2-2 | 9V00013 | Z41608
* The supply fans are tripped whenever either relief supply damper is open.
STPEGS UFSAR 7.4-1 Revision 16
===7.4 SYSTEMS REQUIRED FOR SAFE SHUTDOWN===
The functions necessary for safe shutdown are available from instrumentation channels that are associated with the major systems in both the primary and secondary portions of the plant. These channels normally serve a variety of operational functions, including startup and shutdown, as well as protective functions. There are no identifiable safe shutdown systems per se. However, prescribed procedures for securing and maintaining the plant in a safe condition can be instituted by appropriate alignment of selected systems in the plant.
The instrumentation and control functions required for maintaining safe shutdown of the reactor discussed in this section are the minimum needed under nonaccident conditions. These functions permit the necessary operations that will:
: 1. Prevent the reactor from achieving criticality in violation of the Technical Specifications.
: 2. Provide an adequate heat sink so that design and safety limits are not exceeded.
The designation of systems that can be used for safe shutdown depends on identifying those systems which provide the following capabilities for maintaining a safe shutdown:
: 1. Circulation of reactor coolant
: 2. Boration 
: 3. Residual heat removal
====7.4.1 Description====
In the event of unit shutdown, the unit will be brought to and maintained at a safe shutdown condition under control from the main control room or from the auxiliary shutdown stations outside the control room, including the Auxiliary Shutdown Panel (ASP).
The auxiliary shutdown stations are described in Section 7.4.1.9. Safe shutdown is hot standby as defined in the Technical Specifications. The South Texas Project Electric Generating Station (STPEGS) capability to achieve cold shutdown is described in Appendix 5.4.A. The portions of the Reactor Trip System (RTS) required to achieve the shutdown condition are described in Section 7.2. The preferred method of circulation of reactor coolant is forced circulation with the reactor coolant pumps (RCPs) supplying the driving head. With a loss of offsite power (LOOP) the RCPs are not available and reactor coolant circulation is maintained by natural circulation. The minimum system and component controls and monitoring indicators required to maintain a safe shutdown under a nonaccident condition are tabulated and discussed below. The system and component controls and monitoring indicators provided outside the control room (on the ASP and at other auxiliary control stations) are discussed in Section 7.4.1.9.
: 1. Systems and Components Utilized for Safe Shutdown
: a. Auxiliary Feedwater System (AFWS)
: b. Atmospheric steam relief valves (Main Steam [MS] safety valves and steam generator [SG] power-operated relief valves)
: c. Pressurizer backup heaters
: d. Centrifugal charging pumps*
: e. Boric acid transfer pumps*
: f. Letdown stop valves*
: 2. Supporting Systems and Components*
: a. Essential cooling water (ECW) pumps*
: b. Component cooling water (CCW) pumps*
: c. Reactor Containment fan coolers (RCFCs)*
: d. Standby diesel generators (SBDG) (and associated onsite electrical distribution system)*
: e. Control room ventilation*
: f. Emergency Ventilation System for those areas housing equipment required for safe shutdown*
: g. Qualified Display Processing System (QDPS)*
: 3. Essential Monitoring Indicators
: a. Steam Generators
: 1) Water level for each SG*
: 2) Pressure for each SG*
: b. Reactor Coolant System (RCS)
: 1) Pressurizer water level*
: 2) RCS wide-range pressure*
: 3) RCS wide-range temperature (T hot and T cold)*
* Essential systems and components for safe shutdown
: c. Auxiliary Feedwater System
: 1) Auxiliary feedwater (AFW) flow to each SG*
: d. Chemical and Volume Control System (CVCS)
: 1) Charging flow
: 2) RCP seal injection flow
: e. Condensate Storage and Transfer System
: 1) Auxiliary feedwater storage tank (AFST) level
The description and design criteria for the essential monitoring indicators are described in Section 7.5 and Appendix 7B.
7.4.1.1. Auxiliary Feedwater Control. The Auxiliary Feedwater System (AFWS) consists of three motor-driven pumps and one steam turbine-driven pump, associated piping, valves, instruments, and controls as shown in Figure 10.4.9-1. The three motor-driven pump trains and the turbine-driven pump train are started automatically by the Engineered Safety Features Actuation System (ESFAS), the AMSAC system and Engineered Safety Features (ESF) load sequencers, as discussed below. All four pumps can be started manually from the control room or the ASP. Each pump feeds one SG through an individual AFW line. Flow control is provided by individual, motor-operated regulator valves that can be manually controlled from the control room or the ASP. When being controlled from the control room, the flow is limited below a preset value using the QDPS, described in Section 7.5.6. AFW flow indication and SG level for each SG are provided in the control room and on the ASP. Each AFW pump may be remote-manually cross-connected in the absence of a safety actuation signal to feed any combination of steam generators if instrument air is available. Manual valve operability is also provided.
The AFW turbine-driven pump is supplied with steam from SG 1D through the steam inlet valve and the turbine trip throttle valve. The steam inlet valve is normally open, allowing steam flow to the normally closed turbine trip throttle valve. Both valves receive open signals on an AFW initiation. Manual control of the steam inlet valve and the turbine trip throttle valve is available in the control room and on the ASP.
Status indication is provided in the control room and at the ASP for the motor-driven pumps, steam inlet valve, turbine trip and throttle valve, regulator valves, and isolation valves.
The AFWS is described in Section 10.4.9.
: 1. Initiating Circuits
The motor-driven pumps are immediately started on a two-out-of-four low-low water level signal from any SG or an AMSAC signal and are started by the ESF load sequencers following a safety injection (SI) signal or a LOOP. The AFW valves are automatically actuated to their proper position by a two-out-of-four low-low water level signal from any SG, an AMSAC signal or an SI signal. The flow to the SGs is not automatically provided after a LOOP until an SG low-low water level signal, an AMSAC signal or an SI signal is received. When being controlled from the control room, the AFW regulator valves are controlled by QDPS to limit the flow (at all times) into the SG to below a preset high value. After a two-out-of-four low-low water level signal from any SG, an AMSAC signal or an SI signal, flow is maintained between upper and lower limits using the QDPS, until manually reset. The control for an AFW regulator valve is shown on Figure 7.3-21B. The AMSAC system is described in Section 7.8.
: 2. Logic  See Figure 7.2-16.
: 3. Bypass  Control from the control room and automatic control are bypassed at the transfer switch panels when control is transferred to the ASP. This transfer of control is alarmed and indicated in the control room through the ESF Status Monitoring System (Section 7.5-4).
: 4. Interlocks  There are no interlocks.
: 5. Redundancy  Four level sensors for each steam generator and three actuation trains are provided for system actuation logic redundancy. Any two of the four AFW pumps provide sufficient feedwater for safe shutdown requirements.
: 6. Diversity  The SI signal, AMSAC signal and SG water level signals are provided for actuation diversity. AFWS diversity is provided by motor-driven pumps and one turbine-driven pump.
: 7. Actuated Devices  Actuated devices are listed in Table 7.3-15.
: 8. Supporting Systems  The Class 1E electric systems are required for AFW control. Ventilation support is required (Section 9.4.8). The AFST is required (Section 10.4.7).
: 9. Portion of System not Required for Safety  The ESF Status Monitoring System is not required for safety.
: 10. Design Basis Information  Design bases for the AFWS are that the operation will be controlled automatically by the ESFAS or manually from the control room or the ASP and that no single failure will prevent the system from performing the required safety function. AMSAC actuation is also provided as discussed in Section 7.8. The AFWS design basis is discussed in detail in Section 10.4.9.1.
7.4.1.2 Atmospheric Steam Relief. The MS safety valves and the SG power-operated relief valves (PORVs) are located upstream of the MS isolation valves outside of the Containment, and both provide a means of removing reactor heat thus achieving and maintaining a safe shutdown condition. The MS safety valves are full-capacity, spring-loaded valves which operate on MS line pressure only. They are described more fully in Section 10.3. These valves are independently capable of controlling SG pressure for a safe shutdown condition.
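The AFW initiating logic described under Section 7.4.1.1, items 1, 5 and 10 (two-out-of-four SG low-low level voting, AMSAC, SI and LOOP), modelled as an added example that is not part of the UFSAR or the plant's logic. Signal names, the SG labels other than 1D, and the stuck-channel failure model are assumptions made for the illustration.

```python
"""Simplified model of the AFW initiating circuits in Section 7.4.1.1, item 1.

Added illustration, not plant logic: signal names, the SG labels other than
"1D", and the stuck-channel failure model are assumptions for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

SG_NAMES = ["1A", "1B", "1C", "1D"]  # assumed labels; the text names only SG 1D


def two_out_of_four(tripped: List[bool]) -> bool:
    """Coincidence vote over one SG's four low-low level channels."""
    if len(tripped) != 4:
        raise ValueError("expected four level channels per steam generator")
    return sum(tripped) >= 2


@dataclass(frozen=True)
class AfwResponse:
    pumps_start_immediately: bool   # SG low-low level (any SG) or AMSAC
    pumps_start_by_sequencer: bool  # ESF load sequencer after SI or LOOP
    valves_actuated: bool           # SG low-low level (any SG), AMSAC or SI
    automatic_flow: bool            # a started pump and actuated valves


def afw_response(sg_channels: Dict[str, List[bool]], amsac: bool = False,
                 si: bool = False, loop: bool = False) -> AfwResponse:
    """Evaluate the motor-driven pump and valve actuation described in item 1."""
    low_low = any(two_out_of_four(ch) for ch in sg_channels.values())
    immediate = low_low or amsac
    sequenced = si or loop
    valves = low_low or amsac or si
    # LOOP alone starts pumps through the sequencer but does not actuate the
    # valves, so no flow is provided automatically until another signal arrives.
    flow = (immediate or sequenced) and valves
    return AfwResponse(immediate, sequenced, valves, flow)


def plant(tripped_on: Optional[Dict[str, List[bool]]] = None) -> Dict[str, List[bool]]:
    """All channels untripped, except for the SGs given in tripped_on."""
    state = {sg: [False] * 4 for sg in SG_NAMES}
    state.update(tripped_on or {})
    return state


def tolerates_single_channel_failure() -> bool:
    """Check both failure directions of any one level channel on one SG."""
    for i in range(4):
        # Genuine low-low level: channel i is stuck untripped, the other three trip.
        demand = [True] * 4
        demand[i] = False
        if not afw_response(plant({"1D": demand})).automatic_flow:
            return False
        # Normal level: channel i is stuck tripped; no actuation may result.
        spurious = [False] * 4
        spurious[i] = True
        result = afw_response(plant({"1D": spurious}))
        if result.pumps_start_immediately or result.valves_actuated:
            return False
    return True
```
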
In order to avoid unnecessary, prolonged operation of the MS safety valves, the SG PORVs have been provided. The SG PORVs and their controls are designed as safety-related equipment; however the SG PORVs do not perform a safety function for safe shutdown. The safety-related function of the SG PORVs is described in Appendix 5.4.A.
A pressure transmitter and pressure controller are provided for each of the SGs to actuate the PORV and control the steam pressure at a predetermined setting. Manual control capability is provided both in the control room and on the ASP for PORV regulation. The status of the PORVs is indicated by the valve position indicating lights and analog position indication on the valve control stations. The SG PORVs are controlled using the QDPS, which is described in Section 7.5.6.
: 1. Initiating Circuits  No initiating circuits are required for the self-actuating MS safety valves. Each PORV is automatically actuated to regulate SG pressure via the pressure controller and can be manually actuated by selecting the manual control mode. The required instrumentation readout for manual system control is described in Section 7.5.
: 2. Logic  No logic is required for the spring-loaded MS safety valves. Each PORV is individually controlled by its own pressure control loop. Normal PORV operation is the automatic mode, but alternatively it may be operated in a manual mode. Figure 7.4-1 shows the logic diagram for the SG PORVs. PORV control is provided by microprocessor-based equipment within the QDPS. Each control loop accepts the steam line pressure, valve position, and the setpoints as input variables and outputs a signal to control the PORV (Section 7.5.6.1.1.2).
: 3. Bypass  Placement of the PORV valve controller in the manual mode does not preclude the steam relief functional requirement, since the MS safety valves provide a steam pressure relief capability. Control of the PORVs from the control room is bypassed at the transfer switch panels when control is transferred to the ASP. This transfer of control is alarmed and indicated in the control room through the ESF Status Monitoring System (Section 7.5.4).
: 4. Interlock  No interlock is provided.
: 5. Redundancy  Any two of the four sets of MS safety valves or any two of the four PORVs provide sufficient steam relief to remove decay heat for safe shutdown requirements. Redundancy is accomplished on a system basis since any two of the four associated SGs are adequate for the heat removal requirements.
: 6. Diversity  Diversity in the heat removal function is accomplished by the spring-loaded MS safety valves and SG PORVs.
: 7. Actuated Devices  The PORVs are electro-hydraulically operated and fail closed on loss of power to the hydraulic pump or control circuitry. A switch for each PORV is installed on the transfer switch panels or the auxiliary shutdown panel to allow the PORV to be opened using reserve hydraulic pressure in the PORV accumulator following a loss of power to the hydraulic pump, provided power is still available to the servo amplifier, which is powered from a battery-backed 120 VAC safety-related bus. Also, provisions are available for local manual control.
: 8. Supporting Systems  The Class 1E electrical systems are required to operate the SG PORVs (Section 8.3).
: 9. Portion of System Not Required for Safety  The SG PORVs and the ESF Status Monitoring System.
: 10. Design Basis Information  The MS safety valves are self-actuated and sufficient to maintain safe shutdown. Therefore, the SG PORVs are not required for safe shutdown. However, to achieve operational objectives the SG PORV controls are designed to meet those portions of Institute of Electrical and Electronics Engineers (IEEE) 279-1971 applicable to automatic and manual controls.
The PORVs are electrohydraulically operated, requiring 480 V, 3-phase power for the hydraulic pumps and 125 VDC for the manual and automatic control portion. The control circuits are designed so that any single failure will not prevent proper system response when required. This is accomplished by redundant SGs with a PORV available on each SG, any two of which are sufficient for heat removal. Two PORVs are powered from independent Class 1E 480 V, 3-phase busses with the other two PORVs powered from a third independent Class 1E 480 V, 3-phase bus. The control circuits are powered from four independent Class 1E 125 VDC busses. In order to prevent interaction between redundant systems, the control channels are wired independently and are separated, with no electrical connections among control channels. Except for two PORVs being powered from the same 480 V, 3-phase bus, the PORVs are electrically separated.
7.4.1.3 Pressurizer Heater Controls. Pressurizer heater control is provided to maintain the RCS at operating pressure following a reactor trip to prevent excessive cooling and depressurization of the system. Normal operation is automatic via the proportional and backup heaters, as described in Section 7.7. If, for any reason, the normal pressure-regulating system is not available, the operator will control either of two backup heater groups A and B in the pressurizer by manual ON-OFF control switches provided in the control room and on the ASP. The pressurizer heaters are not required for safe shutdown. Note that the pressurizer backup heater groups C and D are provided with non-Class 1E power and may be used if available and offsite power is present.
: 1. Initiating Circuits  In normal automatic operation, the heaters are controlled by pressurizer pressure and level as described in Section 7.7. In addition, the backup heater groups are provided with direct manual control for initiation by the station operator.
: 2. Logic  Figure 7.4-2 shows the logic diagram for backup heater groups A and B.
: 3. Bypass  Control of the backup pressurizer heater groups A and B from the control room is bypassed at the transfer switch panels when control is transferred to the ASP. This transfer of control is alarmed and indicated in the control room through the Main Control Room Annunciator System and is also indicated in the Emergency Response Facilities Data Acquisition and Display System (ERFDADS) (Section 7.5.7).
: 4. Interlocks  All pressurizer heater groups are connected with a level switch to cut off power to the heaters on pressurizer low-low water level, thereby preventing heater damage. This interlock is bypassed at the ASP for the manual control of pressurizer backup heater groups A and B.
: 5. Redundancy  Two backup heater groups (A and B) are provided, either of which can provide the necessary energy input to the primary system for the safe shutdown condition.
: 6. Diversity  The A and B backup heater groups are powered from separate Class 1E power supplies.
: 7. Actuated Devices  Pressurizer backup heater groups A and B are actuated devices.
: 8. Supporting Systems  Pressurizer backup heater groups A and B are each powered from an independent Class 1E bus.
: 9. Portion of Systems Not Required for Safety  The pressurizer heaters are not required for safety.
: 10. Design Bases Information  The design bases of the pressurizer backup heater manual controls are to achieve operational objectives. The A and B backup pressurizer heater groups are desirable to respond to low reactor coolant pressure following a reactor trip with or without LOOP. The manual control equipment is designed to be powered from the Class 1E power system as discussed in Chapter 8. The A and B backup pressurizer heater manual controls maintain the RCS pressure during an extended safe shutdown. Sufficient time is available for manual operation.
7.4.1.4 Centrifugal Charging Pumps. If the unit is maintained in a safe shutdown condition for a prolonged time, a centrifugal charging pump may be required to maintain the reactor coolant inventory so that the water level in the pressurizer is maintained above the heaters. At the time the charging pump is brought into operation to replenish the RCS, the boron concentration of the RCS may be increased if desired. Normal operation of the pressurizer level control system is automatic, as described in Section 7.7. Manual control is also provided both inside and outside the main control room. During normal shutdown conditions, the charging flow control valve will regulate charging flow in order to maintain pressurizer water level. If the charging flow control valve is not available for automatic or remote manual operation, controlled charging is available via the RCP seal injection path or through the normal charging path (Section 9.3.4.1) utilizing manual valve alignment to maintain pressurizer water level. A detailed description of the charging portion of the CVCS and its operation and safety evaluation is provided in Section 9.3.4.
: 1. Initiating Circuits  The charging pumps and associated valves are controlled manually by the station operator for safe shutdown service.
: 2. Logic  See Figure 7.4-3.
: 3. Bypass  Control from the control room of the charging pumps is manually bypassed at the transfer switch panels when control is transferred to the ASP. This transfer of control is alarmed and indicated in the control room through the ESF Status Monitoring System (Section 7.5.4).
: 4. Interlocks  There are no interlocks associated with the manual controls.
: 5. Redundancy  Two independent centrifugal charging pumps and control circuits are provided, either of which can provide the necessary input to the primary system for the safe shutdown condition.
: 6. Diversity  The two centrifugal charging pumps and associated valves are powered from independent Class 1E busses.
: 7. Actuated Devices  The charging pumps and associated valves are the actuated devices.
: 8. Supporting Systems  The charging pumps and associated valves and controls obtain power from the Class 1E Power System (Chapter 8). Ventilation and component cooling water support is required (Sections 9.4.3 and 9.2.2, respectively).
: 9. Portion of System Not Required for Safety  The ESF Status Monitoring System is not required for safety.
: 10. Design Bases Information  The design bases of the charging pump manual controls (in accordance with Section 3 of IEEE 279-1971) are:
: a. The generating station condition which requires protective action:
The charging pumps and their controls are needed to respond to low pressurizer water level following a reactor trip with or without LOOP.
: b. The range of transient and steady-state conditions of both the energy supply and the environment during normal, abnormal, and accident circumstances throughout which the system must perform:
The essential power supply is discussed in Chapter 8. The equipment is designed to the pressure, temperature, and humidity environment given in Section 3.11. Accident conditions other than earthquake are not applicable to this discussion.
: c. The malfunctions, accidents, or other unusual events which could physically damage protection system components, for which provisions must be incorporated to retain necessary protective action:
The charging pump manual controls are designed to withstand the effects of a Safe Shutdown Earthquake (SSE) without loss of function. The equipment is designed, and its components located, to prevent loss of function from missile damage. Accident conditions other than earthquake are not applicable to this discussion.
: d. Minimum performance requirements, including system response times, system accuracies, ranges of the magnitudes, and rates of change of sensed variables, to be accommodated until proper conclusion of the protective action is assured:
The charging pumps are required only for a prolonged safe shutdown situation. Sufficient time is available for manual operation.
7.4.1.5 Boric Acid Transfer Pump Controls. For an extended safe shutdown lasting approximately 25 hours or more, boration of the RCS may be required to counteract the positive reactivity insertion caused by xenon decay. The boric acid transfer pumps provide the means to transfer concentrated boric acid solution from the boric acid tanks to the charging system to accomplish the boration of the RCS. A detailed description of the boric acid transfer portion of the CVCS, along with its operation and safety evaluation, is provided in Section 9.3.4. The boric acid transfer pumps and associated valving are controlled automatically by the Reactor Makeup Control System (RMCS), as described in Section 9.3.4.1.2, or manually by the operator. Manual control is provided for the boric acid transfer pumps in the main control room and at the ASP.
During normal shutdown conditions, the boric acid flow control valve will regulate the amount of boric acid flowing into the CVCS for reactor makeup. If the boric acid flow control valve is not available for automatic or remote manual operation, start-stop boric acid pump operation will regulate the amount of boric acid being transferred through alternate paths.
: 1. Initiating Circuits  The boric acid transfer pumps and associated valves are controlled manually by the station operator for safe shutdown service.
: 2. Logic  See Figure 7.4-4.
: 3. Bypass  Control from the control room of the boric acid transfer pumps is bypassed at the transfer switch panels when the control is transferred to the ASP. This transfer of control is alarmed and indicated in the control room through the ESF Status Monitoring System (Section 7.5.4).
: 4. Interlocks  No interlocks are involved in the manual control system.
: 5. Redundancy  Two independent boric acid transfer pumps are provided, either of which can provide the necessary concentrated boric acid to the charging pump suction for the safe shutdown condition.
: 6. Diversity  The two boric acid transfer pumps are powered from independent Class 1E busses.
: 7. Actuated Devices  The boric acid transfer pumps and associated valves are the actuated devices.
: 8. Supporting Systems  The boric acid transfer pumps and associated valves and controls obtain power from the Class 1E Power System (Chapter 8). Ventilation support is required (Section 9.4.3).
: 9. Portion of System Not Required for Safety  The ESF Status Monitoring System is not required for safety.
: 10. Design Bases Information  The design bases of the boric acid transfer pump controls (in accordance with Section 3 of IEEE 279-1971) are:
: a. The generating station condition which requires protective action:
Prolonged hot shutdown (approximately 25 hours or more) with significant effects from xenon decay with or without LOOP.
: b. The range of transient and steady-state conditions of both the energy supply and the environment during normal, abnormal, and accident circumstances throughout which the system must perform:
The Class 1E Power System is discussed in Chapter 8. The equipment is designed for the pressure, temperature, and humidity environment given in Section 3.11. Accident conditions other than earthquake are not applicable to this discussion.
: c. The malfunctions, accidents, or other unusual events which could physically damage protection system components, for which provisions must be incorporated to retain necessary protective action:
The manual boric acid transfer pump controls are designed to withstand the effects of an SSE without loss of function. The system components are physically located to prevent loss of function from missile damage. Accident conditions other than earthquake are not applicable to this discussion.
: d. Minimum performance requirements, including system response times, system accuracies, ranges of the magnitude, and rates of change of sensed variables, to be accommodated until proper conclusion of the protective action is assured:
The boric acid transfer pump is required only for an extended safe shutdown (approximately 25 hours or more). Thus there is ample time for manual operation.
7.4.1.6 Letdown Stop Valves. Valves are provided in the letdown line which are capable of terminating reactor coolant letdown. In the safe shutdown condition, the letdown is manually terminated if the makeup system is not in operation in order to maintain pressurizer water level above the heaters. This is accomplished by remote manual closure of the letdown stop valves in conjunction with downstream isolation valves. A detailed description of the letdown portion of the CVCS, along with its operation and safety evaluation, is provided in Section 9.3.4.1.2.
: 1. Initiating Circuits  The letdown stop valves are closed by a pressurizer low water level signal or remote manually by the operator.
: 2. Logic  See Figure 7.6-16.
: 3. Bypass  Control of the letdown stop valves from the control room is bypassed at the transfer switch panel when control is transferred to the ASP. This transfer of control is alarmed and indicated in the control room through the ESF Status Monitoring System (Section 7.5.4).
: 4. Interlocks  When controlled from the control room, the letdown stop valves are closed by the signals indicated in item 1, above. When a letdown stop valve is being closed or opened manually from the control room, should the letdown orifice header isolation valve not be closed an annunciator will sound; the operator must hold the letdown stop valve control switch in the desired position until valve position starts to change. This time delay is provided to give the operator time to evaluate the valve positions so as to prevent flashing in the regenerative heat exchanger. From the auxiliary shutdown panel, valve control is strictly manual. No automatic signals for closure of the valves are provided; no alarms are provided.
: 5. Redundancy  Two independent letdown stop valves are provided. Either valve will stop the letdown flow for the safe shutdown condition.
: 6. Diversity  The two letdown stop valves are powered and controlled from independent Class 1E busses.
: 7. Actuated Devices  The letdown stop valves are the actuated devices.
: 8. Supporting Systems  The valves and their controls are powered from the Class 1E Power System (Chapter 8).
: 9. Portion of System Not Required for Safety  The ESF Status Monitoring System is not required for safety.
: 10. Design Bases Information  The design bases of the letdown stop valves manual controls (in accordance with Section 3 of IEEE 279-1971) are:
: a. The generating station condition which requires protective action:
Manual valve closure to respond to low pressurizer water level following a reactor trip with or without LOOP.
: b. The range of transient and steady-state conditions of both the energy supply and the environment during normal, abnormal, and accident circumstances throughout which the system must perform:
The Class 1E Power System is discussed in Chapter 8. The equipment is designed for the pressure, temperature, and humidity environment given in Section 3.11. Accident conditions other than earthquake are not applicable to this discussion.
: c. Malfunctions, accidents, or other unusual events which could physically damage protection system components, for which provisions must be incorporated to retain necessary protective action:
The controls for the letdown stop valves are designed to withstand the effects of an SSE without loss of function. The system is designed, and its components are physically located, to prevent loss of function from missile damage. Accident conditions other than earthquakes are not applicable to this discussion.
: d. Minimum performance requirements, including system response times, system accuracies, ranges of the magnitudes, and rates of change of sensed variables, to be accommodated until proper conclusion of the protective action is assured:
During safe shutdown the response of the RCS is relatively slow. Manual operation is sufficient.
7.4.1.7 Other Controls Required for Safe Shutdown. The other equipment and systems required to maintain the unit in the safe shutdown condition are:
: 1. Condensate Storage and Transfer System (Section 10.4.7)
: 2. Essential Cooling Water System (ECWS) (Section 9.2.1)
: 3. Component Cooling Water System (CCWS) (Section 9.2.2)
: 4. RCFCs (Section 6.2.2)
: 5. SBDGs (Sections 8.3 and 9.5)
: 6. Control Room Envelope and Electrical Auxiliary Building (EAB) Heating Ventilating and Air Conditioning (HVAC) System (Section 9.4.1)
: 7. Emergency Ventilation Systems for areas housing equipment required for safe shutdown (Section 9.4)
These systems are normally operating continuously except for the SBDGs and the emergency ventilation systems, which start automatically when required. The instrumentation and control (I&C) for these systems are described in the respective sections noted above. Further discussion of the actuation and controls for the ESF systems is provided in Section 7.3.
7.4.1.8 Equipment and Systems Available for Cold Shutdown. The systems and controls required for cold shutdown are described in Appendix 5.4.A. The capability to achieve safe shutdown from outside the control room is discussed in Section 7.4.1.9.
7.4.1.9 Safe Shutdown From Outside the Control Room. If temporary evacuation of the control room is required, the operators can establish and maintain the plant in a safe shutdown condition from outside the control room through the use of controls located at the ASP, transfer switch panels and other local control stations. In addition to maintaining safe shutdown from outside the control room, these panels provide the capability, in conjunction with limited local manual actions, for implementing cold shutdown from outside the control room. The effects of control room and relay room fires, and use of the ASP, transfer switch panels, and other local control stations to mitigate the consequences thereof, are addressed in the Fire Hazards Analysis Report (FHAR) submitted to the Nuclear Regulatory Commission (NRC) under separate cover.
7.4.1.9.1 Auxiliary Shutdown Panel:  The ASP is located in the EAB at El. 10 ft. Both Class 1E and non-Class 1E controls and indicators are provided. Electrical separation is maintained between separation groups (as identified in Section 8.3) within the panel in accordance with the criteria described in Section 8.3.
The controls on the ASP are electrically isolated from those in the control room by transfer switches located on the transfer switch panels, with the exception of the controls associated with the turbine-driven AFW pump train and associated flow regulation. The transfer switches for the turbine-driven AFW pump and associated flow regulation controls are located on the ASP. Safety-related display is provided by the QDPS via redundant plasma display units located on the ASP. The QDPS is described in Section 7.5.6. The controls and monitoring indicators provided at the ASP are identified in Table 7.4-1. The monitored parameters available via the QDPS are identified in Table 7.5-1. Other nonsafety-related parameters are available at the ASP via the ERFDADS, which is described in Section 7.5.7. The ASP equipment layout is shown in Figures 7.4-6 and 7.4-7.
The ASP is intended for use following an evacuation of the control room only. No actions from the ASP are anticipated during normal plant operations. The transfer of control from the control room to the ASP is alarmed and indicated in the control room. Access to the ASP is administratively controlled.
7.4.1.9.2 Transfer Switch Panels:  The six transfer switch panels are located in the EAB with two of the panels located in each of their associated switchgear rooms on El. 10 ft, 35 ft, and 60 ft.
The transfer switches and controls provided on the panels are identified in Table 7.4-2. The equipment layout of the transfer switch panels is shown in Figures 7.4-8 through 7.4-13. The switches and controls provided on the transfer switch panels are Class 1E. Electrical and physical separation is maintained between the separation groups in accordance with the criteria described in Section 8.3. The transfer switch panels provide control transfer between the control room and the ASP control circuits. In addition, control is provided on the transfer switch panels for equipment that requires one-time or infrequent control during safe shutdown. Transfer of control from the control room is alarmed and indicated in the control room. The transfer switch panels are intended for use following an evacuation of the control room only. No actions from the transfer switch panels are anticipated during normal plant operations. Access to the transfer switch panels is administratively controlled.
7.4.1.9.3 Other Local Control Stations:  In addition to the controls and indicators provided at the ASP and transfer switch panels, the following controls are provided outside the control room:
: 1. Reactor trip capability, provided at the reactor trip switchgear.
: 2. Start/stop controls and transfer switches for the SBDGs, located on each diesel generator (DG) local panel.
: 3. Start/stop controls for the essential chillers, located on each essential chiller local panel.
: 4. Start/stop controls and transfer switches for the Essential Cooling Water Intake Structure (ECWIS) ventilation fans, located at motor control centers.
: 5. Open/close controls for various support equipment not requiring immediate or constant control, located at motor control centers.
: 6. Disconnect switches for solenoid valves to fail open or closed (depending on application) air-operated valves, located at the auxiliary relay cabinets.
7.4.1.9.4 Communications:  Communications are provided between the ASP, the control room, switchgear rooms, and the Technical Support Center (TSC) via the dc-powered headset system. Onsite telephone extensions are provided at the ASP and other auxiliary shutdown control stations. Operator Communications Panels (OCP) are provided in the ASP and the TSC and the offsite Emergency Operations Facility (EOF) and the control room. The communications systems are further described in Section 9.5.2.
7.4.1.9.5 Design Bases Information:  In accordance with NRC General Design Criterion (GDC) 19, the capability of establishing a safe shutdown condition and maintaining the station in a safe status in that mode is considered an essential function. The controls and indications essential to this function are identified in Section 7.4.1. To ensure availability of the ASP, transfer switch panels, and essential local control stations (those identified in Section 7.4.1.9.3) after control room evacuation, the following design features have been utilized:
: 1. The ASP, including essential instrumentation mounted on it, and the transfer switch panels are designed to withstand an SSE with no loss of essential functions. The essential local control stations are also designed to withstand an SSE with no loss of essential functions.
: 2. The ASP, transfer panels, and essential local stations, including essential controls and indicators, are designed to comply with applicable portions of IEEE 279-1971. An analysis for shutdown from outside the control room with respect to appropriate NRC criteria is provided in Section 7.4.2.7.
====7.4.2 Analysis====
Safe shutdown is a stable plant condition that is reached following a plant shutdown. The safe shutdown condition can be maintained safely for an extended period of time. In the unlikely event access to the control room is restricted, the plant can be safely kept at a safe shutdown by the use of the monitoring indicators and the controls discussed in Section 7.4.1.9 until the control room can be reentered.
The safety evaluation of the maintenance of a shutdown with the systems and associated instrumentation and controls identified in Sections 7.4.1.1 through 7.4.1.8 has included consideration of the accident consequences that might jeopardize safe shutdown conditions. The accident consequences that are germane are those that would tend to degrade the capabilities for coolant circulation, boration, and residual heat removal. The results of the accident analyses are presented in Chapter 15. Of these, the following produce the most severe consequences that are pertinent:
: 1. Uncontrolled boron dilution
: 2. Loss of normal feedwater
: 3. Loss of external electrical load and/or turbine trip
: 4. Loss of ac power to the station auxiliaries (station blackout)
These analyses show that safety is not adversely affected by these incidents, and that the instruments and controls indicated in Sections 7.4.1.1 through 7.4.1.8 are available to control and/or monitor shutdown. These available systems will allow a maintenance of safe shutdown even under the accident conditions listed above, which would tend towards a return to criticality or a loss of heat sink.
7.4.2.1 Analysis for Auxiliary Feedwater Controls.
: 1. Conformance to NRC GDC
: a. GDC 13  Instrumentation necessary to monitor station variables associated with safe shutdown is provided in the main control room and at the ASP. Controls for the AFW are provided at each location. A description of the surveillance instrumentation is provided in Section 7.5.
: b. GDC 19  All controls and indications required for safe shutdown of the reactor are provided in the main control room. In the event the main control room must be evacuated, adequate controls and indications are located outside the main control room to (1) bring to and maintain the reactor in a safe shutdown condition and (2) provide potential capability to achieve cold shutdown.
The ASP and the transfer switch panels, located outside the main control room, are described in Section 7.4.1.9.
: c. GDC 34  The AFW provides an adequate supply of feedwater (FW) to the SGs to remove reactor decay heat following reactor trip. Two SGs with AFW supply are sufficient to remove reactor decay heat without exceeding design conditions of the RCS.
: 2. Conformance to NRC Regulatory Guides (RGs)
: a. RG 1.22  The AFW controls are designed to allow periodic testing to satisfy Technical Specification requirements.
: b. RG 1.29  The AFW controls are designed to withstand the effects of an earthquake without loss of function or physical damage. The AFW control system is classified seismic Category I in accordance with the Guide.
: 3. Conformance to IEEE 279-1971  The AFW controls are designed to conform to the applicable portions of IEEE 279-1971. The control and actuation circuits are designed such that any single failure will not prevent proper protective action (adequate AFW supply) when required. This is accomplished by redundant systems. Each AFW train, including valves, utilizes control power from independent Class 1E power systems.
: 4. Conformance to other Criteria, Guides, and Standards  Conformance to other criteria, guides, and standards is indicated on Figure 7.1-1.
7.4.2.2 Analysis for Atmospheric Steam Relief.
: 1. Conformance to NRC GDC
: a. GDC 13  Instrumentation necessary to monitor station variables associated with safe shutdown is provided in the main control room and on the ASP. Controls for the SG PORVs are provided at each location. A description of the surveillance instrumentation is provided in Section 7.5.
: b. GDC 34  The MS safety valves or the PORVs provide an adequate means of venting the SGs to remove reactor decay heat following reactor trip. Modulation of the PORVs provides the desired rate of heat removal from the RCS to maintain the unit in the safe shutdown condition. The atmospheric steam relief system has sufficient redundancy to ensure its intended function, assuming a single failure.
: 2. Conformance to NRC RGs
: a. RG 1.22  The PORV controls can be tested periodically. The MS safety valves are tested at intervals identified in the Technical Specifications.
: b. RG 1.29  The MS safety valves and PORVs are designed to withstand the effects of an SSE without loss of function. These valves are classified as seismic Category I in accordance with the Guide.
: 3. Conformance to IEEE 279-1971  Although the SG PORVs are not required for safe shutdown, the SG PORV controls are designed to conform to the portions of IEEE 279-1971 applicable to manual controls. The control circuits are designed such that any single failure will not prevent proper system response when required. This is accomplished by redundant SGs with a PORV available on each SG. Two PORVs are powered from independent Class 1E power systems and the other two PORVs by a third independent Class 1E power system. The four PORV control circuits are powered from independent Class 1E power systems.
7.4.2.3 Analysis for Pressurizer Heater Controls.
: 1. Conformance to NRC GDC
: a. GDC 13  Instrumentation necessary to monitor station variables associated with safe shutdown is provided in the main control room and on the ASP. Manual controls for the pressurizer backup heaters are provided at each location. A description of the surveillance instrumentation is provided in Section 7.5.
: b. GDC 34  The pressurizer backup heater groups A and B manual controls provide adequate control of the primary system pressure to prevent excessive depressurization of the RCS. One group of heaters is sufficient to provide the necessary heat to the RCS to maintain the unit in the safe shutdown condition.
: 2. Conformance to NRC Regulatory Guides
: a. RG 1.22  The pressurizer backup heater groups A and B manual controls are tested at intervals identified in the Technical Specifications.
: b. RG 1.29  The pressurizer backup heater groups A and B manual controls are designed to withstand the effects of an SSE without loss of function or physical damage. The pressurizer backup heater manual controls are classified seismic Category I in accordance with the guide.
: 3. Conformance to IEEE 279-1971  Although the pressurizer heaters are not required for safety, to achieve operational objectives the pressurizer backup heater groups A and B manual controls are designed to meet those portions of IEEE 279-1971 applicable to manual controls. The manual control circuits are designed so that any single failure will not prevent proper protective action (RCS pressure control) when required. This is accomplished by two pressurizer backup heater systems each utilizing power from an independent Class 1E power system. In order to prevent interaction between the redundant systems, the manual control channels are wired independently and separated with no electrical connections between manual control channels. The automatic control function associated with the backup heaters is isolated from the automatic control circuitry.
7.4.2.4 Analysis for Centrifugal Charging Pumps.
: 1. Conformance to NRC GDC
: a. GDC 13  Instrumentation necessary to monitor station variables associated with safe shutdown is provided in the main control room and on the ASP. Manual controls for the centrifugal charging pumps are provided both inside and outside the control room. A description of the surveillance instrumentation is provided in Section 7.5.
: b. GDC 19  The centrifugal charging pump manual controls provide adequate means to control the pressurizer level to preclude loss of the pressurizer heaters due to low-low water level. One centrifugal charging pump is sufficient to provide the necessary makeup to the RCS to maintain the safe shutdown condition.
: 2. Conformance to NRC RGs
: a. RG 1.22  Operability of the centrifugal charging pump manual controls is confirmed by their use during operation.
: b. RG 1.29  The centrifugal charging pump manual controls are designed to withstand the effects of an SSE without loss of function or physical damage. The centrifugal charging pump manual controls are classified seismic Category I in accordance with the Guide.
: 3. Conformance to IEEE 279-1971  The centrifugal charging pump manual controls are designed to meet the portions of IEEE 279-1971 applicable to manual controls. The manual control circuits are designed so that any single failure will not prevent proper protective action (makeup to the RCS) when required. This is accomplished by two redundant centrifugal charging pump systems. Each charging pump utilizes power from an independent Class 1E power system. In order to prevent interaction between the redundant systems, the manual control channels are wired independently and separated with no electrical connections between manual control channels. The normal automatic control circuits are electrically isolated from the manual controls to assure manual control system independence.
: 4. Conformance to Other Criteria and Standards  Conformance to other criteria and standards is indicated in Figure 7.1-1.
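The single-failure claims made in Sections 7.4.1 and 7.4.2 (a PORV on each SG with any two sufficient; paired backup heater groups, charging pumps, boric acid transfer pumps and letdown stop valves with either one sufficient) can be checked mechanically from the power-supply assignments. The Python sketch below is an added example, not part of the UFSAR; the bus and train labels are hypothetical placeholders, and the mis-wired variant is constructed to show a failing case.

```python
"""Single-failure check over redundant trains and their power supplies.

Bus and train labels are hypothetical placeholders; only the topology
(which trains share a supply, how many trains are needed) follows the text.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Group:
    name: str
    required: int   # number of trains that must remain available
    trains: dict    # train label -> frozenset of supplies it depends on


def supplies(group):
    """Every supply that at least one train in the group depends on."""
    return sorted(set().union(*group.trains.values()))


def survivors(group, failed_supply):
    """Trains still operable when exactly one supply is lost."""
    return sorted(t for t, deps in group.trains.items()
                  if failed_supply not in deps)


def single_failure_report(group):
    """Map each supply to (surviving trains, criterion met) for its loss."""
    report = {}
    for supply in supplies(group):
        left = survivors(group, supply)
        report[supply] = (left, len(left) >= group.required)
    return report


def meets_single_failure(group):
    """True if no single supply loss drops the group below its requirement."""
    return all(ok for _, ok in single_failure_report(group).values())


def shared_supplies(group):
    """Supplies feeding more than one train (one loss removes several)."""
    shared = {}
    for supply in supplies(group):
        users = sorted(t for t, deps in group.trains.items() if supply in deps)
        if len(users) > 1:
            shared[supply] = users
    return shared


# Four PORVs: each needs its 480 V bus (hydraulic pumps) and its 125 VDC bus
# (controls). Two valves share the third 480 V bus; any two valves suffice.
PORVS = Group("SG PORVs", 2, {
    "PORV-1": frozenset({"480V-bus-1", "125VDC-bus-1"}),
    "PORV-2": frozenset({"480V-bus-2", "125VDC-bus-2"}),
    "PORV-3": frozenset({"480V-bus-3", "125VDC-bus-3"}),
    "PORV-4": frozenset({"480V-bus-3", "125VDC-bus-4"}),
})


def redundant_pair(name):
    """Two trains on independent Class 1E busses, either one sufficient."""
    return Group(name, 1, {
        "train-A": frozenset({"1E-bus-A"}),
        "train-B": frozenset({"1E-bus-B"}),
    })


PAIRS = [redundant_pair(n) for n in (
    "Pressurizer backup heater groups A and B",
    "Centrifugal charging pumps",
    "Boric acid transfer pumps",
    "Letdown stop valves",
)]

# Constructed counterexample: a third PORV moved onto the shared 480 V bus.
MISWIRED = Group("SG PORVs (constructed mis-wiring)", 2, {
    **PORVS.trains,
    "PORV-2": frozenset({"480V-bus-3", "125VDC-bus-2"}),
})

if __name__ == "__main__":
    for group in [PORVS, *PAIRS, MISWIRED]:
        verdict = "meets" if meets_single_failure(group) else "FAILS"
        print(f"{group.name}: {verdict} the single-failure check")
        for supply, (left, ok) in single_failure_report(group).items():
            print(f"  loss of {supply}: {len(left)} left {left} ok={ok}")
        if shared_supplies(group):
            print(f"  shared supplies: {shared_supplies(group)}")
```

The shared 480 V bus is reported as a common dependency but still leaves two PORVs, which matches the exception the text calls out for the two valves on the same bus.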
7.4.2.5 Analysis for Boric Acid Transfer Pumps.
: 1. Conformance to NRC GDC
: a. GDC 13  Instrumentation necessary to monitor station variables associated with safe shutdown is provided in the main control room and on the ASP. Manual controls for the boric acid transfer pumps are provided both inside and outside the control room. A description of the surveillance instrumentation is provided in Section 7.5.
: 2. Conformance to NRC RGs
: a. RG 1.22  Operability of the boric acid transfer pump manual controls is confirmed by their use during operation.
: b. RG 1.29  The boric acid transfer pump manual controls are designed to withstand the effects of an SSE without loss of function or physical damage.
The boric acid transfer pump manual controls are classified seismic Category I in accordance with the Guide.
: 3. Conformance to IEEE 279-1971  The boric acid transfer pump manual controls are designed to meet those portions of IEEE 279-1971 applicable to manual controls. The manua l control circuits are designed so that any single failure will not prevent proper protective action (boric acid supply to the charging system) when required. This is accomplished by two redundant boric acid transfer pumps. Each boric acid transfer pump utilizes power from and independent Class 1E power system.
In order to prevent interaction between the redundant systems, the manual control channels are wired independently and separated with no electrical connections between manual control channels. The normal automatic control circuits are electrically isolated from the manual controls to prevent jeopardizing control system reliability.
: 4. Conformance to other criteria and standards is indicated in Figure 7.1-1.
7.4.2.6 Analysis of Letdown Stop Valves.
: 1. Conformance to NRC GDC
: a. GDC 13  Instrumentation necessary to monitor station variables associated with safe shutdown is provided in the main control room and on the ASP. Manual controls for the letdown isolation function via the letdown stop valves are provided both inside and outside the control room.
A description of the surveillance instrumentation is provided in Section 7.5.
: b. GDC 19  The letdown stop valve controls provide adequate means to control the reactor coolant letdown to prevent excessive lowering of pressurizer water level. Either valve is sufficient to terminate letdown.
: 2. Conformance to NRC RGs
: a. RG 1.22  The letdown stop valve controls can be tested periodically during operation by temporarily terminating the letdown during normal operation.
: b. RG 1.29  The letdown stop valve controls are designed to withstand the effects of an earthquake without loss of function or physical damage. The letdown stop valve controls are classified seismic Category I in accordance with the Guide.
: 3. Conformance to IEEE 279-1971  The letdown stop valve manual controls are designed to meet those portions of IEEE Standard 279-1971 applicable to manual controls. The manual control circuits are designed so that any single failure will not prevent proper protective action (limiting reactor coolant losses via the letdown path) when required. This is accomplished by redundant letdown stop valves. Each letdown stop valve utilizes power from an independent Class 1E power system. In order to prevent interaction between the redundant systems, the manual control channels are wired independently and separated with no electrical connections between manual control channels.
: 4. Conformance to Other Criteria and Standards  Conformance to other guides and standards is indicated in Figure 7.1-1.
7.4.2.7 Analysis for Shutdown From Outside the Control Room.
: 1. Conformance to NRC GDC
: a. GDC 19  The ASP and transfer switch panels, in conjunction with the essential local control stations discussed in Section 7.4.1.9, provide adequate controls and indications located outside the main control room to maintain the reactor and the RCS in the safe shutdown condition in the event the main control room must be evacuated.
: 2. Conformance to NRC RGs
: a. RG 1.22  The ASP, transfer switch panels, and essential local control stations are designed to be tested periodically during station operation.
: b. RG 1.29  The ASP, transfer switch panels, and essential local control stations are designed to withstand the effects of an SSE without loss of function or physical damage. The ASP, transfer switch panels, and essential local control stations are classified seismic Category I.
: c. RG 1.68.2  The initial startup test program demonstrated the capability to establish and maintain hot standby and the potential for cold shutdown from outside the Control Room.
Refer to Sections 14.2.12.2, Test 98 and 14.2.12.3, Test 25.
: 3. Conformance to IEEE 279-1971  The ASP and transfer switch panels, including essential controls and indications, and the essential local control stations are designed to conform to applicable portions of IEEE 279-1971. The control circuits at the ASP, transfer switch panels, and essential local control stations are designed so that any single failure will not prevent proper protective action (maintaining safe shutdown) when required. This is accomplished by redundant controls for the systems required for safe shutdown utilizing independent Class 1E power systems. To prevent interaction between the redundant systems, the control channels are wired independently and separated with no electrical connections between redundant control systems. Nonessential control circuits and nonessential monitoring circuits are electrically isolated from essential controls and indications to prevent jeopardizing the reliability of the systems required for safe shutdown.
: 4. Conformance to Other Guides, Criteria, and Standards  The additional guides, criteria, and standards listed in Figure 7.1-1 apply only to the essential instrumentation and controls required for safe shutdown from outside the control room.
7.4.2.8 Consideration of Selected Plant Contingencies.
7.4.2.8.1 Loss of Instrument Air Systems:  Essential electrically-powered instrumentation is supplied from the Class 1E power systems. Therefore, loss of the instrument air system will not degrade instrumentation required for safe shutdown.
7.4.2.8.2 Loss of Cooling Water to Vital Equipment:  Cooling water to equipment required for safe shutdown is provided on a train basis (Sections 9.2.1 and 9.2.2). The loss of a train of cooling water would affect only one train of safe shutdown equipment. Redundancy of safe shutdown equipment is provided; therefore, the loss of a train of cooling water will not degrade the safe shutdown capability.
7.4.2.8.3 Plant Load Rejection, Turbine Trip, and Loss of Offsite Power:  In the event of LOOP associated with plant load rejection on turbine trip, power for safe shutdown is provided by the onsite Class 1E power system. The SBDGs provide power for the operation of safety-related pumps and valves. The Class 1E 125 vdc and 120 vac systems provide power for the operation of control and instrumentation required to actuate and control essential components. See Section 8.3 for a full description of the various Class 1E power systems and their redundancy.
7.4.3 Shutdown Under Station Blackout Conditions
Shutdown capability is provided by utilizing only safety-related equipment. Safe shutdown of each unit can be achieved utilizing safety-related and Class 1E equipment/components listed in Section 2, Table 2-2 of the FHAR. The nonsafety-related equipment listed in Table 2-2 is not part of Station Blackout. The detailed information with respect to the safety class, standard, code, seismic category and Quality Assurance of equipment used in responding to a Station Blackout event is as identified in Section 3.2, Table 3.2.A-1.
TABLE 7.4-1 CONTROLS AND MONITORING INDICATORS LOCATED ON THE AUXILIARY SHUTDOWN PANEL

| Item No.(a) | Device Description(b) | Instrument Tag No.(c) | Position(d) | Separation Group(e) |
|---|---|---|---|---|
| 100I001 | Steam Gen 1A W/R Water Level | N1FW-LI-0501A | N/A | N |
| 100I002 | Steam Gen 1B W/R Water Level | N1FW-LI-0502A | N/A | N |
| 100I003 | Steam Gen 1C W/R Water Level | N1FW-LI-0503A | N/A | N |
| 100I004 | Steam Gen 1D W/R Water Level | N1FW-LI-0504A | N/A | N |
| 100I005 | Przr Water Level | N1RC-LI-0465A | N/A | N |
| 100I006 | Przr Water Level | N1RC-LI-0466A | N/A | N |
| 100I007 | RCS W/R Pressure Loop 3 | N1RC-PI-0406B | N/A | N |
| 100I009 | AFW Flow To SG 1A | N1AF-FI-7525A | N/A | N |
| 100I010 | AFW Flow To SG 1B | N1AF-FI-7524A | N/A | N |
| 100I011 | AFW Flow To SG 1C | N1AF-FI-7523A | N/A | N |
| 100I012 | AFW Flow To SG 1D | N1AF-FI-7526A | N/A | N |
| 100I013 | Extended Range Power Level CH 45 | N1N1-NI-0045A | N/A | N |
| 100I014 | Extended Range Power Level CH 46 | N1N1-NI-0046B | N/A | N |
| 100I015 | RCS Loop 1 W/R Cold Leg Temp | N1RC-TI-0414A | N/A | N |
| 100I016 | RCS Loop 2 W/R Cold Leg Temp | N1RC-TI-0424A | N/A | N |
| 100I017 | Charging Flow Indicator | N1CV-FI-0205B | N/A | N |
| 100I018 | AFW Pressure, Loop D | N1AF-PI-7529A | N/A | N |
| 100I019 | RCS W/R Pressure Loop 1 | N1RC-PI-0407A | N/A | N |
| 100I020 | RHR HX 1A Outlet Temp | N1RH-TI-0857 | N/A | N |
| 100I021 | RHR HX 1B Outlet Temp | N1RH-TI-0858 | N/A | N |
| 100I022 | RHR HX 1C Outlet Temp | N1RH-TI-0859 | N/A | N |
| 100I023 | RHR Pump 1A Disch Flow | N1RH-FI-0867A | N/A | N |
| 100I024 | RHR Pump 1C Disch Flow | N1RH-FI-0869A | N/A | N |
| 100I025 | RHR Pump 1B Disch Flow | N1RH-FI-0868A | N/A | N |
| 100I026 | RCS Loop 3 W/R Cold Leg Temp | N1RC-TI-0434A | N/A | N |
| 100I027 | RCS Loop 4 W/R Cold Leg Temp | N1RC-TI-0444A | N/A | N |
| 100K001 | SG 1A PORV PV-7411 | A1MS-PK-7411A | N/A | A |
| 100K002 | SG 1B PORV PV-7421 | B1MS-PK-7421A | N/A | B |
| 100K003 | SG 1C PORV PV-7431 | C1MS-PK-7431A | N/A | C |
| 100K004 | SG 1D PORV PV-7441 | D1MS-PK-7441A | N/A | D |
| 100K006 | RHR HX 1A Outlet Flow Control | N1SI-HK-0851 | N/A | N |
| 100K007 | RHR HX 1B Outlet Flow Control | N1SI-HK-0852 | N/A | N |
| 100K008 | RHR HX 1C Outlet Flow Control | N1SI-HK-0853 | N/A | N |
| 100K009 | RX Head Vent Throttle HCV-602 | B1RC-HK-602A | N/A | B |
| 100K010 | RX Head Vent Throttle HCV-601 | A1RC-HK-601A | N/A | A |
| 100K011 | RHR HX 1A Outlet Temp Control HCV-0864 | N1RH-HK-0864 | N/A | N |
| 100K012 | RHR HX 1B Outlet Temp Control HCV-0865 | N1RH-HK-0865 | N/A | N |
| 100K013 | RHR HX 1C Outlet Temp Control HCV-0866 | N1RH-HK-0866 | N/A | N |
| 100K014 | Charging Flow Control FCV-0205 | N1CV-FK-0205A | N/A | N |
| 100M001 | Plasma Display QDPS | C1AM-CRT-0001P | N/A | C |
| 100M001A | Plasma Display Electronic Box QDPS | N/A | N/A | C |
| 100M002 | Plasma Keyboard QDPS | C1AM-CRH-0002K | N/A | C |
| 100M003 | Plasma Display QDPS | A1AM-CRT-0003P | N/A | A |
| 100M004 | Plasma Keyboard QDPS | A1AM-CRH-0004K | N/A | A |
| 100M005 | QDPS Demux Card Cage | N/A | N/A | N |
| 100M006 | QDPS Demux Power Supply | N/A | N/A | N |
| 100M007 | Alarm Horn Aux. Relay | N/A | N/A | N |
| 100M008 | Plasma Display/ERFDADS CRT Alarm Horn | N/A | N/A | N |
| 100S001 | AFW PMP 11 | A1AF-HS-7506C | Stop Start | A |
| 100S002 | AFW PMP 12 | B1AF-HS-7507C | Stop Start | B |
| 100S003 | AFW PMP 13 | C1AF-HS-7508C | Stop Start | C |
| 100S004 | Przr Htr Back-up GP 1A | A1RC-HS-0676F | Off On | A |
| 100S005 | Przr Htr Back-up GP 1B | C1RC-HS-0676G | Off On | C |
| 100S006 | Charging Pump 1A | C1CV-HS-0287A | Stop Start | C |
| 100S007 | Charging Pump 1B | A1CV-HS-0288A | Stop Start | A |
| 100S008 | Letdn Orifice Isol Vlv FV-0012 | A1CV-HS-0012A | Close Open | A |
| 100S009 | Letdn Orifice Isol Vlv FV-0013 | C1CV-HS-0013A | Close Open | C |
| 100S010 | Letdn Orifice Isol Vlv MOV-0014 | C1CV-HS-0014A | Close Open | C |
| 100S011 | Boric Acid Transfer Pump 1A | C1CV-HS-0209C | Stop Start | C |
| 100S012 | Boric Acid Transfer Pump 1B | A1CV-HS-0209E | Stop Start | A |
| 100S013 | AFW Pump 14 Turb Trip & Throttle MOV-0514 Throttle Switch | D1AF-HS-0514B | Close Open | D |
| 100S014 | AFW Pump 14 Turb Steam Inl Vlv MOV-0143 & Bypass Valve FV-0143 | D1AF-HS-0143C | Close Open | D |
| 100S015 | Aux FW Pump 11 Isol Vlv MOV-0048 | A1AF-HS-0048C | Close Open | A |
| 100S016 | Aux FW Pump 12 Isol Vlv MOV-0065 | B1AF-HS-0065C | Close Open | B |
| 100S017 | Aux Fw Pump 13 Isol Vlv MOV-0085 | C1AF-HS-0085C | Close Open | C |
| 100S018 | Aux FW Pump 14 Isol Vlv MOV-0019 | D1AF-HS-0019C | Close Open | D |
| 100S019 | AFW Pump 14 Stm Inl Vlv Transfer Switch MOV-0143/FV-0143 | D1AF-HS-0143B | CR ASP | D |
| 100S019A | AFW Pump 14 Turb Steam Inlet Bypass Vlv FV-0143 | N/A | N/A (Lights Only) | D |
| 100S020 | AFW Turb Trip & Throttle Valve MOV-0514 Transfer Switch | D1AF-HS-0514C | CR ASP | D |
| 100S021 | AFW Turb Pump Isol Valve MOV-0019 Transfer Switch | D1AF-HS-0019B | CR ASP | D |
| 100S022 | Pressurizer PORV PCV-0656A | B1RC-HS-0656B | Close Open | B |
| 100S023 | Pressurizer PORV PCV-0655A | A1RC-HS-0655B | Close Open | A |
| 100S024 | RHR Pump 1A Suct Isol Vlv MOV-0060A | A1RH-HS-0060G | Close Open | A |
| 100S025 | RHR Pump 1C Suct Isol Vlv MOV-0061C | A1RH-HS-0061I | Close Open | A |
| 100S026 | RHR Pump 1B Suct Isol Vlv MOV-0060B | B1RH-HS-0060H | Close Open | B |
| 100S027 | RHR Pump 1A Suct Isol Vlv MOV-0061A | B1RH-HS-0061G | Close Open | B |
| 100S028 | RHR Pump 1C Suct Isol Vlv MOV-0060C | C1RH-HS-0060I | Close Open | C |
| 100S029 | RHR Pump 1B Suct Isol Vlv MOV-0061B | C1RH-HS-0061H | Close Open | C |
| 100S030 | ACC TK 1A Disch Isol Vlv MOV-0039A | A1SI-HS-0039J | Close Open | A |
| 100S030A | ACC TK 1A MOV-0039A | N/A | N/A (Lights Only) | A |
| 100S031 | ACC TK 1B Disch Isol Vlv MOV-0039B | B1SI-HS-0039K | Close Open | B |
| 100S031A | ACC TK 1B MOV-0039B | N/A | N/A (Lights Only) | B |
| 100S032 | ACC TK 1C Disch Isol Vlv MOV-0039C | C1SI-HS-0039L | Close Open | C |
| 100S032A | ACC TK 1C MOV-0039C | N/A | N/A (Lights Only) | C |
| 100S034 | Letdown Stop Vlv LCV-0465 | A1CV-HS-0465A | Close Open | A |
| 100S035 | Letdown Stop Vlv LCV-0468 | C1CV-HS-0468A | Close Open | C |
| 100S036 | SG 1A AFW Flow Control Vlv FV-7525 | A1AF-HS-7525 | Jog Close Jog Open | A |
| 100S037 | SG 1B AFW Flow Control Vlv FV-7524 | V1AF-HS-7524 | Jog Close Jog Open | B |
| 100S038 | SG 1C AFW Flow Control Vlv FV-7523 | C1AF-HS-7523 | Jog Close Jog Open | C |
| 100S039 | SG 1D AFW Flow Control Vlv FV-7526 | D1AF-HS-7526 | Jog Close Jog Open | D |
| 100S040 | ACC TK 1C Disch Isol Vlv MOV-0039C Power Lockout | C1SI-HS-0039P | Power Off Power On | C |
| 100S041 | SG 1D AFW Flow Control Vlv FV-7526 Transfer Switch | D1AF-HS-7526B | CR ASP | D |
| 100S043 | RCS Isol Vlv RVHVS FV-3658A | A1RC-HS-3658C | Close Open | A |
| 100S044 | SG 1D PORV Transfer Switch PV-7441 | D1MS-HS-7441 | CR ASP | D |
| 100S045 | Przr PORV BLK Vlv MOV-0001A | A1RC-HS-0001C | Close Open | A |
| 100S046 | RCS Isol Vlv RVHVS FV-3657A | A1RC-HS-3657C | Close Open | A |
| 100S047 | RCS Isol Vlv RVHVS FV-3657B | B1RC-HS-3657E | Close Open | B |
| 100S048 | RCS Isol Vlv RVHVS FV-3658B | B1RC-HS-3658E | Close Open | B |
| 100S049 | Przr PORV BLK Vlv MOV-001B | B1RC-HS-0001E | Close Open | B |
| 100S050 | AFW Pump 14 Turb Trip & Throttle MOV-0514 Trip Switch | D1AF-HS-7537B | Trip | D |
| 100S052 | ACC TK 1A Disch Isol Vlv MOV-0039A Power Lockout | A1SI-HS-0039M | Power Off Power On | A |
| 100S053 | ACC TK 1B Disch Isol Vlv MOV-0039B Power Lockout | B1SI-HS-0039N | Power Off Power On | B |
| 100S057 | Alarm Horn Selector and Silence | N/A | Off Enable (Push to Silence In Position 2) | N |
| 100S058 | Letdown Orifice Hdr Isol Vlv FV-011 | C1CV-HS-0011A | Close Open | C |
: a. Item No:  Panel device item number as shown in Figure 7.4-6 and 7.4-7
: b. Device Description:  Instrument or control description
: c. Instrument Tag No:  Instrument tag number as identified on piping and instrument diagrams or component logic diagrams
: d. Position:  Switch positions
: e. Separation Group:  Electrical separation group as identified in Section 8.3.1.4
TABLE 7.4-2 CONTROL LOCATED ON THE TRANSFER SWITCH PANELS

Panel No. ZLP653

| Item No.(a) | Device Description(b) | Instrument Tag No.(c) | Position(d) | Separation Group(e) |
|---|---|---|---|---|
| 653S001 | ESF Bus E1A to Xfmr E1A1 | A1PK-HS-0001A | Trip Close | A |
| 653S002 | ESF Bus E1A to Xfmr E1A1 | A1PK-HS-0001B | CR Local | A |
| 653S003 | ESF Bus E1A to Xfmr E1A2 | A1PK-HS-0002A | Trip Close | A |
| 653S004 | ESF Bus E1A to Xfmr E1A2 | A1PK-HS-0002B | CR Local | A |
| 653S005 | Exhaust Fan 11A RCB Containment Cubicle | A1HC-HS-9753A | Stop Start | A |
| 653S006 | Exhaust Fan 11A RCB Containment Cubicle | A1HC-HS-9753B | CR Local | A |
| 653S007 | Exhaust Fan 12A RCB Containment Cubicle | A1HC-HS-9755A | Stop Start | A |
| 653S008 | Exhaust Fan 12A RCB Containment Cubicle | A1HC-HS-9755B | CR Local | A |
| 653S009 | IVC/AFW PUMP 14 SPLY FAN 11D | A1HC-HS-9747A | Stop Start | A |
| 653S010 | IVC/AFW PUMP 14 SPLY FAN 11D | A1HC-HS-9747B | CR Local | A |
| 653S011 | IVC/AFW PUMP 11 SPLY FAN 11A | A1HC-HS-9744A | Stop Start | A |
| 653S012 | IVC/AFW PUMP 11 SPLY FAN 11A | A1HC-HS-9744B | CR Local | A |
| 653S013 | CCP 1B SUPPL CLR 11B RM 041 | A1HM-S-9413A | Stop Start | A |
| 653S014 | CCP 1B SUPPL CLR 11B RM 041 | A1HM-HS-9413B | CR Local | A |
| 653S015 | BA XFER PMP 1B SUPPL CLR 11A RM 018A | A1HM-HS-9413B | Stop Start | A |
| 653S016 | BA XFER PMP 1B SUPPL CLR 11A RM 018A | A1HM-HS-9396B | CR Local | A |
| 653S017 | CCW Pump 1A SUPPL CLR 11A RM 067 | A1HM-HS-9409A | Stop Start | A |
| 653S018 | CCW Pump 1A SUPPL CLR 11A RM 067 | A1HM-HS-9409B | CR Local | A |
| 653S019 | CVCS VLV CUB SUPPL CLR 11A RM 033 | A1HM-HS-9398A | Stop Start | A |
| 653S020 | CVCS VLV CUB SUPPL CLR 11A RM 033 | A1HM-HS-9398B | CR Local | A |
| 653S021 | ESSEN CHLR AREA SUPPL CLR 11A RM 067 | A1HM-HS-9406A | Stop Start | A |
| 653S022 | ESSEN CHLR AREA SUPPL CLR 11A RM 067 | A1HM-HS-9406B | CR Local | A |
| 653S023 | ECW TRN A SPLY ESSEN CHLR 12A | A1CH-HS-9504A | CR ZLP-623 | A |
| 653S024 | Exhaust Air Fan 11A EAB Battery Rooms, Train A | A1HE-HS-9576A | Stop Start | A |
| 653S025 | Exhaust Air Fan 11A EAB Battery Rooms, Train A | A1HE-HS-9576B | CR Local | A |
| 653S026 | PENT SPC HVAC EMER AHU 11A RM 001 | A1HE-HS-9752B | Stop Start | A |
| 653S027 | PENT SPC HVAC EMER AHU 11A RM 001 | A1HE-HS-9752C | CR Local | A |
| 653S028 | CCW HX 1A Outlet Temp Control MOV-0643 | A1CC-HS-0643A | Jog Close Jog Open | A |
| 653S029 | CCW HX 1A Outlet Temp Control MOV-0643 | A1CC-HS-0643B | CR Local | A |
| 653S030 | CCW Pump 1A | A1CC-HS-4509B | Stop Start | A |
| 653S031 | CCW Pump 1A | A1CC-HS-4509C | CR Local | A |
| 653S032 | ECW Pump 1A | A1EW-HS-6880A | Stop Start | A |
| 653S033 | ECW Pump 1A | A1EW-HS-6880B | CR Local | A |
| 653S034 | Cent Chg Pump 1B | A1CV-HS-0288B | CR ASP | A |
| 653S035 | Boric Acid Transfer Pump 1B | A1CV-HS-0209F | CR ASP | A |
| 653S036 | ACC Tank 1A Disch Vlv MOV-0039A | A1SI-HS-0039G | CR ASP | A |
| 653S037 | Power Lockout for MOV-0039A | A1SI-HS-0039Q | CR ASP | A |
| 653S038 | SG 1A PORV Control PV-7411 | A1MS-HS-7411 | CR ASP | A |
| 653S039 | AFW Pump 11 | A1AF-HS-7506B | CR ASP | A |

Panel No. ZLP654

| Item No.(a) | Device Description(b) | Instrument Tag No.(c) | Position(d) | Separation Group(e) |
|---|---|---|---|---|
| 654S001 | ESF Bus E1B to Xfmr E1B1 | B1PK-HS-0003A | Trip Close | B |
| 654S002 | ESF Bus E1B to Xfmr E1B1 | B1PK-HS-0003B | CR Local | B |
| 654S003 | ESF Bus E1B to Xfmr E1B2 | B1PK-HS-0004A | Trip Close | B |
| 654S004 | ESF Bus E1B to Xfmr E1B2 | B1PK-HS-0004B | CR Local | B |
| 654S005 | Exhaust Fan 028 RCB Containment Cubicle | B1HC-HS-9754A | Stop Start | B |
| 654S006 | Exhaust Fan 028 RCB Containment Cubicle | B1HC-HS-9754B | CR Local | B |
| 654S009 | AFW PUMP 12 Vent FAN 002 | B1HC-HS-9745B | Stop Start | B |
| 654S010 | AFW PUMP 12 Vent FAN 002 | B1HC-HS-9745A | CR Local | B |
| 654S011 | CCW Pump 1B SUPPL CLR 11B RM 067E | B1HM-HS-9410A | Stop Start | B |
| 654S012 | CCW Pump 1B SUPPL CLR 11B RM 067E | B1HM-HS-9410B | CR Local | B |
| 654S013 | RMW PMP 1B SUPPL CLR 11B RM 062 | B1HM-HS-9401A | Stop Start | B |
| 654S014 | RMW PMP 1B SUPPL CLR 11B RM 062 | B1HM-HS-9401B | CR Local | B |
| 654S015 | CVCS VLV CUB SUPPL CLR 11B RM 033 | B1HM-HS-9399A | Stop Start | B |
| 654S016 | CVCS VLV CUB SUPPL CLR 11B RM 033 | B1HM-HS-9399B | CR Local | B |
| 654S017 | ESSEN CHLR AREA SUPPL CLR 11B RM 067E | B1HM-HS-9407A | Stop Start | B |
| 654S018 | ESSEN CHLR AREA SUPPL CLR 11B RM 067E | B1HM-HS-9407B | CR Local | B |
| 654S019 | ECW TRN B SPLY ESSEN CHLR 12B | B1CH-HS-9510A | CR ZLP-624 | B |
| 654S020 | Exh Fan 11B EAB Battery Rooms, Train B | B1HE-HS-9574A | Stop Start | B |
| 654S021 | EXH Fan 11B EAB Btry Rooms, Train B | B1HE-HS-9574B | CR Local | B |
| 654S022 | PENT SPC HVAC EMER AHU 11B RM 201 | B1E-HS-9753B | Stop Start | B |
| 654S023 | PENT SPC HVAC EMER AHU 11B RM 201 | B1HE-HS-9753C | CR Local | B |
| 654S024 | CCW HX 1B Outlet Temp Control Vlv MOV-0645 | B1CC-HS-0645A | Jog Close Jog Open | B |
| 654S025 | CCW HX 1B Outlet Temp Control Vlv MOV-0645 | B1CC-HS-0645B | CR Local | B |
| 654S026 | CCW Pump 1B | B1CC-HS-4514B | Stop Start | B |
| 654S027 | CCW Pump 1B | B1CC-HS-4514C | CR Local | B |
| 654S028 | ECW Pump 1B | B1EW-HS-6885A | Stop Start | B |
| 654S029 | ECW Pump 1B | B1EW-HS-6885B | CR Local | B |
| 654S030 | ACC TK 1B Disch Vlv MOV-0039B | B1SI-HS-0039H | CR ASP | B |
| 654S031 | Power Lockout for MOV-0039B | B1SI-HS-0039R | CR ASP | B |
| 654S032 | SG 1B PORV PV-7421 | B1MS-HS-7421 | CR ASP | B |
| 654S033 | AFW Pump 12 | B1AF-HS-7507B | CR ASP | B |
| 654S034 | Reactor M/U Wtr Pump 1B | B1RM-HS-7654B | Stop Start | B |
| 654S035 | Reactor M/U Wtr Pump 1B | B1RM-HS-7654C | CR Local | B |
| 654S036 | AHU AH014 Clr Fan MAB Vlv Cub RM 226 | B1HM-HS-9402A | Stop Start | B |
| 654S037 | AHU AH014 Clr Fan MAB Vlv Cub RM 226 | B1HM-HS-9402B | CR Local | B |

Panel No. ZLP655

| Item No.(a) | Device Description(b) | Instrument Tag No.(c) | Position(d) | Separation Group(e) |
|---|---|---|---|---|
| 655S001 | ESF Bus E1C to Xfmr E1C1 | C1PK-HS-0005A | Trip Close | C |
| 655S002 | ESF Bus E1C to Xfmr E1C1 | C1PK-HS-0005B | CR Local | C |
| 655S003 | ESF Bus E1C to Xfmr E1C2 | C1PK-HS-0006A | Trip Close | C |
| 655S004 | ESF Bus E1C to Xfmr E1C2 | C1PK-HS-0006B | CR Local | C |
| 655S005 | Exhaust Fan 030 RCB Containment Cubicle | C1HC-HS-9756A | Stop Start | C |
| 655S006 | Exhaust Fan 030 RCB Containment cubicle | C1HC-HS-9756B | CR Local | C |
| 655S007 | CCP 1A SUPPL CLR 11A RM 039 | C1HM-HS-9412A | Stop Start | C |
| 655S008 | CCP 1A SUPPL CLR 11A RM 039 | C1HM-HS-9412B | CR Local | C |
| 655S009 | IVC/AFW PUMP 13 SPLY FAN 11C | C1HC-HS-9746A | Stop Start | C |
| 655S010 | IVC/AFW PUMP 13 SPLY FAN 11C | C1HC-HS-9746B | CR Local | C |
| 655S011 | CVCS VLV CUB SUPPL CLR 11B RM 226 | C1HM-HS-9403A | Stop Start | C |
| 655S012 | CVCS VLV CUB SUPPL CLR 11B RM 226 | C1HM-HS-9403B | CR Local | C |
| 655S013 | BA XFER PMP 1A SUPPL CLR 11B RM 018A | C1HM-HS-9397A | Stop Start | C |
| 655S014 | CCW PUMP 1C SUPPL CLR 11C RM 067F | C1HM-HS-9411A | Stop Start | C |
| 655S015 | CCW PUMP 1C SUPPL CLR 11C RM 067F | C1HM-HS-9411B | CR Local | C |
| 655S016 | CVCS VLV CUB SUPPL CLR RM 044 | C1HM-HS-9415A | Stop Start | C |
| 655S017 | CVCS VLV CUB SUPPL CLR RM 044 | C1HM-HS-9415B | CR Local | C |
| 655S018 | ESSEN CHLR AREA SUPPL CLR 11C RM 067F | C1HM-HS-9408A | Stop Start | C |
| 655S019 | ESSEN CHLR AREA SUPPL CLR 11C RM 067F | C1HM-HS-9408B | CR Local | C |
| 655S020 | ECW TRN C SPLY ESSEN CHLR 12C | C1CH-HS-9416A | CR ZLP-625 | C |
| 655S021 | Exh Fan 11C EAB Btry Rooms, Train C | C1HE-HS-9572A | Stop Start | C |
| 655S022 | Exh Fan 11C EAB Btry Rooms, Train C | C1HE-HS-9572B | CR Local | C |
| 655S023 | PENT SPC HVAC EMER AHU 11C RM 301 | C1HE-HS-9754B | Stop Start | C |
| 655S024 | PENT SPC HVAC EMER AHU 11C TM 301 | C1HE-HS-9754C | CR Local | C |
| 655S025 | CCW HX 1C Outlet Temp Cntl MOV-0647 | C1CC-HS-0647A | Jog Close Jog Open | C |
| 655S026 | CCW HX 1C Outlet Temp Cntl MOV-0647 | C1CC-HS-0647B | CR Local | C |
| 655S027 | CCW Pump 1C | C1CC-HS-4519B | Stop Start | C |
| 655S028 | CCW Pump 1C | C1CC-HS-4519C | CR Local | C |
| 655S029 | ECW Pump 1C | C1EW-HS-6890A | Stop Start | C |
| 655S030 | ECW Pump 1C | C1EW-HS-6890B | CR Local | C |
| 655S031 | BA XFER PMP 1A SUPPL CLR 11B RM 018A | C1HM-HS-9397B | CR Local | C |
| 655S032 | Centrifugal Charging Pump 1A | C1CV-HS-0287B | CR ASP | C |
| 655S033 | Boric Acid Transfer Pump 1A | C1CV-HS-0209D | CR ASP | C |
| 655S034 | ACC Tk 1C Disch Isol vlv MOV-0039C | C1SI-HS-0039I | CR ASP | C |
| 655S035 | Power Lockout for MOV-0039C | C1SI-HS-0039S | CR ASP | C |
| 655S036 | SG 1C PORV Cont PV-7431 | C1MS-HS-7431 | CR ASP | C |
| 655S037 | AFW Pump 13 | C1AF-HS-7508B | CR ASP | C |
| 655S038 | RMW PMP 1A SUPPL CLR 11A RM 062 | C1HM-HS-9400A | Stop Start | C |
| 655S039 | RMW PMP 1A SUPPL CLR 11A RM 062 | C1HM-HS-9400B | CR Local | C |
| 655S040 | Reactor M/U Wtr Pump 1A | C1RM-HS-7655B | Stop Start | C |
| 655S041 | Reactor M/U Wtr Pump 1A | C1RM-HS-7655C | CR Local | C |

Panel No. ZLP700

| Item No.(a) | Device Description(b) | Instrument Tag No.(c) | Position(d) | Separation Group(e) |
|---|---|---|---|---|
| 700S001 | Xfmr E1A1 to LC-E1A1 | A1PL-HS-0001A | Trip Close | A |
| 700S002 | Xfmr E1A1 to LC-E1A1 | A1PL-HS-0001B | CR Local | A |
| 700S003 | Xfmr E1A2 to LC-E1A2 | A1PL-HS-0002A | Trip Close | A |
| 700S004 | Xfmr E1A2 to LC-E1A2 | A1PL-HS-0002B | CR Local | A |
| 700S005 | Pump 11A MAB Essen Chld Wtr, Train A | A1CH-HS-9500A | Stop Start | A |
| 700S006 | Pump 11A MAB Essen Chld Wtr, Train A | A1CH-HS-9500B | CR Local | A |
| 700S008 | DG 11 EMER SPLY FAN 11A | A1HG-HS-9737B | Stop Start | A |
| 700S009 | DG 11 EMER SPLY FAN 11A | A1HG-HS-9737C | CR Local | A |
| 700S010 | EAB Return Fan 11A EAB Supply/Exhaust Train A | A1HE-HS-9337A | Stop Start | A |
| 700S011 | EAB Return Fan 11A EAB Supply/Exhaust Train A | A1HE-HS-9337B | CR Local | A |
| 700S012 | EAB Supply Fan 11A EAB Supply/Exhaust Train A | A1HE-HS-9350A | Stop Start | A |
| 700S013 | EAB Supply Fan 11A EAB Supply/Exhaust Train A | A1HE-HS-9350B | CR Local | A |
| 700S014 | RHR Pass Sample OCIV FV-2454 | A1AP-HS-2454A | Close Open | A |
| 700S015 | RHR Pass Sample OCIV Fv-2454 | A1AP-HS-2454B | CR Local | A |
| 700S016 | RCFC FAN 12A | A1HC-HS-9675A | Stop Start | A |
| 700S017 | RCFC FAN 12A | A1HC-HS-9675B | CR Local | A |
| 700S018 | RCFC FAN 11A | A1HC-HS-9666A | Stop Start | A |
| 700S019 | RCFC FAN 11A | A1HC-HS-9666B | CR Local | A |
| 700S020 | RHR Pump 1A | A1RH-HS-0867B | Stop Start | A |
| 700S021 | RHR Pump 1A | A1RH-HS-0867A | CR Local | A |
| 700S022 | RHR Pump 1A SUCT Isol Vlv | A1RH-HS-0060D | CR ASP | A |
| 700S023 | RHR Pump 1C SUCT Isol Vlv | A1RH-HS-0061F | CR ASP | A |
| 700S024 | Letdown Isol Vlv LCV-0465 | A1CV-HS-0465B | CR ASP | A |
| 700S025 | Letdown Orifice Isol Vlv FV-0012 | A1CV-HS-0012B | CR | A |
| 700S026 | Przr PORV PCV-0655A | A1RC-HS-0655C | CR ASP | A |
| 700S027 | Przr PORV BLK Vlv MOV-0001A | A1RC-HS-0001D | CR ASP | A |
| 700S028 | Przr HEATER Back-up Group 1A | A1RC-HS-0676H | CR ASP | A |
| 700S029 | RVHVS Isol Vlv | A1RC-HS-3657D | CR ASP | A |
| 700S030 | RVHVS Isol Vlv | A1RC-HS-3658D | CR ASP | A |
| 700S031 | FWIV FV-7141/7142/7143/7144 & SG Preheater Bypass Valves FV-7189/7190/7191/7192 | A1FW-HS-7141E | CR CLOSE | A |
| 700S032 | AFW to SG 1A Isol Vlv | A1AF-HS-0048B | CR ASP | A |
| 700S033 | AFW to SG 1A Flow Reg Vlv FV-7525 | A1AF-HS-7525B | CR ASP | A |
| 700S034 | Reactor Head Vent Throttle Vlv HCV-0601 | A1RC-HS-0601 | CR ASP | A |

Panel No. ZLP701

| Item No.(a) | Device Description(b) | Instrument Tag No.(c) | Position(d) | Separation Group(e) |
|---|---|---|---|---|
| 701S001 | Xfmr E1B1 to LC E1B1 | B1PL-HS-0008A | Trip Close | B |
| 701S002 | Xfmr E1B1 to LC E1B1 | B1PL-HS-0008B | CR Local | B |
| 701S003 | Xfmr E1B2 to LC E1B2 | B1PL-HS-0009A | Trip Close | B |
| 701S004 | Xfmr E1B2 to LC E1B2 | B1PL-HS-0009B | CR Local | B |
| 701S005 | Pump 11B MAB Chld Wtr, Train B | B1CH-HS-9505A | Stop Start | B |
| 701S006 | Pump 11B MAB Chld Wtr, Train B | B1CH-HS-9505B | CR Local | B |
| 701S008 | DG 12 EMER SPLY FAN 11B | B1HG-HS-9738B | Stop Start | B |
| 701S009 | DG 12 EMER SPLY FAN 11B | B1HG-HS-9738C | CR Local | B |
| 701S010 | EAB Return Fan 11B EAB Sply/Exhaust, Train B | B1HE-HS-9363A | Stop Start | B |
| 701S011 | EAB Return Fan 11B EAB Sply/Exhaust, Train B | B1HE-HS-9363B | CR Local | B |
| 701S012 | EAB Return Fan 11B EAB Sply/Exhaust, Train B | B1HE-HS-9376A | Stop Start | B |
| 701S013 | EAB Supply Fan 11B EAB Sply/Exhaust, Train B | B1HE-HS-9376B | CR Local | B |
| 701S014 | RHR TRN A ISOL VLV Sample Isol Vlv FV-4458 | B1PS-HS-4458A | Close Open | B |
| 701S015 | RHR TRN A ISOL VLV Sample Isol Vlv FV-4458 | B1PS-HS-4458B | CR Local | B |
| 701S016 | RHR TRN B ISOL VLV Sample Isol Vlv FV-4459 | B1PS-HS-4459A | Close Open | B |
| 701S017 | RHR TRN B ISOL VLV Sample Isol Vlv FV-4459 | B1PS-HS-4459B | CR Local | B |
| 701S018 | RHR TRN C ISOL VLV Sample Isol Vlv FV-4460 | B1PS-HS-4460A | Close Open | B |
| 701S019 | RHR TRN C ISOL VLV Sample Isol Vlv FV-4460 | B1PS-HS-4460B | CR Local | B |
| 701S020 | RCS Pass Sample Inlet OCIV FV-2455 | B1AP-HS-2455A | Close Open | B |
| 701S021 | RCS Pass Sample Inlet OCIV FV-2455 | B1AP-HS-2455B | CR Local | B |
| 701S022 | RCFC FAN 12B | B1HC-HS-9669A | Stop Start | B |
| 701S023 | RCFC FAN 12B | B1HC-HS-9669B | CR Local | B |
| 701S024 | RCFC FAN 11B | B1HC-HS-9663A | Stop Start | B |
| 701S025 | RCFC FAN 11B | B1HC-HS-9663B | CR Local | B |
| 701S026 | RHR Pump 1B | B1RH-HS-0868B | Stop Start | B |
| 701S027 | RHR Pump 1B | B1RH-HS-0868A | CR Local | B |
| 701S028 | RHR Pump 1B SUCT Isol Vlv MOV-0060B | B1RH-HS-0060E | CR ASP | B |
| 701S029 | RHR Pump 1A SUCT Isol Vlv MOV-0061A | B1RH-HS-0061D | CR ASP | B |
| 701S030 | Przr PORV PCV-0656A | B1RH-HS-0656C | CR ASP | B |
| 701S031 | Przr PORV BLK Vlv MOV-0001B | B1RC-HS-0001F | CR ASP | B |
| 701S032 | RX Head Vent Throttle Valve HCV-0602 | B1RC-HS-0602 | CR ASP | B |
| 701S033 | RVHVS Isol Vlv HV-3657B | B1RC-HS-3657F | CR ASP | B |
| 701S034 | RVHVS Isol Vlv HV-3658B | B1RC-HS-3658F | CR ASP | B |
| 701S035 | FWIV FV-7141/7142/7143/7144 & SG Preheater Bypass Valves FV-7189/7190/7191/7192 | B1FW-HS-7141F | CR CLOSE | B |
| 701S037 | AFW To SG 1B OCIV MOV-0065 | B1AF-HS-0065B | CR ASP | B |
| 701S038 | AFW to SG 1B Flow Reg Vlv FV-7524 | B1AF-HS-7524B | CR ASP | B |
| 701S039 | RHR ICIV Prim Sample FV-4823 | B1PS-HS-4823A | Close Open | B |
| 701S040 | RHR ICIV Prim Sample FV-4823 | B1PS-HS-4823B | CR Local | B |

Panel No. ZLP709

| Item No.(a) | Device Description(b) | Instrument Tag No.(c) | Position(d) | Separation Group(e) |
|---|---|---|---|---|
| 709S001 | Xfmr E1C1 to LC E1C1 | C1PL-HS-0015A | Trip Close | C |
| 709S002 | Xfmr E1C1 to LC E1C1 | C1PL-HS-0015B | CR Local | C |
| 709S003 | Xfmr E1C2 to LC E1C2 | C1PL-HS-0016A | Trip Close | C |
| 709S004 | Xfmr E1C2 to LC E1C2 | C1PL-HS-0016B | CR Local | C |
| 709S005 | Pump PA006 MAB Essen Chld Wtr, Train C | C1CH-HS-9511A | Stop Start | C |
| 709S006 | Pump PA006 MAB Essen Chld Wtr, Train C | C1CH-HS-9511B | CR Local | C |
| 709S008 | DG 13 EMER SPLY FAN 11C | C1HG-HS-9739B | Stop Start | C |
| 709S009 | DG 13 EMER SPLY FAN 11C | C1HG-HS-9739C | CR Local | C |
| 709S010 | EAB Return Fan 11C EAB Sply/Exhaust, Train C | C1HE-HS-9369A | Stop Start | C |
| 709S011 | EAB Return Fan 11C EAB Sply/Exhaust, Train C | C1HE-HS-9369B | CR Local | C |
| 709S012 | EAB Supply Fan 11C EAB Sply/Exhaust, Train C | C1HE-HS-9452A | Stop Start | C |
| 709S013 | EAB Supply Fan 11C EAB Sply/Exhaust, Train C | C1HE-HS-9452B | CR Local | C |
| 709S014 | RCS LOOP A T(HOT) SMPL ICIV FV-4454 | C1PS-HS-4454A | Close Open | C |
| 709S015 | RCS LOOP A T(HOT) SMPL ICIV FV-4454 | C1PS-HS-4454B | CR Local | C |
| 709S016 | RCS LOOP C T(HOT) SMPL ICIV FV-4455 | C1PS-HS-4455A | Close Open | C |
| 709S017 | RCS LOOP C T(HOT) SMPL ICIV FV-4455 | C1PS-HS-4455B | CR Local | C |
| 709S018 | Pass Liq Disch to PRT OCIV FV-2458 | C1AP-HS-2458A | Close Open | C |
| 709S019 | Pass Liq Disch to PRT OCIV FV-2458 | C1AP-HS-2458B | CR Local | C |
| 709S020 | RCFC FAN 12C | C1HC-HS-9678A | Stop Start | C |
| 709S021 | RCFC FAN 12C | C1HC-HS-9678B | CR Local | C |
| 709S022 | RCFC-FAN 11C | C1HC-HS-9672A | Stop Start | C |
| 709S023 | RCFC FAN 11C | C1HC-HS-9672B | CR Local | C |
| 709S024 | RHR Pump 1C | C1RH-HS-0869A | Stop Start | C |
| 709S025 | RHR Pump 1C | C1RH-HS-0869B | CR Local | C |
| 709S026 | RHR Pump 1C Suct Isol Vlv MOV-0060C | C1RH-HS-0060F | CR ASP | C |
| 709S027 | RHR Pump 1B Suct Isol Vlv MOV-0061B | C1RH-HS-0061E | CR ASP | C |
| 709S028 | Letdown Isol Vlv LCV-0468 | C1CV-HS-0468B | CR ASP | C |
| 709S029 | Letdown Orifice Isol Vlv MOV-0014 | C1CV-HS-0014B | CR ASP | C |
| 709S030 | Letdown Orifice Isol Vlv FV-0013 | C1CV-HS-0013B | CR ASP | C |
| 709S031 | Przr Htr Backup Group 1B | C1RC-HS-0676J | CR ASP | C |
| 709S032 | AFW to SG 1C Isol Vlv MOV-0085 | C1AF-HS-0085B | CR ASP | C |
| 709S033 | AFW to SG 1C Flow Reg Vlv FV-7523 | C1AF-HS-7523B | CR ASP | C |
| 709S035 | Letdown Orifice Hdr Isol Vlv FV-0011 | C1CV-HS-0011B | CR ASP | C |
| 709S035(f) | Letdown Orif Hdr Isol Vlv FV-0011 | C2CV-HS-0011B | CR ASP | C |
: a. Item No.: Panel device item number as shown in Figures 7.48 through 7.4-13
: b. Device Description: Instrument or control description
: c. Instrument Tag No.: Tag number as identified on Piping and Instrument Diagrams or component logic diagrams
: d. Position: Switch positions
: e. Separation Group: Electrical separation group (A, B, C, D & N) as identified in Section 8.3.1.4
: f. Unit 2 only

STPEGS UFSAR 7.5-1 Revision 18

==7.5 SAFETY-RELATED DISPLAY INSTRUMENTATION==
====7.5.1 Post-Accident Monitoring Instrumentation====
7.5.1.1 Description: A task analysis was conducted to identify the appropriate variables and establish appropriate design bases and qualification criteria for instrumentation employed by the operator for monitoring conditions in the Reactor Coolant System (RCS), the secondary heat removal system, and the Containment, including Engineered Safety Features (ESF) and other systems normally employed for attaining and maintaining a safe shutdown condition. The instrumentation is used by the operators to monitor the South Texas Project Electric Generating Station (STPEGS) throughout various operating conditions, including anticipated operational occurrences and post-accident conditions. The analysis process ensures that the information available to the operator following an accident is derived from specially designed and qualified instrumentation installed at the plant.
7.5.1.2 Analysis: The task analysis performed in response to Regulatory Guide (RG) 1.97 is described in Appendix 7B. Table 7.5-1 provides a listing of the variables identified in the task analysis. In addition, the table includes the following information on the STPEGS instrumentation utilized for each variable: (a) instrument range; (b) type and category (per the definitions found in Appendix 7B); (c) environmental qualification; (d) seismic qualification; (e) number of channels available; (f) display device and location; (g) the schedule for implementation; (h) power supply; and (i) a statement of conformance to RG 1.97, Rev. 2, or justification for deviations.
Seismic and environmental qualifications are further discussed in Sections 3.10 and 3.11.
To assist in understanding the information provided in Table 7.5-1, the following explanation of column headings is provided:
Variable:  This column contains the RG 1.97 variable as defined in Appendix 7B.
Range/Status:  This column contains the range of instruments used on STPEGS for RG 1.97 purposes and a description of STPEGS indications of valve position or pump status. The ranges indicated meet or exceed the requirements described in Appendix 7B.
Type/Category:  This column contains the types and categories applicable to each variable as defined in Appendix 7B.
Environmental and Seismic Qualification:  This column indicates whether or not the STPEGS instrumentation is seismically or environmentally qualified. A "yes" in the Environmental Qualification column indicates that the channel is environmentally qualified to a level which meets or exceeds the requirements specified in Appendix 7B for that variable.
Number of Channels:  This column contains the number of instrument channels available on STPEGS for post-accident monitoring purposes. This column does not take into account control room indication or recording capability. The number of channels available meets or exceeds the requirements in Appendix 7B, except for the cases in which justification for deviation from Appendix 7B is provided in Table 7.5-1.
Control Room Indication:  This column describes the control room indication and recording capability on STPEGS for each variable. An entry of "QDPS" indicates that display of the variable is accessible on the Qualified Display Processing System (QDPS) plasma display units via a single pushbutton action. The control room indication and recording capability meets or exceeds the requirements described in Appendix 7B.
Implementation Date:  This column contains the STPEGS schedule for implementing the RG.
Power Supply:  This column describes the power supply which powers the STPEGS instrumentation for each variable. The power supply provided meets or exceeds the requirements described in Appendix 7B.
Emergency Operations Facility Indication:  This column provides the STPEGS Emergency Operations Center (EOF) indication capability for each variable.
Technical Support Center Indication:  This column provides the STPEGS Technical Support Center (TSC) indication capability for each variable.
Conformance:  This column provides a statement of the conformance to RG 1.97, Revision 2 or justification for deviation.
Further information concerning conformance to RG 1.97, Rev. 2 is provided in Appendix 7B, which describes (a) the plant accident conditions under which the instrumentation must be operable; (b) the selection criteria (Type A, B, C, D, or E); (c) the qualification criteria (Category 1, 2, or 3); (d) the design criteria (number of channels, power requirements, servicing requirements, etc.); and (e) the processing and display criteria (accessibility, historical record, etc.).
The post-accident monitoring instrumentation consists of the instrumentation identified in Table 7.5-1. The display systems of the post-accident monitoring instrumentation are identified in Table 7.5-1 and are further described in the sections identified below:
: 1. QDPS - Section 7.5.6.
: 2. Emergency Response Facilities Data Acquisition and Display System (ERFDADS) - Section 7.5.7.
: 3. Radiation Monitoring System (RMS) - Section 11.5.
====7.5.2 Reactor Trip System====
Display instrumentation for monitoring during normal operation in the Reactor Trip System is discussed in Sections 7.2 and 7.7.
====7.5.3 Safe Shutdown====
Display instrumentation provided for monitoring safe shutdown during normal operations is discussed in Section 7.4.
Display instrumentation provided for monitoring the achievement and maintenance of cold shutdown following a safe shutdown earthquake (SSE) and loss of offsite power (LOOP) is discussed in Appendix 5.4.A.
====7.5.4 Engineered Safety Features Status Monitoring System====
The ESF Status Monitoring System consists of redundant logic devices that control indication lampboxes. The lampboxes are grouped by equipment train and provide the operator in the control room with ESF operating status information and bypass or inoperable status information.
The ESF status monitoring capability is provided both on a system level and on a component level.
The ESF Status Monitoring System monitors the following systems:
: 1. Automatically actuated ESF systems
: 2. Manually actuated ESF systems
: 3. ESF support systems
The ESF Status Monitoring System monitors the status of those ESF components which are:
: 1. Automatically actuated by the Engineered Safety Features Actuation System (ESFAS). 
: 2. Active and manually actuated.
: 3. Certain nonactive components. These components are monitored for bypass/inoperability on the basis of their ESF function. That is, nonactive components which could defeat an ESF function by being in a certain position or state are monitored during normal plant operation for capability to allow the ESF function.
Each ESF system includes the support systems and components for its bypass/inoperable status indication so that when a support system becomes bypassed or inoperative, the ESF systems that it supports are also indicated as inoperative.
The ESF operating status monitoring function is accomplished by monitoring the status of field contacts. This subsystem provides:
: 1. Visual indication (through lampbox lights) that specific ESF equipment is not in its safety position after receipt of a safety actuation signal.
: 2. Annunciation to alert the operator that an ESF system or any of its support systems is not in its safety position after the safety actuation sequence is completed.
The bypass or inoperable status monitoring function is provided to meet the requirements of RG 1.47 and Nuclear Regulatory Commission (NRC) Branch Technical Position (BTP) ICSB 21. This bypass or inoperable status monitoring function provides:
: 1. Visual indication (through lampbox lights) that specific ESF equipment has been bypassed or deliberately rendered inoperable during normal plant operating modes.
: 2. Annunciation to alert the operator that an ESF system or any of its support systems has been bypassed or deliberately rendered inoperable during normal plant operating modes.
The bypass/inoperable status indication subsystem continuously monitors the status of field contacts and automatically indicates that a specific piece of ESF equipment has been bypassed or deliberately rendered inoperable. The following conditions (as applicable) are automatically detected for each monitored component of the ESF systems:
: 1. Loss of control power
: 2. Control handswitch in pull-to-lock position
: 3. Circuit breaker not in operating position
: 4. Control transferred from the control room to a remote panel
: 5. Component not in its proper aligned position
The bypass/inoperable status indication is accomplished by lighting up the component level window.
This indication also provides individual system level annunciation (within the ESF Status Monitoring item) to alert the control room operator that an ESF system has been bypassed or rendered inoperable.
In accordance with RG 1.47, bypass or inoperable status indication is provided automatically for conditions which meet all three of the following guidelines:
: 1. The bypass or inoperable condition affects a system that is designed to automatically perform a safety-related function.
: 2. The bypass is utilized by plant personnel or the inoperable condition can reasonably be expected to occur more frequently than once per year, and
: 3. The bypass or inoperable condition is expected to occur when the affected system is normally required to be operable.
Deliberate manual actions which render ESF-actuated components and devices inoperable (once a year or more frequently) are automatically displayed on a component level. Active components not directly actuated by ESF signal but rendered inoperative once a year or more frequently such that they compromise the safety functions of the ESF system are also automatically displayed on a component level to the control room operator.
Rendering a piece of ESF equipment inoperative through the use of features provided strictly for infrequent maintenance (less than once a year) is not automatically indicated. Such maintenance features may include manual valves provided for isolation of the equipment for repair and electrical cable connections, screw terminals, or manual disconnects. The bypass/inoperable indication of these conditions is manually initiated on an ESF system level.
The capability for initiating a manual bypass indication and alarm is provided via a system level manual bypass switch to indicate the bypass/inoperable condition to the operator for those components or conditions which are not automatically monitored.
Manual bypass/inoperable indication may be set up or removed under administrative control. The automatic indication feature of the ESF Status Monitoring System cannot be removed by operator action. Bypass and/or status indication on a system level is provided for the following safety-related systems:
: 1. Solid-State Protection System (SSPS) (bypass/inoperable only)
: 2. Safety Injection System (SIS) (including Residual Heat Removal [RHR] system components required for accident mitigation or safe shutdown)
: 3. Containment Spray System (CSS)
: 4. Containment Isolation Phase A
: 5. Containment Ventilation Isolation
: 6. Class 1E 125 vdc and 120 V Vital AC Systems 
: 7. Containment Heat Removal System (CHRS)
: 8. Fuel Handling Building (FHB) Heating, Ventilating, and Air Conditioning (HVAC) Exhaust Subsystem 
: 9. Electrical Penetration Space HVAC System
: 10. Control Room Envelope and Electrical Auxiliary Building (EAB) Main Area HVAC System
: 11. Feedwater (FW) Isolation
: 12. Steam Line Isolation
: 13. Auxiliary Feedwater System (AFWS)
: 14. Containment Isolation Phase B
The following support systems activate bypass indication of all supported safety systems listed above when they are bypassed or rendered inoperable:
: 1. Component Cooling Water System (CCWS)
: 2. Essential Cooling Water System (ECWS)
: 3. ESF Bus System (including the standby diesel generators and the ESF load sequencers)
: 4. Essential Chilled Water System
: 5. Supporting HVAC equipment
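The indication logic described in this section can be sketched as follows. This is an added example, not plant or vendor logic: the component tags and the support-to-supported system map are constructed for illustration, and propagating through chains of support systems is an assumption that goes beyond the single level the text states.

```python
from dataclasses import dataclass, field
from enum import Enum


class Condition(Enum):
    """Conditions the section lists as automatically detected per component."""
    LOSS_OF_CONTROL_POWER = 1
    HANDSWITCH_IN_PULL_TO_LOCK = 2
    BREAKER_NOT_IN_OPERATING_POSITION = 3
    CONTROL_TRANSFERRED_TO_REMOTE_PANEL = 4
    NOT_IN_PROPER_ALIGNED_POSITION = 5


@dataclass
class Component:
    tag: str                      # constructed tag, not a plant tag number
    system: str                   # ESF or support system the component belongs to
    conditions: set = field(default_factory=set)

    def window_lit(self) -> bool:
        """The component-level window lights on any detected condition."""
        return bool(self.conditions)


class StatusMonitor:
    def __init__(self, components, supports):
        self.components = list(components)
        self.supports = supports  # support system -> supported systems (assumed map)
        self.manual = set()       # system-level manual bypass indications

    def set_manual_bypass(self, system, on, authorized):
        """Manual indication is set up or removed under administrative control."""
        if not authorized:
            raise PermissionError("manual bypass indication requires administrative control")
        (self.manual.add if on else self.manual.discard)(system)

    def annunciation(self):
        """Return {system: [causes]} for every system shown bypassed/inoperable."""
        causes = {}
        # Automatic indication: derived from field contacts only, so no
        # operator action in this class can clear it.
        for comp in self.components:
            for cond in sorted(comp.conditions, key=lambda c: c.value):
                causes.setdefault(comp.system, []).append(f"{comp.tag}: {cond.name}")
        for system in sorted(self.manual):
            causes.setdefault(system, []).append("manual bypass indication")
        # A bypassed support system marks every system it supports; repeat
        # until stable so chains of support systems are covered.
        changed = True
        while changed:
            changed = False
            for support, supported in self.supports.items():
                if support not in causes:
                    continue
                note = f"support system {support} bypassed/inoperable"
                for system in supported:
                    if note not in causes.setdefault(system, []):
                        causes[system].append(note)
                        changed = True
        return causes


def build_sample():
    """Constructed plant model: four components and an assumed support map."""
    components = [
        Component("SI-PUMP-X", "SIS"),
        Component("CS-PUMP-X", "CSS"),
        Component("CCW-PUMP-X", "CCWS"),
        Component("ECW-PUMP-X", "ECWS"),
    ]
    supports = {"ECWS": ["CCWS"], "CCWS": ["SIS", "CSS"]}
    return StatusMonitor(components, supports)
```
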
The ESF Status Monitoring System is not required to operate during or after a design basis seismic event; however, the indicator light panels are mounted on the seismically designed and qualified control benchboard, except for the manual BYP/INOP TRAINS A, B, C pushbuttons which are located on an operator console. The indicator panels are designed and have been type-tested to prove their structural integrity.
No credit is taken in the accident analyses of Chapter 15 for the operability of the ESF Status Monitoring System. The system is not designed to safety-related requirements. Interfaces with safety-grade equipment are through qualified isolation devices, in accordance with Institute of Electrical and Electronics Engineers (IEEE) 384 and RG 1.75. These isolation devices are part of the ERFDADS (Section 7.5.7).
7.5.5 This section is not used.
====7.5.6 Qualified Display Processing System====
7.5.6.1 Description: The QDPS is an integrated system designed to perform the following functions:
: 1. Data acquisition and qualified displays for post-accident monitoring.
: 2. Safety grade control (and position indication, as required) of several safety-related valves.
: 3. Data acquisition, display, and control to address the separation requirements of the STPEGS design approach to a control room (CR) or relay room (RR) fire.
: 4. Steam generator (SG) narrow range water level compensation for the effect of temperature changes in the reference leg fluid.
: 5. Temperature averaging scheme for narrow range T hot signal per loop.
7.5.6.1.1 System Description: The system functions are performed by several subsystems. These subsystems, though related, have sufficient independence such that the individual functions can be performed with maximum reliability and minimum unnecessary interaction between functions. A block diagram indicating the interconnections of the various QDPS subsystems, as well as interfaces with other systems, is provided in Figure 7.5.6-1.
7.5.6.1.1.1 Data Acquisition and Qualified Display for Post-Accident Monitoring:  The data acquisition and qualified display function is performed by a subsystem referred to as Plant Safety Monitoring System (PSMS). It is a modular and flexible general purpose system which performs the following functions:
: 1. Implements qualified monitoring channels to comply with post-accident monitoring Category 1 equipment design and qualification criteria defined in Appendix 7B.
: 2. Provides safety grade signal processing for instrumentation to detect inadequate core cooling as defined in NUREG-0737, Item II.F.2. This includes signal processing for reactor vessel water level, core exit temperature, and RCS subcooling. Refer to Appendix 7A.II.F.2 for a detailed description.
: 3. Isolates Class 1E and associated signals to make them available to non-Class 1E equipment, including the ERFDADS (Section 7.5.7).
: 4. Provides consolidated, unambiguous, human-factored displays of appropriate parameters to address the requirements of paragraph 4.20 of IEEE 279-1971. See Figure 7.5.6-2 for a schematic representation of signal processing for display consolidation.
The PSMS consists of four redundant, channelized, Class 1E data acquisition processors called remote processing units (RPUs). These RPUs send data to redundant database processing units (DPUs), which subsequently provide information to the operator via plasma display modules. A fifth, non-Class 1E RPU (RPU N) provides data acquisition for non-Class 1E signals which are needed to complete logical graphic displays. The RPUs perform the engineering unit conversion, limit checks, and isolation or buffering as required. The DPUs perform redundant sensor algorithms and auctioneering functions and then output the data base to the plasma display modules.
The plasma display modules provide graphic and alpha-numeric display pages containing comprehensive, human-engineered display information. Display page selection is performed using a function keyboard for each display module.
The variables required in the PSMS database are categorized into three types:
: 1. Safety grade parameters required to address post-accident and safe shutdown monitoring requirements.
: 2. Variables identified for monitoring the minimum functions required to achieve safe shutdown under postulated fire conditions.
: 3. Parameters included for display consolidation on the main control panels.
7.5.6.1.1.2 Safety Grade Control of Safety Related Valves:  The safety grade valve control function is performed by a microprocessor-based control system, Eagle 21. This consists of a set of Class 1E equipment used to provide the following process control functions:
: 1. Closed-loop control and position indication for the SG power-operated relief valves (PORV).
: 2. Contact output signals for automatic control of AFW flow throttle valves within upper and lower flow limits.
: 3. Open-loop control and position indication for the reactor vessel head vent valves.
The SG PORV control equipment provides hardware to meet the requirements for full analog valve control including transfer, without position change, of operation from the control room to the auxiliary shutdown panel. A separate transfer switch selects the active control station. Each control loop accepts the steam line pressure, valve position, and the setpoints as input variables and outputs a 4-20 mA signal to control the valve.
Each AFW throttle valve control loop accepts an input from a flow transmitter and supplies two bistable output signals, low and high limits, to the valve controller. These signals maintain AFW flow as required by the AFW system design (Section 10.4.9 and Figure 7.3-21B).
The reactor vessel head vent control loop accepts signal inputs from a pair of manual stations, one located in the control room and the other on the auxiliary shutdown panel (ASP). A separate transfer switch for each loop selects the active manual station.
7.5.6.1.1.3 Data Acquisition, Display, and Control to Address Separation Requirements of the STPEGS Design Approach to a CR or RR Fire:  Signal buffering to meet fire protection isolation and separation requirements is achieved by using microprocessor based equipment, which provides interface with the Nuclear Steam Supply System (NSSS) process protection and control cabinets.
Field inputs for variables identified for monitoring the minimum functions required to achieve safe shutdown following a CR or RR fire are routed to the QDPS auxiliary process cabinets (APCs). The signals are split into two independently buffered outputs. One of these outputs is routed to the process protection or control cabinets, and the other serves as an input to the RPU (Figure 7.5.6-3). With this configuration, the QDPS displays of these parameters are available should any failure occur in the process protection or control cabinets or input and output cabling.
7.5.6.1.1.4 Steam Generator Narrow Range Water Level Compensation and Display:  The SG narrow range water level compensation system automatically compensates the SG water level signals for the effect of temperature changes in the reference leg fluid. This system serves to increase operating margin and to improve the accuracy of post-accident level indications. With reference leg temperature compensation of the SG water level signals, the required increase in the low-low SG water level reactor trip setpoint to account for reference leg heat-up following a high energy line break inside containment is minimized. The compensation system is designed to limit the reference leg heatup error to 2 percent of the level instrument span. SG water levels are displayed on the QDPS plasma displays and on main control panel indicators. For additional information, refer to Section 7.2.
7.5.6.1.1.5 T hot Temperature Averaging Scheme Display:  The T hot Temperature Averaging Scheme (TAS) is used for calculating the narrow range hot leg resistance temperature detector (RTD) average temperature per loop. (This average signal replaces the signal previously derived from the hot leg bypass RTD.) In addition to calculating a hot leg temperature average per loop, the three narrow range hot leg RTDs per loop are subjected to a sensor quality check that automatically rejects any failed sensor and incorporates a bias to compensate for the loss of any one sensor in a loop. Should the sensor quality check detect more than one failed sensor per loop, the protective channels that have the T hot average signal as an input must be placed in partial trip. This partial trip is indicated on the control board (Section 7.2.1.1.5).
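The three outcomes this paragraph describes (all RTDs good, one rejected with a bias applied, more than one failed) are worked through below as an added example; it is not the TAS algorithm itself. The span, deviation limit, bias values, units and the form of both the quality check and the bias correction are assumptions made for illustration.

```python
from statistics import median

SPAN_F = (530.0, 650.0)        # constructed narrow-range span, deg F (assumed units)
MAX_DEVIATION_F = 10.0         # constructed limit for the quality check
BIAS_F = (2.0, -1.0, -1.0)     # constructed offset of each RTD from the 3-RTD average


def in_span(reading):
    """True for a present, in-range reading; NaN and None fail this test."""
    return reading is not None and SPAN_F[0] <= reading <= SPAN_F[1]


def failed_sensors(readings):
    """Indices that fail the assumed check: missing, out of span, or far from the median."""
    valid = [r for r in readings if in_span(r)]
    if not valid:
        return set(range(len(readings)))
    mid = median(valid)
    return {i for i, r in enumerate(readings)
            if not in_span(r) or abs(r - mid) > MAX_DEVIATION_F}


def loop_thot(readings, bias=BIAS_F):
    """Return (loop average or None, failed indices, partial_trip_required)."""
    failed = failed_sensors(readings)
    good = [i for i in range(len(readings)) if i not in failed]
    if len(failed) > 1:
        # More than one failed RTD: no usable average, so channels fed by
        # this signal have to be placed in partial trip.
        return None, sorted(failed), True
    average = sum(readings[i] for i in good) / len(good)
    if failed:
        # The two remaining RTDs sit at known offsets from the loop average;
        # removing their mean offset compensates for the lost sensor.
        average -= sum(bias[i] for i in good) / len(good)
    return average, sorted(failed), False
```

With the constructed biases, a loop at 600 reads 602, 599 and 599; losing the first RTD leaves a raw mean of 599, and the bias term restores 600.
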
7.5.6.1.2 Equipment Description: The QDPS consists of the following equipment:  four Class 1E APCs, two Class 1E database processing units, eight Class 1E plasma display units, three non-Class 1E demultiplexer (DMUX) units, and one non-Class 1E RPU. Refer to Figure 7.5.6-1 for system configuration.
7.5.6.1.2.1 Auxiliary Process Cabinets - The four redundant APCs comply with IEEE 279-1971. Each channelized APC contains an RPU chassis, control system chassis, signal isolation/buffering equipment, and associated DC power supplies for field inputs originating from this respective instrument channel. Data is output to the DPUs, non-Class 1E DMUX units and ERFDADS, via datalinks and individual analog signals as required. Each datalink is independently buffered such that no fault on a datalink will degrade system function beyond loss of data on that link. The APCs are located in four physically separated fire areas, such that no single fire will affect more than one APC. The APCs are powered from the four separate 120 vac vital instrument buses.
7.5.6.1.2.2 Database Processing Units - The two redundant DPUs comply with IEEE 279-1971. Each DPU contains signal processing equipment, signal isolation/buffering equipment and the DC power supply. The DPUs receive data inputs from each of the RPUs and transmit data outputs to the Class 1E plasma display units, non-Class 1E recorder DMUX, analog outputs to conventional indicators and recorders, and contact outputs to provide qualified status information and other destinations as necessary.
Each datalink is buffered such that no fault on a datalink will degrade system function beyond loss of information carried on that link. The DPUs are located in physically separated rooms with the separation group A and C APCs, and are powered by the separation group A and C 120 vac vital instrument buses, respectively. (Separation groups are discussed in Section 8.3.1.4.)
7.5.6.1.2.3 Plasma Display Units - The eight plasma display units are grouped into two redundant sets of three display units each in the CR and the two redundant display units on the ASP. The plasma display units conform to IEEE 279-1971. Each plasma display unit contains the microprocessor equipment and DC power supply necessary to receive data from each DPU and generate graphic and alpha-numeric display pages. A function keyboard attached to each display unit allows operator selection of specific display pages. One redundant set of plasma display units is powered by the separation group A 120 vac vital instrument bus and the other set by separation group C 120 vac vital instrument bus.
7.5.6.1.2.4 Demultiplexers - Two of three DMUX units are located in the CR. The third DMUX unit is located in the ASP. The DMUX units are non-Class 1E devices which provide system outputs to drive analog panel meters and recorders. The units are seismically qualified in accordance with IEEE 344-1975 such that the recorder output will remain functional following a seismic instrument bus backed up by station batteries.
7.5.6.1.2.5 Remote Processing Unit N (RPU N) - The single non-Class 1E RPU N provides data acquisition for certain non-Class 1E signals. The RPU is not required to function post-accident and is not redundant. RPU N is located in the RR (EAB E1 35 ft) and is powered from the non-Class 1E 120 vac vital instrument bus backed up by station batteries.
7.5.6.2 Analysis. Even though IEEE 279-1971 was not a design basis of the QDPS, an analysis was conducted to determine those criteria stated in the standard that were met by the system design. The following sections discuss the applicability of the QDPS to the respective sections of IEEE 279-1971. In performing this evaluation the functions performed by the QDPS are subdivided into the following subgroups:  (a) steam generator water level compensation system and temperature averaging scheme (SGWLCS/TAS), (b) ESF-qualified controllers (e.g., AFW throttle valve control), (c) qualified controllers utilized for achieving a safe shutdown, and (d) post-accident monitoring displays. References to the QDPS from a system level in the succeeding discussion indicate that all QDPS subsystems meet the stated requirement. Furthermore, the applicability of the General Design Criteria (GDCs) is indicated below.
7.5.6.2.1 General Functional Requirement:  This criterion only applies to the SGWLCS/TAS and the ESF-qualified controllers. Other functions do not automatically initiate appropriate protective action.
7.5.6.2.2 Single-Failure Criterion:  The QDPS is designed to provide redundant instrument channels for each safety-grade function as described in Section 7.5.6.1. These redundant channels are electrically and physically independent. A single failure in the QDPS will not prevent proper response at the system level. The loss of power to any vital instrument bus will result at most in loss of display from one channel. A failure modes and effects analysis has been performed and is presented in Table 7.5-4. The design meets the requirements of GDC 21, 22, and 23.
7.5.6.2.3 Quality of Components and Modules:  The QDPS meets the 99-percent-availability requirement defined in NUREG-0696, Section 1.5 under all pressure and temperature conditions exceeding cold shutdown conditions.
7.5.6.2.4 Equipment Qualification:  The QDPS is seismically and environmentally qualified to IEEE 344-1975 and IEEE 323-1974, and meets the requirements of GDC 2 and 4 with the exception of RPU N which performs non-Class 1E functions. The DMUX units are seismically qualified. Equipment qualification is also discussed in Sections 3.10 and 3.11.
7.5.6.2.5 Channel Integrity:  The QDPS is designed to operate during accident conditions and maintain necessary functional capability and accuracy under extremes of conditions relating to environment, energy supply, malfunctions, and accidents.
7.5.6.2.6 Channel Independence:  Channels that provide signals for the same function are electrically independent and physically separated to accomplish decoupling of the effects of unsafe environmental factors, electric transients, and physical accident consequences. The system is designed to minimize the potential for interactions between channels during maintenance operations or in the event of channel malfunction. One-way datalink transmission with a time-out function on the receiving end is used throughout the system to ensure that failure of a processor or datalink in one channel will not inhibit other system functions or the display of data from the remaining channels.
The QDPS features two redundant physically separated independent trains of display. The design ensures that an initiating failure (short-circuit, fault, etc.) in either a DPU or display unit will not result in the loss of both trains of DPUs and/or display units. The design meets the requirements of GDC 22.
7.5.6.2.7 Control and Protection System Interaction:  The only subsystem that is used for both protective and control functions is SGWLCS/TAS. Furthermore, control grade signals are output from the post-accident monitoring QDPS subsystem.
In all cases the transmission of signals from the QDPS for control or use by other non-Class 1E devices is through qualified isolation devices which are part of the QDPS. Faults, such as short circuits, open circuits, ground, or the application of credible AC or DC fault potential at the output of an isolation device, will not prevent the associated protection system channel from meeting minimum performance requirements.
Noise and isolation testing are addressed in Reference 7.5-1. The tests showed that the system remained functional within its specified accuracy, and met the acceptance criteria of isolation between the Class 1E safety instrumentation and non-Class 1E instrumentation, thus fulfilling the performance demonstration option of RG 1.75 position C.4 and IEEE 384-1974. In no case was the performance of the system degraded by abnormal electrical conditions imposed on the isolated input/output field wiring. In summary, the noise, fault, surge, and radio frequency interference test program demonstrated that the system performance did not degrade even when subjected to abnormal electrical conditions which far exceed those that can be reasonably postulated.
For the cases in which digital datalinks are utilized to transmit data to non-Class 1E devices (i.e., ERFDADS, main control board DMUX, recorder DMUX, and ASP DMUX), one-way datalink transmission through qualified isolation devices is utilized. This precludes the possibility of a failure in a non-Class 1E processor or datalink resulting in the loss of a safety-related system function.
This design meets the requirements of GDC 24.
7.5.6.2.8 Derivation of System Inputs:  To the maximum extent practicable, the QDPS inputs are derived from signals that are direct measures of the monitored variables.
7.5.6.2.9 Capability for Sensor Checks:  The QDPS has built-in diagnostics for checking the operational availability of each system component and input sensor during reactor operation.
This is achieved by continuous scanning by microprocessor based sensor data quality checks. A data quality is assigned to all channels of data input. The routine processes the redundant sensor inputs and, when possible, returns a group value of the valid sensors for use in the upper level displays.
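The data quality scan described in 7.5.6.2.9, sketched as an added example that is not taken from the UFSAR or from the QDPS software. The three quality labels, the 2%-of-span agreement tolerance, and the median/mean rule are assumptions; only the four-channel pressurizer water level with a 0-100% span comes from Table 7.5-1.

```python
import math
from dataclasses import dataclass
from enum import Enum
from statistics import median
from typing import Dict, Optional


class Quality(Enum):
    """Hypothetical quality labels; the UFSAR does not name the QDPS ones."""
    GOOD = "good"        # in range and agrees with the other channels
    SUSPECT = "suspect"  # in range but disagrees with the other channels
    BAD = "bad"          # missing, non-finite, or outside the instrument range


@dataclass(frozen=True)
class GroupResult:
    qualities: Dict[str, Quality]  # per-channel data quality
    group_value: Optional[float]   # None when no channel can be trusted
    valid_count: int               # number of channels behind the group value


def assess_channels(readings: Dict[str, Optional[float]],
                    lo: float, hi: float, tolerance: float) -> GroupResult:
    """Assign a quality to every redundant channel and, when possible,
    return a group value built only from the valid channels."""
    verdicts: Dict[str, Quality] = {}
    in_range: Dict[str, float] = {}

    # Step 1: range check. A failed input (None), NaN/inf, or a value
    # outside the instrument span can never contribute to the display.
    for channel, value in readings.items():
        if value is None or not math.isfinite(value) or not (lo <= value <= hi):
            verdicts[channel] = Quality.BAD
        else:
            in_range[channel] = value

    # Step 2: cross-channel check among the survivors.
    if len(in_range) == 1:
        # No peer to compare against: accepted on the range check alone.
        # valid_count == 1 lets the display flag the loss of redundancy.
        verdicts[next(iter(in_range))] = Quality.GOOD
    elif len(in_range) == 2:
        # Two channels cannot out-vote each other: both pass or both fail.
        a, b = in_range.values()
        verdict = Quality.GOOD if abs(a - b) <= tolerance else Quality.SUSPECT
        for channel in in_range:
            verdicts[channel] = verdict
    elif len(in_range) >= 3:
        # The median is not dragged by a single drifting channel.
        reference = median(in_range.values())
        for channel, value in in_range.items():
            ok = abs(value - reference) <= tolerance
            verdicts[channel] = Quality.GOOD if ok else Quality.SUSPECT

    # Step 3: group value from GOOD channels only.
    good = [in_range[ch] for ch, q in verdicts.items() if q is Quality.GOOD]
    group_value = sum(good) / len(good) if good else None
    ordered = {ch: verdicts[ch] for ch in readings}  # keep input order
    return GroupResult(ordered, group_value, len(good))


# Constructed sample scans (percent of span), not plant data.
PZR_LEVEL_SPAN = (0.0, 100.0)   # span from Table 7.5-1
TOLERANCE = 2.0                 # assumed agreement band, percent of span
SAMPLE_SCANS = {
    "one channel over range": {"I": 52.1, "II": 51.8, "III": 52.4, "IV": 104.0},
    "one drifting, one failed": {"I": 52.0, "II": 52.3, "III": 75.0, "IV": None},
    "two channels disagree": {"I": 40.0, "II": 60.0},
    "no valid input": {"I": None, "II": float("nan")},
}

if __name__ == "__main__":
    for label, scan in SAMPLE_SCANS.items():
        result = assess_channels(scan, *PZR_LEVEL_SPAN, TOLERANCE)
        marks = {ch: q.value for ch, q in result.qualities.items()}
        print(f"{label}: group={result.group_value} "
              f"valid={result.valid_count} {marks}")
```

A group value of `None` corresponds to the "when possible" qualifier in the text: the display gets no number rather than one built from channels that failed the checks.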
7.5.6.2.10 Capability for Test and Calibration:  The SGWLCS/TAS and ESF-qualified controllers have the capability for testing and calibration during reactor operation. The post-accident monitoring subsystem has the capability for checking the operational availability for each channel during reactor operation by cross checking between channels that bear a known relationship to each other. The safe shutdown qualified controllers are only required to be tested during scheduled station shutdowns. Refer to Section 7.2.2.2.3.10 for a description of the testing capabilities of the protection loops. The design meets the requirements of GDC 21.
7.5.6.2.11 Channel Bypass or Removal from Operation:  The SGWLCS/TAS subsystems are designed to permit all channels, one at a time, to be maintained, tested, or calibrated during power operation with no loss of safety function. The ESF qualified controllers are designed to permit all channels, one at a time, to be maintained, tested, or calibrated during power operation. Access to the cabinets for removing channels from service is administratively controlled.
7.5.6.2.12 Operating Bypasses:  There are no operating bypasses in QDPS.
7.5.6.2.13 Indication of Bypasses:  If one or more channels of the ESF-qualified controllers have been deliberately rendered inoperable, this fact will be continuously indicated on the QDPS display. If one or more channels of the SGWLCS/TAS subsystem have been deliberately rendered inoperable in the QDPS hardware, the action will result in the partial trip of the respective channel.
7.5.6.2.14 Access to Means for Bypassing:  The design of the QDPS allows administrative control of the means for manually bypassing channels associated with the ESF-qualified controller.
7.5.6.2.15 Multiple Setpoints:  There are no multiple actuation setpoints associated with the QDPS.
7.5.6.2.16 Completion of Protective Action Once It Is Initiated:  The SGWLCS subsystem of the QDPS is designed such that, once initiated, a protective action goes to completion.
7.5.6.2.17 Manual Initiation:  The QDPS design includes no means for manual initiation of a protective function at the system level. System level initiation is included as part of the Reactor Trip System (RTS) and the ESFAS, with which the QDPS is integrated.
7.5.6.2.18 Access to Setpoint Adjustments, Calibration, and Test Points:  The QDPS design permits access to all setpoints, data constants, and module calibration adjustments via a portable terminal which can be connected to the system through a serial port. Access to the cabinets is administratively controlled.
7.5.6.2.19 Identification of Protective Actions:  Protective actions initiated wholly or in part within the QDPS (SGWLCS/TAS and ESF controllers) are indicated on the control board.
7.5.6.2.20 Information Read-Out:  The QDPS is designed to provide the operator with accurate, complete, and timely display information pertinent to its own status and the status of plant variables. Through the use of cross-channel checking, the design minimizes the development of conditions which would cause meters, annunciators, recorders, alarms, etc., to give inconsistent or erroneous indications which could be confusing to the operator.
The response time of the QDPS is based upon the response time of the monitored systems and the utilization of the process variables being monitored. The design meets the requirements of GDC 13 and 19.
7.5.6.2.21 System Repair:  The QDPS is designed to facilitate the recognition, location, replacement, repair, or adjustment of malfunctioning components or modules.
7.5.6.2.22 Identification:  The QDPS and associated hardware have been distinctively identified as safety-related equipment.
7.5.7 Emergency Response Facilities Data Acquisition and Display System (ERFDADS)
7.5.7.1 ICS - ERFDADS Subsystem -  The ERFDADS functions are performed by several subsystems. Data acquisition is provided by the ICS through distributed processing units and through high speed datalinks from QDPS (Section 7.5.6), the Meteorological System (MET), and the Radiation Monitoring System (Section 11.5). ERFDADS performs the required data processing for offsite datalinks to the NRC ERDS. ICS work stations (i.e. CRT, CPU, & keyboard) are provided in the CR, TSC, ASR, and EOF. A simplified interconnection diagram is shown in Figure 7.5.7-1.
The ERFDADS is a distributed subsystem of ICS that performs the following functions:
: 1. Implementation of the Safety Parameter Display System (SPDS) as described in NUREG-0696 and supplement 1 to NUREG-0737.
: 2. Data acquisition and signal processing for the normal plant monitoring systems, including portions of the plant annunciator.
: 3. Data acquisition and signal processing for the ESF Status Monitoring System. The ESF Status Monitoring System is described in Section 7.5.4.
7.5.7.1.1 Safety Parameter Display - The SPDS, as described in NUREG-0696 and NUREG-0737 Supplement 1, is implemented via the ERFDADS. The design of the ERFDADS is integrated with the implementation of RG 1.97 (Appendix 7B) and the Control Room Design Review (CRDR) (Appendix 7A, Item I.D.1).
The ERFDADS provides plant and environmental data to aid operators and management in the CR, TSC, and EOF to respond quickly to abnormal operating conditions and mitigate the consequences of an accident. The ERFDADS functions during normal operations and emergencies to provide the following services:
: 1. Provide plant and environmental data required for the reactor operators to quickly assess the safety status of the plant.
: 2. Allow technical personnel access to comprehensive plant data, enabling them to assist operators without adding to the number of personnel in the control room.
: 3. Provide reliable plant data to the CR, TSC, ASR, and EOF.
: 4. Aid the operators in the detection of abnormal operating conditions.
: 5. Assist in the identification of the causes leading to any abnormalities.
: 6. Monitor plant response to corrective actions.
: 7. Provide grouping of parameters to enhance the operators' ability to assess plant status quickly without surveying all CR displays.
: 8. Provide human factors engineered display formats (simple and consistent display patterns and coding).
: 9. Provide display information on a real-time basis, along with validation of data and functional comparison capability.
: 10. Provide display information on a real-time basis for monitoring the RG 1.97 variables, as defined in Section 7.5.1 and Appendix 7B. These variables are utilized to monitor the critical safety functions of:
:: Subcriticality
:: Reactor coolant system integrity
:: Reactor coolant inventory
:: Reactor core cooling
:: Heat sink maintenance
:: Containment environment
The bases for the parameter selection are presented in Appendix 7B.
Table 7.5-1 identifies the specific parameters and indicates those available in the TSC and EOF.
7.5.7.1.2 Equipment Description:
7.5.7.1.2.1 Distributed Processors - The ICS-ERFDADS subsystem consists of non-Class 1E equipment that is utilized to receive field inputs from the RG 1.97-defined analog and digital variables and other supplementary information directly from the QDPS, MET, and RMS via redundant high speed datalinks.
The ICS performs any data processing required beyond that performed by the remote data acquisition equipment. Redundant distributed processing units are provided with adequate memory capacity to support ICS data acquisition, management, and transmission functions on a real time basis.
7.5.7.1.2.2 Man/Machine Interface - ICS workstations (CRT, CPU & keyboard) are located in the CR, TSC, ASR, and EOF to present ICS information (i.e. ERFDADS and Plant Computer) to operators and management in a concise, easily intelligible format.
The primary SPDS display page is available on all ICS workstations.
7.5.7.1.2.3 Power Supply - The ERFDADS related equipment, located within the power block including peripherals, is provided with power from a dedicated non-Class 1E uninterruptible power supply (UPS) capable of maintaining system operation for two hours. All ERFDADS equipment normal AC power to the UPS is provided from a non-Class 1E diesel generator-backed bus. The subject equipment is defined and controlled in accordance with plant procedures for the associated design documentation.
ERFDADS equipment located within the EOF and equipment used to support communication with the EOF, is provided with reliable 120 vac power.
7.5.7.2  System Operational Requirements - The ERFDADS data channels meet the 99-percent-availability requirement defined in NUREG-0696 Section 1.5 under pressure and temperature conditions exceeding cold shutdown conditions. The SPDS system meets an 80-percent-availability requirement during plant cold shutdown conditions.
Data processing through ICS is qualitatively comparable with other Post-Accident Monitoring System, RMS, and QDPS data displayed in the CR with respect to accuracy and response time.
7.5.7.3 HVAC Support - Adequate HVAC, with sufficient reliability to support the ERFDADS availability requirements, is provided to support the equipment in the TSC computer room. ERFDADS equipment located outside the TSC computer room is designed to function in the normal design environment for the areas in which the equipment is located.
The TSC HVAC is further described in Section 9.4.1.
7.5.7.4  Analysis -  The ERFDADS design ensures that any failure or malfunction of the ERFDADS equipment beyond the Class 1E isolation devices does not compromise any safety-related equipment, components, or structures.
A verification and validation plan is provided for the ERFDADS software to demonstrate conformance with the functional requirements of NUREG-0696 and NUREG-0737. This plan provides for an independent review of the system software.
Isolation and separation of Class 1E signals is provided in accordance with RG 1.75. Inputs to the ERFDADS are isolated at the exit point of the isolation devices (Figures 7.5.6-1 and 7.5.7-1).
This system is designed to meet the following criteria:
: 1. No single-point failure in any ERFDADS component has any effect on the plant operation. Any such failure is monitored in the CR. Redundant hardware is utilized when required to satisfy this requirement and to improve reliability.
: 2. Where redundant devices or assemblies are utilized, failure of one is detected and indicated to the ERF computer, and causes automatic transfer of functions to the other device or assembly without effect upon system performance.
: 3. On-line diagnostic routines and transmission error checking provisions in the data network and host processors aid in maintaining validity of all data interchanges and in verification of the continuous functional integrity of system equipment.
REFERENCES
Section 7.5:
7.5-1 Nasrallan, C. N., "Noise, Fault, Surge, and Radio Frequency Interference Test Report:  Westinghouse Eagle-21 Digital Family as Used in QDPS, RSMS, RVLIS, and ICCM", WCAP-11340 (Proprietary) and WCAP-11341 (Nonproprietary); November 1986; submitted by letter M. R. Wisenburg, HL&P to Vincent S. Noonan, NRC; dated December 5, 1986; ST-HL-AE-1824.
7.5-2 Jaffe, D. H., "Issuance of Amendments Re: Elimination of Requirements for Hydrogen Recombiners and Hydrogen Monitors (TAC Nos. MC4229 and MC4230)." November 30, 2004 (ST-AE-NOC-04001311)
7.5-3 NRC Regulatory Issue Summary 2005-20, "Revision to guidance formerly contained in NRC Generic Letter 91-18, Information to Licensees Regarding Two NRC Inspection Manual Sections on Resolution of Degraded and Nonconforming Conditions and on Operability," September 26, 2005.
TABLE 7.5-1
POST-ACCIDENT MONITORING INSTRUMENTATION

| Variable | Range/Status | Type/Category | Sensor Qualification: Environmental | Sensor Qualification: Seismic | Number of Channels | Control Room Indication | Sensor Power Supply | EOF Indication | TSC Indication | Conformance to RG 1.97, Rev. 2 |
|---|---|---|---|---|---|---|---|---|---|---|
| RCS Pressure (Wide Range) | 0-3000 psig | A1,B1,B2,C1,C2,D2 | Yes | Yes | 1 | QDPS, 1 recorded | 1E | Yes | Yes | Note b |
| RCS Wide Range Thot | 0-700°F | A1,B1,B2 | Yes | Yes | 1 per loop | QDPS, 4 recorded | 1E | Yes | Yes | Conforms |
| RCS Wide Range Tcold | 0-700°F | A1,B1,B2 | Yes | Yes | 1 per loop | QDPS, 4 recorded | 1E | Yes | Yes | Conforms |
| Wide Range Steam Generator Water Level | 0-100% of span | A1,B1,B2,D2 | Yes | Yes | 1 per steam generator | QDPS, 4 recorded | 1E | Yes | Yes | Conforms |
| Narrow Range Steam Generator Water Level | 0-100% of span | A1,B1,B2,D2 | Yes | Yes | 4 per steam generator | QDPS, 1 per SG recorded | 1E | Yes | Yes | Conforms |
| Pressurizer Water Level | 0-100% of span | A1,B1,D2 | Yes | Yes | 4 | QDPS, 1 recorded | 1E | Yes | Yes | Conforms |
| Containment Pressure | -5 to 65 psig | A1,B1,B2,C1,C2,D2 | Yes | Yes | 4 | QDPS, 2 recorded | 1E | Yes | Yes | Conforms |
| Steam Line Pressure | 0-1400 psig | A1,B1,D2 | Yes | Yes | 4 per loop | QDPS, 1 per loop recorded | 1E | Yes | Yes | Conforms |
| Refueling Water Storage Tank Water Level | 0-550,000 gal | A1,B1,D2 | Yes | Yes | 3 | QDPS, 2 meters, 2 recorded | 1E | Yes | Yes | Conforms |
| Containment Water Level (Wide Range) | El. -10'-5" to El. -4'-0" | A1,B1,B2,C2,D2 | Yes | Yes | 3 | QDPS, 1 recorded | 1E | Yes | Yes | Conforms (Note aa) |
| Containment Water Level (Narrow Range) | El. -16'-3" to El. -10'-9" | A1,B2,C2,D2 | Yes | Yes | 2 | QDPS, 2 recorded | 1E | Yes | Yes | Conforms (Note aa) |
| Auxiliary Feedwater Storage Tank Water Level | 0-535,000 gal | A1,B1,D2 | Yes | Yes | 3 | QDPS, 1 recorded | 1E | Yes | Yes | Conforms |
| Auxiliary Feedwater Flow | 0-700 gal/min | A1,B1,D2 | Yes | Yes | 1 per loop | QDPS, 4 meters, 4 recorded | 1E | Yes | Yes | Note o |
| High Range Containment Radiation Level | Note ii | A1,B1,B2,C2,E2 | Yes | Yes | 2 | QDPS, 2 meters, 2 recorded | 1E | Yes | Yes | Note s |
| Steam Generator Blowdown Radiation Level | Note ii | A1,B2,C2 | Yes | Yes | 1 per blowdown line | QDPS, 4 meters, 4 recorded | 1E | Yes | Yes | Conforms |
| Steam Line Radiation Level (Radioactivity Level - Vent from SG Safety Relief Valves/PORVs) | Note ii | A1,B2,C2,E2 | Yes | Yes | 1 per steam line | QDPS, 4 meters, 4 recorded | 1E | Yes | Yes | Conforms (Note gg) |
| Core Exit Temperature | 100-2200°F | A1,B1,C1 | Yes | Yes | 2 trains of 25 thermocouples each, equally distributed across core (in quadrants) | QDPS, hottest thermocouple and average of hottest quadrant recorded | 1E | Yes | Yes | Conforms |
| RCS Subcooling | 200°F subcooling to 50°F superheat | A1,B1 | Yes | Yes | 2 | QDPS, 2 recorded | 1E | Yes | Yes | Conforms |
| Neutron Flux (Extended Range) | 10^-8 to 200% Full Power | B1,D2 | Yes | Yes | 2 | QDPS, 2 recorded | 1E | Yes | Yes | Note r |
| Neutron Flux Startup Rate | -1.0 to +7.0 dpm | B1,D2 | Yes | Yes | 2 | Recorded as neutron flux, QDPS | 1E | Yes | Yes | Note r |
| Reactor Vessel Water Level | Upper Core Support Plate to Top of Vessel | B1,C2,D2 | Yes | Yes | 2 | QDPS, 1 recorded | 1E | Yes | Yes | Conforms |
| Containment Isolation Valve Status | Open/Closed | C2,D2 | Yes | Yes | 1 per valve | 1 pair of lights per valve | 1E | Yes | Yes | Note c |
| Containment Hydrogen Concentration | 0-10% Concentration | B3,C3 | Yes | Yes | 2 | QDPS, 1 recorded | 1E | Yes | Yes | Note kk |
| Control Rod Position Indication | Rods on Bottom | D3 | No | No | 1 per rod | LED | N-1E | No | No | Conforms (Note x) |
| Containment Pressure (Extended Range) | 0-180 psig | C1,C2 | Yes | Yes | 2 | QDPS, 1 recorded | 1E | Yes | Yes | Conforms |
| RCS Pressure (Extended Range) | 0-3500 psig | A1,B1,C1 | Yes | Yes | 2 | QDPS, 2 recorded | 1E | Yes | Yes | Note b |
| Unit Vent Radiation Level | Note a, Note ii | C2,E2 | Yes | No | 1 | CRT (RMS) | N-1E | Yes | Yes | Conforms (Notes a, w) |
| Fuel Handling Bldg. Exhaust Radiation Level | Note ii | C2,E2 | Yes | Yes | 2 | QDPS, 2 meters, 2 recorded | 1E | Yes | Yes | Conforms |
| Site Environmental Radiation Level (Portable Monitoring) | 10^-3 to 10^4 R/hr gamma; 1 to 5 x 10^4 mR/hr beta/gamma | C3,E3 | No | No | N/A | Portable Sampling | N-1E | No | No | Conforms (Note cc) |
| Site Environmental Radioactive Level (Portable Monitoring) | Note dd | C3,E3 | No | No | N/A | Portable Sampling | N-1E | No | No | Conforms (Note dd) |
| Pressurizer PORV Status | Open/Closed | B2,D2 | Yes | Yes | 1 per valve | 1 pair of lights per valve | 1E | Yes | Yes | Conforms |
| Pressurizer PORV Block Valve Status | Open/Closed | D2 | Yes | Yes | 1 per valve | 1 pair of lights per valve | 1E | Yes | Yes | Conforms |
| Pressurizer Safety Valve Status | Open/Closed | B2,D2 | Yes | Yes | 1 per valve | 1 Alarm, CRT (ERFDADS) | N-1E | Yes | Yes | Conforms |
| Pressurizer Heater Breaker Position | Open/Closed | D2 | Yes | Yes | 1 per bank | 1 pair of lights per bank | 1E | Yes | Yes | Note e |
| Pressurizer Pressure | 1700-2500 psig | D2 | Yes | Yes | 4 | QDPS, 1 recorded | 1E | Yes | Yes | Conforms |
| RCP Status | | | | | | | | | | |
| Breaker Position | Open/Closed | D2 | No | No | 1 per pump | 1 pair of lights per pump | N-1E | Yes | Yes | Conforms |
| Motor Current | 0-600 amps | D3 | No | No | 1 per pump | 1 meter per pump | N-1E | No | No | |
| Pressurizer Spray Valve Status | Open/Closed | D2 | No | No | 1 per valve | 1 light per valve | N-1E | Yes | Yes | Conforms |
| Charging Flow | 0-500 gal/min | D2 | Yes | Yes | 1 | QDPS | 1E | Yes | Yes | Conforms |
| Letdown Flow | 0-300 gal/min | D2 | Yes | Yes | 1 | 1 meter | N-1E | Yes | Yes | Conforms |
| Volume Control Tank Water Level | 0-100% of span | D2 | Yes | Yes | 2 | 1 meter | 1E | Yes | Yes | Conforms |
| CVCS Valve Status | Open/Closed | D2 | Yes | Isolation Valves Only | 1 per valve | 1 pair of lights per valve | 1E/N-1E | Yes | Yes | Conforms (Note f) |
| Charging Pump Status | On/Off | D2 | Yes | Yes | 1 per pump | 1 pair of lights per pump | 1E | Yes | Yes | Conforms (Note f) |
| Boric Acid Transfer Pump Status | On/Off | D2 | Yes | Yes | 1 per pump | 1 pair of lights per pump | 1E | Yes | Yes | Conforms (Note f) |
| RCP Seal Injection Flow | 0-20 gal/min | D2 | Yes | Yes | 1 per loop | QDPS, 4 recorded | 1E | Yes | Yes | Conforms (Note f) |
| SG Atmospheric PORV Status | 0-100% Open | D2,E2 | Yes | Yes | 1 per valve | QDPS, 1 meter per valve | 1E | Yes | Yes | Conforms |
| Main Steam Line Isolation Valve Status | Open/Closed | B2,D2 | Yes | Yes | 1 per valve | 1 pair of lights per valve | 1E | Yes | Yes | Conforms (Note f) |
| Main Steam Line Isolation Bypass Valve Status | Open/Closed | B2,D2 | Yes | Yes | 1 per valve | 1 pair of lights per valve | 1E | Yes | Yes | Conforms (Note f) |
| SG Safety Valve Status | Open/Closed | D2,E2 | Yes | Yes | 1 per valve | Alarm, CRT (ERFDADS) | N-1E | Yes | Yes | Conforms |
| Main Feedwater Control Valve Status | Open/Closed | D2 | Yes | Yes | 1 per valve | CRT (ERFDADS) | 1E | Yes | Yes | Conforms (Note f) |
| Main Feedwater Control Bypass Valve Status | Open/Closed | D2 | Yes | Yes | 1 per valve | CRT (ERFDADS) | 1E | Yes | Yes | Conforms (Note f) |
| Main Feedwater Isolation Valve Status | Open/Closed | D2 | Yes | Yes | 1 per valve | 1 pair of lights per valve | 1E | Yes | Yes | Conforms (Note f) |
| Main Feedwater Isolation Bypass Valve Status | Open/Closed | D2 | Yes | Yes | 1 per valve | 1 pair of lights per valve | 1E | Yes | Yes | Conforms (Note f) |
| Main Feedwater Flow | 0-5.0 x 10^6 lbs/hr | D2 | No | No | 3 per loop | QDPS, 1 per loop recorded | 1E | Yes | Yes | Conforms |
| SG Blowdown Isolation Valve Status | Open/Closed | D2 | Yes | Yes | 1 per valve | 1 pair of lights per valve | 1E | Yes | Yes | Conforms (Note f) |
| SG Blowdown Sample Isolation Valve Status | Open/Closed | D2 | Yes | Yes | 1 per valve | 1 pair of lights per valve | 1E | Yes | Yes | Conforms (Note f) |
| HHSI Flow | 0-2000 gal/min | D2 | Yes | Yes | 2 per SI pump (hot leg, cold leg) | 6 meters | N-1E | Yes | Yes | Conforms (Note p) |
| LHSI Flow | 0-3500 gal/min (hot leg), 0-5000 gal/min (cold leg) | D2 | Yes | Yes | 2 per SI pump (hot leg, cold leg) | 6 meters | N-1E | Yes | Yes | Conforms (Note p) |
| ECCS Accumulator Pressure | 0-700 psig | D2 | Yes | Yes | 2 per tank | 3 meters, 1 per tank, showing 2 channels | N-1E | Yes | Yes | Note bb |
| ECCS Accumulator Isolation Valve Status | Open/Closed | D2 | Yes | Yes | 1 per valve | 1 pair of lights per valve | 1E | Yes | Yes | Conforms |
| ECCS Accumulator Tank Level | 8700-9550 gal | D3 | No | No | 2 per tank | 3 meters, 1 per tank showing 2 channels | N-1E | Yes | Yes | Note j |
| Auxiliary Feedwater Valve Status | Open/Closed | D2 | Yes | Yes | 1 per valve | 1 pair of lights per valve | 1E | Yes | Yes | Conforms (Notes f and jj) |
| Containment Spray Flow | 0-3000 gal/min | D2 | Yes | Yes | 1 per train | 3 meters | N-1E | Yes | Yes | Conforms (Note p) |
| Containment Spray System Valve Status | Open/Closed | D2 | Yes | Yes | 1 per valve | 1 pair of lights per valve | 1E | Yes | Yes | Conforms (Note f and p) |
| Containment Spray Pump Status | On/Off | D2 | Yes | Yes | 1 per pump | 1 pair of lights per pump | 1E | Yes | Yes | Conforms (Note f and p) |
| Reactor Containment Fan Cooler | | | | | | | | | | Note m |
| Fan Status | On/Off | D2 | Yes | Yes | 1 per fan | 1 pair of lights per fan | 1E | Yes | Yes | |
| Differential Pressure | Alarm at low ΔP | D3 | No | No | 1 per fan | 1 alarm per fan | N-1E | Yes | Yes | |
| CCW Pump Discharge Pressure | 0-150 psig | D2 | Yes | Yes | 1 per train | QDPS | 1E | Yes | Yes | Conforms (Note f) |
| Containment Ventilation Valve Status | Open/Closed | D2 | Yes | Yes | 1 per valve | 1 pair of lights per valve | 1E | Yes | Yes | Conforms |
| CCW Header Temperature | 50-250°F | D2 | Yes | Yes | 1 per train | QDPS | 1E | Yes | Yes | Conforms |
| CCW Surge Tank Water Level | 0-100% of span | D2 | Yes | Yes | 1 per tank compartment | QDPS | 1E | Yes | Yes | Conforms (Note f) |
| CCW Flow to ESF Components: Pump Discharge; RCFC; RHR HX | 0-20,000 gal/min; 0-2500 gal/min; 0-7000 gal/min | D2 | Yes | Yes | 1 per CCW pump discharge, 1 per ESF component | QDPS | 1E | Yes | Yes | Conforms |
| CCW Valve Status | Open/Closed | D2 | Yes | Yes | 1 per valve | 1 pair of lights per valve | 1E | Yes | Yes | Conforms (Note f) |
| ECW Flow to ESF Components: CCW Pump Cooler; CCW HX; Standby DG; 300 Ton Essential Chiller* | 0-50 gal/min; 0-18,000 gal/min; 0-1900 gal/min; * 0-1300 gal/min | D2 | Yes | Yes | 1 per major ESF component | QDPS | 1E | Yes | Yes | Conforms (Note f) |
| ECW Valve Status | Open/Closed | D2 | Yes | Yes | 1 per valve | 1 pair of lights per valve or meter | 1E/N-1E | Yes | Yes | Conforms (Note f) |
| ESF Environment Temperature | Temperature above setpoint | D2 | Yes | Yes | 1 per ESF component/cubicle | 1 alarm | N-1E | Yes | Yes | Conforms (Note f and p) |
| ESF Cubicle Fan/Cooler Status | Fan Stopped/Running | D2 | Yes | Yes | 1 per fan/cooler | 1 pair of lights per item | 1E | Yes | Yes | Conforms (Note f and p) |
| Standby Power and Emergency Power Source Status | Bus Specific | D2 | Yes | Yes | 1 per bus | 1 meter or alarm for each power source | 1E/N-1E | Yes | Yes | Conforms |
| Other Safety-Related Energy Sources | Component Specific | D2 | Yes | Yes | 1 per source | 1 meter or alarm for each power source | 1E/N-1E | Yes | Yes | Conforms (Note y) |
| RHR Heat Exchanger Discharge Temperature | 50-400°F | D2 | Yes | Yes | 1 per heat exchanger | QDPS, 3 recorded | 1E | Yes | Yes | Conforms (Note p) |
| RHR Flow | 0-4000 gal/min | D2 | Yes | Yes | 1 per train | QDPS, 3 meters | 1E | Yes | Yes | Conforms (Note p) |
| RHR Valve Status | Open/Closed | D2 | Yes | Yes | 1 per valve | 1 pair of lights per valve | 1E | Yes | Yes | Conforms (Note f and p) |
| Reactor Trip Breaker Position | Open/Closed | D2 | Yes | Yes | 1 per breaker | QDPS, 1 pair of lights per breaker | 1E | Yes | Yes | Conforms (Note f) |
| Turbine Governor Valve Position | Open/Closed | D2 | Yes | No | 1 per valve | 1 pair of lights per valve | N-1E | Yes | Yes | Conforms (Note f, z) |
| Turbine Stop Valve Position | Open/Closed | D2 | Yes | No | 1 per valve | 1 pair of lights per valve | N-1E | Yes | Yes | Conforms (Note f, z) |
| Motor-Driven Auxiliary Feedwater Pump Status | On/Off | D2 | Yes | Yes | 1 per pump | 1 pair of lights per pump | 1E | Yes | Yes | Conforms (Note f) |
| Auxiliary Feedwater Turbine Pump Status | 0-2000 psig, Open/Closed | D2 | Yes | Yes | 1 pump discharge pressure indicator, 1 per steam inlet valve | QDPS, 1 meter, 1 pair of lights per valve | 1E | Yes | Yes | Conforms (Note f) |
| SI Pump Status | On/Off | D2 | Yes | Yes | 1 per pump | 1 pair of lights per pump | 1E | Yes | Yes | Conforms (Note f and p) |
| SI Valve Status | Open/Closed | D2 | Yes | Yes | 1 per valve | 1 pair of lights per valve | 1E | Yes | Yes | Conforms (Note f and p) |
| Emergency Ventilation Damper Position | Open/Closed | D2 | Yes | Yes | 1 per damper | 1 pair of lights per damper | 1E | Yes | Yes | Conforms (Note f) |
| Essential Cooling Water Pump Status | On/Off | D2 | Yes | Yes | 1 per pump | 1 pair of lights per pump | 1E | Yes | Yes | Conforms (Note f) |
| CCW Pump Status | On/Off | D2 | Yes | Yes | 1 per pump | 1 pair of lights per pump | 1E | Yes | Yes | Conforms (Note f) |
| RHR Pump Status | On/Off | D2 | Yes | Yes | 1 per pump | 1 pair of lights per pump | 1E | Yes | Yes | Conforms (Note f and p) |
| SI Actuation Status | On/Off | D2 | Yes | Yes | 1 per actuation train | 1 Alarm | 1E | Yes | Yes | Conforms |
| Containment Isolation Actuation Status | On/Off | D2 | Yes | Yes | 1 per actuation train | 1 Alarm | 1E | Yes | Yes | Conforms |
| Control Room Radiation Level | Note ii | E3 | No | No | 1 | CRT (RMS) | N-1E | Yes | Yes | Note l |
| | Note ii | E2 | Yes | Yes | 2 | QDPS, 2 meters, 2 recorded | 1E | Yes | Yes | Conforms |
| Access Area Radiation | Note ii | E3 | Yes | No | 1 per designated area | CRT (RMS) | N-1E | Yes | Yes | Note l |
| Condenser Vacuum Pump Radiation Level | Note ii | C3 | No | No | 1 | CRT (RMS) | N-1E | Yes | Yes | Note n |
| Concentration from Liquid Pathways | | | | | | | | | | |
| Liquid Radwaste | Note ii | E2 | Yes | No | 1 per plant | CRT (RMS) | N-1E | Yes | Yes | Note t |
| Effluent Path Flow Rate/Status | | | | | | | | | | |
| Liquid Radwaste Flow | 0-100% of span | E3 | No | No | 1 | CRT (RMS) | N-1E | Yes | Yes | Note q |
| Valve Status | Open/Closed | E2 | Yes | No | 1 per valve | 1 pair of lights per valve | N-1E | Yes | Yes | Notes q, w |
| Unit Vent Flow | 37,000-290,500 ft³/min | E2 | Yes | No | 1 | CRT (ERFDADS) | N-1E | Yes | Yes | Note w |
| Meteorological Parameters | | E3 | No | No | 15 | CRT (ERFDADS) | N-1E | Yes | Yes | Notes u, l |
| Wind Direction | 0-540° | | | | | | | | | |
| Wind Speed | 0-50 mph (10m); 0-100 mph (60m) | | | | | | | | | |
| Atmospheric Stability: ΔT | -6 to 6°F | | | | | | | | | |
| Atmospheric Stability: Sigma Theta | 0-60° | | | | | | | | | |
| Containment Atmospheric Temperature | 50-200°F | D3 | No | No | 1 | 1 meter | N-1E | No | No | Note i |
| Containment Sump Water Temperature | 50-400°F | D3 | No | No | 1 per RHR HX inlet | CRT (ERFDADS) | N-1E | Yes | Yes | Note k |
| Quench Tank Temperature | 50-350°F | D3 | No | No | 1 | 1 meter | N-1E | No | No | Conforms (Note ee) |
| Quench Tank Pressure | 0-100 psig | D3 | No | No | 1 | 1 meter | N-1E | No | No | Conforms (Note ee) |
| Quench Tank Water Level | 0-100% of span | D3 | No | No | 1 | 1 meter | N-1E | No | No | Conforms (Note ee) |
| Radioactive Liquid Tank Level | 0-100% of span | D3 | No | No | 1 per tank | None | N-1E | No | No | Note hh |
| Boric Acid Tank Charging Flow | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | Note g |
| Heat Removal by the Containment Fan Heat Removal System | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | Note m |
| Radioactive Gas Holdup Tank Pressure | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | Note ff |

* The 150 ton chillers have been abandoned with the ECW isolation valves replaced with blanks and the associated ECW flow transmitters removed.
NOTES
: a. To cover the required range of particulates and halogens, a combination of on-line detection and grab sample capability with onsite analysis is employed. These monitors are environmentally qualified, but not seismically qualified, since they are attached to a nonseismic system.
: b. Reactor Coolant System (RCS) Pressure - one qualified channel of wide range RCS pressure and two qualified channels of extended range RCS pressure are used to monitor RCS pressure for STP.
: c. Containment Isolation Valve Status - STP has identified instrumentation that is necessary to assess the process of accomplishing or maintaining critical safety functions. The critical safety functions defined are equivalent to those utilized in the Westinghouse Owners Group Emergency Response Guidelines, i.e., Subcriticality, RCS Integrity, Reactor Coolant Inventory, Reactor Core Cooling, Heat Sink Maintenance, and Containment Environment.
Containment isolation valve status is not a critical safety function. However, the Containment isolation valve positions were designated variables for monitoring the actual gross breach of the Containment and are therefore designated as Category 2.
The appurtenances and power supplies for the Containment isolation valves meet the intent of Regulatory Guide (RG) 1.97 Category 1 instrumentation. For isolation valves in series, a single indication on each valve is sufficient to satisfy the requirements when those indications are powered from different trains.
: d. Deleted 
: e. The STP has 2 banks of pressurizer heaters normally loaded on the Class 1E emergency buses. Hence, the requirements stated in NUREG-0737, Section II.E.3.1 are met without necessitating operator action. Since the heater banks are normally loaded on emergency buses, heater breaker position was selected for determining pressurizer heater status.
: f. A study performed on STP indicated that these parameters were needed in the minimum set of parameters necessary to monitor the performance of:
: 1. Plant safety systems employed for mitigating the consequences of an accident and subsequent plant recovery to attain a safe shutdown condition, including verification of the automatic actuation of safety systems.
: 2. Systems normally employed for attaining a cold shutdown condition.
: g. Boric Acid Tank Charging Flow - For monitoring the performance of the Emergency Core Cooling System (ECCS), STP has designated Refueling Water Storage Tank (RWST) Level, High Head Safety Injection (HHSI) Flow, Low Head Safety Injection (LHSI) Flow, Containment Water Level, and ECCS Valve Status. Since the ECCS does not take suction from the Boric Acid Tank (BAT), the Boric Acid Charging Flow was not designated a key variable. If the operator uses the BAT for boration following an accident, normal charging flow and RCS sampling is used to demonstrate that the RCS is being borated.
: h. Deleted. 
: i. The key STP variables for monitoring the accomplishment of Containment cooling are Containment Spray Flow, Containment Water Level (wide range), Containment Water Level (narrow range), Containment Pressure, Containment Spray System Valve Status, Containment Spray Pumps Status and Reactor Containment Building (RCB) fan cooler differential pressure/status. Immediately after Containment spray is initiated, the Containment atmosphere is saturated and the temperature is calculated from the Containment pressure.
: j. The span of the installed instrument is approximately 14 inches from 39 to 64 percent of the tank volume. The two series check valves in each accumulator discharge line prevent fluid addition during operation. Accumulator isolation valve position, vent valve position and pressure (all of which are Category 2 instrumentation) provide the operator adequate information to monitor the status of the accumulators.
: k. Containment sump water temperature is not required for ECCS operation or assurance that minimum net positive suction head (NPSH) requirements are met.
NPSH calculations conservatively assume saturated water is present (Section 6.2.2.3.5). Containment water level measurements indicate that a source of water is available and, as described in Note i, Containment cooling is verified by other plant parameters. Therefore this variable designation is Type D, Category 3. Should an indication of sump water temperature be desirable, the Residual Heat Removal (RHR) heat exchanger inlet temperature should be used.
: l. Conforms to RG 1.97, Rev. 3.
: m. Heat removal by the Containment Heat Removal System (CHRS) - Other parameters were designated as STP type D variables to demonstrate that the Containment heat removal systems are operating properly. These include the following:
: Containment Spray Flow
: Containment Spray System (CSS) valve status
: Containment Pressure
: Containment Water Level
: Containment Spray Pump Status
: Reactor Containment Fan Cooler (RCFC) Status
:: - Fan Status
:: - Differential Pressure
: n. Condenser Vacuum Pump Radiation Monitor - This parameter is considered to be a backup variable for the measurement of secondary side radiation.
Main steam line radiation monitors are adequate to provide primary indication of this information. The condenser vacuum pumps discharge is monitored for effluent release by the unit vent radiation monitor.
: o. The STP design utilizes four physically separated auxiliary feedwater lines. The four Class 1E transmitters provide the redundancy required. The required redundancy with a four-loop plant is provided by one channel per loop. Steam generator (SG) Water Level Wide Range provides a diverse backup. Total AFW flow (0-2800 gpm) is also displayed via the Qualified Display Processing System (QDPS).
: p. These systems may see radiation from components in the recirculation path.
: q. Effluent Path Flow Rate/Status - Variables which provide the operator with information to estimate the magnitude of release of radioactive materials through identified pathways. Valve status is the primary variable and flow rate is a backup variable.
: r. Neutron Flux - No diverse variable is required since the failure of one channel will not cause the operator to violate the required safety function.
: s. Two Containment high-range radiation monitors (HRRM) meet the requirements of a Type A variable.
These monitors are Class 1E, redundant, and qualified to Category 1 requirements as presented in Appendix 7B and Appendix 7A. These two qualified high-range radiation monitors also satisfy the requirements of NUREG-0737. Six non-qualified area monitors are located throughout Containment with a nominal range of 0.1 to 10,000 mR/hr that provide additional monitoring over this range. In addition, the off-scale high readings of these low-range monitors provide some information to resolve ambiguity above this range.
: t. The study performed on STP indicated that these parameters were included in the minimum set of parameters necessary to monitor for release of radioactivity via liquid effluent pathways. These monitors are environmentally qualified, but not seismically qualified since they are attached to nonseismically qualified systems.
: u. Meets requirements of RG 1.23. Refer to Table 2.3-23 for additional information.
: v. Not used
: w. These Category 2 sensors are environmentally, but not seismically qualified, since they are attached to a nonseismic system.
: x. Rod position indication is provided in the Control Room (CR) via the digital rod position indication system light emitting diode (LED) display.
: y. Instrument loops on Class 1E systems are qualified up to and including channel isolation devices.
: z. These Category 2 sensors are environmentally and seismically qualified; however, they are installed in a nonseismic system and are therefore not listed as seismically qualified instruments. They are installed using mountings similar to those used for comparable seismically qualified equipment.
aa. A description of the Containment water level measurement design is provided in Appendix 7A, item II.F.1.
bb. The maximum pressure allowed by the Technical Specifications is between 590 and 670 psig.
The two series check valves in each accumulator discharge line prevent fluid addition to the tank during operation. The accumulator discharge valves are also locked open during operation. Hence, any malfunction of the two check valves would be immediately indicated in the CR. The accumulator is also protected by a spring-loaded safety valve with a setting of 700 psig.
cc. Refer to Table 12.5-1 for additional information.
dd. A scintillation-type analyzer is provided to perform I-131 equivalent analyses.
ee. Digital inputs to the Emergency Response Facilities Data Acquisition and Display System (ERFDADS) for the quench tank (pressurizer relief tank) are the following:  high/low water level, high pressure, and high temperature. These digital points are available at the Emergency Operations Facility (EOF) and Technical Support Center (TSC) using ERFDADS.
ff. The STP Gaseous Waste Processing System (GWPS) does not utilize gas holdup tanks. The GWPS design description is provided in Section 11.3. This variable is not applicable to the STP design.
gg. As indicated in NUREG-0737, Item II.F.1, offline monitors are not required for pressurized water reactor secondary side safety valve and dump valve discharge lines. Main steam line radiation monitors have been provided, as indicated in this table (A1, B2, C2, E2 type and category).
hh. Indication and alarm for Liquid Waste Processing System tank levels are provided in the radwaste control room, which is located in the Mechanical Auxiliary Building, except for the Reactor Coolant Drain Tank (RCDT). Level indication and alarms for the RCDT are provided in the CR. For further information, refer to Section 11.2 and Table 11.2-5A.
ii. Ranges for these instruments are stated in Table 11.5-1 or Table 12.3.4-1.
jj. For the AFW system components included in this group, "harsh" environment qualification is only required for the AFW turbine-driven pump steam inlet valve. All other components in this group do not require "harsh" environment qualification because accident analyses do not credit them for their accident mitigation function following a high energy line break in the faulted loop IVC compartment. In addition, the instruments listed in this group are not required to monitor or provide information to the operator in the faulted loop IVC compartment. Note, the IVCs are divided into four separate cubicles (one for each train) separated by concrete structural walls. Each IVC cubicle contains the equipment associated with one safety train ensuring total train separation. A high-energy line break in one cubicle will not adversely affect equipment in the other cubicles.
kk. Per Reference 7.5-2, the hydrogen monitors can be classified as Category 3.
TABLE 7.5-4
FAILURE MODES AND EFFECTS ANALYSIS
QUALIFIED DISPLAY PROCESSING SYSTEM

| Description of Component | Safety Function | Plant Operating Mode* | Failure Mode(s) | Method of Failure Detection | Failure Effect on System Safety Function Capability | General Remarks |
|---|---|---|---|---|---|---|
| Remote Processing Unit (RPU) (Typical) | 1) Receive inputs from process sensors and process protection racks 2) Convert data to process units | 1, 2, 3, 4, and 5 | 1 & 2) Failure of signal conditioning (analog input card failure) | 1 & 2) Analog inputs exceed reasonability limits. RPU "flags" data as having erroneous information. Its value is limited to the reasonability limit, and a message is provided to the display as failed channels, open signal conditioning card fuse, or signal card out of slot. | 1 & 2) None - A loss of RPU data to the database processing unit (DPU) occurs. However, data from other redundant RPUs is available to the plasma display unit via redundant DPUs | RPU transfers data to DPU, and RPUs A & C transfer data to the Emergency Response Facilities Data Acquisition and Display System (ERFDADS) |
| DPU (NE) (Typical) | 1) Receive data from RPU 2) Scan data for error flags 3) Transmit data to plasma display module (PDM) | 1, 2, 3, 4, and 5 | 1, 2, & 3) Failure of input data link from RPU | 1, 2, & 3) Annunciation, error message displayed on PDM | 1, 2, & 3) None - Redundant DPU received same data via redundant data link | DPU transfers data to the Emergency Response Facilities Data Acquisition and Display System (ERFDADS) |
| DPU (NE) (Typical) | See above | 1, 2, 3, 4, and 5 | CPU failure | See above | None - Redundant DPU updated data on PDM | |
| Plasma Display Module (NE) (Typical) | Receive data from the assigned DPU and display it on screen | 1, 2, 3, 4, and 5 | Device failure (blown fuse) | Blank screen | None - Loss of data to display module occurs. However, redundant display provided in control room | |
| Eagle 21 (NE) (Typical) | Perform Class 1E valve control | 1, 2, 3, 4, and 5 | Failure to provide valve control | Operator interface module indicates failed input or message available at plasma display | None - Redundant process components provided to required safety functions | |
| Steam Generator Level Compensation (NE) | Provides density compensation in the steam generator level signal input to the steam generator low-low level reactor trip set point | 1, 2, 3, 4, and 5 | Temperature sensor failure | Failure of one RTD per channel indicated on ERFDADS; failure of both RTDs in one channel is annunciated on the plasma display | None - Redundant sensor channels provided | |
| Channel I AC Power (Channel II, III, & IV analogous) | Provides 120 vac power to channel components | 1-6 | Loss of AC power | Analog ERF pt. to monitor voltage at distribution panel; digital under-voltage ERF pt. at distribution panel | None - Redundant channels provide system safety capability | 1) Channel I AC failure: lose APC A, DPU A & PAM I CB DISPLAY. Redundant information provided by APC C, DPU C, & PAM II CB DISPLAY 2) Channel II AC failure: lose APC D only. Redundant information provided from APC A 3) Channel III AC failure: lose APC B only. Redundant information provided from APC C 4) Channel IV AC failure: lose APC C, DPU C & PAM II CB DISPLAY. Redundant information provided by APC A, DPU A, & PAM I CB DISPLAY |
| RCS Hot Leg Temperature Averaging | Provides the average narrow range hot leg temperature on signal to the reactor trip and ESF systems | 1, 2, 3, 4, and 5 | Temperature sensor failure | Failure of one RTD per loop indicated on ERFDADS; failure of two or more RTDs per loop is annunciated on the plasma display | None - Redundant sensor channels provided | |

* Plant Modes
: 1. Power Operation
: 2. Start-up
: 3. Hot Standby
: 4. Hot Shutdown
: 5. Cold Shutdown
: 6. Refueling

==7.6 ALL OTHER SYSTEMS REQUIRED FOR SAFETY==
====7.6.1 Instrumentation and Control Power Supply System====
7.6.1.1 Description. The Instrumentation and Control (I & C) Power Supply System consists of six inverters and six distribution panels, two each for Channels I and IV, and one each for Channels II and III. Each inverter is independently connected to one distribution panel, as shown on Figure 8.3-3 (sheet 1). The inverters provide power for the operation of the Nuclear Steam Supply System (NSSS) instrumentation and other vital instrumentation. This power is derived from the 480 V Class 1E AC Power Distribution System or the station Class 1E DC Power System, which assures continuous operation of NSSS instrumentation in the event of a loss of offsite power (LOOP). In addition to these power sources, each distribution panel may be connected to a source of regulated 120 vac power, also derived from the 480 V Class 1E AC Power Distribution System. The connection from the inverters or regulated source to Distribution Panels DP1201, DP1202, DP1203, DP1204, DP001 and DP002 is connected through a manually operated breaker located in each respective distribution panel.
For more information relative to Inspection and Enforcement (IE) Bulletin 79-27, see the response to Nuclear Regulatory Commission (NRC) Question 032.042.
7.6.1.2 Analysis. There are three independent 480 vac power sources, one serving two channels and the other two serving one channel each. There are four independent batteries, each served by two battery chargers. Each battery is connected to a bus serving the corresponding inverter(s). Failure of either the AC or DC source automatically switches the load to the alternate power source.
Each inverter is independently connected to its respective instrument distribution panel so that the loss of an inverter cannot affect more than one of the six distribution panels.
In addition, the six distribution panels are connected to backup sources of 120 vac power.
The connection from the inverters or regulated source to Distribution Panels DP1201, DP1202, DP1203, DP1204, DP001 and DP002 is connected through a manually operated breaker located in each respective distribution panel.
Loss of power to any distribution panel, as well as other bus, inverter, and charger problems, is alarmed in the control room. There are no inverter breaker controls on the control board, as no manual transfers are necessary in the event of loss of one power source.
The design is in compliance with General Design Criteria (GDC) 17, Institute of Electrical and Electronic Engineers (IEEE) Standard 308-1974, and Regulatory Guides (RG) 1.6 and 1.32. Availability of this system is continuously indicated by the operational status of the systems it serves and is verified by periodic testing performed on the systems it serves.
The inverters are only seismically qualified.
====7.6.2 Residual Heat Removal Isolation Valves====
7.6.2.1 Description. There are two motor-operated gate valves in series in each inlet line from the Reactor Coolant System (RCS) to the Residual Heat Removal System (RHRS), as shown on Figure 5.4-6. They are normally closed and are manually opened from the control room for residual heat removal (RHR) after RCS pressure and temperature are reduced to approximately 350 psig and 350°F, respectively. As shown on Figure 5.4-6 and on the control logic (Figure 7.6-2), the two valves in each RHR inlet line are powered from different Class 1E power sources. Additionally, power is locked at the motor control center (MCC) breaker for the valve closest to the RHR pump to mitigate the consequences of spurious opening of the valves during plant operation.
These valves are controlled by three RCS wide-range pressure transmitters, shown on Figure 5.1-1. The transmitters, PT-405, PT-406, and PT-407, are located outside the Containment. Conformance of the design to Containment isolation requirements is discussed in Section 6.2.4. Two additional RCS wide-range pressure transmitters, PT-403 and PT-404, are also shown on Figure 5.1-1. These transmitters are used for RCS cold overpressure mitigation (via the pressurizer power-operated relief valves [PORVs]). These two transmitters are located inside the Containment.
The signal from each transmitter controlling the RHR inlet isolation valves provides a permissive that allows valve opening below a preset pressure. The open permissive ensures that the valve is not opened when the RCS pressure plus the RHR pump discharge pressure is above the RHRS design pressure. The two valves in each RHR train receive pressure signals from different pressure transmitters, through the Engineered Safety Features (ESF) actuation train corresponding to the train of power supplied to the valve.
7.6.2.2 Analysis. The applicable requirements of IEEE 308-1974 are applied to the electrical power supply for the RHRS pump motors and to the I&C for the motor-operated RHR inlet isolation valves. Based on the scope definitions presented in IEEE 279-1971 and 338-1971, these criteria do not apply to the RHR isolation valve interlocks; however, in order to meet Nuclear Regulatory Commission (NRC) requirements and because of the possible severity of the consequences of loss of function, the requirements of IEEE 279-1971 are applied with the following comments:
: 1. For the purpose of applying IEEE 279-1971 to this circuit, the following definitions are used.
: a. Protection System
The two valves in series in each line and the components of their interlocking circuits.
: b. Protective Action
To Assure Operability of One RHRS Train
For assured plant cooldown, the protective action is the removal of the RHRS interlock when RCS pressure is below a preset pressure.
: 2. IEEE 279-1971, Paragraph 4.10: The above mentioned pressure interlock signals and logic are testable on-line to the maximum extent possible without adversely affecting safety. This test includes the analog signal through to the associated output bistables in the process equipment. This is done in the best interest of safety since opening the valve at power could potentially leave only one remaining valve to isolate the low-pressure RHRS from the RCS. The pressure interlock signals and logic to the valves are tested routinely when the reactor is shut down. This test verifies the protective action and assures functionality of the interlock for each RHRS train.
Since the two valves in each RHR train are powered by separate power trains and actuated by separated actuation trains, no single failure can compromise the required RHR functions. Operability for assured plant cooldown is assured because a failure in any one actuation or power train isolates only two trains, leaving the third train still operable. Interlock diversity is provided as approved in License Amendments 194/182.
The interlock system meets the appropriate qualification standards, as discussed in Sections 3.10 and 3.11.
====7.6.3 Accumulator Motor-Operated Valves====
In considering that the requirements of IEEE 279-1971 apply to protective actions at both the channel level and system level, it is noted that for the accumulator isolation valves, the basis for control and proper functions is administrative control and passivity; the scope of IEEE 279-1971 covering protective action at the system level does not apply, although there is a requirement for protective action at the channel level. The interlock control features of the accumulator isolation valves at the channel level function in a confirmatory manner, and the requirements of IEEE 279-1971 are applied with the following comments:
: 1. When the pressurizer pressure is above or below the P-11 setpoint (approximately 1,900 psi), there are redundant interlock signals generated that are derived by sensors processed through circuitry designed to IEEE 279-1971 requirements in the analog process control racks and distributed as binary input (voltage/no voltage) signals to the Solid-State Protection System (SSPS) cabinets. Here they become logic signals that produce contact-available outputs from the safeguards cabinets. Signals are generated from each cabinet when two out of three of the pressurizer pressure channels indicate a pressure above or below 1,900 psi, as shown on Figure 7.2-6. When the pressure is above this setpoint, signals are sent to the accumulator isolation valves to automatically open them.
: 2. In addition to the above signal, which is utilized as part of the interlock control features for the accumulator isolation valves, each safeguards cabinet produces a safety injection (SI) signal which is also utilized in the control features for these valves.
: 3. The interlocks for the accumulator motor-operated valves meet the appropriate qualification standards (IEEE 323 and 382), as discussed in Section 3.11.
The design of the interconnection of these signals to the accumulator isolation valve meets the following criteria established in previous NRC positions (BTP ICSB 4) on this matter:
: 1. Automatic opening of the accumulator valves when (1) the primary coolant system pressure exceeds a preselected value specified in the Technical Specifications or (2) an SI signal has been initiated. Both signals are provided to the valves.
: 2. Utilization of an SI signal to automatically remove (override) any bypass features that are provided to allow an isolation valve to be closed for short periods of time when the RCS is at pressure. As a result of the confirmatory SI signal, isolation of an accumulator with the reactor at pressure is acceptable.
The control circuit for these valves is shown on Figure 7.6-3. The valves and control circuits are further discussed in Sections 6.3.2 and 6.3.5.
The Safety Injection System (SIS) accumulator discharge isolation valves are motor-operated, normally open valves and are controlled from the main control board.
These valves are interlocked such that:
: 1. They open automatically upon receipt of an SI signal with the main control board switch in either the AUTO or CLOSE position.
: 2. They open automatically whenever the RCS pressure is above the SI unblock pressure (P-11) only when the main control board switch is in the AUTO position.
: 3. They cannot be closed as long as an SI signal is present.
The main control board switches for these valves are three position switches which provide a "spring return to Auto" from the open position and a "maintain position" for the closed position.
The "maintain closed" position is required to provide an administratively controlled manual block of the automatic opening of the valve at pressure above the SI unblock pressure (P-11). The manual block or "maintain closed" position is required when performing periodic check valve leakage tests when the reactor is at pressure and at hot standby. The valve is closed from the control board by placing it in the "maintain closed" position. As part of the check valve leakage test when reactor pressure is above SI unblock pressure, the automatic open-upon-pressure interlock is tested at the main control board by use of the valve indication lights. Administrative control is required to ensure that any accumulator valve that has been closed at pressures above the SI unblock pressure is returned to the AUTO position. Verification that the valve automatically returns to its normal full-open position is also required.
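The three interlock rules and the two-out-of-three P-11 vote described above can be checked exhaustively over every input combination. The Python model below is an added illustration, not part of the UFSAR or of any plant software; the function names, the "hold" demand, the strict greater-than comparison at the setpoint and the sample pressures are assumptions, and power lockout of the valve operator is not modelled.

```python
from enum import Enum
from itertools import product

# The text gives the P-11 setpoint only as "approximately 1,900 psi".
P11_SETPOINT_PSI = 1900.0


class Switch(Enum):
    OPEN = "open"    # spring-returns to AUTO when released
    AUTO = "auto"
    CLOSE = "close"  # "maintain closed": administratively controlled manual block


def above_p11(channels):
    """Two-out-of-three vote on the pressurizer pressure channels."""
    if len(channels) != 3:
        raise ValueError("expected exactly three pressure channels")
    return sum(p > P11_SETPOINT_PSI for p in channels) >= 2


def valve_demand(switch, si_signal, channels):
    """Demand on one accumulator isolation valve: 'open', 'close' or 'hold'."""
    if si_signal:
        return "open"   # rules 1 and 3: SI opens the valve and overrides CLOSE
    if switch is Switch.OPEN:
        return "open"
    if switch is Switch.AUTO:
        # rule 2: the pressure interlock acts only with the switch in AUTO
        return "open" if above_p11(channels) else "hold"
    return "close"      # CLOSE without SI: the manual block keeps the valve shut


def next_position(position, demand):
    """Valve position after the demand is carried out (stroke time ignored)."""
    if demand == "hold":
        return position
    return "open" if demand == "open" else "closed"


def check_properties():
    """Enumerate every input combination; return each violation of the stated rules."""
    violations = []
    levels = (1800.0, 2000.0)  # constructed pressures: one below, one above P-11
    for switch, si, chans, pos in product(
            Switch, (False, True), product(levels, repeat=3), ("open", "closed")):
        new = next_position(pos, valve_demand(switch, si, chans))
        state = (switch.name, si, chans, pos)
        if si and new != "open":
            violations.append(("SI must open the valve and block closure", state))
        if not si and switch is Switch.AUTO and above_p11(chans) and new != "open":
            violations.append(("P-11 interlock must open the valve in AUTO", state))
        if not si and switch is Switch.CLOSE and new != "closed":
            violations.append(("maintain-closed must block the P-11 opening", state))
    return violations


def vote_survives_single_failure():
    """One channel failed high or failed low must not change the 2-of-3 result."""
    low, high, failed_high, failed_low = 1800.0, 2000.0, 3000.0, 0.0
    for i in range(3):
        truly_high = [high] * 3
        truly_high[i] = failed_low
        truly_low = [low] * 3
        truly_low[i] = failed_high
        if not above_p11(truly_high) or above_p11(truly_low):
            return False
    return True


if __name__ == "__main__":
    print("violations:", check_properties())
    print("single-failure tolerant vote:", vote_survives_single_failure())
```

The case that depends on administrative control is visible in the model: with the switch left in CLOSE, no SI signal and pressure above P-11, the demand stays "close", which is why the text requires the switch to be returned to AUTO.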
These normally open motor-operated valves have ESF monitoring alarms indicating a mispositioning with regard to their emergency core cooling function. In addition, an annunciator system, as discussed in Section 6.3.5.5.1, is provided to alert the operator when an accumulator discharge isolation valve is closed when the RCS pressure is above the P-11 setpoint.
When the reactor is at power, except during the tests described above, these valves are open and power to the valve operator is locked out. During plant shutdown, the accumulator valves are in a closed position. To prevent an inadvertent opening of these valves during that period, the accumulator valve breakers should be opened. Refer to Section 6.3.5.5.1 for discussion on power lockout for these valves. Administrative control is again required to ensure that these valve breakers are closed during the prestartup procedures.
====7.6.4 Switchover From Injection To Recirculation====
The automatic signal for switchover to recirculation from the injection phase during a Loss-of-Coolant Accident (LOCA) is derived from the Refueling Water Storage Tank (RWST) low-low level signal coincident with the latched SI signals. This signal is provided by the SSPS. The functional logic diagram showing this feature is presented in Figure 7.6-9. Open-closed status lights are provided on the main control board for each miniflow valve, Containment sump isolation valve, and RWST isolation valves.
The automatic switchover signal actuates the following Emergency Core Cooling System (ECCS) components:
: 1. Close the high head and the low head SI pumps miniflow motor-operated valves (MOV) when the automatic signal is generated and the Main Control Board (MCB) manual switches for the miniflow MOVs are in the automatic position. Refer to Figure 7.6-4 for the logic diagram.
: 2. Open the Containment sump isolation MOVs when the automatic signal is generated and the appropriate signals showing closure of the miniflow valves are received. Refer to Figure 7.6-5 for the logic diagram.
: 3. Initiate alarm in the main control room to notify the operator that switchover has commenced.
Further information regarding the switchover from the injection mode to the recirculation mode is given in Section 6.3.2.8. Also, during on-line test of the automatic recirculation switchover signal, the test switchover signal is blocked as long as the RWST isolation valve is open. Interlocking between testing and closure of the RWST isolation valve (XSI0001 A, B and C) is provided in the Safeguards Test Cabinets.
Additionally, the SIS includes an interlock which prevents the RWST isolation valves from being opened when the MCB manual switch is turned by operator action to open unless the corresponding sump isolation valve is closed (Figure 7.6-6).
7.6.4.1 Analysis of Switchover to Recirculation from Injection Phase During LOCA. This automatic feature assures that minimal operator action is required for 5.5 hours after an accident.
This is further discussed in Section 6.3.2.8. Functionally, the switchover to recirculation from injection phase after LOCA as well as redundancy and compliance with the single failure criteria, is similar to Westinghouse standard two-train plants. In the translation of these functions into hardware there are some differences. Reliability goals of these functions are consistent with those of the standard two-train plants which have been previously reviewed. Although the recirculation switchover is automatic, there is a minimum of operator attention required as noted in Table 6.3-7. The interlock provides for retention of the SI signal, should one be generated, that allows for the automatic switchover. In the automatic switchover circuit, the SI signal is individually sealed in (latched), so that loss of the SI actuation signal will not cause the automatic switchover circuit to return to the condition held prior to the advent of the SI actuation signal. The SI signal is maintained by the contact of a slave relay in the SSPS output cabinet that closes on SI and remains closed until manually reset from the control room. The manual reset switch is separate from the main SI reset switch, which is not associated with this circuit. This switchover reset switch permits the operator to remove the actuation signal if the sump isolation valve must be closed and retained in a closed position following an accident; e.g., for maintenance purpose.
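The effect of the seal-in can be seen by running the same event sequence through the switchover logic with and without the latch. The Python model below is an added illustration, not the plant's logic or code from the UFSAR; the class and method names, the `seal_in` flag for a hypothetical unlatched circuit, reset taking priority over set, instantaneous valve strokes and the alarm staying lit once raised are all assumptions.

```python
from dataclasses import dataclass


@dataclass
class SwitchoverTrain:
    """Simplified model of one train's automatic switchover circuit."""
    seal_in: bool = True               # False models a hypothetical circuit with no latch
    si_latched: bool = False
    miniflow_closed: bool = False
    sump_isolation_open: bool = False
    alarm: bool = False

    def scan(self, si_actuation, rwst_low_low,
             miniflow_switch_auto=True, switchover_reset=False):
        """Evaluate the logic once; return True if the switchover signal is present."""
        if switchover_reset:
            self.si_latched = False    # assumption: manual reset has priority over set
        elif si_actuation:
            self.si_latched = True     # slave relay contact closes on SI
        elif not self.seal_in:
            self.si_latched = False    # unlatched variant simply follows the live signal

        # Switchover signal: RWST low-low level coincident with the latched SI signal.
        signal = self.si_latched and rwst_low_low
        if signal:
            self.alarm = True                    # action 3: notify the operator
            if miniflow_switch_auto:
                self.miniflow_closed = True      # action 1: close miniflow MOVs
            if self.miniflow_closed:
                self.sump_isolation_open = True  # action 2: needs miniflow closure
        return signal

    def rwst_isolation_open_permitted(self):
        """RWST isolation valve may be opened only if the sump isolation valve is closed."""
        return not self.sump_isolation_open


def loca_scenario(seal_in):
    """Constructed timeline: SI actuates, the SI signal is lost, then RWST reaches low-low."""
    train = SwitchoverTrain(seal_in=seal_in)
    timeline = [
        (True, False),   # SI actuation, tank still above low-low level
        (False, False),  # SI actuation signal lost during the injection phase
        (False, True),   # RWST low-low level reached
    ]
    for si_actuation, rwst_low_low in timeline:
        train.scan(si_actuation, rwst_low_low)
    return train


if __name__ == "__main__":
    for latch in (True, False):
        t = loca_scenario(latch)
        print(f"seal_in={latch}: sump open={t.sump_isolation_open}, alarm={t.alarm}")
```

With the seal-in, the sump isolation valves open even though the SI actuation signal dropped out before the tank emptied; without it, the same sequence produces no switchover at all.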
====7.6.5 Monitoring Combustible Gas in the Containment====
7.6.5.1 Description. Two independent, redundant systems for Containment hydrogen monitoring are provided. The design of these systems follows, as applicable, the requirements for safety-related protective systems and meets the requirements of IEEE 279. The analyzers are seismically and environmentally qualified, as discussed in Sections 3.10 and 3.11. The analyzers are designed to operate at Containment pressures from -2 to 60 psig.
Isolation valves are provided on both sides of the Containment for the Containment gas sample lines (Figure 7.6-7). Valve control switches are provided in the main control room.
There are four operator-selectable sampling points for each sampling and analysis system. The four points are located as follows:
: 1. Top of the Containment dome - El. 225'/AZ 180 (AZ 0)
: 2. Above a steam generator - El. 83'/SG 1D Area (SG 1C Area)
: 3. In the steam generator compartment - El. 44'/SG 1D Area (SG 1D Area)
: 4. In the steam generator compartment - El. 44'/SG 1A Area (SG 1B Area)
( ) Indicates redundant system location information
The operator may select any of the sampling points from the main control room.
Sampling lines are heat traced (outside Containment only) and free of water traps (runs where liquid could accumulate) and have a sampling conditioning system. The analyzer effluent is returned to the Containment. The sample conditioning system maintains a constant sample and reference gas flow, as required.
The output signal of each analyzer is indicated at the locally mounted analyzer and is indicated, recorded, and alarmed in the main control room. Both channels provide indication in the main control room via the Qualified Display Processing System (QDPS), and one channel is recorded as part of the Post-Accident Monitoring System (PAMS) discussed in Section 7.5.1.
The operation of the hydrogen gas analyzer is based on the measurement of thermal conductivity of the gaseous Containment atmosphere sample. The thermal conductivity of the gas mixtures changes proportionally to the changes in the concentration of the individual gas constituents of the mixture.
The thermal conductivity of hydrogen is far greater (approximately seven times the thermal conductivity of air) than any other gases or vapors expected to be present. The analyzers have a range of 0
-to10-volume-percent H 2 and a minimum accuracy of 5 percent of range. The STPEGS UFSAR 7.6-7 Revision 18 performance of the hydrogen gas analyzer is periodically verified with a known sample of reference gas.
Each system is supplied electrical power from a separate Class 1E power supply.
7.6.5.2 Analysis. The Containment Hydrogen Monitoring System satisfies the single failure criterion and remains operable after postulated accidents. Any single failure in one hydrogen monitoring system does not affect its redundant and independent counterpart.
====7.6.6 Other Systems====
7.6.6.1 Cold Water Slug Injection. Cold water slug injection interlocks are not required since South Texas Project Electric Generating Station (STPEGS) does not utilize RCS loop isolation valves.
7.6.6.2 Refueling Interlocks. Refueling interlocks are discussed in Section 9.1.4.3.
7.6.6.3 Interlocks for RCS Pressure Control During Low Temperature Operation. The overall Pressurizer Pressure Relief System (PPRS) logic is indicated on Figures 7.2-17A and 7.2-17B. This system includes the interlocks for RCS pressure control during low temperature operation as well as narrow range pressurizer pressure inputs. The PPRS provides the following:
: 1. Capability for RCS depressurization following Conditions II, III, and IV events, as well as
: 2. Capability for RCS overpressure mitigation during cold shutdown, heatup, and cooldown operations to minimize the potential for impairing reactor vessel integrity when operating at or near the vessel ductility limits.
The basic function of the RCS pressure control during low temperature operation is discussed in Section 5.2.2.11. As noted in Section 5.2.2.11, this pressure control includes automatic actuation for two pressurizer power-operated relief valves (PORVs). The function of the actuation logic is to continuously monitor RCS temperature and pressure conditions, with the actuation logic for each valve being manually armed when plant operation is at low temperatures. The monitored system temperature signals are processed to generate the reference pressure limit that is compared to monitored pressure, providing an actuation signal to cause the PORV to automatically open if necessary to prevent pressure conditions from exceeding allowable limits. See Figures 7.2-17A and 7.2-17B for the functional diagrams showing the interlocks for RCS pressure control during low temperature operation.
As shown on Figures 7.2-17A and 7.2-17B, the station variables required for this interlock are channelized as follows:
: 1. Protection Set II
: a. Wide-range RCS temperature from hot legs
: b. Wide-range RCS pressure (PT 403)
: 2. Protection Set III
: a. Wide-range RCS temperature from cold legs
: b. Wide-range RCS system pressure (PT 404)
The wide-range temperature signals, as inputs to Protection Sets II and III, continuously monitor RCS temperature conditions. In Protection Set II, the RCS hot leg wide range temperature channels send a continuous analog input to a low auctioneering device, which is located in the Protection Set II cabinet.
The lowest temperature value is selected and sent to a function generator in the same protection set which generates the allowable reference pressure signal as a function of this value. Also available from Protection Set II is the wide-range RCS pressure signal which is sent to this protection set. The reference allowable pressure from the function generator is compared to the actual RCS pressure monitored by the wide range pressure channel. The error signal derived from the difference between the reference pressure and the actual measured pressure first annunciates a main control board alarm whenever the actual measured pressure approaches, within a predetermined amount, the reference pressure. On a further increase in actual pressure, the error signal generates an annunciated actuation signal to open PORV "A", if the corresponding actuation logic is armed. The actuation signal is manually disarmed (blocked) at temperatures above the arming point. This prevents unnecessary system actuation when at normal RCS operating conditions.
The monitored generating station variables that generate the actuation signal for the "B" PORV are processed in a similar manner. In the case of PORV "B", the reference allowable pressure signal is generated in the Protection Set III cabinet from the lowest auctioneered wide range cold leg temperature in Protection Set III. The actual measured pressure signal is also from Protection Set III. Therefore, the generating station variables and actuation signal for PORV "B" are derived from a protection set that is independent of the set from which generating station variables used for PORV "A" are derived. Upon receipt of the actuation signal, the PORV opens. Upon sufficient RCS inventory letdown, the operating RCS pressure decreases, clearing the actuation signal and closing the PORV.
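The actuation path described above (low auctioneer, function generator, comparison with measured pressure, ARM/BLOCK) can be modeled as follows, including a single failure of one train's pressure input. This is an added illustration, not part of the UFSAR or of any plant software; the reference-pressure curve, alarm margin, arming point, temperatures and transient rates are constructed values, and all function names are hypothetical.

```python
from bisect import bisect_right
from dataclasses import dataclass

# All numbers below are constructed for illustration; none are plant setpoints.
REFERENCE_CURVE = [(70.0, 450.0), (150.0, 500.0), (250.0, 650.0), (350.0, 1100.0)]
ALARM_MARGIN_PSI = 50.0    # the "predetermined amount" for the approach alarm
ARMING_POINT_F = 350.0     # below this the operator is alerted to arm the logic


def reference_pressure(lowest_temp_f):
    """Function generator: allowable pressure (psig) for the auctioneered temperature."""
    temps = [t for t, _ in REFERENCE_CURVE]
    if lowest_temp_f <= temps[0]:
        return REFERENCE_CURVE[0][1]
    if lowest_temp_f >= temps[-1]:
        return REFERENCE_CURVE[-1][1]
    i = bisect_right(temps, lowest_temp_f)
    (t0, p0), (t1, p1) = REFERENCE_CURVE[i - 1], REFERENCE_CURVE[i]
    return p0 + (p1 - p0) * (lowest_temp_f - t0) / (t1 - t0)


@dataclass(frozen=True)
class TrainStatus:
    reference_psig: float
    arm_alarm: bool        # low auctioneered temperature is low: arm the logic
    approach_alarm: bool   # measured pressure within the margin of the reference
    porv_open: bool        # pressure at or above the reference and logic armed


def evaluate_train(wide_range_temps_f, pressure_psig, armed):
    """One train: low auctioneer -> function generator -> comparator -> ARM/BLOCK."""
    lowest = min(wide_range_temps_f)          # low auctioneering device
    reference = reference_pressure(lowest)
    error = reference - pressure_psig         # error signal
    return TrainStatus(
        reference_psig=reference,
        arm_alarm=lowest < ARMING_POINT_F,
        approach_alarm=error <= ALARM_MARGIN_PSI,
        porv_open=armed and error <= 0.0,
    )


def evaluate_system(hot_leg_f, cold_leg_f, pt403_psig, pt404_psig, armed_a, armed_b):
    """PORV A uses Protection Set II inputs, PORV B uses Protection Set III inputs."""
    train_a = evaluate_train(hot_leg_f, pt403_psig, armed_a)
    train_b = evaluate_train(cold_leg_f, pt404_psig, armed_b)
    return train_a, train_b


def simulate_transient(start_psig, steps, pt403_failed_low=False):
    """Constructed transient: +15 psi per step, -40 psi per step for each open PORV."""
    hot_leg_f = [205.0, 200.0, 210.0, 208.0]
    cold_leg_f = [200.0, 202.0, 201.0, 204.0]
    pressure, history = start_psig, []
    for _ in range(steps):
        # Single failure in Train A: its pressure transmitter reads zero.
        pt403 = 0.0 if pt403_failed_low else pressure
        a, b = evaluate_system(hot_leg_f, cold_leg_f, pt403, pressure, True, True)
        history.append((pressure, a.porv_open, b.porv_open))
        pressure += 15.0 - 40.0 * (a.porv_open + b.porv_open)
    return history


if __name__ == "__main__":
    for label, failed in (("both trains healthy", False), ("PT 403 failed low", True)):
        hist = simulate_transient(530.0, 40, pt403_failed_low=failed)
        peak = max(p for p, _, _ in hist)
        print(f"{label}: peak {peak:.0f} psig, "
              f"PORV A opened={any(a for _, a, _ in hist)}, "
              f"PORV B opened={any(b for _, _, b in hist)}")
```

With the Train A pressure input failed low, PORV "A" never receives an actuation signal, and PORV "B" alone holds the constructed transient to the same peak.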
Analysis of Interlock
The interlocks for RCS pressure control during low temperature operation meet the applicable design requirements (NRC Branch Technical Position RSB 5-2, IEEE 279-1971, and 338-1971). They perform a protective function and provide automatic pressure control at low temperatures as a backup to the operator. The IEEE 279 design requirements are met by including the pressure and temperature signal elements as noted above in the protection sets and by organizing the control of the two PORVs into two separate trains. Either of the two PORVs can accomplish the RCS pressure control function.
The design of the low temperature interlocks for RCS pressure control is such that pertinent features include the following:
: 1. No credible single failure will prevent the protective function from being performed, since two PORVs and two actuation logics are provided.
: 2. Testing capability for elements of the interlocks within the protection system is consistent with the testing principles and methods discussed in Section 7.2.2.2.3.10. Each of the PORVs is testable on line.
: 3. Annunciation is provided to alarm (1) that plant conditions during cooldown are correct for system arming (low auctioneered temperature is low); (2) that a pressure transient has occurred (actual RCS pressure is higher than the allowable reference pressure); (3) that either PORV "A" or PORV "B" has received an actuation signal; and (4) that either PORV block valve is not fully open.
: 4. A loss of offsite power (LOOP) will not defeat the provisions for an electrical power source for the interlocks because these provisions are through onsite power which is described in Sections 7.6.1 and 8.3.
The pressurizer PORV control design meets the applicable requirements of IEEE 279-1971, with the following clarifications:
: 1. For the purpose of applying IEEE 279-1971 to this circuit, the following definitions are used:
: a. Modified Cold Shutdown Design
The PORV in each of the redundant lines and all components of the interlocks for RCS pressure control during low temperature operation. The equipment for one redundant line is defined as the Train A (Channel II) system; the equipment for the other line is defined as the Train B (Channel III) system.
: b. Protective Action
The automatic control of RCS pressure during low temperature operation to prevent the actual pressure from exceeding the calculated reference pressure limit. This protective action can be satisfied by either train of the redundant system, the Train A (Channel II) system or the Train B (Channel III) system.
: 2. IEEE 279-1971, Paragraph 4.2
Any single random failure within the Train A (Channel II) system or the Train B (Channel III) system will not prevent protective action at the system level when required.
: 3. IEEE 279-1971, Paragraph 4.10
The above mentioned pressure interlock signals and logic are tested on-line at power while the control room manually operated ARM/BLOCK switches are in the block position. This online testing is done to the maximum extent practicable without adversely affecting safety. This test includes the analog signal through to the associated output bistables in the process equipment. There is no practicable design which permits an integrated on-line test through to the final openings of the PORVs. Furthermore, the valves themselves are testable routinely when the reactor is shut down and the probability is low that the equipment would fail to actuate on demand between tests.
: 4. IEEE Standard 279-1971, Paragraph 4.12
The protection action is manually blocked by the operator, using the ARM/BLOCK switch, by placing it in the BLOCK position when the plant is at temperatures greater than the range of concern for RCS low temperature operation. The operator is alerted that the system should be alarmed by the annunciators described above.
7.6.6.4 RHR Pump Low Flow Interlock. The RHR pump low flow interlock stops a running RHR pump when the discharge flow is below a preset value. The RHR pump, so that it does not operate under low flow conditions; e.g., after RHR inlet isolation valve closure. The interlock does not perform a primary protective function.
To improve operability and reliability, the RHR pump low flow interlock signal for each pump is channelized in independent redundant protection sets. RHR pump A is powered from a Train A Class 1E power source and receives its interlock signal from the Protection Set I flow transmitter for its discharge line, via actuation Train A of the SSPS. Similarly, RHR pump B is Train-B-powered and receives its signal from Protection Set III via actuation Train B, and pump C is Train-C-powered and receives its signal from Protection Set IV via actuation Train C.
A single failure of the RHR pump Low Flow Interlock will only affect one train as discussed in Section 7.6.2.5 of Reference 7.6-1.
The logic diagram for the interlock is shown on Figure 7.6-11. The interlock causes the RHR pump to stop when flow in the discharge line is below the low flow setpoint (after a prescribed time delay to allow for pump startup) when the MCB switch for the pump is in the NORMAL position. The switch is a three-position switch (STOP/NORMAL/START), as shown, and is spring-returned to NORMAL from the STOP and START positions.
7.6.6.5 Volume Control Tank Low-Low Level Interlock. The volume control tank (VCT) low-low level interlock uses the two VCT level transmitters to sense low-low level and controls the two VCT outlet isolation valves and the two suction valves from the RWST to the charging pumps.
These valves are shown on Figure 9.3.4-3 as XCV0113A, XCV0112B, XCV0112C, and XCV0113B. This control system ensures that the charging pumps always have a source of fluid during normal plant operation and protects them against loss of net positive suction head (NPSH) and consequent cavitation damage. Upon reaching the low-low level setpoint in the VCT, the RWST suction valve is opened and the VCT outlet isolation valve is closed, transferring suction from the VCT to the RWST. (This same action is performed upon receipt of the SI signal.)
The VCT low-low interlock signal for each pair of valves is channelized into independent and redundant protection sets, to improve reliability. Valves XCV0112B and XCV0112C are powered from Train C Class 1E sources and receive the low-low level signal from LT-112 in Protection Set IV via actuation Train C. Valves XCV0113A and XCV0113B are powered from Train B Class 1E sources and receive their signal from LT-113 in Protection Set III via actuation Train B.
The logic diagrams for the VCT outlet isolation valves and RWST suction valves to the charging pumps are shown on Figures 7.6-12 and 7.6-13 respectively. When the MCB switch is in the AUTO position, each RWST suction valve is opened upon receipt of the low-low level signal (or the SI signal). Each VCT outlet isolation valve is closed upon receipt of the signals; the interlock also prevents each VCT outlet isolation valve from closing unless its corresponding RWST suction valve to the charging pumps is open.
7.6.6.6 Section Deleted.
7.6.6.7 Chemical and Volume Control System (CVCS) Seal Injection Isolation Valves Charging Header Pressure Interlock. The charging header pressure interlock closes the CVCS seal water injection Containment isolation valves when the Containment isolation Phase A signal and the low charging pump discharge header pressure signal are received. This interlock allows seal injection to the reactor coolant pumps to continue so long as a charging pump is operating, determined by the pump discharge header pressure being above a preset value.
The seal water injection Containment isolation valves (CV0033A, B, C, and D) are shown on Figure 9.3.4-1; the charging pump discharge header pressure transmitter (PT-204) is shown on Figure 9.3.4-3. The transmitter inputs to Protection Set III; closure signals are then sent to the isolation valves via actuation Train B. The valves are powered from Train B Class 1E power sources.
The logic diagram for the interlock is shown on Figure 7.6-15. The interlock closes the normally open seal water injection Containment isolation valves when the MCB switch is in the AUTO position and the signal from actuation Train B is received indicating that low pump discharge header pressure has occurred coincident with the Containment isolation Phase A signal.
7.6.6.8 Letdown Valves Pressurizer Low Level Interlock. The pressurizer low level interlock closes the letdown stop valves and the letdown orifice header isolation valve when the pressurizer water level is below a preset value. The purpose of this interlock is to maintain RCS inventory by isolating letdown.
To improve operability and reliability, the pressurizer low level interlock signal is channelized into independent redundant protection sets. The functional diagram for this interlock is shown on Figures 7.2-12a and 7.2-12b. The letdown stop valves (LCV-465 and LCV-468) and letdown orifice header isolation valve (FV-0011) are shown on Figure 9.3.4-1. Letdown stop valve LCV-465 is powered from a Train A Class 1E power source and receives its interlock signal from the Protection Set I level transmitter (LT-465) via actuation Train A. Similarly, letdown stop valve LCV-468 is powered from a Train C power source and receives its interlock signal from the Protection Set IV level transmitter (LT-468) via actuation Train C. Low level signals from the two transmitters are also combined in the SSPS so that if either one senses a low level, a closure signal is sent to the letdown orifice header isolation valve through actuation Train C.
The logic diagrams for the valves are shown on Figure 7.6-16 for the letdown stop valves and Figure 7.6-19 for the letdown orifice header isolation valve. The interlock causes each letdown stop valve to close when its MCB switch is in the AUTO position and the pressurizer water level is below the preset value. For the letdown orifice header isolation valve, the pressurizer low level interlock closes the valve and prevents the operator from reopening it from the main control room until the pressurizer water level is above the setpoint. The closure signals to each letdown stop valve are delayed so that the downstream valve can close before the stop valves, to prevent flashing in the regenerative heat exchanger.
7.6.6.9 Reactor Coolant Purity Control Interlock. The reactor coolant purity control interlock utilizes low-low level signals from the boric acid tanks to close the concentrated boric acid polishing isolation valves. The purpose of this interlock is to isolate the nonsafety grade Reactor Coolant Purity Control System (RCPCS) from the boric acid storage subsystem of the CVCS. The interlock ensures that any postulated failures in the nonseismic, nonsafety RCPCS do not allow loss of boric acid required for shutdown.
To ensure that the valves are closed upon low-low level in either tank A or B, two level transmitters are provided for each tank, using independent redundant protection sets. Isolation valve FV-84000A is powered from Train A Class 1E DC power (Channel I); it receives its interlock signal from LT-102 (Tank A, in Protection Set I) and LT-106 (Tank B, in Protection Set IV) through actuation Train A. Isolation valve FV-8400B is powered from Train B Class 1E DC power (Channel III); it receives its interlock signal from LT-103 (Tank A, in Protection Set IV) and LT-105 (Tank B, in Protection Set III) through actuation Train B. The tanks, level transmitters and isolation valves are shown on Figure 9.3.4-5.
The logic diagram for the interlock is shown on Figure 7.6-18. When the MCB switch is in the AUTO position, the interlock causes the valve's solenoid to deenergize and the valve to fail closed when the water level in either boric acid tank is below the low-low level setpoint.
====7.6.7 Hot and Cold Leg Recirculation Motor-Operated Valves====
The SIS hot and cold leg recirculation isolation valves are motor-operated, normally closed/open valves that are controlled from the MCB. The control circuit for the hot leg recirculation valves is shown on Figure 7.6-10. The MCB switches for these valves are three-position switches which provide a "spring return to normal" from the OPEN and CLOSE positions. Manual opening of the valve from the MCB is required when performing periodic check valve leakage tests. Administrative control is required to ensure that all hot leg recirculation isolation valves are returned to their normal closed positions. Verification that each valve has been returned to the closed position is required. Additionally, power to all hot leg recirculation and low head safety injection pump cold leg recirculation valve operators is locked out except during test procedures from a control switch located at the main control board.
These valves and their control are also discussed in Sections 6.3.2.2 and 6.3.5.5.2.
====7.6.8 Fire Protection====
Fire protection is discussed in the Fire Hazards Analysis Report, submitted under separate cover to the NRC.
REFERENCES
Section 7.6
: 7.6-1 NUREG-0781, Safety Evaluation Report Related to the Operation of South Texas Project Units 1 and 2
==7.7 CONTROL SYSTEMS NOT REQUIRED FOR SAFETY==
The general design objectives of the plant control systems are:
: 1. To establish and maintain power equilibrium between the primary and secondary systems during steady-state unit operation.
: 2. To constrain operational transients so as to preclude unit trip and reestablish steady-state unit operation.
: 3. To provide the reactor operator with monitoring instrumentation that indicates all required input and output control parameters of the systems and provides the operator with the capability of assuming manual control of the system.
====7.7.1 Description====
The plant control systems described in this section perform the following functions:
: 1. Reactor Control System
The Reactor Control System enables the nuclear plant to accept a step load increase or decrease of 10 percent and a ramp increase or decrease of 5 percent per minute within the load range of 15 percent to 100 percent without reactor trip, steam dump, or pressurizer relief valve actuation, subject to possible xenon limitations. This system also maintains reactor coolant average temperature ($T_{avg}$) within prescribed limits by creating the bank demand signals for moving groups of rod cluster control assemblies (RCCAs) during normal operation and operational transients. The $T_{avg}$ control also supplies a signal to pressurizer water level control and steam dump control.
: 2. Rod Control System
The Rod Control System provides for reactor power modulation by manual or automatic control of control rod banks in a preselected sequence and for manual operation of individual banks.
: 3. Monitoring and Indicating Systems
These systems: (1) provide alarms to alert the operator if the required core reactivity shutdown margin is not available due to excessive control rod insertion; (2) display control rod position; and (3) provide alarms to alert the operator in the event of control rod deviation exceeding a preset limit.
: 4. Plant Control System Interlocks
The plant control system interlocks prevent further withdrawal of the control banks when signal limits predict the approach of a departure from nucleate boiling ratio (DNBR) limit or kW/ft limit, and inhibit automatic turbine load change as required by the Nuclear Steam Supply System (NSSS).
: 5. Pressurizer Pressure Control System
This control system maintains or restores the pressurizer pressure to the design pressure +35 psi (which is well within reactor trip and relief and safety valve actuation setpoint limits), following normal operational transients that induce pressure changes by control (manual or automatic) of heaters and spray in the pressurizer. It also provides steam relief by controlling the power-operated relief valves (PORVs).
: 6. Pressurizer Water Level Control System
The Pressurizer Water Level Control System establishes, maintains, and restores pressurizer water level within specified limits as a function of the average coolant temperature. Changes in level are caused by coolant density changes induced by loading, operational, and unloading transients. Level changes are produced by means of charging flow control (manual or automatic) as well as by manual selection of letdown orifices. Maintaining coolant level in the pressurizer within prescribed limits by actuating the charging and letdown system thus provides control of the reactor coolant water inventory.
: 7. Steam Generator Water Level Control System
The Steam Generator (SG) Water Level Control System establishes and maintains the SG water level within prescribed limits during normal operating transients.
The SG Water Level Control System is capable of restoring the SG water level to within a predetermined band at unit trip conditions, providing feedwater isolation has not occurred (see Section 7.3 for signal derivation) and the feedpump turbines are supplied with steam. The SGs can maintain a minimum heat sink capability for the Reactor Coolant System (RCS) with either manual or automatic control of the feedwater bypass control valves.
: 8. Steam Dump Control System
The Steam Dump Control System controls the Turbine Bypass System and permits the nuclear plant to accept a sudden loss of load without incurring reactor trip. Steam is dumped to the condenser as necessary to accommodate excess power generation in the reactor during turbine load reduction transients.
The Steam Dump Control System also ensures that stored energy and residual heat are removed following a reactor trip to bring the plant to equilibrium no-load conditions without actuation of the SG safety valves, maintains the plant at no-load conditions, and permits a manually controlled cooldown of the plant.
: 9. Incore Instrumentation
This instrumentation provides information on the neutron flux distribution and on the core outlet temperatures at selected core locations.
7.7.1.1 Reactor Control System. The Reactor Control System enables the nuclear plant to follow load changes automatically, including the acceptance of step load increases or decreases of 10 percent and ramp increases or decreases of 5 percent per minute within the load range of 15 percent to 100 percent without reactor trip, steam dump, or pressure relief (subject to possible xenon limitations). The system is also capable of restoring coolant average temperature to within the programmed temperature deadband following a change in load. Manual control rod operation may be performed at any time within the range of defined insertion limits.
The Reactor Control System controls the reactor coolant average temperature by regulation of control rod bank position. The reactor coolant loop average temperatures are determined from hot leg and cold leg measurements in each reactor coolant loop. There is an average coolant temperature computed for each loop, where:
$$T_{avg} = \frac{T_{hot} + T_{cold}}{2}$$
The error between the programmed reference temperature (based on turbine impulse chamber pressure) and the highest of the $T_{avg}$ measured temperatures (which is processed through a lead-lag compensation unit) from each of the reactor coolant loops constitutes the primary control signal, as shown in general on Figure 7.7-1 and in more detail on the functional diagram shown on Figure 7.2-10. The system is capable of restoring coolant average temperature to the programmed value following a change in load. The programmed coolant temperature increases linearly with turbine load from zero power to the full-power condition. The $T_{avg}$ also supplies a signal to pressurizer level control and steam dump control and rod insertion limit monitoring.
The temperature channels needed to derive the temperature input signals for the Reactor Control System are fed from protection channels via isolation amplifiers.
An additional control input signal is derived from the reactor power versus turbine load mismatch signal. This additional control input signal improves system performance by enhancing response and reducing transient peaks.
The core axial power distribution is controlled during load follow maneuvers by changing (a manual operator action) the boron concentration in the reactor coolant system. Th(Section 7.7.1.3.1) indicate any need for an adjustment in the axial power distribution. Adding boron to the reactor coolant reduces $T_{avg}$ and causes the rods (through the rod control system) to move toward the top of the core. This action reduces power peaks in the bottom of the core. Likewise, removing boron from the reactor coolant moves the rods further into the core to control power peaks in the top of the core.
7.7.1.2 Rod Control System. The Rod Control System receives rod speed and direction signals from the RCS. The rod speed demand signal varies over the range of 3.75 to 45 in./min (corresponding to 6 to 72 steps/min), depending on the magnitude of the input signal. Manual control is provided to move a control bank in or out at a prescribed fixed speed.
When the turbine load reaches approximately 15 percent of rated load, the operator may select the AUTOMATIC mode, and rod motion is then controlled by the Reactor Control System. A permissive interlock, C-5 (Table 7.7-1), derived from measurements of turbine impulse chamber pressure prevents automatic withdrawal when the turbine load is below 15 percent. In the AUTOMATIC mode, the rods are withdrawn (or inserted) in a predetermined programmed sequence by the automatic programming with the control interlocks (Table 7.7-1). The shutdown banks are always in the fully withdrawn position during normal operation, and are moved to this position at a constant speed by manual control prior to criticality. A reactor trip signal causes them to fall by gravity into the core. There are five shutdown banks.
The control banks are the only rods that can be manipulated under automatic control. Each control bank is divided into two groups to obtain smaller incremental reactivity changes per step. All RCCAs within a group are electrically paralleled to move simultaneously. There is individual position indication for each RCCA.
Power is supplied to rod drive mechanisms by two motor-generator sets operating from two separate 480 V, three-phase busses. Each generator is the synchronous type and is driven by a 200-hp induction motor. The AC power is distributed to the rod control power cabinets at 260 vac through the two series-connected reactor trip breakers.
The variable speed rod drive programmer affords the ability to insert small amounts of reactivity at low speed to accomplish fine control of reactor coolant average temperature about a small temperature deadband, as well as furnishing control at high speed. A summary of the RCCA sequencing characteristics is given below:
: 1. Two groups within the same bank are stepped so that the relative position of the groups does not differ by more than one step.
: 2. The control banks are programmed so that withdrawal of the banks is sequenced in the following order: control bank A, control bank B, control bank C, and control bank D. The programmed insertion sequence is the opposite of the withdrawal sequence, i.e., the last control bank withdrawn (bank D) is the first control bank inserted.
: 3. The control bank withdrawals are programmed so that when the first bank reaches a preset position, the second bank begins to move out simultaneously with the first bank, which continues to move toward its fully withdrawn position. When the second bank reaches a preset position, the third bank begins to move out, and so on. This withdrawal sequence continues until the unit reaches the desired power level. The control bank insertion sequence is the opposite. A maximum of two control banks are withdrawn or inserted at any time.
: 4. Overlap between successive control banks is adjustable between 0 to 50 percent (0 to 128 steps), with an accuracy of +1 step.
: 5. Rod speeds for either the shutdown banks or manual operation of the control banks are capable of being manually adjusted between a minimum of 6 steps per minute and a maximum of less than or equal to 72 steps per minute (with an accuracy of +0 to -10 steps per minute).
7.7.1.2.1 Rod Control System Features: Credible rod control equipment malfunctions which could potentially cause inadvertent positive reactivity insertions due to inadvertent rod withdrawal, incorrect overlap, or malpositioning of the rods are:
: 1. Failures in the manual rod controls:
: a. Rod motion control switch (IN-HOLD-OUT)
: b. Bank selector switch
: 2. Failures in the overlap and bank sequence program control:
: a. Logic cabinet systems
: b. Power supply systems
7.7.1.2.1.1 Failures in the Manual Rod Controls - The rod motion control switch is a three-position lever switch. The three positions are: IN, HOLD, and OUT. These positions are effective when the bank selector switch is in manual. Failure of the rod motion control switch (contacts failing shorted or activated relay failures) would have the potential, in the worst case, to produce positive reactivity insertion by rod withdrawal when the bank selector switch is in the manual position or in a position which selects one of the banks.
When the bank selector switch is in the automatic position, the rods would obey the automatic commands and any failures in the rod motion control switch would have no effect on the rod motion regardless of whether the rod motion control switch is in the IN, HOLD, or OUT position.
In the case where the bank selector switch is selecting a bank and a failure occurs in the rod motion  switch that would command the bank to move out even when the rod motion control switch was in an IN or HOLD position, the selected bank could inadvertently withdraw. This failure is bounded in the safety analysis  (Chapter 15) by the uncontrolled bank withdrawal from a subcritical condition and at power transients. A reactivity insertion of up to 75 pcm/sec is assumed in the analysis due to rod movement. This value of reactivity insertion rate is consistent with the withdrawal of two banks.
A failure that can cause more than one group of four mechanisms to be moved at one time within a power cabinet is not a credible event, because the circuit arrangement for the movable and lift coils would cause the current available to the mechanisms to divide equally between coils in the two groups (in a power supply). The drive mechanism is designed such that it will not operate on half-current. A second feature preventing movement of more than one group at a time is the multiplexing failure detection circuit included in each power cabinet. This failure detection circuit would stop rod withdrawal (or insertion).
The second case considered in the potential for inadvertent reactivity insertion due to possible failures is when the bank selector switch is in the manual position. Should there be a failure in the rod motion control switch, a scenario where the rods inadvertently withdraw in a programmed sequence could occur. The overlap and bank sequence are programmed when the switch selection is in either automatic or manual. This scenario is also bounded by the reactivity values assumed in the accident analysis (Chapter 15). In this case, the operator can trip the reactor, or the protection system would trip the reactor via power range neutron flux
-
7.7.1.2.1.2 Failure of the Bank Selector Switch - A failure of the bank selector switch produces no consequences when the IN-HOLD-OUT switch is in the hold position. This is due to the following design features:
The bank selector switch is series-wired with the IN-HOLD-OUT lever switch for manual and individual control rod bank operation. With the IN-HOLD-OUT lever switch in the HOLD position, the bank selector switch can be positioned without rod movement.
7.7.1.2.1.3 Failures in the Overlap and Bank Sequence Program Control - The Rod Control System design prevents the movements of the groups out of sequence, as well as limiting the rate of reactivity insertion. The main feature that performs the function of preventing malpositioning produced by groups out of sequence is included in the block supervisory memory buffer and control.
This circuitry accepts and stores the externally generated command signals. In the event of an out-of-sequence input command to the rods while they are in movement, this circuit would inhibit the buffer memory from accepting the command. If a change signal command appears, this circuit would stop the system after allowing the slave cyclers to finish their current sequencing. Failure of the components related to this system would also produce insertion limit and rod deviation alarms (Sections 7.7.1.3.3 and 7.7.1.3.4, respectively). Failures within the system such as failures of supervisory logic cards, pulser cards, etc., would also cause an urgent alarm.
: 1. An urgent alarm will be followed by the following actions:
: a. Automatic deenergizing of the lift coil and reduced current energizing of the stationary gripper coils and movable gripper coils, stopping rod motion.
: b. Activation of the alarm light, urgent failure, on the affected cabinet front panel, and
: c. Activation of ROD CONTROL URGENT FAILURE annunciator window in the main control room.
: 2. The urgent alarm is produced in general by:
: a. Regulation failure detector
: b. Phase failure detector
: c. Logic error detector
: d. Multiplexing error detector
: e. Interlock failure detector
7.7.1.2.1.4 Logic Cabinet Failures - The Rod Control System is designed to limit the rod speed control signal output to a value that will cause the pulser (logic cabinet) to drive the control rod driving mechanism (CRDM) at up to 72 steps/minute. If a failure should occur in the pulser or the RCS, the highest stepping rate possible is 77 steps/minute, which corresponds to one step every 780 msec. A commanded stepping rate higher than 77 steps/minute would result in go pulses entering a slave cycler while it is sequencing its mechanisms through a 780 msec step. This condition stops the control bank motion automatically and alarms are activated locally and in the main control room. It also causes the affected slave cycler to reject further go pulses until it is reset.
Failures that cause the 780 msec step sequence time to shorten would not result in higher rod speeds since the stepping rate is proportional to the pulsing rate. Simultaneous failures in the pulser or Rod Control System and in the clock circuits that determine the 780 msec stepping sequence could result in higher CRDM speed; however, in the unlikely event of these simultaneous multiple failures, the maximum CRDM operation speed would be no more than approximately 77 steps/minute due to physical limitation. This speed has been verified by tests conducted on the CRDMs.
Surveillance testing of the Rod Control System is performed at periodic intervals to detect failures that could lead to an increase in the rod speed.
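The go-pulse overrun behavior described in 7.7.1.2.1.4, as an added example that is not taken from the UFSAR or from the plant's logic cabinet design. The class, method and state names are hypothetical, and the timing model is simplified to a single slave cycler whose step sequence takes the 780 msec stated in the text.

```python
"""Go-pulse overrun detection for one slave cycler (illustrative model)."""
from dataclasses import dataclass

STEP_SEQUENCE_MS = 780.0  # from the text: one step sequence takes 780 msec


def max_sustainable_rate(step_ms: float = STEP_SEQUENCE_MS) -> float:
    """Highest pulse rate (steps/minute) that never overlaps a running step."""
    return 60_000.0 / step_ms  # about 76.9, which the text rounds to 77


@dataclass
class SlaveCycler:
    """Hypothetical model of a slave cycler that latches a fault on overrun."""
    step_ms: float = STEP_SEQUENCE_MS
    busy_until_ms: float = float("-inf")
    urgent_failure: bool = False   # latched until reset()
    steps_taken: int = 0

    def go(self, t_ms: float) -> str:
        """Process one go pulse arriving at time t_ms."""
        if self.urgent_failure:
            # Text: the cycler rejects further go pulses until it is reset.
            return "rejected"
        if t_ms < self.busy_until_ms:
            # A pulse arrived while the previous step was still sequencing:
            # stop bank motion and raise the alarm (modelled as a latch).
            self.urgent_failure = True
            return "overrun"
        self.busy_until_ms = t_ms + self.step_ms
        self.steps_taken += 1
        return "accepted"

    def reset(self) -> None:
        """Operator reset clears the latch and the step timer."""
        self.urgent_failure = False
        self.busy_until_ms = float("-inf")


def drive(cycler: SlaveCycler, rate_steps_per_min: float, n_pulses: int,
          start_ms: float = 0.0) -> list:
    """Feed n_pulses evenly spaced go pulses at the commanded rate."""
    period_ms = 60_000.0 / rate_steps_per_min
    return [cycler.go(start_ms + i * period_ms) for i in range(n_pulses)]


if __name__ == "__main__":
    # Constructed pulse trains: the design maximum and a faulted pulser.
    for rate in (72, 80):
        sc = SlaveCycler()
        print(rate, drive(sc, rate, 5), "urgent failure:", sc.urgent_failure)
```

At the 72 steps/minute design limit the pulse period (about 833 msec) exceeds the step time, so every pulse is accepted; at 80 steps/minute the second pulse lands inside the running step and the latch holds until reset.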
7.7.1.2.1.5 Failures Causing Movement of the Rods Out of Sequence - No single failure was discovered (Ref. 7.7-2) that would cause a rapid uncontrolled withdrawal of control bank D (taken as worst case) when operating in the automatic bank overlap control mode with the reactor at near full power output. The analysis revealed that many of the failures postulated were in a safe direction and that rod movement is blocked by the rod control urgent alarm.
7.7.1.2.1.6 Power Supply System Failures - Analysis of the power cabinet disclosed no single component failures that would cause the uncontrolled withdrawal of a group of rods serviced by the power cabinet. The analysis substantiates that the design of a power cabinet is fail-preferred in regard to a rod withdrawal accident if a component fails. The result of the failure is either that of blocking rod movement or that of dropping an individual rod, or rods, or a group of rods. No failure with the power cabinet which could cause erroneous drive mechanism operation will remain undetected. Sufficient alarm monitoring (including an urgent alarm) is provided in the design of the power cabinet for fault detection of those failures which could cause erroneous operation of a group of mechanisms. As noted in the foregoing, diverse monitoring systems are available for detection of failures that cause the erroneous operation of an individual CRDM.
7.7.1.2.1.7 Conclusion - In summary, no single failure within the Rod Control System can cause either reactivity insertions or malpositioning of the control rods that would result in core thermal conditions not bounded by the analyses contained in Chapter 15.
7.7.1.3 Plant Control Signals for Monitoring and Indicating.
7.7.1.3.1 Monitoring Functions Provided by the Nuclear Instrumentation System:  The power range channels are important because of their use in monitoring power distribution in the core within specified limits. They are used to measure power level, axial flux imbalance, and radial flux imbalance. These channels are capable of recording overpower excursions up to 200 percent of full power. Suitable alarms are derived from these signals as described below.
Basic power-range signals are:
: 1. Total currents from a power range detector (four such signals from separate detectors); these detectors are vertical and have a total active length of 10 ft.
: 2. Current from the upper half of each power range detector (four signals).
: 3. Current from the lower half of each power range detector (four signals).
Derived from these basic signals are the following (including standard signal processing for calibration):
: 1. Indicated nuclear power (four signals).
: 2. - half flux minus lower-half flux (four signals).
Alarm functions derived are:
: 1. Deviation (maximum minus minimum of four) in indicated nuclear power.
: 2. Upper radial tilt (maximum to average of four) on upper-half currents.
: 3. Lower radial tilt (maximum to average of four) on lower-half currents.
: 4. (Upper and lower radial tilt alarms have an adjustable time delay to prevent actuation from short duration transient behavior)
Provision is made to continuously record, on strip charts on the control room recorder panel, the eight ion chamber signals; i.e., upper and lower currents for each detector. Nuclear power and axial imbalance are selectable for recording as well. Indicators are provided on the control board for nuclear power and for axial flux imbalance.
which determines the one
- output: above a preset (90 percent) power level, an alarm message is output immediately upon determining a delta flux exceeding the preset band presented in the COLR; below this preset power (usually one hour) amount of time in the past 24 hours. For periods during which the alarm on flux difference is inoperable, applicable Technical Specifications are followed. Additional background information on the Nuclear Instrumentation System (NIS) can be found in Reference 7.7-1.
7.7.1.3.2 Rod Position Monitoring:
Two separate systems are provided to sense and display control rod position, as described below:
: 1. Digital Rod Position Indication System
The Digital Rod Position Indication System (DRPIS) measures the actual position of each control and shutdown rod using a detector which consists of discrete coils mounted concentrically with the rod drive pressure housing. The coils are located axially along the pressure housing and magnetically sense the entry and presence of the rod drive shaft through its centerline. For each detector, the coils are interlaced into two data channels, and are connected to the data cabinet electronics (Data A and B) by separate multi-conductor cables. By employing two separate channels of information, the DRPIS can continue to function (at reduced accuracy) when one channel fails. Multiplexing is then used to transmit the digital position signals from the data cabinet electronics to the control board display unit. The DRPI Data Cabinets (Data "A" and "B") contain electronics which during plant shutdown can automatically deenergize the Data Cabinets, capture, process, and store single, or multiple rod drop times, and then reenergize the Data Cabinets. The digital position indication signals from the Data Cabinet electronics to the control board display unit are momentarily interrupted during the rod drop test.
The control board display unit contains a column of light-emitting diodes (LEDs) for each rod. At any given time, the one LED illuminated in each column shows the position for that particular rod. Since shutdown rods are always fully withdrawn with the plant at power, their position is displayed +4 steps only from rod bottom to 18 steps and from 234 steps to 259 steps. All intermediate positions of the rod are represented by a single "transition" LED. Each rod of the control banks has its position displayed to +4 steps throughout its range of travel.
Included in the system is a "rod at bottom" signal for each rod that operates a local alarm. Also, a control room annunciator is actuated when any shutdown rod or control rod reaches the bottom.
: 2. Demand Position System
The Demand Position System counts pulses generated in the Rod Control System to provide a digital readout of the demanded bank position.
The Demand Position System and the DRPIS are separate systems. However, safety criteria were not involved in the separation; rather, this was a design requirement resulting from operational needs. Operating procedures require the operator to compare the demand and indicated (actual) readings from the DRPIS to verify operation of the Rod Control System.
7.7.1.3.3 Control Bank Rod Insertion Monitoring:  When the reactor is critical, the normal indication of incore reactivity status is the position of the control bank in relation to reactor used to calculate insertion limits for the control banks. Two alarms are provided to indicate low and low-low rod position, as follows:
: 1. The low alarm alerts the operator of an approach to the rod insertion limits requiring boron addition by following normal procedures with the Chemical and Volume Control System (CVCS).
: 2. The low-low alarm alerts the operator to take immediate action to add boron to the RCS by any one of several alternate methods.
The purpose of the control bank rod insertion monitor is to give warning to the operator of excessive rod insertion. The insertion limit maintains sufficient core reactivity shutdown margin following reactor trip, provides a limit on the maximum inserted rod worth in the unlikely event of a hypothetical rod ejection, and limits rod insertion so that acceptable nuclear peaking factors are maintained. Since the amount of shutdown reactivity required for the design shutdown margin following a reactor trip increases with increasing power, the allowable rod insertion limits must be decreased (the rods must be withdrawn further) with increasing power. Two parameters which are
leg and the cold leg, which is a direct function of reactor power, and Tavg, which is programmed as a function of power. The rod insertion monitor uses parameters for each control rod bank as follows:
$Z_{LL} = A(\Delta T)_{auct} + B(T_{avg})_{auct} + C$
where:
$Z_{LL}$ = Maximum permissible insertion limit for affected control bank
$(\Delta T)_{auct}$ = Highest $\Delta T$ of all loops
$(T_{avg})_{auct}$ = Highest $T_{avg}$ of all loops
A, B, C = Constants chosen to maintain $Z_{LL} \geq$ actual limit based on physics calculations
The control rod bank demand position, Z, is compared to $Z_{LL}$ as follows:
If $Z - Z_{LL} \leq D$, a LOW alarm is actuated.
If $Z - Z_{LL} \leq E$, a LOW-LOW alarm is actuated.
Since the highest values of $T_{avg}$ and $\Delta T$ are chosen by auctioneering, a conservatively high representation of power is used in the insertion limit calculation.
Actuation of the low alarm alerts the operator of an approach to a reduced shutdown reactivity situation. Administrative procedures require the operator to add boron through the CVCS. Actuation of the LOW-LOW alarm requires the operator to initiate emergency boration procedures. The value of E is chosen so that the low-low alarm would normally be actuated before the insertion limit is reached. The value for D is chosen to allow the operator to follow normal boration procedures. Figure 7.7-2 shows a block diagram representation of the control rod bank insertion monitor. The monitor is shown in more detail on the functional diagram shown on Figure 7.2-10. In addition to the rod insertion monitor for the control banks, the plant computer monitors individual rod positions and provides an alarm that is associated with the rod deviation alarm discussed in Section 7.7.1.3.4 to warn the operator should any shutdown RCCA leave the fully withdrawn position.
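The insertion-limit comparison described above, written out as an added example; it is not code from the UFSAR or from the plant computer. The setpoint values, loop readings, units and function names are constructed for illustration, the limit is taken as a linear function of the auctioneered loop delta-T and Tavg, and the LOW and LOW-LOW comparisons are assumed to be less-than-or-equal.

```python
"""Control bank rod insertion monitor (illustrative, constructed values)."""
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class BankSetpoints:
    """Per-bank constants A, B, C, D, E. Values used below are constructed."""
    A: float  # steps per degree of auctioneered loop delta-T
    B: float  # steps per degree of auctioneered Tavg
    C: float  # offset, steps
    D: float  # LOW alarm margin above the limit, steps
    E: float  # LOW-LOW alarm margin above the limit, steps

    def __post_init__(self):
        # Assumption: LOW must come in before LOW-LOW as the bank is inserted.
        if not self.E < self.D:
            raise ValueError("E must be smaller than D")


def auctioneer_high(loop_values: Sequence[float]) -> float:
    """Select the highest loop reading, as the text describes."""
    if not loop_values:
        raise ValueError("at least one loop reading is required")
    return max(loop_values)


def insertion_limit(sp: BankSetpoints, delta_t_loops: Sequence[float],
                    tavg_loops: Sequence[float]) -> float:
    """Z_LL = A * (delta-T)auct + B * (Tavg)auct + C, in steps."""
    return (sp.A * auctioneer_high(delta_t_loops)
            + sp.B * auctioneer_high(tavg_loops)
            + sp.C)


def insertion_alarm(sp: BankSetpoints, z_demand: float,
                    delta_t_loops: Sequence[float],
                    tavg_loops: Sequence[float]) -> str:
    """Compare demanded bank position Z with Z_LL and return the alarm state."""
    margin = z_demand - insertion_limit(sp, delta_t_loops, tavg_loops)
    if margin <= sp.E:
        return "LOW-LOW"
    if margin <= sp.D:
        return "LOW"
    return "NONE"


# Constructed four-loop sample data (not plant values).
SETPOINTS = BankSetpoints(A=2.0, B=0.5, C=-286.0, D=10.0, E=3.0)
TAVG_LOOPS = [590.0, 591.0, 592.0, 590.5]
DT_BALANCED = [58.0, 58.0, 58.0, 58.0]
DT_ONE_HIGH = [58.0, 58.0, 60.0, 58.0]   # one loop reads higher than the rest

if __name__ == "__main__":
    for name, dt in (("balanced", DT_BALANCED), ("one loop high", DT_ONE_HIGH)):
        z_ll = insertion_limit(SETPOINTS, dt, TAVG_LOOPS)
        for z in (150.0, 138.0, 132.0):
            print(name, "Z_LL =", z_ll, "Z =", z,
                  insertion_alarm(SETPOINTS, z, dt, TAVG_LOOPS))
```

With these constructed numbers a single high loop reading raises the limit from 126 to 130 steps, so the same demanded position of 138 steps moves from no alarm to LOW, which is the conservative effect of auctioneering.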
Rod insertion limits are determined by:
: 1. Establishing the allowed rod reactivity insertion at full power consistent with the purposes given above.
: 2. Establishing the differential reactivity worth of the control rods when moved in normal sequence.
: 3. Establishing the change in reactivity with power level by relating power level to rod position.
: 4. Linearizing the resultant limit curve.
All key nuclear parameters in this procedure are measured as part of the initial and periodic physics testing program.
Any unexpected change in the position of the control bank when under automatic control, or a change in coolant temperature when under manual control, provides a direct and immediate indication of a change in the reactivity status of the reactor. In addition, samples are taken periodically of coolant boron concentration. Variations in concentration during core life provide an additional check on the reactivity status of the reactor, including core depletion.
7.7.1.3.4 Rod Deviation Alarm:
A rod deviation function is performed as part of the DRPIS where an alarm is generated if a preset limit is exceeded as a result of a comparison of any control rod against the other rods in a bank. The deviation alarm of a shutdown rod is annunciated when a preset insertion limit is exceeded.
The demanded and measured rod position signals are also monitored by the plant computer, which provides an audible alarm which can be printed whenever an individual rod position signal deviates from the other rods in the bank by a preset limit. The alarm can be set with appropriate allowance for instrument error and with sufficiently narrow limits to preclude exceeding core design hot channel factors. Figure 7.7-3 is a block diagram of the rod deviation comparator and alarm design implemented by the plant computer. Additionally, the DRPIS contains rod deviation circuitry that detects and alarms the following conditions:
: 1. When any two rods within the same control bank are misaligned by a preset distance (12 steps), and
: 2. When any shutdown rod is below the full-out position by a preset distance (18 steps).
7.7.1.3.5 Rod Bottom Alarm:
A rod bottom signal for the rods in the DRPIS is used to operate a control relay, which generates the ROD BOTTOM alarm.
7.7.1.4  Plant Control System Interlocks.
The listing of the Plant Control System interlocks, along with the description of their derivations and functions, is presented in Table 7.7-1. It is noted that the designation numbers for these interlocks are preceded by the letter "C". The development of these logic functions is shown on the functional diagrams (Figures 7.2-10 through 7.2-17).
7.7.1.4.1 Rod Stops:
Rod stops are provided to prevent abnormal power conditions which could result from excessive control rod withdrawal initiated by either a control system malfunction or operator violation of administrative procedures.
Rod stops are the C-1, C-2, C-3, C-4, C-5, and C-11 control interlocks identified in Table 7.7-1.
7.7.1.4.2 Automatic Turbine Load Runback (DELETED)
7.7.1.4.3 Turbine Loading Stop:  An interlock (C-17) is provided to limit turbine loading during a rapid return to power transient when a reduction in reactor coolant temperature is used to increase reactor power (through the negative moderator temperature coefficient). This interlock limits the drop in coolant temperature so that it does not exceed cooldown accident limits and preserves satisfactory SG operating conditions. Subsequent automatic turbine loading can begin after the interlock has been cleared by an increase in coolant temperature, which is accomplished by reducing the boron concentration in the coolant.
7.7.1.5 Pressurizer Pressure Control.
The RCS pressure is controlled by using either the heaters (in the water region) or the spray (in the steam region) of the pressurizer plus steam relief for large transients. The electrical immersion heaters are located near the bottom of the pressurizer.
A portion of the heaters (control group) is proportionally controlled to correct small pressure variations. These variations are due to heat losses, including heat losses due to a small continuous spray. The remaining (backup) heaters are automatically energized when all proportional heaters are energized and the compensated pressure signal continues to decrease.
The spray nozzles are located on the top of the pressurizer. Spray is initiated when the pressure controller spray demand signal is above a given setpoint. The spray rate increases proportionally with an increasing spray demand signal until it reaches a maximum value.
Steam condensed by the spray reduces the pressurizer pressure. A small continuous spray is normally maintained to reduce thermal stresses and thermal shock and to help maintain uniform water chemistry and temperature in the pressurizer.
PORVs limit system pressure for large positive pressure transients. In the event of a large load reduction, not exceeding the design plant load rejection capability, the pressurizer PORVs might be actuated for the most adverse conditions, e.g., the most negative Doppler coefficient, and the minimum incremental rod worth. The relief capacity of the PORVs is large enough to limit the system pressure to prevent actuation of the pressurizer high pressure reactor trip for the above condition.
A block diagram of the Pressurizer Pressure Control System is shown on Figure 7.7-4. The functional diagram is shown on Figures 7.2-12a and 7.2-12b.
7.7.1.6 Pressurizer Water Level Control.
The pressurizer operates to control RCS pressure by maintaining a steam cushion over the reactor coolant. As the density of the reactor coolant adjusts to the various temperatures, the steam water interface moves to absorb the variations with relatively small pressure disturbances.
The water inventory in the RCS is maintained by the CVCS. During normal plant operation, the charging flow varies to produce the flow demanded by the pressurizer water level controller. The pressurizer water level is programmed as a function of coolant average temperature, with the highest average temperature (auctioneered) being used. The pressurizer water level decreases as the load is reduced from full load. This is a result of coolant contraction following programmed coolant temperature reduction from full power to low power. The programmed level is designed to match as nearly as possible the level changes resulting from the coolant temperature changes.
To control pressurizer water level during startup and shutdown operations, the charging flow is manually regulated from the main control room.
A block diagram of the Pressurizer Water Level Control System is shown on Figure 7.7-5. The functional diagram is shown on Figures 7.2-12a and 7.2-12b.
7.7.1.7 Steam Generator Water Level Control.
Each SG is equipped with a three-element feedwater (FW) flow controller that maintains a fixed water level. The three-element FW controller regulates the FW valve by continuously comparing the FW flow signal, the SG water level signal, the level setpoint, and the pressure-compensated steam flow signal. In addition, the turbine-driven main FW pump speed is varied to maintain a programmed pressure differential between the steam header and the feed pump discharge header. The speed controller continuously compares the actual ΔP with a programmed ΔPref which is a linear function of steam flow. Continued delivery of FW to the SGs is required as a sink for the heat stored and generated in the reactor following a reactor trip and turbine trip. An override signal closes the FW valves when the average coolant temperature is below a given temperature and the reactor has tripped. Manual override of the FW control system is available at all times.
When operating at low reactor power levels (as during startup), the steam and feedwater flow signals are not usable for control due to inherent flow signal inaccuracies. Therefore, a secondary automatic control system is provided for operation at low power. This system uses the SG water level and nuclear power (power range neutron flux) signals in a feed forward control scheme in conjunction with the water level setpoint signal to position a bypass valve which is in parallel with the main FW control valve. Switchover between the bypass FW Control System (low power) and the Main FW Control System, depending upon whether reactor power is increasing or decreasing, is initiated by the operator before approximately 25 percent power.
A block diagram of the SG Water Level Control System is shown on Figure 7.7-6, and a block diagram of the Main FW Pump Speed Control System is shown on Figure 7.7-7. The functional diagram for both is shown on Figures 7.2-14 and 7.2-15.
7.7.1.8 Steam Dump Control.
The Steam Dump Control System is designed to accept a 50 percent loss of net load without tripping the reactor.
The Steam Dump Control System is able to accommodate this abnormal load rejection and to reduce the effects of the transient imposed upon the RCS. By bypassing main steam directly to the condenser through the Turbine Bypass System, an artificial load is thereby maintained on the primary system. The Rod Control System can then reduce the reactor temperature to a new equilibrium value without causing overtemperature and/or overpressure conditions.
The South Texas Project Electric Generating Station (STPEGS) has a 50 percent loss-of-net-load capability. The steam dump flow capacity provides 40 percent of full-load steam flow at full-load steam pressure.
If the difference between the reference temperature based on turbine impulse chamber pressure and the lead/lag-compensated auctioneered Tavg exceeds a predetermined amount, and the interlock mentioned below is satisfied, a demand signal actuates the steam dump to maintain the RCS temperature within the control range until a new equilibrium condition is reached.
To prevent actuation of steam dump on small load perturbations, an independent load rejection sensing circuit is provided. This circuit senses the rate of decrease in the turbine load as detected by the turbine impulse chamber pressure. It is provided to unblock the turbine bypass valves when the rate of load rejection exceeds a preset value corresponding to a 10 percent step load decrease or a sustained ramp load decrease of 5 percent/minute.
A block diagram of the Steam Dump Control System is shown on Figure 7.7-8. The functional diagram is shown on Figure 7.2-11.
7.7.1.8.1 Load Rejection Steam Dump Controller:
This circuit prevents a large increase in reactor coolant temperature following a large, sudden load decrease. The error signal is a difference between the lead/lag-compensated auctioneered Tavg and the reference temperature based on turbine impulse chamber pressure.
The Tavg signal is the same as that used in the RCS. The lead/lag compensation for the Tavg signal is to compensate for lags in the plant thermal response and in valve positioning. Following a sudden load decrease, the reference temperature immediately decreases and Tavg tends to increase, thus generating an immediate demand signal for steam dump. Since control rods are available, steam dump terminates as the error comes within the maneuvering capability of the control rods.
7.7.1.8.2 Turbine Trip Steam Dump Controller:
Following a turbine trip, as monitored by the turbine trip signal, the load rejection steam dump controller is defeated, and the turbine trip steam dump controller becomes active. Since control rods are not available in this situation (reactor trip on turbine trip), the demand signal is the error signal between the lead/lag-compensated, auctioneered Tavg and the no-load reference. When the error signal exceeds a predetermined setpoint, the turbine bypass valves are tripped open in a prescribed sequence. As the error signal reduces in magnitude, indicating that the RCS Tavg is being reduced toward the reference no-load value, the turbine bypass valves are modulated by the turbine trip controller to regulate the rate of removal of decay heat and thus gradually establish the equilibrium hot shutdown condition.
7.7.1.8.3 Steam Header Pressure Controller:  Residual heat removal is maintained by the SG pressure controller (manually selected), which controls the amount of steam flow to the condensers. This controller operates a portion of the same turbine bypass valves to the condensers which are used during the initial transient following turbine or reactor trip on load rejection.
7.7.1.9 Incore Instrumentation:  The Incore Instrumentation System consists of chromel-alumel thermocouples at fixed core outlet positions and movable miniature neutron detectors which can be positioned at the center of selected fuel assemblies, anywhere along the length of the fuel assembly vertical axis. The basic system for insertion of these detectors is shown on Figure 7.7-9.
7.7.1.9.1 Thermocouples:
Chromel-alumel thermocouples are threaded into guide tubes that penetrate the reactor vessel head through seal assemblies, and terminate at the exit flow end of the fuel assemblies. The thermocouples are provided with two primary seals, a conoseal and a swage-type seal from conduit to the thermocouple head. Thermocouple readings are monitored by the Qualified Display Processing System (QDPS) (Section 7.5).
7.7.1.9.2 Movable Neutron Flux Detector Drive System:
Miniature fission chamber detectors can be remotely positioned in retractable guide thimbles to provide flux mapping of the core. The stainless steel detector shell is welded to the leading end of the helically wrapped drive cable and to the stainless-steel-sheathed coaxial cable. The retractable thimbles, into which the miniature detectors are driven, are pushed into the reactor core through conduits which extend from the bottom of the reactor vessel down through the concrete shield area and then to a thimble seal plate. Their distribution over the core is nearly uniform with about the same number of thimbles located in each quadrant.
The thimbles are closed at the leading ends, are dry inside, and serve as the pressure barrier between the reactor water pressure and the atmosphere. Mechanical seals between the retractable thimbles and the conduits are provided at the seal table. During reactor operation, the retractable thimbles are stationary. They are extracted downward from the core during refueling to avoid interference within the core. A space beyond the seal plate is provided for the retraction operation.
The drive system for the insertion of the miniature detectors consists basically of drive assemblies, 5-path rotary transfer assemblies, and 10-path rotary transfer assemblies, as shown on Figure 7.7-9. The drive system pushes hollow helically wrapped drive cables into the core with the miniature detectors attached to the leading ends of the cables and small-diameter, sheathed coaxial cables threaded through the hollow centers back to the ends of the drive cables. Each drive assembly consists of a gear motor which pushes a helically wrapped drive cable and a detector through the selected thimble path by means of a special drive box, and includes a storage device that accommodates the total drive cable length.
Magnetic ball valves in series with the manual valves are provided for isolating a thimble leak. With the valve in the closed position, the valves form a 2,500 psig barrier. The magnetic ball valve serves as a check valve. The magnetic ball valve is normally closed and is opened when a flux detector is inserted through the valve, pushing the ball into a pocket in the valve. When the detector is removed from the thimble and out of the valve, the magnet pulls the ball back into the closed position. The manual isolation valve provides a backup means of isolating a thimble leak. The method of detecting the leakage would be during the performance of flux mapping.
If a leak has occurred, the backpressure on the ball valve will prevent the insertion of the detector. This will be indicated on the flux mapping panel.
A thimble leak might require cold shutdown for access to the flux thimble isolation valve. An incore flux mapping system leak detector with alarm capability is provided.
The Nuclear Regulatory Commission (NRC) questioned the vibrational response of the bottom mounted instrumentation (BMI) thimbles in questions 492.6N, 492.7N, and 492.8N (Ref. 7.7-3). Houston Lighting & Power (HL&P) (historical context) responded (Ref. 7.7-4) to the NRC questions by stating that the failure of the BMI thimble is not attributed to the vibration of the 14-ft core but to the use of a more flexible thimble and changes to thimble guide tube configuration. Information describing operational experience and modifications to the BMI design pursuant to European plant data was provided in References 7.7-5 and 7.7-6. Physical changes to the BMI thimbles to eliminate excess thimble vibration pursuant to operational plant test data were described in References 7.7-7 and 7.7-8. Commitments to examine thimble assemblies are provided in Reference 7.7-9. Further commitments for thimble inspection and plans for follow-up and corrective action are contained in References 7.7-10 and 7.7-11. As described in Reference 7.7-12, it was decided to remove the flow limiter devices from Unit 1 and replace the 0.313-inch-outside-diameter thimbles in Unit 1 with 0.385-inch-outside-diameter thimbles. Unit 2 began operation with 0.385-inch-outside-diameter thimbles installed. Flow limiter devices were not used in Unit 2.
A wall thickness eddy current inspection of all flux thimble tubes is scheduled for each refueling outage for each Unit. The inspection may be deferred by using an evaluation that considers the actual wear rate. Corrective actions to reposition, cap, or replace the thimble tube will be taken if the predicted wear (as a measure of percent through wall) for a given flux thimble tube is projected to exceed the established acceptance criterion of 80% (Reference 7.7-13) prior to the next outage.
7.7.1.9.3 Control and Readout Description:
The Control and Readout System provides the means for inserting the miniature neutron detectors into the reactor core and withdrawing the detectors while plotting neutron flux versus detector position. The Control and Readout System is located in the control room. Limit switches in each transfer device provide path selection operation feedback. Each gear box drives an encoder for position feedback. One 5-path operation selector is provided for each drive unit to insert the detector in one of five functional modes of operation. One 10-path operation selector is also provided for each drive unit that is then used to route a detector into any one of up to 10 selectable paths. A common path is provided to permit cross-calibration of the detectors.
The control room contains the necessary equipment for control, position indication, and flux recording for each detector.
A "flux-mapping" consists, briefly, of selecting (by panel switches) flux thimbles in given fuel assemblies at various core quadrant locations. The detectors are driven to the top of the core and stopped automatically.
An X-Y plot (position versus flux level) is initiated with the slow withdrawal of the detectors through the core from the top to a point below the bottom. In a similar manner, other core locations are selected and plotted. Each detector provides axial flux distribution data along the center of a fuel assembly. Various radial positions of detectors are then compared to obtain a flux map for a region of the core.
The number and location of these thimbles were chosen to permit measurement of local to average peaking factors to an accuracy of 5 percent (95 percent confidence). Measured nuclear peaking factors will be increased by 5 percent to allow for this accuracy. If the measured power peaking is larger than acceptable, reduced power capability will be indicated. Operating plant experience has demonstrated the adequacy of the incore instrumentation in meeting the design bases stated.
7.7.1.10 Boron Concentration Measurement System (BCMS).
The BCMS Model MK III has three components: an electronics console, a sampler tank assembly, and a remote display. The BCMS uses an integral neutron source and neutron detector. A sample of primary coolant containing boron passes through an annulus surrounding the neutron detector. The absorption of neutrons by the boron affects the neutron detection rate of the neutron detector. The relationship is approximately linear between the inverse of the neutron count rate and the boron concentration in the sample.
7.7.1.10.1 Sample Tank Assembly:
The sampler tank (Figure 7.7-11) is a cylindrical floor-mounted steel tank filled with demineralized water and heated to approximately 125°F by thermostatically controlled heaters at the bottom of the tank. A coiled heat exchanger (Hx) is immersed in the sample tank water to heat up the sample fluid to approximately 125°F prior to entering the sampling annulus. A neutron detector is located in the sample annulus. The coolant sample flows around the neutron detector.
A neutron source is located outside the sample annulus (Figure 7.7-12). The reactor coolant sample enters the top of the tank, flows through the Hx and into the bottom of the sample annulus. The sample continues upward past the neutron detector, out of the top of the tank through flow switches, and returns to the CVCS. Two parallel input and two parallel output ports with valves are provided, one pair for sample input and output and one pair for test input and test and grab sample output. The arrangement provides the capability for flushing, calibration, and removal of grab samples.
High flow, low flow, and high tank top temperature are displayed at the control panel. Both sample water temperature and tank water temperature are indicated on the control panel.
In addition to providing for coolant sample temperature control, the tank water serves as moderator and shielding for the neutron source. The volume of water in the tank provides sufficient shielding to limit the radiation levels from a 3.88-Ci neutron source to less than 2 mR/hr at 24 in. from tank surfaces. In the event of a complete loss of water shielding, the radiation levels would rise to approximately 3.15 mR/hr due to gamma and 20 mR/hr due to neutrons at 24 in. from all tank surfaces. The measurement unit is designed so that tank connections are at the top to eliminate the possibility of loss of water shielding through accidental leakage. In addition, a water level device is provided to signal a low water level in the tank. A light on the control panel is lit when the water level device senses a low level.
7.7.1.10.2 Electronic Console:
The electronic console unit is a standard instrument cabinet containing the electronic circuitry and equipment for processing the information received from the measurement unit and for displaying the boron concentration measurement. The control panel is located behind the protective door on the console.
A block-type schematic diagram of the system is shown on Figure 7.7-10. The low-level signal from the neutron detector is input to a preamplifier. The output of the preamplifier is coupled to a discriminator which eliminates noise and gamma pulses by pulse height discrimination. The discriminator is followed by a pulse amplifier which drives the logic circuitry of the boron analyzer time unit. This unit measures the count rate for a statistically meaningful period of time and converts the count rate to ppm boron. The output signal from the boron analyzer time unit is transmitted to local and remote (at the main control room) digital display where the signal is continuously displayed until a new value is measured and transmitted. The BCMS also has provisions for transmittal of data to the plant computer.
The BCMS is designed as an advisory system. It is not designed as a safeguards system or component of a safeguards system. The BCMS is not part of a control element or control system, nor is it designed for this use. No credit is taken for this system in any accident analysis. Therefore, redundancies of measurement components, self-checking subsystems, malfunction annunciations, and diagnostic circuitry are not included in this system. As a general operating aid, it provides information as to when additional check analyses are warranted rather than a basis for fundamental operating decisions.
7.7.1.10.3 BCMS Summary:
The BCMS measures the neutron absorption characteristics of the reactor coolant, which is directly related to the concentration of natural boron that would produce the same absorption characteristic. The system reports the measurement in terms of ppm total natural boron. Accurate measurement of the boron "worth," in terms of natural boron in the reactor coolant, is therefore provided irrespective of the Boron-10/total boron ratio which exists. During operations, the boron concentration varies between 0 and 3,500 ppm. The BCMS accuracy curve for that range is shown on Figure 7.7-13. This curve presumes sufficient reading to eliminate statistical errors, etc.
The BCMS provides on-line monitoring of the reactor coolant concentration. Therefore, boron concentration in the reactor coolant can be monitored as adjustments are being made. Further, the plant operators can monitor boron concentration directly; there is no time lapse or personnel requirement for collection and laboratory analysis of a reactor coolant sample, nor is there any waste material to be processed.
Limited device monitoring is provided to prevent system damage due to heater malfunction. If the heater fails in the OFF position, the water in the shield tank will return to room temperature. If the malfunction occurs in the ON position, the shield water temperature will rise. If no corrective action is taken, the water level will drop due to evaporation. A local high-temperature alarm and low water level alarm are provided to indicate this condition. A local temperature display is also provided. If no corrective action is taken, the water will continue to evaporate and the heater element will be exposed to air, resulting in damage to the heater. Holes are provided in the top cover to allow for evaporation, thereby eliminating the expansion problem and allowing for additional water to be added, if needed. The abnormal reactor coolant sample temperature would cause erroneous boron concentration readings. Erroneous readings would be detected by the operator, as boron concentration changes would affect reactivity control, and changes in reactivity would be indicated on other instruments.
The output of the neutron detector is coupled to a preamplifier in the electronic console. The electronics console is located in close proximity to the tank to keep the detector cable short and minimize electrical noise.
System characteristics are listed in Table 7.7-2.
7.7.2 Analysis
The plant control systems are designed to assure high reliability during any anticipated operational occurrences, in conformance with General Design Criterion (GDC) 13. Equipment used in these systems is designed and constructed with a high level of reliability.
Proper positioning of the control rods is monitored in the control room by bank arrangements of the individual position columns for each RCCA. A rod deviation alarm alerts the operator of a deviation of one RCCA from the other rods in that bank position. There are also insertion limit monitors with visual and audible annunciation. A rod bottom alarm signal is provided to the control room for each RCCA. Four excore long ion chambers also detect asymmetrical flux distribution, which is indicative of rod misalignment.
Overall reactivity control is achieved by the combination of soluble boron and RCCAs. Long-term regulation of core reactivity is accomplished by adjusting the concentration of boric acid in the reactor coolant. Short-term reactivity control for power changes is accomplished by the Rod Control System, which automatically moves RCCAs and uses input signals including neutron flux, coolant temperature, and turbine load.
The axial core power distribution is automatically controlled by fluctuation in RCS boron concentration. Increasing boron concentration causes the control rods to move out of the core, thereby reducing the amount of power in the bottom of the core and redistributing power toward the top. Conversely, reducing boron concentration causes the control rods to move into the core, thereby reducing the amount of power in the top and redistributing power toward the bottom.
The plant control systems prevent an undesirable condition in the operation of the plant that, if reached, will be protected by reactor trip. The description and analysis of this protection are covered in Section 7.2. Worst-case failure modes of the plant control systems are postulated in the analysis of off-design operational transients and accidents covered in Chapter 15, such as the following:
: 1. Uncontrolled RCCA withdrawal from a subcritical condition
: 2. Uncontrolled RCCA withdrawal at power
: 3. RCCA misalignment
: 4. Loss of external electrical load and/or turbine trip
: 5. Loss of offsite power to the station auxiliaries
: 6. Excessive heat removal due to FW System malfunctions
: 7. Excessive load increase incident
: 8. Accidental depressurization of the RCS
These analyses show that a reactor trip setpoint is reached in time to protect the health and safety of the public under those postulated incidents and that the associated coolant temperatures do not result in a violation of the DNB limit. Thus, there is no cladding damage and no release of fission products to the RCS under the assumption of these postulated worst-case failure modes of the plant control systems.
7.7.2.1 Separation of Protection and Control System.
In some cases, it is advantageous to employ control signals derived from individual protection channels through isolation amplifiers contained in the protection channel. As such, a failure in the control circuitry does not adversely affect the protection channel, in conformance with GDC 24. Test results have shown that a short circuit or the application (credible fault voltage from within the cabinets) of 118 vac or 140 vdc on the isolated output portion of the circuit (nonprotection side of the circuit) does not affect the input (protection) side of the circuit.
Where a single random failure can cause a control system action that results in a generating station condition requiring protective action and can also prevent proper action of a protection system channel designed to protect against the condition, the remaining redundant protection channels are capable of providing the protective action even when degraded by a second random failure. This meets the applicable requirements of Section 4.7 of Institute of Electrical and Electronic Engineers (IEEE) 279-1971.
7.7.2.2 Response Consideration of Reactivity.
Reactor shutdown with control rods is completely independent of the control functions since the trip breakers interrupt power to the CRDMs, regardless of existing control signals. The design is such that the system can withstand accidental withdrawal of control groups or unplanned dilution of soluble boron without exceeding acceptable fuel design limits. The design meets the requirements of GDC 25.
No single electrical or mechanical failure in the Rod Control System could cause the accidental withdrawal of a single RCCA from the partially inserted bank at full-power operation. The operator could deliberately withdraw a single RCCA in the control bank; this feature is necessary in order to retrieve a rod, should one be accidentally dropped. In the extremely unlikely event of simultaneous electrical failures which could result in a single RCCA withdrawal, rod deviation would be displayed on the plant annunciator, and the individual rod position readouts would indicate the relative positions of the rods in the bank. Withdrawal of a single RCCA by operator action, whether deliberate or by a combination of errors, would result in activation of the same alarm and the same visual indications.
Each bank of control and shutdown rods in the system is divided into one or two groups (group 1 and group 2) of up to four mechanisms each. The rods constituting a group operate in parallel through multiplexing thyristors. The two groups in a bank move sequentially so that the first group is always within one step of the second group in the bank. The group 1 and group 2 power circuits are installed in different cabinets, as shown on Figure 7.7-14, which also shows that one group is always within one step (5/8-in.) of the other group. A definite schedule of actuation or deactuation of the stationary gripper, movable gripper, and lift coils of a mechanism is required to withdraw the RCCA attached to the mechanism. Since the four stationary gripper, movable gripper, and lift coils associated with the RCCAs of a rod group are driven in parallel, any single failure which could cause rod withdrawal would affect a minimum of one group of RCCAs. Mechanical failures are in the direction of insertion or immobility.
Figure 7.7-15 is a diagram of the design features that assure that no single electrical failure could cause the accidental withdrawal of a single RCCA from the partially inserted bank at full-power operation. Figure 7.7-15 shows the typical parallel connections on the lift, movable gripper, and stationary gripper coils for a group of rods. Since single failures in the stationary or movable circuits will result in dropping or preventing rod (or rods) motion, the discussion of single failure will be addressed to the lift coil circuits, as follows:
: 1. Due to the method of wiring the pulse transformers which fire the lift coil multiplex thyristors, three of the four thyristors in a rod group could remain turned off when required to fire, if, for example, the gate signal lead failed open at point X1. Upon UP demand, one rod in group 1, and four rods in group 2 would withdraw. A second failure at point X2 in the group 2 circuit is required to withdraw one RCCA.
: 2. Timing circuit failures would affect the four mechanisms of a group or the eight mechanisms of the bank and would not cause a single rod withdrawal.
: 3. More than two simultaneous component failures are required (other than the open wire failures) to allow withdrawal of a single rod.
The identified multiple failure involving the least number of components consists of open circuit failure of the proper 2 out of 16 wires connected to the gate of the lift coil thyristors. The probability of open wire (or terminal) failure is 0.016 × 10⁻⁶ per hour by MIL-HDB-217A. These wire failures would have to be accompanied by failure, or disregard, of the indications mentioned above. The probability of this occurrence is therefore too low to be significant.
To erroneously withdraw a single RCCA, the operator would have to improperly set the bank selector switch, the lift coil disconnect switches, and the rod control switch. In addition, the three indications would have to be disregarded or ineffective. Such a series of errors would require a complete lack of understanding and administrative control. A probability number cannot be assigned to a series of errors such as this.
The Rod Position Indication System provides direct visual display of each RCCA position. The plant computer alarms for deviation of rods from their banks. In addition, a rod insertion limit monitor provides an audible and visual alarm to warn the operator of an approach to an abnormal condition due to dilution. The low-low insertion limit alarm alerts the operator to follow emergency boration procedures. The facility reactivity control systems are such that acceptable fuel damage limits will not be exceeded even in the event of a single malfunction of either system.
An important feature of the Rod Control System is that insertion is provided by gravity fall of the rods. In all analyses involving reactor trip, the single highest worth RCCA is postulated to remain untripped in its full-out position.
One means of detecting a stuck RCCA is available from the actual rod position information displayed on the control board. The control board position readouts, one for each rod, give the plant operator the actual position of the rod in steps. The indications are grouped by banks (e.g., control bank A, control bank B, etc.) to indicate to the operator the deviation of one rod with respect to other rods in a bank. This serves as a means to identify rod deviation.
The plant computer monitors the actual position of all rods. Should a rod be misaligned from the other rods in that bank by more than 15 in., the rod deviation alarm is actuated.
Misaligned RCCAs are also detected and alarmed in the control room via the Flux Tilt Monitoring System, which is independent of the plant computer.
Isolated signals derived from the NIS are compared with one another to determine if a preset amount of deviation of average power level has occurred. Should such a deviation occur, the comparator output operates a bistable unit to actuate a control board annunciator. This alarm alerts the operator to a power imbalance caused by a misaligned rod. By use of individual rod position readouts, the operator can determine the deviating control rod and take corrective action. The design of the Plant Control System meets the requirements of GDC 23.
Refer to Section 4.3 for additional information on response considerations due to reactivity.
7.7.2.3 Step Load Changes Without Steam Dump.
The Plant Control System restores equilibrium conditions, without a trip, following ~10 percent step change in load demand, over the 15 to 100 percent power range for automatic control. Steam dump is blocked for load decrease less than or equal to 10 percent. A load demand greater than full power is prohibited by the turbine control load limit devices.
The Plant Control System minimizes the reactor coolant average temperature deviation during the transient within a given value and restores average temperature to the programmed setpoint.
Excessive pressurizer pressure variations are prevented by using spray and heaters and PORVs in the pressurizer.
The Control System must limit nuclear power overshoot to acceptable values following a 10 percent increase in load to 100 percent.
7.7.2.4 Loading and Unloading.
Ramp loading and unloading of 5 percent per minute can be accepted over the 15 to 100 percent power range under automatic control without tripping the plant. The function of the control system is to maintain the coolant average temperature as a function of turbine generator load.
The coolant average temperature increases during loading and causes a continuous insurge to the pressurizer as a result of coolant expansion. The sprays limit the resulting pressure increase.
Conversely, as the coolant average temperature is decreasing during unloading, there is a continuous outsurge from the pressurizer resulting from coolant contraction. The pressurizer heaters limit the resulting system pressure decrease. The pressurizer water level is programmed so that the water level is above the setpoint for heater cutout during the loading and unloading transients. The primary concern during loading is to limit the overshoot in nuclear power and to provide sufficient margin in the over-temperature  setpoint. The automatic load controls are designed to adjust the unit generation to match load requirements within the limits of the unit capability and licensed rating.
During rapid loading transients, a drop in reactor coolant temperature is sometimes used to increase core power. This mode of operation is applied when the control rods are not inserted deep enough into the core at the beginning of the transient to supply all the reactivity requirements of the rapid load increase (the Boron Control System is relatively ineffective for rapid power changes). The reduction in temperature is initiated by continued turbine loading past the point where the control rods are completely withdrawn from the core. The temperature drop is recovered and nominal conditions restored by a boron dilution operation.
Excessive drops in coolant temperature are prevented by interlock C-17. This interlock circuit monitors the auctioneered (lowest) coolant average temperature indications and the programmed reference temperature, which is a function of turbine impulse pressure, and causes a turbine loading stop when the temperature difference reaches the setpoint.
The core axial power distribution is controlled during the reduced temperature return to power by the operator as necessary, to ensure compliance with the plant Technical Specifications.
7.7.2.5 Load Rejection Furnished By Steam Dump Control System.
When a load rejection occurs, if the difference between the required temperature setpoint of the RCS and the actual average temperature exceeds a predetermined amount, a signal actuates steam dump to maintain the RCS temperature within the control range until a new equilibrium condition is reached.
The reactor power is reduced at a rate consistent with the capability of the Rod Control System.
Reduction of the reactor power is automatic. The steam dump flow reduction is as fast as RCCAs are capable of inserting negative reactivity.
The Rod Control System can then reduce the reactor temperature to a new equilibrium value without causing overtemperature and/or overpressure conditions. The steam dump steam flow capacity is 40 percent of full load steam flow at full load steam pressure.
The steam dump flow reduces proportionally as the control rods act to reduce the average coolant temperature. The artificial load is therefore removed as the coolant average temperature is restored to its programmed equilibrium value.
The bypass valves are modulated by the reactor coolant average temperature signal. The required number of turbine bypass valves can be tripped quickly to stroke full-open or modulate, depending upon the magnitude of the temperature error signal resulting from loss of load.
7.7.2.6 Turbine Generator Trip With Reactor Trip.
Whenever the turbine generator unit trips at an operating power level above 50 percent power, the reactor is also tripped. The unit is operated with a programmed average temperature as a function of load, with the full-load average temperature significantly greater than the equivalent saturation pressure of the SG safety valve setpoint. The thermal capacity of the RCS is greater than that of the secondary system, and because the full load average temperature is greater than the no-load temperature, a heat sink is required to remove heat stored in the reactor coolant to prevent lifting of SG safety valves for a trip from full power. This heat sink is provided by the combination of controlled release of steam to the condenser and by makeup of FW to the SGs.
The Steam Dump Control System is controlled from the reactor coolant average temperature signal, whose setpoint values are programmed as a function of turbine load. Actuation of the steam dump is rapid to prevent lifting of the SG safety valves. With the bypass valves open, the average coolant temperature starts to reduce quickly to the no-load setpoint. A direct feedback of temperature acts to proportionally close the valves to minimize the total amount of steam which is bypassed.
Following the reactor trip, the main FW system is isolated when the average coolant temperature decreases below a given temperature or when the SG water level reaches a given high level.
Additional FW makeup is then provided by the Auxiliary Feedwater System and is controlled manually to restore and maintain SG water level while assuring that the reactor coolant temperature is at the desired value. Residual heat removal is maintained by the steam header pressure controller (manually selected), which controls the amount of steam flow to the condensers. This controller operates a portion of the same turbine bypass valves to the condensers which are used during the initial transient following turbine and reactor trip.
Pressurizer pressure and water level fall rapidly during the transient because of coolant contraction. Pressurizer water level is programmed so that the level is maintained above the heaters following the turbine reactor trip. However, if the heaters become uncovered following the trip, the CVCS provides full charging flow to restore water level in the pressurizer. Heaters are then turned on to restore pressurizer pressure to normal. The Steam Dump and FW Control Systems are designed to prevent the average coolant temperature from falling below the programmed no-load temperature following the trip to ensure adequate reactivity shutdown margin.
REFERENCES
Section 7.7:
7.7-1 Lipchak, J. B. and R. A. Stokes, "Nuclear Instrumentation System", WCAP-8255 (January 1974).
7.7-2 Shopsky, W. E., "Failure Modes and Effects (FMEA) of the Solid State Full Length Rod Control System", WCAP-8976 (1977).
7.7-3 Letter G. W. Knighton to J. H. Goldberg dated July 19, 1985.
7.7-4 ST-HL-AE-1339 dated February 3, 1986.
7.7-5 ST-HL-AE-1696 dated June 27, 1986.
7.7-6 ST-HL-AE-1842 dated December 19, 1986.
7.7-7 NS-NRC-87-3223 dated May 15, 1987.
7.7-8 ST-HL-AE-2161 dated May 20, 1986.
7.7-9 ST-HL-AE-2223 dated June 8, 1987.
7.7-10 ST-HL-AE-2458 dated January 5, 1988.
7.7-11 ST-HL-AE-2490 dated February 3, 1988.
7.7-12 ST-HL-AE-2832 dated November 1, 1988.
7.7-13 ST-HL-AE-3780 dated July 25, 1991

TABLE 7.7-1
PLANT CONTROL SYSTEM INTERLOCKS

Designation: C-1
: Derivation: 1/2 Neutron flux (intermediate range) above setpoint
: Function: Blocks automatic and manual control rod withdrawal
Designation: C-2
: Derivation: 1/4 Neutron flux (power range) above setpoint
: Function: Blocks automatic and manual control rod withdrawal
Designation: C-3
: Derivation: 2/4 Overtemperature above setpoint
: Function: Blocks automatic and manual control rod withdrawal
Designation: C-4
: Derivation: 2/4 Overpower above setpoint
: Function: Blocks automatic and manual control rod withdrawal
Designation: C-5
: Derivation: 1/1 Turbine impulse chamber pressure below setpoint
: Function: Blocks automatic control rod withdrawal
Designation: C-7
: Derivation: 1/1 Time derivative (absolute value) of turbine impulse chamber pressure (decrease only) above setpoint
: Function: Makes turbine bypass valves available for either tripping or modulation
Designation: C-8
: Derivation: Turbine trip (2/3 turbine emergency trip fluid pressures below setpoint, or 2/4 turbine stop valves closed)
: Function: Blocks steam dump control via load rejection Tavg controller
: Function: Makes turbine bypass valves available for either tripping or modulation
: Function: Absence of C-8 signal blocks steam dump control via turbine trip Tavg controller
Designation: C-9
: Derivation: Presence of C-9: 2/3 condenser pressures below setpoint and 1/4 circulating water pump breakers closed
: Function: Presence of C-9 allows steam dump to condenser
: Derivation: Absence of C-9: 2/3 condenser pressures above setpoint or all 4 circulating water pump breakers open
: Function: Absence of C-9 blocks steam dump to condenser
Designation: C-11
: Derivation: 1/1 Bank D control rod position above setpoint
: Function: Blocks automatic rod withdrawal
Designation: C-17
: Derivation: Difference between Tavg auctioneered and Tref above setpoint
: Function: Stops automatic turbine loading until condition clears
Designation: C-20*
: Derivation: Two-of-two turbine impulse chamber pressures above setpoint
: Function: Arms AMSAC; below setpoint, blocks AMSAC (generated in AMSAC; see Section 7.8)
<nowiki>*</nowiki> ATWS Mitigation System Actuation Circuitry (AMSAC) is not part of the plant control system, but is a control-grade system.
TABLE 7.7-2
BORON CONCENTRATION MEASUREMENT SYSTEM SPECIFICATIONS

Operating Conditions
: Line voltage: 120 vac 10 percent, 60 Hz 1 percent
: Heater voltage: 480 vac
: Pressure: 15 to 225 psig (sample)
: Temperature: 70 to 140°F (sample)
: Sample flowrate: 0.025 to 0.5 gal/min
: Ambient temperature: 32 to 120°F
: Relative humidity: 15 to 95 percent
: Radiation levels: less than 11 mR/hr at all tank surfaces
: Reading time: variable depending on boron concentration, 4 minutes maximum at 3,000 ppm
Accuracy (boron ppm parts of water; standard deviation)
: 0 - 1,800 ppm; 10 ppm
: 1,800 - 5,000 ppm; 1.25 percent
Drift: less than 2 ppm/week
7.8 ATWS MITIGATION SYSTEM ACTUATION CIRCUITRY
====7.8.1 Description====
7.8.1.1 System Description.
The ATWS (Anticipated Transient Without Scram) Mitigation System Actuation Circuitry (AMSAC) provides a backup to the Reactor Trip System (RTS) and Engineered Safety Feature Actuation System (ESFAS) for initiating turbine trip and auxiliary feedwater flow in the event of an anticipated transient without scram. The design of the AMSAC is based upon the limiting AMSAC event, a complete loss of main feedwater without an ensuing reactor trip, as described in Reference 7.8-1. The AMSAC is independent of and diverse from the RTS and the ESFAS with the exception of the analog inputs, steam generator reference leg temperature compensation circuitry, and the final actuation devices, and is classified as control-grade equipment. It is a highly reliable, microprocessor-based, single-train system powered by a non-Class 1E source.
The AMSAC continuously monitors steam generator narrow range level, which is an anticipatory indication of a loss of heat sink, and initiates certain functions when the level drops below a predetermined setpoint and remains below this setpoint for longer than a predetermined time delay in three of the four steam generators. These functions are the tripping of the turbine, the initiation of auxiliary feedwater (AFW), isolation of the steam generator (SG) blowdown lines, and isolation of the SG sample lines.
The AMSAC is designed to be highly reliable, resistant to inadvertent actuation, and easily maintained. Reliability is assured through the use of internal redundancy and continual self-testing by the system. Inadvertent actuations are minimized through the use of internal redundancy and majority voting at the output stage of the system. The time delay on low steam generator level and the coincidence logic used also minimize inadvertent actuations. The AMSAC is armed automatically, allowing it to perform its actuations whenever reactor power exceeds a preselected power level, determined using turbine impulse chamber pressure. AMSAC remains armed sufficiently long after turbine impulse pressure drops below the setpoint to ensure that its functions will be performed in the event of a turbine trip.
7.8.1.1.1 Equipment Description: The AMSAC consists of a single train of equipment located in the control-grade cabinet of the Qualified Display Processing System (QDPS). With the exception of the common (non-Class 1E) AC cabinet power supply, the AMSAC is independent of the QDPS. The QDPS is described in detail in Section 7.5.6.
The design of the AMSAC is based upon the industry standard Intel Multibus format, which permits the use of various readily available, widely used microprocessor cards on a common data bus for various functions. This system uses Intel 8086 microprocessors.
Steam generator level input signals are provided by four dedicated differential pressure-type level transmitters, one from each steam generator. These signals are conditioned by reference leg temperature compensation circuitry.
The AMSAC is housed in the control-grade cabinet (Remote Processing Unit N) of the QDPS. The system hardware consists of two primary systems: the Actuation Logic System (ALS) and the Test/Maintenance System (T/MS). A simplified block diagram of the AMSAC architecture is presented in Figure 7.8-1.
Actuation Logic System
The ALS monitors the analog and digital inputs, performs the functional logic required, provides actuation outputs to trip the turbine and initiate AFW flow, and provides status information to the T/MS. The ALS consists of three groups of input/output (I/O) modules, three actuation logic processors (ALPs), one majority voting module, and one output relay panel. The I/O modules provide signal conditioning, isolation, and test features for interfacing the ALS and T/MS.
Conditioned signals are sent to three identical ALPs for analog-to-digital conversion, setpoint comparison, and coincidence logic performance. Each of the ALPs performs identical logic calculations using the same inputs and derives component actuation demands, which are then sent to the majority voting module. The majority voting module performs a two-out-of-three vote on the ALP demand signals. This module drives the relays providing outputs to the existing turbine trip and auxiliary feedwater initiation component circuits.
The ALS is designed such that a single failure of an input channel, ALP, majority voting module component, or output relay shall neither actuate nor prevent actuation of the diverse turbine trip and AFW start. The ALS is designed to operate on the energize-to-actuate principle. On loss of power to AMSAC or failure of an integral power supply, the system outputs will not actuate.
Test/Maintenance System
The T/MS consists of a test/maintenance processor, a digital-to-analog conversion board, a memory board, expansion boards, a self-health board, digital output modules, a test/maintenance panel, and a portable terminal/printer.
The T/MS provides the AMSAC with automated and manual testing as well as a maintenance mode. Automated testing is the continuously performed self-checking done by the system during normal operation. ALP status is monitored by the T/MS and sent to the Emergency Response Facilities Data Acquisition and Display System (ERFDADS, refer to Section 7.5.7) and the plant annunciator. Manual testing of the system by the maintenance staff can be performed on-line to provide assurance that the ALP system is fully operational. The maintenance mode permits the maintenance staff, under administrative control, to modify channel setpoints, bypass status and calibration values, and initiate channel calibration.
The output relay panel provides component actuation signals to separately mounted isolation relays, which provide output contacts for initiation of auxiliary feedwater and for turbine trip. AMSAC utilizes existing component final actuation devices.
7.8.1.1.2 Functional Performance Requirements: Analyses have shown that the most limiting ATWS is a loss of FW event without a reactor trip. The AMSAC automatically initiates AFW flow, trips the turbine, and isolates SG blowdown and sampling lines:
To ensure a secondary heat sink following an anticipated transient (ANS Condition II) without a reactor trip
To limit core damage following an anticipated transient without a reactor trip
To ensure that the energy generated in the core is compatible with the design limits to protect the reactor coolant pressure boundary by maintaining the reactor coolant pressure to within ASME Stress Level C
7.8.1.1.3 AMSAC Interlocks: A single interlock, designated as C-20, is provided to allow for the automatic arming and blocking of the AMSAC. The system is blocked at reactor power levels below which the actions taken by the AMSAC following an ATWS need not be automatically initiated. Turbine impulse chamber pressure in a two-out-of-two logic scheme is used for this permissive; both turbine impulse chamber pressures above the setpoint will automatically arm the AMSAC. Either turbine impulse pressure signal dropping below this setpoint will automatically block the AMSAC following a preset time delay. This time delay is set to avoid blocking AMSAC before it can perform its functions in the event a turbine trip occurs. The operating status of the AMSAC is displayed on the main control board. (See Figure 7.2-17 for the functional logic diagram showing development of this interlock.)
A separate time delay on the low steam generator level three-out-of-four (3/4) logic signal is provided to allow the reactor protection system to generate a protective signal before AMSAC actuation occurs. (Ref. 7.8-3 for further explanation and Figure 7.8-2 for a logic diagram showing development of this time delay function.)
7.8.1.1.4 Steam Generator Level Sensor Arrangement: Steam Generator level for each SG is determined by a differential pressure-type transmitter. These steam generator level transmitters provide input to the AMSAC after they are conditioned to provide a temperature compensated signal.
7.8.1.1.5 Trip System: The steam generator level analog inputs are used by the AMSAC to determine trip demand. Signal conditioning, engineering unit conversion, and digitization are performed on the transmitter outputs and used by each of the ALPs to derive a component actuation demand. If three of the four steam generators have a low level and the reactor power level is greater than the C-20 permissive, then a trip demand signal is generated. This signal drives output relays for performing the necessary mitigative actions. (See Figure 7.2-7 for the functional logic diagram showing development of the trip demand signal and Figures 7.2-16 and 7.2-17 for the functional logic diagram showing the trip demand signal interface with the final actuation device logic.)
7.8.1.1.6  Isolation Devices: With the exception of common final actuation drives, AMSAC is maintained independently of the RTS and ESFAS with the following three exceptions.
The analog inputs to AMSAC are provided by Steam Generator Narrow Range (SGNR) level signals that are corrected for changes in transmitter reference leg temperature. The same SGNR level signals are inputs to the RTS and ESFAS. Isolation amplifiers located in the analog protection racks provide isolation of the AMSAC circuitry from the RTS/ESFAS.
Isolation of the nonsafety-related AMSAC from the RTS and ESFAS is provided through use of MDR isolation relays in isolation relay cabinets. A credible fault occurring in the nonsafety-related AMSAC will not propagate through and degrade the RTS and ESFAS. A postulated failure of the isolation relays will not prevent occurrence of a reactor trip when it is required. Isolation between the nonsafety-related remote processing unit (RPU N) and the remainder of the safety-related QDPS is not impacted by the addition of AMSAC to RPU N.
Turbine impulse chamber pressure inputs to AMSAC are obtained through the isolation amplifiers located in the analog protection racks.
7.8.1.1.7 AMSAC Diversity from the Reactor Protection Systems: Equipment diverse from the RTS and ESFAS is used in the AMSAC to prevent common mode failures that might affect the AMSAC and the RTS or ESFAS. The AMSAC is a digital, microprocessor-based system with the exception of the analog steam generator level transmitter inputs. Except for the analog inputs, steam generator reference leg temperature compensation circuitry, and the final actuation circuitry for turbine trip/auxiliary feedwater, AMSAC equipment is diverse from the RTS/ESFAS systems, both in design type and manufacture.
Both the ESFAS and AMSAC initiate AFW. Diversity is provided by the different systems used to accomplish required logic and to develop the actuation signals.
Equipment similarity between the circuits that initiate AFW does not negate the ability of the plant systems to mitigate the consequences of postulated common mode failures in the actuation circuits.
A postulated common mode failure of identical components in the analog portion of the RTS that results in the inability to generate a reactor trip signal will not impact the ability of the digital AMSAC to generate the necessary mitigative actuations. Similarly, a postulated common mode failure affecting similar components in the digital QDPS portion of the ESFAS, affecting its ability to initiate AFW, and the same components in the AMSAC would impact the ability to automatically initiate AFW but not the ability of the RTS to generate a reactor trip signal.
Portions of the QDPS that accomplish reference leg temperature compensation for the steam generator narrow range level signals are common to AMSAC and RTS/ESFAS systems. Per Reference 7.8-3, "Equipment diversity to the extent reasonable and practicable to minimize the potential for common cause failures is required from the sensors output to, but not including, the final actuation device...". Reference 7.8-3 further states that "The narrow range steam generator water level delta p AMSAC signals shall have a trip accuracy [equal to that of the steam generator water level delta p signals used in the reactor protection system.]" Since the steam generator narrow range level signals (sensor outputs) to RTS/ESFAS are corrected for reference leg temperature variation at STPEGS, and to meet AMSAC accuracy requirements, equivalent analog inputs must be used for AMSAC. Therefore, for the purpose of diversity requirements, the 'sensor output' is taken to be the temperature compensated sensor output. This provides the required sensor output accuracy and reasonable diversity in that it would be impractical to provide a separate, diverse reference leg temperature compensation system for the AMSAC analog inputs.
7.8.1.1.8 Power Supply and Environmental Variations: The AMSAC power supply is the battery-backed non-Class 1E vital bus supplying QDPS RPU N. The cabinet and all other AMSAC equipment are located in controlled environments such that variations in the ambient conditions are minimized. No AMSAC equipment is located inside the Containment.
7.8.1.1.9 Setpoints: The AMSAC makes use of two setpoints in the coincidence logic in order to determine if mitigative functions are required. One steam generator level signal from each steam generator is sensed to determine if a loss of secondary heat sink is imminent. The low level setpoint is selected in such a manner that a true loss of level will be detected by the system. The normal small variations in level will not result in a spurious AMSAC signal. This low level setpoint is approximately 15 percent of steam generator narrow range level span, which is less than the RTS/ESFAS trip setpoint.
To avoid AMSAC actuation upon loss of one operating main FW pump, AMSAC actuation is delayed to allow the standby main FW pump(s) to restore required level. An additional criterion is also applied: the reactor protection system should be allowed to function before AMSAC initiates AFW flow and trips the turbine.
The C-20 permissive setpoint is selected in order to be consistent with ATWS investigations showing that the mitigative actions performed by the AMSAC need not be automatically actuated below a certain power level. The maximum allowable value of the C-20 permissive setpoint is defined by these investigations. The C-20 setpoint is approximately 30 percent of equivalent turbine impulse pressure, which is intended to approximate 40 percent of nominal full reactor thermal power.
To ensure that the AMSAC remains armed long enough to permit its function in the event of a turbine trip, the C-20 permissive is maintained through a preset time delay after the turbine impulse chamber pressure drops below the arming setpoint.
The setpoints and the capability for their modification in the AMSAC are under administrative control.
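The arming, coincidence, time-delay and voting behavior described in Sections 7.8.1.1.1 through 7.8.1.1.9, as an added Python model that is not part of the UFSAR or the AMSAC software. The two setpoints use the approximate values stated above; both time-delay values, the ordering of the level timer ahead of the C-20 gate, the sample transient and all class and function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from itertools import product
from typing import Optional, Sequence

SG_LOW_LEVEL_PCT = 15.0    # ~15 % of narrow range span (Section 7.8.1.1.9)
C20_SETPOINT_PCT = 30.0    # ~30 % equivalent turbine impulse pressure
ACTUATION_DELAY_S = 25.0   # ASSUMED placeholder; the page gives no value
C20_HOLD_S = 120.0         # ASSUMED placeholder; the page gives no value


@dataclass
class ActuationLogicProcessor:
    """One of the three identical ALPs (hypothetical model)."""
    stuck_output: Optional[bool] = None   # None = healthy, else failed output
    low_since: Optional[float] = None     # when the 3/4 low-level signal began
    c20_last_met: Optional[float] = None  # last time both pressures were high

    def step(self, t: float, sg_levels: Sequence[float],
             impulse_pressures: Sequence[float]) -> bool:
        # C-20: two-out-of-two arms; blocking only follows the hold delay.
        if all(p > C20_SETPOINT_PCT for p in impulse_pressures):
            self.c20_last_met = t
        armed = (self.c20_last_met is not None
                 and t - self.c20_last_met < C20_HOLD_S)
        # Three-out-of-four low level must persist for the actuation delay.
        if sum(lvl < SG_LOW_LEVEL_PCT for lvl in sg_levels) >= 3:
            if self.low_since is None:
                self.low_since = t
        else:
            self.low_since = None         # level recovered: timer resets
        timed_out = (self.low_since is not None
                     and t - self.low_since >= ACTUATION_DELAY_S)
        demand = armed and timed_out
        return demand if self.stuck_output is None else self.stuck_output


def majority_vote(demands: Sequence[bool]) -> bool:
    """Two-out-of-three vote on the ALP demand signals."""
    return sum(bool(d) for d in demands) >= 2


def voter_truth_table() -> dict:
    """Every input combination, as the at-power voter test exercises."""
    return {c: majority_vote(c) for c in product((False, True), repeat=3)}


class Amsac:
    def __init__(self, alp_faults=(None, None, None)):
        self.alps = [ActuationLogicProcessor(stuck_output=f) for f in alp_faults]
        self.bypassed = False             # NORMAL / BYPASS selector switch

    def step(self, t, sg_levels, impulse_pressures) -> bool:
        demands = [a.step(t, sg_levels, impulse_pressures) for a in self.alps]
        return majority_vote(demands) and not self.bypassed


def loss_of_feedwater(recover_at=None, power_pct=80.0, n_low=4):
    """Constructed 1 s samples: (t, four SG levels, two impulse pressures)."""
    samples = []
    for t in range(61):
        low = t >= 10 and (recover_at is None or t < recover_at)
        levels = [10.0 if low and i < n_low else 50.0 for i in range(4)]
        # Constructed turbine trip at t = 20 s collapses impulse pressure.
        pressure = power_pct if t < 20 else 5.0
        samples.append((float(t), levels, (pressure, pressure)))
    return samples


def first_actuation(amsac: Amsac, samples) -> Optional[float]:
    """Time of the first voted actuation output, or None if there is none."""
    for t, levels, pressures in samples:
        if amsac.step(t, levels, pressures):
            return t
    return None


if __name__ == "__main__":
    print("healthy system:", first_actuation(Amsac(), loss_of_feedwater()))
    print("one ALP stuck off:",
          first_actuation(Amsac((False, None, None)), loss_of_feedwater()))
    print("one ALP stuck on, normal level:",
          first_actuation(Amsac((True, None, None)), loss_of_feedwater(n_low=0)))
```

With two ALPs failed in the same direction the voter follows them, which is why the design credits only a single failure.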
7.8.1.2 Final System Drawings. The functional logic of the AMSAC is presented in Figures 7.8-2, 7.2-7, 7.2-16, and 7.2-17. Logic diagrams and electrical elementary drawings for the safety-related final actuation devices and the AMSAC interface are listed in Section 1.7.
====7.8.2 Analysis====
7.8.2.1 Safety Classification/Safety-Related Interface. The AMSAC is not safety-related and therefore need not meet the requirements of IEEE 279-1971. The AMSAC has been implemented such that the RTS and the ESFAS continue to meet all applicable safety-related criteria.
The AMSAC is independent of the RTS and ESFAS with the exception of the items discussed in Section 7.8.1.1.6. The isolation provided between the RTS and the AMSAC, and between the ESFAS and the AMSAC, by the isolation relay cabinets and the turbine impulse chamber pressure circuits ensures that the applicable safety-related criteria for the RTS and the ESFAS are not violated.
7.8.2.2 Redundancy. AMSAC system redundancy is not required and has not been provided. To ensure high system reliability, portions of the AMSAC have been implemented as internally redundant such that a single failure of an input channel or ALP will neither actuate nor prevent actuation of the AMSAC.
7.8.2.3 Diversity from the Existing Trip System. A discussion of the diversity between the RTS and the AMSAC and between the ESFAS and the AMSAC is presented in Section 7.8.1.1.7.
7.8.2.4 Electrical Independence. The AMSAC is electrically independent of the RTS and ESFAS from the sensors output up to the final actuation devices with the following exceptions:
the turbine impulse chamber pressure input used in the permissive logic of the AMSAC, and
the reference leg temperature compensation circuits (including transmitter inputs) for the steam generator level signals.
WCAP-8892A addresses the Westinghouse analog protection cabinet isolation, encompassing the existing isolation amplifier in the turbine impulse chamber pressure circuit (Sections 7.1.2.2.1 and 7.7.2.1). Similar isolation is provided between the safety related (RTS/ESFAS) and non-safety related (AMSAC) analog inputs from steam generator narrow range level channels. Isolation relays are provided to isolate the nonsafety AMSAC circuitry from the safety-related actuation circuits of the AFW system. These isolation relays have been tested in a manner consistent with Nuclear Regulatory Commission (NRC) requirements for Class 1E qualified isolation devices (Section 8.3.1.5).
7.8.2.5 Physical Separation from the RTS and ESFAS. Because the AMSAC is nonsafety-related, it is included in separation group N (Section 8.3.1.4). Separation criteria of Section 8.3.1.4 are used to separate the AMSAC from the safety-related circuits of the RTS, ESFAS, and safety-related components.
7.8.2.6 Environmental Qualification. Equipment related to the AMSAC is designed to operate under conditions resulting from anticipated operational occurrences for the respective equipment location (Section 3.11).
7.8.2.7 Seismic Qualification. Seismic qualification is not required for the AMSAC. Thus, the system has been classified as non-seismic Category I.
7.8.2.8 Test, Maintenance, and Surveillance Quality Assurance. NRC Generic Letter 85-06, "Quality Assurance Guidance for ATWS Equipment That Is Not Safety-Related," requires quality assurance procedures commensurate with the nonsafety-related classification of the AMSAC. The quality controls for the AMSAC are, at a minimum, consistent with existing plant procedures or practices for nonsafety-related equipment.
Design of the AMSAC followed established procedures relating to equipment procurement, document control, and specification of system components, materials, and services. In addition, specifications also define quality assurance practices for inspections, examinations, storage, shipping, and tests as appropriate to a specific item or service.
A computer software verification program and a firmware validation program have been implemented commensurate with the nonsafety-related classification of the AMSAC to ensure that the system design requirements implemented with the use of software have been properly implemented and to ensure compliance with the system functional, performance, and interface requirements.
System testing is completed prior to the installation and operation of the AMSAC, as part of the normal factory acceptance testing and the validation program. Periodic testing is performed both automatically, through use of the system automatic self-checking capability, and manually, under administrative control via the AMSAC test/maintenance panel.
7.8.2.9 Power Supply. Power to the AMSAC is from a battery-backed, non-Class 1E vital bus independent of the power supplies for the RTS and ESFAS. The station battery supplying power to the AMSAC is independent of those used for the RTS and ESFAS. The AMSAC is an energize-to-actuate system capable of performing its mitigative functions with a loss of offsite power. The Class 1E portion of each isolation device is powered by Class 1E power.
7.8.2.10 Testability at Power. The AMSAC is testable at power. This testing is done via the system test/maintenance panel. The capability of the AMSAC to perform its mitigative actuations is bypassed at a system level while in the test mode. Total system testing is performed as a set of three sequential, partial, overlapping tests. The first of the tests checks the analog input portions of the AMSAC in order to verify accuracy. Each of the analog input modules is checked separately. The second test checks each of the ALPs to verify that the appropriate coincidence logic is sent to the majority voter. Each ALP is tested separately. The last test exercises the majority voter and the integrity of the associated output relays. The majority voter and associated output relays are tested by exercising all possible input combinations to the majority voter. The integrity of each of the output relays is checked by confirming continuity of the relay coils without operating the relays. The capability to individually operate the output relays, confirm integrity of the associated field wiring, and operate the corresponding isolation relays and final actuation devices at plant shutdown is provided.
7.8.2.11 Inadvertent Actuation. The AMSAC has been designed such that the frequency of inadvertent actuations is minimized. This high reliability is ensured through use of three redundant ALPs and a majority voting module. A single failure in any of these modules will not result in a spurious AMSAC actuation. In addition, a three-out-of-four low steam generator level coincidence logic and a predetermined actuation time delay have been selected to further minimize the potential for inadvertent actuations.
7.8.2.12 Maintenance Bypasses. The AMSAC is blocked at the system level during maintenance, repair, calibration, or test. While the system is blocked, the bypass condition is continuously indicated by the ERFDADS computer.
7.8.2.13 Operating Bypasses. The AMSAC has been designed to allow for operational bypasses with the inclusion of the C-20 permissive. Above the C-20 setpoint, the AMSAC is automatically unblocked (i.e., armed); below the setpoint, the system is automatically blocked.
Justification for the C-20 setpoint was provided by the Westinghouse owners group via Reference 7.8-2. The operating status of the AMSAC is continuously indicated in the main control room via an annunciator window and the ERFDADS computer. CN-3063
7.8.2.14 Indication of Bypasses. Whenever the mitigative capabilities of the AMSAC are bypassed or deliberately rendered inoperable, this condition is continuously indicated in the main control room. In addition to the operating bypass, any manual maintenance bypass is indicated via the AMSAC general warning sent to the ERFDADS computer.
7.8.2.15 Means for Bypassing. A system bypass selector switch permanently installed in QDPS RPU N is provided to bypass the system. This is a two-position selector switch with NORMAL and BYPASS positions. At no time is it necessary to use any temporary means, such as installing jumpers or pulling fuses, to bypass the system.
7.8.2.16 Completion of Mitigative Actions Once Initiated. The AMSAC mitigative actions go to completion as long as the coincidence logic is satisfied and the time delay requirements are met. If the level in the steam generators increases above the low level setpoint before the timer expires, then the coincidence logic will no longer be satisfied and the actuation signal disappears. If the coincidence logic conditions are maintained for the duration of the time delay, then the mitigative actions go to completion. The AFW initiation signal is latched in at the component actuating devices and the turbine trip is latched at the turbine electrohydraulic control system. Deliberate operator action is then necessary to terminate AFW flow, clear the turbine trip signal using the main control board turbine trip reset switch, and proceed with the reopening of the turbine stop valves.
7.8.2.17 Manual Initiation. Manual initiation of AMSAC at the system level is not required. The capability to initiate AMSAC mitigative functions manually (i.e., initiate AFW, trip the turbine, and isolate SG blowdown and sampling lines) exists at the main control board.
7.8.2.18 Information Readout. The AMSAC has been designed such that the operating and maintenance staffs have accurate, complete and timely information pertinent to the status of the AMSAC. A system level general warning alarm is indicated in the control room. Diagnostic capability exists from the test/maintenance panel to determine the cause of any unanticipated inoperability or deviation.
====7.8.3 Compliance with Standards and Design Criteria====
The AMSAC meets the applicable requirements of 10 CFR 50.62 and the quality assurance requirements of NRC Generic Letter 85-06.
REFERENCES Section 7.8:
7.8-1 Adler, M. R., "AMSAC Generic Design Package," WCAP-10858-P-A, June 1985.
7.8-2 Adler, M. R., "AMSAC Generic Design Package," WCAP-10858-P-A, Addendum 1, February 1987, submitted by WOG letter OG-87-10, dated February 26, 1987.
7.8-3 Adler, M. R., "AMSAC Generic Design Package," WCAP-10858-P-A, Revision 1, July 1987, submitted by WOG letter OG-87-35, dated August 3, 1987.
7.8-4 NRC Regulatory Issue Summary 2005-20, "Revision to the Guidance Formerly Contained in NRC Generic Letter 91-18, Information to Licensees Regarding Two NRC Inspection Manual Sections on Resolution of Degraded and Nonconforming Conditions and on Operability," September 26, 2005.
STPEGS UFSAR 7A-1 Revision 18
APPENDIX 7A POST TMI REQUIREMENTS RESPONSES TO NUREG-0737 CLARIFICATION OF TMI ACTION PLAN REQUIREMENTS
INTRODUCTION
This Appendix describes the compliance by the South Texas Project Electric Generating Station (STPEGS) with the "TMI Action Plan Requirements for Applicants for an Operating License" as identified in Enclosure 2 of NUREG-0737. The item numbers contained within this Appendix correspond to the item numbers identified in NUREG-0737. The format of each TMI Action Item response consists of the following divisions:
Position
This section consists of a statement of the Nuclear Regulatory Commission (NRC) position relative to a given item as stated in the indicated reference document. Usually this position statement is taken directly from NUREG-0737. Where the specific requirements are only referred to and are not restated in the text of NUREG-0737, reference is made to another NRC document in which the requirements were promulgated.
Clarification
This section contains a summary of clarifications to the original position as provided by the NRC.
STPEGS Response
This section provides a synopsis of the STPEGS response to each TMI Action Item. A brief description of the design features providing the STPEGS compliance is presented. References to the text of the Updated Final Safety Analysis Report (UFSAR) are made as applicable.
I.A.1.1  SHIFT TECHNICAL ADVISOR
Position
Each licensee shall provide an on-shift technical advisor to the shift manager. The shift technical advisor (STA) may serve more than one unit at a multi-unit site if qualified to perform the advisor function for the various units.
The STA shall have a bachelor's degree or equivalent in a scientific or engineering discipline and have received specific training in the response and analysis of the plant for transients and accidents.
The STA shall also receive training in plant design and layout, including the capabilities of instrumentation and controls in the control room. The licensee shall assign normal duties to the STAs that pertain to the engineering aspects of assuring safe operations of the plant, including the review and evaluation of operating experience.
Clarification
The letter of October 20, 1979 clarified the short-term STA requirements. That letter indicated that the STAs must have completed all training by January 1, 1981. This paper confirms these requirements and requests additional information.
The need for the STA position may be eliminated when the qualifications of the shift managers and senior operators have been upgraded and the man-machine interface in the control room has been acceptably upgraded. However, until those long-term improvements are attained, the need for an STA program will continue.
The staff has not yet established the detailed elements of the academic and training requirements of the STA beyond the guidance given in its October 30, 1979 letter. In addition, the staff has made no decision on the level of upgrading required for licensed operating personnel and the man-machine interface in the control room that would be acceptable for eliminating the need of an STA. Until these requirements for eliminating the STA position have been established, the staff continues to require that, in addition to the staffing requirements specified in its July 31, 1980 letter (as revised by item I.A.1.3 of this enclosure), an STA be available for duty on each operating shift when a plant is being operated in Modes 1-4 for a pressurized water reactor (PWR) and Modes 1-3 for a boiling water reactor (BWR). At other times, an STA is not required to be on duty.
Since the October 30, 1979 letter was issued, several efforts have been made to establish, for the longer term, the minimum level of experience, education, and training for STAs. These efforts include work on the revision to American Nuclear Society (ANS) 3.1, work by the Institute of Nuclear Power Operations (INPO), and internal staff efforts.
INPO recently made available a document titled "Nuclear Power Plant Shift Technical Advisor--Recommendations for Position Description, Qualifications, Education and Training". A copy of Revision 0 of this document, dated April 30, 1980, is attached as Appendix C. Sections 5 and 6 of the INPO document describe the education, training, and experience requirements for STAs. The NRC staff finds that the descriptions as set forth in Sections 5 and 6 of Revision 0 to the INPO document are an acceptable approach for the selection and training of personnel to staff the STA positions. [Note: This should not be interpreted to mean that this is an NRC requirement at this time. The intent is to refer to the INPO document as acceptable for interim guidance for a utility in planning its STA program over the long term (i.e., beyond the January 1, 1981 requirement to have STAs in place in accordance with the qualification requirements specified in the staff's October 30, 1979 letter)].
No later than January 1, 1981, all licensees of operating reactors shall provide this office with a description of their STA training program and their plans for requalification training. This description shall indicate the level of training attained by STAs by January 1, 1981 and demonstrate conformance with the qualification and training requirements in the October 30, 1979 letter. Applicants for operating licenses shall provide the same information in their application, or amendments thereto, on a schedule consistent with the NRC licensing review schedule.
No later than January 1, 1981, all licensees of operating reactors shall provide this office with a description of their long-term STA program, including qualification, selection criteria, training plans, and plans, if any, for the eventual phaseout of the STA program. (Note: The description shall include a comparison of the licensee/applicant program with the above-mentioned INPO document. This request solicits industry views to assist NRC in establishing long-term improvements in the STA program. Applicants for operating licenses shall provide the same information in their application, or amendments thereto, on a schedule consistent with the NRC licensing review schedule.)
STPEGS Response
The South Texas Project Electric Generating Station (STPEGS) provides engineering and accident assessment expertise on shift by meeting the qualifications specified by Generic Letter 86-04, "The Commission Policy Statement on Engineering Expertise on Shift." Candidates for the STA position are considered based upon an acceptable combination of education and experience. With respect to the educational requirements, candidates will possess a bachelor's degree in a scientific or engineering discipline or equivalent. Candidates for the STA position shall possess an overall knowledge of the plant. Necessary training will be provided in accordance with the guidelines presented by the INPO document titled "Nuclear Power Plant Shift Technical Advisor--Recommendations for Position Description, Qualifications, Education, and Training". On an annual basis, the STAs are required to successfully complete STA requalification training in order to continue to function as an STA.
A waiver for any portion of the above training and education requirements may be granted on a case-by-case basis. Training waivers will be considered when a candidate has documented accredited college courses or can demonstrate an acceptable level of knowledge through comprehensive examinations in the specific area to be waived.
Individuals not actively performing the STA functions or activities that keep the individual cognizant of plant conditions (at least three shifts per quarter), shall receive training sufficient to ensure cognizance of facility and procedure changes that occurred during the absence.
STPEGS UFSAR 7A-4 Revision 18
I.A.1.2 SHIFT MANAGER RESPONSIBILITIES
Position Description:
The objective is to increase the shift manager's attention to his command function by minimizing ancillary responsibilities. The Office of Nuclear Reactor Regulation (NRR) has required that all operating plant licensees review the administrative duties of the shift manager. The review should be performed by the senior officer at each utility who is responsible for plant operations.
Administrative functions that detract from or are subordinate to the management responsibility for assuring the safe operation of the plant are to be delegated to other operations personnel not on duty in the control room. The same requirement will be imposed by the licensing review staff on all operating license applicants.
Clarification
NUREG-0737 does not provide a clarification of this section.
STPEGS Response
For the STPEGS position on this item see Section 13.1.2.2.2.
I.A.1.3 SHIFT MANNING
Position
This position defines shift manning requirements for normal operation. The letter of July 31, 1980 from D. G. Eisenhut to all power reactor licensees and applicants (copy attached) sets forth the interim criteria for shift staffing (to be effective pending general criteria that will be the subject of future rulemaking). Overtime restrictions were also included in the July 31, 1980 letter.
Clarification
Page 3 of the July 31, 1980 letter is superseded in its entirety by the following:
Licensees of operating plants and applicants for operating licenses shall include in their administrative procedures (required by license conditions) provisions governing required shift staffing and movement of key individuals about the plant. These provisions are required to assure that qualified plant personnel to man the operational shifts are readily available in the event of an abnormal or emergency situation.
These administrative procedures shall also set forth a policy, the objective of which is to operate the plant with the required staff and develop working schedules such that use of overtime is avoided, to the extent practicable, for the plant staff who perform safety-related functions (e.g., senior reactor operators, reactor operators, health physicists, auxiliary operators, instrumentation and controls [I&C] technicians and key maintenance personnel).
Inspection and Enforcement (IE) Circular No. 80-02, "Nuclear Power Plant Staff Work Hours", dated February 1, 1980 (copy attached) discusses the concern of overtime work for members of the plant staff who perform safety-related functions.
The Staff recognizes that there are diverse opinions on the amount of overtime that would be considered permissible and that there is a lack of hard data on the effects of overtime beyond the generally recognized normal 8-hour working day, the effects of shift rotation, and other factors. NRC has initiated studies in this area.
Until a firmer basis is developed on working hours, the administrative procedures shall include, as an interim measure, the following guidance, which generally follows that of IE Circular No. 80-02. Shift manning working hours and overtime are governed by 10CFR26, "Fitness for Duty Programs," Subpart I, "Managing Fatigue." NRC encourages the development of a staffing policy that would permit the licensed reactor operators and senior reactor operators to be periodically assigned to other duties away from the control board during their normal tours of duty.
If a reactor operator is required to work in excess of 8 continuous hours, he shall be periodically relieved of primary duties at the control board, such that periods of duty at the board do not exceed about 4 hours at a time.
CN-2966 HISTORICAL INFORMATION
Operating license applicants shall complete these administrative procedures before fuel loading. Development and implementation of the administrative procedures at operating plants will be reviewed by the Office of Inspection and Enforcement beginning 90 days after July 31, 1980.
See Section III.A.1.2 for minimum staffing and augment capabilities for emergencies.
STPEGS Response
For the STPEGS position on this item, see Section 13.5.1.3, part 1 (g).
I.A.2.1 IMMEDIATE UPGRADING OF REACTOR OPERATOR AND SENIOR REACTOR OPERATOR TRAINING AND QUALIFICATIONS
Position
Effective December 1, 1980, an applicant for an SRO license will be required to have been a licensed operator for 1 year.
Clarification
Applicants for SRO either come through the operations chain (C operator to B operator to A operator, etc.) or are degree-holding staff engineers who obtain licenses for backup purposes.
In the past, many individuals who came through the operator ranks were administered SRO examinations without first being an operator. This was clearly a poor practice and the letter of March 28, 1980 requires reactor operator experience for SRO applicants.
However, NRC does not wish to discourage staff engineers from becoming licensed SROs. This effort is encouraged because it forces engineers to broaden their knowledge about the plant and its operation.
In addition, in order to attract degree-holding engineers to consider the shift manager's job as part of their career development, NRC should provide an alternate path to holding an operator's license for 1 year. The track followed by a high-school graduate (a nondegreed individual) to become an SRO would be 4 years as a control room operator, at least one of which would be as a licensed operator, and participation in an SRO training program that includes 3 months on shift as an extra person.
The track followed by a degree-holding engineer would be, at a minimum, 2 years of responsible nuclear power plant experience as a staff engineer, participation in an SRO training program equivalent to a cold applicant training program, and 3 months on shift as an extra person in training for an SRO position.
Holding these positions assures that individuals who will direct the licensed activities of licensed operators have had the necessary combination of education, training, and actual operating experience prior to assuming a supervisory role at that facility.
The staff realizes that the necessary knowledge and experience can be gained in a variety of ways. Consequently, credit for equivalent experience should be given to applicants for SRO licenses.
Applicants for SRO licenses at a facility may obtain their 1-year operating experience in a licensed capacity (operator or senior operator) at another nuclear power plant. In addition, actual operating experience in a position that is equivalent to a licensed operator or senior operator at military propulsion reactors will be acceptable on a one-to-one basis. Individual applicants must document this experience in their individual applications in sufficient detail so that the staff can make a finding regarding equivalency. Applicants for SRO licenses who possess a degree in engineering or applicable sciences are deemed to meet the above requirement, provided they meet the requirements set forth in sections A.1.a and A.2 in enclosure 1 in the letter from H. R. Denton to all power reactor applicants and licensees, dated March 28, 1980, and have participated in a training program equivalent to that of a cold senior operator applicant.
NRC has not imposed the 1-year experience requirement on cold applicants for SRO licenses. Cold applicants are to work on a facility not yet in operation; their training programs are designed to supply the equivalent of the experience not available to them.
STPEGS Response
Section 13.2 covers requirements for SROs.
I.A.2.3 ADMINISTRATION OF TRAINING PROGRAMS
Position
Pending accreditation of training institutions, licensees and applicants for operating licenses will assure that training center and facility instructors who teach systems, integrated responses, transient, and simulator courses demonstrate SRO qualifications and be enrolled in appropriate requalification programs.
Clarification
The above position is a short-term position. In the future, accreditation of training institutions will include review of the procedure for certification of instructors. The certification of instructors may, or may not, include successful completion of an SRO examination.
The purpose of the examination is to provide NRC with reasonable assurance, during the interim period, that instructors are technically competent.
The requirement is directed to permanent members of training staff who teach the subjects listed above, including members of other organizations who routinely conduct training at the facility. There is no intention to require guest lecturers who are experts in particular subjects (reactor theory, instrumentation, thermodynamics, health physics, chemistry, etc.) to successfully complete an SRO examination. Nor is it intended to require a system expert, such as the instrument and control supervisor teaching the control rod drive system, to sit for an SRO examination.
STPEGS Response
This item is covered in Section 13.2.1.1.5.
I.A.3.1 REVISE SCOPE AND CRITERIA FOR LICENSING EXAMINATIONS-SIMULATOR EXAMS (ITEMS 3)
Position
Simulator examinations will be included as part of the licensing examinations.
Clarification
The clarification does not alter the staff's position regarding simulator examinations.
The clarification does provide additional preparation time for utility companies and NRC to meet examination requirements as stated. A study is under way to consider how similar a nonidentical simulator should be for a valid examination. In addition, present simulators are fully booked months in advance.
Application of this requirement was stated on June 1, 1980 to applicants where a simulator is located at the facility. Starting October 1, 1981, simulator examinations will be conducted for applicants of facilities that do not have simulators at the site.
NRC simulator examinations normally require 2 to 3 hours. Normally, two applicants are examined during this time period by two examiners.
Utility companies should make the necessary arrangements with an appropriate simulator training center to provide time for these examinations. Preferably, these examinations should be scheduled consecutively with the balance of the examination. However, they may be scheduled no sooner than 2 weeks prior to and no later than 2 weeks after the balance of the examination.
STPEGS Response
A plant-specific simulator has been procured for STPEGS. This facility is available for licensing examinations.
I.B.1.2 INDEPENDENT SAFETY ENGINEERING GROUP
Position
Each applicant for an operating license shall establish an onsite Independent Safety Engineering Group (ISEG) to perform independent reviews of plant operations.
The principal function of the ISEG is to examine plant operating characteristics, NRC issuances, Licensing Information Service advisories, and other appropriate sources of plant design and operating experience information that may indicate areas for improving plant safety. The ISEG is to perform independent review problems, and operational analysis, and aid in the establishment of programmatic requirements for plant activities. Where useful improvements can be achieved, it is expected that this group will develop and present detailed recommendations to corporate management for such things as revised procedures or equipment modifications.
Another function of the ISEG is to maintain surveillance of plant operations and maintenance activities to provide independent verification that these activities are performed correctly and that human errors are reduced as far as practicable. ISEG will then be in a position to advise utility management on the overall quality and safety of operations. ISEG need not perform detailed audits of plant operations and shall not be responsible for sign-off functions such that it becomes involved in the operating organization.
Clarification
The new ISEG shall not replace the plant operations review committee (PORC) and the utility's independent review and audit group as specified by current staff guidelines (Standard Review Plan, Regulatory Guide [RG] 1.33, Standard Technical Specifications). Rather, it is an additional independent group of a minimum of 5 dedicated, full-time engineers, located onsite, but reporting offsite to a corporate official who holds a high-level, technically oriented position that is not in the management chain for power production. The ISEG will increase the available technical expertise located onsite and will provide continuing, systematic, and independent assessment of plant activities. Integrating the STAs into the ISEG in some way would be desirable in that it could enhance the group's contact with and knowledge of day-to-day plant operations and provide additional expertise. However, the STA on shift is necessarily a member of the operating staff and cannot be independent of it. It is expected that the ISEG may interface with the quality assurance (QA) organization, but preferably should not be an integral part of the QA organization.
The functions of the ISEG require daily contact with the operating personnel and continued access to plant facilities and records. The ISEG review functions can, therefore, best be carried out by a group physically located onsite. However, for utilities with multiple sites, it may be possible to perform portions of the independent safety assessment function in a centralized location for all the utility's plants. In such cases, an onsite group still is required, but it may be slightly smaller than would be the case if it were performing the entire independent safety assessment function. Such cases will be reviewed on a case-by-case basis. At this time, the requirement for establishing an ISEG is being applied only to applicants for operating licenses in accordance with Action Plan item I.B.1.2. The staff intends to review this activity in about a year to determine its effectiveness and to see whether changes are required. Applicability to operating plants will be considered in implementing long-term improvements in organization and management for operating plants (Action Plan item I.B.1.1).
STPEGS Response
STPEGS does not maintain an Independent Safety Engineering Group. See the Operations Quality Assurance Plan, Chapter 16, for implementation of these activities.
I.C.1 GUIDANCE FOR THE EVALUATION AND DEVELOPMENT OF PROCEDURES FOR TRANSIENTS AND ACCIDENTS
Position
In letters of September 13 and 27, October 10 and 30, and November 9, 1979, the Office of Nuclear Reactor Regulation required licensees of operating plants, applicants for operating licenses and licensees of plants under construction to perform analyses of transients and accidents, prepare emergency procedure guidelines, upgrade emergency procedures, including procedures for operating with natural circulation conditions, and to conduct operator retraining (see also item I.A.2.1).
Emergency procedures are required to be consistent with the actions necessary to cope with the transients and accidents analyzed. Analyses of transients and accidents were to be completed in early 1980 and implementation of procedures and retraining were to be completed 3 months after emergency procedure guidelines were established; however, some difficulty in completing these requirements has been experienced. Clarification of the scope of the task and appropriate schedule revisions are being developed. In the course of review of these matters on Babcock and Wilcox (B&W)-designed plants, the staff will follow up on the bulletin and orders matters relating to analysis methods and results, as listed in NUREG-0660, Appendix C (see Table C.1, items 3, 4, 16, 18, 24, 25, 26, 27; Table C.2, items 4, 12, 17, 18, 19, 20; and Table C.3, items 6, 35, 37, 38, 39, 4, 47, 55, 57).
Clarification
The letters of September 13 and 27, October 10 and 30, and November 9, 1979, required that procedures and operator training be developed for transients and accidents. The initiating events to be considered should include the events presented in the UFSAR loss of instrumentation buses, and natural phenomena such as earthquakes, floods, and tornadoes. The purpose of this paper is to clarify the requirements and add additional requirements for the reanalysis of transients and accidents and inadequate core cooling.
Based on staff reviews to date, there appear to be some recurring deficiencies in the guidelines being developed. Specifically, the staff has found a lack of justification for the approach used (i.e., symptom-, event-, or function-oriented) in developing diagnostic guidance for the operator and in procedural development. It has also been found that although the guidelines take implicit credit for operation of many systems or components, they do not address the availability of these systems under expected plant conditions nor do they address corrective or alternative actions that should be performed to mitigate the event should these systems or components fail.
The analyses conducted to date for guideline and procedure development contain insufficient information to assess the extent to which multiple failures are considered. NUREG-0578 concluded that the single-failure criterion was not considered appropriate for guideline development and called for the consideration of multiple failures and operator errors. Therefore, the analyses that support guideline and procedure development should consider the occurrences of multiple and consequential failures. In general, the sequence of events for the transients and accidents and inadequate core cooling analyzed should postulate multiple failures such that, if the failures were unmitigated, conditions of inadequate core cooling would result. Examples of multiple failure events include:
(1) Multiple tube ruptures in a single steam generator and tube rupture in more than one steam generator;
(2) Failure of main and auxiliary feedwater;
(3) Failure of high-pressure reactor coolant makeup system;
(4) An anticipated transient without scram (ATWS) event following a loss of offsite power, stuck-open relief valve or safety/relief valve, or loss of main feedwater; and
(5) Operator errors of omission or commission.
The analyses should be carried out far enough into the event to assure that all relevant thermal/hydraulic/neutronic phenomena are identified (e.g., upper head voiding due to rapid cooldown, steam generator stratification). Failures and operator errors during the long-term cooldown period should also be addressed.
The analyses should support development of guidelines that define a logical transition from the emergency procedures into the inadequate core cooling procedure, including the use of instrumentation to identify inadequate core cooling conditions. Rationale for this transition should be discussed. Additional information that should be submitted includes:
(1) A detailed description of the methodology used to develop the guidelines;
(2) Associated control function diagrams, sequence-of-event diagrams, or others, if used;
(3) The bases for multiple and consequential failure considerations;
(4) Supporting analysis, including a description of any computer codes used; and
(5) A description of the applicability of any generic results to plant-specific applications.
Owners' group or vendor submittals may be referenced as appropriate to support this reanalysis. If owners' group or vendor submittals have already been forwarded to the staff for review, a brief description of the submittals and justification of their adequacy to support guideline development is all that is required.
Pending staff approval of the revised analysis and guidelines, the staff will continue the pilot monitoring of emergency procedures described in Task Action Plan item I.C.8 (NUREG-0660). For PWRs, this will involve review of the loss of coolant, steam-generator-tube rupture, loss of main feedwater, and inadequate core cooling procedures. The adequacy of each PWR vendor's guidelines will be identified to each near-term operating license (NTOL) during the emergency-procedure review. Since the analysis and guidelines submitted by the General Electric Company (GE) owners' group that comply with the requirements stated above have been reviewed and approved for trial implementation on six plants with applications for operating licenses pending, the interim program for BWRs will consist of trial implementation on these six plants.
Following approval of analysis and guidelines and the pilot monitoring of emergency procedures, the staff will advise all licensees of the adequacy of the guidelines for application to their plants.
Consideration will be given to human factors engineering and system operational characteristics, such as information transfer under stress, compatibility with operator training and control room design, the time required for component and system response, clarity of procedural actions, and control room-personnel interactions. When this determination has been made by the staff, a long-term plan for emergency procedure review, as described in task action plan item I.C.9, will be made available. At that time, the reviews currently being conducted on NTOLs under item I.C.8 will be discontinued, and the review required for applicants for operation licenses will be as described in the long-term plan. Depending upon the information submitted to support development of emergency procedures for each reactor type or vendor, this transition may take place at different times. For example, if the GE guidelines are shown to be effective on the six plants chosen for pilot monitoring, the long-term plan for BWRs may be complete in early 1981. Operating plants and applicants will then have the option of implementing the long-term plan in a manner consistent with their operating schedule, provided they meet the final date required for implementation. This may require a plant that was reviewed for an operating license under item I.C.8 to revise its emergency procedures again prior to the final implementation date for Item I.C.9. The extent to which the long-term program will include review and approval of plant-specific procedures for operating plants has not been established. Our objective, however, is to minimize the amount of plant-specific procedure review and approval required. The staff believes this objective can be acceptably accomplished by concentrating the staff review and approval on generic guidelines. A key element in meeting this objective is the use of staff-approved generic guidelines and guideline revisions by licensees to develop procedures. For this approach to be effective, it is imperative that, once the staff has issued approval of a guideline, subsequent revisions of the guideline should not be implemented by licensees until reviewed and approved by the staff. Any changes in plant-specific procedures based on unapproved guidelines could constitute an unreviewed safety issue under 10 CFR 50.59. Deviations from this approach on a plant-specific basis would be acceptable provided the basis is submitted by the licensee for staff review and approval. In this case, deviations from generic guidelines should not be implementation of analysis and procedures for small-break loss-of-coolant accident and inadequate core cooling should remain on the schedule contained in NUREG-0578, Recommendation 2.1.9.
STPEGS Response
For the STPEGS position on this item, see Section 13.5.2.1, Part 4.
I.C.2 SHIFT AND RELIEF TURNOVER PROCEDURES
Position Description:
Licensees are to revise plant procedures for shift and relief turnover to ensure that each oncoming shift is made aware of critical plant status information and system availability.
Clarification
NUREG-0737 provided no clarification of this section.
STPEGS Response
For the STPEGS position on this item, see Section 13.5.1.3, part 1 (f).
I.C.3 SHIFT MANAGER RESPONSIBILITY
Position Description:
Licensees are to revise plant procedures to assure that duties, responsibilities, and authority of the shift manager and control room operators are properly defined.
Clarification
NUREG-0737 provided no clarification of this section.
STPEGS Response
For the STPEGS position on this item, see Section 13.5.1.3, part 1 (b).
I.C.4 CONTROL ROOM ACCESS
Position Description:
Licensees are to revise procedures to assure that instructions covering the authority and responsibilities of the person in charge of access and clear lines of authority and responsibility in the control room in the event of an emergency are established.
Clarification
NUREG-0737 provided no clarification of this section.
STPEGS Response
For the STPEGS position on this item, see Section 13.5.1.3, part 1 (h).
I.C.5 PROCEDURES FOR FEEDBACK OF OPERATING EXPERIENCE TO PLANT STAFF
Position
In accordance with Task Action Plan I.C.5, Procedures for Feedback of Operating Experience to Plant Staff (NUREG-0660), each applicant for an operating license shall prepare procedures to assure that operating information pertinent to plant safety originating both within and outside the utility organization is continually supplied to operators and other personnel and is incorporated into training and retraining programs. These procedures shall:
(1) Clearly identify organizational responsibilities for review of operating experience, the feedback of pertinent information to operators and other personnel, and the incorporation of such information into training and retraining programs;
(2) Identify the administrative and technical review steps necessary in translating recommendations by the operating experience assessment group into plant actions (e.g., changes to procedures; operating orders);
(3) Identify the recipients of various categories of information from operating experience (i.e., supervisory personnel, shift technical advisors, operators, maintenance personnel, health physics technicians) or otherwise provide means through which such information can be readily related to the job functions of the recipients;
(4) Provide means to assure that affected personnel become aware of and understand information of sufficient importance that should not wait for emphasis through routine training and retraining programs;
(5) Assure that plant personnel do not routinely receive extraneous and unimportant information on operating experience in such volume that it would obscure priority information or otherwise detract from overall job performance and proficiency;
(6) Provide suitable checks to assure that conflicting or contradictory information is not conveyed to operators and other personnel until resolution is reached; and,
(7) Provide periodic internal audit to assure that the feedback program functions effectively at all levels.
Clarification
Each utility shall carry out an operating experience assessment function that will involve utility personnel having collective competence in all areas important to plant safety. In connection with this assessment function, it is important that procedures exist to assure that important information on operating experience originating both within and outside the organization is continually provided to operators and other personnel and that it is incorporated into plant operating procedures and training and retraining programs.
Those involved in the assessment of operating experience will review information from a variety of sources. These include operating information from the licensee's own plant(s), publications such as IE Bulletins, Circulars, and Notices, and pertinent NRC or industrial assessments of operating experience. In some cases, information may be of sufficient importance that it must be dealt with promptly (through instructions, changes to operating and emergency procedures, issuance of special precautions, etc.) and must be handled in such a manner to assure that operations management personnel would be directly involved in the process. In many other cases, however, important information will become available which should be brought to the attention of operators and other personnel for their general information to assure continued safe plant operation. Since the total volume of information handled by the assessment group may be large, it is important that assurance be provided that high-priority matters are dealt with promptly and that discrimination is used in the feedback of other information so that personnel are not deluged with unimportant and extraneous information to the detriment of their overall proficiency. It is important, also, that technical reviews be conducted to preclude premature dissemination of conflicting or contradictory information.
STPEGS Response
For the STPEGS position on this item, see Section 13.5.1.3, part 1 (i).
I.C.6 GUIDANCE ON PROCEDURES FOR VERIFYING CORRECT PERFORMANCE OF OPERATING ACTIVITIES
Position
It is required (from NUREG-0660) that licensees' procedures be reviewed and revised, as necessary, to assure that an effective system of verifying the correct performance of operating activities is provided as a means of reducing human errors and improving the quality of normal operations. This will reduce the frequency of occurrence of situations that could result in or contribute to accidents.
Such a verification system may include automatic system status monitoring, human verification of operations and maintenance activities independent of the people performing the activity (see NUREG-0585, Recommendation 5), or both.
Implementation of automatic status monitoring, if required, will reduce the extent of human verification of operations and maintenance activities but will not eliminate the need for such verification in all instances. The procedures adopted by the licensees may consist of two phases
--one before and one after installation of automatic status monitoring equipment, if required, in accordance with item I.D.3.
Clarification Item I.C.6 of the U.S. Nuclear Regulator Commission Task Action Plan (NUREG
-0660) and Recommendation 5 of NUREG
-0585 propose requiring that licensees' procedures be reviewed and revised, as necessary, to assure that an effective system of verifying the correct performance of operating activities is provided. An acceptable program for verification of operating activities is described below.
The ANS has prepared a draft revision to American National Standards Institute (ANSI) Standard N18.7-1972 (ANS 3.2) "Administrative Controls and Quality Assurance for the Operational Phase of Nuclear Power Plants". A second proposed revision to RG 1.33., "Quality Assurance Program Requirements (Operation)", which is to be issued for public comment in the near future, will endorse the latest draft revision to ANS 3.2 subject to the following supplemental provisions:
(1) Applicability of the guidance of Section 5.2.6 should be extended to cover surveillance testing in addition to maintenance.
(2) In lieu of any designated SRO, the authority to release systems and equipment for maintenance or surveillance testing or return-to-service may be delegated to an on-shift SRO, provided provisions are made to ensure that the shift manager is kept fully informed of system status.
(3) Except in cases of significant radiation exposure, a second qualified person should verify correct implementation of equipment control measures such as tagging of equipment.
(4) Equipment control procedures should include assurance that control room operators are informed of changes in equipment status and the effects of such changes.
(5) For the return-to-service of equipment important to safety, a second qualified operator should verify proper systems alignment unless functional testing can be performed without compromising plant safety, and can prove that all equipment, valves, and switches involved in the activity are correctly aligned.
NOTE: A licensed operator possessing knowledge of the system involved and the relationship of the systems to plant safety would be a "qualified" person. The staff is investigating the level of qualification necessary for other operators to perform these functions.
For plants that have or will have automatic system status monitoring as discussed in Task Action Plan item I.D.3, NUREG-0660, the extent of human verification of operations and maintenance activities will be reduced. However, the need for such verification will not be eliminated in all instances.
STPEGS Response
For STPEGS position on this item, see Section 13.5.1.3, part 1 (j).
I.C.7 NUCLEAR STEAM SUPPLY SYSTEM (NSSS) VENDOR REVIEW OF PROCEDURES
Position
== Description:==
Operating license applicants are required to obtain reactor vendor review of their low-power, power-ascension and emergency procedures as a further verification of the adequacy of the procedures.
Clarification
NUREG-0737 does not provide a clarification of this section.
STPEGS Response
STPEGS is committed to base Emergency Operating Procedures on the NRC-approved Westinghouse Emergency Response Guidelines (ERGs) as discussed in Section 13.5.2.1. Based on this commitment, vendor review of the Emergency Operating Procedures is not necessary.
STPEGS obtained reactor vendor review of pertinent low-power and power-ascension and emergency procedures as a further verification of the adequacy of the procedures.
I.C.8 PILOT MONITORING OF SELECTED EMERGENCY PROCEDURES FOR NEAR-TERM OPERATING LICENSE APPLICANTS
Position
== Description:==
Licensees will be required to correct any deficiencies identified before full-power operation.
Clarification
NUREG-0737 does not provide a clarification of this section.
STPEGS Response
For the STPEGS position on this item, see Section 13.5.2.1, part 4.
I.D.1 CONTROL ROOM DESIGN REVIEWS
Position
In accordance with Task Action Plan I.D.1, Control Room Design Reviews (NUREG-0660), all licensees and applicants for operating licenses will be required to conduct a detailed control room design review (CRDR) to identify and correct design deficiencies. This detailed control room design review is expected to take about a year. Therefore, NRR requires that those applicants for operating licenses who are unable to complete this review prior to issuance of a license make preliminary assessments of their control rooms to identify significant human factors and instrumentation problems and establish a schedule approved by NRC for correcting deficiencies. These applicants will be required to complete the more detailed control room reviews on the same schedule as licensees with operating plants.
Clarification
NRR is presently developing human engineering guidelines to assist each licensee and applicant in performing detailed control room review. A draft of the guidelines has been published for public comment as NUREG/CR-1580, "Human Engineering Guide to Control Room Evaluation". The due date for comments on this draft document was September 29, 1980. NRR will issue the final version of guidelines as NUREG-0700, by February 1981, after receiving, reviewing, and incorporating substantive public comments for operating reactor licensees, applicants for operating licenses, human factors engineering experts, and other interested parties. NRR will issue evaluation criteria, by July 1981, which will be used to judge the acceptability of the detailed reviews performed and the design modifications implemented.
Applicants for operating licenses who will be unable to complete the detailed control room design review prior to issuance of a license are required to perform a preliminary control room design assessment to identify significant human factors problems. Applicants will find it of value to refer to the draft document NUREG/CR-1580, "Human Engineering Guide to Control Room Evaluation", in performing the preliminary assessment. NRR will evaluate the applicants' preliminary assessments, including the performance by NRR of onsite review/audit. The NRR onsite review/audit will be on a schedule consistent with licensing needs and will emphasize the following aspects of the control room:
(1) The adequacy of information presented to the operator to reflect plant status for normal operation, anticipated operational occurrences, and accident conditions;
(2) The groupings of displays and the layout of panels;
(3) Improvements in the safety monitoring and human factors enhancement of controls and control displays;
(4) The communications from the control room to points outside the control room, such as the onsite technical support center, remote shutdown panel, offsite telephone lines, and to other areas within the plant for normal and emergency operation.
(5) The use of direct rather than derived signals for the presentation of process and safety information to the operator;
(6) The operability of the plant from the control room with multiple failures of nonsafety-grade and nonseismic systems;
(7) The adequacy of operating procedures and operator training with respect to limitations of instrumentation displays in the control room;
(8) The categorization of alarms, with unique definition of safety alarms.
(9) The physical location of the shift manager's office either adjacent to or within the control room complex.
Prior to the onsite review/audit, NRR will require a copy of the applicants' preliminary assessment and additional information which will be used in formulating the details of the onsite review/audit.
STPEGS Response
STPEGS has performed a CRDR in accordance with NUREG-0737 as augmented by Supplement 1 to NUREG-0737. This review is described in Section S.5 of this Appendix.
I.D.2 PLANT SAFETY PARAMETER DISPLAY CONSOLE
Position
In accordance with Task Action Plan I.D.2, Plant Safety Parameter Display Console (NUREG-0660), each applicant and licensee shall install a safety parameter display system (SPDS) that will display to operating personnel a minimum set of parameters which define the safety status of the plant. This can be attained through continuous indication of direct and derived variables as necessary to assess plant safety status.
Clarification
These requirements for the SPDS are being developed in NUREG-0696, which is scheduled for issuance in November 1980.
STPEGS Response
STPEGS has implemented a SPDS via the Emergency Response Facilities Data Acquisition and Display System (ERFDADS). The ERFDADS is further described in Section S.4 of Supplement 1 to this Appendix and Section 7.5.7.
I.G.1 TRAINING DURING LOW-POWER TESTING
Position
== Description:==
NRR will require new operating licensees to conduct a set of low-power tests to accomplish the objective. The set of tests will be determined on a case-by-case basis for the first few plants. Then NRR will develop acceptance criteria for low-power test programs to provide "hands on" training for plant evaluation and off-normal events for each operating shift. It is not expected that all tests will be required to be conducted by each operating shift. Observation by one shift of training of another shift may be acceptable. See also Table C.1, Item 4, 18, 26; and Table C.2, Item 11.
Clarification
NUREG-0737 does not provide a clarification of this section.
STPEGS Response
STPEGS complied with the requirements of this item as described in Chapter 14.2 and the response to Q640.21N.
II.B.1 REACTOR COOLANT SYSTEM VENTS
Position
Each applicant and licensee shall install reactor coolant system (RCS) and reactor vessel head high point vents remotely operated from the control room. Although the purpose of the system is to vent noncondensible gases from the RCS that may inhibit core cooling during natural circulation, the vents must not lead to an unacceptable increase in the probability of a loss-of-coolant accident (LOCA) or a challenge to Containment integrity. Since these vents form a part of the reactor coolant pressure boundary, the design of the vents shall conform to the requirements of Appendix A to 10CFR50, "General Design Criteria". The vent system shall be designed with sufficient redundancy that assures a low probability of inadvertent or irreversible actuation.
Each licensee shall provide the following information concerning the design and operation of the high point vent system:
(1) Submit a description of the design, location, size, and power supply for the vent system, along with the results of analyses for LOCA initiated by a break in the vent pipe. The results of the analyses should demonstrate compliance with the acceptance criteria of 10CFR50.46.
(2) Submit procedure and supporting analysis for operator use of the vents that also includes the information available to the operator for initiating or terminating vent usage.
Clarification
(A) General
(1) The important safety function enhanced by this venting capability is core cooling. For events beyond the present design basis, this venting capability will substantially increase the plant's ability to deal with large quantities of noncondensible gas which interferes with core cooling.
(2) Procedures addressing the use of the RCS vents should define the conditions under which the vents should be used, as well as the conditions under which the vents should not be used. The procedures should be directed toward achieving a substantial increase in the plant being able to maintain core cooling without loss of Containment integrity for events beyond the design basis. The use of vents for accidents within the normal design basis must not result in a violation of the requirements of 10CFR50.44 or 10CFR50.46.
(3) The size of the reactor coolant vents is not a critical issue. The desired venting capability can be achieved with vents in a fairly broad spectrum of sizes. The criteria for sizing a vent can be developed in several ways. One approach that may be considered is to specify a volume of noncondensible gas to be vented and in a specific venting time. For Containments particularly vulnerable to failure from large hydrogen releases over a short period of time, the necessity and desirability for contained venting outside the Containment must be considered (e.g., into a decay gas collection and storage system).
(4) Where practical the RCS vents should be kept smaller than the sizes corresponding to the definition of LOCA (10CFR50, Appendix A). This will minimize the challenges to the emergency core cooling system (ECCS) actuation, although it may result in leakage beyond technical specification limits. On PWRs the use of new or existing lines, whose smallest orifice is larger than the LOCA definition, will require a valve in series with a vent valve that can be closed from the control room to terminate the LOCA that would result if an open vent valve could not be reclosed.
(5) A positive indication of valve position would be provided in the control room.
(6) The reactor coolant vent system shall be operable from the control room.
(7) Since the RCS vent will be part of the RCS pressure boundary, all requirements for the reactor pressure boundary must be met, and, in addition, sufficient redundancy should be incorporated into the design to minimize the probability of an inadvertent actuation of the system. Administrative procedures may be a viable option to meet the single-failure criterion. For vents larger than the LOCA definition, an analysis is required to demonstrate compliance with 10CFR50.46.
(8) The probability of an opened vent path failing to close should be minimized; this is a new requirement. Each vent must have its power supplied from an emergency bus. A single-failure within its power and control aspects of the reactor coolant vent system should not prevent isolation of the entire vent system when required. On BWRs, block valves are not required in lines with safety valves that are used for venting.
(9) Vent paths from the primary system to within Containment should go to those areas that provide good mixing with Containment air.
(10) The reactor coolant vent system (i.e., vent valves, block valves, position indication devices, cable terminations, and piping) shall be seismically and environmentally qualified in accordance with IEEE 344-1975 as supplemented by RGs 1.100, 1.92, and SEP 3.92, 3.43, and 3.10. Environmental qualifications are in accordance with the May 23, 1980 Commission Order and Memorandum (CLI 21).
(11) Provisions to test for operability of the reactor coolant vent system should be a part of the design. Testing should be performed in accordance with subsection IVW of Section XI of the American Society of Mechanical Engineers (ASME) Code for Category B valves.
(12) It is important that the displays and controls added to the control room as a result of this requirement not increase the potential for operator error. A human factors analysis should be performed taking the following into consideration:
(a) The use of this information by an operator during both normal and abnormal plant conditions.
(b) The integration into emergency procedures.
(c) The integration into operator training.
(d) Other alarms during emergency and the need for prioritization of alarms.
(B) Boiling Water Reactor Design Consideration (Not applicable to STPEGS)
(C) PWR Vent Design Considerations
(1) Each PWR licensee should provide the capability to vent the reactor vessel head. The reactor vessel head vent should be capable of venting noncondensible gas from the reactor vessel hot legs (to the elevation of the top of the outlet nozzle) and cold legs (through head jets and other leakage paths).
(2) Additional venting capability is required for those portions of each hot leg that cannot be vented through the reactor vessel head vent or pressurizer. It is impractical to vent each of the many thousands of tubes in a U-tube steam generator; however, the staff believes that a procedure can be developed that assures sufficient liquid or steam can enter the U-tube region so that decay heat can be effectively removed from the RCS. Such operating procedures should incorporate this consideration.
(3) Venting of the pressurizer is required to assure its availability for system pressure and volume control. These are important considerations, especially during natural circulation.
STPEGS Response
The STPEGS design provides the capability of venting the RCS to ensure that, if noncondensible gases become present in the RCS, regardless of the means postulated for generation of such noncondensibles, gases can be vented from the system, thereby ensuring that the flow paths associated with natural circulation core cooling capability are maintained. The venting capability is provided by the pressurizer power-operated relief valves (PORVs) and their associated motor-operated isolation valves, which can be used for the venting of the pressurizer, and by the Reactor Vessel Head Vent System (RVHVS), which provides redundant venting capability of the reactor vessel, RCS hot leg piping, and RCS cold leg piping via bypass leakage paths to the vessel head. The design features of these systems are discussed below.
The capability for venting of the pressurizer and the reactor vessel head is provided via safety grade, Class 1E, environmentally qualified, seismic Category I systems, which meet the single failure criterion assuring both vent opening and vent closing capabilities.
The venting of the pressurizer is provided by redundant pathways each consisting of a solenoid-operated PORV and a motor-operated PORV isolation valve. The PORVs are normally closed, fail closed, solenoid valves that are energized to open. The PORV isolation valves are normally open.
The PORV isolation valve is closed by the operator should a PORV fail to close (see Appendix 7A, Item II.K.3.1). The pressurizer PORVs are described in further detail in Section 5.4.13 and the PORV isolation valves in Section 5.4.12.
The venting of the reactor vessel head is provided by redundant, parallel pathways, each consisting of two normally closed, fail-closed, solenoid-actuated isolation valves, which are energized to open and are powered from the same safety train. The piping up to and including the isolation valves is designated Safety Class 1. Two parallel, energize-to-open, fail-closed solenoid throttling valves are provided downstream of the isolation valves. The solenoid throttling valves are powered from the same safety trains as the solenoid vent valves. The throttling valves are controlled using the Qualified Display Processing System (QDPS), described in Section 7.5.6. The RVHVS is described in further detail in Section 5.4.15.
The design of the RCS venting systems, as described above, minimizes the probability of an inadvertent opening and the consequence of such an opening. Valves are provided in series to terminate a LOCA that could result if an open valve could not be reclosed. Postulated piping failures in the RCS venting systems are enveloped by the analyses of Section 15.6.
The pressurizer PORVs and RVHVS discharge to the pressurizer relief tank (PRT). Small amounts of gas can be vented to the PRT without being released to the Containment atmosphere. Post-accident, larger volumes of gas would be vented to the Containment through the PRT rupture disk.
Position indication is provided in the control room for the pressurizer PORVs, PORV isolation valves, and the reactor vessel head vent isolation and throttling valves. The valves are remotely operable from the control room. A human factors analysis of the controls and displays was performed during the CRDR (See Appendix 7A, Supplement S.5).
The pressurizer PORVs, PORV isolation valves and the reactor vessel head vent isolation and throttling valves will be operability tested per ASME Code, Section XI (see Sections 5.4.12 and 5.4.13). The Westinghouse Owners Group (WOG) has developed ERGs that address RCS venting. The ERGs were used as guidance to develop the STPEGS procedures for RCS venting.
II.B.2 DESIGN REVIEW OF SHIELDING AND ENVIRONMENTAL QUALIFICATION OF EQUIPMENT FOR SPACES/SYSTEMS WHICH MAY BE USED IN POST-ACCIDENT OPERATIONS
Position
With the assumption of a post-accident release of radioactivity equivalent to that described in RGs 1.3 and 1.4 (i.e., the equivalent of 50 percent of the core radioiodine, 100 percent of the core noble gas inventory, and 1 percent of the core solids are contained in the primary coolant), each licensee shall perform a radiation and shielding-design review of the spaces around systems that may, as a result of an accident, contain highly radioactive materials. The design review should identify the location of vital areas and equipment, such as the control room, radwaste control stations, emergency power supplies, motor control centers, and instrument areas in which personnel occupancy may be unduly limited or safety equipment may be unduly degraded by the radiation fields during postaccident operations of these systems.
Each licensee shall provide for adequate access to vital areas and protection of safety equipment by design changes, increased permanent or temporary shielding, or post-accident procedural controls. The design review shall determine which types of corrective actions are needed for vital areas throughout the facility.
Clarification
The purpose of this item is to ensure that licensees examine their plants to determine what actions can be taken over the short-term to reduce radiation levels and increase the capability of operators to control and mitigate the consequences of an accident. These actions should be taken pending conclusions resulting in the long-term degraded core rulemaking, which may result in a need to consider additional sources.
Any area which will or may require occupancy to permit an operator to aid in the mitigation of or recovery from an accident is designated as a vital area. For the purposes of this evaluation, vital areas and equipment are not necessarily the same vital areas or equipment defined in 10 CFR 73.2 for security purposes. The security center is listed as an area to be considered as potentially vital, since access to this area may be necessary to take action to give access to other areas in the plant.
The control room, technical support center (TSC), sampling station and sample analysis area must be included among those areas where access is considered vital after an accident. (See Item III.A.1.2 for discussion of the TSC and emergency operations facility.) The evaluation to determine the necessary vital areas should also include, but not be limited to, consideration of the post-LOCA hydrogen control system, Containment isolation reset control area, manual ECCS alignment area (if any), motor control centers (MCCs), instrument panels, emergency power supplies, security center, and radwaste control panels. Dose rate determinations need not be for these areas if they are determined not to be vital.
As a minimum, necessary modifications must be sufficient to provide for vital system operation and for occupancy of the control room, TSC, sampling station, and sample analysis area.
In order to assure that personnel can perform necessary post-accident operations in the vital areas, the following guidance is to be used by licensees to evaluate the adequacy of radiation protection to the operators:
(1) Source Term
The minimum radioactive source term should be equivalent to the source terms recommended in RGs 1.3, 1.4, 1.7, and Standard Review Plan (SRP) 15.6.5 with appropriate decay times based on plant design (i.e., you may assume the radioactive decay that occurs before fission products can be transported to various systems).
(a) Liquid-Containing Systems: 100 percent of the core equilibrium noble gas inventory, 50 percent of the core equilibrium halogen inventory, and 1 percent of all others are assumed to be mixed in the reactor coolant and liquids recirculated by residual heat removal (RHR), high-pressure coolant injection (HPCI) and low-pressure coolant injection (LPCI), or the equivalent of these systems. In determining the source term for recirculated, depressurized cooling water, you may assume that the water contains no noble gases.
(b) Gas-Containing Systems: 100 percent of the core equilibrium noble gas inventory and 25 percent of the core equilibrium halogen activity are assumed to be mixed in the Containment atmosphere. For vapor-containing lines connected to the primary system (e.g., BWR steam lines), the concentration of radioactivity shall be determined assuming the activity is contained in the vapor space in the primary coolant system.
(2) Systems Containing the Source
Systems assumed in your analysis to contain high levels of radioactivity in a post-accident situation should include, but not be limited to, Containment, residual heat removal system (RHRS), safety injection systems (SIS), chemical and volume control system (CVCS), Containment spray recirculation system, sample lines, gaseous radwaste systems, and standby gas treatment systems (or equivalent of these systems). If any of these systems or others that could contain high levels of radioactivity were excluded, you should explain why such systems were excluded. Radiation from leakage of systems located outside of Containment need not be considered for this analysis. Leakage measurement and reduction is treated under Item III.D.1.1, "Integrity of Systems Outside Containment Likely To Contain Radioactive Material for PWRs and BWRs". Liquid waste systems need not be included in this analysis. Modifications to liquid waste systems will be considered after completion of Item III.D.1.4, "Radwaste System Design Features To Aid in Accident Recovery and Decontamination".
(3) Dose Rate Criteria
The design dose rate for personnel in a vital area should be such that the guidelines of GDC 19 will not be exceeded during the course of the accident. GDC 19 requires that adequate radiation protection be provided such that the dose to personnel should not be in excess of 5 rem whole body, or its equivalent to any part of the body for the duration of the accident. When determining the dose to an operator, care must be taken to determine the necessary occupancy times in a specific area. For example, areas requiring continuous occupancy will require much lower dose rates than areas where minimal occupancy is required. Therefore, allowable dose rates will be based upon expected occupancy, as well as the radioactive source terms and shielding. However, in order to provide a general design objective, we are providing the following dose rate criteria with alternatives to be documented on a case-by-case basis. The recommended dose rates are average rates in the area. Local hot spots may exceed the dose rate guidelines. These doses are design objectives and are not to be used to limit access in the event of an accident.
(a) Areas Requiring Continuous Occupancy: <15 mrem/hr (averaged over 30 days). These areas will require full-time occupancy during the course of the accident. The control room and onsite TSC are areas where continuous occupancy will be required. The dose rate for these areas is based on the control room occupancy factors contained in SRP 6.4.
(b) Areas Requiring Infrequent Access: GDC 19. These areas may require access on an irregular basis, not continuous occupancy. Shielding should be provided to allow access at a frequency and duration estimated by the licensee. The plant radiochemical/chemical analysis laboratory, radwaste panel, motor control center, instrumentation locations, and reactor coolant and Containment gas sample stations are examples of sites where occupancy may be needed often, but not continuously.
(4) Radiation Qualification of Safety-Related Equipment
The review of safety-related equipment which may be unduly degraded by radiation during post-accident operation of this equipment relates to equipment inside and outside of the primary Containment. Radiation source terms calculated to determine environmental qualification of safety-related equipment consider the following:
(a) LOCA events which completely depressurize the primary system should consider releases of the source term (100 percent noble gases, 50 percent iodines, and 1 percent particulates) to the Containment atmosphere.
(b) LOCA events in which the primary system may not depressurize should consider the source term (100 percent noble gases, 50 percent iodines, and 1 percent particulate) to remain in the primary coolant. This method is used to determine the qualification doses for equipment in close proximity to recirculating fluid systems inside and outside of Containment. Non-LOCA events both inside and outside of Containment should use 10 percent noble gases, 10 percent iodines, and 0 percent particulate as a source term.
STPEGS Position
A review of the post-accident radiation environment for both access and equipment qualification has been performed using the methodology and assumptions described below.
Source Terms
For analyses of post-accident radiation zones, the core inventory for STPEGS was generated using a 3-region core model (300, 600, 900 effective full-power days [EFPD]) with a conservative core power level of 4100 MWt. This core inventory was partitioned as follows (using TID-based source terms):
Airborne Source: 100 percent noble gas, 50 percent halogens
Liquid Source: 50 percent halogens, 1 percent solids
Each source was diluted by the appropriate dilution volume. In the airborne case this was the Containment net free volume, while in the liquid case it was the total liquid volume of the primary system, accumulators, and the available volume of the refueling water storage tank (RWST).
The airborne source was assumed to be instantaneously released and distributed throughout the Containment atmosphere. In the liquid case the source was decayed for a short period equal to the time required for recirculation to begin. It was assumed to be distributed in the Containment sump (no decay assumed), portions of the RHR, SI, and Containment Spray systems.
The 30-day integrated Control Room and Technical Support Center (TSC) doses were determined using the Alternate Source Term (AST) assumptions in RG 1.183.
Post-Accident Radiation Zones
Using the TID-based source terms described, radiation zone maps were generated for the Reactor Containment Building (RCB), Mechanical and Electrical Auxiliary Building (MEAB), Fuel Handling Building (FHB), and the Isolation Valve Cubicle (IVC). The resulting zone maps can be found in Section 12.3 (Figure 12.3.1-19 through 36) for the time t=0 after the accident.
(1) Continuous Occupancy
The areas requiring continuous occupancy, Control Room (Section 6.4) and the TSC, were found to have an average dose rate less than 15 mR/hr for the 30 days following the accident. The 30-day integrated doses were determined using the AST assumptions in RG 1.183 and found to be below GDC 19 limits (Table II.B.2-2).
(2) Infrequent Access
The infrequent access areas were reviewed in conjunction with the use of the post-accident radiation zones found in Section 12.3. Using these drawings, a review was made of the routes used to reach each area and the expected dose rates at each location were analyzed. Based on this review, each of the areas was found to be accessible from the control room. The area dose rate at various times, for each location, after the accident has been provided in Table II.B.2-2. In the event entry is required in these areas, due consideration is given to the dose rates expected and appropriate time limits for presence in the area are imposed to ensure that the doses received will not exceed GDC 19 limits.
An evaluation was performed to confirm that the use of the AST in RG 1.183 does not negatively impact the post-LOCA radiation zones or the vital area access doses. The revised Chapter 15 dose analyses using updated isotopic source terms and AST do result in a slight increase in vital area doses for the Steam Generator Tube Rupture Accident. However, the results remain within regulatory limits.
Radiation Qualification of Safety Related Equipment
The same TID-based source terms, described above, were employed in obtaining the post-accident qualification doses. (LOCA doses were found to bound the high energy line break (HELB) doses).
Further discussion and the results of the analysis can be found in Section 3.11.
Table II.B.2-1 summarizes these considerations.
TABLE 7.A.II.B.2-1
RADIATION SOURCE TERMS FOR ENVIRONMENTAL QUALIFICATION OF SAFETY-RELATED EQUIPMENT

Containment   LOCA Source Term                      Non-LOCA High Energy Line Break Source Term
              (Noble Gas/Iodine/Particulate)        (Noble Gas/Iodine/Particulate)
              Percent                               Percent
Outside       (100/50/1) in RCS                     (10/10/0) in RCS
Inside        Larger of (100/50/1) in Containment   (10/10/0) in RCS
              or (100/50/1) in RCS

TABLE 7.A.II.B.2-2
POST-ACCIDENT RADIATION LEVELS/DOSES

Continuous Occupancy Areas: 30 day Doses (Rem)
Control Room (See Tables in Chapter 15 for doses from individual accidents)
Technical Support Center (See Tables in Chapter 15 for doses from individual accidents)

Infrequent Access Areas:
UFSAR Figure                                      Dose Rate (R/Hr), Time after accident
Reference     Area                                1 hr          1 day         1 wk          1 month
12.3.1-36     Post-accident sample station        0.75          4.5 x 10^-2   1.1 x 10^-2   6 x 10^-4
12.3.1-27     Health Physics counting room        6 x 10^-3     3.6 x 10^-4   9 x 10^-5     4.8 x 10^-6
12.3.1-27     Radwaste counting room              3.1 x 10^-2   1.8 x 10^-3   4.6 x 10^-4   2.4 x 10^-5
12.3.1-28     Plant vent radiation monitor        4.74          0.28          7.1 x 10^-2   3.8 x 10^-3
12.3.1-25     Auxiliary shutdown panel            8 x 10^-4     4.8 x 10^-5   1.2 x 10^-5   6.4 x 10^-7

II.B.3 POST-ACCIDENT SAMPLING CAPABILITY
Position
A design and operational review of the reactor coolant and Containment atmosphere sample line systems shall be performed to determine the capability of personnel to promptly obtain (less than 1 hour) a sample under accident conditions without incurring a radiation exposure to any individual in excess of 3 and 18-3/4 rem to the whole body or extremities, respectively. Accident conditions should assume an RG 1.3 or 1.4 release of fission products. If the review indicates that personnel could not promptly and safely obtain the samples, additional design features or shielding should be provided to meet the criteria.
A design and operational review of the radiological spectrum analysis facilities shall be performed to determine the capability to promptly quantify (in less than 2 hours) certain radionuclides that are indicators of the degree of core damage. Such radionuclides are noble gases (which indicate cladding failure), iodines and cesiums (which indicate high fuel temperatures), and nonvolatile isotopes (which indicate fuel melting). The initial reactor coolant spectrum should correspond to an RG 1.3 or 1.4 release. The review should also consider the effects of direct radiation from piping and components in the auxiliary building and possible contamination and direct radiation from airborne effluents. If the review indicates that analyses required cannot be performed in a prompt manner with existing equipment, then design modifications or equipment procurement shall be undertaken to meet the criteria. In addition to the radiological analyses, certain chemical analyses are necessary for monitoring reactor conditions. Procedures shall be provided to perform boron and chloride chemical analyses assuming a highly radioactive initial sample (RG 1.3 or 1.4 source term). Both analyses shall be capable of being completed promptly (i.e., the boron sample analysis within an hour and the chloride sample within the shift).
Clarification
The following items are clarifications of requirements identified in NUREG-0578, NUREG-0660, or the September 13 and October 30, 1979 and December 27, 1983 clarification letters.
Criterion:
(1) The licensee shall have the capability to promptly obtain reactor coolant samples and Containment atmosphere samples. The combined time allotted for sampling and analysis should be 3 hours or less from the time a decision is made to take a sample.
Clarification:
Provide information on sampling(s) and analytical laboratories locations including a discussion of relative elevations, distances, and methods for sample transport. Responses to this item should also include a discussion of sample recirculation, sample handling and analytical times to demonstrate that the 3-hour time limit will be met (see (6) below relative to radiation exposure). Also describe provisions for sampling during loss of off-site power (i.e., designate an alternative backup power source, not necessarily the vital (Class 1E) bus, that can be energized in sufficient time to meet the 3-hour sampling and analysis time limit).
Criterion:
(2) The licensee shall establish an onsite radiological and chemical analysis capability to provide, within the 3-hour time frame established above, quantification of the following:
(a) certain radionuclides in the reactor coolant and Containment atmosphere that may be indicators of the degree of core damage (e.g., noble gases, iodines and cesiums, and nonvolatile isotopes);
(b) hydrogen levels in the Containment atmosphere;
(c) dissolved gases (e.g., H2), chloride (time allotted for analysis subject to discussion below), and boron concentration of liquids.
(d) Alternatively, have in-line monitoring capabilities to perform all or part of the above analyses.
Clarification:
2(a) A discussion of the counting equipment capabilities is needed, including provisions to handle samples and reduce background radiation to minimize personnel radiation exposures as low as is reasonably achievable (ALARA). Also a procedure is required for relating radionuclide concentrations to core damage. The procedure should include:
: 1. Monitoring for short- and long-lived volatile and nonvolatile radionuclides such as Xe-133, I-131, Cs-137, Cs-134, Kr-85, Ba-140 and Kr-88 (See Vol. II, Part 2, pp. 524-527 of Rogovin Report for further information).
: 2. Provisions to estimate the extent of core damage based on radionuclide concentrations and taking into consideration other physical parameters such as core temperature data and sample location.
2(b) Show a capability to obtain a grab sample, transport and analyze for hydrogen.
2(c) Discuss the capabilities to sample and analyze for the accident sample species listed here and in RG 1.97, Rev. 2.
2(d) Provide a discussion of the reliability and maintenance information to demonstrate that the selected on-line instrument is appropriate for this application. (See (8) and (10) below relative to backup grab sample capability and instrument range and accuracy).
Criterion:
(3) Reactor coolant and Containment atmosphere sampling during post-accident conditions shall not require an isolated auxiliary system [e.g., the letdown system, reactor water cleanup system (RWCUS)] to be placed in operation in order to use the sampling system.
Clarification:
System schematics and discussions should clearly demonstrate that post-accident sampling, including recirculation, from each sample source is possible without use of an isolated auxiliary system. It should be verified that valves which are not accessible after an accident are environmentally qualified for the conditions in which they must operate.
Criterion:
(4) Pressurized reactor coolant samples are not required if the licensee can quantify the amount of dissolved gases with unpressurized reactor coolant samples. The measurement of either total dissolved gases or H2 gas in reactor coolant samples is considered adequate. Measuring the O2 concentration is recommended, but is not mandatory.
Clarification:
Discuss the method whereby total dissolved gas or hydrogen and oxygen can be measured and related to RCS concentrations. Additionally, if chlorides exceed 0.15 ppm, verification that dissolved oxygen is less than 0.1 ppm is necessary. Verification that dissolved oxygen is 0.1 ppm by measurement of a dissolved hydrogen residual of 10 cc/kg is acceptable for up to 30 days after the accident. Within 30 days, consistent with minimizing personnel radiation exposures ALARA, direct monitoring for dissolved oxygen is recommended.
Criterion:
(5) The time for a chloride analysis to be performed is dependent upon two factors: (a) if the plant's coolant water is seawater or brackish water and (b) if there is only a single barrier between primary Containment systems and the cooling water. Under both of the above conditions the licensee shall provide for a chloride analysis within 24 hours of the sample being taken. For all other cases, the licensee shall provide the analysis to be completed within 4 days.
The chloride analysis does not have to be done onsite.
Clarification:
BWRs on sea or brackish water sites, and plants which use sea or brackish water in essential heat exchangers (e.g., shutdown cooling) that have only single barrier protection between the reactor coolant are required to analyze chloride within 24 hours. All other plants have 96 hours to perform a chloride analysis. Samples diluted by up to a factor of one thousand are acceptable as initial scoping analysis for chloride, provided (1) the results are reported as ___ ppm Cl (the licensee should establish this value; the number in the blank should be no greater than 10.0 ppm Cl) in the RCS and (2) that dissolved oxygen can be verified at <0.1 ppm, consistent with the guidelines above in clarification no. 4. Additionally, if chloride analysis is performed on a diluted sample, an undiluted sample need also be taken and retained for analysis within 30 days, consistent with ALARA.
Criterion:
(6) The design basis for plant equipment for reactor coolant and Containment atmosphere sampling and analysis must assume that it is possible to obtain and analyze a sample without radiation exposures to any individual exceeding the criteria of GDC 19 (Appendix A, 10 CFR Part 50) (i.e., 5 rem whole body, 75 rem extremities). (Note that the design and operational review criterion was changed from the operational limits of 10 CFR Part 20 (NUREG-0578) to the GDC 19 criterion (October 30, 1979 letter from H. R. Denton to all licensees).)
Clarification:
Consistent with RG 1.3 or 1.4 source terms, provide information on the predicted personnel exposures based on person motion for sampling, transport, and analysis of all required parameters.
Criterion:
(7) The analysis of primary coolant samples for boron is required for PWRs. (Note that Rev. 2 of RG 1.97 specifies the need for primary coolant boron analysis capability at BWR plants).
Clarification:
PWRs need to perform boron analysis. The guidelines for BWRs are to have the capability to perform boron analysis but they do not have to do so unless boron was injected.
Criterion:
(8) If in-line monitoring is used for any sampling and analytical capability specified herein, the licensee shall provide backup sampling through grab samples, and shall demonstrate the capability of analyzing the samples.
Established planning for analysis at offsite facilities is acceptable. Equipment provided for backup sampling shall be capable of providing at least one sample per day for 7 days following onset of the accident, and at least one sample per week until the accident condition no longer exists.
Clarification:
A capability to obtain both diluted and undiluted backup samples is required.
Provisions to flush in-line monitors to facilitate access for repair is desirable. If an off-site laboratory is to be relied upon for the backup analysis, an explanation of the capability to ship and obtain analysis for one sample per week thereafter until accident condition no longer exists should be provided.
Criterion:
(9) The licensee's radiological and chemical sample analysis capability shall include provisions to:
(a) Identify and quantify the isotopes of the nuclide categories discussed above to levels corresponding to the source terms given in RGs 1.3 or 1.4 and 1.7. Where necessary and practicable, the ability to dilute samples to provide capability for measurement and reduction of personnel exposure should be provided. Sensitivity of onsite liquid sample analysis capability should be such as to permit measurement of Ci/g.
(b) Restrict background levels of radiation in the radiological and chemical analysis facility from sources such that the sample analysis will provide results with an acceptably small error (approximately a factor of 2). This can be accomplished through the use of sufficient shielding around samples and outside sources, and by the use of a ventilation system design which will control the presence of airborne radioactivity.
Clarification:
(9) (a) Provide a discussion of the predicted activity in the samples to be taken and the methods of handling/dilution that will be employed to reduce the activity sufficiently to perform the required analysis. Discuss the range of radionuclide concentration which can be analyzed for, including an assessment of the amount of overlap between post-accident and normal sampling capabilities.
(9) (b) State the predicted background radiation levels in the counting room, including the contribution from samples which are present. Also provide data demonstrating what the background radiation levels and radiation effect will be on a sample being counted to assure an accuracy within a factor of 2.
Criterion:
(10) Accuracy, range, and sensitivity shall be adequate to provide pertinent data to the operator in order to describe radiological and chemical status of the reactor coolant systems.
Clarification:
The recommended ranges for the required accident sample analyses are given in RG 1.97, Rev. 2. The necessary accuracies within the recommended ranges are as follows:
  - Gross activity, gamma spectrum: measured to estimate core damage, these analyses should be accurate within a factor of two across the entire range.
  - Boron: measured to verify shutdown margin. In general this analysis should be accurate within +/-5 percent of the measured value (i.e., at 6,000 ppm B the tolerance is +/-300 ppm while at 1,000 ppm B the tolerance is +/-50 ppm). For concentrations below 1,000 ppm the tolerance band should remain at +/-50 ppm.
  - Chloride: measured to determine coolant corrosion potential. For concentrations between 0.5 and 20.0 ppm chloride the analysis should be accurate within +/-10 percent of the measured value. At concentrations below 0.5 ppm the tolerance band remains at +/-0.05 ppm.
  - Hydrogen to Total Gas: monitored to estimate core degradation and corrosion potential of the coolant. An accuracy of +/-10 percent is desirable between 50 and 2000 cc/kg but +/-20 percent can be acceptable. For concentrations below 50 cc/kg the tolerance remains at +/-5.0 cc/kg.
  - Oxygen: monitored to assess coolant corrosion potential. For concentrations between 0.5 and 20.0 ppm oxygen the analysis should be accurate within +/-10 percent of the measured value. At concentrations below 0.5 ppm the tolerance band remains at +/-0.05 ppm.
  - pH: measured to assess coolant corrosion potential. Between a pH of 5 to 9, reading should be accurate within +/-0.3 pH units. For all other ranges +/-0.5 pH units is acceptable.
To demonstrate that the selected procedures and instrumentation will achieve the above listed accuracies, it is necessary to provide information demonstrating their applicability in the post-accident water chemistry and radiation environment. This can be accomplished by performing tests utilizing the standard test matrix provided below or by providing evidence that the selected procedure or instrument has been used successfully in a similar environment.
Standard Test Matrix For Undiluted Reactor Coolant Sample in a Post-Accident Environment

Constituent        Nominal Concentration (ppm)        Added as (chemical salt)
I-                 40                                 Potassium Iodide
Cs+                250                                Cesium Nitrate
Ba+2               10                                 Barium Nitrate
La+3               5                                  Lanthanum Chloride
Ce+4               5                                  Ammonium Cerium Nitrate
Cl-                10
B                  2000                               Boric Acid
Li+                2                                  Lithium Hydroxide
NO3                150
NH4                5
K+                 20
Gamma Radiation    10^4 rad/gm of Reactor Coolant     Adsorbed Dose
(Induced Field)

NOTES: 1) Instrumentation and procedures which are applicable to diluted samples only should be tested with an equally diluted chemical test matrix. The induced radiation environment should be adjusted commensurate with the weight of actual reactor coolant in the sample being tested.
: 2) For PWRs, procedures which may be affected by spray additive chemicals must be tested in both the standard test matrix plus appropriate spray additives. Both procedures (with and without spray additives) are required to be available.
: 3) For BWRs, if procedures are verified with boron in the test matrix, they do not have to be tested without boron.
: 4) In lieu of conducting tests utilizing the standard test matrix for instruments and procedures, provide evidence that the selected instrument or procedure has been used successfully in a similar environment.
All equipment and procedures which are used for post-accident sampling and analyses should be calibrated or tested at a frequency which will ensure, to a high degree of reliability, that it will be available if required. Operators should receive initial and refresher training in post-accident sampling, analysis, and transport. A minimum frequency for the above efforts is considered to be every 6 months if indicated by testing. These provisions should be submitted in revised Technical Specifications in accordance with Enclosure 1 of NUREG-0737. The staff will provide model Technical Specifications at a later date.
Criterion:
(11) In the design of the post-accident sampling and analysis capability, consideration should be given to the following items:
(a) Provisions for purging sample lines, for reducing plateout in sample lines, for minimizing sample loss or distortion, for preventing blockage of sample lines by loose material in the RCS or Containment, for appropriate disposal of the samples, and for flow restrictions to limit reactor coolant loss from a rupture of the sample line. The post-accident reactor coolant and Containment atmosphere samples should be representative of the reactor coolant in the core area and the Containment atmosphere following a transient or accident. The sample lines should be as short as possible to minimize the volume of fluid to be taken from Containment. The residues of sample collection should be returned to Containment or to a closed system.
(b) The ventilation exhaust from the sampling station should be filtered with charcoal absorbers and high-efficiency particulate air (HEPA) filters.
Clarification:
(11) (a) A description of the provisions which address each of the items in clarification 11.a should be provided. Such items, as heat tracing and purge velocities, should be addressed. To demonstrate that samples are representative of core conditions, a discussion of mixing, both short- and long-term, is needed. If a given sample location can be rendered inaccurate due to the accident (i.e., sampling from a hot or cold leg loop which may have a steam or gas pocket) describe the backup sampling capabilities or address the maximum time that this condition can exist. BWRs should specifically address samples which are taken from the core shroud area and demonstrate how they are representative of core conditions. Passive flow restrictors in the sample lines may be replaced by redundant, environmentally qualified, remotely operated isolation valves to limit potential leakage from sampling lines. The automatic Containment isolation valves should close on Containment isolation or safety injection signals.
(11) (b) A dedicated sample station filtration system is not required, provided a positive exhaust exists which is subsequently routed through charcoal absorbers and HEPA filters.
STPEGS Response
1. The requirements of NUREG 0737 for Post Accident Sampling System (PASS) were deleted as part of Amendment No. 133 to Facility Operating License No. NPF-76 and Amendment No. 122 to Facility Operating License No. NPF-80 issued November 7, 2001 via Document ST-AE-NOC-01000894, South Texas Projects, Units 1 and 2 - Issuance of Amendments on the Elimination of Requirements for Post Accident Sampling (TAC Nos. MB2900 and MB2904).
II.B.4 TRAINING FOR MITIGATING CORE DAMAGE
Position
Licensees are required to develop a training program to teach the use of installed equipment and systems to control or mitigate accidents in which the core is severely damaged. They must then implement the training program.
Clarification
Shift technical advisors and operating personnel from the plant manager through the operations chain to the licensed operators shall receive all the training indicated in Enclosure 3 to H. R. Denton's March 28, 1980 letter.
Managers and technicians in the I&C, health physics, and chemistry departments shall receive training commensurate with their responsibilities.
STPEGS Response
This training is provided as described in Section 13.2.1.1 and 13.2.2.4.
II.D.1 PERFORMANCE TESTING OF BOILING-WATER REACTOR AND PRESSURIZED-WATER REACTOR RELIEF AND SAFETY VALVES (NUREG-0578, SECTION 2.1.2)
Position
PWR and BWR licensees and applicants shall conduct testing to qualify the RCS relief and safety valves under expected operating conditions for design-basis transients and accidents.
Clarification
Licensees and applicants shall determine the expected valve operating conditions through the use of analyses of accidents and anticipated operational occurrences referenced in RG 1.70, Rev. 2. The single failures applied to these analyses shall be chosen so that the dynamic forces on the safety and relief valves are maximized. Test pressures shall be the highest predicted by conventional safety analysis procedures. Reactor coolant system relief and safety valve qualification shall include qualification of associated control circuitry, piping and supports, as well as the valves themselves.
A. Performance Testing of Relief and Safety Valves - The following information must be provided in report form by October 1, 1981:
(1) Evidence supported by test of safety and relief valve functionability for expected operating and accident (non-ATWS) conditions must be provided to NRC. The testing should demonstrate that the valves will open and reclose under the expected flow conditions.
(2) Since it is not planned to test all valves on all plants, each licensee must submit to NRC a correlation or other evidence to substantiate that the valves tested in the Electric Power Research Institute (EPRI) or other generic test program demonstrate the functionability of as-installed primary relief and safety valves. This correlation must show that the test conditions used are equivalent to expected operating and accident conditions as prescribed in the UFSAR. The effect of as-built relief and safety valve discharge piping on valve operability must also be accounted for, if it is different from the generic test loop piping.
(3) Test data, including criteria for success and failure of valves tested, must be provided for NRC staff review and evaluation. These test data should include data that would permit plant-specific evaluation of discharge piping and supports that are not directly tested.
B. Qualification of PWR Block Valves - Although not specifically listed as a short-term lessons-learned requirement in NUREG-0578, qualification of PWR block valves is required by the NRC Task Action Plan NUREG-0660 under task item II.D.1. It is the understanding of the NRC that testing of several commonly used block valve designs is already included in the generic EPRI PWR safety and relief valve testing program to be completed by July 1, 1981. By means of this letter, NRC is establishing July 1, 1982 as the date for verification of block valve functionability. By July 1, 1982, each PWR licensee, for plants so equipped, should provide evidence supported by test that the block or isolation valves between the pressurizer and each power-operated relief valve can be operated, closed, and opened for all fluid conditions expected under operating and accident conditions.
C. ATWS Testing - Although ATWS testing need not be completed by July 1, 1981, the test facility should be designed to accommodate ATWS conditions of approximately 3,200 to 3,500 (Service Level C pressure limit) psi and 700°F with sufficient capacity to enable testing of relief and safety valves of the size and type used on operating PWRs.
STPEGS Response
Reports titled "PWR Safety and Relief Valve Adequacy Report", and "PWR Safety and Relief Valve Test Program, PORV Block Valve Adequacy Report", supported by test of safety and relief valve functionability for expected operating and accident (non-ATWS) conditions, have been completed. In addition, a report titled "Pressurizer Safety and Relief Line Piping and Support Evaluation" has also been completed. These reports were submitted via separate cover letter (see ST-HL-AE-1466 dated October 31, 1985). These reports and the reports referenced therein indicate the valves, piping arrangements, and fluid inlet conditions for South Texas Units 1 and 2 are indeed bounded by those values and test parameters of the EPRI Safety and Relief Valve Test Program. The EPRI tests confirm the ability of the safety, relief and block valves to open and close under the expected operating fluid conditions. Although not specifically addressed by the EPRI Safety and Relief Valve Test Program, the results above provide the information necessary to address ATWS events (i.e., relief capability at high pressure).
II.D.3 DIRECT INDICATION OF RELIEF AND SAFETY VALVE POSITION
Position
Reactor coolant system relief and safety valves shall be provided with a positive indication in the control room derived from a reliable valve position detection device or a reliable indication of flow in the discharge pipe.
Clarification
(1) The basic requirement is to provide the operator with unambiguous indication of valve position (open or closed) so that appropriate operator actions can be taken.
(2) The valve position should be indicated in the control room. An alarm should be provided in conjunction with this indication.
(3) The valve position indication may be safety grade. If the position indication is not safety grade, a reliable single-channel direct indication powered from a vital instrument bus may be provided if backup methods of determining valve position are available and are discussed in the emergency procedures as an aid to operator diagnosis of an action.
(4) The valve position indication should be seismically qualified consistent with the component or system to which it is attached.
(5) The position indication should be qualified for its appropriate environment (any transient or accident that would cause the relief or safety valve to lift) and in accordance with Commission Order, May 23rd, 1980 (CLI 81).
(6) It is important that the displays and controls added to the control room as a result of this requirement not increase the potential for operator error. A human factors analysis should be performed, taking the following into consideration:
(a) The use of this information by an operator during both normal and abnormal plant conditions.
(b) The integration into emergency procedures.
(c) The integration into operator training.
(d) Other alarms during emergency and need for prioritization of alarms.
STPEGS Response
Position indication is provided for each safety valve and PORV that indicates when the valve is not in its fully closed position. The position detectors are seismically and environmentally qualified. Position indication for each valve is displayed in the control room, and an alarm is provided if any of the PORVs or safety valves are not fully closed. Relief and safety valve position indication is further described in Sections 5.4.13 and 7.5, and Appendix 7B.
Other nonsafety-related instrumentation is provided on the valve discharge piping and the PRT to provide alternate means of assessing the status of the safety valves and PORVs (see Figures 5.1-3 and 5.1-4). The integration of the position indication and alarms into the control room design was performed taking into consideration human factors concerns as described in Appendix 7A, Items I.D.1 and S.5.
II.E.1.1 AUXILIARY FEEDWATER SYSTEM EVALUATION
Position
The Office of Nuclear Reactor Regulation is requiring reevaluation of the auxiliary feedwater systems (AFWS) for all PWR operating plant licensees and operating license applications. This action includes:
(1) Perform a simplified AFWS reliability analysis that uses event-tree and fault-tree logic techniques to determine the potential for AFWS failure under various loss-of-main-feedwater-transient conditions. Particular emphasis is given to determining potential failures that could result from human errors, common causes, single-point vulnerabilities, and test and maintenance outages;
(2) Perform a deterministic review of the AFWS using the acceptance criteria of Standard Review Plan Section 10.4.9 and associated Branch Technical Position ASB 10-1 as principal guidance; and
(3) Reevaluate the AFWS flow rate design bases and criteria.
Clarification
Operating Plant Licenses - Items 1 and 2 above have been completed for Westinghouse (W), Combustion Engineering (C-E), and two B&W operating plants (Rancho Seco, short-term only, and TMI-1). As a result of staff review of items 1 and 2, letters were issued to these plants that required the implementation of certain short- and long-term AFWS upgrade requirements. Included in these letters was a request for additional information regarding item 3 above. The staff is now in the process of evaluating licensees' responses and commitments to these letters.
The remaining B&W operating plants (Oconee 1-3, Crystal River 3, ANO-1, and Davis-Besse 1) have submitted the analysis described in item 1 above. The analysis is presently undergoing staff review. When the results of the staff reviews are complete, each of the remaining B&W plants will receive a letter specifying the short- and long-term AFWS upgrade requirements based on item 1 above. Included in these letters will be a request for additional information regarding items 2 and 3 above.
Operating License Applicants - Operating license applicants have been requested to respond to staff letters of March 10, 1980 (W and C-E) and April 24, 1980 (B&W). These responses will be reviewed during the normal review process for these applications.
STPEGS Response
A reliability analysis and deterministic review for the AFWS are provided in Appendix 10A.
STP provided a response to this issue in ST-HL-AE-1546. Pertinent information from this response has been incorporated into the accident analysis described in Section 15, the cooldown analysis described in Section 10.4.9, and the safe shutdown assessment in Section 2 of the Fire Hazards Report.
II.E.1.2 AUXILIARY FEEDWATER SYSTEM AUTOMATIC INITIATION AND FLOW INDICATION
PART 1: Auxiliary Feedwater System Automatic Initiation
Position
Consistent with satisfying the requirements of GDC 20 of Appendix A to 10CFR50 with respect to the timely initiation of the AFWS, the following requirements shall be implemented in the short-term:
(1) The design shall provide for the automatic initiation of the AFWS.
(2) The automatic initiation signals and circuits shall be designed so that a single failure will not result in the loss of AFWS function.
(3) Testability of the initiating signals and circuits shall be a feature of the design.
(4) The initiating signals and circuits shall be powered from the emergency busses.
(5) Manual capability to initiate the AFWS from the control room shall be retained and shall be implemented so that a single failure in the manual circuits will not result in the loss of system function.
(6) The AC motor-driven pumps and valves in the AFWS shall be included in the automatic actuation (simultaneous and/or sequential) of the loads onto the emergency busses.
(7) The automatic initiating signals and circuits shall be designed so that their failure will not result in the loss of manual capability to initiate the AFWS from the control room.
In the long term, the automatic initiation signals and circuits shall be upgraded in accordance with safety-grade requirements.
Clarification
The intent of this recommendation is to assure a reliable automatic initiation system. This objective can be met by providing a system that meets all the requirements of Institute of Electrical and Electronics Engineers (IEEE) Standard 279-1971. The staff has determined that the following salient paragraphs of IEEE 279-1971 should be addressed as a minimum:
IEEE 279-1971, Paragraph
4.1 General Functional Requirements
4.2 Single Failure
4.3, 4.4 Qualification
4.6 Channel Independence
4.7 Control and Protection System Interaction
4.9, 4.10 Capability for Testing
4.11 Channel Bypass
4.12 Operating Bypass
4.13 Indication of Bypass
4.17 Manual Initiation
STPEGS Response
Safety-grade automatic initiation of the AFWS is provided as described in Sections 7.3 and 10.4.9. The automatic initiation meets the appropriate requirements of IEEE 279-1971.
PART 2: Auxiliary Feedwater System Flow Rate Indication
Position
Consistent with satisfying the requirements set forth in GDC 13 to provide the capability in the control room to ascertain the actual performance of the AFWS when it is called upon to perform its intended function, the following requirements shall be implemented:
(1) Safety-grade indication of AFW flow to each SG shall be provided in the control room.
(2) The AFW flow instrument channels shall be powered from the emergency busses, consistent with satisfying the emergency power diversity requirements of the AFW system set forth in Auxiliary Systems Branch Technical Position 10-1 of the SRP, Section 10.4.9.
Clarification
The intent of this recommendation is to assure a reliable indication of AFWS performance. This objective can be met by providing an overall indication system that meets the following appropriate design principles:
(1) For Babcock and Wilcox Plants (Not applicable to STPEGS)
(2) For Westinghouse and Combustion Engineering Plants
  (a) To satisfy these requirements, W and CE plants must provide as a minimum one AFW flow rate indicator and one wide-range SG level indicator for each SG or two flow rate indicators.
  (b) The flow indication system should be:
  (i) Environmentally qualified
  (ii) Powered from highly reliable, battery-backed non-Class 1E power source
  (iii) Periodically testable
  (iv) Part of plant quality assurance program
  (v) Capable of display on demand
It is important that the displays and controls added to the control room as a result of this requirement not increase the potential for operator error. A human factors analysis should be performed taking into consideration:
(1) The use of this information by an operator during both normal and abnormal plant conditions.
(2) The integration into emergency procedures.
(3) The integration into operator training.
(4) Other alarms during emergency and need for prioritization of alarms.
STPEGS Response
Safety-grade AFW flow indication to each SG is provided as described in Sections 7.5 and 10.4.9 and Appendix 7B.
Safety-grade wide-range SG water level indication is provided as described in Section 7.5 and Appendix 7B.
The integration of the AFW and wide-range SG water level displays into the control room was performed taking into consideration human factors concerns as described in Appendix 7A (Items I.D.1 and S.5) and Appendix 7B.
II.E.3.1 EMERGENCY POWER SUPPLY FOR PRESSURIZER HEATERS
Position
Consistent with satisfying the requirements of GDC 10, 14, 15, 17, and 20 of Appendix A to 10CFR Part 50 for the event of loss of offsite power, the following positions shall be implemented:
(1) The pressurizer heater power supply design shall provide the capability to supply, from either the offsite power source or the emergency power source (when offsite power is not available), a predetermined number of pressurizer heaters and associated controls necessary to establish and maintain natural circulation at hot standby conditions. The required heaters and their controls shall be connected to the emergency buses in a manner that will provide redundant power supply capability.
(2) Procedures and training shall be established to make the operator aware of when and how the required pressurizer heaters shall be connected to the emergency buses. If required, the procedures shall identify under what conditions selected emergency loads can be shed from the emergency power source to provide sufficient capacity for the connection of the pressurizer heaters.
(3) The time required to accomplish the connection of the preselected pressurizer heater to the emergency buses shall be consistent with the timely initiation and maintenance of natural circulation conditions.
(4) Pressurizer heater motive and control power interfaces with the emergency buses shall be accomplished through devices that have been qualified in accordance with safety-grade requirements.
Clarification
(1) Redundant heater capacity must be provided, and each redundant heater or group of heaters should have access to only one Class 1E division power supply.
(2) The number of heaters required to have access to each emergency power source is that number required to maintain natural circulation in the hot standby condition.
(3) The power sources need not necessarily have the capacity to provide power to the heaters concurrently with the loads required for LOCA.
(4) Any changeover of the heaters from normal offsite power to emergency onsite power is to be accomplished manually in the control room.
(5) In establishing procedures to manually load the pressurizer heaters onto the emergency power sources, careful consideration must be given to:
  (a) which engineered safety feature (ESF) loads may be appropriately shed for a given situation;
  (b) reset of the safety injection actuation signal to permit the operation of the heaters; and
  (c) instrumentation and criteria for operator use to prevent overloading a diesel generator.
(6) The Class 1E interfaces for main power and control power are to be protected by safety-grade circuit breakers (see also RG 1.75).
(7) Being non-Class 1E loads, the pressurizer heaters must be automatically shed from the emergency power sources upon the occurrences of a safety injection actuation signal (see item 5.b. above).
Documentation Required
The applicant shall provide sufficient documentation to support a reasonable assurance finding by the NRC that each of the subparts of the position stated above are met. The documentation should include, as a minimum, supporting information including system design description, logic diagrams, electrical schematic, test procedures, and Technical Specifications.
Technical Specification Changes Required
Changes to Technical Specifications (if any) should be submitted as part of this response.
STPEGS Response
The following are in response to the above positions and clarifications.
Position
(1) As stated in Section 8.3.1.1.4.1.1, two banks of pressurizer heaters are independently supplied from separate Class 1E systems, one from ESF Train A and one from ESF Train C. All loads connected to the Class 1E system have the capability of being supplied from the offsite power source and the emergency on-site (i.e., standby diesel generator (DG)) power source. The control circuits required for this emergency condition for these two heater banks are supplied from independent Class 1E DC systems. Only one set of heaters is required to maintain natural circulation at hot standby conditions.
(2) As indicated in Table 8.3-3, these pressurizer heaters are capable of being manually loaded on the standby DG during LOOP. It is not necessary to shed load to connect these heaters to the standby DG. These heaters can be manually controlled from the Main Control Board or the Auxiliary Shutdown Panel (ASP). Procedures and training will include the operation of these heaters.
(3) As indicated in Table 8.3-3, the pressurizer heaters can be manually energized upon completion of load sequencing after LOOP if an SI signal is not present. (SI must be reset before the heaters can be energized.) This ensures the capability for maintenance of natural circulation.
(4) The pressurizer heater power and control system power interfaces with the emergency buses are accomplished through isolation devices qualified as Class 1E.
Clarification
(1) Each of the two pressurizer heater banks has access to only one Class 1E train.
(2) Either redundant bank of heaters will maintain natural circulation.
(3) These heaters are not required during LOCA or Main Steam Line Break (MSLB) conditions. Under administrative control, each standby DG has capacity to supply the necessary pressurizer heaters concurrently with LOOP loads.
(4) These heaters are powered from ESF buses. Therefore, no manual changeover from normal offsite to onsite power is required. The heaters are to be manually loaded on the ESF busses.
The heaters are not automatically sequenced and the SI signal must be reset before the heaters can be loaded on the ESF busses.
(5) (a) Load shedding is not required. Each standby DG has the capacity to supply the necessary pressurizer heaters concurrently with LOOP loads (LOCA/MSLB loads not present).
  (b) Procedures have been established for resetting the SI signal. The SI signal must be reset to energize these heaters.
  (c) Not applicable. See Clarification (3) above.
(6) The power and control circuits for these pressurizer heaters are from Class 1E load centers E1A and E1C. Isolation devices are qualified as Class 1E devices.
(7) As stated in Section 8.3.1.1.4.1.1 these heaters are disconnected in the presence of an SI signal.
Documentation Required
System description and testing are discussed in Section 8.3. The logic diagram for the pressurizer heaters is shown on Figure 7.4-2.
Technical Specification Changes Required
The STPEGS Technical Specifications have been submitted.
II.E.4.1 DEDICATED HYDROGEN PENETRATIONS
Position
Plants using external recombiners or purge systems for post-accident combustible gas control of the Containment atmosphere should provide Containment penetration systems for external recombiner or purge systems that are dedicated to that service only, that meet the redundancy and single-failure requirements of GDC54 and 56 of Appendix A to 10CFR50, and that are sized to satisfy the flow requirements of the recombiner or purge system.
The procedures for the use of combustible gas control systems following an accident that results in a degraded core and release of radioactivity to the Containment must be reviewed and revised, if necessary.
Clarification
(1) An acceptable alternative to the dedicated penetration is a combined design that is single-failure-proof for Containment isolation purposes and single-failure-proof for operation of the recombiner or purge system.
(2) The dedicated penetration or the combined single-failure-proof alternative shall be sized such that the flow requirements for the use of the recombiner or purge system are satisfied. The design shall be based on 10CFR50.44 requirements.
(3) Components furnished to satisfy this requirement shall be safety grade.
(4) Licensees that rely on purge systems as the primary means for controlling combustible gases following a LOCA should be aware of the positions taken in SECY 399, "Proposed Interim Amendments to 10CFR Part 50 Related to Hydrogen Control and Certain Degraded Core Considerations". This proposed rule, published in the Federal Register on October 2, 1980, would require plants that do not now have recombiners to have the capacity to install external recombiners by January 1, 1982. (Installed internal recombiners are an acceptable alternative to the above.)
(5) Containment atmosphere dilution systems are considered to be purge systems for the purposes of implementing the requirements of this TMI Task Action item.
STPEGS Response
Per 10CFR50.44, hydrogen recombiners are no longer required for design basis accidents. Therefore, dedicated hydrogen control penetrations are not required, and this item is not applicable to STPEGS.
A nonsafety-related means of purging hydrogen from the Containment is provided. Only the penetrations and the Containment isolation valves are safety-related in the Supplementary Containment Purge System (Section 9.4.5.2.7). Since this system is not the primary means for controlling hydrogen, these penetrations are not the subject of this item.
Since the hydrogen recombiners are not used, the shielding and personnel exposure limitations associated with recombiner use and development of procedures for reduction of doses are not applicable to STPEGS.
II.E.4.2 CONTAINMENT ISOLATION DEPENDABILITY
Position
(1) Containment isolation system designs shall comply with the recommendations of SRP Section 6.2.4 (i.e., that there be diversity in the parameters sensed for the initiation of Containment isolation).
(2) All plant personnel shall give careful consideration to the definition of essential and nonessential systems, identify each system determined to be essential, identify each system determined to be nonessential, describe the basis for selection of each essential system, modify their Containment isolation designs accordingly, and report the results of the reevaluation to the NRC.
(3) All nonessential systems shall be automatically isolated by the Containment isolation signal.
(4) The design of control systems for automatic Containment isolation valves shall be such that resetting the isolation signal will not result in the automatic reopening of Containment isolation valves. Reopening of Containment isolation valves shall require deliberate operator action.
(5) The Containment setpoint pressure that initiates Containment isolation for nonessential penetrations must be reduced to the minimum compatible with normal operating conditions.
(6) Containment purge valves that do not satisfy the operability criteria set forth in Branch Technical Position (BTP) CSB 6-4 or the Staff Interim Position of October 23, 1979, must be sealed closed as defined in SRP 6.2.4, item II.3.f during operational conditions 1, 2, 3, and 4.
Furthermore, these valves must be verified to be closed at least every 31 days. (A copy of the Staff Interim Position is enclosed as Attachment 1.)
(7) Containment purge and vent isolation valves must close on a high radiation signal.
Clarification
(1) The reference to SRP 6.2.4 in position 1 is only to the diversity requirements set forth in that document.
(2) For post-accident situations, each nonessential penetration (except instrument lines) is required to have two isolation barriers in series that meet the requirements of GDC54, 55, 56, and 57, as clarified by SRP, Section 6.2.4. Isolation must be performed automatically (i.e., no credit can be given for operator action). Manual valves must be sealed closed, as defined by SRP, Section 6.2.4, to qualify as an isolation barrier. Each automatic isolation valve in a nonessential penetration must receive the diverse isolation signals.
(3) Revision 2 to RG 1.141 will contain guidance on the classification of essential versus nonessential systems and is due to be issued by June 1981. Requirements for operating plants to review their list of essential and nonessential systems will be issued in conjunction with this Guide, including an appropriate time schedule for completion.
(4) Administrative provisions to close all isolation valves manually before resetting the isolation signals is not an acceptable method of meeting position 4.
(5) Ganged reopening of Containment isolation valves is not acceptable. Reopening of isolation valves must be performed on a valve-by-valve basis, or on a line-by-line basis, provided electrical independence and other single-failure criteria continue to be satisfied.
(6) The Containment pressure history during normal operation should be used as a basis for arriving at an appropriate minimum pressure setpoint for initiating Containment isolation. The pressure setpoint selected should be far enough above the maximum observed (or expected) pressure inside the Containment during normal operation so that inadvertent Containment isolation does not occur during normal operation from instrument drift or fluctuations due to the accuracy of the pressure sensor. A margin of 1 psi above the maximum expected Containment pressure should be adequate to account for instrument error. Any proposed values greater than 1 psi will require detailed justification. Applicants for an operating license and operating plant licensees that have operated less than one year should use pressure history data from similar plants that have operated more than one year, if possible, to arrive at a minimum Containment setpoint pressure.
(7) Sealed-closed purge isolation valves shall be under administrative control to assure that they cannot be inadvertently opened. Administrative control includes mechanical devices to seal or lock the valve closed, or to prevent power from being supplied to the valve operator.
Checking the valve position light in the control room is an adequate method for verifying every 24 hours that the purge valves are closed.
STPEGS Response
(1) The STPEGS Containment isolation signal is generated by diverse parameters. Containment phase A isolation, steam line isolation, FW line isolation, and Containment ventilation isolation are all initiated by the SI signal. The SI signal is initiated by the following parameters:
Containment pressure HI-1
Pressurizer low pressure
Low compensated steamline pressure
Manual actuation
Containment phase A isolation and steam line isolation may also be initiated manually.
The Containment phase B isolation signal is initiated automatically by Containment pressure HI-3 and may be manually initiated by the manual Containment spray switches.
Containment ventilation isolation is also initiated by high Containment purge radiation. The Containment isolation system is described in more detail in Sections 6.2.4 and 7.3.
(2) A reevaluation of the classification of each system penetrating the Containment has been performed. The results of this reevaluation are indicated on Figure 6.2.4-1. Justifications for those systems classified as essential are provided below:
Main Steam to Turbine-Driven AFW Pump: The main steam supply to the turbine-driven AFW pump is essential to ensure that the AFW pump is provided with steam for motive power. The main steam system is described in further detail in Section 10.3.
Auxiliary Feedwater System: The AFWS is required post-accident to maintain SG inventory and provide decay heat removal. The AFWS is described in further detail in Section 10.4.9.
Safety Injection System: The low head and high head SI subsystems are required to provide emergency core cooling post-accident. The low head safety injection (LHSI) subsystem, in conjunction with the RHR heat exchangers, is required for decay heat removal. The SI system is described in further detail in Section 6.3.
Containment Spray System: The Containment Spray System (CSS) is required post-accident for Containment cooling and airborne iodine removal. The CSS is described in further detail in Sections 6.2.2 and 6.5.2.
Component Cooling Water to Reactor Containment Fan Coolers: CCW to the RCFCs is required to provide Containment cooling. The RCFCs are described in further detail in Section 6.2.2. The CCWS is described in further detail in Section 9.2.2.
Component Cooling Water to Residual Heat Removal Heat Exchangers: The CCW supply to the RHR heat exchangers is required to provide decay heat removal in conjunction with the LHSI system. See Section 6.3 for ECCS operation and Section 9.2.2 for CCW system operation.
Component Cooling Water to Reactor Coolant Pumps: During many of the postulated accidents and transients, the capability to operate the RCPs is very desirable. Without the LOOP, the RCPs are manually tripped by the operator when determined necessary to do so. The CCW supply to the RCPs is used to maintain seal integrity during RCP operation. The CCWS is described in further detail in Section 9.2.2. A subsystem of the CCW to the RCP heat exchangers also provides cooling water to the Reactor Coolant Drain Tank heat exchanger and the Excess Letdown heat exchanger. The supply lines to these heat exchangers are isolated by Class 3 motor-operated valves (1 common and 1 in each heat exchanger branch line) while the return lines have Class 3 check valves (2 in each line). These heat exchangers are not essential and, therefore, the branch lines to these heat exchangers are isolated by an SI signal. The Containment penetrations are not isolated for this subsystem until a HI-3 setpoint is reached.
Reactor Coolant Pump Seal Injection: The RCP seal injection is used to maintain the integrity of the RCP seals. The RCP seal injection isolation valves are isolated upon receipt of a Containment phase A isolation signal concurrent with a charging header low pressure signal, indicative of a charging system failure. Thus, by providing the CCW to the RCPs and also the RCP seal injection, the RCP seal integrity is ensured.
RCP seal injection is described in further detail in Section 9.3.4.
Containment Pressure Monitoring System (Normal and Wide-Range): Containment pressure monitoring instrumentation is required post-accident for the detection of potential or actual breach of the Containment. Containment isolation is provided by the use of a sealed bellows arrangement inside the Containment and a diaphragm in the pressure transmitter outside the Containment. The Containment pressure monitoring system is described in further detail in Section 6.2.4.
RCS Wide-Range Pressure: The RCS wide-range pressure transmitters are required for post-accident monitoring and SI termination. Containment isolation is provided by a sealed bellows arrangement inside the Containment with armored capillary tubing to the penetration and a sealed bellows arrangement outside the Containment. The RCS primary fluid is contained by the inside Containment bellows assembly. The capillary tubing penetrating the Containment is filled with distilled water. Thus a double Containment isolation barrier to both the RCS primary fluid and the Containment atmosphere is provided. The RCS wide range pressure instrumentation is discussed in further detail in Section 7.5.
As indicated above, the RCP seal injection is automatically isolated when necessary.
Containment isolation for the Containment pressure monitoring instrumentation and the RCS wide-range pressure is provided by a bellows assembly. The balance of the essential systems can be remote manually isolated by the operator when it is determined prudent to do so.
(3) Nonessential penetrations (see Figure 6.2.4-1) have two isolation barriers in series that meet the requirements of GDC 54, 55, 56, or 57. Nonessential systems are automatically isolated by the Containment isolation signals or are sealed closed. The Containment isolation system design is described in more detail in Section 6.2.4.
The Containment penetrations for CCW supply and return to the RCP heat exchangers, excess letdown heat exchanger, and reactor coolant drain tank are shared penetrations between essential and nonessential equipment. The Containment penetrations remain open to supply the essential equipment until a HI-3 signal is reached.
(4) The design of the STPEGS Containment isolation system is such that the resetting of the Containment isolation signal does not result in automatic reopening of any Containment isolation valves. The reopening of the Containment isolation valves requires deliberate operator action and can only be performed on a valve-by-valve basis.
(5) The Containment pressure setpoint (HI-1) is established by the Technical Specifications. The setpoint is based on normal Containment operating pressures including anticipated transients not requiring Containment isolation, and instrument drift and accuracy.
As discussed in Item 2 above, the nonessential portion of the CCW supply is isolated by Safety Class 3 valves if the Containment pressure setpoint (HI-1) is reached, thus generating an SI signal. The CCW to the RCP heat exchangers is isolated by Safety Class 2 valves if Containment pressure exceeds the HI-3 setpoint. This pressure setpoint is established at a value that is lower than the pressure in the CCW piping to preclude Containment atmosphere leakage through these lines.
(6) The normal Containment purge system isolation valves will be sealed shut during operational conditions other than cold shutdown and refueling. The valve position indication light shall be checked as required by the Technical Specifications to verify that the valve is closed. The supplementary Containment purge system may be operating during normal plant operations. Normal and supplementary purge system isolation valves receive the Containment ventilation isolation signal. This signal is generated by the following parameters:
Safety injection signal
Containment phase A isolation manual actuation
Containment spray manual actuation
High Containment purge radiation
An analysis has been performed which shows that in the event of a LOCA or other Design Basis Accident (DBA) while the supplementary Containment purge system is in operation, isolation occurs in a timely manner such that resultant offsite doses are well within the guidelines of 10CFR100. The analysis also demonstrates that STPEGS meets the requirements of 10CFR50.46, even if the Containment supplementary purge system is operating at the time of a LOCA event. The Containment normal and supplementary purge systems are described in further detail in Section 9.4.5.
(7) As indicated in item (6) above, the Containment purge isolation valves, of both the normal and supplementary Containment purge systems, are closed automatically by a Containment ventilation isolation signal. This signal is initiated by an SI signal, a high Containment purge radiation signal, manual actuation of Containment isolation phase A, or manual actuation of Containment spray.
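The actuation and reset behavior stated in items (1), (4), (6) and (7) of the response above can be expressed as a small latch model. This Python sketch is an added illustration, not part of the UFSAR or of any plant software: inputs are modeled as already-tripped bistables so no setpoint values are assumed, the valve names are constructed, and the rule that a reset or reopen is refused while the demand or latch persists is an assumption of the sketch.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Inputs:
    """Bistable and switch states named in the response (True = tripped/actuated)."""
    ctmt_pressure_hi1: bool = False
    ctmt_pressure_hi3: bool = False
    pressurizer_low_pressure: bool = False
    low_comp_steamline_pressure: bool = False
    manual_si: bool = False
    manual_phase_a: bool = False
    manual_ctmt_spray: bool = False
    high_purge_radiation: bool = False


def demanded_signals(i: Inputs) -> set:
    """Signals demanded by the present inputs, per items (1), (6) and (7)."""
    si = (i.ctmt_pressure_hi1 or i.pressurizer_low_pressure
          or i.low_comp_steamline_pressure or i.manual_si)
    out = set()
    if si:
        out.add("SI")
    if si or i.manual_phase_a:
        out.add("PHASE_A")
    if i.ctmt_pressure_hi3 or i.manual_ctmt_spray:
        out.add("PHASE_B")
    if si or i.manual_phase_a or i.manual_ctmt_spray or i.high_purge_radiation:
        out.add("VENT_ISOL")
    return out


class IsolationLogic:
    """Latched isolation signals plus per-valve position memory."""

    def __init__(self, valves):
        # valves maps a (constructed) valve name to the signal that closes it.
        self.closes_on = dict(valves)
        self.open = {name: True for name in valves}
        self.latched = set()

    def scan(self, inputs: Inputs) -> None:
        """One logic pass: seal in demanded signals and close their valves."""
        self.latched |= demanded_signals(inputs)
        for name, signal in self.closes_on.items():
            if signal in self.latched:
                self.open[name] = False

    def reset(self, signal: str, inputs: Inputs) -> bool:
        """Clear a latched signal. It never moves a valve (position 4).

        Assumption of this sketch: the reset is refused while the
        initiating inputs still demand the signal.
        """
        if signal in demanded_signals(inputs):
            return False
        self.latched.discard(signal)
        return True

    def reopen(self, name: str) -> bool:
        """Deliberate operator action on exactly one valve.

        There is no ganged variant: the interface takes a single valve name.
        Assumption of this sketch: refused while the closing signal is latched.
        """
        if self.closes_on[name] in self.latched:
            return False
        self.open[name] = True
        return True


def demo():
    """Trip on HI-1, clear the condition, reset phase A, reopen one valve."""
    logic = IsolationLogic({"V-A1": "PHASE_A", "V-A2": "PHASE_A",
                            "V-PURGE": "VENT_ISOL", "V-B1": "PHASE_B"})
    logic.scan(Inputs(ctmt_pressure_hi1=True))
    logic.reset("PHASE_A", Inputs())
    logic.scan(Inputs())
    logic.reopen("V-A1")
    return logic.open


if __name__ == "__main__":
    print(demo())
```

The point to take from the model is that valve position is stored separately from the signal latch, so clearing the latch cannot by itself change any valve state.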
II.F.1 ADDITIONAL ACCIDENT MONITORING INSTRUMENTATION
Introduction
Item II.F.1 of NUREG-0660 contains the following subparts:
(1) Noble gas effluent radiological monitor.
(2) Provisions for continuous sampling of plant effluents for post-accident releases of radioactive iodines and particulates and onsite laboratory capabilities (this requirement was inadvertently omitted from NUREG-0660; see Attachment 2 that follows for position).
(3) Containment high-range radiation monitor.
(4) Containment pressure monitor.
(5) Containment water level monitor.
(6) Containment hydrogen concentration monitor.
NUREG-0578 provided the basic requirements associated with items (1) through (3) above. Letters issued to all operating nuclear power plants dated September 13, 1979 and October 30, 1979 provided clarification of staff requirements associated with items (1) through (6) above. Attachments 1 through 6 present the NRC position on these matters.
It is important that the displays and controls added to the control room as a result of this requirement not increase the potential for operator error. A human factors analysis should be performed taking into consideration:
  (a) The use of this information by an operator during both normal and abnormal plant conditions.
  (b) The integration into emergency procedures.
  (c) The integration into operator training.
  (d) Other alarms during emergency and need for prioritization of alarms.
II.F.1, ATTACHMENT 1, NOBLE GAS EFFLUENT MONITOR
Position
Noble gas effluent monitors shall be installed with an extended range designed to function during accident conditions as well as during normal operating conditions. Multiple monitors are considered necessary to cover the ranges of interest.
(1) Noble gas effluent monitors with an upper range capacity of 10^5 -133) are considered to be practical and should be installed in all operating plants.
(2) Noble gas effluent monitoring shall be provided for the total range of concentration extended from normal condition (ALARA) concentrations to a maximum of 10^5 -133). Multiple monitors are considered to be necessary to cover the ranges of interest. The range capacity of individual monitors should overlap by a factor of ten.
Clarification
(1) Licensees shall provide continuous monitoring of high-level, post-accident releases of radioactive noble gases from the plant. Gaseous effluent monitors shall meet the requirements specified in the enclosed Table II.F.1-1. Typical plant effluent pathways to be monitored are also given in the table.
(2) The monitors shall be capable of functioning both during and following an accident. System designs shall accommodate a design basis release, and then be capable of following decreasing concentrations of noble gases.
(3) Offline monitors are not required for the PWR secondary side main steam safety valve and dump valve discharge lines. For this application, externally mounted monitors viewing the main steam line upstream of the valves are acceptable with procedures to correct for the low energy gammas the external monitors would not detect. Isotopic identification is not required.
(4) Instrumentation ranges shall overlap to cover the entire range of effluents from normal (ALARA) through accident conditions.
The design description shall include the following information.
  (a) System description, including:
  (i) Instrumentation to be used, including range of sensitivity, energy dependence or response, calibration frequency and technique, and vendor's model number, if applicable.
  (ii) Monitoring locations (or points of sampling), including description of method used to assure representative measurements and background correction.
  (iii) Location of instrument readout(s) and method of recording, including description of the method or procedure for transmitting or disseminating the information or data.
  (iv) Assurance of the capability to obtain readings at least every 15 minutes during and following an accident.
  (v) The source of power to be used.
  (b) Description of procedures or calculation methods to be used for converting instrument readings to release rates per unit time, based on exhaust air flow and considering radionuclide spectrum distribution as a function of time after shutdown.
TABLE II.F.1-1
HIGH-RANGE NOBLE GAS EFFLUENT MONITORS
REQUIREMENT:
Capability to detect and measure concentrations of noble gas fission products in plant gaseous effluents during and following an accident. All potential accident release paths shall be monitored.
PURPOSE:
To provide the plant operator and emergency planning agencies with information on plant release of noble gases during and following an accident.
DESIGN BASIS MAXIMUM RANGE
Design range values may be expressed in Xe-133 equivalent values for monitors employing gamma radiation detectors or in microcuries per cubic centimeter of air at standard temperature and pressure for monitors employing beta radiation detector (1R/hr at 1 ft = 6.7 Ci Xe-133 equivalent for point source). Calibrations with a higher energy source are acceptable. The decay of radionuclide noble gases after an accident (i.e., the distribution of noble gases changes) should be taken into account.
10^5  Undiluted Containment exhaust gases (e.g., PWR reactor building purge, PWR drywell purge through the standby gas treatment system).
      Undiluted PWR condenser air removal system exhaust.
10^4  Diluted Containment exhaust gases (e.g., >10:1 dilution, as with auxiliary building exhaust air).
      BWR reactor building (secondary Containment) exhaust air.
      PWR secondary Containment exhaust air.
10^3  Buildings with systems containing primary coolant or primary coolant offgases (e.g., PWR auxiliary buildings, BWR turbine buildings.)
      PWR steam safety valve discharge, atmospheric steam dump valve discharge.
10^2  Other release points (e.g., radwaste buildings, fuel handling/storage buildings).
REDUNDANCY:
Not required; monitoring the final release point of several discharge inputs is acceptable.
SPECIFICATIONS:
None; sampling design criteria per ANSI N13.1.
POWER SUPPLY:
Vital instrument bus or dependable backup power supply to normal AC.
TABLE II.F.1-1 (Continued) HIGH-RANGE NOBLE GAS EFFLUENT MONITORS
CALIBRATION:
Calibrate monitors using gamma detectors to Xe-133 equivalent (1 R/hr at 1 ft = 6.7 Ci Xe-133 equivalent for point source). Calibrate monitors using beta detectors to Sr-90, or similar long-lived beta isotope of at least 0.2 MeV.
DISPLAY: Continuous and recording as equivalent Xe
-actual noble gases.
QUALIFICATION:
The instruments shall provide sufficiently accurate responses to perform the intended function in the environment to which they will be exposed during accidents.
DESIGN CONSIDERATIONS:
Offline monitoring is acceptable for all ranges of noble gas concentrations.
Inline (induct) sensors are acceptable for 10 2 5  gases. For less than 10 2 -line monitoring is recommended.
Upstream filtration (prefiltering to remove radioactive iodines and particulates) is not required; however, design should consider all alternatives with respect to capability to monitor effluents following an accident.
For externally mounted monitors (e.g., PWR main steam line), the thickness of the pipe should be considered in accounting for low-energy gamma radiation.
II.F.1, ATTACHMENT 2, SAMPLING AND ANALYSIS OF PLANT EFFLUENTS
Position
Because iodine gaseous effluent monitors for the accident condition are not considered to be practical at this time, capability for effluent monitoring of radioiodines for the accident condition shall be provided with sampling conducted by adsorption on charcoal or other media, followed by onsite laboratory analysis.
Clarification
(1) Licensees shall provide continuous sampling of plant gaseous effluent for post-accident releases of radioactive iodines and particulates to meet the requirements of the enclosed Table II.F.1-2. Licensees shall also provide onsite laboratory capabilities to analyze or measure these samples. This requirement should not be construed to prohibit design and development of radioiodine and particulate monitors to provide online sampling and analysis for the accident condition.
If gross gamma radiation measurement techniques are used, then provisions shall be made to minimize noble gas interference.
(2) The shielding design basis is given in Table II.F.1-2. The sampling system design shall be such that plant personnel could remove samples, replace sampling media, and transport the samples to the onsite analysis facility with radiation exposures that are not in excess of the criteria of GDC 19 of 5 rem whole-body exposure and 75 rem to the extremities during the duration of the accident.
(3) The design of the systems for the sampling of particulates and iodines should provide for sample nozzle entry velocities which are approximately isokinetic (same velocity) with expected induct or instack air velocities. For accident conditions, sampling may be complicated by a reduction in stack or vent effluent velocities to below design levels, making it necessary to substantially reduce sampler intake flow rates to achieve the isokinetic condition. Reductions in air flow may well be beyond the capability of available sampler flow controllers to maintain isokinetic conditions; therefore, the staff will accept flow control devices which have the capability of maintaining isokinetic conditions with variations in stack or duct design flow velocity of +/-20 percent. Further departure from the isokinetic condition need not be considered in design. Corrections for nonisokinetic sampling conditions, as provided in Appendix C of ANSI 13.1-1969 may be considered on an ad hoc basis.
(4) Effluent streams which may contain air with entrained water, e.g. air ejector discharge, shall have provisions to ensure that the adsorber is not degraded while providing a representative sample, e.g., heaters.
TABLE II.F.1-2 SAMPLING AND ANALYSIS OR MEASUREMENT OF HIGH-RANGE RADIOIODINE AND PARTICULATE EFFLUENTS IN GASEOUS EFFLUENT STREAMS
EQUIPMENT:
Capability to collect and analyze or measure representative samples of radioactive iodines and particulates in plant gaseous effluents during and following an accident. The capability to sample and analyze for radioiodine and particulate effluents is not required for PWR secondary main steam safety valve and dump valve discharge lines.
PURPOSE: To determine quantitative release of radioiodines and particulates for dose calculation and assessment.
DESIGN BASIS SHIELDING ENVELOPE:
10^2  deposited on sampling media; 30 minutes sampling time, average gamma energy (E) of 0.5 MeV.
SAMPLING MEDIA:
Iodine >90 percent effective adsorption for all forms of gaseous iodine.
Particulates >90 percent effective retention for 0.3
SAMPLING CONSIDERATIONS:
Representative sampling per ANSI N13.1-1969. Entrained moisture in effluent stream should not degrade adsorber.
Continuous collection required whenever exhaust flow occurs.
Provisions for limiting occupational dose to personnel incorporated in sampling systems, in sample handling and transport, and in analysis of samples.
ANALYSIS:
Design of analytical facilities and preparation of analytical procedures shall consider the design basis sample.
Highly radioactive samples may not be compatible with generally accepted analytical procedures. In such case, measurement of emissive gamma radiations and the use of shielding and distance factors should be considered in design.
II.F.1, ATTACHMENT 3, CONTAINMENT HIGH-RANGE RADIATION MONITOR
Position
In Containment radiation-level monitors with a maximum range of 10^8 rad/hr shall be installed. A minimum of two such monitors that are physically separated shall be provided. Monitors shall be developed and qualified to function in an accident environment.
Clarification
(1) Provide two radiation monitor systems in Containment which are documented to meet the requirements of Table II.F.1-3.
(2) The specification of 10^8 rad/hr in the above position was based on a calculation of post-accident Containment radiation levels that included both particulate (beta) and photon (gamma) radiation. A radiation detector that responds to both beta and gamma radiation cannot be qualified to post-LOCA Containment environments but gamma-sensitive instruments can be so qualified. In order to follow the course of an accident, a Containment monitor that measures only gamma radiation is adequate. The requirement was revised in the October 30, 1979 letter to provide for a photon-only measurement with an upper range of 10^7 R/hr.
(3) The monitors shall be located in Containment(s) in a manner as to provide a reasonable assessment of area radiation conditions inside Containment. The monitors shall be widely separated so as to provide independent measurements and shall "view" a large fraction of the Containment volume. Monitors should not be placed in areas which are protected by massive shielding and should be reasonably accessible for replacement, maintenance, or calibration. Placement high in a reactor building dome is not recommended because of potential maintenance difficulties.
(4) For BWR Mark III Containments, two such monitoring systems should be inside both the primary Containment (drywell) and the secondary containment.
(5) The monitors are required to respond to gamma photons with energies as low as 60 keV and to provide an essentially flat response for gamma energies between 100 keV and 3 MeV, as specified in Table II.F.1-3. Monitors that use thick shielding to increase the upper range will underestimate post-accident radiation levels in Containment by several orders-of-magnitude because of their insensitivity to low energy gammas and are not acceptable.
TABLE II.F.1-3 CONTAINMENT HIGH-RANGE RADIATION MONITOR
REQUIREMENT:
The capability to detect and measure the radiation level within the reactor Containment during and following an accident.
RANGE: 1 rad/hr to 10^8 rads/hr (beta and gamma) or, alternatively, 1 R/hr to 10^7 R/hr (gamma only).
RESPONSE: 60 keV to 3 MeV photons, with linear energy response (+/-20 percent) for photons of 0.1 MeV to 3 MeV. Instruments must be accurate enough to provide usable information.
REDUNDANT:
A minimum of two physically separated monitors (i.e., monitoring widely separated spaces within Containment.)
DESIGN AND QUALIFICATION:
Category 1 instruments as described in Appendix A, except as listed below.
SPECIAL CALIBRATION:
In situ calibration by electronic signal substitution is acceptable for all range decades above 10 R/hr. In situ calibration for at least one decade below 10 R/hr shall be by means of calibrated radiation source. The original laboratory calibration is not an acceptable position due to the possible differences after in situ installation. For high-range calibration, no adequate sources exist, so an alternate was provided.
SPECIAL ENVIRONMENTAL QUALIFICATION:
Calibrate and type-test representative specimens of detectors at sufficient points to demonstrate linearity through all scales up to 10^6 R/hr. Prior to initial use, certify calibration of each detector for at least one point per decade of range between 1 R/hr and 10^3 R/hr.
CN-3123
II.F.1, ATTACHMENT 4, CONTAINMENT PRESSURE MONITOR
Position
A continuous indication of Containment pressure shall be provided in the control room of each operating reactor. Measurement and indication capability shall include three times the design pressure of the Containment for concrete, four times the design pressure for steel, and -5 psig for all Containments.
Clarification
(1) Design and qualification criteria are outlined in Appendix A.
(2) Measurement and indication capability shall extend to 5 psia for sub-atmospheric Containments.
(3) Two or more instruments may be used to meet requirements. However, instruments that need to be switched from one scale to another scale to meet the range requirements are not acceptable.
(4) Continuous display and recording of the Containment pressure over the specified range in the control room is required.
(5) The accuracy and response time specifications of the pressure monitor shall be provided and justified to be adequate for their intended function.
II.F.1, ATTACHMENT 5, CONTAINMENT WATER LEVEL MONITOR
Position
A continuous indication of Containment water level shall be provided in the control room for all plants. A narrow-range instrument shall be provided for PWRs and cover the range from the bottom to the top of the Containment sump. A wide-range instrument shall also be provided for PWRs and shall cover the range from the bottom of the Containment to the elevation equivalent to a 600,000 gallon capacity. For BWRs, a wide-range instrument shall be provided and cover the range from the bottom to 5 feet above the normal water level of the suppression pool.
Clarification
(1) The Containment wide-range water level indication channels shall meet the design and qualification criteria as outlined in Appendix A. The narrow-range channel shall meet the requirements of RG 1.89.
(2) The measurement capability of 600,000 gallons is based on recent plant designs. For older plants with smaller water capacities, licensees may propose deviations from this requirement based on the available water supply capability at their plant.
(3) Narrow-range water level monitors are required for all sizes of sumps, but are not required in those plants that do not contain sumps inside the Containment.
(4) For BWR pressure-suppression Containments, the emergency core cooling system suction line inlets may be used as a starting reference point for the narrow-range and wide-range water level monitors, instead of the bottom of the suppression pool.
(5) The accuracy requirements of the water level monitors shall be provided and justified to be adequate for their intended function.
II.F.1, ATTACHMENT 6, CONTAINMENT HYDROGEN MONITOR
Position
A continuous indication of hydrogen concentration in the Containment atmosphere shall be provided in the control room. Measurement capability shall be provided over the range of 0 to 10 percent hydrogen concentration under both positive and negative ambient pressure.
Clarification
(1) Design and qualification criteria are outlined in Appendix A.
(2) The continuous indication of hydrogen concentration is not required during normal operation.
If an indication is not available at all times, continuous indication and recording shall be functioning within 30 minutes of the initiation of safety injection.
(3) The accuracy and placement of hydrogen monitors shall be provided, and justified to be adequate for their intended function.
STPEGS Response
Implementation of the NUREG-0737, ITEM II.F.1, instrumentation was integrated with the activities of NUREG-0737, Supplement 1, specifically the CRDR and the implementation of RG 1.97 as described in Sections S.5 and S.6 of this Appendix, respectively. A human factors analysis was performed during the CRDR.
Appendix 7B, Table 7B.1-1 identifies the variables which satisfy the II.F.1 requirements. Instrumentation adequacy and qualifications are addressed in the analysis presented in Appendix 7B. Table 7.5-1 provides further information as to instrument ranges, qualifications, and display methodology.
Instrumentation calibration requirements are identified in the Technical Specifications. A calibration program is in place as identified in Section 13.5.
Instrumentation provided by STPEGS to respond to each attachment of NUREG-0737, Item II.F.1 is further discussed below.
(1) Noble Gas Monitor
The STPEGS design includes one wide-range noble gas monitor for the unit vent which detects and measures concentrations of noble gas fission products in plant gaseous effluents during and following an accident. Three detectors with overlapping ranges provide a monitoring range from normal to 10^5
An adjacent-to-line monitor is provided for each main steam line to monitor the concentration in steam that is released to the environment via the SG safety valves or the SG PORVs.
The range of the monitor is identified in Table 7.5-1. The monitor is powered from a Non 1E Vital AC power source.
The instrumentation is a part of the Radiation Monitoring System (RMS) as described in Section 11.5. Procedures for use of the instrumentation in determining release rates will be provided as described in Section 13.5.
(2) Iodine/Particulate Sampling
Iodine and particulate isokinetic sampling capability, with onsite analysis, of the plant gaseous effluents is continuously provided, both during and following an accident.
The sampling station for the unit vent is located on the 60-ft elevation of the MAB. The station is accessible post-accident. The plant effluent sampling system and analysis capability are further discussed in Section 11.5.
(3) Containment High Range Radiation Monitor
Redundant Class 1E monitors are provided in the Containment Building. The monitors are positioned to be accessible for calibration and repair and so that they will be exposed to a representative volume of the Containment atmosphere. The range of the monitors is 1R/hr to 10E8/hr gamma. An evaluation was performed to confirm that the use of the Alternate Source Term (AST) described in RG 1.183 does not impact the Containment High Range Radiation Monitor analyses.
(4) Containment Pressure
Redundant Class 1E Containment pressure and extended range Containment pressure monitoring channels provide continuous monitoring and recording of Containment pressure. These monitors cover a range from normal to accident conditions.
(5) Containment Water Level
The STPEGS design includes redundant, Class 1E, wide-range level monitors.
In addition, Class 1E narrow range monitors are provided in the normal and secondary sumps. These monitoring channels provide continuous monitoring and recording of the Containment water level for use in diagnosis of a LOCA.
(6) Containment Hydrogen
The STPEGS design includes redundant, Class 1E, hydrogen concentration monitoring from 0 to 10 percent. Continuous indication and recording can be initiated by the operator within 30 minutes of the initiation of safety injection. The Hydrogen Monitoring System is described further in Section 7.6.5. Per 10CFR50.44, hydrogen recombiners are no longer required for design basis accidents.
CN-3137
II.F.2 INSTRUMENTATION FOR DETECTION OF INADEQUATE CORE COOLING
Position
Licensees shall provide a description of any additional instrumentation or controls (primary or backup) proposed for the plant to supplement existing instrumentation (including primary coolant saturation monitors) in order to provide an unambiguous, easy-to-interpret indication of inadequate core cooling (ICC). A description of the functional design requirements for the system shall also be included. A description of the procedures to be used with the proposed equipment, the analysis used in developing these procedures, and a schedule for installing the equipment shall be provided.
Clarification
(1) Design of new instrumentation should provide an unambiguous indication of ICC. This may require new measurements or a synthesis of existing measurements that meet design criteria (item 7).
(2) The evaluation is to include reactor water level indication.
(3) Licensees and applicants are required to provide the necessary design analysis to support the proposed final instrumentation system for ICC, to evaluate the merits of various instruments to monitor water level, and to monitor other parameters indicative of core cooling conditions.
(4) The indication of ICC must be unambiguous in that it should have the following properties:
  (a) It must indicate the existence of ICC caused by various phenomena (i.e., high-void fraction-pumped flow as well as stagnant boil-off).
  (b) It must not erroneously indicate ICC because of the presence of an unrelated phenomenon.
(5) The indication must give advanced warning of the approach of ICC.
(6) The indication must cover the full range from normal operation to complete core uncovery.
For example, water level instrumentation may be chosen to provide advanced warning of two-phase level drop to the top of the core. This could be supplemented by other indicators such as incore and core exit thermocouples, provided the indicated temperatures can be correlated to provide an indication of the existence of ICC, and to infer the extent of core uncovery. Alternatively, full-range level instrumentation to the bottom of the core may be employed in conjunction with other diverse indicators such as core exit thermocouples, to preclude misinterpretation due to any inherent deficiencies or inaccuracies in the measurement system selected.
(7) All instrumentation in the final ICC system must be evaluated for conformance to Appendix A (sic), "Design and Qualification Criteria for Accident Monitoring Instrumentation", as clarified or modified by the provisions of items 8 and 9 that follow. This is a new requirement.
(8) If a computer is provided to process liquid level signals for display, seismic qualification is not required for the computer and associated hardware beyond the isolator or input buffer at a location accessible for maintenance following an accident. The single-failure criteria of Item 2, Appendix A (sic), need not apply to the channel beyond the isolation device if it is designed to provide 99 percent availability with respect to functional capability for liquid-level display. The display and associated hardware beyond the isolation device need not be Class 1E, but should be energized from a high reliability power source that is battery backed. The quality assurance provisions cited in Appendix A (sic), Item 5, need not apply to this portion of the instrumentation system. This is a new requirement.
(9) Incore thermocouples located at the core exit, or at discrete axial levels of the ICC monitoring system and that are part of the monitoring system, should be evaluated for conformity with Attachment 1, "Design and Qualification Criteria for PWR Incore Thermocouples", which is a new requirement.
(10) The types and locations of displays and alarms should be determined by performing a human factors analysis taking into consideration:
  (a) The use of this information by an operator during both normal and abnormal plant conditions.
  (b) Integration into emergency procedures.
  (c) Integration into operator training.
  (d) Other alarms during emergency and need for prioritization of alarms.
(The referenced Attachment 1 and Appendix A (sic) are attached to NUREG-0737. Attachment 1 is also reproduced here.)
II.F.2 ATTACHMENT 1, DESIGN AND QUALIFICATION CRITERIA FOR PRESSURIZED-WATER REACTOR INCORE THERMOCOUPLES
(1) Thermocouples located at the core exit for each core quadrant, in conjunction with core inlet temperature data, shall be of sufficient number to provide indication of radial distribution of the coolant enthalpy (temperature) rise across representative regions of the core. Power distribution symmetry should be considered when determining the specific number and location of thermocouples to be provided for diagnosis of local core problems.
(2) There should be a primary operator display (or displays) having the capabilities which follow:
  (a) A spatially oriented core map available on demand indicating the temperature or temperature difference across the core at each core exit thermocouple location.
  (b) A selective reading of core exit temperature, continuous on demand, which is consistent with parameters pertinent to operator actions in connection with plant-specific inadequate core cooling procedures. For example, the action requirement and the displayed temperature might be either the highest of all operable thermocouples or the average of five highest thermocouples.
  (c) Direct readout and hard-copy capability should be available for all thermocouple temperatures. The range should extend from 200F (or less) to 1,800F (or more).
  (d) Trend capability showing the temperature-time history of representative core exit temperature values should be available on demand.
  (e) Appropriate alarm capability should be provided consistent with operator procedure requirements.
  (f) The operator-display device interface shall be human-factor-designed to provide rapid access to request displays.
(3) A backup display (or displays) should be provided with the capability for selective reading of a minimum of 16 operable thermocouples, 4 from each core quadrant, all within a time interval no greater than 6 minutes. The range should extend from 200F (or less) to 2,300F (or more).
(4) The types and locations of displays and alarms should be determined by performing a human factors analysis taking into consideration:
  (a) the use of this information by an operator during both normal and abnormal plant conditions,
  (b) integration into emergency procedures,
  (c) integration into operator training, and
  (d) other alarms during emergency and need for prioritization of alarms.
(5) The instrumentation must be evaluated for conformance to Appendix B, "Design and Qualification Criteria for Accident Monitoring Instrumentation", as modified by the provisions of items 6 through 9 which follow.
(6) The primary and backup display channels should be electrically independent, energized from independent station Class 1E power sources, and physically separated in accordance with RG 1.75 up to and including any isolation device. The primary display and associated hardware beyond the isolation device need not be Class 1E, but should be energized from a high-reliability power source, battery backed, where momentary interruption is not tolerable. The backup display and associated hardware should be Class 1E.
(7) The instrumentation should be environmentally qualified as described in Appendix B, item 1, except that seismic qualification is not required for the primary display and associated hardware beyond the isolator/input buffer at a location accessible for maintenance following an accident.
(8) The primary and backup display channels should be designed to provide 99 percent availability for each channel with respect to functional capability to display a minimum of four thermocouples per core quadrant. The availability shall be addressed in Technical Specifications.
(9) The quality assurance provisions cited in Appendix B, item 5, should be applied except for the primary display and associated hardware beyond the isolation device.
STPEGS Response
The STPEGS design includes redundant instrumentation to monitor the approach to, existence of, and recovery from ICC. The monitored parameters, selected to provide an unambiguous indication of ICC, are the RCS subcooled margin, the water level above the reactor core, and the RCS temperature at the core exit.
The implementation of the instrumentation used for monitoring the RCS subcooled margin, reactor vessel water level, and core exit temperatures has been integrated with the activities of NUREG-0737, Supplement 1 (See Section S.1 through S.5 of Appendix 7A) and the implementation of RG 1.97 (see Section 7.5.1 and Appendix 7B). Table 7.5-1 provides information as to instrument ranges, qualifications, and display methodology. The QDPS, as described in Section 7.5.6, performs the signal processing and display for the instrumentation to detect ICC.
The Inadequate Core Cooling Monitoring System installed on STPEGS includes the following:
Core exit thermocouple (TC) monitoring
Core subcooling margin monitoring
Reactor vessel water level monitoring
A detailed system description of each of the above ICC monitoring subsystems is given below:
A. Core Exit Thermocouple System
The number of required Core Exit Thermocouples (CETs) is governed by Technical Specifications. The following description will reflect the original design with 50 CETs as a "nominal" number. The descriptions will continue to reflect 50 CETs but the actual number is subject to change based on plant conditions such as have occurred when CETs have broken within the thermocouple tubing inside the reactor head.
The core exit thermocouple monitoring system consists of two redundant trains that monitor all of the STPEGS chromel-alumel core exit thermocouples (25 on each train). A block diagram of the system is shown in Figure 7A.II.F.2-1. The core exit thermocouples are mounted at the top of the core support plate.
The cables from the thermocouples are routed to the in-Containment qualified reference junction boxes. Each reference junction box includes three redundant platinum resistance temperature detectors (RTDs) for reference junction temperature compensation.
The uncompensated core exit thermocouple signals and the reference junction box temperature signals are routed to the Class 1E remote processing units (RPU) A and C. Each RPU consolidates the input data, performs conversion to process units, and formats the data for transmission to the Class 1E database processing units (DPU) and to the non-Class 1E ERFDADS. The RPU to ERFDADS and DPU communications are via isolated RS-422 communication datalinks.
The Class 1E database processing units receive isolated datalink inputs from each RPU and calculate the compensated core exit thermocouple value. The value chosen for the reference junction box temperature is a function of data quality of the three RTD signals. Following the calculation of all 50 compensated core exit thermocouple values, the information from the DPUs is transmitted to six control room and two auxiliary shutdown panel flat panel QDPS plasma displays. Each DPU also provides isolated analog outputs to drive non-Class 1E recorders in the main control room.
Each plasma display unit displays individual thermocouple temperatures and provides two levels of alarm when pre-set temperatures are exceeded. These plasma display units are seismically and environmentally qualified Class 1E components.
The analog recorders trend the hottest core-exit thermocouple and also the maximum quadrant average core exit TC temperature.
The equipment used for core exit temperature monitoring (shown in Figure 7A.II.F.2-1) has been designed to meet the intent of IEEE 279-1971 as discussed in Section 7.5.6.2.
Consistent with the requirements of NUREG-0737, an evaluation was made of the minimum number of valid core exit thermocouples necessary for measuring core cooling. The evaluation determined the complement of core exit thermocouples necessary to detect initial core recovery and trend the ensuing core heatup. The evaluations account for core nonuniformities, including incore effects of the radial decay power distributions, excore effects of condensate runback in the hot legs, and nonuniform inlet temperatures. Based on this evaluation, adequate core cooling is ensured with two valid core exit thermocouple channels per quadrant with two core exit thermocouples per required channel. The core exit thermocouple pair are oriented radially to permit evaluation of core radial decay power distribution. Core exit temperature is used to determine whether to terminate Safety Injection, if still in progress, or to reinitiate Safety Injection if it has been stopped. Core exit temperature is also used for unit stabilization and cooldown control.
Two OPERABLE channels of core exit thermocouples are required in each quadrant to provide indication of radial distribution of the coolant temperature rise across representative regions of the core. Power distribution symmetry was considered in determining the specific number and locations provided for diagnosis of local core problems. Two randomly selected thermocouples are not sufficient to meet the two thermocouples per channel requirement in any quadrant. The two thermocouples in each channel must meet the additional requirement that one is located near the center of the core and the other near the core perimeter, such that the pair of core exit thermocouples indicate the radial temperature gradient across their core quadrant. The unit specific response to Item II.F.2 of NUREG-0737 further discusses the core exit thermocouples. Two sets of two thermocouples ensure a single failure will not disable the ability to determine the radial temperature gradient. The subcooling margin monitor requirements are not affected by allowing 2 thermocouples/channel/quadrant as long as each channel has at least four operable thermocouples in any quadrant (e.g., A Train has four operable thermocouples in one of the quadrants, and C Train has four operable thermocouples in the same quadrant or any other quadrant). This preserves the ability to withstand a single failure.
B. Core Subcooling Margin Monitor
The core subcooling margin monitor is designed to give an early warning to the plant personnel that core conditions are approaching a saturation condition.
The inputs to the core subcooling margin monitor include the following:
: wide-range and extended-range RCS pressure (3 channels)
: core exit thermocouples (50, 2 channels)
: reference junction box RTD values (6 channels)
A block diagram of the core subcooling margin monitor is shown in Figure 7A.II.F.2-2. One channel of RCS pressure (wide-range/extended-range) is input into each of RPU B, C, and D. Also, 25 uncompensated thermocouple channels and the corresponding three reference junction box RTD signals are input into each of RPU A and C. The outputs of each of the RPUs are routed to each DPU. The core subcooling margin is then calculated using the wide-range/extended-range RCS pressure and compensated core exit thermocouple readings. The value of RCS pressure utilized in the calculation is the average of the valid pressure signals. The value of core subcooling margin is based upon the auctioneered high quadrant average temperature.
The subcooling calculated values are provided as margin to saturation on all of the plasma displays at the main control room and auxiliary shutdown panel. Alarming functions are provided when the core subcooling margin indication moves into the superheat region.
The equipment used for core subcooling margin monitoring (shown on Figure 7A.II.F.2-2) has been designed to meet the intent of IEEE 279-1971 as discussed in Section 7.5.6.2.
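The calculation described in this subsection, written out as an added Python example (not code from the UFSAR or from the QDPS supplier): the valid pressure signals are averaged, the highest quadrant-average core exit temperature is auctioneered, and the result is mapped to the SUBCOOL/SUPERHEAT display states this appendix gives under Attachment 1, Item (2). The validity windows, the low-margin setpoint, the INVALID state, the function names and the rounded saturation table are assumptions made for the example.

```python
"""Core subcooling margin with input validation (added illustration)."""
from bisect import bisect_right
from statistics import mean

# Rounded saturation points for water (psia, deg F) from standard steam tables.
# Linear interpolation between them is a simplification made for this example.
SAT_TABLE = [(14.7, 212.0), (100.0, 327.8), (500.0, 467.0), (1000.0, 544.6),
             (1500.0, 596.2), (2000.0, 635.8), (2500.0, 668.1), (3000.0, 695.3)]

# Assumptions, not UFSAR values: signal validity windows and low-margin setpoint.
PRESSURE_VALID_PSIA = (14.7, 3000.0)
TC_VALID_DEGF = (100.0, 2300.0)
LOW_MARGIN_DEGF = 30.0
# From the page: a thermocouple readout greater than 1200 F is flashed.
TC_FLASH_DEGF = 1200.0


def saturation_temp(p_psia):
    """Interpolate saturation temperature (deg F) for a pressure in psia."""
    pressures = [p for p, _ in SAT_TABLE]
    if not pressures[0] <= p_psia <= pressures[-1]:
        raise ValueError("pressure outside saturation table")
    i = min(bisect_right(pressures, p_psia), len(SAT_TABLE) - 1)
    (p0, t0), (p1, t1) = SAT_TABLE[i - 1], SAT_TABLE[i]
    return t0 + (t1 - t0) * (p_psia - p0) / (p1 - p0)


def valid_readings(readings, window):
    """Drop failed (None), NaN and out-of-window readings."""
    lo, hi = window
    return [r for r in readings if r is not None and lo <= r <= hi]


def subcooling_display(pressures_psia, quadrant_tcs_degf):
    """Return the display state for the core subcooling margin.

    pressures_psia: readings from the RCS pressure channels (None = failed).
    quadrant_tcs_degf: {quadrant: [compensated core exit TC readings]}.
    """
    good_p = valid_readings(pressures_psia, PRESSURE_VALID_PSIA)
    quad_avg = {}
    flashed = []
    for quadrant, tcs in quadrant_tcs_degf.items():
        good = valid_readings(tcs, TC_VALID_DEGF)
        flashed += [t for t in good if t > TC_FLASH_DEGF]
        if good:
            quad_avg[quadrant] = mean(good)

    state = {"label": "INVALID", "value_degf": None, "quadrant": None,
             "inverse": True, "flash": False, "flashed_tcs": sorted(flashed)}
    # Fail visibly rather than compute a margin from missing inputs
    # (the INVALID state is an assumption of this example).
    if not good_p or not quad_avg:
        return state

    t_sat = saturation_temp(mean(good_p))   # average of the valid pressures
    hot = max(quad_avg, key=quad_avg.get)   # auctioneered high quadrant average
    margin = t_sat - quad_avg[hot]
    if margin < 0:                          # TC average exceeds saturation
        state.update(label="SUPERHEAT", value_degf=-margin, flash=True)
    else:                                   # at or below saturation
        state.update(label="SUBCOOL", value_degf=margin,
                     inverse=margin < LOW_MARGIN_DEGF)
    state["quadrant"] = hot
    return state


# Constructed sample inputs (not plant data).
NORMAL = subcooling_display(
    [2000.0, 2000.0, None],
    {"Q1": [560.0, 570.0], "Q2": [550.0, 9999.0],
     "Q3": [545.0, 555.0], "Q4": [None, 540.0]})
DEGRADED = subcooling_display(
    [1000.0, 1000.0, 1000.0],
    {"Q1": [700.0, 1250.0], "Q2": [600.0, 610.0], "Q3": [590.0], "Q4": [580.0]})
NO_PRESSURE = subcooling_display([None, float("nan"), 5000.0], {"Q1": [560.0]})

if __name__ == "__main__":
    for name, result in (("normal", NORMAL), ("degraded", DEGRADED),
                         ("no pressure", NO_PRESSURE)):
        print(name, result)
```

Out-of-window and failed signals are excluded before averaging, so one bad channel cannot shift the computed margin, and a total loss of valid inputs yields an explicit invalid state instead of a stale or fabricated number.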
C. Reactor Vessel Water Level System
The Reactor Vessel Water Level System (RVWLS) provides the capability for measurement of the reactor coolant inventory in the upper head and plenum regions of the reactor vessel. STPEGS has provided a heated junction thermocouple (HJTC) system supplied by C-E. This system measures the water level inventory in the reactor vessel above the upper core alignment plate, even when a steam/water two-phase mixture exists in the reactor vessel. This is accomplished by the use of two identical probe assemblies, each containing eight HJTC sensors with individual splash shields which are axially distributed inside a separator tube.
The HJTC sensors located inside this separator tube measure the collapsed water level (water inventory) in the reactor vessel above the upper core alignment plate. An HJTC sensor consists of two physically separated thermocouple junctions, one of which is electrically heated. The basic principle of the system operation is to determine whether a sensor is covered with water by detecting the temperature difference between adjacent heated and unheated thermocouples. When the water level inside the probe falls below a given sensor location during a loss of coolant event, the heated junction temperature increases due to the relatively poor cooling ability (lower heat transfer coefficient) of steam versus water. When the relative temperature difference between heated and unheated junctions exceeds a predetermined value, the sensor registers as being uncovered (i.e., surrounded by steam only).
The probes for STPEGS are of the "split-probe" design, having two sensors located in the upper head region and six sensors located in the upper plenum region. This design allows unambiguous indication of water level in either region regardless of their instantaneous relative pressures. The sensors are located from the top of the vessel down to the top of the fuel alignment plate, giving the operator unambiguous indication of water level during system conditions associated with the approach to and recovery from ICC.
The two upper sensors are located in the uppermost position possible in each region of the probe (one sensor in the upper head region and one sensor in the upper plenum region) to indicate the formation of a void space as early as possible. Two sensors (one in each region) are located as low as practicable to indicate the draining of the water inventory in that region. This lower sensor in the upper head is located 2 inches above the reactor vessel closure head mating surface. This elevation is important because when the liquid level falls below the closure head mating surface, communication between the upper head and downcomer annulus through the orifice holes essentially ceases. The fluid in the "bottom hat" trough does not communicate with any other region in the reactor vessel. Hence, location of a sensor in this region would not provide the reactor operator with any useful information, and quite possibly could be misleading. There are four other HJTC sensor locations in the lower (upper plenum) portion of each probe. These sensors do not have separator tube flow holes or support tube slots associated with their position. Three of these sensor locations are in the upper plenum at the elevation of the top of the hot leg, centerline of the hot leg, and bottom of the hot leg. The sensor location at the top of the hot leg is important since it indicates to the reactor operator when natural circulation cooling is possible.
When the water level in the reactor vessel falls below this elevation, the loss of natural circulation becomes imminent. A sensor located at the bottom of the hot leg is important because, when the water level drops below this elevation, communication between the liquid inventory in the reactor vessel and the reactor coolant system piping ceases and the water inventory in the reactor vessel may drop more rapidly than before. A liquid level below this elevation implies that core cooling could be threatened. The fourth sensor is positioned half-way between the sensor located at the bottom of the hot leg and the sensor located just above the upper core plate. This sensor location provides continuity in the liquid level indication in the upper plenum. The maximum distance between sensors in the upper plenum is slightly less than 1.5 ft.
The RVWLS is composed of two trains of HJTC instruments. Each HJTC instrument is assembled into a probe assembly. Each probe has eight electrically independent HJTC sensors as discussed above. Each HJTC train is powered from Class 1E power. The cables from the probes are routed to in-Containment qualified junction boxes. The signals are then routed to the Class 1E HJTC processors outside Containment. The HJTC processors perform the following functions:
: 1. Determine if liquid inventory exists at each HJTC sensor position.
: 2. Provide control of heater power for proper HJTC output signal level.
: 3. Provide status of each HJTC assembly.
: 4. Provide a Class 1E redundant datalink with the QDPS, which then transmits the following data for display in the control room:
: a. Temperature of each heated/unheated thermocouple.
: b. Status of each HJTC sensor:  covered, uncovered, operating or failed.
: c. Liquid level inventory above the alignment plate.
: d. Liquid level inventory in the upper head.
The QDPS displays items c and d. The ERFDADS displays items a, b, c, and d.
The QDPS provides control room displays showing the reactor vessel and two vertical level indicator columns, one for each HJTC probe. Each column contains a discrete indication corresponding to each of the HJTC sensors in the probe and a percentage indication of the liquid level inventory in the head and plenum areas.
The information transmitted to the QDPS is retransmitted to the non-Class 1E ERFDADS via isolated RS 422 communication datalinks and is then used to provide display capabilities in the TSC and EOF.
A block diagram of the reactor vessel water level system is shown in Figure 7A.II.F.2-3. The equipment used for reactor vessel water level monitoring (shown on Figure 7A.II.F.2-3) has been designed to meet the intent of IEEE 279-1971 as discussed in Section 7.5.6.2.
NUREG-0737 Required Documentation
Item II.F.2 of NUREG-0737 specifies the following required documentation concerning instrumentation for detection of ICC:
(1) A description of the proposed final system including:
: (a) a final design description of additional instrumentation and displays;
: (b) a detailed description of existing instrumentation systems (e.g., subcooling meters and incore thermocouples), including parameter ranges and displays, which provide operating information pertinent to ICC considerations; and
: (c) a description of any planned modifications to the instrumentation systems described in item 1.b above.
(2) The necessary design analysis, including evaluation of various instruments to monitor water level, and available test data to support the design described in item 1 above.
(3) A description of additional test programs to be conducted for evaluation, qualification, and calibration of additional instrumentation.
(4) An evaluation, including proposed actions, on the conformance of ICC instrument system to this document, including Attachment 1 and Appendix A (sic). Any deviations should be justified.
(5) A description of the computer functions associated with ICC monitoring and functional specifications for relevant software in the process computer and other pertinent calculators. The reliability of nonredundant computers used in the system should be addressed.
(6) A current schedule, including contingencies, for installation, testing and calibration, and implementation of any proposed new instrumentation or information displays.
(7) Guidelines for use of the additional instrumentation, and analyses used to develop these procedures.
(8) A summary of key operator action instructions in the current emergency procedures for ICC and a description of how these procedures will be modified when the final monitoring system is implemented.
(9) A description and schedule commitment for any additional submittals which are needed to support the acceptability of the proposed final instrumentation system and emergency procedures for ICC.
The following is a discussion of each of the above items as they relate to the STPEGS instrumentation for detection of ICC:
(1) The inadequate core cooling systems are described above.
The parameter ranges and control room displays are summarized in Table 7.5-1.
(2) An indication of a declining subcooled margin in the RCS will provide the earliest warning that conditions are developing which could lead to ICC. If the event is allowed to progress, saturation conditions will be observed, along with indication of a declining water level above the reactor core. Reactor vessel water level alone does not identify the existence of ICC, only the potential for ICC. Maintaining the water level at the point above the core is not essential for adequate core cooling. A steam/water froth region extending down into the core could equate to a water level below the top of the core and yet provide adequate core cooling. Only as the top of the froth region drops below the top of the core would ICC tend to occur. RCS pressure and core exit temperatures indicate this phase of the event by a continuing decline in the margin to saturation progressing into the superheat region. Alternatively, the recovery from ICC and the subsequent stages of the event would be monitored to verify that corrective actions taken have resulted in the expected plant response.
The ICC instrumentation previously described has been designed to provide these indications of approaching ICC to the operator.
(3) The ICC instrumentation systems have been successfully tested to demonstrate their ability to perform all required functions.
(4) An evaluation of the conformance of the thermocouple/core subcooling margin monitor system and the reactor vessel water level system to NUREG-0737 Attachment 1 and Appendix B is as follows:
(a) Attachment 1, Item (1)
The 50 Class 1E core exit thermocouples are fully qualified and comply with the recommendations of RGs 1.89 and 1.100. The thermocouples are located at the core exit and in an arrangement such that each of the redundant microprocessor systems has core exit thermocouples distributed over the entire core, in sufficient number to determine the radial temperature rise across representative regions of the core. Power distribution symmetry was considered in determining proper TC locations. The wide-range/extended-range RCS pressure sensors are located on three separate RCS loops, as shown on Figure 5.1-1. The RVWLS probes for STPEGS are of the "split-probe" design, having two sensors located in the upper head region and six sensors located in the upper plenum region, ranging from the top of the vessel down to the top of the fuel alignment plate. The two probes are located approximately 180 degrees from each other, in opposite core quadrants.
(b) Attachment 1, Item (2)
The following illustrate the utilization of the ICC QDPS displays when monitoring the STPEGS Critical Safety Function trees.
: i. Core Cooling - This display is utilized in monitoring the core cooling status tree. Core exit thermocouple temperature, core subcooling, and RVWL indications are utilized.
: ii. Inventory - This display is utilized in monitoring the inventory status tree. The only ICC indication utilized is RVWL.
The South Texas QDPS display structure also enables the operators to monitor various subsystems within the plant. Included on these displays is ICC information as follows:
: i. RCS - The RCS subsystem display exhibits all of the ICC information, i.e., core subcooling, maximum thermocouple indication, and RVWLS reading. The associated RCS trend display shows the RVWLS variable trends for the previous 30 minutes.
: ii. P-T SAT-LMT - The QDPS display structure also includes a pressure-temperature plot as a function of time which illustrates to the operator the RCS temperature margin to saturation. Also illustrated on the display is a digital value corresponding to subcooling margin and auctioneered high quadrant TC average temperature.
: iii. SI TERM/REIN - The STPEGS Emergency Operating Procedures utilize ICC indications for specifying the conditions necessary for SI termination and reinitiation.
: iv. T/C QUAD TEMP - A QDPS display is also available to the operator which provides a summary of core exit thermocouple quadrant data (minimum, average, and maximum reading) and their relationship to RCS hot leg and cold leg wide range temperatures. Also illustrated on the display is a digital value corresponding to subcooling margin.
: v. CORE EXIT T/C MAP - A more detailed level of display is also available on the core exit thermocouples. This page provides a core map of all 50 core exit thermocouples at their respective core locations.
: vi. T/C TEMP - Finally, a detailed data list of all 50 core exit TCs is available. The information provided on this page includes the following: the power train associated with each TC; the sensor tag number; the TC location; and the TC reading in degrees Fahrenheit. Also provided on this page are reference junction box RTD readings.
The QDPS display structure provides an integrated display of all the STPEGS RG 1.97, Rev. 2 Category 1 variables, including the ICC instrumentation. The ICC data, which is displayed in a mimic of the reactor vessel, includes:  (1) the maximum core exit TC temperature; (2) the core subcooling margin; and (3) the RVWLS reading.
Alarm capability - The core exit thermocouple display pages are designed such that any numeric thermocouple readout greater than 1200F will be displayed in inverse video and flashed.
The core subcooling margin will indicate "SUBCOOL" when the auctioneered high quadrant TC average temperature is at or below the RCS coolant saturation point.  "SUBCOOL" and the respective numeric value in degrees Fahrenheit will be displayed in inverse video when the subcooling margin is less than a specified value.  "SUPERHEAT" and the respective numeric value in degrees Fahrenheit will be displayed in inverse video and flashed when the auctioneered high quadrant TC average temperature exceeds the coolant saturation temperature.
Trend Capability - In addition to being displayed on the QDPS, the maximum core exit thermocouple channel, the maximum quadrant average temperature, the RVWLS readings and the core subcooling margin are sent to the QDPS recorder demultiplexer in order to obtain a paper copy of the parameter time history of the respective variables.
  (c) Attachment 1, Item (3)
Backup Display - Since the STPEGS QDPS features two redundant trains of display, one train of display units is considered the primary display and the other is considered the backup display. As such, the backup displays for monitoring ICC are also qualified displays. Item (h) below addresses TC operability.
  (d) Attachment 1, Item (4)
Human factors consideration of the types and locations of displays and alarms is discussed in Appendix 7A, Section S.5. The ICC display instrumentation is considered in the overall human factors evaluation.
  (e) Attachment 1, Item (5)
Conformance to the specific items of Appendix B of NUREG-0737 is addressed in the analysis presented in Appendix 7B. Table 7.5-1 provides further information as to instrument ranges, qualification, and display methodology.
  (f) Attachment 1, Item (6)
The QDPS trains are electrically independent, are energized from independent Class 1E power sources, and are separated in accordance with RG 1.75 except in the reactor vessel head, where the required circuits to the TCs are separated to the maximum extent practicable. Both the primary and backup displays and associated hardware are Class 1E.
  (g) Attachment 1, Item (7)
The instrumentation for ICC monitoring is seismically and environmentally qualified as discussed in Sections 3.10 and 3.11.
  (h) Attachment 1, Item (8)
The QDPS and the ICC monitoring instrumentation are designed to provide 99 percent availability for each channel. The operability requirement of a minimum of four TCs per core quadrant has been addressed in the Technical Specifications.
  (i) Attachment 1, Item (9)
Quality assurance requirements for these instruments are addressed in Appendix 7B.
(5) The QDPS features two redundant trains of Class 1E displays. One train of display units is considered the primary display and the other is considered the backup display. The QDPS is also datalinked to the Emergency Response Facilities (ERF) computer which performs independent processing of the ICC instrumentation inputs to independently display all required ICC parameters.
(6) The ICC instrumentation was installed, tested, and operational prior to fuel load.
  (7 & 8) The ICC instrumentation is part of the integrated design for STPEGS. Plant specific emergency operating procedures addressing use of the information from the ICC instrumentation system were developed taking into account recommendations from the C-E generic procedures and from the WOG Emergency Response Guidelines (ERGs). The STPEGS operator training program includes material associated with the use of the ICC instrumentation system.
  (9) No additional submittals are anticipated to support the acceptability of the STPEGS ICC instrumentation. Emergency Operating Procedures (EOPs) have been developed and are available for NRC review as required.
II.G.1  EMERGENCY POWER FOR PRESSURIZER EQUIPMENT
Position
Consistent with satisfying the requirements of GDC 10, 14, 15, 17, and 20 of Appendix A to 10 CFR Part 50 for the event of loss-of-coolant power, the following positions shall be implemented:
Power Supply for Pressurizer Relief and Block Valves and Pressurizer Level Indicators.
(1) Motive and control components of the PORVs shall be capable of being supplied from either the offsite power source or the emergency power source when the offsite power is not available.
(2) Motive and control components associated with the PORV block valves shall be capable of being supplied from either the offsite power source or the emergency power source when the offsite power is not available.
(3) Motive and control power connections to the emergency busses for the PORVs and their associated block valves shall be through devices that have been qualified in accordance with safety-grade requirements.
(4) The pressurizer level indication instrument channels shall be powered from the vital instrument busses. The busses shall have the capability of being supplied from either the offsite power source or the emergency power source when offsite power is not available.
Clarification
(1) Although the primary concern resulting from lessons learned from the accident at TMI is that the PORV block valves must be closable, the design should retain, to the extent practicable, the capability to also open these valves.
(2) The motive and control power for the block valve should be supplied from an emergency power bus different from the source supplying the PORV.
(3) Any changeover of the PORV and block valve motive and control power from the normal offsite power to the emergency onsite power is to be accomplished manually in the control room.
(4) For those designs in which instrument air is needed for operation, the electrical power supply should be required to have the capability to be manually connected to the emergency power sources.
Documentation Required
The applicant shall provide sufficient documentation to support a reasonable assurance finding by the NRC that each of the positions stated above are met. The documentation should include, as a minimum, supporting information including system design description, logic diagrams, electrical schematics, test procedures, and Technical Specifications.
Technical Specification Changes Required
Changes to Technical Specifications (if any) should be submitted as part of this response.
STPEGS Response
The following are in response to the above positions and clarifications.
Position
(1) The PORVs are solenoid-operated valves and are Class 1E qualified. Power and control circuits are fed from Class 1E busses. Thus, these valves are capable of being supplied power from either the offsite power source or the emergency onsite power source.
(2) The PORV block valves are motor-operated valves and are Class 1E qualified. Power and control circuits are fed from Class 1E buses. Thus, these valves are capable of being supplied power from either the offsite power source or the emergency onsite power source.
(3) See (1) and (2) above. Motive and control power is supplied to the PORV and their associated block valves through Class 1E devices.
(4) The pressurizer level indication instrumentation and their associated busses are Class 1E qualified and powered from the Class 1E vital instrument buses. As indicated in Section 8.3.1.1.4.5, these vital instrument buses are fed from Class 1E inverters. Thus, they are capable of being supplied from either the offsite power source or the emergency onsite power source.
Clarification
(1) The capability to open or close the PORV block valves is provided from the Main Control Board.
(2) Two parallel sets of PORV and PORV block valves are provided with one set (PORV and block valve in series) assigned to Train A and the other set assigned to Train B. Requirements for redundant closure capability are satisfied by an active fail closed PORV (DC powered) and an active block valve (AC powered).
(3) This does not apply to STPEGS. The power and control circuits are fed from Class 1E circuits.
(4) These valves are not air-operated.
Documentation Required
System descriptions and testing are discussed in Section 8.3.
The pressurizer PORVs are shown on logic diagram Figure 7A.II.G.1-1 and Figure 5.1-3. The PORV block valves are shown on logic diagram Figure 7A.II.G.1-2 and Figure 5.1-3.
Technical Specification Changes Required
The STPEGS Technical Specifications have been submitted.
II.K.1.5 REVIEW OF SAFETY-RELATED VALVE POSITIONS
Position
Review all safety-related valve positions, positioning requirements, and positive controls to assure that valves remain positioned (open or closed) in a manner to ensure the proper operation of engineered safety features. Also review related procedures, such as those for maintenance, testing, plant and system startup, and supervisory periodic (e.g., daily/shift checks) surveillance to ensure that such valves are returned to their correct positions following necessary manipulations and are maintained in their proper positions during all operational modes.
STPEGS Response
Safety-related valve positions, positioning requirements, and controls have been reviewed to assure that valves remain in their correct positions for ESF operation. Plant procedures provide the necessary verifications to ensure that valves are maintained in their correct positions during all operational modes.
II.K.1.10 OPERABILITY STATUS OF SAFETY-RELATED SYSTEMS
Position
Review and modify as necessary your maintenance and test procedures to ensure that they require:
: a. Verification, by test or inspection, of the operability of redundant safety-related systems prior to the removal of any safety-related system from service.
: b. Verification of the operability of all safety-related systems when they are returned to service following maintenance or testing.
: c. Explicit notification of involved reactor operational personnel whenever a safety-related system is removed from and returned to service.
STPEGS Response
: a. Procedures require verification that redundant safety-related components are available prior to the removal from service of any safety-related component.
: b. Procedures require verification of the operability of safety-related systems when they are returned to service following maintenance or testing.
: c. Procedures require notification of appropriate operational personnel when a safety-related system is removed from or returned to service.
II.K.1.17 TRIP PER PRESSURIZER LOW-LEVEL BISTABLE
Position
For your facilities that use pressurizer water level coincident with pressurizer pressure for automatic initiation of safety injection into the reactor coolant system, trip the low pressurizer level set point bistables such that, when the pressurizer pressure reaches the low set point, safety injection would be initiated regardless of the pressurizer level. In addition, instruct operators to manually initiate safety injection when the pressurizer pressure indication reaches the actuation set point whether or not the level indication has dropped to the actuation set point.
STPEGS Response
The STPEGS design does not include the pressurizer water level coincident with pressurizer pressure trip.
II.K.2.13 THERMAL MECHANICAL REPORT - EFFECT OF HIGH PRESSURE INJECTION ON VESSEL INTEGRITY FOR SMALL-BREAK LOSS-OF-COOLANT ACCIDENT WITH NO AUXILIARY FEEDWATER
Position
A detailed analysis shall be performed of the thermal-mechanical conditions in the reactor vessel during recovery from small breaks with an extended loss of all feedwater.
Clarification
The position deals with the potential for thermal shock of reactor vessels resulting from cold SI flow. One aspect that bears heavily on the effects of SI flow is the mixing of SI water with reactor coolant in the reactor vessel. B&W provided a report on July 30, 1980 that discussed the mixing question and the basis for a conservative analysis of the potential for thermal shock to the reactor vessel. Other pressurized water reactor vendors are also required to address this issue with regard to recovery from small breaks with an extended loss of all feedwater. In particular, demonstration shall be provided that sufficient mixing would occur of the cold high-pressure injection water with reactor coolant so that significant thermal shock effects to the vessel are precluded.
STPEGS Response (Historical Context)
The following discussion is retained for "historical purposes."  STPEGS' position on pressurized thermal shock is in accordance with 10CFR50.61 and is discussed in UFSAR Section 5.3.3.6.
Westinghouse, in support of the WOG, has performed analyses of the thermal mechanical conditions in generic groupings of Westinghouse reactor vessels during recovery from a spectrum of small LOCAs. The analyses were presented in WCAP-10019, "Summary Report on Reactor Vessel Integrity for Westinghouse Operating Plants", and submitted to the NRC in December 1981.
Plant specific reference nil-ductility transition temperatures (RT NDT) were calculated by Westinghouse and provided to the WOG in a report titled "Calculation of Operating and NTOL Vessel RT NDT Values", dated December 31, 1981 including an Addendum to the report titled "Calculation of RT NDT Values for Westinghouse Domestic Near Term Operating License Reactor Vessels".
The results of this report indicate that the RT NDT values for the STPEGS will remain far below the screening values identified in SECY 82-465 for the entire plant lifetime. On this basis an STPEGS specific analysis is not required.
II.K.2.17 POTENTIAL FOR VOIDING IN THE REACTOR COOLANT SYSTEM DURING TRANSIENTS
Position
Analyze the potential for voiding in the RCS during anticipated transients.
Clarification
The background for this concern and a request for this analysis was originally sent to the B&W licensees in a letter from R. W. Reid, NRC, to all B&W operating plants, dated January 9, 1980.
The results of this evaluation have been submitted by the B&W licensees and are presently undergoing staff review.
STPEGS Response
Westinghouse, in support of the WOG, has performed a study which addresses the potential for void formation in Westinghouse-designed NSSS during natural circulation cooldown/depressurization transients. This study is generic in nature and is applicable to STPEGS. A summary of the results of the study is documented in the Emergency Response Guidelines for low pressure plants.
II.K.2.19 SEQUENTIAL AUXILIARY FEEDWATER FLOW ANALYSIS
Position
Provide a benchmark analysis of sequential auxiliary feedwater flow to the steam generators following a loss of main feedwater.
Clarification
This requirement was originally sent to the B&W licensees in a letter from D. F. Ross, Jr., NRC, to all B&W operating plants, dated August 21, 1979.
The results of this analysis have been submitted by the B&W licensees and are presently undergoing staff review.
STPEGS Response
The NRC has concluded that the concerns expressed by this Action Item are not applicable to plants with inverted U-tube steam generators such as those of STPEGS.
II.K.3.1 INSTALLATION AND TESTING OF AUTOMATIC POWER-OPERATED RELIEF VALVE ISOLATION SYSTEM
Position
All PWR licensees should provide a system that uses the PORV block valve to protect against a small-break LOCA. This system will automatically cause the block valve to close when the RCS pressure decays after the PORV has opened. Justification should be provided to assure that failure of this system would not decrease overall safety by aggravating plant transients and accidents.
Each licensee shall perform a confirmatory test of the automatic block valve closure system following installation.
Clarification
Implementation of this action item was modified in the May 1980 version of NUREG-0660. The change delays implementation of this action item until after the studies specified in TMI Action Plan Item II.K.3.2 have been completed, if such studies confirm that the subject system is necessary.
STPEGS Response
Westinghouse, in support of the WOG, performed the studies required by TMI Action Item II.K.3.2. The results of these studies, WCAP 9804, concluded that with the incorporation of specific post-TMI modifications, which have been implemented on the STPEGS, the reduction in PORV LOCA frequency is such that an automatic PORV block valve closure system is not required.
Therefore, automatic PORV block valve closure is not required in the STPEGS design.
II.K.3.2 REPORT ON OVERALL SAFETY EFFECT OF POWER-OPERATED RELIEF VALVE ISOLATION SYSTEM
Position
(1) The licensee should submit a report for staff review documenting the various actions taken to decrease the probability of a small-break LOCA caused by a stuck-open PORV, and show how those actions constitute sufficient improvements in reactor safety.
(2) Safety valve failure rates based on past history of the operating plants designed by the specific NSSS vendor should be included in the report submitted in response to (1) above.
Clarification
Based on its review of feedwater transients and small LOCAs for operating plants, the Bulletins and Orders Task Force in the NRR recommended that a report be prepared and submitted for staff review that documents the various actions that have been taken to reduce the probability of a small-break LOCA caused by a stuck-open PORV, and show how these actions constitute sufficient improvements in reactor safety. Action Item II.K.3.2 of NUREG-0660, published in May 1980, changed the implementation of this recommendation as follows: In addition to modifications already implemented on PORVs, the report specified above should include safety examination of an automatic PORV isolation system identified in Task Action Plan Item II.K.3.1.
Modifications to reduce the likelihood of a stuck-open PORV will be considered sufficient improvements in reactor safety if they reduce the probability of a small-break LOCA caused by a stuck-open PORV such that it is not a significant contributor to the probability of a small-break LOCA due to all causes. (According to WASH-1400, the median probability of a small-break LOCA S₂ with a break diameter between 0.5 in. and 2.0 in. is 10⁻³ per reactor-year with a variation ranging from 10⁻² to 10⁻⁴ per reactor-year.) The above-specified report should also include an analysis of safety valve failures based on the operating experience of the PWR vendor designs. The licensee has the option of preparing and submitting either a plant-specific or a generic report. If a generic report is submitted, each licensee should document the applicability of the generic report to his own plant.
Based on the above guidance and clarification, each licensee should perform an analysis of the probability of a small-break LOCA caused by a stuck-open PORV or safety valve. This analysis should consider modifications that have been made since the TMI-2 accident to improve the probability.
This analysis shall evaluate the effect of an automatic PORV isolation system specified in Task Action Plan Item II.K.3.1. In evaluating the automatic PORV isolation system, the potential of causing a subsequent stuck-open safety valve and the overall effect on safety (e.g., effect on other accidents) should be examined.
Actual operational data may be used in this analysis where appropriate. The bases for any assumptions used should be clearly stated and justified.
The results of the probability analysis should then be used to determine whether the modifications already implemented have reduced the probability of a small-break LOCA due to a stuck-open PORV or safety valve a sufficient amount to satisfy the criterion stated above, or whether the automatic PORV isolation system specified in Task Action Item II.K.3.1 is necessary.
In addition to the analysis described above, the licensee should compile operational data regarding pressurizer safety valves for PWR vendor designs. These data should then be used to determine safety valve failure rates.
The analyses should be documented in a report. If this requirement is implemented on a generic basis, each licensee should review the appropriate generic report and document its applicability to his own plant(s). The report and the documentation of applicability (where appropriate) should be submitted for NRC staff review by the specified date.
STPEGS Response
The WOG submitted WCAP-9804, "Probabilistic Analysis and Operational Data in Response to NUREG-0737 Item II.K.3.2 for Westinghouse NSSS Plants", on March 13, 1981. This report provides a probabilistic analysis to determine the probability of a PORV LOCA, estimates the effect of the post-TMI modifications, evaluates an automatic PORV isolation concept, and provides PORV and safety valve operational data for Westinghouse plants. The report is generic and is applicable to STPEGS. WCAP 9804 indicates that a significant reduction in the probability of a small-break LOCA due to a stuck-open PORV has been obtained by the incorporation of specific TMI modifications. The report further indicates that this reduction in probability is such that an automatic PORV isolation system is not required (see TMI Action Item II.K.3.1).
II.K.3.3 REPORTING SAFETY AND RELIEF VALVE FAILURES AND CHALLENGES
Position (NUREG-0694)
Assure that any failure of a PORV or safety valve to close will be reported to the NRC promptly. All challenges to the PORVs or safety valves should be documented in the annual report.
Clarification
No clarification provided.
STPEGS Response
As of January 5, 2005, STPEGS no longer documents challenges to the PORVs or safety valves in the monthly Operating Report based on the following relief granted by the NRC in the referenced letter:
The reporting requirements for the [monthly operating report] MOR include challenges to the pressurizer power operated relief valves or pressurizer safety valves.
The reporting of challenges to the pressurizer power operated relief valves or pressurizer safety valves was included in TSs based on the guidance in NUREG-0694, "[Three Mile Island] TMI-Related Requirements for New Operating Licensees." The industry proposed and the NRC accepted the elimination of the reporting requirements in TSs for challenges to pressurizer power operated relief valves or pressurizer safety valves in Revision 4 to TSTF-258, "Changes to Section 5.0, Administrative Controls." The NRC staff's acceptance of TSTF-258 and subsequent approval of plant-specific adoptions of TSTF-258 is based on the fact that the information on challenges to relief and safety valves is not used in the evaluation of the MOR data, and that the information needed by the NRC is adequately addressed by the reporting requirements in 10 CFR 50.73, "Licensee event report system."
STPEGS will report to the NRC the failure of a PORV or safety valve to close in accordance with NUREG-1022.
==Reference:==
Letter, D. H. Jaffe to J. J. Sheppard, "South Texas Project, Units 1 and 2 - Issuance of Amendments re: Deletion of Monthly Operating Reports and Occupational Radiation Exposure Reports (TAC Nos. MC4599 and MC4600)," January 5, 2005 (AE-NOC-05001329)
II.K.3.5 AUTOMATIC TRIP OF REACTOR COOLANT PUMPS DURING LOSS-OF-COOLANT ACCIDENT
Position
Tripping of the reactor coolant pumps in case of a LOCA is not an ideal solution. Licensees should consider other solutions to the small-break LOCA problem (for example, an increase in safety injection flow rate). In the meantime, until a better solution is found, the reactor coolant pumps should be tripped automatically in case of a small-break LOCA. The signals designated to initiate the pump trip are discussed in NUREG-0623.
Clarification
This action has been revised in the May 1980 version of NUREG-0660 to provide for continued study of criteria for early reactor coolant pump trip. Implementation, if any is required, will be delayed accordingly. As part of the continued study, all holders of approved emergency core cooling (ECC) models have been required to analyze the forthcoming LOFT test (L3-6). The capability of the industry models to correctly predict the experimental behavior of this test will have a strong input on the staff's determination of when and how the reactor coolant pumps should be tripped.
STPEGS Response
The NRC, via Generic Letter No. 83-10c ("Resolution of TMI Action Item II.K.3.5, Automatic Trip of Reactor Coolant Pump"), dated February 8, 1983, provided guidelines for the resolution of TMI Action Item II.K.3.5.
Westinghouse, in support of the WOG, performed a study to determine appropriate RCP trip criteria and justification of a manual RCP trip in response to GL 83-10c. The results of this study have been submitted to the NRC by the following:
: 1. RCP trip criterion incorporation into WOG ERGs, Revision 1, submitted to the NRC by WOG letter OG-111, dated November 30, 1983.
: 2. Generic applicability of RCP trip criterion, WOG report, "Evaluation of Alternate RCP Trip Criteria", submitted to the NRC by WOG letter OG-110, dated December 1, 1983.
: 3. Justification of manual RCP trip, WOG report, "Justification of Manual RCP Trip for Small Break LOCA Events", submitted to the NRC by WOG letter OG-117, dated March 12, 1984.
The plant-specific information requested by Generic Letter 83-10c was provided to the NRC in letters from Mr. J. H. Goldberg, Houston Lighting and Power Company to Mr. Darrel G. Eisenhut, NRC, dated December 28, 1983 and May 15, 1984.
The information provided in the above submittals, in conjunction with the incorporation of the guidance of the WOG ERGs, Revision 1, into the STPEGS emergency operation procedures, addresses TMI Action Item II.K.3.5 and Generic Letter 83-10c. Additionally, a partial response to NRC Generic Letter 85-12 regarding "Implementation of TMI Action Item II.K.3.5, 'Automatic Trip of Reactor Coolant Pumps'", was provided in a letter from M. R. Wisenburg to H. L. Thompson dated November 6, 1985 (reference ST-HL-AE-1433).
NRC Review and Conclusions
The NRC review and conclusions are presented in the STP SER, SSER 1, SSER 3, SSER 4, and Inspection Report 87-23. In SSER 4, the NRC concluded, "The Staff considers the applicant's revision acceptable, and thus the issue of RCP trip resolved for South Texas Units 1 and 2".
Inspection Report 87-23 summarized activities performed during an NRC plant inspection which included an evaluation of plant-specific aspects of the issue such as selected RCP trip parameter, instrumentation redundancy and uncertainty, potential RCP and RCP-related problems, operator training, and operating procedures. The inspection team found all aspects acceptable and concluded that "TMI Item II.K.3.5 is considered closed".
II.K.3.9 PROPORTIONAL INTEGRAL DERIVATIVE CONTROLLER MODIFICATION
Position
The Westinghouse-recommended modification to the proportional integral derivative (PID) controller should be implemented by affected licensees.
Clarification
The Westinghouse-recommended modification is to raise the interlock bistable trip setting to preclude derivative action from opening the PORV. Some plants have proposed changing the derivative action setting to zero, thereby eliminating it from consideration. Either modification is acceptable to the staff. This represents a newly available option.
STPEGS Response
The PORV PID controllers have been modified to preclude derivative action from opening the PORVs. The input and output jumpers to and from the derivative circuit portion of the controller were removed to prevent derivative action from opening the PORVs.
II.K.3.10 PROPOSED ANTICIPATORY TRIP MODIFICATION
Position
The anticipatory trip modification proposed by some licensees to confine the range of use to high-power levels should not be made until it has been shown on a plant-by-plant basis that the probability of a small-break LOCA resulting from a stuck-open PORV is substantially unaffected by the modification.
Clarification
The evaluation is required for only those licensee/applicants who propose the modification.
STPEGS Response
The South Texas Units 1 and 2 design incorporates this trip modification. The NRC has raised the question of whether the pressurizer PORVs would be actuated for a turbine trip without reactor trip below a power level of 50 percent (P-9 setpoint). A best estimate transient analysis (from 52 percent power) has been performed.
The transient was initiated from the setpoint for the P-9 interlock, namely 50 percent of the reactor full power level plus 2 percent for power measurement uncertainty. This is a conservative starting point and would bracket all transients initiated from a lower power level. The core physics parameters used were the ones that would result in the most positive reactivity feedbacks (i.e., highest resulting power levels). The steam dump valves were assumed to be actuated by the load rejection controller.
Based upon the results from the analysis, the peak pressure reached in the pressurizer is less than the pressurizer PORV setpoint. Thus, the peak pressure would not activate the PORVs.
II.K.3.11 JUSTIFICATION OF USE OF CERTAIN PORVs
Position
A PORV supplied by Control Components, Inc. (CCI) used in the McGuire plant (owned by Duke Power) failed during the functional testing. Because this valve is different from the Copes-Vulcan design, which comprises the operational data for W-designed plants, its failure mechanism and failure rate must be determined to be equitable with that of the Copes-Vulcan valves, in order to include both in the same population. At present, a data base for operational failures for this valve does not exist.
Any plant using or planning to use this valve without modification should provide complete justification for such use in light of this failure. This matter should be addressed on a plant-by-plant basis. The valve should be modified as recommended by the manufacturer and tested. Plants using this valve (modified or unmodified) should record each valve actuation and each valve failure. Failures must be reported to the NRC. The licensee must compare such failure with those of Copes-Vulcan valves with a view toward further modification or replacement, as necessary.
Clarification
No further clarification is required.
STPEGS Response
The PORVs for STPEGS were supplied by the Airesearch Division of the Garrett Corporation. These valves have been subjected to IEEE qualification testing, per WCAP 9688, that includes, but is not limited to, cycling, aging, and radiation exposure that exceeds conditions anticipated in the operating environment.
II.K.3.12 CONFIRM EXISTENCE OF ANTICIPATORY REACTOR TRIP UPON TURBINE TRIP
Position
Licensees with Westinghouse-designed operating plants should confirm that their plants have an anticipatory reactor trip upon turbine trip. The licensee of any plant where this trip is not present should provide a conceptual design and evaluation for the installation of this trip.
Clarification
No further clarification is required.
STPEGS Response
Anticipatory reactor trip upon turbine trip exists in the STPEGS design and is described in Section 7.2.1.1.3.6.
II.K.3.17 REPORT ON OUTAGES OF EMERGENCY CORE COOLING SYSTEMS - LICENSEE REPORT AND PROPOSED TECHNICAL SPECIFICATION CHANGES
Position
Several components of the ECCS are permitted by Technical Specifications to have substantial outage times (e.g., 72 hours for one diesel-generator; 14 days for the high pressure coolant injection system). In addition, there are no cumulative outage time limitations for ECCS. Licensees should submit a report detailing outage dates and lengths of outages for all ECCS for the last 5 years of operation. The report should also include the causes of the outages (i.e., controller failure, spurious isolation, etc.).
Clarification
The present Technical Specifications contain limits on allowable outage times for ECCS and components. However, there are no cumulative outage time limitations on these same systems. It is possible that ECCS equipment could meet present Technical Specification requirements, but have a high unavailability because of frequent outages within the allowable Technical Specifications.
The licensees should submit a report detailing outage dates and length of outages for all ECCS for the last 5 years of operation, including causes of the outages. This report will provide the staff with a quantification of historical unreliability due to test and maintenance outages, which will be used to determine if a need exists for cumulative outage requirements in the Technical Specifications.
Based upon the above guidance and clarification, a detailed report should be submitted. The report should contain (1) outage dates and duration of outages, (2) cause of the outage, (3) ECCS or components involved in the outage, and (4) corrective action taken. Test and maintenance outages should be included in the above listings that are to cover the last 5 years of operation. The licensee should propose changes to improve the availability of ECCS equipment, if needed.
Applicants for an operating license shall establish a plan to meet these requirements.
STPEGS Response
Later rules and regulations for reporting and reliability (i.e., Maintenance Rule, NPRDS, Performance Monitors, INPO Availability Reports, etc.) ensure that the intent of Section II.K.3.17 of NUREG-0737 is met.
II.K.3.25 EFFECT OF LOSS OF ALTERNATING CURRENT POWER ON PUMP SEALS
Position
The licensees should determine, on a plant-specific basis, by analysis or experiment, the consequences of a loss of cooling water to the reactor recirculation pump seal coolers. The pump seals should be designed to withstand a complete loss of AC power for at least 2 hours. Adequacy of the seal design should be demonstrated.
Clarification
The intent of this position is to prevent excessive loss of RCS inventory following an anticipated operational occurrence. Loss of AC power for this case is construed to be loss of offsite power. If seal failure is the consequence of loss of cooling water to the RCP seal coolers for 2 hours due to loss of offsite power, one acceptable solution would be to supply emergency power to the CCW pump. This topic is addressed for B&W reactors in Section II.K.2.16.
STPEGS Response
During normal operation, seal injection flow from the CVCS is provided to cool the RCP seals, and the CCWS provides flow to the thermal barrier heat exchanger to limit the heat transfer from the reactor coolant to the RCP internals. In the event of LOOP, the RCP motor is deenergized and both of these cooling supplies are terminated; however, the diesel generators are automatically started, and CCW to the thermal barrier heat exchanger is automatically restored within seconds (see Table 8.3-3). This is adequate to provide seal cooling and prevent seal failure due to loss of seal cooling during a loss of offsite power. The CCWS and the CVCS are described in Sections 9.2.2 and 9.3.4, respectively.
II.K.3.30 REVISED SMALL-BREAK LOSS-OF-COOLANT ACCIDENT METHODS TO SHOW COMPLIANCE WITH 10 CFR PART 50, APPENDIX K
Position
The analysis methods used by NSSS vendors and/or fuel suppliers for small-break LOCA analysis for compliance with Appendix K to 10CFR50 should be revised, documented, and submitted for NRC approval. The revisions should account for comparisons with experimental data, including data from the LOFT Test and Semiscale Test facilities.
Clarification
As a result of the accident at TMI-2, the Bulletins and Orders Task Force was formed within the NRR. This task force was charged, in part, to review the analytical predictions of feedwater transients and small-break LOCAs for the purpose of assuring the continued safe operation of all operating reactors, including a determination of acceptability of emergency guidelines for operators.
As a result of the task force reviews, a number of concerns were identified regarding the adequacy of certain features of small-break LOCA models, particularly the need to confirm specific model features (e.g., condensation heat transfer rates) against applicable experimental data. These concerns, as they applied to each light-water reactor (LWR) vendor's models, were documented in the task force reports for each LWR vendor. In addition to the modeling concerns identified, the task force also concluded that, in light of the TMI-2 accident, additional systems verification of the small-break LOCA model as required by II.4 of Appendix K to 10CFR50 was needed. This included providing predictions of Semiscale Test S 10B, LOFT Test (L3-1), and providing experimental verification of the various modes of single-phase and two-phase natural circulation predicted to occur in each vendor's reactor during small-break LOCAs.
Based on the cumulative staff requirements for additional small-break LOCA model verification, including both integral system and separate effects verification, the staff considered model revision as the appropriate method for reflecting any potential upgrading of the analysis methods.
The purpose of the verification was to provide the necessary assurance that the small-break LOCA models were acceptable to calculate the behavior and consequences of small primary system breaks. The staff believes that this assurance can alternatively be provided, as appropriate, by additional justification of the acceptability of present small-break LOCA models with regard to specific staff concerns and recent test data. Such justification could supplement or supersede the need for model revision.
The specific staff concerns regarding small-break LOCA models are provided in the analysis sections of the Bulletins and Orders Task Force reports for each LWR vendor (NUREG-0635, -0565, -0626, -0611, and -0623). These concerns should be reviewed in total by each holder of an approved ECCS model and addressed in the evaluation as appropriate.
The recent tests include the entire Semiscale small-break test series and LOFT Tests (L3-1 and L3-2). The staff believes that the present small-break LOCA models can be both qualitatively and quantitatively assessed against these tests. Other separate effects tests (e.g., Oak Ridge National Laboratory core uncovery tests) and future tests, as appropriate, should also be factored into this assessment.
Based on the preceding information, a detailed outline of the proposed program to address this issue should be submitted. In particular, this submittal should identify (1) which areas of the models, if any, the licensee intends to upgrade, (2) which areas the licensee intends to address by further justification of acceptability, (3) test data to be used as part of the overall verification/upgrade effort, and (4) the estimated schedule for performing the necessary work and submitting his information for staff review and approval.
STPEGS Response
[HISTORICAL INFORMATION]
The Westinghouse small-break evaluation model used to analyze the STPEGS units is in conformance with 10CFR50, Appendix K. However, Westinghouse has revised their small-break LOCA analysis model to address NRC concerns. The revised model was submitted to the NRC by Westinghouse in WCAP-10054, dated March 26, 1982. WCAP-10054 is applicable to STPEGS. Section 15.6.5 discusses the small-break LOCA analysis.
II.K.3.31 PLANT-SPECIFIC CALCULATIONS TO SHOW COMPLIANCE WITH 10 CFR PART 50.46
Position
Plant-specific calculations using NRC-approved models for small-break LOCAs, as described in item II.K.3.30 to show compliance with 10CFR50.46, should be submitted for NRC approval by all licensees.
Clarification
See "Clarification" for item II.K.3.30.
STPEGS Response
Westinghouse, in support of the WOG, has performed analyses to resolve the small-break LOCA concern for STPEGS. Consideration of break location sensitivity was necessary due to the asymmetric design of the AFW systems at South Texas.
The analysis was performed with the NRC-approved Westinghouse small-break analysis model using NOTRUMP as described in WCAP-10079-P-A and WCAP-10054-P-A with some modifications made to the model as described in WCAP-11232. The results of current analyses are presented in Section 15.6.5.
III.A.1.1 Upgrade Emergency Preparedness
Information is provided in the South Texas Project Electric Generating Station Emergency Plan.
III.A.1.2 Upgrade Licensee Emergency Support Facilities
Information is provided in the South Texas Project Electric Generating Station Emergency Plan.
III.A.2 IMPROVING LICENSEE EMERGENCY PREPAREDNESS--LONG-TERM
Position
Each nuclear facility shall upgrade its emergency plans to provide reasonable assurance that adequate protective measures can and will be taken in the event of a radiological emergency. Specific criteria to meet this requirement are delineated in NUREG-0654 (FEMA-REP-1), "Criteria for Preparation and Evaluation of Radiological Emergency Response Plans and Preparedness in Support of Nuclear Power Plants".
Changes to Previous Requirements and Guidance
The final regulations on emergency planning (45 FR 55401-55413), which become effective on November 3, 1980, require the submittal and implementation of the radiological emergency response plans of licensees and state and local entities within the plume exposure and ingestion emergency planning zones (EPZ) by January 2, 1981.
NUREG-0654 has been revised to include changes developed from team reviews and comments obtained during the comment period.
The revised NUREG-0654 establishes the schedule for installation of meteorological equipment to meet a prescribed implementation date (also see proposed Revision 1 to RG 1.23). The NRC rule establishes July 1, 1981 as the date when the prompt notification capability is to be functional. Item III.A.1.2 establishes dates when emergency response facilities must be functional.
Clarification
In accordance with Task Action Plan item III.A.1.1, "Upgrade Emergency Preparedness", each nuclear power facility was required to immediately upgrade its emergency plans with criteria provided October 10, 1979, as revised by NUREG-0654 (FEMA-REP-1, issued for interim use and comment, January 1980). New plans were submitted by January 1, 1980, using the October 10, 1979 criteria. Reviews were started on the upgraded plans using NUREG-0654. Concomitant to these actions, amendments were developed to 10 CFR Part 50 and Appendix E to 10 CFR Part 50, to provide the long-term implementation requirements. These new rules were issued in the Federal Register on August 19, 1980, with an effective date of November 3, 1980. The revised rules delineate requirements for emergency preparedness at nuclear reactor facilities.
NUREG-0654 (FEMA-REP-1), "Criteria for Preparation and Evaluation of Radiological Emergency Response Plans and Preparedness in Support of Nuclear Power Plants", provides detailed items to be included in the upgraded emergency plans and, along with the revised rules, provides for meteorological criteria, means for providing for a prompt notification to the population, and the need for emergency response facilities (see Item III.A.1.2).
Implementation of the new rules levied the requirement for the licensee to provide procedures implementing the upgraded emergency plans to the NRC for review. Publication of Revision 1 to NUREG-0654 (FEMA-REP-1) which incorporates the many public comments received is expected in October 1980. This is the document that will be used by NRC and FEMA in their evaluation of emergency plans submitted in accordance with the new NRC rules.
NUREG-0654, Revision 1; NUREG-0696, "Functional Criteria for Emergency Response Facilities", and the amendments to 10 CFR Part 50 and Appendix E to 10 CFR Part 50 regarding emergency preparedness, provide more detailed criteria for emergency plans, design, and functional criteria for emergency response facilities and establishes firm dates for submission of upgraded emergency plans for installation of prompt notification systems. These revised criteria and rules supersede previous Commission guidance for the upgrading of emergency preparedness at nuclear power facilities.
Revision 1 to NUREG-0654, "Criteria for Preparation and Evaluation of Radiological Emergency Response Plans and Preparedness in Support of Nuclear Power Plants", provides meteorological criteria to fulfill, in part, the standard that "Adequate methods, systems, and equipment for assessing and monitoring actual or potential offsite consequences of a radiological emergency condition are in use" (see 10 CFR Part 50.47). The position in Appendix 2 to NUREG-0654 outlines four essential elements that can be categorized into three functions: measurements, assessment, and communications.
Proposed Revision 1 to RG 1.23, "Meteorological Measurements Programs in Support of Nuclear Power Plants", has been adopted to provide guidance criteria for the primary meteorological measurements program consisting of a primary system and secondary system(s) where necessary, and a backup system. Data collected from these systems are intended for use in the assessment of the offsite consequences of a radiological emergency condition.
Appendix 2 to NUREG-0654 delineates two classes of assessment capabilities to provide input to the evaluation of offsite consequences of a radiological emergency condition. Both classes of capabilities provide input to decisions regarding emergency actions. The Class A capability should provide information to determine the necessity for notification, sheltering, evacuation, and, during the initial phase of a radiological emergency, making confirmatory radiological measurements. The Class B capability should provide information regarding the placement of supplemental meteorological monitoring equipment, and the need to make additional confirmatory radiological measurements. The Class B capability shall identify the areas of contaminated property and foodstuff requiring protective measures and may also provide information to determine the necessity for sheltering and evacuation.
Proposed Revision 1 to RG 1.23 outlines the set of meteorological measurements that should be accessible from a system that can be interrogated; the meteorological data should be presented in the prescribed format. The results of the assessments should be accessible from this system; this information should incorporate human factors engineering in its display to convey the essential information to the initial decision makers and subsequent management team. An integrated system should allow the eventual incorporation of effluent monitoring and radiological monitoring information with the environmental transport to provide direct dose consequence assessments.
Requirements of the new emergency-preparedness rules under paragraphs 50.47 and 50.54 and the revised Appendix E to Part 50 taken together with NUREG-0654 Revision 1 and NUREG-0696, when approved for issuance, go beyond the previous requirements for meteorological programs. To provide a realistic time frame for implementation, a staged schedule has been established with compensating actions provided for interim measures.
STPEGS Response
The STPEGS response to this item is covered by Section 7A.S (responses to NUREG-0737, Supplement 1) and the STPEGS Emergency Plan.
III.D.1.1 INTEGRITY OF SYSTEMS OUTSIDE CONTAINMENT LIKELY TO CONTAIN RADIOACTIVE MATERIAL FOR PRESSURIZED-WATER REACTORS AND BOILING-WATER REACTORS
Position
Applicants shall implement a program to reduce leakage from systems outside Containment that would or could contain highly radioactive fluids during a serious transient or accident to as-low-as-practicable levels. This program shall include the following:
(1) Immediate leak reduction
  (a) Implement all practicable leak reduction measures for all systems that could carry radioactive fluid outside of Containment.
  (b) Measure actual leakage rates with system in operation and report them to the NRC.
(2) Continuing Leak Reduction - Establish and implement a program of preventive maintenance to reduce leakage to as-low-as-practicable levels. This program shall include periodic integrated leak tests at intervals not to exceed each refueling cycle.
Clarification
Applicants shall provide a summary description, together with initial leak-test results, of their program to reduce leakage from systems outside the Containment that would or could contain coolant or other highly radioactive fluids or gases during or following a serious transient or accident.
(1) Systems that should be leak tested are as follows (any other plant system which has similar functions or post-accident characteristics, even though not specified herein, should be included):
: Residual heat removal
: Containment spray recirculation
: High-pressure injection recirculation
: Containment and primary coolant sampling
: Reactor core isolation cooling
: Makeup and letdown (PWRs only)
: Waste gas (includes headers and cover gas system outside of the Containment in addition to decay or storage system)
Include a list of systems containing radioactive materials which are excluded from program and provide justification for exclusion.
(2) Testing of gaseous systems should include helium leak detection or equivalent testing methods.
(3) Should consider program to reduce leakage potential release paths due to design and operator deficiencies as discussed in our letter to all operating nuclear power plants regarding North Anna and related incidents, dated October 17, 1979.
STPEGS Response
Immediate Leak Reduction and Leakage Testing:
The following systems have been identified as systems outside Containment that would or could contain highly radioactive fluids during a serious transient or accident:
: 1. High Head Safety Injection System (recirculation portion only).
: 2. Low Head Safety Injection System (recirculation portion only).
: 3. Containment Spray System (recirculation portion only).
: 4. Containment Hydrogen Monitoring System.
: 5. Post Accident Sampling System.
: 6. Primary Sampling System (portion common with PASS).
A leakage reduction plan is being implemented for these systems. This program begins with incorporation into the design of those features that reduce radioactive releases to ALARA levels (Sections 12.3.1 and 12.3.2).
Leakage testing will be incorporated into this program. The program will be based on the requirements of the ASME Boiler and Pressure Vessel (B&PV) Code, Section XI and 10CFR50, Appendix J as applicable. The SI and Containment spray systems are subject to the in-service inspection requirements of the ASME B&PV Code Section XI, including pressure tests. Operating pressure leakage tests will be performed on appropriate portions of the systems identified above at intervals not exceeding refueling outages.
A program to meet III.D.1.1 was implemented prior to fuel load.
Continuing Leak Reduction:
The systems included in this program will receive periodic inspection (primarily by system walkdown) for leakage. This inspection will be conducted during the leak testing and at other intervals as determined by maintenance policy. Maintenance will be performed on those components identified as requiring work to limit actual leakage.
Excluded Systems:
The following systems are excluded from this program:
: 1. Liquid Waste Processing System (LWPS). This system is not required to function post-accident and is isolated on phase A Containment isolation.
: 2. Gaseous Waste Processing System (GWPS). The system is not required to function post-accident and is isolated on phase A Containment isolation.
: 3. CVCS, letdown portion. The letdown portion of the CVCS is not required to function post-accident. The plant can be brought to a safe condition without the letdown system. The letdown system is isolated on phase A Containment isolation.
: 4. CVCS, reactor coolant pump seal leak-off portion. The seal leak-off portion of the CVCS is not required to function post-accident. The seal leak-off is isolated on a Containment isolation signal. The system remains isolated post-accident. If seal leak-off is required post-accident, pressure in the seal leak-off header will increase and the header relief valve will lift providing a flow path to the pressurizer relief tank.
: 5. CVCS, charging portion. The charging portion of the CVCS is not required to function post-accident and is isolated on a Containment isolation signal.
: 6. CVCS, seal injection portion. The letdown portion of the CVCS is isolated on a Containment isolation signal, therefore the seal injection portion of the CVCS will not contain highly radioactive fluids under post-accident conditions.
Surveillance of the leaktightness of the systems which routinely contain radioactive fluids or gases and are excluded from the program, as listed above, is assured by routine surveillance of the auxiliary building and the airborne radiation monitors in this building. Leaktightness of these systems is determined by the objectives of keeping occupational and routine releases ALARA as described in Section 12.3. The sampling system components are provided with packless valves to minimize discharge caused by leakage.
The portions of the reactor coolant charging, letdown, and pump seal leakoff systems, in use during normal operations, are monitored with the rest of the RCS for leakage during steady-state conditions by the RCS water inventory balance (see Section 5.2.5). Portions of these systems are ASME Class 2 and 3 and are subject to the requirements of the ASME B&PV Code, Section XI.
North Anna and Related Incidents:
The STPEGS design has been reviewed with respect to the North Anna and related incidents. The STPEGS design is sufficiently different from the North Anna design to preclude a similar occurrence. The volume control tank (VCT) relief is routed to the recycle holdup tank (RHT). Venting off the holdup tank is routed to the GWPS.
III.D.3.3 IMPROVED INPLANT IODINE INSTRUMENTATION UNDER ACCIDENT CONDITIONS
Position
(1) Each licensee shall provide equipment and associated training and procedures for accurately determining the airborne iodine concentration in areas within the facility where plant personnel may be present during an accident.
(2) Each applicant for a fuel-loading license to be issued prior to January 1, 1981 shall provide the equipment, training, and procedures necessary to accurately determine the presence of airborne radioiodine in areas within the plant where plant personnel may be present during an accident.
Clarification
Effective monitoring of increasing iodine levels in the buildings under accident conditions must include the use of portable instruments using sample media that will collect iodine selectively over xenon (e.g., silver zeolite) for the following reasons:
(1) The physical size of the auxiliary and/or fuel handling building precludes locating stationary monitoring instrumentation at all areas where airborne iodine concentration data might be required.
(2) Unanticipated isolated "hot spots" may occur in locations where no stationary monitoring instrumentation is located.
(3) Unexpectedly high background radiation levels near stationary monitoring instrumentation after an accident may interfere with filter radiation readings.
(4) The time required to retrieve samples after an accident may result in high personnel exposures if these filters are located in high-dose-rate areas.
After January 1, 1981, each applicant and licensee shall have the capability to remove the sampling cartridge to a low-background, low-contamination area for further analysis. Normally, counting rooms in auxiliary buildings will not have sufficiently low backgrounds for such analyses following an accident. In the low background area, the sample should first be purged of any entrapped noble gases using nitrogen gas or clean air free of noble gases. The licensee shall have the capability to measure accurately the iodine concentrations present on these samples under accident conditions. There should be sufficient samplers to sample all vital areas.
For applicants with fuel loading date prior to January 1, 1981, provide by fuel loading (until January 1, 1981) the capability to accurately detect the presence of iodine in the region of interest following an accident. This can be accomplished by using a portable or cart-mounted iodine sampler with attached single-channel analyzer (SCA).
The SCA window should be calibrated to the 365 KeV of iodine-131 using the SCA. This will give an initial conservative estimate of presence of iodine and can be used to determine if respiratory protection is required. Care must be taken to assure that the counting system is not saturated as a result of too much activity collected on the sampling cartridge.
STPEGS Response
STPEGS plans to have onsite approximately 14 portable high volume air samplers, 14 portable low volume air samplers, and 6 portable continuous air samplers. Procedures have been developed to measure the iodine activity entrained on the silver zeolites or carbon filter units. Personnel will be trained to operate the equipment. The counting rooms will have background activity low enough to permit counting; however, shielding materials will be available to facilitate the counting operation as necessary.
The filter units are counted by a high resolution detector and a multichannel analyzer or similar device, thereby eliminating the need for purging noble gases.
III.D.3.4 CONTROL ROOM HABITABILITY REQUIREMENTS
Position
In accordance with Task Action Plan Item III.D.3.4 and control room habitability, licensees shall assure that control room operators will be adequately protected against the effects of accidental release of toxic and radioactive gases, and that the nuclear power plant can be safely operated or shut down under design basis accident conditions (Criterion 19, "Control Room", of Appendix A, "General Design Criteria for Nuclear Power Plants", to 10CFR50).
Clarification
(1) All licensees must make a submittal to the NRC regardless of whether or not they met the criteria of the referenced SRP sections. The new clarification specifies that licensees that meet the criteria of the SRPs should provide the basis for their conclusion that SRP 6.4 requirements are met. Licensees may establish this basis by referencing past submittals to the NRC and/or providing new or additional information to supplement past submittals.
(2) All licensees with control rooms that meet the criteria of SRP sections 2.2.1 through 2.2.2 Identification of Potential Hazards in Site Vicinity, 2.2.3 Evaluation of Potential Accidents, and 6.4 Habitability of Systems, shall report their findings regarding the specific SRP sections, as explained below. The following documents should be used for guidance:
  (a) RG 1.78, "Assumptions for Evaluating the Habitability of Regulatory Power Plant Control Room During a Postulated Hazardous Chemical Release";
  (b) RG 1.95, "Protection of Nuclear Power Plant Control Room Operators Against an Accident Chlorine Release"; and,
  (c) K. G. Murphy and K. M. Campe, "Nuclear Power Plant Control Room Ventilation System Design for Meeting General Design Criterion 19", 13th AEC Air Cleaning Conference, August 1974.
Licensees shall submit the results of their findings, as well as the basis for those findings, by January 1, 1981. In providing the basis for the habitability finding, licensees may reference their past submittals. Licensees should, however, ensure that these submittals reflect the current facility design and that the information requested in Attachment 1 is provided.
(3) All licensees with control rooms that do not meet the criteria of the above-listed references, SRPs, RGs, and other references shall perform the necessary evaluations and identify appropriate modifications.
Each licensee submittal shall include the results of the analyses of control room concentrations from postulated accidental release of toxic gases, control room operator radiation exposures from airborne radioactive material, and direct radiation resulting from design basis accidents. The toxic gas accident analysis should be performed for all potential hazardous chemical releases occurring either on the site or within 5 miles of the plant-site boundary. RG 1.78 lists the chemicals most commonly encountered in the evaluation of control room habitability, but is not all inclusive.
The design basis accident (DBA) radiation source term should be for the LOCA Containment leakage and ESF leakage contribution outside Containment, as described in Appendices A and B of SRP Chapter 15.6.5. In addition, BWR facility evaluations should add any leakage from the main steam isolation valves (MSIV) (i.e., valve-stem leakage, valve seat leakage, MSIV leakage control system release) to the Containment leakage and ESF leakage following a LOCA. This should not be construed as altering the staff recommendations in Section D of RG 1.96, Rev. 2 regarding MSIV leakage-control systems. Other DBAs should be reviewed to determine whether they might constitute a more severe control room hazard than the LOCA.
In addition to the accident analysis results, which should either identify the possible need for control room modifications or provide assurance that the habitability systems will operate under all postulated conditions, permitting the control room operators to remain in the control room to take appropriate actions required by GDC 19, the licensee should submit sufficient information needed for an independent evaluation of the adequacy of the habitability systems. Attachment 1 lists the information that should be provided along with the licensee's evaluation.
III.D.3.4 ATTACHMENT 1, INFORMATION REQUIRED FOR CONTROL-ROOM HABITABILITY EVALUATION
(1) Control-room mode of operation, i.e., pressurization and filter recirculation for radiological accident isolation or chlorine release
(2) Control-room characteristics
  (a) air volume control room
  (b) control-room emergency zone (control room, critical files, kitchen, washroom, computer room, etc.)
  (c) control-room ventilation system schematic with normal and emergency air-flow rates
  (d) infiltration leakage rate
  (e) HEPA filter and charcoal absorber efficiencies
  (f) closest distance between Containment and air intake
  (g) layout of control room, air intakes, Containment building, and chlorine, or other chemical storage facility with dimensions
  (h) control-room shielding including radiation streaming from penetrations, doors, ducts, stairways, etc.
  (i) automatic isolation capability-damper closing time, damper leakage, and area
  (j) chlorine detectors or toxic gas (local or remote)
  (k) self-contained breathing apparatus availability (number)
  (l) bottled air supply (hours supply)
  (m) emergency food and potable water supply (how many days and how many people)
  (n) control-room personnel capacity (normal and emergency)
  (o) potassium iodide drug supply
(3) Onsite storage of chlorine and other hazardous chemicals
  (a) total amount and size of container
  (b) closest distance from control-room air intake
(4) Offsite manufacturing, storage, or transportation facilities of hazardous chemicals
  (a) identify facilities within a 5-mile radius
  (b) distance from control room
  (c) quantity of hazardous chemicals in one container
  (d) frequency of hazardous chemical transportation traffic (truck, rail, and barge)
(5) Technical specifications (refer to standard technical specifications)
  (a) chlorine detection system
  (b) control-room emergency filtration system including the capability to maintain the control-room pressurization at 1/8-inch water gauge, verification of isolation by test signals and damper closure times, and filter testing requirements.
STPEGS Response
The safety design basis for the habitability system for the control room is defined in Section 6.4. The design of the habitability system meets the appropriate recommendations of RGs 1.78 and 1.95 and the requirements of GDC 19.
The results of dose calculations for the design basis accidents (except small line break outside containment) are presented in the respective accident descriptions in Chapter 15.
The information requested by Item III.D.3.4, Attachment 1, is provided as indicated below:
Attachment 1 Item No.            STPEGS UFSAR Section
(1), (2), (b), (g), (k)-(o)      6.4
(2), (a), (d), (e), (f)          Appendix 15.D
(2)(c)                           9.4
(2)(h)                           12.3
(2)(i)                           9.4, 6.4
(2)(j)                           2.2, 6.4
(3)(a),(b)                       2.2, 6.4
(4)(a)-(d)                       2.2
(5)                              Technical Specifications - STP does not use a chlorine detection system

Supplement 1 to NUREG-0737 Emergency Response Capability
S.1 INTRODUCTION
This supplement was prepared as a result of a review by the Committee to Review Generic Requirements (CRGR). The supplement represents the staff's attempt to distill the fundamental requirements for nuclear plant Emergency Response Capability from the wide range of guidance documents that the NRC has issued. It is not intended that these guidance documents (NUREG reports and Regulatory Guides) be implemented as written; rather, they should be regarded as useful sources of guidance for licensees and NRC staff regarding acceptable means for meeting the fundamental requirements contained in this document. It is also not intended that either the guidance documents or the fundamental requirements are to be considered binding legal requirements at this time. As indicated below, however, the fundamental requirements will be translated into binding legal requirements in the manner specified.
These requirements are a further delineation of the general guidance issued previously by the Commission in its regulations, orders and policy statements on emergency planning and TMI issues. It is intended that these requirements would be applicable to licensees of operating nuclear power plants. For applicants for a construction permit (CP) or manufacturing license (ML), the requirements described in this document must be supplemented with the specific provisions in the rule specifying licensing requirements for pending CP and ML applications. Thus, compliance with requirements in this document may not be sufficient to meet the related requirements in 10 CFR 50.34(f) and Appendix E. In this regard, it is expected that the staff would review CP and ML applications against the guidance in the current Standard Review Plan (which includes the provisions of NUREG-0718) and this might lead to more detailed requirements than prescribed in this document in order to satisfy the requirements of 50.34(f) and Appendix E.
Based on discussions with licensees, the staff has learned that many of the Commission-approved schedules for emergency response facilities probably will not be met. In recognition of this fact and the difficulty of implementing generic deadlines, plant-specific schedules will be established which take into account the unique status of each plant. The following sequence for developing implementation schedules will be used.
The requirements for emergency response capabilities and facilities are being transmitted to licensees by this supplement and are being promulgated to NRC staff. The letter which forwards this supplement requests that licensees submit a proposed schedule for completing actions to comply with the requirements.
Each licensee's proposed schedule will then be reviewed by the assigned NRC Project Manager, who will discuss the subject with the licensee and mutually agree on schedules and completion dates. The implementation dates will then be formalized into an enforceable document.
The requirements in this document do not alter previously issued guidance, which remains in effect. This document does attempt to place that guidance in perspective by identifying the elements that the NRC staff believes to be essential to upgrade emergency response capabilities. The proposal to formalize implementation dates in an enforceable document reflects the level of importance which the NRC staff attributes to these requirements. The Commission does not believe that existing guidance should be imposed in this manner, but rather that it be used as guidance to be considered in upgrading emergency response capabilities. This indicates the distinction which the staff believes should be made between the requirements and guidance.
The following sections describe the requirements, their interrelationships, and NRC actions to improve management of emergency response regulations. Reference documents are cited with a description of content as it relates to specific initiatives.
The requirements set forth in this document have been reviewed by the Commission and, at a meeting held July 16, 1982, were approved by the Commission as appropriately clarifying and providing greater detail with respect to related TMI Action Plan requirements contained in NUREG-0737 for all operating license applicants. These requirements are, therefore, to be accorded the status of approved NUREG-0737 items as set forth in the Commission's "Statement of Policy: Further Commission Guidance for Power Reactor Operating Licenses" (45 FR 85236, December 24, 1980).
In this connection, the provisions for scheduling set forth herein supersede any schedules with respect to such items contained in NUREG-0737. Accordingly, the requirements should be used by the staff and by adjudicatory boards as appropriate clarifications and interpretation of the related NUREG-0737 items.
The requirements set forth in this document are believed to be consistent with the requirements regarding related items for construction permits and manufacturing licenses contained in 10 CFR 50.34(f) and 10 CFR Part 50, Appendix E. Accordingly, no changes to these regulations are required.
STPEGS Response
The requirements and guidance of Supplement 1 to NUREG-0737 have been considered during the various activities related to developing the STPEGS Emergency Response Capabilities. Specific STPEGS responses to items identified in the supplement are presented in the sections that follow.
The STPEGS response to Generic Letter 82-33, which transmitted Supplement 1 to NUREG-0737, was provided by ST-HL-AE-944, Mr. J. H. Goldberg of Houston Lighting & Power to Mr. Darrell G. Eisenhut, U. S. Nuclear Regulatory Commission, dated April 14, 1983.
S.2 USE OF EXISTING DOCUMENTATION
The following NUREG documents are intended to be used as sources of guidance and information, and the RGs are to be considered as guidance or as an acceptable approach to meeting formal requirements. The items by virtue of their inclusion in these documents shall not be misconstrued as requirements to be levied on licensees or as inflexible criteria to be used by NRC staff reviewers.
NUREG Report    Titles
0696            Functional Criteria for Emergency Response Facilities
0700            Guidelines for Control Room Design Reviews
0799            Draft Criteria for Preparation of Emergency Operating Procedures (to be superseded by NUREG-0899)
0801            Evaluation Criteria for Detailed Control Room Design Reviews
0814            Methodology for Evaluation of Emergency Response Facilities
0818            Emergency Action Levels for Light Water Reactors
0835            Human Factors Acceptance Criteria for SPDS
0899            Guidelines for the Preparation of Emergency Operating Procedures: Resolution of Comments on NUREG-0799

Regulatory Guides    Titles
1.23 (Rev. 1)        Meteorological Measurement Program for Nuclear Power Plants
1.97 (Rev. 2)        Instrumentation for Light-Water Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident
1.101 (Rev. 2)       Emergency Planning for Nuclear Power Plants
1.47                 Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems

STPEGS Response
The above NUREG documents and RGs were used by STPEGS as guidance in developing the STPEGS Emergency Response Capabilities.
S.3 COORDINATION AND INTEGRATION OF INITIATIVES
S.3.1 The design of the SPDS, design of instrument displays based upon RG 1.97 guidance, CRDR, development of function-oriented emergency operating procedures, and operating staff training should be integrated with respect to the overall enhancement of operator ability to comprehend plant conditions and cope with emergencies. Assessment of information needs and display formats and locations should be performed by individual licensees. The SPDS could affect other control room improvements that licensees may consider. In some cases, a good SPDS may obviate the need for large-scale control room modifications. Installation of the SPDS should not be delayed by slower progress on other initiatives, and should not be contingent upon completion of the control room design review. Nor should other initiatives, such as upgraded emergency operating procedures, be impacted by delays in SPDS procurement. While the NRC does not plan to impose additional requirements upon licensees regarding SPDS, the NRC will work with the industry to assure the development of appropriate industry standards for SPDS systems.
S.3.2 Implementation of part or all of RG 1.97 (Rev. 2) represents a control room improvement. The implementation of control room improvements is not contingent upon implementing TSC and EOF requirements.
S.3.3 The TSC and EOF are dependent upon control room improvements in terms of communication and instrumentation needs among the TSC, EOF, and control room. TSC and EOF facilities are not necessarily dependent upon each other. The Operational Support Center (OSC) is independent of TSC and EOF.
S.3.4 The three groups of initiatives - SPDS, control room improvements, and emergency response facilities (TSC, EOF, OSC) - have the following interrelationships:
: a. The SPDS is an improvement because it enhances operator ability to comprehend plant conditions and interact in situations that require human intervention. The SPDS could affect other control room improvements that licensees may consider. In some cases, a good SPDS could obviate the need for extensive modifications to control rooms.
: b. New instrumentation that may be added to the control room should be considered a requirement for inclusion in the design of the TSC and EOF only to the extent that such instrumentation is essential to the performance of TSC and EOF functions.
: c. The SPDS and control room improvements are essential elements in operator training programs and the upgraded plant-specific emergency operating procedures.
: d. Acquisition, processing, and management of data for SPDS, control room improvements, and emergency response facilities should be coordinated.
S.3.5 Specific implementation plans and reasonable, achievable schedules for improvements that will satisfy the requirements will be established by agreement between the NRC Project Manager and each individual licensee. The NRC office responsible for implementing each requirement will develop procedures identifying the following.
: a. The respective roles of NRR, IE, and Regional Offices in managing implementation, checking licensee rate of progress, and verifying compliance, including the extent to which NRC review and inspection is necessary during implementation.
: b. Procedural methods and enforcement measures that could be used to ensure NRC staff and licensee attention to meeting mutually agreed upon schedules without significant delays and extensions.
S.3.6 The NRC Project Manager for each nuclear power plant is assigned program management responsibility for NRC staff actions associated with implementing emergency response initiatives. The NRC Project Manager is the principal contact for the licensee regarding these initiatives.
S.3.7 The NRC will make allowances for work already done by licensees in a good-faith effort to meet requirements as they understand them. For each case in which a licensee would have to remove or rip out emergency response facilities or equipment that was installed in good faith to meet previous guidance in order to meet the basic requirements described in this document, the Director of the Office of Nuclear Reactor Regulation or Inspection and Enforcement will review the circumstances and determine whether removal is necessary or existing facilities or equipment represent an acceptable alternative. Any regulatory position that would require the removal or major modification of existing emergency response facilities or equipment requires the specific approval of the responsible Office Director.
S.3.8 The NRC recognizes that acceptable alternative methods of phasing and integrating emergency response activities may be developed. Each licensee needs flexibility in integrating these activities, taking into account the varying degree to which the licensee has implemented past requirements and guidance. An example of a way in which these activities could be integrated is discussed below.
Other methods of integration proposed by licensees would be reviewed considering licensees' progress on each initiative.
: a. SPDS
    (1) Review the functions of the nuclear power plant operating staff that are necessary to recognize and cope with rare events that (a) pose significant contributions to risk, (b) could cause operators to make cognitive errors in diagnosing them, and (c) are not included in routine operator training programs.
    (2) Combine the results of this review with accepted human factors principles to select parameters, data display, and functions to be incorporated in the SPDS.
    (3) Design, build, and install the SPDS in the control room and train its users.
: b. To be done in parallel without delaying SPDS, complete emergency operating procedure technical guidelines that will be used to develop plant-specific emergency operating procedures.
: c. Using these EOP technical guidelines, the SPDS design, and accepted human factors principles, conduct a review of the control room design. Apply the results of this review to:
    (1) Verify SPDS parameter selection, data display, and functions.
    (2) Develop plant-specific EOPs.
    (3) Design control room modifications that correct conditions adverse to safety (reduce significant contributions to risk), and add additional instrumentation that may be necessary to implement RG 1.97.
    (4) Train and qualify plant operating staff regarding upgraded EOPs and modifications.
: d. Verify, prior to finalization of designs for modifications and of procedures and training, that the functions of control room operators in emergencies can be accomplished (i.e., that the individual initiatives have been integrated sufficiently to meet the needs of control room operators and provide adequate emergency response capabilities).
: e. Implement EOPs and install control room modifications coincident with scheduled outages as necessary, and train operators in advance of these changes as they are phased into operation.
STPEGS Response
The various aspects of developing the STPEGS Emergency Response Capabilities were coordinated and integrated to provide plant facilities and procedures that enhance the operator's ability to comprehend plant conditions and cope with emergencies.
The SPDS for STPEGS is implemented by the ERFDADS.
The design of the ERFDADS, the design of the control room, and the incorporation of RG 1.97 recommendations were integrated via the CRDR process and implementation of RG 1.97. The WOG ERGs were reviewed to determine appropriate instrumentation and displays for the control room and the ERFDADS.
The WOG ERGs, the results of the CRDR, and the implementation of RG 1.97, Rev. 2, were used to develop the STPEGS Emergency Operating Procedures (EOPs).
The STPEGS operator training is based upon the plant design and EOPs that result from the integrated process described above and in the following sections of this Appendix.
S.4. SAFETY PARAMETER DISPLAY SYSTEM (SPDS)
S.4.1 Requirements
: a. The SPDS should provide a concise display of critical plant variables to the control room operators to aid them in rapidly and reliably determining the safety status of the plant. Although the SPDS will be operated during normal operations as well as during abnormal conditions, the principal purpose and function of the SPDS is to aid the control room personnel during abnormal and emergency conditions in determining the safety status of the plant and in assessing whether abnormal conditions warrant corrective action by operators to avoid a degraded core. This can be particularly important during anticipated transients and the initial phase of an accident.
: b. Each operating reactor shall be provided with an SPDS that is located convenient to the control room operators. This system will continuously display information from which the plant safety status can be readily and reliably assessed by control room personnel who are responsible for the avoidance of degraded and damaged core events.
: c. The control room instrumentation required (see GDC 13 and 19 of Appendix A to 10 CFR 50) provides the operators with the information necessary for safe reactor operation under normal, transient, and accident conditions. The SPDS is used in addition to the basic components and serves to aid and augment these components. Thus, requirements applicable to control room instrumentation are not needed for this augmentation (e.g., GDC 2, 3, 4 in Appendix A; 10 CFR Part 100; single-failure requirements). The SPDS need not meet requirements of the single-failure criteria and it need not be qualified to meet Class 1E requirements. The SPDS shall be suitably isolated from electrical or electronic interference with equipment and sensors that are in use for safety systems. The SPDS need not be seismically qualified, and additional seismically qualified indication is not required for the sole purpose of being a backup for SPDS. Procedures which describe the timely and correct safety status assessment when the SPDS is and is not available, will be developed by the licensee in parallel with the SPDS. Furthermore, operators should be trained to respond to accident conditions both with and without the SPDS available.
: d. There is a wide range of useful information that can be provided by various systems. This information is reflected in such staff documents as NUREG-0696, NUREG-0835, and RG 1.97. Prompt implementation of an SPDS can provide an important contribution to plant safety. The selection of specific information that should be provided for a particular plant shall be based upon engineering judgment of individual plant licensees, taking into account the importance of prompt implementation.
: e. The SPDS display shall be designed to incorporate accepted human factors principles so that the displayed information can be readily perceived and comprehended by SPDS users.
: f. The minimum information to be provided shall be sufficient to provide information to plant operators about:
    (i) Reactivity control
    (ii) Reactor core cooling and heat removal from the primary system
    (iii) Reactor coolant system integrity
    (iv) Radioactivity control
    (v) Containment conditions
The specific parameters to be displayed shall be determined by the licensee.
S.4.2 Documentation and NRC Review
: a. The licensee shall prepare a written safety analysis describing the basis on which the selected parameters are sufficient to assess the safety status of each identified function for a wide range of events, which include symptoms of severe accidents. Such analysis, along with the specific implementation plan for SPDS, shall be reviewed as described below.
: b. The licensee's proposed implementation of an SPDS system shall be reviewed in accordance with the licensee's Technical Specifications to determine whether the changes involve an unreviewed safety question or change of Technical Specifications. If they do, they shall be processed in the normal fashion with prior NRC review. If the changes do not involve an unreviewed safety question or a change in the Technical Specifications, the licensee may implement such changes without prior approval by NRC or may request a pre-implementation review and approval. If the changes are to be implemented without prior NRC approval, the licensee's analysis shall be submitted to NRC promptly upon completion of review by the licensee's offsite safety review committee. Based on the results of NRC review, the Director of IE or the Director of NRR may request or direct the licensee to cease implementation if a serious safety question is posed by the licensee's proposed system, or if the licensee's analysis is seriously inadequate.
S.4.3 Integration
Prompt implementation of an SPDS is a design goal and of primary importance. The schedule for implementing SPDS should not be impacted by schedules for the CRDR and development of function-oriented emergency operating procedures. For this reason, licensees should develop and propose an integrated schedule for implementation in which the SPDS design is an input to the other initiatives. If reasonable, this schedule will be accepted by NRC.
S.4.4 Reference Documents
NUREG-0660 - Need for SPDS identified
NUREG-0737 - Specified SPDS
NUREG-0696 - Functional Criteria for SPDS
NUREG-0835 - Specific acceptance criteria keyed to NUREG-0696
RG 1.97 - Instrumentation for Light-Water Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident (Rev. 2).
STPEGS Response
An SPDS, as described above, has been implemented via the ERFDADS, as described in Section 7.5.7. The design of the ERFDADS is integrated with the implementation of RG 1.97 (Section S.6 of this Supplement and Appendix 7B) and the CRDR (Section S.5 of this Supplement).
The STPEGS Safety Parameter Display System Safety Analysis Report was provided to the NRC by letter ST-HL-AE-1861, from Mr. M. R. Wisenburg of HL&P to Mr. Vincent S. Noonan, U.S. NRC, dated December 23, 1986.
The following correspondence from M. A. McBurnett, HL&P to the NRC, responds to the staff's concerns identified during the SPDS Audit and documented in Section 18.2 of the STPEGS Safety Evaluation Report (SER) Supplements 4 and 6:
: a. ST-HL-AE-2589, dated March 18, 1988.
: b. ST-HL-AE-2962, dated February 2, 1989.
S.5. DETAILED CONTROL ROOM DESIGN REVIEW
S.5.1 Requirements
: a. The objective of the control room design review is to "improve the ability of nuclear power plant control room operators to prevent accidents or cope with accidents if they occur by improving the information provided to them" (from NUREG-0660, Item I.D.1). As a complement to improvements of plant operating staff capabilities in response to transients and other abnormal conditions that will result from implementation of the SPDS and from upgraded emergency operating procedures, this design review will identify any modifications of control room configurations that would contribute to a significant reduction of risk and enhancement in the safety of operation. Decisions to modify the control room would include consideration of long-term risk reduction and any potential temporary decline in safety after modifications resulting from the need to relearn maintenance and operating procedures. This should be carefully reviewed by persons competent in human factors engineering and risk analysis.
: b. Conduct a control room design review to identify human engineering discrepancies. The review shall consist of:
      (i) The establishment of a qualified multidisciplinary review team and a review program incorporating accepted human engineering principles.
    (ii) The use of function and task analysis (that had been used as the basis for developing emergency operating procedures, Technical Guidelines, and plant specific emergency operating procedures) to identify control room operator tasks and information and control requirements during emergency operations. This analysis has multiple purposes and should also serve as the basis for developing training and staffing needs and verifying SPDS parameters.
    (iii) A comparison of the display and control requirements with control room inventory to identify missing displays and controls.
    (iv) A control room survey to identify deviations from accepted human factors principles. This survey will include, among other things, an assessment of the control room layout, the usefulness of audible and visual alarm systems, the information recording and recall capability, and the control room environment.
: c. Assess which human engineering discrepancies are significant and should be corrected. Select design improvements that will correct those discrepancies. Improvements that can be accomplished with an enhancement program (paint-tape-label) should be done promptly.
: d. Verify that each selected design improvement will provide the necessary correction, and can be introduced in the control room without creating any unacceptable human engineering discrepancies because of significant contribution to increased risk, unreviewed safety questions, or situations in which a temporary reduction in safety could occur. Improvements that are introduced should be coordinated with changes resulting from other improvement programs such as SPDS, operator training, new instrumentation (RG 1.97, Rev. 2), and upgraded EOPs.
S.5.2 Documentation and NRC Review
: a. All licensees shall submit a program plan within two months of the start of the control room review that describes how items A, B and C above will be accomplished. The staff will review the program plans as licensees conduct their reviews, and selected licensees will undergo an in-progress audit by the NRR human factors staff based on the program plans and advice from resident inspectors and Project Managers.
: b. All licensees shall submit a summary report of the completed review outlining proposed control room changes, including their proposed schedules for implementation. The report will also provide a summary justification for human engineering discrepancies with safety significance to be left uncorrected or partially corrected.
: c. The staff will review the summary reports, and within two weeks after receipt of the licensee's summary report, will inform licensees whether a pre-implementation onsite audit will be conducted. The decision will be based upon the content of the program plan, the summary report, and the results of NRR in-progress audits, if any. The licensee selection for pre-implementation audit may or may not include licensees selected for in-progress audits under paragraph 1.
: d. For control rooms selected for pre-implementation onsite audit, within one month after receipt of the summary report, the NRC will conduct:
    (i) A pre-implementation audit of proposed modifications (e.g., equipment additions, deletions and relocations, and proposed modifications).
    (ii) An audit of the justification for those human engineering discrepancies of safety significance to be left uncorrected or only partially corrected. The audit will consist of a review of the licensee's record of the control room reviews, discussions with the licensee review team, and usually a control room visit. Within a month after this onsite audit, NRC will issue its safety evaluation report (SER).
: e. For control rooms for which NRC does not perform a pre-implementation onsite audit, NRC will conduct a review and issue its SER within two months after receipt of the licensee's summary report. The review shall be similar to that conducted for pre-implementation plants under paragraph 4 above, except that it does not include a specific audit. The SER shall indicate whether, based upon the review carried out, changes in the licensee's modification plan are needed to assure operational safety. Flexibility is considered in the control room review, because certain control board discrepancies can be overcome by techniques not involving control board changes. These techniques could include improved procedures, improved training, or the SPDS.
: f. The following approach will be used for operating license (OL) review. For OL applications with Safety Evaluation Report Supplement (SSER) dates prior to June 1983, licensing may be based on either a Preliminary Design Assessment or a CRDR at the applicant's option. However, applicants who choose the Preliminary Design Assessment option are required to perform a CRDR after licensing. For applications with SSER dated after June 1983, CRDR will be required prior to licensing.
: g. After the staff has issued an SER and licensees have addressed any open issues, they may begin their upgrade according to an approved schedule that has been negotiated with the staff.
S.5.3 Reference Documents
NUREG-0585 - States that licensees should conduct review.
NUREG-0660 - States that NRR will require reviews for (Rev. 1) operating reactors and operating licensee applicants.
NUREG-0700 - Final guidelines for CRDR.
NUREG-0737 - States that requirement was issued June 1980, final guidance not yet issued.
NUREG-0801 - Staff evaluation criteria.
STPEGS Response
The STPEGS CRDR represents a comprehensive effort to comply with NUREG-0700, NUREG-0801, and NUREG-0737, Supplement 1.
The various aspects of the CRDR are described in the documentation listed below:
: a. Program Plan - Defines the plan for performing the CRDR.
: b. Criteria Report - Provides the detailed guidelines and basis for the CRDR and describes the interface between the control room and plant systems. This report also includes review procedures, plant conventions, and human factors data developed during the CRDR that will facilitate future control room modifications.
: c. Operating Experience Review (OER) Report - Describes the operations personnel review process, results, conclusions, and recommendations of this task defined in the Program Plan.
: d. System Function and Task Analysis (SFTA) Report - Describes the methodology, results, conclusions, and recommendations for this SFTA effort defined in the Program Plan.
: e. Control Room Survey (CRS) Report - Describes the review process, results, conclusions, and recommendations of this task defined in the Program Plan. This report also includes the final results and dispositions for the human factors observations obtained from the OER and SFTA.
: f. Annunciator Report - Describes the review process, results, conclusions, and recommendations of the annunciator review task defined in the Program Plan, and the annunciator study guide.
: g. Special Studies Report - Describes details of miscellaneous studies performed as part of the CRDR. This includes the anthropometric study, the hierarchical labeling study, the demarcation study, evaluation of specified parameters, and many minor studies to resolve NRC audit comments.
: h. Implementation Plan Report - Summarizes the control panel design changes resulting from the implementation of RG 1.97 requirements, engineering design requirements, and preliminary observation of the CRDR design review team. It describes the reasons for major changes to the control panel layouts.
: i. SFTA Validation Report - Summarizes the second review required because of the extensive revisions made to the control panel layouts and also includes walk-through/talk-through exercises performed in the mock-up area.
: j. OER Validation Report - Summarizes the review made by operators to determine if the redesigned panels corrected reported operator concerns and evaluate if any new problems were created as a result of the corrective measures taken.
: k. CRS Validation Report - Summarizes the review made to determine if the Category A and representative samples of the Category B HEDs were satisfactorily corrected and if any new problems were created.
: l. Executive Summary - Summarizes the CRDR results, conclusions, recommendations, and schedules for remaining work. Technical details are in the Operating Experience Review Report, the System Function and Task Analysis Report, the Annunciator Report, the Control Room Survey Report, the Special Studies Report, the Implementation Plan Report, and various validation reports.
The above documentation was provided to the NRC by letter ST-HL-AE-1080, Mr. J. H. Goldberg of Houston Lighting & Power Company to Mr. Darrell G. Eisenhut, U. S. Nuclear Regulatory Commission, dated April 12, 1984.
The following documentation was provided to the NRC by letter ST-HL-AE-1228, from Mr. M. R. Wisenburg of Houston Lighting and Power Company to Mr. George W. Knighton, U. S. Nuclear Regulatory Commission, dated April 15, 1985:
: m. Executive Summary Addendum 1 - Updates the schedule of remaining CRDR activities following the submittal of the Executive Summary Report.
: n. Human Engineering Discrepancy Resolution Report - Summarizes all category A, B, C, and D HED resolutions.
The following documentation was provided to the NRC by Letter ST-HL-AE-1290; M. R. Wisenburg, HL&P to George W. Knighton, NRC; dated July 9, 1985.
: o. Revised Appendix L of the CRDR Criteria Report. Provided standard abbreviations list for all STPEGS labeling.
Revised pages of the Human Engineering Discrepancy Resolution Report, to clarify wording, were provided to the NRC by letter ST-HL-AE-1342, from Mr. M. R. Wisenburg of Houston Lighting and Power Company to Mr. George W. Knighton, U.S. Nuclear Regulatory Commission, dated September 4, 1985.
The following documentation was provided to the NRC via letters ST-HL-AE-1860, dated December 23, 1986, and ST-HL-AE-1864, dated December 26, 1986, each from Mr. M. R. Wisenburg of Houston Lighting and Power Company to Mr. Vincent S. Noonan, U.S. Nuclear Regulatory Commission:
: p. Criteria Report revised pages - Updates CRDR criteria for the Safety Parameter Display System, process computer guidelines, guidelines specific to CRT displays, and the standard abbreviations and acronyms for STPEGS labeling.
: q. Emergency Operating Procedures Validation Report - Summarizes the validation process used for the Emergency Operating Procedures and the results as they involve the control panels.
: r. Human Engineering Discrepancy Resolution Report Addendum 1 - Summarizes all Category A, B, C and D HED resolutions for HEDs identified after January 1, 1986.
: s. Executive Summary Addendum 2 - Summarizes the methodology and results of CRDR activities conducted since submittal of the Executive Summary Report and provides an updated schedule.
Correspondence listed below, from M. R. Wisenburg, HL&P to the NRC, was provided in response to specific NRC Human Factors Engineering Branch (HFEB) concerns:
: t. ST-HL-AE-1942, dated March 13, 1987.
: u. ST-HL-AE-2171, dated May 8, 1987.
: v. ST-HL-AE-2191, dated June 4, 1987.
: w. ST-HL-AE-2270, dated June 22, 1987.
The following documentation was provided to the NRC via letter ST-HL-AE-2421, from Mr. M. R. Wisenburg of Houston Lighting and Power Company to U.S. Nuclear Regulatory Commission, dated November 23, 1987:
: x. Executive Summary Addendum 3 - Summarizes the methodology and results of CRDR activities conducted since Addendum 2 and provides an updated schedule.
: y. Human Engineering Discrepancy Resolution Report Addendum 2 - Summarizes all Category A, B, C and D HED resolutions for HEDs identified after January 1, 1986.
The following documentation was provided to the NRC via letter ST-HL-AE-2793, from Mr. M. A. McBurnett of Houston Lighting and Power Company to U.S. Nuclear Regulatory Commission, dated October 18, 1988:
: z. Executive Summary Addendum 4 - Summarizes results of CRDR activities conducted since Addendum 3 and provides an updated schedule.
: aa. Human Engineering Discrepancy Resolution Report Addendum 3 - Summarizes all Category A, B, C and D HED resolutions for HEDs identified after January 1, 1986.
The correspondence listed below, from M. A. McBurnett, HL&P to the NRC, provided a revised schedule for the implementation of Category C HEDs:
: bb. ST-HL-AE-3074, dated May 11, 1989.
The preceding sections of this response describe the Detailed Control Room Design Review activities required by NUREG 0737, Supplement 1 for initial licensing of STP. Control of the operational phase CRDR Program has been established in plant procedures governing Human Factors Engineering Reviews.
The CRDR Criteria Report requires periodic revision to maintain it current with accepted industry practices and revised regulatory guidance. Revision 6 of the Criteria Report was the final NRC submittal required for the Detailed Control Room Design Review developed under NUREG 700 Rev. 0. Subsequent revisions are associated with the operational phase of the CRDR at STP and are developed using the applicable guidance from NUREG 700 Rev. 1 or later, which addresses reviews for changes to plants after completion of the Detailed Control Room Design Review.
Revision control of the Criteria Report has been established in the plant procedures governing the CRDR operational phase. Changes to the CRDR Criteria Report are reviewed in accordance with the STP procedures implementing 10CFR50.59.
S.6. REGULATORY GUIDE 1.97 - APPLICATION TO EMERGENCY RESPONSE FACILITIES
S.6.1 Requirements
: a. Functional Statement    Regulatory Guide 1.97 provides data to assist control room operators in preventing and mitigating the consequences of reactor accidents.
: b. Control Room    Provide measurements and indication of Type A, B, C, D, and E variables listed in RG 1.97, Rev. 2. Individual licensees may take exceptions based on plant-specific design features. BWR incore thermocouples and continuous offsite dose monitors are not required pending their further development and consideration as requirements. It is acceptable to rely upon currently installed equipment if it will measure over the range indicated in RG 1.97, Rev. 2, even if the equipment is presently not environmentally qualified. Eventually, all the equipment required to monitor the course of an accident would be environmentally qualified in accordance with the pending Commission rule on environmental qualification.
Provide reliable indication of the meteorological variables (wind direction, wind speed, and atmospheric stability) specified in RG 1.97, Rev. 2, for site meteorology. No changes in existing meteorological monitoring systems are necessary if they have historically provided reliable indication of these variables that are representative of meteorological conditions in the vicinity (up to about 10 miles) of the plant site. Information on meteorological conditions for the region in which the site is located shall be available via communication with the National Weather Service. These requirements supersede the clarification of NUREG-0737, Item III.A.2.2.
: c. Technical Support Center (TSC)    The Type A, B, C, D, and E variables that are essential for performance of TSC functions shall be available in the TSC.
    (i) BWR incore thermocouples and continuous offsite dose monitors are not required pending their further development and consideration as requirements.
    (ii) The indicators and associated circuitry shall be of reliable design but need not meet Class 1E, single-failure or seismic qualification requirements.
: d. Emergency Operations Facility (EOF)
    (i) Those primary indicators needed to monitor Containment conditions and releases of radioactivity from the plant shall be available in the EOF.
    (ii) The EOF data indications and associated circuitry shall be of reliable design but need not meet Class 1E, single-failure or seismic qualification requirements.
S.6.2 Documentation and NRC Review
NRC review is not a prerequisite for implementation. Staff review will be in the form of an audit that will include a review of the licensee's method of implementing RG 1.97, Rev. 2 guidance and the licensee's supporting technical justification of any proposed alternatives.
The licensee shall submit a report describing how it meets these requirements. The submittal should include documentation which may be in the form of a table that includes the following information for each Type A, B, C, D, and E variable shown in RG 1.97, Rev. 2.
  (a) instrument range
  (b) environmental qualification (as stipulated in Guide or State criteria)
  (c) seismic qualification (as stipulated in Guide or State criteria)
  (d) quality assurance (as stipulated in Guide or State criteria)
  (e) redundance and sensor(s) location(s)
  (f) power supply (e.g., Class 1E, non-Class 1E, battery backed)
  (g) location of display (e.g., control room board, SPDS, chemical laboratory)
  (h) schedule (for installation or upgrade)
Deviations from the guidance in RG 1.97, Rev. 2 should be explicitly shown, and supporting justification or alternatives should be presented.
STPEGS Response
STPEGS has performed an extensive analysis to respond to RG 1.97, Rev. 2. This analysis identified the appropriate variables and established appropriate design bases and qualification criteria for instrumentation to be employed by the control room operator during and following an accident.
The selection of variables was integrated with the WOG ERGs in accordance with Section S.3 of this Supplement. The display methodology development was coordinated with the CRDR as described in Section S.5 of this Supplement. The results of this analysis are summarized in Table 7.5-1. The analysis is presented in Appendix 7B.
The RG 1.97 variables are provided in the control room as described in Section 7.5.1 and presented in Table 7.5-1. The variables are provided in the TSC and the EOF via the ERFDADS. The ERFDADS is described in Section 7.5.7.
S.7. UPGRADE EMERGENCY OPERATING PROCEDURES (EOPs)
S.7.1 Requirements
: a. The use of human-factored, function-oriented, emergency operating procedures will improve human reliability and the ability to mitigate the consequences of a broad range of initiating events and subsequent multiple failures or operator errors, without the need to diagnose specific events.
: b. In accordance with NUREG-0737, Item I.C.1, reanalyze transients and accidents and prepare Technical Guidelines. These analyses will identify operator tasks, and information and control needs. The analyses also serve as the basis for integrating upgraded emergency operating procedures and the control room design review and verifying the SPDS design.
: c. Upgrade EOPs to be consistent with Technical Guidelines and an appropriate procedure Writer's Guide.
: d. Provide appropriate training of operating personnel on the use of upgraded EOPs prior to implementation of the EOPs.
: e. Implement upgraded EOPs.
S.7.2 Documentation and NRC Review
: a. Submit Technical Guidelines to NRC for review. NRC will perform a pre-implementation review of the Technical Guidelines. Within two months of receipt of the Technical Guidelines, NRC will advise the licensees of their acceptability.
: b. Each licensee shall submit to NRC a procedures generation package at least three months prior to the date it plans to begin formal operator training on the upgraded procedures. NRC approval of the submittal is not necessary prior to upgrading and implementing the EOPs. The procedures generation package shall include:
    (i) Plant-Specific Technical Guidelines - plant-specific guidelines for plants not using generic technical guidelines. For plants using generic technical guidelines, a description of the planned method for developing plant-specific EOPs from the generic guidelines, including plant-specific information.
    (ii) A Writer's Guide that details the specific human factors methods to be used by the licensee in preparing EOPs based on the Technical Guidelines.
(iii) A description of the program for verification and validation of EOPs.
      (iv) A brief description of the training program for the upgraded EOPs.
: c. All procedure generation packages will be reviewed by the staff. On an audit basis for selected facilities, upgraded EOPs will be reviewed. The details and extent of this review will be based upon the quality of the procedures generation packages submitted to NRC. A sampling of upgraded EOPs will be reviewed for technical adequacy in conjunction with the NRC Reactor Inspection Program.
S.7.3 Reference Documents
NUREG-0600, Item I.C.1, I.C.8, I.C.9
NUREG-0799 - (Superseded by NUREG-0899)
STPEGS Response
The Technical Guidelines required by NUREG-0737, Item I.C.1 have been developed by the WOG and submitted to the NRC.
The guidelines, titled "Emergency Response Guidelines", are used in conjunction with the results of the CRDR (see Section S.5 of this Supplement) and the implementation of RG 1.97 (see Appendix 7B) to develop STPEGS EOPs that are human-factored, function-oriented, and well integrated with the plant design.
The STPEGS schedule for procedure development was transmitted by ST-HL-AE-944, Mr. J. H. Goldberg of Houston Lighting & Power Company to Mr. Darrell G. Eisenhut, U.S. Nuclear Regulatory Commission, dated April 14, 1983. Per that schedule, a copy of the STPEGS Procedures Generation Package was transmitted by ST-HL-AE-1266, Mr. J. G. Dewease of Houston Lighting & Power Company to Mr. H. L. Thompson, U. S. Nuclear Regulatory Commission, dated June 14, 1985.
S.8. EMERGENCY RESPONSE FACILITIES
S.8.1 Regulations
10 CFR 50.47(b)(6) (for Operating License applicants) - Requirement for prompt communications among principal response organizations and to emergency personnel and to the public.
10 CFR 50.47(b)(8) - Requirement for emergency facilities and equipment to support emergency response.
10 CFR 50.47(b)(9) - Requirement that adequate methods, systems and equipment for assessing and monitoring actual or potential offsite consequences of a radiological emergency condition are in use.
10 CFR 50.54(q) (for Operating Reactors) - Same requirement as 10 CFR 50.47(b) plus 10 CFR 50, Appendix E.
10 CFR 50, Appendix E, Paragraph IV.E Requirement for:
    "1. Equipment at the site for personnel monitoring";
    "2. Equipment for determining the magnitude of and for continuously assessing the impact of the release of radioactive materials to the environment";
    "3. Facilities and supplies at the site for decontamination of onsite individuals";
    "4. Facilities and medical supplies at the site for appropriate emergency first aid treatment";
    "5. Arrangements for the services of physicians and other medical personnel qualified to handle radiation emergencies onsite";
    "6. Arrangements for transportation of contaminated injured individuals from the site to specifically identified treatment facilities outside the site boundary";
    "7. Arrangements for treatment of individuals injured in support of licensed activities on the site at treatment facilities outside the site boundary";
    "8. A licensee onsite technical support center and a licensee near-site emergency operations facility from which effective direction can be given and effective control can be exercised during an emergency";
    "9. At least one onsite and one offsite communications system; each system shall have a backup power source".
All communication plans shall have arrangements for emergencies, including titles and alternates for those in charge at both ends of the communication links and the primary and backup means of communication. Where consistent with the function of the governmental agency, these arrangements will include:
    "a. Provision for communications with contiguous state/local governments within the plume exposure pathway EPZ. Such communications shall be tested monthly". 
    "b. Provisions for communication with Federal emergency response organizations. Such communication systems shall be tested annually". 
    "c. Provision for communications among the nuclear power reactor control room, the onsite technical support center, and the near-site emergency operations facility; and among the nuclear facility, the principal State and local emergency operations centers, and the field assessment teams. Such communications systems shall be tested annually".
    "d. Provisions for communication by the licensee with NRC Headquarters and the appropriate NRC Regional Office Operations Center from the nuclear power reactor control room, the onsite technical support center, and the near-site emergency operations facility. Such communications shall be tested monthly".
Within this section on emergency response facilities, the TSC, OSC, and EOF are addressed separately in terms of their functional statements and recommended requirements. The subsections on Documentation and NRC Review and Reference Documents that follow the EOF discussion apply to this entire section on ERFs.
TABLE S.8-1 EMERGENCY OPERATION FACILITY
Option 1 - Two Facilities
Close-in Primary: Reduce Habitability(1)
: Within 10 miles
: Protection factor = 5
: Ventilation isolation with HEPA (no charcoal)
Backup EOF
: Between 10-20 miles
: No separate, dedicated facility
: Arrangements for portable backup equipment
: Strongly recommended location be coordinated with offsite authorities
: Continuity of dose projection and decision making capability
Option 2 - One Facility
: At or Beyond 10 miles(2)
: No special protection factor
: required by the Commission, and some provision for NRC site team closer to site
: Strongly recommended location be coordinated with offsite authorities
For both Options:
: Located outside security boundary
: Space for about 10 NRC employees
: None designated for severe phenomena, e.g., earthquakes
: 1. Habitability requirements are only for the part of the EOF in which dose assessments communication and decision making take place.
: 2. If a utility has begun construction of a new building for an EOF that is located within 6 miles, that new facility is acceptable (with less than protection factor of 5 and ventilation and HEPA) provided a backup EOF similar to the one described in Option 1 is provided.
S.8.2 Technical Support Center (TSC)
S.8.2.1 Requirements
: a. The TSC is the onsite technical support center for emergency response. When activated, the TSC is staffed by predesignated technical, engineering, senior management, and other licensee personnel, and five pre-designated NRC personnel. During periods of activation, the TSC will operate uninterrupted to provide plant management and technical support to plant operations personnel, and to relieve the reactor operators of peripheral duties and communications not directly related to reactor system manipulations. The TSC will perform EOF functions for the Alert Emergency class and for the Site Area Emergency class and General Emergency class until the EOF is functional.
The TSC will be:
: b. Located within the site protected area so as to facilitate necessary interaction with control room, OSC, EOF, and other personnel involved with the emergency.
: c. Sufficient to accommodate and support NRC and licensee predesignated personnel, equipment, and documentation in the center.
: d. Structurally built in accordance with the Uniform Building Code.
: e. Environmentally controlled to provide room air temperature, humidity, and cleanliness appropriate for personnel and equipment.
: f. Provided with radiological protection and monitoring equipment necessary to assure that radiation exposure to any person working in the TSC would not exceed 5 rem whole body, or its equivalent to any part of the body for the duration of the accident.
: g. Provided with reliable voice and data communications with the control room and EOF and reliable voice communications with the OSC, NRC Operations Centers, and State and local operations centers.
: h. Capable of reliable data collection, storage, analysis, display, and communication sufficient to determine site and regional status and take appropriate actions. The following variables shall be available in the TSC: (i) the variables in the appropriate Table 1 or 2 of RG 1.97, Rev. 2 that are essential for performance of TSC functions; and (ii) the meteorological variables in RG 1.97, Rev. 2 for site vicinity and National Weather Service data available by voice communication for the region in which the plant is located.
Principally, those data must be available that would enable evaluating incident sequence, determining mitigating actions, evaluating damages, and determining plant status during recovery operations.
: i. Provided with accurate, complete, and current plant records (drawings, schematic diagrams, etc.) essential for evaluations of the plant under accident conditions.
: j. Staffed by sufficient technical, engineering, and senior designated licensee officials to provide needed support, and be fully operational within approximately 1 hour after activation.
: k. Designed taking into account good human factors engineering principles.
TABLE S.8-2
MINIMUM STAFFING REQUIREMENTS FOR NRC LICENSEES FOR NUCLEAR POWER PLANT EMERGENCIES
Major Functional Area | Major Tasks | Position Title or Expertise | On Shift(1) | Capability for Additions, 30 min. | Capability for Additions, 60 min.
Plant Operations and Assessment of Operational Aspects | | Shift Manager (SRO) | 1 | -- | --
 | | Shift foreman (SRO) | 1 | -- | --
 | | Control-room operators | 2 | -- | --
 | | Auxiliary operators | 2 | -- | --
Emergency Direction and Control (Emergency Coordinator)(3) | | Shift technical advisor, shift supervisor, or designated facility manager | 1(2) | -- | --
Notification/Communication(4) | Notify licensee, state, local, and federal personnel & maintain communication | | 1 | 1 | 2
Radiological Accident Assessment and Support of Operational Accident Assessment | Emergency operations facility (EOF) director | Senior manager | -- | -- | 1
 | Offsite dose assessment | Senior health physics (HP) expertise | -- | |
 | Offsite surveys | | -- | 2 | 2
 | Onsite (out-of-plant) | | -- | 1 | 1
 | Inplant surveys | HP technicians | 1 | 1 | 1
 | Chemistry/radio-chemistry | Rad/chem technicians | 1 | -- | 1
Plant System Engineering, Repair, and Corrective Actions | Technical support | Shift technical advisor | 1 | -- | --
 | | Core/thermal Hydraulics | -- | |
 | | Electrical | -- | -- | 1
 | | Mechanical | -- | -- | 1
 | Repair and corrective actions | Mechanical maintenance/Radwaste operator | 1(2) - - 1 1
 | | Electrical maintenance/instrument and control (I & C) technician | 1(2) 1 1 - - - -
Protective Actions (In-Plant) | Radiation protection: a. Access control; b. HP Coverage for repair, corrective actions, search and rescue first-aid, & firefighting; c. Personnel monitoring; d. Dosimetry | HP technician | 2(2) | 2 | 2
Firefighting | -- | -- | Fire brigade technical specification | Local support |
Rescue Operations and First-Aid | -- | -- | 2(2) | Local Support |
Site Access Control and Personnel Accountability | Security, firefighting, communications, personnel accountability | Security personnel | All per Security Plan | |
Total | | | 10 | 11 | 15
: 1. For each unaffected nuclear unit in operation, maintain at least one shift foreman, one control-room operator, and one auxiliary operator, except that units sharing a control room may share a shift foreman if all functions are covered.
: 2. May be provided by shift personnel assigned other functions.
: 3. Overall direction of facility response to be assumed by EOF director when all centers are fully manned. Direction of minute-to-minute facility operations remains with senior manager in the Technical Support Center or the control room.
: 4. May be performed by engineering aide to shift supervisor.
S.8.3 Operational Support Center (OSC)
S.8.3.1 Requirements
: a. When activated, the OSC will be the onsite area separate from the control room where predesignated operations support personnel will assemble. A predesignated licensee official shall be responsible for coordinating and assigning the personnel to tasks designated by control room, TSC, and EOF personnel.
The OSC will be:
: b. Located onsite to serve as an assembly point for support personnel and to facilitate performance of support functions and tasks.
: c. Capable of reliable voice communications with the control room, TSC, and EOF.
S.8.4 Emergency Operations Facility (EOF)
S.8.4.1 Requirements
: a. The EOF is a licensee-controlled and operated facility. The EOF provides for management of overall licensee emergency response, coordination of radiological and environmental assessment, development of recommendations for public protective actions, and coordination of emergency response activities with Federal, State, and local agencies.
When the EOF is activated, it will be staffed by predesignated emergency personnel identified in the emergency plan. A designated senior licensee official will manage licensee activities in the EOF.
Facilities shall be provided in the EOF for the acquisition, display, and evaluation of radiological and meteorological data and Containment conditions necessary to determine protective measures. These facilities will be used to evaluate the magnitude and effects of actual or potential radioactive releases from the plant and to determine dose projections.
The EOF will be:
: b. Located and provided with radiation protection features as described in Table 1 (previous guidance approved by the Commission) and with appropriate radiological monitoring systems.
: c. Sufficient to accommodate and support Federal, State, local, and licensee predesignated personnel, equipment and documentation in the EOF.
: d. Structurally built in accordance with the Uniform Building Code.
: e. Environmentally controlled to provide room air temperature, humidity, and cleanliness appropriate for personnel and equipment.
: f. Provided with reliable voice and data communications facilities to the TSC and control room, and reliable voice communication facilities to OSC and to NRC, State, and local emergency operations centers.
: g. Capable of reliable collection, storage, analysis, display, and communication of information on Containment conditions, radiological releases and meteorology sufficient to determine site and regional status, forecast status, and take appropriate actions. Variables from the following categories that are essential to EOF functions shall be available in the EOF:
      (i) variables from the appropriate Table 1 or 2 of RG 1.97, Rev. 2, and (ii) the meteorological variables in RG 1.97, Rev. 2 for site vicinity and regional data available via communication from the National Weather Service.
: h. Provided with up-to-date plant records (drawings, schematic diagrams, etc.), procedures, emergency plans, and environmental information (such as geophysical data) needed to perform EOF functions.
: i. Staffed using Table 2 (previous guidance approved by the Commission) as a goal. Reasonable exceptions to goals for the number of additional staff personnel and response times for their arrival should be justified and will be considered by NRC staff.
: j. Provided with industrial security when it is activated to exclude unauthorized personnel and when it is idle to maintain its readiness.
: k. Designed taking into account good human factors engineering principles.
S.8.4.2 Documentation and NRC Review
The conceptual designs for emergency response facilities (TSC, OSC, and EOF) have been submitted to NRC for review. In many cases, the lack of detail in these submittals has precluded an NRC decision of acceptability. Some designs have been disapproved because they clearly did not meet the intent of the applicable regulations. NRC does not intend to approve each design prior to implementation, but rather has provided in this document those requirements which should be satisfied. These requirements provide a degree of flexibility within which licensees can exercise management prerogatives in designing and building emergency response facilities (ERF) that satisfy specific needs of each licensee. The foremost consideration regarding ERFs is that they provide adequate capabilities of licensees to respond to emergencies. NUREG guidance on ERFs has been intended to address specific issues which the Commission believes should be considered in achieving improved capabilities.
Licensees should assure that the design of ERFs satisfies these requirements. Exemptions from or alternative methods of implementing these requirements should be discussed with NRC staff and in some cases could require Commission approval. Licensees should continue work on ERFs to complete them according to schedules that will be negotiated on a plant-specific basis. NRC will conduct appraisals of completed facilities to verify that these requirements have been satisfied and that ERFs are capable of performing their intended functions. Licensees need not document their actions on each specific item contained in NUREG-0696 or 0814.
S.8.4.3 Reference Documents (Emergency Response Facilities)
10 CFR 50.47(b) - Requirements for Emergency Facilities and Equipment for OLs.
10 CFR 50.54(q) and Appendix E, Paragraph IV.E - Requirements for Emergency Facilities and Equipment for ORs.
NUREG-0660 - Description of and Implementation Schedule for TSC, OSC, and EOF.
Eisenhut letter to power reactor licensees September 13, 1979 - Request for commitment to meet requirements.
Denton letter to power reactor licensees October 30, 1979 - Clarification of requirements.
NUREG-0654 - Radiological Emergency Response Plans
NUREG-0696 - Functional Criteria for Emergency Response Facilities.
NUREG-0737 - Guidance on Meteorological Monitoring and Dose Assessment.
Eisenhut letter to power reactor licensees February 18, 1981 - Commission approved guidance on location, habitability, and staff for emergency facilities. Request and deadline for submittal of conceptual design of facilities.
NUREG-0814 (Draft Report for Comment) - Methodology for Evaluation of Emergency Response Facilities.
NUREG-0818 (Draft Report for Comment) - Emergency Action Levels
RG 1.97, Rev. 2 - Guidance for Variables to be Used in Selected Emergency Response Facilities.
COMJA-80-37, January 21, 1981 - Commission approval guidance on EOF location and habitability.
Secretary memorandum S81-19, February 19, 1981 - Commission approval of NUREG-0696 as general guidance only.
STPEGS Response
TECHNICAL SUPPORT CENTER (TSC)
The TSC is the onsite technical support facility for emergency response. When activated, the TSC is staffed by predesignated technical, engineering, senior management, and other licensee personnel, and predesignated NRC personnel. During periods of activation, the TSC is staffed continuously to provide plant management and technical support to plant operations personnel, and to relieve the reactor operators of peripheral duties and communications not directly related to reactor system manipulations. The TSC performs the EOF functions for the Alert Emergency class and for the Site Area Emergency class and General Emergency class if activation of the EOF is delayed.
Further discussion of the TSC and the TSC staffing requirements is provided in the STPEGS Emergency Plan.
Safety Design Bases
The equipment and facilities comprising the TSC perform no safety-related functions. The design ensures that any fault or malfunction of the TSC equipment does not compromise any safety-related equipment, components, or structures.
Power Generation Design Bases
: 1. Location and Structural Integrity
A. The TSC is located in the Electrical Auxiliary Building (EAB), at elevation 72 feet, within a 2-minute walking distance of the Control Room (CR) (see Figures 7A.S.8-1 to 7A.S.8-4).
B. The TSC is structurally designed in accordance with the Uniform Building Code (UBC).
C. Personnel access to the TSC is controlled.
: 2. Size and Space Allocation
A working space of approximately 75 ft² per person is provided in the TSC. Human factors engineering standards are considered in the TSC design. Areas other than those specifically designated as work areas may be used to contribute to the working space.
: 3. Habitability
A. The TSC is provided with sufficient radiological protection and monitoring equipment to assure that radiation exposure to any person working in the TSC will not exceed 5 rem TEDE for the duration of an accident.
B. The HVAC for the TSC is designed to provide a suitable environment during normal and post-accident operation, including protection from post-accident radiological releases. For further discussion of the TSC HVAC design see Section 9.4.1.
The TSC HVAC system is normally powered from a non-Class 1E MCC which provides power at 480 V +/-10 percent. When normal power is lost, a backup power supply from a non-Class 1E diesel generator is provided.
C. Radiation monitoring and smoke detection capability are provided in the HVAC supply duct to the TSC. Alarm and indication are provided.
D. High airborne radiation level in the intake to the TSC HVAC system switches the system to the filtration/recirculation mode of operation. Detection of high smoke level in the intake to the TSC HVAC system causes automatic isolation of the system.
E. The following emergency items are available:
: 1. Portable air breathing apparatus:  18 individual units
: 2. Anticontamination clothing:  18 individual sets
: 4. Communications
A. The TSC is provided with continuous communication with the following areas:
: 1. Control Room
: 2. Operations Support Center
: 3. Emergency Operations Facility
: 4. Auxiliary Shutdown Panel area
: 5. NRC Emergency Notification System
: 6. NRC Health Physics Network telephone system
: 7. State and Local Emergency Operations Centers
: 5. Plant Records Storage
Plant records necessary to perform the TSC functions are available in the TSC. The records available include:
A. Plant design documents such as piping and instrumentation diagrams, control logic diagrams, and electrical elementary diagrams.
B. Radiation Zone drawings
C. UFSAR
D. Emergency Operating Procedures
E. Emergency Plan
F. Maps of the Emergency Planning Zone
: 6. Data Acquisition and Display
The ERFDADS, which is capable of reliable data collection, storage, analysis, display, and communications sufficient to determine plant status, determine changes in status, forecast status, and take appropriate actions, is provided (Section S.4 of this Appendix). The SPDS, required by NUREG-0737, is implemented by the ERFDADS.
The Dose Assessment System provides reliable data collection, storage, analysis, display, and communications sufficient to determine site and regional status, determine changes in status, forecast status, and take appropriate actions in accordance with the STPEGS Emergency Plan.
The ERFDADS and Dose Assessment System equipment located in the TSC are powered from a non-Class 1E, uninterruptible power supply (UPS) capable of maintaining system operation for 2 hours. Normal AC power to the UPS is supplied from a non-Class 1E diesel generator-backed bus.
: 7. TSC Operational Requirements
The TSC is designed to be fully functional within one hour of activation. The TSC is designed with an availability goal of 99 percent during all plant pressure and temperature conditions exceeding cold shutdown conditions. Activation of the TSC is required as shown below:
Plant Status | Activation
Unusual Event | Optional
Alert | Required
Site Area Emergency | Required
General Emergency | Required
Other | As directed by plant management
OPERATIONS SUPPORT CENTER (OSC)
When activated, the OSC is the onsite area separate from the control room where predesignated operations support personnel assemble.
The OSC is located in the MEAB (see Figures 7A.S.8-1 and 7A.S.8-5) to facilitate support functions and tasks.
The OSC is provided with continuous voice communications with the control room, TSC, and EOF. Adequate staffing is provided by STPEGS and is identified in the Emergency Plan.
EMERGENCY OPERATIONS FACILITY
The EOF is a licensee-controlled and operated facility. The EOF provides for management of overall licensee emergency response, coordination of radiological and environmental assessment, determination of recommended public protective actions, and coordination of emergency response activities with federal, State, and local agencies.
When the EOF is activated, it will be staffed by predesignated personnel. A designated senior licensee official will manage licensee activities in the EOF.
Facilities are provided in the EOF for the acquisition, display, and evaluation of radiological and meteorological data and Containment conditions necessary to determine protective measures. These facilities can be used to evaluate the magnitude and effects of actual or potential radioactive releases from the plant and to determine dose projections.
Safety Design Bases
The EOF performs no safety-related function. The design ensures that any fault or malfunction of the EOF equipment does not compromise any safety-related equipment, components, or structures.
Power Generation Design Bases
: 1. Location and Structural Integrity
A. The EOF is a separate facility located in Bay City, Texas approximately 12.5 air miles north north-east of the Station, in the South Texas Project Center for Energy Development building (Figures 7A.S.8-5).
B. The EOF is structurally designed in accordance with the UBC and is designed to withstand the most adverse conditions reasonably expected during the design life of the plant, including high winds or floods of a 100 year recurrence frequency.
: 2. Size and Space Allocation
A working space of approximately 75 ft² per person is provided in the EOF. Areas other than those specifically designated as work areas may be used to contribute to the working space. The EOF provides for an occupancy of 9 NRC, 1 FEMA, 10 State, 2 County, 1 American Nuclear Insurers, and 25 licensee and owner personnel.
: 3. Habitability
A. Deleted
B. Deleted
C. Deleted
D. The EOF ventilation system is designed to maintain area temperature at 75 +/-5 F in occupied areas, storage, and equipment rooms.
The EOF HVAC system is powered from non-Class 1E building distribution panels. When normal power is lost, backup power is supplied from the EOF natural gas generators.
E. Protective clothing and respiratory equipment are readily available to all required EOF personnel.
: 4. Communications
The EOF is provided with continuous voice communications with the following:
A. Control room
B. OSC
C. TSC
D. NRC Emergency Notification System
E. NRC Health Physics Network
F. State and Local Emergency Operations Centers
G. Media Information Center
Radio and telephone equipment used in the EOF is powered from non-Class 1E building distribution panels, and backed up by a natural gas generator with an automatic transfer switch.
: 5. Plant Records Storage
Plant records available in the EOF include:
A. Plant design documents such as piping and instrumentation diagrams, control logic diagrams, and electrical diagrams
B. Radiation Zone drawings
C. Emergency Operating Procedures
D. Emergency Plan and Procedures
E. Demographic information
F. Maps of the Emergency Planning Zone
: 6. Data Acquisition and Display
The ERFDADS (see Section S.4 of this Appendix) is capable of reliable data collection, storage, analysis, display, and communications sufficient to determine plant status, determine changes in status, forecast status, and provides ERF data acquisition and display in the EOF. The Dose Assessment system provides reliable data collection, storage, analysis, display, and communications sufficient to determine site and regional radiological status, determine changes in status, forecast status, and determine appropriate actions in accordance with the STPEGS Emergency Plan.
The ERFDADS and Dose Assessment System equipment located in the EOF is powered from non-Class 1E building distribution panels, and backed up by a natural gas generator with an automatic transfer system.
: 7. Natural Gas Generator
A non-Class 1E natural gas generator, located adjacent to the building, provides backup power to the EOF. Natural gas is piped directly to the generator for continuous operation.
The generator is inside a chain linked fence for security and safety of the public.
: 8. EOF Operational Requirements
The EOF is designed to be fully functional within one hour of activation. The EOF is designed with an availability goal of 99 percent during plant pressure and temperature conditions exceeding cold shutdown conditions. Activation of the EOF is required as shown below:
Plant Status | Activation
Unusual Event | Optional
Alert | Optional
Site Area Emergency | Required
General Emergency | Required
Other | As directed by plant management
STPEGS UFSAR 7B-1 Revision 16
Appendix 7B
South Texas Project Compliance With Regulatory Guide 1.97, Revision 2
Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident
APPENDIX 7B
7B.1 DISCUSSION
An analysis was conducted to develop a response to Regulatory Guide (RG) 1.97, Rev. 2. This analysis identified the appropriate variables and established appropriate design bases and qualification criteria for instrumentation employed by the control room operator during and following an accident.
This design basis establishes the key and preferred backup variables to be monitored by the control room operating staff of the South Texas Project Electric Generating Station (STPEGS) following the initiation of an accident. The design basis recognizes the variables essential to the control room staff up to the time other emergency response facilities are manned, as well as the information essential to the control room staff in subsequently controlling the plant and proceeding to safe shutdown conditions. Also included, to aid the system designer, are criteria for determining the requirements for the instruments used to monitor these variables.
The selection of variables was integrated with the Westinghouse Owners Group (WOG) Emergency Response Guidelines (ERGs) in accordance with the guidance on integration of emergency response capability elements outlined in NUREG-0737, Supplement 1 (Appendix 7A, Item S.3).
This was accomplished by performing a task analysis based upon the WOG ERGs to identify those variables necessary for implementation of the guidelines. The Optimal Recovery Guidelines (ORGs) were reviewed to determine those Type A variables necessary to (a) perform diagnosis, (b) take preplanned manually controlled actions, and (c) take actions necessary to reach and maintain a controlled condition. The Critical Safety Function (CSF) Status Trees were reviewed to determine those Type B variables necessary for the operator to determine if a Functional Restoration Guideline (FRG) should be implemented. Furthermore, the FRGs were reviewed to determine those Type B variables necessary to assess the process of accomplishing or maintaining CSFs, i.e., subcriticality, reactor core cooling, heat sink maintenance, RCS integrity, Containment environment and Reactor Coolant System (RCS) inventory. The ERGs were also reviewed to determine those Type D variables necessary for (a) monitoring those plant safety systems employed for mitigating the consequences of an accident and subsequent plant recovery and (b) other systems normally employed for attaining a cold shutdown condition. Finally, the ERGs were reviewed to determine those Type E variables necessary to (a) determine the accessibility of areas at the plant following an accident and (b) continually assess the release of radioactive materials due to the accident.
Utilization of this task analysis process ensures that the plant information utilized by the plant operators following an accident to implement the STPEGS Emergency Operating Procedures (EOPs) is obtained from specially designed and qualified instrumentation as defined in this design basis.
The WOG ERGs, the results of the Control Room Design Review (CRDR) (Appendix 7A, Item I.D.1), and the interpretation of RG 1.97, Rev. 2, as described in this Appendix, are used to develop STPEGS EOPs that are human-factored, function-oriented, and integrated with the plant design.
The detailed methodology for the handling of displays was addressed in the design of the Qualified Display Processing System (QDPS) and in conjunction with the CRDR programs to address NUREG-0696 and NUREG-0700 (See Appendix 7A, Item S.5). Section 7B.3 describes interface criteria which must be satisfied for the display methodology to meet the intent of RG 1.97, Rev. 2 and this design basis.
7B.1.1 Planned Versus Unplanned Operator Actions
The plant safety analyses and evaluations define the design basis accident (DBA) event scenarios for which preplanned operator actions are required. Accident monitoring instrumentation is necessary to permit the operator to take required actions to address these analyzed situations. However, instrumentation is also necessary for unplanned situations; i.e., to ensure that, should plant conditions evolve differently than predicted by the safety analyses, the operator has sufficient information to monitor the course of the event. Additional instrumentation is also needed to indicate to the operator whether the integrity of the fuel clad, the RCS pressure boundary, or the reactor Containment has degraded beyond the prescribed limits defined as a result of the plant safety analyses and other evaluations. Such additional requirements are considered by this design basis.
7B.1.2 Variables Types Five classifications of variable s have been identified. Operator manual actions identified in the operating procedures, associated with DBA events, are preplanned.
Those variables that provide information needed by the operator to perform these manual actions are designated Type A. The basis for selecting Type A variables is given in Section 7B.2.2.1.
Those variables needed to assess that the plant critical safety functions are being accomplished or maintained, as identified in the plant safety analysis and other evaluations, are designated Type B.
Variables used to monitor for the significant breach or the potential significant breach of fuel clad, the RCS pressure boundary, or the reactor Containment, are designated Type C. Type C variables used to monitor the potential breach of Containment have an arbitrarily-determined, extended range. The extended range is chosen to minimize the probability of instrument saturation even if conditions exceed those predicted by the safety analysis. The response characteristics of Type C information display channels allow the control room operator to detect conditions indicative of significant failure of any of the three fission product barriers or the potential for significant failure of these barriers.
Although variables selected to fulfill Type C functions may rapidly approach the values that indicate an actual significant failure, it is the final steady-state value reached that is important. Therefore, a high degree of accuracy and a rapid response time are not necessary for Type C information display channels.
Those variables needed to assess the operation of individual safety systems and systems normally used to attain cold shutdown are designated Type D.
The variables that are required for use in determining the magnitude of release and continually assessing any releases of radioactive materials are designated Type E.
The five classifications are not mutually exclusive in that a given variable (or instrument) may be included in one or more types.
The cross-referencing of variable to type is given in Table 7.5-1.
Table 7B.1-1 identifies the instruments utilized at STPEGS which address the recommendations of both NUREG-0737 and RG 1.97, Rev. 2. The instruments identified meet the intent of the guidance provided in NUREG-0737.
7B.1.3 Design and Qualification Criteria
Three categories of design and qualification criteria have been identified. The differentiation is made in order that an importance of information hierarchy can be recognized in specifying post-accident monitoring instrumentation. Category 1 instrumentation has the highest pedigree and should be utilized for primary information which the operator should use for preplanned manual actions and determining the state of the plant. Category 2 and 3 instruments are of lesser importance in determining the status of the plant and do not require the same level of operational assurance.
The primary differences between category requirements are in qualification, application of the single failure criterion, power supply, and display requirements. Category 1 requires seismic and environmental qualification, the application of a single failure criterion, utilization of emergency standby power, and an immediately accessible display. Category 2 requires qualification commensurate with the required function but does not require the single failure criterion, emergency standby power, or an immediately accessible display. Category 2 requires, in effect, a rigorous performance verification for a single instrument channel. Category 3 does not require qualification, single failure criterion, emergency standby power, or an immediately accessible display.
7B.2 DEFINITION OF VARIABLE TYPES
7B.2.1 Definitions
7B.2.1.1 Design Basis Accident Events. DBA events are those events, any one of which may occur during the lifetime of a particular plant, and those events not expected to occur but postulated because their consequences would include the potential for release of significant amounts of radioactive gaseous, liquid, or particulate material to the environment. Excluded are those events (defined as "normal" and "anticipated operational occurrences" in 10CFR50) expected to occur more frequently than once during the lifetime of a particular plant. The limiting accidents that were used to determine instrument functions are: 1) Loss-of-Coolant Accident (LOCA), 2) Steamline Break, 3) Feedwater (FW) Line Break, and 4) Steam Generator (SG) Tube Rupture.
7B.2.1.2 Safe Shutdown (Hot Standby). The state of the plant in which the reactor is subcritical such that Keff is less than or equal to 0.99 and the RCS temperature is greater than or equal to 350°F.
7B.2.1.3 Cold Shutdown. The state of the plant in which the reactor is subcritical such that Keff is less than or equal to 0.99, the RCS temperature is less than 200°F, and the RCS pressure is less than or equal to 10CFR50 Appendix G limits.
7B.2.1.4 Controlled Condition. The condition that is achieved when the plant has been stabilized using the ORGs, the recovery procedures are being implemented, and the critical safety functions are being accomplished or maintained by the control room operator.
7B.2.1.5 Critical Safety Functions. Those safety functions that are essential to prevent a direct and immediate threat to the health and safety of the public. These are the accomplishing or maintaining of:
: 1. Subcriticality
: 2. Reactor core cooling
: 3. Heat sink maintenance
: 4. RCS integrity
: 5. Containment environment
: 6. RCS inventory
7B.2.1.6 Immediately Accessible Information. Information that is visually available to the control room operator, or is accessible through the execution of the EOPs.
7B.2.1.7 Primary Information. Information that is essential for the direct accomplishment of the preplanned manual actions specified in the ERGs; it does not include those variables that are associated with contingency actions.
7B.2.1.8 Key Variables. Those variables which provide the most direct measure of the information required.
7B.2.1.9 Backup Information. Backup information is that information, made up of additional variables beyond those classified as key, that provides supplemental and/or confirmatory information to the operator. Backup variables do not provide an indication which is as reliable or complete as that provided by primary variables, and they should not be relied upon as the sole source of information. Those backup variables which should be first consulted by the operator are designated as preferred backup variables.
7B.2.2 Variable Functions
The accident monitoring variables and information display channels are those that are required to enable the control room operating staff to perform the functions defined by Types A, B, C, D, and E below.
7B.2.2.1 Type A. Type A variables are those that provide the primary information required to permit the control room operating staff to:
: 1. Perform the diagnosis specified in WOG ERGs
: 2. Take the specified preplanned, manually controlled actions for which no automatic control is provided that are required for safety systems to accomplish their safety function in order to recover from the DBA event, and
: 3. Reach and maintain a safe shutdown condition.
The verification of the actuation of safety systems has been excluded from the definition of Type A.
The variables which provide this verification are included in the definition of Type D.
Variables in Type A are restricted to preplanned actions for DBA events.
7B.2.2.2 Type B. Type B variables are those variables that provide to the control room operating staff information to assess the process of accomplishing or maintaining critical safety functions; i.e., subcriticality, reactor core cooling, heat sink maintenance, RCS integrity, Containment environment, and RCS inventory. The WOG contingency guidelines which go beyond the design basis were reviewed for additional variables which may be utilized as variable types B, C, D, and E.
7B.2.2.3 Type C. Type C variables are those variables that provide the control room operating staff information (1) to monitor the extent to which variables which indicate the potential for causing a significant breach of a fission product barrier have exceeded the design basis values and (2) that the fuel clad, the reactor coolant system pressure boundary (RCPB), or the reactor Containment may have been subject to significant breach. Excluded are those associated with monitoring of radiological release from the plant which are included in Type E.
Type C variables used to monitor the potential for breach of a fission product barrier have an arbitrarily-determined, extended range. The extended range is chosen to minimize the probability of instrument saturation even if conditions exceed those predicted by the safety analyses.
7B.2.2.4 Type D. Type D variables are those variables that provide to the control room operating staff sufficient information to monitor the performance of:
: 1. Plant safety systems employed for mitigating the consequences of an accident and subsequent plant recovery to attain a safe shutdown condition.  (These include verification of the automatic actuation of safety systems).
: 2. Systems normally employed for attaining a cold shutdown condition.
7B.2.2.5 Type E. Type E variables are those variables that provide to the control room operating staff information to:
: 1. Monitor the habitability of the control room, 
: 2. Monitor plant areas where access may be required to service equipment necessary to monitor the progress of, or mitigate the consequences of, an accident, 
: 3. Estimate the magnitude of release of radioactive materials through identified pathways, and continually assess such releases, and
: 4. Monitor radiation levels and radioactivity in the environment surrounding the plant  (via portable monitors).
7B.3 CRITERIA
7B.3.1 General Requirements
The following design and qualification criteria are applied to instrumentation for Type A, B, C, D, and E variables. These are summarized in Tables 7B.3-1 and 7B.3-2.
7B.3.2 Equipment Design and Qualification Criteria. The qualification requirements of the Type A, B, C, D, and E accident monitoring instrumentation are subdivided into three categories (1, 2, 3). Descriptions of the three categories are given below. Table 7B.3-2 briefly summarizes the design and qualification requirements of the three designated categories.
7B.3.2.1 Design and Qualification Criteria - Category 1.
7B.3.2.1.1 Selection Criteria - Category 1: The selection criteria for Category 1 variables have been subdivided according to the variable type. For Type A, those key variables used for diagnosis or providing information for necessary operator action have been designated Category 1. For Type B, those key variables which are used for monitoring the process of accomplishing or maintaining critical safety functions have been designated Category 1. For Type C, those key variables which are used for monitoring the potential for breach of a fission product barrier have been designated Category 1.
7B.3.2.1.2 Qualification Criteria - Category 1: The instrumentation is seismically and environmentally qualified as discussed in Sections 3.10 and 3.11, respectively. Instrumentation continues to read within the required accuracy following but not necessarily during a seismic event. At least one instrumentation channel is qualified from sensor to display. For the balance of instrumentation channels, qualification applies up to and including the channel isolation device. (Refer to Section 7B.3.3 in regard to extended range instrumentation qualification).
7B.3.2.1.3 Design Criteria  - Category 1
: 1. No single failure within either the accident monitoring instrumentation, its auxiliary supporting features, or its power sources, concurrent with the failures that are a condition of or result from a specific accident, prevents the operator from being presented the required information. Where failure of one accident monitoring channel results in information ambiguity (e.g., the redundant displays disagree), additional information is provided to allow the operator to analyze the actual conditions in the plant. This is accomplished by providing additional independent channels of information of the same variable (addition of an identical channel), or by providing independent channels which monitor different variables which bear known relationships to the multiple channels (addition of a diverse channel(s)). Redundant or diverse channels are electrically independent and physically separated from each other, to the extent practicable with train separation, and from equipment not classified as safety-related in accordance with RG 1.75.
For situations such as isolation valves in series, the intent is generally to verify the isolation function. In such a situation a single indication on each valve is sufficient to satisfy the single failure criterion if those indications are from different trains (i.e., unambiguous indication of isolation).
If ambiguity does not result from failure of the channel, then a third redundant or diverse channel is not required.
: 2. The instrumentation is energized from station emergency standby power sources, battery backed where momentary interruption is not tolerable, as required by RG 1.32.
: 3. The out-of-service interval is based on normal Technical Specification requirements on out-of-service for the system it serves, where applicable or where specified by other requirements.
: 4. Servicing, testing, and calibration programs are specified to maintain the capability of the monitoring instrumentation. For those instruments where the required interval between testing is less than the normal time interval between generating station shutdowns, a capability for testing during power operation is provided.
: 5. Whenever means for removing channels from service are included in the design, the design facilitates administrative control of the access to such removal means.
: 6. The design facilitates administrative control of the access to setpoint adjustments, module calibration adjustments, and test points.
: 7. The monitoring instrumentation design utilizes human-factored displays to minimize indications potentially confusing to the operator.
: 8. The instrumentation is designed to facilitate the recognition, location, replacement, repair, or adjustment of malfunctioning components or modules.
: 9. To the extent practicable, monitoring instrumentation inputs are from sensors that directly measure the desired variables. An indirect measurement is made only when it can be shown by analysis to provide unambiguous information.
: 10. Periodic checking, testing, calibration, and calibration verification are in accordance with the applicable portions of RG 1.118.
: 11. The range selected for the instrumentation encompasses the expected operating range of the variable being monitored to the extent that saturation does not negate the required action of the instrument in accordance with the applicable portions of RG 1.105.
7B.3.2.1.4 Information Processing and Display Interface Criteria  - Category 1
: The interface criteria specified here provide requirements implemented in the establishment of the design basis for processing and displaying of the information. 
: 1. The operator has immediate access to the information from redundant or diverse channels in the units familiar to the operator (e.g., for a temperature reading, degrees, not volts). Where two or more instruments are needed to cover a particular range, overlapping of instrument spans is provided.
: 2. The QDPS provides control room indication via plasma display units which meet the Category 1 qualification requirements. Displays of Category 1 variables are immediately accessible to the operator via a single pushbutton action on the QDPS plasma display units. These variables will be displayed when needed by the operator through execution of the EOPs. The information displayed on the plasma display units is the single "most probable value" based on automated signal limit checks and redundant sensor algorithms, which relieve the operator of the burden of valid data selection. Individual sensor values are available on lower level displays.
: 3. In addition to the QDPS plasma display units, seismically qualified recorders provide continuous indication and a historical record for at least one channel of each Category 1 variable. These recorders are located in the control room. A recorded pre-event history for these channels is required for a minimum of one hour and continuous recording of these channels is required following an accident until such time as continuous recording of such information is no longer deemed necessary. This recording is available when required, but need not be immediately accessible. One hour was selected based on a representative slow transient which is bounded by this time requirement. A one-half inch equivalent break area LOCA was selected since trip occurs at approximately 50 minutes after break initiation. Where direct and immediate trend or transient information is essential for operator information or action, the recording is immediately accessible.
7B.3.2.2 Design and Qualification Criteria - Category 2.
7B.3.2.2.1 Selection Criteria - Category 2: The selection criteria for Category 2 variables are subdivided according to the variable type. For Types A, B, and C, those variables which provide preferred backup information are designated Category 2. For Type D, those key variables that are used for monitoring the performance of safety systems are designated Category 2. For Type E, those key variables to be monitored for use in determining the magnitude of the release of radioactive materials and for continuously assessing such releases are designated Category 2.
7B.3.2.2.2 Qualification Criteria - Category 2: Category 2 instrumentation is qualified from the sensor up to and including the channel isolation device for at least the environment (seismic and/or environmental) in which it must operate to serve its intended function. The instrumentation is seismically and environmentally qualified as discussed in Section 3.10 and 3.11 respectively. Instrumentation associated with those safety-related systems that are required to operate following a Safe Shutdown Earthquake (SSE) to mitigate a consequential plant incident is seismically qualified in accordance with Institute of Electrical and Electronics Engineers (IEEE) 344-1975.
7B.3.2.2.3 Design Criteria  - Category 2
: 1. Category 2 instrumentation associated with those safety-related systems that are required to operate following an SSE to mitigate a consequential plant incident is energized from a highly reliable power source, not necessarily the emergency standby power, which is battery-backed where momentary interruption is not tolerable.
: 2. The out-of-service interval is based on normal Technical Specification requirements on out-of-service for the system it serves, where applicable or where specified by other requirements.
: 3. Servicing, testing, and calibration programs are specified to maintain the capability of the monitoring instrumentation. For those instruments where the required interval between testing is less than the normal time interval between generating station shutdowns, a capability for testing during power operation is provided.
: 4. Whenever means for removing channels from service are included in the design, the design facilitates administrative control of the access to such removal means.
: 5. The design facilitates administrative control of the access to setpoint adjustments, module calibration adjustments, and test points.
: 6. The monitoring instrumentation design utilizes human-factored displays to minimize indications potentially confusing to the operator.
: 7. The instrumentation is designed to facilitate the recognition, location, replacement, repair, or adjustment of malfunctioning components or modules.
: 8. To the extent practicable, monitoring instrumentation inputs are from sensors that directly measure the desired variables. An indirect measurement is made only when it can be shown by analysis to provide unambiguous information.
: 9. Periodic checking, testing, calibration, and calibration verification are in accordance with applicable portions of RG 1.118.
: 10. The range selected for the instrumentation encompasses the expected operating range of the variable being monitored to the extent that saturation does not negate the required action of the instrument in accordance with the applicable portions of RG 1.105.
7B.3.2.2.4 Information Processing and Display, Interface Criteria - Category 2
: The interface criteria specified here provide requirements considered in the establishment of the design basis for processing and displaying of the information.
The instrumentation signal is, as a minimum, processed for display on demand. Recording requirements are variable specific and are determined on a case-by-case basis.
7B.3.2.3 Design and Qualification Criteria - Category 3.
7B.3.2.3.1 Selection Criteria - Category 3: The selection criteria for Category 3 variables have been subdivided according to the variable type. For Types B and C, those variables which provide backup information are designated Category 3. For Types D and E, those variables which provide preferred backup information have been designated Category 3.
7B.3.2.3.2 Qualification Criteria - Category 3: The instrumentation is high quality commercial grade which is not required to provide information when exposed to a post-accident adverse environment. Only normal and abnormal environments, as defined in Section 3.11, are applicable.
7B.3.2.3.3 Design Criteria - Category 3
: 1. Servicing, testing, and calibration programs are specified to maintain the capability of the monitoring instrumentation. For those instruments where the required interval between testing is less than the normal time interval between generating station shutdowns, a capability for testing during power operation is provided.
: 2. Whenever means for removing channels from service are included in the design, the design facilitates administrative control of the access to such removal means.
: 3. The design facilitates administrative control of the access to setpoint adjustments, module calibration adjustments, and test points.
: 4. The monitoring instrumentation utilizes human-factored displays to minimize indications potentially confusing to the operator.
: 5. The instrumentation is designed to facilitate the recognition, location, replacement, repair, or adjustment of malfunctioning components or modules.
: 6. To the extent practicable, monitoring instrumentation inputs are from sensors that directly measure the desired variables. An indirect measurement is made only when it can be shown by analysis to provide unambiguous information.
7B.3.2.3.4 Information Processing Display, Interface Criteria - Category 3
: The interface criteria specified here provide requirements considered in the establishment of the design basis for processing and displaying of the information.
The instrumentation signal is, as a minimum, processed for display on demand. Recording requirements are variable specific and are determined on a case-by-case basis.
7B.3.3 Extended Range Instrumentation Qualification Criteria
The qualification environment for extended range information display channel components is based on the DBA events, except the assumed maximum of the value of the monitored variable is the value equal to the specified maximum range for the variable. The monitored variable is assumed to approach this peak by extrapolating the most severe initial ramp associated with the DBA events. The decay for this variable is considered proportional to the decay for this variable associated with the DBA events. No additional qualification margin needs to be added to the extended range variable. The environmental envelopes, except those pertaining to the variable measured by the information display channel, are those associated with the DBA events. The environmental qualification requirement for extended range equipment does not account for steady-state elevated levels that may occur in other environmental parameters associated with the extended range variable. For example, a sensor measuring Containment pressure must be qualified for the measured process variable range (i.e., 3 times design pressure for concrete Containments), but the corresponding ambient temperature is not mechanistically linked to that pressure. Rather, the ambient temperature value is the bounding value for DBA events analyzed in Chapter 15. The extended range requirement is to ensure that the equipment will continue to provide information if conditions degrade beyond those postulated in the safety analysis. Since extended variable ranges are nonmechanistically determined, extension of associated parameter levels is not justifiable and is therefore not required.
7B.4 TYPE A VARIABLES
7B.4.1 Introduction
Type A variables are defined in Section 7B.2.2.1. They are the variables which provide primary information required to permit the control room operating staff to:
: 1. Perform the diagnosis specified in the WOG ERGs 
: 2. Take specified preplanned manually controlled actions for which no automatic control is provided, that are required for safety systems to accomplish their safety function to recover from the DBA event (Verification of actuation of safety systems is excluded from Type A and is included as Type D)
: 3. Reach and maintain a safe shutdown condition
Key Type A variables have been designated Category 1. These are the variables which provide the most direct measure of the information required.
No Type A variables have been designated Category 2 or 3.
The Type A variables are listed in Table 7B.4-1.
7B.5 TYPE B VARIABLES
7B.5.1 Introduction
Type B variables are defined in Section 7B.2.2.2. They are the variables that provide to the control room operating staff information to assess the process of accomplishing or maintaining critical safety functions, i.e.,
: 1. Subcriticality
: 2. Reactor Core Cooling
: 3. Heat Sink Maintenance 
: 4. Reactor Coolant System Integrity 
: 5. Containment Environment 
: 6. Reactor Coolant System Inventory
Variables which provide the most direct indication (i.e., key variables) to assess each of the 6 critical safety functions have been designated Category 1. Preferred backup variables have been designated Category 2. These are listed in Table 7B.5-1.
All other backup variable s have been designated Category 3. 
7B.6 TYPE C VARIABLES
7B.6.1 Introduction
Type C variables are defined in Section 7B.2.2.3. Basically, they are the variables that provide to the control room operating staff information to monitor the potential for breach or actual significant breach of:
: 1. Fuel Clad
: 2. Reactor Coolant System Boundary
: 3. Containment Boundary
(Variables associated with monitoring of radiological release from the plant are included in Type E.)
Those Type C key variables which provide the most direct measure of the potential for breach of one of the 3 fission product boundaries have been designated Category 1. Backup information indicating potential for breach is designated Category 2. Variables which indicate actual breach have been designated as preferred backup information and have been designated Category 2. All other backup variables have been designated Category 3.
Table 7B.6-1 summarizes the selection of Type C variables.
7B.7 TYPE D VARIABLES
7B.7.1 Introduction
Type D variables are defined in Section 7B.2.2.4. Basically, they are those variables that provide sufficient information to the control room operating staff to monitor the performance of:
: 1. Plant safety systems employed for mitigating the consequences of an accident and subsequent plant recovery to attain a safe shutdown condition, including verification of the automatic actuation of safety systems
: 2. Other systems normally employed for attaining a cold shutdown condition
Type D key variables are designated Category 2. Preferred backup information is designated Type D Category 3.
The following systems have been identified as requiring Type D information to be monitored:
: 1. Pressurizer Level and Pressure Control (assess status of RCS following return to normal pressure and level control under certain post-accident conditions)
: 2. Chemical and Volume Control System (CVCS) (normally employed for attaining a safe shutdown under certain post-accident conditions)
: 3. Secondary Pressure and Level Control (employed for restoring/maintaining a secondary heat sink under post-accident conditions)
: 4. Emergency Core Cooling System (ECCS) 
: 5. Auxiliary Feedwater System (AFWS)
: 6. Containment Systems 
: 7. Component Cooling Water System (CCWS) 
: 8. Essential Cooling Water System (ECWS) 
: 9. Residual Heat Removal System (RHR) (normally employed for attaining a cold shutdown condition)
: 10. Heating, ventilation, and air conditioning (HVAC) if required for Engineered Safety Features (ESF) operation
: 11. Electric power to vital safety systems 
: 12. Verification of automatic actuation of safety systems 
Table 7B.7-1 lists the key variables identified for each system listed above. Table 7.5-1 specifies the seismic and environmental qualification for each variable. 
For purposes of specifying seismic qualification for Type D Category 2 variables, it is assumed that a seismic event and a break in Category I piping will not occur concurrently. As a result, the limiting event is an unisolated break in non-Category I main steam piping (single failure of main steam isolation valve (MSIV)). Instrumentation associated with the safety systems which are required to mitigate and monitor this event should be seismically qualified instrumentation. Similarly, the environmental qualification for Type D Category 2 variables depends on whether the instrumentation is subject to a high energy line break (HELB) when required to provide information.
7B.8 TYPE E VARIABLES
7B.8.1 Introduction
Type E variables are defined in Section 7B.2.2.5. They are those variables that provide the control room operating staff with information to:
: 1. Monitor the habitability of control room
: 2. Monitor plant areas where access may be required to service equipment necessary to monitor or mitigate the consequences of an accident
: 3. Estimate the magnitude of release of radioactive materials through identified pathways and continually assess such releases
: 4. Monitor radiation levels and radioactivity in the environment surrounding the plant (via portable monitors)
Key Type E variables are qualified to Category 2 requirements. Preferred backup Type E variables are qualified to Category 3 requirements.
Table 7B.8-1 lists the Type E variables.
TABLE 7B.1-1 NUREG-0737 CONFORMANCE
Applicable Section of NUREG-0737: Variable
: I.D.2: Emergency Response Facilities Data Acquisition and Display System (ERFDADS)
: II.D.3: Pressurizer Power-Operated Relief Valves and Safety Valve Status
: I.E.1.2: Auxiliary Feedwater Flow
: II.F.1 Attachment 1: Unit Vent Steamline Radiation
: II.F.1 Attachment 2: Unit Vent Sample
: II.F.1 Attachment 3: Containment Radiation
: II.F.1 Attachment 4: Containment Pressure (Extended Range)
: II.F.1 Attachment 5: Containment Water Level (Wide Range and Narrow Range)
: II.F.1 Attachment 6: Containment H2 Concentration
: II.F.2: Core Exit Temperature; Reactor Vessel Water Level; RCS Subcooling
: II.K.1.5: Emergency Core Cooling System and Other Systems Valve Status
TABLE 7B.3-1
SUMMARY OF SELECTION CRITERIA

Type A
: Category 1: KEY variables that are used for diagnosis or providing information for necessary operator action.
: Category 2: Variables which provide PREFERRED BACKUP information.
: Category 3: None

Type B
: Category 1: KEY variables that are used for monitoring the process of accomplishing or maintaining critical safety functions.
: Category 2: Variables which provide PREFERRED BACKUP information.
: Category 3: Variables which provide BACKUP information.

Type C
: Category 1: Key variables that are used for monitoring the potential breach of a fission product barrier.
: Category 2: Variables which provide PREFERRED BACKUP information.
: Category 3: Variables which provide BACKUP information.

Type D
: Category 1: None
: Category 2: KEY variables which are used for monitoring the performance of plant systems used to attain a controlled plant condition or a safe shutdown condition.
: Category 3: Variables which provide PREFERRED BACKUP information for use in monitoring the performance of plant systems used to attain a controlled plant condition or a safe shutdown condition.

Type E
: Category 1: None
: Category 2: KEY variables to be monitored for use in determining the magnitude of the release of radioactive materials and for continuously assessing such releases.
: Category 3: Variables to be monitored which provide PREFERRED BACKUP information for use in determining the magnitude of the release of radioactive materials and for continuously assessing such releases.
TABLE 7B.3-2
SUMMARY OF DESIGN, QUALIFICATION, AND INTERFACE REQUIREMENTS

Qualification
: Environmental: Category 1 - Yes; Category 2 - As appropriate(1); Category 3 - No
: Seismic: Category 1 - Yes; Category 2 - As appropriate(1); Category 3 - No

Design
: Single Failure: Category 1 - Yes; Category 2 - No; Category 3 - No
: Power Supply: Category 1 - Emergency Standby; Category 2 - Reliable; Category 3 - As Required
: Channel out of Service: Category 1 - Technical Specifications; Category 2 - Technical Specifications; Category 3 - No
: Testability: Category 1 - Yes; Category 2 - Yes; Category 3 - As Required

Interface
: Minimum Indication: Category 1 - Immediately Accessible; Category 2 - Demand; Category 3 - Demand
: Recording: Category 1 - Yes; Category 2 - As Required; Category 3 - As Required

Quality Assurance Program Requirements: Category 1 - 10CFR50 Appendix B; Category 2 - Note 2; Category 3 - Not Applicable

Notes:
: 1. Category 2 instrumentation shall be qualified from the sensor up to and including the channel isolation device for at least the environment (seismic and/or environmental) in which it must operate to serve its intended function. (See seismic and environmental qualification discussed in Sections 3.10 and 3.11, respectively.)
: 2. The quality assurance requirements that are implemented should provide control over activities affecting quality to an extent consistent with the importance to safety of the instrumentation.
TABLE 7B.4-1
SUMMARY OF TYPE A VARIABLES
Variable - Category
: 1. RCS Pressure (Wide Range) - A1
: 2. Hot Leg Reactor Coolant Temperature (Wide Range T hot) - A1
: 3. Cold Leg Reactor Coolant Temperature (Wide Range T cold) - A1
: 4. Wide Range Steam Generator Water Level - A1
: 5. Narrow Range Steam Generator Water Level - A1
: 6. Pressurizer Water Level - A1
: 7. Containment Pressure - A1
: 8. Steamline Pressure - A1
: 9. Refueling Water Storage Tank Water Level - A1
: 10. Containment Water Level (Wide Range) - A1
: 11. Containment Water Level (Narrow Range) - A1
: 12. Auxiliary Feedwater Storage Tank Water Level - A1
: 13. Auxiliary Feedwater Flow - A1
: 14. High Range Containment Radiation Level - A1
: 15. Reactor Coolant System Pressure (Extended Range) - A1
: 16. Steam Generator Blowdown Radiation Level - A1
: 17. Steamline Radiation Level - A1
: 18. Core Exit Temperature - A1
: 19. Reactor Coolant System Subcooling - A1

TABLE 7B.5-1
SUMMARY OF TYPE B VARIABLES
Variable - Category

Subcriticality
: Key:
:: a. Neutron Flux (Extended Range) - B1
:: b. Neutron Flux Startup Rate - B1
: Preferred Backup:
:: a. Wide Range T hot - B2
:: b. Wide Range T cold - B2
:: c. RCS Soluble Boron Concentration - B3

Reactor Core Cooling
: Key:
:: a. Core Exit Temperature - B1
:: b. Reactor Vessel Water Level - B1
:: c. RCS Subcooling - B1
:: d. AFST Water Level - B1
:: e. RWST Water Level - B1
: Preferred Backup:
:: a. Wide Range T hot - B2
:: b. Wide Range T cold - B2
:: c. RCS Pressure (Wide Range) - B2

Heat Sink Maintenance
: Key:
:: a. Narrow Range SG Water Level - B1
:: b. Wide Range SG Water Level - B1
:: c. Auxiliary Feedwater Flow - B1
:: d. AFST Water Level - B1
:: e. Steamline Pressure - B1
:: f. Core Exit Temperature - B1
:: g. Wide Range T hot - B1
:: h. Wide Range T cold - B1
: Preferred Backup:
:: a. Main Steamline Isolation Valve Status - B2
:: b. Main Steamline Bypass Valve Status - B2

Reactor Coolant System Integrity
: Key:
:: a. RCS Pressure (Wide Range) - B1
:: b. RCS Pressure (Extended Range) - B1
: Preferred Backup:
:: a. Containment Pressure - B2
:: b. High Range Containment Radiation Level - B2
:: c. Narrow Range SG Water Level - B2
:: d. SG Blowdown Radiation Level - B2
:: e. Steamline Radiation Level - B2
:: f. Pressurizer PORV Status - B2
:: g. Pressurizer Safety Valve Status - B2

Containment Environment
: Key:
:: a. Containment Pressure - B1
:: b. High Range Containment Radiation Level - B1
:: c. Containment Water Level (Wide Range) - B1
: Preferred Backup: None
: Backup:
:: a. Containment Hydrogen Concentration - B3
CN-3003

Reactor Coolant System Inventory
: Key:
:: a. Pressurizer Water Level - B1
:: b. Reactor Vessel Water Level - B1
: Preferred Backup:
:: a. Containment Water Level (Wide Range) - B2
:: b. Containment Water Level (Narrow Range) - B2
:: c. Wide Range Steam Generator Water Level - B2

Note:
* Per Reference 7.5-2, the hydrogen monitors can be classified as Category 3.
TABLE 7B.6-1
SUMMARY OF TYPE C VARIABLES
Columns: Potential for Breach, Category, Actual Breach, Category

Incore Fuel Clad
: Key: Core Exit Temperature - C1
: Backup: RCS Sampling (Primary Coolant Activity) - C3
: Preferred Backup: Reactor Vessel Water Level - C2

RCS Boundary
: Key: RCS Pressure (Extended Range) - C1; RCS Pressure (Wide Range) - C1
: Preferred Backup:
:: RCS Pressure (Wide Range) - C2
:: Containment Pressure - C2
:: Containment Water Level (Wide Range) - C2
:: Containment Water Level (Narrow Range) - C2
:: Steamline Radiation Level - C2
:: SG Blowdown Radiation Level - C2
:: High Range Containment Radiation Level - C2
: Backup: Condenser Vacuum Pump Discharge Radiation Level - C3

Containment Boundary
: Key: Containment Pressure (Extended Range) - C1
: Preferred Backup: Unit Vent Radiation Level - C2
: Containment Pressure - C1
: Fuel Handling Building Exhaust Radiation Level - C2
: Backup: Containment Hydrogen Concentration - C3
: Containment Isolation Valve Status - C2
: Containment Pressure (Extended Range) - C2
: Backup: Site Environmental Radiation Level (Portable Monitoring) - C3
: Adjacent Building Area Radiation Level - C3

CN-3003

Note:
* Per letter AE-NOC-04001311, the hydrogen monitors can be classified as Category 3.
TABLE 7B.7-1
SUMMARY OF TYPE D VARIABLES
System Designation: Variable - Category

1. Pressurizer Level and Pressure Control
: Pressurizer PORV Status - D2
: Pressurizer PORV Block Valve Status - D2
: Pressurizer Safety Valve Status - D2
: Pressurizer Spray Valve Status - D2
: Pressurizer Heater Breaker Position - D2
: Pressurizer Water Level - D2
: Reactor Vessel Water Level - D2
: RCS Pressure (Wide Range) - D2
: Pressurizer Pressure - D2
: RCP Status - D2
: Quench Tank Level - D3
: Quench Tank Temperature - D3
: Quench Tank Pressure - D3
: RCP Motor Current - D3

2. Chemical Volume and Control
: Charging Flow - D2
: Letdown Flow - D2
: VCT Water Level - D2
: RCP Seal Injection Flow - D2
: Valve Status - D2
: Charging Pump Status - D2
: BAT Pump Status - D2

3. Secondary Pressure and Level Control
: SG PORV Status - D2
: Main Steam line Isolation Valve Status - D2
: Main Steam line Bypass Valve Status - D2
: SG Safety Valve Status - D2
: Steamline Pressure - D2
: MFW Control Valve Status - D2
: MFW Control Bypass Valve Status - D2
: MFW Isolation Status - D2
: MFW Isolation Bypass Status - D2
: MFW Flow - D3
: Auxiliary Feedwater Flow - D2
: SG Water Level (Wide Range and Narrow Range) - D2
: SG Blowdown Isolation Valve Status - D2
: SG Blowdown Sample Isolation Valve Status - D2

4. Emergency Core Cooling
: RWST Water Level - D2
: HHSI Flow - D2
: LHSI Flow - D2
: Containment Water Level (Wide Range and Narrow Range) - D2
: Pump and Valve Status - D2
: Accumulator Pressure - D2
: Accumulator Tank Level - D3
: Accumulator Isolation Valve Position - D2

5. Auxiliary Feedwater
: Auxiliary Feedwater Flow - D2
: Pump and Valve Status - D2
: Auxiliary Feedwater Storage Tank Water Level - D2

6. Containment Systems
: Containment Spray Flow - D2
: Containment Water Level (Wide Range and Narrow Range) - D2
: Spray System Pump and Valve Status - D2
: Reactor Containment Fan Cooler Status
:: Fan Status - D2
:: Differential Pressure (Backup) - D3
: Containment Pressure - D2
: Containment Isolation Valve Status - D2
: Containment Ventilation Valve Status - D2
: Containment Atmospheric Temperature - D3
: RHR Heat Exchanger Inlet Temperature - D3

7. Component Cooling Water
: Pump Discharge Pressure - D2
: Header Temperature - D2
: Surge Tank Water Level - D2
: Flow to ESF Components - D2
: Pump and Valve Status - D2

8. Essential Cooling Water
: Flow to ESF Components - D2
: Pump and Valve Status - D2

9. Residual Heat Removal
: Heat Exchanger Discharge Temperature - D2
: Flow - D2
: Pump and Valve Status - D2
: RCS Pressure (Wide Range) - D2

10. Heating, Ventilation, and Air Conditioning
: ESF Environment Temperature - D2
: ESF Cubicle Fan/Cooler Status - D2
: Emergency Ventilation Damper Position - D2

11. Electric Power
: Standby Power and Emergency Source Status - D2
: Other Safety-Related Energy Sources - D2

12. Verification of Automatic Actuation of Safety Systems
: Reactor Trip Breaker Position - D2
: Turbine Governor Valve Position - D2
: Turbine Stop Valve Position - D2
: Auxiliary Feedwater Pump Status (turbine) - D2
: Auxiliary Feedwater Pump Status (motor driven) - D2
: SI Pump and Valve Status - D2
: CCW Pump and Valve Status - D2
: ECW Pump and Valve Status - D2
: Containment Spray Pump and Valve Status - D2
: Neutron Flux (Extended Range) - D2
: Neutron Flux Startup Rate - D2
: Containment Isolation Valve Status - D2
: Containment Ventilation Valve Status - D2
: Reactor Containment Fan Cooler Status
:: Fan Status - D2
:: Differential Pressure (Backup) - D3
: SI Actuation Status - D2
: Containment Isolation Actuation Status - D2
: Control Rod Position Indication (Backup) - D3

13. Liquid Waste
: Radioactive Liquid Tank Levels - D3

TABLE 7B.8-1
SUMMARY OF TYPE E VARIABLES
Variable - Category

1. Control Room Habitability
: Control Room Radiation Level
:: Intake Air - E2
:: Area - E3

2. Post-Accident Access Area Radiation
: Post-Accident Sampling Station - E3*
: Technical Support Center - E3*
: Emergency Operations Center - E3*
: Unit Vent Monitoring Station - E3*

3. Release Pathways
: High Range Containment Radiation Level - E2
: Steam Line Radiation Level & Relief Valve Status - E2
: Unit Vent Radiation Level and Vent Flow - E2
: FHB Exhaust Radiation Level - E2
: Containment Sump & Atmospheric Sampling - E3
: Liquid Radwaste Radiation Level & Valve Status - E2
: Liquid Radwaste Flow Rate - E3

4. Site Environmental Radiation Level
: Area Monitors (Portable) - E3*
: Meteorological Parameters - E3*

* Category 3 per Regulatory Guide 1.97, Revision 3}}

Latest revision as of 04:18, 2 February 2019

Revision 18 to Updated Safety Analysis Report, Chapter 7, Instrumentation and Controls
ML16207A551
Site: South Texas
Issue date: 04/28/2016
From: South Texas
To: Office of Nuclear Reactor Regulation
Shared Package: ML16207A547
References: NOC-AE-16003371


Text

7.0 INSTRUMENTATION AND CONTROLS

7.1 INTRODUCTION

This chapter presents the various plant instrumentation and control systems by relating the functional performance requirements, design bases, system descriptions, design evaluations, and tests and inspections for each. The information provided in this chapter emphasizes those instruments and associated equipment which constitute the protection system as defined in Institute of Electrical and Electronic Engineers (IEEE) 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations".

The primary purpose of the instrumentation and control systems is to provide automatic protection and exercise proper control against unsafe and improper reactor operation during steady-state and transient power operations (American Nuclear Society [ANS] Conditions I, II, III) and to provide initiating signals to mitigate the consequences of faulted conditions (ANS Condition IV). ANS conditions are discussed in Chapter 15. Consequently, the information presented in this chapter emphasizes those instrumentation and control systems which are central to assuring that the reactor can be operated to produce power in a manner that ensures no undue risk to the health and safety of the public. Specific system purposes are discussed in the applicable Chapter 7 Sections.

It is shown that the applicable criteria and codes, such as Nuclear Regulatory Commission (NRC) General Design Criteria (GDC) and IEEE standards, concerned with the safe generation of nuclear power are met by these systems. (See Table 7.1-1 for a listing of applicable criteria specifically discussed in various sections and Figure 7.1-1 for instrumentation and controls identification of applicable safety criteria).

Definitions

Terminology used in this chapter is based on the definitions given in IEEE 279-1971. In addition, the following definitions apply:

1. Degree of Redundancy - The difference between the number of channels monitoring a variable and the number of channels which, when tripped, will cause an automatic system trip.

2. Minimum Degree of Redundancy - The degree of redundancy below which operation is prohibited or otherwise restricted by the Technical Specifications.

3. Cold Shutdown Condition - When the reactor is subcritical by at least 1 percent Δk/k, and Tavg is <200°F.

4. Hot Shutdown Condition - When the reactor is subcritical by an amount greater than or equal to the margin to be specified in the applicable Technical Specification, and Tavg is greater than or equal to the temperature specified in the applicable Technical Specification.

5. Phase A Containment Isolation - Closure of all nonessential process lines which penetrate Containment. This closure is automatically initiated by the safety injection (SI) signal (Section 6.2.4).

6. Phase B Containment Isolation - Closure of remaining process lines, initiated by Containment HI-3 pressure signal (process lines do not include Engineered Safety Feature [ESF] lines).

7. Protection System Response Times

a. Reactor Trip System (RTS) Response Time - The time delays are defined as the time required for the reactor trip to be initiated (i.e., the time the rods are free and begin to fall) following a step change in the variable being monitored from 5 percent below (or above) to 5 percent above (or below) the trip setpoint.

b. ESF Actuation System (ESFAS) Response Time - The interval required for the ESF sequence to be initiated subsequent to the point in time that the appropriate variable(s) exceed setpoints. The response time includes sensor/process (analog) and logic (digital) delay.

Times required for standby diesel generator startup and loading (as applicable) and equipment response times are not included in the protection system response times. These times are, however, considered in the accident analyses discussed in Chapters 6 and 15.

8. Reproducibility - Scientific Apparatus Manufacturers Association (SAMA) Standard PMC-20.1-1973, "Process Measurement and Control Terminology", defines reproducibility as "the closeness of agreement among repeated measurements of the output for the same value of input, under normal operating conditions over a period of time, approaching from both directions". It includes drift due to environmental effects, hysteresis, long-term drift, and repeatability. Long-term drift (aging of components, etc.) is not an important factor in accuracy requirements since, in general, the drift is not significant with respect to the time elapsed between testing. Therefore, long-term drift may be eliminated from this definition. Reproducibility, in most cases, is a part of the definition of accuracy (see below).

9. Accuracy - An accuracy statement for a device falls under Note 2 of the SAMA Standard PMC-20.1-1973 definition of accuracy, which means reference accuracy or the accuracy of that device at reference operating conditions: "Reference accuracy includes conformity, hysteresis and repeatability". To adequately define the accuracy of a system, the term "reproducibility" is useful as it covers normal operating conditions. The terms "trip accuracy", "indicated accuracy", etc., then include conformity and reproducibility under normal operating conditions. Where the final result does not have to conform to an actual process variable but is related to another value established by testing, conformity may be eliminated, and the term "reproducibility" may be substituted for "accuracy".
10. Normal Operating Conditions - For the South Texas Project Electric Generating Station (STPEGS) Updated Final Safety Analysis Report (UFSAR), these conditions cover all normal process temperature and pressure changes. Also included are ambient temperature changes around the transmitter and racks. This document includes no accuracies under post-accident conditions.

11. Readout Devices - For consistency, the final device of a complete channel is considered a readout device. This includes indicators, recorders, and controllers.

12. Channel Accuracy - This definition includes accuracy of primary element, transmitter, and rack modules. It does not include readout devices or rack environmental effects, but does include process and environmental effects on field-mounted hardware.

13. Indicated and/or Recorded Accuracy - This definition includes channel accuracy, accuracy of readout devices, and rack environmental effects.

14. Trip Accuracy - This definition includes comparator accuracy, channel accuracy for each input, and rack environmental effects. This is the tolerance, expressed in process terms (or percent of span), within which the complete channel must perform its intended trip function.

This includes all instrument errors but no process effects such as streaming. The term "actuation accuracy" may be used where the word "trip" might cause confusion (for example, when starting pumps and other equipment).

15. Control Accuracy - This definition includes channel accuracy, accuracy of readout devices (isolator, controller), and rack environmental effects. Where an isolator separates control and protection signals, the isolator accuracy is added to the channel accuracy to determine control accuracy, but credit is taken for tuning beyond this point; i.e., the accuracy of these modules (excluding controllers) is included in the original channel accuracy. Control accuracy is simply defined as the accuracy of the control signal in percent of the span of that signal. This includes gain changes where the control span is different from the span of the measured variable. Where controllers are involved, the control span is the input span of the controller.

No error is included for the time in which the system is in a non-steady-state condition.

7.1.1 Identification of Safety-Related Systems

Safety-related instrumentation and control systems and their supporting systems are those systems required to function to achieve the system response assumed in the safety evaluation and to assure:

1. The integrity of the reactor coolant pressure boundary (RCPB), or
2. The capability to shut down the reactor and maintain it in a safe shutdown condition, or
3. The capability to prevent or mitigate the consequences of accidents which could result in potential offsite radiation exposures comparable to the guideline exposures stated in 10CFR100.

7.1.1.1 Reactor Trip System. The RTS is described in Section 7.2. The equipment which provides the trip functions is identified and discussed in Section 7.2. Design bases for the RTS are given in Section 7.1.2.1. Figure 7.1-2 includes a single-line diagram of this system. The Solid-State Protection System (SSPS) cabinet layout is shown on Figure 7.1-3. A typical SSPS input relay bay is shown on Figure 7.1-4.

7.1.1.2 Engineered Safety Feature Actuation Systems. The ESF Actuation Systems are those instrumentation and control systems which are needed to actuate the equipment and systems required to mitigate the consequences of ANS Condition II, III, and IV faults (Chapter 15). The ESF and ESF support systems requiring ESFAS actuation are:

1. Standby diesel generators and ESF load sequencers
2. Emergency Core Cooling System (Safety Injection System)
3. Main steam line and feedwater isolation
4. Containment isolation (Phase A, Phase B and Containment Ventilation Isolation)
5. Containment heat removal (Reactor Containment Fan Coolers and Containment Spray System)
6. Electrical Auxiliary Building Main Area Heating, Ventilating, and Air Conditioning (HVAC) System
7. Electrical Penetration Space HVAC System
8. Fuel Handling Building HVAC Exhaust Subsystem
9. Control Room Envelope HVAC System
10. Auxiliary Feedwater System
11. Component Cooling Water System
12. Essential Cooling Water System
13. Essential Chilled Water System
14. Various HVAC equipment as required to support these ESF components and systems

The ESFAS are discussed in Section 7.3. Design bases for the ESFAS are given in Section 7.1.2.1.

A single-line diagram of the Westinghouse ESFAS is shown on Figure 7.1-2. The SSPS cabinet layout is shown on Figure 7.1-3.

Systems supporting the ESFAS are the Class 1E AC Power System and the Class 1E 125 vdc Power System. Both power systems are discussed in Chapter 8.

7.1.1.3 Systems Required for Safe Shutdown. Systems required for safe shutdown are defined as those essential for pressure and reactivity control, coolant inventory makeup, and removal of residual heat once the reactor has been brought to a subcritical condition.

Identification of the equipment and systems required for safe shutdown is provided in Section 7.4.

7.1.1.4 Safety-Related Display Instrumentation. Safety-related display instrumentation provides information to the operator to manually perform reactor trip, ESF actuation, post-accident monitoring or safe shutdown functions. Identification of the equipment and systems providing safety-related display instrumentation is provided in Section 7.5 and Appendix 7B.

7.1.1.5 All Other Instrumentation Systems Required for Safety. The systems required for safety, other than the RTS, the ESFAS, safe shutdown systems, and the safety-related display information are categorized as safety support systems. They are those systems and components which have a preventive role in reducing the effect of accidents. Single failures in these systems would not inhibit reactor trip, ESF actuation, or functions required for safe shutdown. The other systems and interlocks required for safety are:

1. Instrumentation and Control Power Supply System
2. Residual heat removal (RHR) isolation valve interlocks
3. Accumulator motor-operated valve interlocks
4. Interlocks for switchover from injection to recirculation
5. Refueling interlocks
6. Monitoring of combustible gas in Containment
7. Hot leg recirculation motor-operated valves
8. Interlocks for Reactor Coolant System (RCS) pressure control during low temperature operation
9. RHR pump low flow interlock
10. Volume Control Tank low-low level interlock
11. (Deleted)
12. Chemical and Volume Control System (CVCS) charging header low pressure interlock (to seal injection isolation valves)
13. Letdown stop valves interlock
14. Boric acid tanks low level interlock

Item 1 above is described in Sections 7.6.1 and 8.3. Item 5 is described in Section 9.1.4. The remaining items are described in Section 7.6.

7.1.1.6 Control Systems Not Required for Safety. Control systems not required for safety include automatic and manual systems with the primary purpose of normal load control, startup and shutdown of the power generating system. As shown in Section 7.7, malfunctions in these systems do not result in unsafe conditions.

7.1.1.7 Anticipated Transients Without Scram (ATWS) Mitigation System Actuation Circuitry (AMSAC). An AMSAC performs those mitigative functions required when an anticipated transient occurs but, due to a postulated common cause failure, a reactor trip is not obtained.

The AMSAC is independent of and diverse from the reactor trip system up to, but not including, the final actuation devices. The AMSAC is discussed in Section 7.8.

7.1.1.8 Plant Comparison. System functions for systems discussed in Chapter 7 are similar to those of the Comanche Peak systems. Functional comparison of the instrumentation and control systems is provided in Table 7.1-2.

7.1.1.9 Designer Identification. The instrumentation and control systems discussed in Chapter 7 are listed in Table 7.1-3 with an indication of the system designer and whether the system is safety-related.

7.1.1.10 Drawings. Instrumentation and control drawings required to perform a safety review are listed in Section 1.7. Certain logic drawings are also provided in the UFSAR where considered appropriate.

Control switch locations, when noted on these drawings, are indicated by panel number. Panels with numbers beginning with ZCP are located in the main control room. Panels with numbers beginning with ZLP are located outside the control room. In particular, the auxiliary shutdown panel (Section 7.4) is designated ZLP-100.

7.1.2 Identification of Safety Criteria

Section 7.1.2.1 gives design bases for the systems discussed in Section 7.1.1. Design bases for nonsafety-related systems are provided in the sections which describe the systems. Conservative considerations for instrument errors are included in the accident analyses presented in Chapter 15.

Functional requirements were developed on the basis of the results of the accident analyses, which utilized conservative assumptions and parameters. Functional requirements were used in designing these systems, and a preoperational testing program will verify the adequacy of the design.

Accuracies are given in Sections 7.2 and 7.3. Additional control system failures were evaluated and included in the response to UFSAR NRC Question 032.45.

The documents listed in Table 7.1-1 and on Figure 7.1-1 were considered in the design of the systems given in Section 7.1.1. In general, the scope of these documents is given in the document itself. This determines the systems or parts of systems to which the document is applicable. A discussion of compliance with each document for systems in its scope is provided in the referenced sections given in Table 7.1-1 for each criterion.

7.1.2.1 Design Bases.

7.1.2.1.1 Reactor Trip System: The RTS automatically prevents operation of the reactor in an unsafe condition by shutting down the reactor whenever the limits of safe operation are approached. The safe operating region is defined by several considerations, such as mechanical/hydraulic limitations on equipment and heat transfer phenomena. Reactor trip setpoints are given in the Technical Specifications.

The design requirements for the RTS are derived by analyses of plant operating and fault conditions where automatic rapid control rod insertion is necessary in order to prevent or limit core or RCPB damage. The design bases addressed in IEEE 279-1971 are discussed in Sections 7.2.1.2 and 7.2.2.2.3. The design limits specified by Westinghouse for the RTS are:

1. The minimum departure from nucleate boiling ratio (DNBR) shall not be less than the design basis limit as a result of any anticipated transient or malfunction (ANS Condition II faults).
2. Power density shall not exceed the rated linear power density for Condition II faults. See Chapter 4 for fuel design limits.
3. The stress limit of the RCS for the various conditions shall be as specified in Chapter 5.
4. Release of radioactive material shall not be sufficient to interrupt or restrict public use of those areas beyond the exclusion radius as a result of any ANS Condition III fault.
5. For any ANS Condition IV fault, release of radioactive material shall not result in undue risk to public health and safety.

7.1.2.1.2 Engineered Safety Feature Actuation Systems: The ESFASs act to mitigate the consequences of ANS Condition III events (infrequent faults such as primary coolant spillage from a small rupture which exceeds normal charging system makeup and requires actuation of the Safety Injection System [SIS]). The ESFASs act to mitigate ANS Condition IV events (limiting faults, which include the potential for significant release of radioactive material).

The design bases for the ESFAS are derived from the design bases for each of the ESF systems and support systems and from the accident analyses in Chapters 6 and 15. Design bases requirements of IEEE 279-1971 are addressed in Sections 7.3.1.2, 7.3.2.2, and 7.3.3.2. General design requirements are given below.

1. Automatic Actuation Requirements

The primary requirement of the ESFAS is to receive input signals (information) from the various ongoing processes within the reactor plant and Containment and to automatically provide, as output, timely and effective signals to actuate the various ESF components and systems.

2. Manual Actuation Requirements

The ESFASs have provisions in the control room for manually initiating appropriate ESF functions.

7.1.2.1.3 Instrumentation and Control Power Supply System: The Instrumentation and Control Power Supply System provides continuous, reliable, regulated, single-phase ac power to all instrumentation and control equipment required for plant safety. Details of this system are provided in Section 7.6. The design bases are given below:

1. The inverters have the capacity and regulation required for the AC output for proper operation of the equipment supplied.
2. Redundant loads are assigned to different instrument channels, which are supplied from different inverters.
3. Auxiliary devices that are required to operate dependent equipment are supplied from the same distribution panel to prevent a loss of electric power in one protection set from causing the loss of equipment in another protection set. No single failure may cause a loss of power supply to more than one instrument channel.
4. Each of the distribution panels has access only to its respective inverter supply and a standby power supply.
5. The system complies with IEEE 308-1974, Paragraph 5.4.

7.1.2.1.4 Emergency Power: Design bases and system descriptions for the emergency power supply are provided in Chapter 8.

7.1.2.1.5 Interlocks: Interlocks are discussed in Sections 7.2, 7.3, 7.6, and 7.7. The protection (P) interlocks are given in Tables 7.2-2 and 7.3-4. The safety analyses demonstrate that even under conservative critical conditions for either postulated or hypothetical accidents, the protective systems ensure that the Nuclear Steam Supply System (NSSS) will be put into and maintained in a safe state following an ANS Condition II, III, or IV accident commensurate with applicable Technical Specifications and pertinent ANS criteria. The protective systems have been designed to meet IEEE 279-1971 and are entirely redundant and separate, including all permissives and blocks. All blocks of protective function are automatically cleared whenever the protective function would be required in accordance with General Design Criteria (GDC) 20, 21, and 22 and IEEE 279-1971, Paragraphs 4.11, 4.12, and 4.13. Control (C) interlocks are identified in Table 7.7-1. Because control interlocks are not safety-related, they have not been specifically designed to meet the requirements of IEEE protection system standards.

7.1.2.1.6 Bypasses: Bypasses are designed to meet the requirements of IEEE 279-1971, Paragraphs 4.11, 4.12, 4.13, and 4.14. A discussion of the bypasses provided is given in Sections 7.2 and 7.3. The capability of bypass testing is provided for the 7300 Process Protection System Reactor Trip and Engineered Safety Features Actuation functions and Nuclear Instrumentation System Reactor Trip functions.

The Bypass Test Instrumentation that allows testing in a bypassed condition instead of a tripped condition conforms to applicable regulatory criteria including IEEE Std 279-1971 and Regulatory Guide 1.47. Additional information concerning test in bypass can be found in WCAP-15631.

7.1.2.1.7 Equipment Protection: The criteria for equipment protection are given in Chapter 3. Equipment related to safe operation of the plant is designed, constructed, and installed to protect it from damage. This is accomplished by working to accepted standards and criteria aimed at providing reliable instrumentation which is available under varying conditions. During construction, independence and separation are achieved, as required by IEEE 279-1971, IEEE 384-1974, and Regulatory Guide (RG) 1.75, either by barriers, physical separation, or demonstration test. This serves to protect against loss of function.

7.1.2.1.8 Diversity: Functional diversity has been designed into the system. Functional diversity is discussed in Reference 7.1-1. The extent of the diverse system variables has been evaluated for a wide variety of postulated accidents. Generally, two or more diverse protection functions would automatically terminate an accident before unacceptable consequences could occur.

Regarding the ESFAS for a Loss-of-Coolant Accident (LOCA), an SI signal can be obtained manually or by automatic initiation from two diverse parameter measurements:

1. Low pressurizer pressure
2. High Containment pressure (HI-1)

For a steam line break accident, diversity of SI actuation is provided by:

1. Low compensated steam line pressure
2. Low pressurizer pressure
3. For a steam line break inside Containment, high Containment pressure (HI-1) provides an additional parameter for generation of the signal.

All of the above sets of signals are redundant and physically separated and meet the requirements of IEEE 279-1971.

7.1.2.1.9 Bistable Trip Setpoints: Three values applicable to reactor trip and ESF actuations are specified:

1. Safety limit
2. Limiting value
3. Nominal setpoint

The safety limit is the value assumed in the accident analysis and is the least conservative value.

The limiting value is the Technical Specification value and is obtained by subtracting a safety margin from the safety limit. The safety margin accounts for instrument error, process uncertainties such as flow stratification and transport factor effects, etc.

The nominal setpoint is the value set into the equipment and is obtained by subtracting allowances for instrument drift from the limiting value. The nominal setpoint allows for the normal expected instrument setpoint drifts so that the Technical Specification limits will not be exceeded under normal operation.

The setpoints that require trip action are given in the Technical Specifications. A further discussion on setpoints is found in Section 7.2.2.2.1.

The trip setpoint is determined by factors other than the most accurate portion of the instrument's range. The safety limit is determined only by the accident analysis. As described above, allowance is then made for process uncertainties, instrument error, instrument drift, and calibration uncertainty to obtain the nominal setpoint value which is actually set into the equipment. The only requirement on the instrument's accuracy value is that, over the instrument span, the error must always be less than or equal to the error value allowed in the accident analysis. The instrument does not need to be the most accurate at the setpoint value as long as it meets the minimum accuracy requirement. The accident analysis accounts for the expected errors at the actual setpoint.

Range selection for the instrumentation covers the expected range of the process variable being monitored consistent with its application. The design of the RTS and ESFAS is such that the bistable trip setpoints do not require process transmitters to operate within 5 percent of the high and low end of their calibrated span or range. Functional requirements established for every channel in the RTS and ESFAS stipulate the maximum allowable errors on accuracy, linearity, and reproducibility. The protection channels are tested to ascertain that the characteristics throughout the entire span in all aspects are acceptable and meet functional requirement specifications. As a result, no protection channel operates within 5 percent of the limits of its specified span.

Emphasis is placed on establishing adequate performance requirements under both normal and faulted conditions. This includes consideration of process transmitter margins so that even under a highly improbable situation of full-power operation at the limits of the operating map (as defined by the high and low-pressure reactor trip, ΔT overpower and overtemperature trip lines [departure from nucleate boiling protection], and the steam generator safety valve pressure setpoint), adequate instrument response is available to ensure plant safety.
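The three-value chain and the 5 percent span rule of 7.1.2.1.9, as an added worked example (not part of the UFSAR or of any plant calculation): it derives the limiting value and nominal setpoint from the safety limit, checks the setpoint against the span ends, and classifies an as-found bistable value. The channel values, the mirrored case for a trip on a falling variable, and the classification labels are assumptions of this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TripChannel:
    """One bistable trip function. Every number used below is constructed."""
    name: str
    trips_on_rising: bool   # True: trip when the variable rises to the setpoint
    safety_limit: float     # value assumed in the accident analysis
    safety_margin: float    # instrument error plus process uncertainties
    drift_allowance: float  # expected instrument setpoint drift
    span_low: float         # calibrated span of the process transmitter
    span_high: float

    def _conservative(self, value, amount):
        # The text's "subtracting" is the rising-trip case. A trip on a
        # falling variable mirrors it (assumption made by this example).
        return value - amount if self.trips_on_rising else value + amount

    def _beyond(self, value, reference):
        # True when value is less conservative than reference.
        return value > reference if self.trips_on_rising else value < reference

    @property
    def limiting_value(self):
        """Technical Specification value: safety limit less the safety margin."""
        return self._conservative(self.safety_limit, self.safety_margin)

    @property
    def nominal_setpoint(self):
        """Value set into the equipment: limiting value less drift allowance."""
        return self._conservative(self.limiting_value, self.drift_allowance)

    def span_fraction(self, value):
        """Position of value within the calibrated span, 0.0 to 1.0."""
        return (value - self.span_low) / (self.span_high - self.span_low)

    def setpoint_clear_of_span_ends(self, edge=0.05):
        """The setpoint must not sit within 5 percent of either span end."""
        fraction = self.span_fraction(self.nominal_setpoint)
        return edge <= fraction <= 1.0 - edge

    def classify_as_found(self, as_found):
        """Place a surveillance reading relative to the three values."""
        if self._beyond(as_found, self.safety_limit):
            return "beyond_safety_limit"
        if self._beyond(as_found, self.limiting_value):
            return "beyond_limiting_value"
        return "within_limiting_value"


def review(channel):
    """Return the design findings for one channel as a list of strings."""
    findings = []
    if channel.safety_margin <= 0 or channel.drift_allowance <= 0:
        findings.append("margin and drift allowance must be positive")
    if not channel.setpoint_clear_of_span_ends():
        findings.append("nominal setpoint within 5 percent of a span end")
    return findings


# Constructed channels, in percent of span; not plant data.
RISING = TripChannel("high-variable trip", True, 98.0, 2.0, 2.0, 0.0, 100.0)
CROWDED = TripChannel("setpoint near span top", True, 99.5, 2.0, 1.0, 0.0, 100.0)
FALLING = TripChannel("low-variable trip", False, 10.0, 3.0, 1.5, 0.0, 100.0)

if __name__ == "__main__":
    for ch in (RISING, CROWDED, FALLING):
        print(ch.name, ch.limiting_value, ch.nominal_setpoint, review(ch))
```
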

7.1.2.1.10 AMSAC: The requirements for the AMSAC are specified in Title 10 of the Code of Federal Regulations, Part 50.62. The design of the AMSAC is based on transient analyses, referenced in UFSAR Section 15.8, where the limiting ATWS event has been shown to be a loss of feedwater event without an ensuing reactor trip. Based on these analyses it has been concluded that the mitigative functions performed by the AMSAC are sufficient to prevent unacceptable offsite radioactive doses and to maintain reactor coolant system pressure to within ASME Stress Level C.

7.1.2.2 Independence of Redundant Safety-Related Systems. The safety-related systems in Section 7.1.1 are designed to meet the independence and separation requirements of GDC 22 and IEEE 279-1971, Paragraph 4.6.

The electrical power supply, instrumentation, and control conductors for redundant circuits have physical separation to preserve the redundancy and to ensure that no single credible event will prevent operation of the associated function due to electrical conductor damage. Critical circuits and functions include power, control, and analog instrumentation associated with the operation of the RTS or ESFAS. Credible events include, but are not limited to, the effects of electrical faults, pipe rupture, missiles, fire, etc., and are considered in the basic plant design.

7.1.2.2.1 General: For the criteria and design bases for the installation of electrical cable and wiring for safety-related systems, see the referenced sections noted as follows:

1. Cable derating and cable tray fill (Section 8.3)
2. Cable routing in congested areas and areas of hostile environment (Section 8.3)
3. Separation criteria for cables and wiring (Section 8.3.1.4)
4. Fire detection and protection in areas where cables are installed (Section 9.5.1)
5. Cable and cable tray marking (Section 8.3)
6. Spacing of wiring and components in control boards, panels, and relay racks (Section 8.3)

The following criteria establish the minimum requirements for physical separation of redundant instrument impulse lines for the RTS and ESFAS for eliminating the possibility of damage to more than one redundant impulse line as a result of any one incident:

1. Impulse lines in the same channel may be routed together, but those of redundant channels are separated.
2. Redundant impulse lines are physically separated by a minimum distance of 18 inches.

Redundant transmitter impulse lines penetrating walls are also physically separated. If separation is not practicable, then a suitable barrier is used to protect against common failures.

Suitable barriers include structural steel shapes, building structures (such as walls), and guard pipes, for example.

3. Special shielding is incorporated in areas where particular missiles or other hazards are identified.

The physical separation criteria for redundant safety-related system sensors, sensing lines, wireways, cables, components on racks, and the Integrated Head Package within Westinghouse's NSSS scope meet recommendations contained in RG 1.75, with the following comments:

1. The Westinghouse design of the protection system relied on the provisions of IEEE 384-1974 relative to overcurrent devices to prevent malfunctions in one circuit from causing unacceptable influences on the functioning of the protection system. The protection system uses redundant instrumentation channels and actuation trains and incorporates physical and electrical separation to prevent faults in one channel from degrading any other protection channel.

2. Separation recommendations for redundant instrumentation racks are not the same as those given for the control boards in RG 1.75, Regulatory Position C.16 because of different functional requirements. Main control boards contain redundant circuits which are required to be physically separated from each other. However, since there are no redundant circuits which share a single compartment of an NSSS protection instrumentation rack, and since these redundant protection instrumentation racks are physically separated from each other, the physical separation requirements specified for the main control board do not apply.

However, redundant, isolated control signal cables leaving protection cabinets are brought into close proximity elsewhere in the plant; e.g., the control board. It could be postulated that electrical faults, or interference, at these locations might be propagated into redundant cabinets and degrade protection circuits because of the close proximity of protection and control wiring within each cabinet. RG 1.75, Regulatory Position C.4, and IEEE 384-1974, Paragraph 4.5(3), provide the option to demonstrate that the absence of physical separation could not significantly reduce the availability of Class 1E circuits.

The nuclear instrumentation and SSPS tests were included in the "Westinghouse Protection System Noise Tests" report submitted to and accepted by the NRC in support of the Diablo Canyon application (docket numbers 50-275 and 50-323). The tests on the Process Control System 7300 Series are reported in Reference 7.1-4; test conclusions were accepted by the NRC. Tests on the Qualified Display Processing System are reported in Reference 7.1-5.

Provisions are made to provide assurance that maximum credible fault voltages and conditions which could be postulated in the STPEGS nuclear station, as a result of balance-of-plant cable routing design, do not exceed those used in the tests.

These Westinghouse tests demonstrated that the protection system's performance would not be degraded even if subjected to abnormal electrical conditions which far exceed those which can be reasonably postulated.

3. The physical separation criteria for instrument cabinets within Westinghouse's NSSS scope meet the recommendations contained in IEEE 384-1974, Paragraph 5.7.

4. Separation between cabling groups on the Integrated Head Package and Rapid Refueling Bridge is maintained to the greatest extent practicable, but the 3-ft horizontal and 5-ft vertical criteria cannot be maintained in this area. Damage by single events is not credible because of the protected area of the reactor cavity and the missile interference provided by the Integrated Head Package. The core exit thermocouples and reactor vessel water level heated junction thermocouples signals are low level electrical signals contained within mineral-oxide insulated and stainless steel jacketed cables. (Refer to Appendix 7.A.II.F.2 for further details on the core exit thermocouples.) The cables for head vent valves are contained within flexible metallic tubing and are normally deenergized.

7.1.2.2.2 Specific Systems: Independence is maintained throughout the system, extending from the sensor through to the devices actuating the protective function. Physical separation is used to achieve separation of redundant transmitters. Separation of wiring is achieved using separate wireways, cable trays, conduit runs, and Containment penetrations for each redundant protection channel set. Redundant analog equipment is separated by locating modules in different protection sets. Each redundant protection set is energized from a separate ac power feed.

7.1.2.2.2.1 Protection Sets - There are four separate process analog sets. In these process analog sets, some cards are replaced with new cards developed by Westinghouse using Application Specific Integrated Circuit (ASIC) technology. The ASIC-based replacement modules (ABRMs) are direct card-for-card replacement modules for the Westinghouse 7300 Process Protection System (PPS) or Process Control System (PCS). Separation of redundant analog channels begins at the process sensors and is maintained in the field wiring, Containment penetrations, and analog protection cabinets to the redundant trains in the logic racks. Separate routing is maintained for the four basic protection sets of analog sensing signals, bistable output signals, and power supplies. The separation of these four protection sets is maintained from the sensors to protection set cabinets to SSPS input cabinets.

In the Nuclear Instrumentation System (NIS), Process Control System, and SSPS input cabinets where redundant channel instrumentation is physically adjacent, there are no wireways or cable penetrations which would permit, for example, a fire resulting from electrical failure in one channel to propagate into redundant channels in the logic racks. Redundant analog channels are separated by locating modules in different cabinets. Since all equipment within any cabinet is associated with a single protection set, there is no requirement for separation of wiring and components within the cabinet.

7.1.2.2.2.2 Reactor Trip System - Two reactor trip breakers are actuated by two separate logic matrices which interrupt power to the control rod drive mechanisms (CRDMs). The breaker main contacts are connected in series with the power supply so that opening either breaker interrupts power to all CRDMs, permitting the rods to free fall into the core.

Separate routing of the redundant reactor trip signals is maintained from the SSPS cabinets by spatial separation, by provision of barriers or by separate cable trays or wireways, as discussed in Section 8.3.

7.1.2.2.2.3 Engineered Safety Features Actuation System - The various ESF systems are actuated by the ESFAS. Separate routing of the redundant ESF actuation signals is maintained by spatial separation, by provision of barriers, or by separate cable trays or wireways, as discussed in Section 8.3.

Separate routing of control and power circuits associated with the operation of ESF equipment is required to retain redundancies provided in the system design and power supplies.

7.1.2.2.2.4 Instrumentation and Control Power Supply System - The separation criteria presented also apply to the power supplies for the load centers and busses distributing power to redundant components and to the control of these power supplies.

7.1.2.2.3 Fire Protection: For electrical equipment within the NSSS scope of supply, Westinghouse specifies noncombustible or fire-retardant material and conducts vendor-supplied specification reviews of this equipment, including assurance that materials are not used that might ignite or explode from an electrical spark or flame or from heating, or that would independently support combustion. These reviews also include assurance of conservative current-carrying capacities of all instrument cabinet wiring, which precludes electrical fires resulting from excessive overcurrent (I²R) losses. For example, wiring used for instrument cabinet construction has Teflon or Tefzel insulation and is adequately sized based on current-carrying capacities set forth by the National Electrical Code. Braided sheathed material is noncombustible.

Details of the plant's fire protection provisions are provided in Section 9.5.1. Further information is provided in the Fire Hazards Analysis Report, provided under separate cover to the NRC.

7.1.2.3 Physical Identification of Safety-Related Equipment. There are four separate protection sets identifiable with process equipment associated with the RTS and ESFAS. A protection set may consist of more than a single process equipment cabinet. The color-coding of each process equipment cabinet nameplate coincides with the color code established for the protection set of which it is a part. Redundant channels are separated by locating them in different equipment cabinets. Separation of redundant channels begins at the process sensors and is maintained in the field wiring, Containment penetrations, and equipment cabinets to the redundant trains in the logic racks. The SSPS input cabinets are divided into four isolated compartments, each serving one of the four redundant input channels. Horizontal 1/8-inch-thick solid steel barriers, coated with fire-retardant paint, separate the compartments. Four 1/8-inch-thick solid steel wireways coated with fire-retardant paint enter the input cabinets vertically in their own quadrant. The wireway for a particular compartment is open only into that compartment so that flame cannot propagate to affect other channels. A diagram of the input cabinet is given on Figure 7.1-4. At the logic racks, the protection set color-coding for redundant channels is clearly maintained until the channel loses its identity in the redundant logic trains. The color-coded nameplates described in Section 8.3.1.4 provide identification of equipment associated with protective functions and their channel set association.

Non-cabinet-mounted protective equipment and components are provided with identification tags or nameplates. Small electrical components such as relays have nameplates on the enclosure which houses them. Cables are numbered with identification tags. In congested areas, such as under or over the control boards, instrument racks, etc., cable trays and conduits containing redundant circuits are identified using permanent markings, to facilitate cable routing identification for future modification or additions. Positive permanent identification of cables and/or conductors is made at terminal points. There are also identification nameplates on the input panels of the SSPS.

7.1.2.4 Conformance to Criteria. A list of applicable criteria and the sections where conformance is discussed is given in Table 7.1-1. Comments relative to certain specific criteria are given below. RG conformance is also identified in Section 3.12.

7.1.2.5 Conformance to Regulatory Guide 1.22. Periodic testing of the RTS and ESFAS, as described in Sections 7.2.2 and 7.3, complies with RG 1.22.

Where the ability of a system to respond to a bona fide accident signal is intentionally bypassed for the purpose of performing a test during reactor operation, each bypass condition is automatically indicated to the reactor operator in the control room by separate annunciator for the train in test. Test circuitry will cause a reactor trip if two trains are inadvertently placed in test at the same time.

Administrative and procedural controls are used to prevent testing of more than one protection set of the analog circuitry simultaneously.

The actuation logic for the RTS and ESFAS is tested as described in Sections 7.2 and 7.3. As recommended by RG 1.22, where actuated equipment is not tested during reactor operation, the following were determined:

1. There is no practicable system design that would permit operational testing of the equipment without adversely affecting the safety or operability of the plant;
2. The probability that the protection system will fail to initiate the operation of the equipment is, and can be maintained, acceptably low without testing the equipment during reactor operation; and
3. The equipment can be routinely tested when the reactor is shut down.

Equipment that may not be tested at full power in order to avoid damaging equipment or upsetting plant operation is listed below:

Manual actuation switches (RTS and ESFAS)

Reactor coolant pump breakers

Main steam isolation valves

Main feedwater isolation valves (full close)

Feedwater control valves (close)

Reactor coolant pump seal water return valves (close)

Certain slave relays in the SSPS

In addition, some valves that have power locked out are not tested while power is locked out.

The justifications for not testing the above items at full power are discussed below.

1. Manual Actuation Switches - These would cause initiation of their protection system function at power, causing plant upset and/or reactor trip. It should be noted that the reactor trip function derived from the automatic SI signal is tested at power as follows:

The analog signals, from which the automatic SI signal is derived, are tested at power in the same manner as the other analog signals, and as described in Section 7.2.2.2.3.10. The processing of these signals in the SSPS, where their channel orientation converts to a logic train orientation, is tested at power by the built-in semi-automatic test provisions of the SSPS. The reactor trip breakers are tested at power as discussed in Section 7.2.

2. Tripping of Reactor Coolant Pump (RCP) Breakers - No credit is taken in the accident analyses for an RCP breaker opening causing a direct reactor trip. Since testing them at power would cause plant upset, the RCP breakers do not need to be tested at power.

3. Closing the Main Steam Isolation Valves - Full closure of the main steam isolation valves (MSIVs) is periodically tested as required by the Technical Specifications. Testing of the MSIVs to full closure at power is not practicable. As the plant power is increased, the coolant average temperature is programmed to increase. If the valves are closed under these elevated temperature conditions, the steam pressure transient would unnecessarily operate the steam generator (SG) power-operated relief valves and possibly the SG safety valves. The steam pressure transient produced would cause shrinkage in the SG water level, which would cause the reactor to trip on low-low SG water level. Testing during operation will decrease the operating life of the valve.

The proposed resolution below meets the guidelines of Regulatory Position D.4 of RG 1.22, based on the above-identified problems incurred with periodic testing of the MSIVs at power. Since (1) no practicable system design will permit full closure of the valves without adversely affecting the safety or operability of the plant, (2) the probability that the protection system will fail to initiate the actuated equipment is acceptably low due to testing up to final actuation, and (3) these valves will be periodically tested as required per Section 10.3.4 "Inspection and Testing Requirements".

4. Closing the Feedwater Isolation Valves - The feedwater isolation valves (FWIVs) are periodically tested as required by the Technical Specifications. Periodic testing of FWIVs, closing them completely at power, would induce SG water level transients and oscillations, which would trip the reactor. These transient conditions would be caused by perturbing the feedwater (FW) flow and pressure conditions necessary for proper operation of the variable-speed FW Pump Control System and the SG Water Level Control System. Any operation which induces perturbations in the main FW flow, whether deliberate or otherwise, generally leads to a reactor trip and should be avoided.

Since (1) no practicable system design will permit operation of these valves without adversely affecting the safety or operability of the plant, (2) the probability that the protection system will fail to initiate equipment operation is acceptably low without testing the equipment during reactor operation, and (3) these valves can be tested while the reactor is shutdown, the FWIVs will be tested during cold shutdown.

5. Closing the Feedwater Control Valves - The FW control valves are periodically tested. To close them at power would adversely affect the operability of the plant. The verification of operability of FW control valves at power is assured by confirmation of proper operation of the SG Water Level Control System. The actual actuation function of the solenoid, which provides the closing function, is periodically tested at power, as discussed in Section 7.3. The operability of the slave relay which actuates the solenoid, which is the actuating device, is verified during this test. Although the actual closing of these control valves is blocked when the slave relay is tested, all functions are tested to assure that no electrical malfunctions have occurred which could defeat the protective function. The solenoids work on the energize-to-actuate principle, so that the FW control valves remain in the modulate mode upon loss of power and close upon loss of air pressure.

Based on the above, the testing of the isolating function of FW control valves meets the guidelines of Regulatory Position D.4 of RG 1.22.

6. Seal Water Return Valves (Close) - Seal water return line isolation valves are periodically tested. Closure of these valves during operation would cause the seal water return safety valve to lift, with the possibility of valve chatter which would damage this safety valve.

Testing of these valves at power would cause equipment damage. Therefore, these valves are tested during plant outages. Additional Containment penetrations and Containment isolation valves would introduce additional unnecessary potential pathways for radioactive release following a postulated accident. Thus, the guidelines of Regulatory Position D.4 of RG 1.22 are met.

7. Certain Slave Relays - Certain other devices were identified whose operation during full-power plant operation would cause plant upset. Therefore testing of these slave relays will be performed during outages and/or refuelings, as is identified in the Technical Specifications. A summary of these devices, the associated slave relays and the rationale for not testing these slave relays during power operation was provided to the NRC by letter ST-HL-AE-2115, Mr. M. R. Wisenburg of Houston Lighting and Power Company to U. S. Nuclear Regulatory Commission, dated April 22, 1987.

8. Power Locked Out Valves - Technical Specifications require power to be locked out for the accumulator discharge isolation valves above 1000 psig pressurizer pressure. The purpose of the power lockout is to prevent inadvertent closing of the accumulator discharge isolation valves since they do not meet single failure criteria. For these valves, only a continuity test of actuating relays is performed when power is required to be locked out.

7.1.2.6 Conformance to Regulatory Guide 1.47. The design of the safety-related equipment bypass status indication system complies with the requirements of Section 4.13 of IEEE 279-1971 and satisfies the recommendations of RG 1.47. The Bypass Indication System is designed as follows:

1. The Bypass Indication System is located in the control room and is isolated from safety-related systems. Bypass indication is grouped on a system basis with separate groups for trains A, B, and C.
2. The bypass indication system does not perform functions essential to the public health and safety during an accident nor do administrative procedures require immediate operator action based solely on bypass indications.
3. Appropriate separation criteria are applied to the design and installation of the system in order to avoid degradation of the safety-related systems.

4. The capability for assuring the operable status of the system is provided.
5. Bypass indication on a system basis is provided for the following systems:
a. Safety Injection System
b. Containment Spray System
c. Containment Isolation Phase A
d. Containment Ventilation Isolation
e. Class 1E 125-volt DC and 120-volt Vital AC systems

f. Containment Hydrogen Monitoring System (Section 7.6.5).
g. Containment Heat Removal System
h. Fuel Handling Building HVAC Exhaust Subsystem
i. Solid State Protection System
j. Feedwater Isolation
k. Steam Line Isolation
l. Auxiliary Feedwater System
m. Electrical Penetration Space HVAC System
n. Control Room Envelope and Electrical Auxiliary Building Main Area HVAC Systems
o. Containment Isolation Phase B

6. The following support systems, when bypassed or rendered inoperable, activate bypass indication for that system plus all supported systems identified in item 5 above:

a. Component Cooling Water System
b. Essential Cooling Water System
c. ESF Bus System (including the standby diesel generator and the ESF load sequencers)
d. Essential Chilled Water System
e. Supporting HVAC equipment

7.1.2.7 Conformance to Regulatory Guide 1.53 and IEEE 379-1972. The principles described in IEEE Standard 379-1972 are used in the design of the Westinghouse protection system and the Houston Lighting & Power (HL&P) (historical context) supplied ESFAS. The systems comply with the intent of this standard and the additional guidance of RG 1.53. For the Westinghouse systems, the formal analyses have not been documented exactly as outlined in IEEE 379. Westinghouse has gone beyond the required analyses and has performed a fault-tree analysis (Ref. 7.1-1).

The referenced topical report provides details of the analyses of the protection systems previously made to show conformance with the single-failure criterion set forth in IEEE 279-1971, Paragraph 4.2. The interpretation of "single-failure criterion" provided by IEEE 379-1972 does not indicate substantial differences from the Westinghouse interpretation of the criterion except in the methods used to confirm design reliability. Established design criteria in conjunction with sound engineering practices form the bases for the Westinghouse protection systems. The RTS and ESFAS are each redundant safety systems. The required periodic testing of these systems will disclose any failures or loss of redundancy which could have occurred in the interval between tests, thus ensuring the availability of these systems.

The design of the instrumentation and controls for the Fuel Handling Building (FHB) HVAC Exhaust Subsystem and Control Room Envelope HVAC System conforms to the requirements of IEEE 379-1972 and is consistent with the guidance contained in RG 1.53. The design of these systems includes consideration of potential faults and failures on a system basis to assure that the protective function would be performed. Channel independence has been verified in the design to ensure that there is no potential for common mode failures for each of the redundant sensor channels on these actuation channels. Periodic testing of each channel is accomplished by tripping the radiation sensor and verifying that the appropriate HVAC equipment actuates. The required periodic testing of these systems will disclose any failures or loss of redundancy which could have occurred in the interval between tests, thus ensuring the availability of these systems.

The Containment Combustible Gas Monitoring System is manually started and has no actuation function. However, the design of the system controls complies with the intent of IEEE 379-1972 and the guidance of RG 1.53. Periodic tests ensure that the gas monitors will function as required to assure their availability in the event of a LOCA.

7.1.2.8 Conformance to Regulatory Guide 1.63 (IEEE 317-1976). Design conformance to RG 1.63 (IEEE 317-1976) for electrical penetration assemblies in the Containment structure is discussed in Section 8.3.

7.1.2.9 This section is not used.

7.1.2.10 Conformance to Regulatory Guide 1.30 (IEEE 336-1971). Design conformance to RG 1.30 (IEEE 336-1971) for the installation, inspection, and testing requirements for instrumentation and electrical equipment is discussed in Section 8.3.

7.1.2.11 Conformance to Regulatory Guide 1.118 (IEEE 338-1977). The periodic testing of the RTS and ESF Actuation System conforms to the requirements of IEEE 338-1977, and the guidance of RG 1.118 with the following comments:

1. The testing program for these systems complies with the intent of the standard and the additional guidance of RG 1.118. For items concerning IEEE 338-77, Section 6, "Testing Program", exceptions and clarifications may be identified during procedure development.

2. The surveillance requirements of the Technical Specifications for the protection systems ensure that the system functional operability is maintained comparable to the original design standards. Periodic tests at frequent intervals demonstrate this capability for the system, excluding sensors.

Overall protection system response times will be demonstrated by test. Sensors within the Westinghouse scope are demonstrated to be adequate for this design by vendor testing, in situ tests in operating plants with appropriately similar design, or by suitable type testing. The Nuclear Instrumentation System (NIS) detectors are excluded since they exhibit response-time characteristics such that delays attributable to them are negligible in the overall channel response time required for safety.

The Technical Specifications require periodic verification testing at intervals of no greater than 18 months.

Each test will include at least one logic train so that both logic trains are tested at least once per 36 months and one channel per function, so that all channels are tested at least once every N times 18 months, where N is the total number of redundant channels in a specific protective function.

The measurement of response time at the specified time intervals provides assurance that the protective and ESF actuation function associated with each channel is completed within the time limit assumed in the accident analyses.
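The staggered rotation described above, worked through as an added example that is not part of the UFSAR: it generates an 18-month test rotation and audits a test history against the 36-month train rule and the N times 18 months channel rule. The train labels, the rotation order, the month-0 baseline and all function names are assumptions made for illustration.

```python
"""Staggered response-time test rotation: one logic train and one channel
per function at each test, with tests no more than 18 months apart."""
from dataclasses import dataclass

TEST_INTERVAL_MONTHS = 18   # maximum interval between tests (from the text)
TRAIN_LIMIT_MONTHS = 36     # both logic trains tested at least once per 36 months
LOGIC_TRAINS = ("A", "B")   # two redundant logic trains; the labels are assumed


@dataclass(frozen=True)
class ResponseTimeTest:
    month: int      # months since the start of the test programme (assumed baseline)
    train: str
    channel: int    # 1..N, N = redundant channels in the protective function


def channel_limit_months(n_channels):
    """All channels are tested at least once every N times 18 months."""
    return n_channels * TEST_INTERVAL_MONTHS


def staggered_schedule(n_channels, n_tests):
    """Assumed rotation: alternate the trains, step through the channels in order."""
    if n_channels < 1 or n_tests < 0:
        raise ValueError("need at least one channel and a non-negative test count")
    return [
        ResponseTimeTest(
            month=i * TEST_INTERVAL_MONTHS,
            train=LOGIC_TRAINS[i % len(LOGIC_TRAINS)],
            channel=(i % n_channels) + 1,
        )
        for i in range(n_tests)
    ]


def audit(records, n_channels, as_of_month):
    """Return {item: worst gap in months} for every train or channel whose
    longest untested stretch exceeds its limit. Gaps are measured from month 0,
    between consecutive tests, and from the last test to as_of_month."""
    limits = {f"train {t}": TRAIN_LIMIT_MONTHS for t in LOGIC_TRAINS}
    for c in range(1, n_channels + 1):
        limits[f"channel {c}"] = channel_limit_months(n_channels)

    tested = {name: [] for name in limits}
    for r in records:
        for name in (f"train {r.train}", f"channel {r.channel}"):
            if name not in tested:
                raise ValueError(f"record refers to unknown {name}")
            tested[name].append(r.month)

    findings = {}
    for name, months in tested.items():
        points = [0] + sorted(months) + [as_of_month]
        worst = max(later - earlier for earlier, later in zip(points, points[1:]))
        if worst > limits[name]:
            findings[name] = worst
    return findings


if __name__ == "__main__":
    plan = staggered_schedule(n_channels=4, n_tests=8)
    for t in plan:
        print(f"month {t.month:3d}: train {t.train}, channel {t.channel}")
    print("violations, full plan:", audit(plan, 4, as_of_month=126))
    # Constructed failure case: the month-54 test was never performed.
    missed = [t for t in plan if t.month != 54]
    print("violations, one test missed:", audit(missed, 4, as_of_month=126))
```

A single skipped test breaks both rules at once: the logic train that was due goes 72 months between tests, and the channel that was due is not covered within its 4 times 18 month window.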


7.1.2.12 Conformance to 10CFR50.62. The AMSAC conforms to the requirements of 10CFR50.62, as discussed in Section 7.8.

REFERENCES

Section 7.1:

7.1-1 Gangloff, W. C., and W. D. Loftus, "An Evaluation of Solid-State Logic Reactor Protection in Anticipated Transients", WCAP-7706-L, Proprietary (February 1971) and WCAP-7706, Nonproprietary (February 1973).

7.1-2 Katz, D. N., "Solid-State Logic Protection System Description", WCAP-7488-L, Proprietary (January 1971) and WCAP-7672, Nonproprietary (May 1971).

7.1-3 Not Used

7.1-4 Siroky, R. M., and F. W. Marasco, "7300 Series Process Control System Noise Tests", WCAP-8892A, Nonproprietary (June 1977).

7.1-5 Nasrallan, C. N., "Noise, Fault, Surge, and Radio Frequency Interference Test Report: Westinghouse Eagle-21 Digital Family as Used in QDPS, PSMS, RVLIS, and ICCM", WCAP-11340 (Proprietary) and WCAP-11341 (Nonproprietary); November 1986; submitted by letter M. R. Wisenburg, HL&P to Vincent S. Noonan, NRC; dated December 5, 1986; ST-HL-AE-1824.

TABLE 7.1-1 LISTING OF APPLICABLE CRITERIA

Criteria | Title | Conformance Discussed In

1. General Design Criteria, Appendix A to 10CFR50:
Note: General conformance to GDCs is discussed in Section 3.1.

GDC 1 | Quality Standards and Records | 3.1
GDC 2 | Design Bases for Protection Against Natural Phenomena | 3.1, 7.2.1.1
GDC 3 | Fire Protection | 3.1, 9.5.1
GDC 4 | Environmental and Missile Design Bases | 3.1, 3.11, 7.2.2.2
GDC 5 | Sharing of Structures, Systems, and Components | 3.1
GDC 10 | Reactor Design | 3.1, 7.2.2.2
GDC 12 | Suppression of Reactor Power Oscillations | 3.1
GDC 13 | Instrumentation and Control | 3.1, 7.3.1, 7.3.1.2, 7.3.2, 7.3.3, 7.7.2
GDC 15 | Reactor Coolant System Design | 3.1, 7.2.2.2.1
GDC 17 | Electric Power Systems | 3.1, 7.6.1.2, 8.2, 8.3
GDC 19 | Control Room | 3.1, 6.4, 7.3.2
GDC 20 | Protection System Functions | 3.1, 7.1.2.1, 7.2.2.2, 7.3.1, 7.3.2, 7.3.3
GDC 21 | Protection System Reliability and Testability | 3.1, 7.1.2.1, 7.2.2.2, 7.3.1, 7.3.1.1, 7.3.1.2, 7.3.2, 7.3.3
GDC 22 | Protection System Independence | 3.1, 7.1.2.1, 7.1.2.2, 7.2.2.2, 7.3.1.1, 7.3.1.2, 7.3.2, 7.3.3
GDC 23 | Protection System Failure Modes | 3.1, 7.2.2.2, 7.3.1.1, 7.3.1.2, 7.7.2.2
GDC 24 | Separation of Protection and Control Systems | 3.1, 7.2.2.2, 7.3.1.1, 7.3.1.2, 7.7.2.1
GDC 25 | Protection System Requirements for Reactivity Control Malfunctions | 3.1, 7.3.1.2, 7.7.2.2
GDC 26 | Reactivity Control System Redundancy and Capability | 3.1
GDC 27 | Combined Reactivity Control Systems Capability | 3.1, 7.3.1, 7.3.1.2
GDC 28 | Reactivity Limits | 3.1, 7.3.1, 7.3.1.2
GDC 29 | Protection Against Anticipated Operational Occurrences | 3.1, 7.2.2.2
GDC 33 | Reactor Coolant Makeup | 3.1
GDC 34 | Residual Heat Removal | 3.1
GDC 35 | Emergency Core Cooling | 3.1, 7.3.1.1, 7.3.1.2
GDC 37 | Testing of Emergency Core Cooling System | 3.1, 7.3.1.2
GDC 38 | Containment Heat Removal | 3.1, 7.3.1, 7.3.1.2
GDC 40 | Testing of Containment Heat Removal System | 3.1, 7.3.1.2
GDC 41 | Containment Atmosphere Cleanup | 3.1
GDC 43 | Testing of Containment Atmosphere Cleanup System | 3.1, 7.3.1.2
GDC 44 | Cooling Water | 3.1
GDC 46 | Testing of Cooling Water System | 3.1, 7.3.1.2
GDC 50 | Containment Design Basis | 3.1
GDC 54 | Piping Systems Penetrating Containment | 3.1, 6.2.4
GDC 55 | Reactor Coolant Pressure Boundary | 3.1, 6.2.4
GDC 56 | Primary Containment Isolation | 3.1, 6.2.4, 7.3.1.1
GDC 57 | Closed System Isolation Valves | 3.1, 6.2.4

2. Institute of Electrical and Electronics Engineers Standards:

IEEE 279-1971 (ANSI N42.7-1972) | Criteria for Protection Systems for Nuclear Power Generating Stations | 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7.2.1
IEEE 308-1974 | Criteria for Class 1E Power Systems for Nuclear Power Generating Stations | 7.1.2.1, 7.6.1.2, 7.6.2.2, 8.2
IEEE 317-1976 | Electric Penetration Assemblies in Containment Structures for Nuclear Power Generating Stations | 7.1.2.8, 8.3
IEEE 323-1974 | IEEE Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations | 3.11, 7.6.3
IEEE 334-1971 | Type Tests of Continuous-Duty Class I Motors Installed Inside the Containment of Nuclear Power Generating Stations | 3.11
IEEE 336-1971 (ANSI N45.2.4-1972) | Installation, Inspection and Testing Requirements for Instrumentation and Electric Equipment During the Construction of Nuclear Power Generating Stations | 7.1.2.10
IEEE 338-1977 | Criteria for the Periodic Testing of Nuclear Power Generating Station Protection Systems | 7.1.2.11, 7.2.2.2, 7.2.3, 7.6.2.2, 7.6.6.3, 8.3
IEEE 344-1975 (ANSI N41.7) | Seismic Qualification of Class 1E Equipment for Nuclear Generating Stations | 3.10
IEEE 379-1972 (ANSI N41.2) | Guide for the Application of the Single-Failure Criterion to Nuclear Power Generating Station Protection Systems | 7.1.2.7, 7.2.1.1
IEEE 382-1972 | Type Test of Class 1 Electric Valve Operators for Nuclear Power Generating Stations | 3.11, 7.6.3
IEEE 384-1974 (ANSI N41.14) | Criteria for Separation of Class 1E Equipment and Circuits | 7.1.2.1, 7.1.2.2, 7.3.1.1, 7.5.4

3. Regulatory Guides
Note: General conformance to RGs is discussed in Section 3.12.

RG 1.6 | Independence Between Redundant Standby (Onsite) Power Sources and Between Their Distribution Systems | 3.12, 7.6.1.2, 8.3
RG 1.7 | Control of Combustible Gas Concentrations in Containment Following a Loss-of-Coolant Accident | 3.11.5, 3.12, 6.2.5
RG 1.11 | Instrument Lines Penetrating Primary Reactor Containment | 3.1, 3.12, 6.2.4, 7.3.1.1
RG 1.12 | Instrumentation For Earthquakes | 3.7.4, 3.12
RG 1.22 | Periodic Testing of Protection System Actuation Functions | 3.12, 7.1.2.5, 7.2.2.2, 7.2.3, 7.3.1.2, 7.4.2, 8.3
RG 1.29 | Seismic Design Classification | 3.2, 3.12, 6.5.1.5, 7.4.2
RG 1.30 (IEEE 336-1971) | Quality Assurance Requirements for the Installation, Inspection, and Testing of Instrumentation and Electric Equipment | 3.12, 7.1.2.10, 8.3, 17.2
RG 1.32 (IEEE 308-1974) | Criteria for Safety-Related Electric Power Systems for Nuclear Power Plants | 3.12, 7.1.2.1, 7.6.1.2, 7.6.2.2, 8.2, 8.3
RG 1.40 (IEEE 334-1971) | Qualification Tests of Continuous-Duty Motors Installed inside the Containment of Water-Cooled Nuclear Power Plants | 3.11, 3.12
RG 1.45 | Reactor Coolant Pressure Boundary Leakage Detection Systems | 3.12, 5.2.5, 11.5
RG 1.47 | Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems | 3.12, 7.1.2.6, 7.5.4, 8.3
RG 1.53 (IEEE 379-1972) | Application of the Single-Failure Criterion to Nuclear Power Plant Protection Systems | 3.12, 7.1.2.7, 7.2.1.1, 8.3
RG 1.62 | Manual Initiation of Protection Actions | 3.12, 7.2.1.1, 7.3.1.2, 8.3
RG 1.63 (IEEE 317-1972) | Electric Penetration Assemblies in Containment Structures for Water-Cooled Nuclear Power Plants | 3.12, 7.1.2.8, 8.3
RG 1.67 | Installation of Overpressure Protection Devices | 3.12, 3.9.3, 5.4.11
RG 1.68 | Initial Test Programs for Water-Cooled Nuclear Power Plants | 3.9.2, 3.12, 14.2.7
RG 1.73 (IEEE 384-1972) | Qualification Tests of Electric Valve Operators Installed Inside the Containment of Nuclear Power Plants | 3.11, 3.12, 7.6.3
RG 1.75 (IEEE 384-1974) | Physical Independence of Electric Systems | 3.12, 7.1.2.1, 7.1.2.2, 7.2.1.1, 7.2.2.2, 7.3.1.1, 7.5.4, 8.3, 9.5.1
RG 1.89 (IEEE 323-1974) | Qualification of Class 1E Equipment for Nuclear Power Plants | 3.10, 3.11, 3.12, 7.6.3
RG 1.95 | Protection of Nuclear Power Plant Control Room Operators Against an Accidental Chlorine Release | 3.12 (not applicable to STPEGS)
RG 1.97 | Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident | 3.10, 3.12
RG 1.100 (IEEE 344-1975) | Seismic Qualification of Electric Equipment for Nuclear Power Plants | 3.10, 3.12
RG 1.105 | Instrument Setpoints | 3.12
RG 1.118 | Periodic Testing of Electric Power and Protection Systems | 7.1.2.11
RG 1.120 | Fire Protection Guidelines for Nuclear Power Plants | 3.12

4. Branch Technical Positions (BTPs) ICSB

BTP ICSB 3 | Isolation of Low Pressure Systems from the High Pressure Reactor Coolant System | 7.6.2.2
BTP ICSB 4 | Requirements of Motor-Operated Valves In the ECCS Accumulator Lines | 7.6.3
BTP ICSB 5 | Scram Breaker Test Requirements - Technical Specifications | Technical Specifications
BTP ICSB 9 | Definition and Use of "Channel Calibration" - Technical Specifications | Technical Specifications
BTP ICSB 12 | Protection System Trip Point Changes for Operation with Reactor Coolant Pumps Out of Service | Technical Specifications
BTP ICSB 13 | Design Criteria for Auxiliary Feedwater Systems | See AFW System FMEA, Section 10.4.9, ESFAS design is given in Section 7.3.1.
BTP ICSB 14 | Spurious Withdrawals of Single Control Rods in Pressurized Water Reactors | Conformance is demonstrated in Sections 7.7.2.2, 15.4.1, 15.4.2, and 15.4.3.
BTP ICSB 18 | Application of the Single-Failure Criterion to Manually-Controlled, Electrically-Operated Valves | 6.3.1, 6.3.2.2, 6.3.5.5, 7.6.3 and 7.6.7. See Figures 7.6-3 and 7.6-10
BTP ICSB 20 | Design of Instrumentation and Controls Provided to Accomplish Changeover from Injection to Recirculation Mode | Conformance is demonstrated in Sections 6.3 and 7.6.4.
BTP ICSB 21 | Guidance for Application of Regulatory Guide 1.47 | 7.5.4
BTP ICSB 22 | Guidance for Application of Regulatory Guide 1.22 | Conformance is demonstrated in Section 7.1.2.5.
BTP ICSB 24 | Testing of Reactor Trip System and Engineered Safety Feature Actuation System Sensor Response Times | Conformance is demonstrated in Section 7.1.2.11.
BTP ICSB 25 | Guidance for the Interpretation of GDC 37 for Testing the Operability of the Emergency Core Cooling System as a Whole | Conformance is demonstrated in Section 3.1
BTP ICSB 26 | Requirements for Reactor Protection System Anticipatory Trips | Conformance is demonstrated in Section 7.2.1
BTP RSB 5-1 | Design Requirements of the Residual Heat Removal System | Appendix 5.4.A
BTP RSB 5-2 | Overpressurization Protection of Pressurized Water Reactors While Operating at Low Temperatures | 7.6.6.3

5. 10CFR50

10CFR50.62 | Requirements for Reduction of Risk from Anticipated Transients Without Scram (ATWS) Events | 7.8.3

TABLE 7.1-2 PLANT COMPARISON*

Reactor Trip System | Differences From Comanche Peak Nuclear Station

1. Overtemperature ΔT and Overpower ΔT Coolant Temperature Measurements (Sections 7.2, 7.3, and 7.7) | Comanche Peak uses N-16 power monitors and in-line Tcold detectors rather than the narrow range Thot and Tcold RTDs used at STPEGS. Thus, Comanche Peak has overtemperature and overpower N-16 trips and N-16 measurements rather than overtemperature and overpower ΔT trips and ΔT measurements used on STPEGS.
2. Power Range Neutron Detectors (Sections 7.2.1.1.7 and 7.7) | Comanche Peak uses four-section power range neutron detectors; STPEGS uses two-section detectors.
3. Reactor Trip on Turbine Trip (Figure 7.2-17) | Comanche Peak uses P-7 interlock (10-percent-power); STPEGS uses P-9 interlock (50-percent-power).
4. Reactor Trip on Turbine Stop Valve Closure (Figure 7.2-17) | Logic is 2/4 on STPEGS and 4/4 on Comanche Peak.
5. Pressurizer High Water Level Trip (Figure 7.2-6) | Four channels are used on STPEGS (2/4 logic); three channels are used on Comanche Peak (2/3 logic).
6. Narrow Range Steam Generator Water Level Measurements (Figure 7.2-7) | Measurements are compensated for temperature effects on the reference leg fluid for STPEGS. Measurements are not compensated on Comanche Peak.
7. Turbine Trip on Reactor Trip (Figures 7.2-2, 7.2-14, and 7.2-17) | Comanche Peak uses a P-4 signal to trip the turbine; STPEGS uses P-16 signal (P-4 or reactor trip signal) to trip turbine.
8. Source Range Flux Detector Energization (Figure 7.2-3) | On Comanche Peak, each source range flux detector is energized and deenergized by logic output from a single train (the two detectors are on separate trains). On STPEGS, to deenergize each detector, outputs from both A and B actuation trains are used; to energize each detector, output from either actuation train (A or B) is used.

Engineered Safety Features Actuation Systems | Differences From Comanche Peak Nuclear Station

1. Steam Generator High-High Water Level Signal (Figure 7.2-7) | Four channels are used for each SG (2/4 logic) on STPEGS; three channels are used for each SG (2/3 logic) on Comanche Peak.
2. Containment Spray Actuation (Figure 7.2-8) | On Comanche Peak, the spray pumps are started by the SI signal, while the Containment spray signal confirms pump start and opens system valves. On STPEGS, the SI signal does not actuate any containment spray equipment; only the containment spray signal actuates Containment Spray System equipment.
3. Radiation Signal Inputs to Containment Ventilation Isolation (Figure 7.3-2A and 7.2-8) | On Comanche Peak, the radiation inputs to the Containment ventilation isolation signal are the three detectors (particulate, iodine, gas) of the Containment air monitor. On STPEGS, the radiation inputs are the two Class 1E RCB purge isolation monitors (gas detectors).
4. Control Room HVAC ESF Actuation Signals (Figures 7.2-8 and 7.3-24) | Both plants utilize the SI signal for control room air cleanup filtration. Comanche Peak has a common control room; each control room inlet radiation monitor actuates the corresponding control room HVAC train. Also each unit's plant vent stack wide-range gas radiation monitor actuates one control room HVAC train. STPEGS has a separate control room for each unit. Each control room has redundant air inlet radiation monitors, each actuating all three trains of control room HVAC.
5. Fuel Handling Building Exhaust HVAC ESF Actuation Signals (Figure 7.3-27) | STPEGS uses SI signal or high radiation signal (from either of two redundant Class 1E spent fuel pool exhaust monitors) to initiate FHB exhaust filtration. On Comanche Peak, fuel building exhaust is always filtered; no actuation is required.
6. Turbine Trip Signal From Feedwater Isolation Signals (Figure 7.2-14) | Addition on STPEGS of manual reset capability for the turbine trip signal from the combined signal of P-16 or any of the following signals: safety injection or P-14 signal. Comanche Peak does not provide this capability.
7. P-4 Signal/Safety Injection or P-14 Signal Feedwater Isolation Interface (Figure 7.2-14) | Comanche Peak: After P-14 signal or SI signal is received, feedwater isolation signal is sent. This signal is then sealed in through coincidence with a P-4 reactor trip. STPEGS: The SI signal or P-14 FW isolation signal sets a retentive memory for FW isolation. Absence of a P-4 reactor trip then allows reset of the memory.
8. P-4 Signal/Low Tavg Signal Feedwater Isolation Interface (Figure 7.2-14) | Comanche Peak: Presence of P-4 reactor trip and low Tavg signals sets a retentive memory (with actuation block). Manual reset of this memory allows repositioning of all FW control and bypass control valves (if closed by that signal). STPEGS: Presence of P-4 reactor trip and low Tavg signals seals in the low Tavg signal, sends a (non-resettable) closure signal to the FW control valves and sets a retentive memory (with actuation block), which can be manually reset to allow repositioning of the FW bypass control valves. (Difference is that the STPEGS FW control valves cannot be repositioned until the reactor trip signal is removed.)

9. Auxiliary Feedwater System Actuation (Figure 7.2-16) | Comanche Peak: Two motor-driven pumps are automatically actuated by SI signal or blackout (LOOP) signal or trip of both main feed pumps or low-low water level in any SG. One turbine-driven pump is automatically actuated by blackout (LOOP) signal or low-low water level in 2 of 4 SGs (not by SI signal). STPEGS: Three motor-driven trains and one turbine-driven train are actuated by SI signal, AMSAC signal (discussed in Section 7.8) or low-low water level in any SG. All cross-connect valves are closed and all isolation and flow regulating valves are opened by these signals. Manual reset capability for the low-low SG water level signal is also provided. Trip of main FW pumps is not used. The LOOP signal is not used (motor-driven pumps are actuated by LOOP signal but flow is recirculated to the AFW storage tank). Turbine-driven train is actuated on low-low water level in any SG, rather than in 2/4 SGs. The QDPS, discussed in Section 7.5, is used to control AFW flow between preset low and high values, using the AFW regulating valves, after the SI, AMSAC or low-low SG water level signal (QDPS also limits flow below a preset high value at all times).

CN-3101

10. Containment Isolation Signal Override | Comanche Peak provides the capability for certain specific components and at the component level, for overriding a standing Containment isolation signal (Containment ventilation isolation or phase A isolation). On STPEGS, this capability is not provided; in order to change the state of an ESFAS-actuated component, the actuating signal must first be reset. However, for the MOVs listed below, if the handswitch is held in the open position while the Containment Isolation ESFAS signal is present, the valve will open only after it has gone fully closed first. When the handswitch is released, the valve will continue to open until it is fully open and then, if the isolation signal is still present, the valve will close again. Also for the air operated isolation valves listed below, if the handswitch is held in the open position while the Containment Isolation signal is present, the valve will open. When the handswitch is released and the Containment Isolation signal is still present, the valve will close. Therefore, the ESFAS signal to an individual component can be temporarily interrupted by holding the handswitch in the position opposite to that directed by the ESFAS signal. The component, then being in a status contrary to that commanded by the Containment Isolation ESFAS signal, is annunciated by the ESF Status Monitoring System. When the handswitch is released, the component reverts to the ESFAS-actuated state.

MOVs: CVMOV-0023, CVMOV-0024, CVMOV-0077, CVMOV-0079, CVMOV-0033A, CVMOV-0033B, CVMOV-0033C, CVMOV-0033D, CVMOV-0025
AOVs: SIFV-3971, SIFV-3970, SIFV-3983, EDFV-7800

Systems Required for Safe Shutdown | Differences From Comanche Peak Nuclear Station

1. Systems Required for Hot Standby (Section 7.4.1) | STPEGS has added RCS wide-range temperature (Thot and Tcold) and auxiliary feedwater flow (to each SG) monitoring. Letdown stop valves are used to isolate letdown on STPEGS. Comanche Peak relies on the letdown orifice valves.
2. Systems Required for Cold (Appendix 5.4.A) | Both Comanche Peak and STPEGS identify Hot Standby as the safe shutdown design basis. Comanche Peak uses air-operated atmospheric steam relief valves for cooldown to RHR cut-in conditions. STPEGS uses safety-related, electro-hydraulically operated SG PORVs. Comanche Peak accomplishes RCS depressurization by use of the pressurizer pressure control system. STPEGS provides safety-related, solenoid-operated pressurizer PORVs for RCS depressurization.
3. Shutdown from Outside the Control Room (Section 7.4.1.9) | 3A. Similar controls and instrumentation are provided for Comanche Peak and for STPEGS at the auxiliary shutdown panel. STPEGS provides additional instrumentation through the QDPS. 3B. Comanche Peak transfers one train of shutdown equipment from the control room to alternate shutdown locations; STPEGS transfers three trains of shutdown equipment.

Safety-Related Display Instrumentation | Differences From Comanche Peak Nuclear Station

1. Post Accident Monitoring Instrumentation (Section 7.5.1 and Appendix 7B) | Minor differences exist in the specific instruments identified to address certain RG 1.97 variables as well as in some of the type and category classifications, based on plant-specific considerations.
2. Qualified Display Processing System (QDPS) (Section 7.5.6) | STPEGS has provided a safety-related display processing system which provides redundant data acquisition and display, via plasma displays, in the control room and at the auxiliary shutdown panel. The majority of the post-accident monitoring instrumentation is displayed via the QDPS. Comanche Peak post-accident monitoring instrumentation is displayed predominantly by meters driven by various signal processing systems.
3. ESF Status Monitoring System (Section 7.5.4) | Comanche Peak provides system-level lights for bypassed and inoperable status indication. STPEGS provides both system-level and component-level lights for bypassed and inoperable status indication. STPEGS adds component and system-level monitoring for post-safety-signal indication of status to the operator. Actual systems and components monitored are plant-specific.

All Other Systems Required For Safety | Differences From Comanche Peak Nuclear Station

1. Switchover from Injection to Recirculation (Section 7.6.4) | 1A. Comanche Peak uses 4 RWST transmitters and a 2/4 coincidence logic to initiate the automatic switchover after an accident which generates an SI signal. STPEGS uses 3 level transmitters; each transmitter interfaces with one train of pumps (1/1 logic) to initiate the automatic switchover to recirculation (coincident SI signal required). 1B. On Comanche Peak, only the RHR pump suctions are automatically switched from the RWST to the Containment sumps. Manual actions are necessary to transfer the pump suctions for the safety injection, centrifugal charging, and containment spray pumps from the RWST. On STPEGS, because of the ECCS/CSS pump suction design, all pumps are automatically switched to sump suction on RWST low-low level (coincident SI signal required). Only manual closure of the RWST outlet valves is needed thereafter, to back up the check valves also provided.
2. Containment Hydrogen Monitoring System (Section 7.6.5) | 2A. Comanche Peak uses 2 analyzers to monitor Containment hydrogen concentrations in both units. Four sample points are monitored in each Containment, with 2 points monitored by one analyzer and 2 points monitored by the other analyzer. STPEGS analyzers are completely separate between the units. Each unit has 2 separate analyzers, with each analyzer capable of monitoring 4 sample points (manually selected). 2B. Comanche Peak uses a microprocessor-based system with sensors inside Containment determining hydrogen concentration based on hydrogen partial pressure. Sensors inside Containment provide output signal to microprocessors outside Containment (no isolation valves needed). STPEGS uses analyzers outside Containment, with the Containment atmosphere sample provided through isolation valving to the analyzers and returned again through isolation valves to the Containment. Analysis is based on thermal conductivity of the sample.
3. Interlocks for RCS Pressure Control during Low Temperature Operation (Section 7.6.6.3) | Comanche Peak uses an automatic low temperature arming of the cold overpressure protection logic. STPEGS uses a manual arming of the protection logic.
4. RHR Pump Low Flow Interlock (Section 7.6.6.4) | For pump protection against loss of suction, STPEGS provides an interlock to stop the RHR pump on low discharge flow. Comanche Peak does not provide this interlock.
5. CVCS Seal Injection Isolation Valves Charging Header Pressure Interlock (Section 7.6.67) | STPEGS uses charging header low pressure coincident with the Phase A Containment isolation signal to close the seal injection isolation valves if the charging pumps are always operating after an SI signal. Because of differences in the ECCS design, the Comanche Peak charging pumps are always operating after an SI signal. Since seal injection is highly desirable after an incident, the seal injection valves are not automatically closed; they may be closed by operator action.
6. Letdown Valves Pressurizer Low Level Interlock (Section 7.6.6.8 and Figures 7.2-12a and 7.2-12b) | The functional intent on both plants is the same, i.e., when the pressurizer water level is low, close the letdown stop valves and the letdown orifice isolation valves. On STPEGS, additional logic is added to close the stop valves after the orifice isolation valves, to prevent flashing in the regenerative heat exchanger.
7. Reactor Coolant Purity Control Interlock (Section 7.6.6.9) | Comanche Peak does not have a similar system which needs isolation by means of this interlock. On STPEGS the system is provided and thus the interlock is required.
8. Hot Leg Recirculation Motor-Operated Valves (Section 7.6.7) | On both plants, valves have been identified which require power lockout to meet Branch Technical Position ICSB 18. While the valves needing power lockout are not the same on both plants, the approach used is the same.

Control Systems Not Required For Safety | Differences From Comanche Peak Nuclear Station

1. Generator Trip, Turbine Trip, Turbine runback, Condenser Available Logics (Section 7.7, Figures 7.2-17, 7.2-11) | Various differences exist between Comanche Peak and STPEGS on signals used for generator trip and turbine trip. These signals are generally plant specific and include utility preferences. At STPEGS, the turbine runback function has been disabled.
2. Movable Neutron Flux Detector System (Section 7.7.1.9) | Comanche Peak System uses isolation valves; STPEGS uses magnetic ball valves to isolate leaks. System layout differs between the two plants.

TABLE 7.1-3 IDENTIFICATION OF DESIGNER AND SAFETY-RELATED STATUS FOR INSTRUMENTATION AND CONTROL SYSTEM

Columns: Instrumentation and Control System*; Safety-Related Status (Yes, No); Designer (Westinghouse, Bechtel); in Section No.

1. Reactor Trip System X X 7.2
2. ESF Actuation System (NSSS) X X 7.3.1
Inputs for Containment Ventilation Isolation X X 7.3.1
3. Control Room Envelope HVAC ESF Actuation System X X 7.3.2
4. Fuel Handling Building HVAC ESF Actuation System X X 7.3.3
5. Systems Required for Safe Shutdown X X X 7.4
6. Safety-Related Display Information See Section 7.5 X X 7.5
Display System (QDPS) X X 7.5
(ERFDADS) X X
ESF Status Monitoring System X X 7.5.4
7. Other Instrumentation Systems Required for Safety X X 7.6
I&C Power Supply System X X 7.6.1
Containment Hydrogen Monitoring System X X 7.6.5
8. Control Systems Not required for Safety X X 7.7
9. ATWS Mitigation System Actuation Circuitry (AMSAC) X X 7.8

* Major responsibility is listed for each item; any differences in responsibility or safety-related status as indicated below the major item. For greater detail, see the referenced Section.

==7.2 REACTOR TRIP SYSTEM==

7.2.1 Description

7.2.1.1 System Description:

The Reactor Trip System (RTS) automatically prevents operation of the reactor in an unsafe condition by shutting down the reactor whenever the limits of safe operation are approached. The safe operating region is defined by several considerations, such as mechanical/hydraulic limitations on equipment and heat transfer phenomena. Therefore, the RTS keeps surveillance on process variables which are directly related to equipment mechanical limitations, such as pressure and pressurizer water level (to prevent water discharge through safety valves and uncovering heaters), and also on variables which directly affect the heat transfer capability of the reactor (e.g., flow and reactor coolant temperatures). Still other parameters utilized in the RTS are calculated from various process variables. In any event, whenever a direct process or calculated variable exceeds a setpoint, the reactor is shut down in order to protect against either gross damage to fuel cladding or loss of system integrity which could lead to release of radioactive fission products.

The following systems make up the RTS:

1. Process Instrumentation and Control System (Ref. 7.2-1)
2. Nuclear Instrumentation System (Ref. 7.2-2)
3. Solid-State Protection System (Ref. 7.2-3)
4. Reactor trip switchgear
5. Manual reactor trip actuation circuit

The RTS consists of sensors which, when connected with analog circuitry (consisting of two to four redundant channels), monitor various plant parameters, and of digital circuitry (consisting of two redundant logic trains) which receives inputs from the analog protection channels to complete the logic necessary to automatically open the reactor trip breakers.

Each of the two logic trains, R and S, is capable of opening a separate and independent reactor trip breaker, RTR or RTS (Figure 7.2-2), respectively. The two trip breakers in series connect three-phase ac power from the rod drive motor generator sets to the rod drive power cabinets, as shown on Figure 7.2-2. During plant operation, a dc undervoltage coil on each reactor trip breaker holds a trip plunger out against its spring, allowing ac power to be available at the rod control power supply cabinets. For reactor trip, a loss of dc voltage to the undervoltage coil, as well as energization of the shunt trip coil, trips open the breaker. When either of the trip breakers opens, power to the rod drive power cabinets is interrupted and the control rods fall, by gravity, into the core. The rods cannot be withdrawn until the trip breakers are manually reset. The trip breakers cannot be reset until the abnormal condition which initiated the trip is corrected. Bypass breakers BYR and BYS are provided to permit testing of the trip breakers, as discussed in Section 7.2.2.2.3.10.

7.2.1.1.1 Equipment Description

Two logic trains, three actuation trains, three Safeguards Test Cabinets, a control board demultiplexer, and a computer demultiplexer constitute the Solid-State Protection System (SSPS), as shown on Figure 7.1-2 and as discussed in Sections 7.2 and 7.3.

1. Redundant Logic Trains

Two identical logic trains, R and S, are provided to comply with Institute of Electrical and Electronic Engineers (IEEE) 279-1971 criteria. Each logic train consists of an input cabinet and a logic cabinet preassembled on a common base.

2. Input Cabinet

To comply with IEEE 279-1971 redundant channel separation requirements, physical separation of the four basic protection channel sets is maintained by separate compartments within the input cabinet. Isolation of the logic from the input signals is maintained by virtue of the separation between the input relay operating coils and their contacts. Miniature relays in each of the compartments accept input signals from nuclear instrumentation and process bistables and field contacts. Contacts of the input relays supply signals to logic circuits in the logic cabinet. Wireways running from top to bottom in the input cabinet for each protection channel set allow either top or bottom cable entry. The wireway for a particular protection channel set opens only into its own compartment.

3. Logic Cabinet

Printed circuit cards in the logic cabinet are used to implement the protection and ESF actuation logic, transmit information to the control board and computer, and provide semiautomatic testing. The number of different card types is minimized to reduce spare part inventories. The basic card is the universal logic containing three circuits that can be connected to produce the various logic combinations, such as two out of four, one out of two, etc. Design is such that the number of components in series from input to output is kept to a minimum. Auctioneered 48 vdc and 15 vdc power supplies fed from separate 120 vac vital instrument buses supply power to the printed circuit cards. A semiautomatic test panel is provided for testing the logic through to the reactor trip breaker undervoltage coil or the ESF actuation master relay coil. Cable entrance openings are provided at the top and bottom of the logic cabinet.

4. Redundant Actuation Trains

Emergency Core Cooling System (ECCS) requirements call for three trains of safety injection (SI) equipment to ensure that, in the event of a single failure, at least two out of three standby diesel generators (DGs), SI pumps, and valves will operate to protect the core. Three actuation trains, A, B, and C, each driven from both logic trains R and S, are provided for this purpose. Each actuation train consists of a master cabinet and two output cabinets preassembled on a common base.

5. Master Cabinet

Three separate compartments, two containing about 20 master relays each, operated by logic trains R and S, and one test compartment for on-line testing of master relay operation, constitute each master cabinet. The master relays are actuated by the solid-state logic and are similar to the miniature input relays. Two separate wireways, each opening into only one master relay compartment and running from top to bottom of the cabinet, maintain separation between master relay input wiring and allow for top or bottom cable entry.

6. Output Cabinets

Slave relays are provided for ESF actuation and reactor protection and control functions in the two output cabinets of each actuation train. Slave relays are driven from master relay contacts and are used for contact multiplication. A slave relay test panel in the master cabinet test compartment actuates the master relays and checks the slave relay coil through the master relay contact by applying 15 vdc rather than 120 vac without actually operating the slaves.

Cable entrance openings are provided at the top and bottom of the output cabinets.

7. Safeguards Test Cabinets

Each of the three redundant actuation trains includes two safeguards test cabinets preassembled on a common base. The cabinets contain the relays, switches, pushbuttons, and indicating lights necessary for checking the ESF actuation devices. The actuation circuit testing system facilitates routine testing of the complete ESF actuation train, including the final device, while the plant is in operation. These tests verify that the ESF systems will be available in the unlikely event of an accident.

7.2.1.1.2 Functional Performance Requirements: The RTS automatically initiates reactor trip:

1. Whenever necessary to prevent fuel damage for an anticipated operational transient (American Nuclear Society [ANS] Condition II).
2. To limit core damage for infrequent faults (ANS Condition III).
3. So that the energy generated in the core is compatible with the design provisions to protect the reactor coolant pressure boundary for limiting fault conditions (ANS Condition IV).

The RTS initiates a turbine trip signal whenever reactor trip is initiated to prevent the reactivity insertion that would otherwise result from excessive reactor system cooldown in order to avoid unnecessary actuation of the Engineered Safety Features Actuation System (ESFAS).

The RTS provides for manual initiation of reactor trip by operator action.

7.2.1.1.3 Reactor Trips: The various reactor trip circuits automatically open the reactor trip breakers whenever a condition monitored by the RTS reaches a preset level. To ensure a reliable system, high-quality design, components, manufacturing, quality control, and testing are used. In addition to redundant channels and trains, the design approach provides an RTS which monitors numerous system variables, therefore providing RTS functional diversity. The extent of this diversity has been evaluated for a wide variety of postulated accidents (Section 7.1.2.1.8).

A list of reactor trips, respective coincidence logics, and interlocks is given in Table 7.2-1. The reactor trips are described as follows:

1. Nuclear Overpower and Rate Trips (logics on Figure 7.2-3)

a. Power-range high neutron flux trip

The power-range high neutron flux trip circuit trips the reactor when two of the four power-range channels exceed the trip setpoint.

There are two bistables, each with its own trip setting, used for a high- and low-range trip setting. The high trip setting provides protection during normal power operation and is always active. The low trip setting, which provides protection during startup, can be manually bypassed when two out of the four power-range channels read above approximately 10 percent power (P-10). Three of the four channels below 10 percent automatically reinstate the trip function. Refer to Table 7.2-2 for a list of all RTS interlocks.

b. Intermediate-range high neutron flux trip

The intermediate-range high neutron flux trip circuit trips the reactor when one out of the two intermediate-range channels exceeds the trip setpoint. This trip, which provides protection during reactor startup, can be manually blocked if two out of four power-range channels are above approximately 10 percent power (P-10).

Three of the four power-range channels below this value automatically reinstate the intermediate-range high neutron flux trip. The intermediate-range channels (including detectors) are separate from the power-range channels. The intermediate-range channels can be individually bypassed at the nuclear instrumentation racks to permit channel testing during plant shutdown or prior to startup. This bypass action is annunciated on the control board.

c. Source-range high neutron flux trip

The source-range high neutron flux trip circuit trips the reactor when one of the two source-range channels exceeds the trip setpoint. This trip, which provides protection during reactor startup and plant shutdown, can be manually bypassed when one of the two intermediate-range channels reads above the P-6 setpoint value and is automatically reinstated when both intermediate-range channels decrease below the P-6 setpoint value. This trip is also automatically bypassed by two-out-of-four logic from the power-range protection interlock (P-10). This trip function can also be reinstated below P-10 by an administrative action requiring manual actuation of two control-board-mounted switches. Each switch reinstates the trip function in one of the two protection logic trains. The source-range trip point is set between the P-6 setpoint (source-range cutoff power level) and the maximum source-range power level. The channels can be individually bypassed at the nuclear instrumentation racks to permit channel testing during plant shutdown or prior to startup. This bypass action is annunciated on the control board.

d. Power-range high positive neutron flux rate trip

This circuit trips the reactor when a sudden abnormal increase in neutron flux occurs in two of four power-range channels. This trip provides protection against rapid positive reactivity insertion accidents, such as Uncontrolled RCCA Bank Withdrawal at Power and Rod Ejection, and is always active.

2. Core Thermal Overpower Trips (Figure 7.2-5)

a. Overtemperature ΔT trip

This trip protects the core against a low departure from nucleate boiling ratio (DNBR) and trips the reactor on coincidence, as listed in Table 7.2-1, with one set of temperature measurements per loop. The measured ΔT is continuously monitored by analog circuitry for each loop to ensure the following relation. The channel is tripped if the relation is not true:

]1 1[)1 ()1 ([1 1)1 ()1 (6 5 4 2 1 3 2 1 s s s K K s s s T])(f)P P (K 1 3

where:

T = Measured T by RCS instrumentation
T = Indicated T at rated thermal power
T = Average temperature, F
T = Nominal T avg at rated thermal power, F
T avg = Average reactor coolant temperature, F
P = Pressurizer pressure, psig
P = Nominal RCS operating pressure, psig
K = Preset bias
3 = Time constant utilized in the lag compensator for T, sec
6 = Time constant utilized in the measured T avg lag compensator, sec
1 , 2 = Time constants utilized in the lead-lag compensator for T, sec
K 2 = Preset gain which compensates for effects of temperature on the DNB limits
K 3 = Preset gain which compensates for the effect of pressure on the DNB limits
4, 5 = Time constants utilized in the lead-lag compensator for T avg , sec
s = Laplace transform operator, sec-1
f 1 () = A function of the indicated difference between top and bottom detector of the power range neutron ion chambers (Figure 7.2-18)

A separate long ion chamber unit with upper and lower ion chambers supplies the flux signal for each overtemperature ΔT trip channel.

Increases in beyond a predefined deadband result in a decrease in trip setpoint, as shown on Figure 7.2-18. A tolerance of +5% on the lead/lag time constants is acceptable. (Ref. 7.2-6)

b. Overpower ΔT trip

This trip protects against excessive power (fuel rod rating protection) and trips the reactor on coincidence, as listed in Table 7.2-1, with one set of temperature measurements per loop. The measured ΔT is continuously monitored by analog circuitry for each loop to assure the following relation remains true. The channel is tripped if the relation is not true:

)1 ()1 ()1 ()({)1 ()1 ()1 ()1 (6 7 7 5 4 3 2 1 s s s K K T s s s})(])1 ()1 ([2 6 6 f s K

where:

T = Measured T by RCS instrumentation
T o = Indicated T at rated thermal power
T = Average temperature, F
f 2 () = Function of the indicated difference between top and bottom detector of the power range neutron ion chambers; 0 for all
K 4 = Preset bias
K 5 = Constant which compensates for instrument time delay
K 6 = Constant which compensates for the change in density flow and heat capacity of the water with temperature
T" = Indicated T avg at rated thermal power, F (calibration temperature for Tinstrumentation)
T avg = Average reactor coolant temperature, F
7 = Time constant utilized in the rate-lag compensator for T avg , sec
s = Laplace transform operator, sec-1
1 , 2 = Time constants utilized in the lead-lag compensator for T, sec
3 = Time constant utilized in the lag compensator for T, sec
6 = Time constant utilized in the measured T avg lag compensator, sec

The source of temperature and flux information is identical to that of the overtemperature ΔT trip, and the resultant ΔT setpoint is compared to the same ΔT. A tolerance of +5% on the lead/lag time constants is acceptable. (Ref. 7.2-6)

3. Reactor Coolant System Pressurizer Pressure and Water Level Trips (Figure 7.2-6)

a. Pressurizer low-pressure trip

The purpose of this trip is to protect against low pressure which could lead to departure from nucleate boiling (DNB). The parameter being sensed is reactor coolant pressure as measured in the pressurizer. Above P-7, the reactor is tripped when the pressurizer pressure measurements (compensated for rate of change) fall below preset limits. This trip is blocked below P-7 to permit startup. The trip logic and interlocks are given in Table 7.2-1.

b. Pressurizer high-pressure trip

The purpose of this trip is to protect the Reactor Coolant System (RCS) against system overpressure. The same sensors and transmitters used for the pressurizer low-pressure trip are used for the high-pressure trip except that separate bistables are used. These bistables trip when uncompensated pressurizer pressure signals exceed preset limits. The coincidence used is listed in Table 7.2-1. There are no interlocks or permissives associated with this trip function.

c. Pressurizer high water level trip

This trip is provided as a backup to the high pressurizer pressure trip and serves to prevent water relief through the pressurizer safety valves. This trip is blocked below P-7 to permit startup. The coincidence logic and interlocks of pressurizer high water level signals are given in Table 7.2-1.

4. Reactor Coolant System Low Flow Trips

These trips protect the core from DNB in the event of a loss-of-coolant flow situation.
Figure 7.2-5 shows the logic for these trips. The low-flow trip sensors, i.e., the reactor coolant low-flow sensors, meet IEEE 279-1971, as documented in Chapter 7, and meet seismic design criteria, as documented in Section 3.10. The RTS design provides for capability for sensor checks in accordance with Section 4.9 of IEEE 279-1971. The means of sensing the loss-of-coolant flow are as follows:

a. Low reactor coolant flow

The parameter sensed is reactor coolant flow. Three redundant differential pressure sensors measure the differential pressure across elbow taps on each reactor coolant loop. An output signal from two of three bistables in any coolant loop indicates a low flow in that loop. The coincidence logic and interlocks are given in Table 7.2-1.

b. Reactor coolant pump (RCP) undervoltage

This trip is required to protect against low flow that can result from loss of voltage to more than one RCP motor; e.g., from loss of offsite power (LOOP) or RCP breakers opening. For each pump, there is an undervoltage sensing relay in the Class 1E cubicles located between the RCP breakers and the motors. These relays provide an output signal when the voltage goes below approximately 70 percent of rated voltage. Signals from these relays are time-delayed to prevent spurious trips caused by short-term voltage perturbations. The coincidence logic and interlocks are given in Table 7.2-1.

c. RCP underfrequency

This trip is required to protect against low flow resulting from bus underfrequency; e.g., a major power grid frequency disturbance. Its function is to trip the reactor for an underfrequency condition. The setpoint of the underfrequency relays is adjustable between 54 and 60 Hz. For each pump, there is an underfrequency sensing relay in the Class 1E cubicles located between the RCP breakers and the motors. Signals from any two relays (time-delayed to prevent spurious trips caused by short-term frequency perturbations) trip the reactor if the power level is above P-7. The coincidence logic and interlocks are given in Table 7.2-1.

5. Steam Generator Low-Low Water Level Trip

The low-low steam generator (SG) water level trip protects the reactor from loss of the heat sink. This trip is actuated on two of four low-low water level signals occurring in any SG.

The logic is shown on Figure 7.2-7. The input signals for this trip are continuously compensated for the effect of temperature changes in the reference leg fluid. Two strap-on resistance temperature detectors (RTDs) are installed on each narrow range reference leg. These RTDs provide reference leg temperature signals to the compensation system algorithm. The reference leg temperature inputs are used to calculate the change in density of the reference leg fluid, which in turn is used to determine the SG narrow range level error. The calculated level error is then combined with the uncompensated level signal, resulting in a compensated level signal that is input to the low-low water level trip logic. The compensated level signal is calculated using the following equation:

$L_{C} = L_{UC} - L_{ERR}$

where:

$L_{C}$ = compensated level signal
$L_{UC}$ = uncompensated level output signal
$L_{ERR}$ = level errors due to reference leg temperature changes

then:

L ERR = H L/H (1c - 1)/(fc - gc)

where:

1 = water density in reference (lbm/ft³)
1c = water density at temperature and pressure for which level indication system was calibrated (lbm/ft³)
fc = saturated water density at the pressure for which level indication system was calibrated (lbm/ft³)
gc = dry saturated steam at the pressure for which level indication system was calibrated (lbm/ft³)
H L = vertical distance from lower tap to water level in condensing pot (ft)
H = vertical distance between upper and lower taps (ft)

6. Reactor Trip on a Turbine Trip (Anticipatory)

The reactor trip on a turbine trip is actuated by two-of-three logic from emergency trip fluid pressure signals or by two-of-four closed signals from the turbine steam stop valves. A turbine trip causes a reactor trip above P-9. The reactor trip on turbine trip provides additional protection and conservatism beyond that required for the health and safety of the public. This trip is included as part of good engineering practice and prudent design. No credit for this trip is taken in any of the safety analyses (Section 15.0.6). The turbine provides anticipatory trips to the RTS from contacts which change position when the turbine stop valves close or when the turbine emergency trip fluid pressure goes below its setpoint. One of the design bases considered in the RTS is the possibility of an earthquake. With respect to these contacts, their functioning is unrelated to a seismic event in that they are anticipatory to other diverse parameters which cause reactor trip. This design functions in a deenergize-to-trip fashion to cause a plant trip if power is interrupted in the trip circuitry.

Seismic design considerations do not form part of the design bases for anticipatory trip sensors. (The RTS cabinets which receive the inputs from the anticipatory trip sensors are seismically qualified as discussed in Section 3.10.) The anticipatory trips thus meet IEEE 279-1971, including redundancy, separation, single failure, etc. Seismic qualification of the contacts sensors is not required. While the turbine trip pressure switches and valve limit switches are not installed in a seismically designed building, they are purchased as Class 1E qualified equipment. These switches are installed using mountings comparable to those which would be required for a true seismic installation. Cables are routed in conduit and separated in accordance with RG 1.75. The logic for this trip is shown on Figure 7.2-17.

7. Safety Injection Actuation Trip

A reactor trip occurs when an SI signal is actuated. The means of actuating SI is described in Section 7.3. This trip protects the core against postulated accidents as described in Chapter 15, including, for example, a loss-of-coolant accident (LOCA) or steam line break accident.

The logic for this trip is shown on Figure 7.2-8.

8. Manual Trip

The manual trip consists of two switches with two outputs on each switch. One output actuates the train R trip breaker and the other actuates the train S trip breaker. Operation of either switch deenergizes the undervoltage coils in both breakers through both logic trains. At the same time the breaker shunt trip coils in both breakers are energized. Figure 7.2-19 shows the switch arrangement and Figure 7.2-3 shows the manual trip logic. There are no interlocks which can block this trip. This design is based on Regulatory Guide (RG) 1.62 and the single failure criteria of IEEE-279 and IEEE-379. It provides that either switch initiates the required action at the system level (both trains). Failure of one switch does not prevent system actuation to open both reactor trip breakers. In order to maintain separation between wiring associated with different trains, redundant safety train wiring is generally not terminated on single devices. In devices where connection of redundant trains is unavoidable, barriers are used to separate wiring. Backup manual actuation switches link the separate trains mechanically to provide greater reliability of operator action for the manual reactor trip (as well as Engineered Safety Features [ESF] actuations). The linked switches are themselves redundant so that operation of either set of linked switches actuates trains R and S simultaneously.

7.2.1.1.4 Reactor Trip System Interlocks:

1. Power Escalation Permissives

The overpower protection provided by the out-of-core nuclear instrumentation consists of three discrete but overlapping ranges. Continuation of startup operation or power increase requires a permissive signal from the higher range instrumentation channels before the lower range trips can be manually blocked by the operator. A one-of-two intermediate-range permissive signal (P-6) is required prior to source-range trip blocking and detector high-voltage cutoff. Source-range trips are automatically reactivated and high voltage restored when both intermediate-range channels are below the permissive (P-6) setpoint. There are two manual reset switches for administratively reactivating the source-range trip and detector high voltage when between the permissive P-6 and P-10 setpoints, if required. Source-range trip block and high-voltage cutoff are always maintained when above the permissive P-10 setpoint. The intermediate-range trip and power-range (low setpoint) trip can be blocked only after satisfactory operation and permissive information are obtained from two of four power-range channels. Four individual blocking switches are provided so that the low power-range trip and intermediate-range trip can be independently blocked (one switch for each train). These trips are automatically reactivated when any three of the four power-range channels are below the permissive (P-10) setpoint, thus ensuring automatic activation to more restrictive trip protection. The development of permissives P-6 and P-10 is shown on Figure 7.2-4. The power escalation permissives are digital and are derived from analog signals in the nuclear power-range and intermediate-range channels. See Table 7.2-2 for the list of RTS interlocks.

2. Blocks of Reactor Trips at Low Power

The absence of interlock P-7 blocks a reactor trip on a low reactor coolant flow in more than one loop, RCP undervoltage, RCP underfrequency, pressurizer low pressure, or pressurizer high water level. The absence of interlock P-7 indicates that the reactor is at low power (below approximately 10 percent of full power). See Figures 7.2-5 and 7.2-6 for permissive applications. Presence of interlock P-7 is derived from either two of four power-range neutron flux signals above the setpoint (P-10) or one of two turbine impulse chamber pressure signals above the setpoint (P-13). The absence of P-7, or therefore a low-power signal, is present when three of four power-range neutron flux signals are below the setpoint in coincidence with two-of-two turbine impulse chamber pressure signals below the setpoint (low plant load). See Figures 7.2-4 and 7.2-17 for the derivation of P-7.

The absence of the P-8 interlock blocks a reactor trip on a low reactor coolant flow in any one loop. The P-8 signal is derived from two of four neutron flux power-range signals above the setpoint; its absence indicates that the plant is below approximately 40 percent of full power. The block action (absence of the P-8 interlock signal) occurs when three of four neutron flux power-range signals are below the setpoint. Thus, below the P-8 setpoint, the reactor is allowed to operate with one inactive loop, and trip does not occur until two loops are indicating low flow. See Figure 7.2-4 for derivation of P-8 and Figure 7.2-5 for applicable logic.

The absence of the P-9 interlock blocks a reactor trip on a turbine trip signal. The P-9 signal is derived from two of four neutron flux power-range signals above the setpoint; its absence indicates that the plant is below approximately 50 percent of full power. The block action (absence of the P-9 interlock signal) occurs when three of four neutron flux power-range signals are below the setpoint. See Figure 7.2-4 for derivation of P-9 and Figure 7.2-17 for the turbine trip reactor trip logic. See Table 7.2-2 for the list of RTS blocks.
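The permissive derivation and trip blocking described in Sections 7.2.1.1.3 and 7.2.1.1.4 can be modelled in a few functions. The following is an added example, not part of the UFSAR and not plant logic: all function and field names are hypothetical, the setpoints are the approximate percentages quoted in the text, a channel exactly at the setpoint is assumed to count as below it, and time delays and manual block switches are not modelled.

```python
"""Illustrative model of RTS permissives P-7, P-8, P-9 and P-10 (added example)."""
from dataclasses import dataclass
from typing import Sequence

# Approximate setpoints quoted in the text, in percent of full power.
P10_SETPOINT = 10.0
P8_SETPOINT = 40.0
P9_SETPOINT = 50.0


def coincidence(states: Sequence[bool], required: int) -> bool:
    """Coincidence (voting) logic: true when at least `required` inputs are true."""
    return sum(1 for s in states if s) >= required


def _require(values: Sequence, count: int, name: str) -> None:
    # Reject a wrong channel count instead of silently voting on it.
    if len(values) != count:
        raise ValueError(f"{name}: expected {count} channels, got {len(values)}")


def permissive_present(power_range: Sequence[float], setpoint: float) -> bool:
    """Permissive is present when two of four power-range channels are above setpoint."""
    _require(power_range, 4, "power range")
    return coincidence([p > setpoint for p in power_range], 2)


def block_condition(power_range: Sequence[float], setpoint: float) -> bool:
    """Block/reinstate condition: three of four channels below the setpoint.

    Assumption of this example: a channel exactly at the setpoint counts as below.
    """
    _require(power_range, 4, "power range")
    return coincidence([p <= setpoint for p in power_range], 3)


@dataclass(frozen=True)
class Permissives:
    p7: bool
    p8: bool
    p9: bool
    p10: bool


def derive_permissives(power_range: Sequence[float],
                       impulse_above_p13: Sequence[bool]) -> Permissives:
    """P-7 is present on P-10 (2/4 flux) OR P-13 (1/2 turbine impulse pressure)."""
    _require(impulse_above_p13, 2, "turbine impulse pressure")
    p10 = permissive_present(power_range, P10_SETPOINT)
    p13 = coincidence(impulse_above_p13, 1)
    return Permissives(
        p7=p10 or p13,
        p8=permissive_present(power_range, P8_SETPOINT),
        p9=permissive_present(power_range, P9_SETPOINT),
        p10=p10,
    )


def loop_low_flow(bistables: Sequence[bool]) -> bool:
    """Two of three tripped bistables in a loop indicate low flow in that loop."""
    _require(bistables, 3, "loop flow bistables")
    return coincidence(bistables, 2)


def low_flow_trip(perm: Permissives, loops: Sequence[Sequence[bool]]) -> bool:
    """Low-flow reactor trip demand with the P-7 and P-8 blocks applied."""
    low_loops = sum(1 for b in loops if loop_low_flow(b))
    if perm.p8:
        return low_loops >= 1   # above P-8: low flow in any one loop trips
    if perm.p7:
        return low_loops >= 2   # between P-7 and P-8: more than one loop needed
    return False                # P-7 absent: trip blocked to permit startup


def turbine_trip_reactor_trip(perm: Permissives,
                              trip_fluid_pressure_low: Sequence[bool],
                              stop_valve_closed: Sequence[bool]) -> bool:
    """Anticipatory reactor trip on turbine trip, blocked when P-9 is absent."""
    _require(trip_fluid_pressure_low, 3, "emergency trip fluid pressure")
    _require(stop_valve_closed, 4, "turbine stop valves")
    turbine_trip = (coincidence(trip_fluid_pressure_low, 2)
                    or coincidence(stop_valve_closed, 2))
    return perm.p9 and turbine_trip
```

With four channels, "two of four above" and "three of four below" are exact complements, so a permissive and its block condition can never both be true or both be false.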

7.2.1.1.5 Coolant Temperature Sensor Arrangement and Calculational Methodology

The individual loop hot and cold loop temperature signals required for input to the reactor trip circuits and interlocks are obtained using RTDs installed in each reactor coolant loop. The hot leg temperature measurement on each loop is accomplished with three fast response narrow range RTDs mounted in thermowells. The thermowells are located within the three scoops previously used for the RTD bypass manifold with a portion of the scoop removed to entirely expose the end of the thermowell to the mainstream flow. For the final insertion depth, the tip of the RTD is located at the same dimensional position as previously occupied by the third center flow hole of the scoop. These three narrow range RTD signals per loop are input to the Qualified Display Processing System (QDPS) where a sensor quality check is first performed. First, an out-of-range check is performed on each input with any signal out of range set at the upper or lower limit respectively. The following algorithm is then computed:

=- i j h T i j h T i B P B i j s

where:

= j i j h T th narrow range T hot estimate in loop i
= j i j h T th narrow range T hot signal in loop i
= power fraction in loop i i B P
= stored bias value for j B i j s th narrow range T hot signal in loop i

The three hot leg estimates in each loop are then processed to determine a group average value )i ave h T ( and the corresponding data quality (GOOD, POOR or BAD). The power fraction is calculated as

i B P)100 (/)(o h T i h T o h T i ave h T i B P

where:

= no-load temperature o h T
= full power average hot leg temperature at nominal full power 100 i h T

A current bias value is then calculated as

i B P/)3/)i 3 h T i 2 h T i 1 h T (i j h T (B c i j

where:

= current bias value B c i j

The current bias values are then filtered and ) B c i j () i B cf j (the stored bias values are updated provided all the following conditions are met:

)B s i j (data quality is GOOD i ave h TL B P i B P) i R B T i j (i B cf j) i R B T i j (

where:

) S 8 1 1 (B c i j i B cf j
= filter time constant 8
= minimum power threshold L B P
= target bias value for j B T i j th narrow range T hot signal in loop i
= tolerances for the filtered bias values. i R

The stored bias values are then used to calculate the narrow range T hot estimates in each loop. An alarm and annunciator is actuated in the control room whenever two or three RTD temperature inputs in any loop have a data quality of BAD. The operator must place the channel in a tripped mode in accordance with the Technical Specifications. One fast response narrow range RTD is located in each cold leg at the discharge of the reactor coolant pump (as replacements for the cold leg RTDs previously located in the bypass manifold).

Temperature streaming in the cold leg is not a concern due to the mixing action of the reactor coolant pump. These RTDs measure the cold leg temperature for use in calculation of the loop i ave T and i T variables.

One of the presently installed well-mounted fast response RTDs formerly used in the excessive cooldown protection logic is used as a spare for the cold leg; no new penetrations are necessary. All fast response narrow range T RTD signal outputs are input directly to the 7300 Process Protection System. The loop T i ave and T i variables are calculated in the 7300 hardware. The average temperature in loop i is calculated by

2/)i c T i ave h T (i avg T

and the temperature difference in loop i is calculated by

i c T i avg h T iT

7.2.1.1.6 Pressurizer Water Level Reference Leg Arrangement

The design of the pressurizer water level instrumentation employs the usual tank level arrangement using differential pressure between an upper and a lower tap on a column of water. A reference leg connected to the upper tap is kept full of water by condensation of steam at the top of the leg.

7.2.1.1.7 Analog System: The Analog System consists of two instrumentation systems: The Process Instrumentation System and the Nuclear Instrumentation System (NIS). Process instrumentation includes those devices (and their interconnection into systems) that measure temperature, pressure, fluid flow, fluid level as in tanks or vessels, and, occasionally, physio-chemical parameters such as fluid conductivity or chemical concentration. Process instrumentation specifically excludes nuclear and radiation measurements. The process instrumentation includes the process measuring devices, power supplies, indicators, recorders, alarm-actuating devices, controllers, signal conditioning devices, etc., that are necessary for day-to-day operation of the Nuclear Steam Supply System (NSSS) as well as for monitoring the plant and providing initiation of protective functions upon approach to unsafe plant conditions.

The primary function of nuclear instrumentation is to protect the reactor by monitoring the neutron flux and generating appropriate trips and alarms for various phases of reactor operating and shutdown conditions. It also provides a secondary control function and indicates reactor status during startup and power operation. The NIS uses information from three separate types of instrumentation channels to provide three discrete protection levels. Each range of instrumentation (source, intermediate, and power) provides the necessary overpower reactor trip protection required during operation in that range. The overlap of instrument ranges provides reliable continuous protection beginning with source range through the intermediate and low-power range. As the reactor power increases, the overpower RTS setpoint is increased by administrative procedures after satisfactory higher range instrumentation operation is obtained. Automatic reset to more restrictive trip protection is provided when reducing power. Various types of neutron detectors, with appropriate solid-state electronic circuitry, are used to monitor the leakage neutron flux from a completely shutdown condition to 120 percent of full power.

The power-range channels are capable of recording overpower excursions up to 200 percent of full power. The neutron flux covers a wide range between these extremes. Therefore, monitoring with several ranges of instrumentation is necessary. The lowest range (source) covers six decades of leakage neutron flux. The lowest observed count rate depends on the strength of the neutron sources in the core and the core multiplication associated with the shutdown reactivity. This is generally greater than two counts per second. The next range (intermediate) covers eight decades. Detectors and instrumentation are chosen to provide two decades of overlap between the higher portion of the source range and the lower portion of the intermediate range. The highest range (power) covers approximately two decades of the total instrumentation range. This is a linear range that overlaps with the higher portion of the intermediate range.

The system described above provides control room indication and recording of signals proportional to reactor neutron flux during core loading, shutdown, startup, and power operation, as well as during subsequent refueling. Startup rate indication for the source range and intermediate range channels is provided at the control board. Reactor trip, rod stop, control, and alarm signals are transmitted to the reactor control and protection systems for automatic plant control. Equipment failures and test status information are annunciated in the control room. References 7.2-1 and 7.2-2 contain additional background information on the process and nuclear instrumentation.

7.2.1.1.8 Solid-State Protection System: The Solid-State Protection System (SSPS) takes binary inputs (voltage/no voltage) from the process and nuclear instrument channels corresponding to conditions (normal/abnormal) of plant parameters. The system combines these signals in the required logic combination and generates a trip signal (no voltage) to the undervoltage trip attachment and shunt trip auxiliary relay coils of the reactor trip circuit breakers when the necessary combination of signals occurs. The system also provides annunciator, status light, and computer input signals which indicate the condition of bistable input signals, partial trip and full trip functions, and the status of the various blocking, permissive, and actuation functions. In addition, the system includes means for semiautomatic testing of the logic circuits.

7.2.1.1.9 Isolation Amplifiers: In certain applications, Westinghouse Electric Corporation considers it advantageous to employ control signals derived from individual protection channels through isolation amplifiers contained in the protection channel, as permitted by IEEE 279-1971. In all of these cases, analog signals derived from protection channels for nonprotective functions are obtained through isolation amplifiers located in the analog protection racks. By definition, nonprotective functions include those signals used for control, remote process indication, and computer monitoring. Consistent with the design of the instrumentation and control (I&C) protection systems, interfacing between the QDPS and any nonprotection or nonsafety-related circuitry is implemented through an isolation device. The design prevents degradation of the safety-related portions of the QDPS which could result from feedback of credible faults occurring in the nonsafety circuits being fed by the QDPS.

7.2.1.1.10 Energy Supply and Environmental Variations: The energy supply for the RTS, including the voltage and frequency variations, is described in Section 7.6.1 and Chapter 8. The environmental variations under which the system performs are given in Section 3.11.

7.2.1.1.11 Setpoints: Setpoints that require trip action are given in the Technical Specifications. A detailed discussion of setpoints is given in Sections 7.1.2.1.9 and 7.2.2.2.1.

7.2.1.1.12 Seismic Design: The RTS seismic design criteria are given in Section 3.10. The design meets the requirements of General Design Criterion (GDC) 2.

7.2.1.2 Design Bases Information: The following design bases comply with Section 3 of IEEE 279-1971.

7.2.1.2.1 Generating Station Conditions: Generating station conditions requiring a reactor trip are the following:

DNBR approaching the design basis limit (Chapters 4 and 15).
Power density (kW/ft) approaching rated value for ANS Condition II faults (Chapter 4 for fuel design limits).
RCS overpressure creating stresses approaching the limits specified in Chapter 5.

7.2.1.2.2 Generating Station Variables: The following variables are required to be monitored to provide reactor trips (Table 7.2-1):

Neutron flux
Reactor coolant temperature
RCS pressure (pressurizer pressure)
Pressurizer water level
Reactor coolant flow
RCP operational status (voltage and frequency)
SG water level (density compensated)
Turbine generator (TG) operational status (trip fluid pressure and stop valve position)

7.2.1.2.3 Spatially Dependent Variables: The reactor coolant temperature measurement is the only spatially dependent variable.

7.2.1.2.4 Limits, Margins, and Setpoints: The parametric values that will require reactor trip are given in Chapter 15. Chapter 15 analyses prove that the setpoints used in the Technical Specifications are conservative. The setpoints for the various functions in the RTS were analytically determined so that the operational limits so prescribed will prevent fuel rod clad damage and loss of integrity of the RCS as a result of any ANS Condition II incident (anticipated malfunction). As such, during any ANS Condition II incident, the RTS limits the following parameters to:

Minimum DNBR = Design limit DNBR (as discussed in Section 4.4.1).
Maximum system pressure = 2,750 psia
Fuel rod maximum linear power for determination of protection setpoints = 18.0 kW/ft.

The accident analyses, described in Chapter 15, demonstrate that the functional requirements as specified for the RTS are adequate to meet the above considerations, even assuming, for conservatism, adverse combinations of instrument errors. A discussion of the safety limits associated with the reactor core and RCS, plus the allowable values (limiting value), are presented in the Technical Specifications.

7.2.1.2.5 Abnormal Events: The malfunctions, accidents, or other unusual events which could physically damage RTS components or could cause environmental changes are:

Earthquakes (Chapters 2 and 3)
Fire (Section 9.5.1) CN-2867
Missiles (Section 3.5)
Flood (Chapters 2 and 3)
Wind and tornadoes (Section 3.3)

The RTS fulfills the requirements of IEEE 279-1971 to provide automatic protection and to provide initiating signals to mitigate the consequences of faulted conditions.

7.2.1.6 Minimum Performance Requirements:

Reactor Trip System Response Times
Reactor Trip System response time is defined in Section 7.1. Typical maximum allowable time delays in generating the reactor trip signal are tabulated in Table 7.2-3. (Section 7.1.2.11 contains a discussion of periodic response time verification capabilities.)

Reactor Trip Accuracies
Accuracy is defined in Section 7.1. Typical reactor trip accuracies are tabulated in Table 7.2-3. An additional discussion on accuracy is found in Section 7.1.2.1.9.

Protection System Ranges
Typical RTS ranges are provided in Table 7.2-3. Range selection for the instrumentation covers the expected range of the process variable being monitored during power operation. Limiting setpoints are at least 5 percent from the end of the instrument span.

7.2.1.3 Final System Drawings: Functional block diagrams, electrical elementaries, and other drawings required to perform a safety review are provided in the safety-related drawing package listed in Section 1.7.

7.2.2 Analyses

7.2.2.1 Failure Modes and Effects Analyses

An analysis of the RTS has been performed. Results of this study and a fault-tree analysis are presented in Reference 7.2-4.

7.2.2.2 Evaluation of Design Limits: While most setpoints used in the RTS are fixed, there are variable setpoints, most notably the overtemperature ΔT and overpower ΔT setpoints which are shown in Figure 15.0-1C. All setpoints in the RTS were selected on the basis of engineering design or safety studies. The capability of the RTS to prevent loss of integrity of the fuel cladding and/or reactor coolant pressure boundary (RCPB) during ANS Condition II and III transients is demonstrated in Chapter 15. Setpoints for the overtemperature and overpressure trips are located in the COLR. The other RTS setpoints are presented in the Technical Specifications. Presented below is a discussion of the intent for each of the various reactor trips and the accident analyses (where appropriate) which utilize this trip. It should be noted that the selected trip setpoints provide for margin before protection action is actually required to allow for uncertainties and instrument errors. The design meets the requirements of GDC 10 and 20.

7.2.2.2.1 Trip Setpoint Discussion: Below the DNBR design basis limit there is likely to be significant local fuel cladding failure. The overtemperature and overpressure trips ensure that the core remains within DNBR and local fuel temperature design limits. These trips are a function of the core inlet temperature, power output, operating pressure, flow, and various setpoint parameters as described in Section 7.2.1.1.3.

Core safety limits in terms of the design basis DNBR for the hot channel can be developed as a function of core ΔT, T avg, and pressure for a specified flow as shown in Figure 15.0-1C.

This figure also illustrates the following relationships: (1) the loci of conditions equivalent to 118 percent of power as a function of ΔT and T avg representing the overpower (kW/ft) limit on the fuel, (2) the maximum permissible setpoint (ΔT) as a function of T avg and pressure for the trips, and (3) the locus of points where the steam generator safety valves open. Actual setpoint parameters for the overtemperature and overpressure trips are located in the COLR and are developed for each cycle-specific core using the methodology discussed in Reference 15.0-14. Setpoint parametric values are conservative to allow for instrument errors. The design meets the requirements of GDC 10, 15, 20, and 29.

The DNBR is not a directly measurable quantity; however, the process variables that determine DNBR are sensed and evaluated. Small isolated changes in various process variables may not individually result in violation of a core safety limit; however, the combined variations, over sufficient time, may cause the overpower or overtemperature safety limit to be exceeded. The design concept of the RTS takes cognizance of this situation by providing reactor trips associated with individual process variables in addition to the overpower/overtemperature safety limit trips. Process variable trips prevent reactor operation whenever a change in the monitored value is such that a core or system safety limit is in danger of being exceeded, should operation continue. Basically, the high-pressure, low-pressure, and overpower/overtemperature ΔT trips provide sufficient protection for slow transients, as opposed to such trips as low flow or high flux, which will trip the reactor for rapid changes in flow or flux, respectively, that would result in fuel damage before actuation of the slower responding ΔT trips could be effected. The RTS is therefore designed to provide protection for fuel cladding and RCPB integrity where (1) a rapid change in a single variable or factor will quickly result in exceeding a core or a system safety limit, and (2) a slow change in one or more variables will have an integrated effect which will cause safety limits to be exceeded. Overall, the RTS offers diverse and comprehensive protection against fuel cladding failure and/or loss of RCS integrity for ANS Condition II and III accidents. This is demonstrated by Table 7.2-4, which lists the various trips of the RTS, the corresponding Technical Specification (which gives the allowable values and nominal trip setpoint settings), and the appropriate accident discussed in the safety analyses in which the trip could be utilized. The design meets the requirements of GDC 21.

Preoperational testing was performed on RTS components and systems to determine equipment readiness for startup. This testing served as a further evaluation of the system design. Analyses of the results of ANS Condition I, II, III, and IV events, including considerations of instrumentation installed to mitigate their consequences, are presented in Chapter 15. The instrumentation installed to mitigate the consequences of load rejection and turbine trip is listed in Section 7.7.

7.2.2.2.2 Reactor Coolant Flow Measurement: The elbow taps used on each loop in the Reactor Coolant System are instrument devices that indicate the status of the reactor coolant flow. The basic function of this device is to provide information as to whether a reduction in flow has occurred. The correlation between flow and elbow tap signal is given by the following equation:

$$\frac{\Delta P}{\Delta P_o} = \left(\frac{w}{w_o}\right)^{2}$$

where:

$\Delta P_o$ = Pressure differential at the reference flow, $w_o$
$\Delta P$ = Pressure differential at the corresponding flow, $w$

The full-flow reference point is established during initial plant startup. The low-flow trip point is then established by extrapolating along the correlation curve. The expected absolute accuracy of the channel is within 10 percent of full flow, and field results have shown the repeatability of the trip point to be within 1 percent.

7.2.2.2.3 Evaluation of Compliance to Applicable Codes and Standards: The RTS meets the criteria of the GDC as indicated and the requirements of Section 4 of IEEE 279-1971, as indicated below.

7.2.2.2.3.1 General Functional Requirement: The RTS automatically initiates appropriate protective action whenever a condition monitored by the system reaches a preset value. Functional performance requirements are given in Section 7.2.1.1.2.

7.2.2.2.3.2 Single Failure Criterion

The RTS is designed to provide two, three, or four instrumentation channels for each protective function and two logic train circuits. These redundant channels and trains are electrically isolated and physically separated. Thus, any single failure within a channel or train will not prevent protective action at the system level when required. Loss of input power (the most likely mode of failure) to a channel or logic train will result in a signal calling for a trip. This design meets the requirements of GDC 23. To prevent the occurrence of common mode failures, such additional measures as functional diversity, physical separation, and testing, as well as administrative control during design, production, installation, and operation, are employed as discussed in Reference 7.2-4. The design meets the requirements of GDC 21 and 22.

7.2.2.2.3.3 Quality of Components and Modules

For a discussion of the quality assurance requirements which apply to components and modules used in the RTS, refer to Reference 7.2-5.

7.2.2.2.3.4 Equipment Qualification: For a discussion of the type tests made to verify the performance requirements, refer to Sections 3.10 and 3.11. The test results demonstrate that the design meets the requirements of GDC 4.

7.2.2.2.3.5 Channel Integrity

RTS channels required to operate in accident conditions maintain necessary functional capability under extremes of conditions relating to environment, energy supply, malfunctions, and accidents. The energy supply for the RTS is described in Section 7.6.1 and Chapter 8. The environmental variations throughout which the system is designed to perform are given in Section 3.11.

7.2.2.2.3.6 Independence: Channel independence is carried throughout the system, extending from the sensor through to the devices actuating the protective function. Physical separation is used to achieve separation of redundant transmitters. Separation of wiring is achieved using separate wireways, cable trays, conduit runs, and Containment penetrations for each redundant channel. Redundant analog equipment is separated by locating modules in different protection cabinets. Each redundant protection channel set is energized from a separate ac power feed. This design meets the requirements of GDC 21 and RG 1.75. Two reactor trip breakers are actuated by two separate logic matrices (Figure 7.1-2) which interrupt power to the control rod drive mechanisms (CRDMs). The breaker main contacts are connected in series with the power supply so that opening either breaker interrupts power to the CRDMs, permitting the rods to free fall into the core. The design philosophy is to make maximum use of a wide variety of measurements. The RTS continuously monitors numerous diverse system variables. Generally, two or more diverse protection functions would terminate an accident before intolerable consequences could occur. This design meets the requirements of GDC 22.

7.2.2.2.3.7 Control and Protection System Interaction: The RTS is designed to be independent of the control system. In certain applications, the control signals and other nonprotective functions are derived from individual protection channels through isolation amplifiers. The isolation amplifiers are classified as part of the RTS and are located in the analog protection racks. Nonprotection functions include those signals used for control, remote process indication, and computer monitoring. The isolation amplifiers are designed so that a short circuit, an open circuit, or the application of credible fault voltages from within the cabinets on the isolated output portion of the circuit, i.e., the nonprotective side of the circuit, will not affect the input (protective) side of the circuit. The signals obtained through the isolation amplifiers are never returned to the protection racks. This design meets the requirements of GDC 24 and Paragraph 4.7 of IEEE 279-1971. The results of applying various malfunction conditions on the output portion of the isolation amplifiers show that no significant disturbance to the isolation amplifier input signal occurred.

7.2.2.2.3.8 Derivation of System Inputs: To the extent feasible and practicable, RTS inputs are derived from signals which are direct measures of the desired variables. Variables monitored for the various reactor trips are listed in Section 7.2.1.2.2.

7.2.2.2.3.9 Capability for Sensor Checks: The operational availability of each system input sensor during reactor operation is accomplished by cross-checking between channels that bear a known relationship to each other and that have readouts available. Channel checks are discussed in the Technical Specifications.

7.2.2.2.3.10 Capability for Testing

The RTS is capable of being tested during power operation. Where only parts of the system are tested at any one time, the testing sequence provides the necessary overlap between the parts to assure complete system operation. The testing capabilities are in conformance with RG 1.22, as discussed in Section 7.1.2.5. The RTS is designed to permit periodic testing of its analog channel portion during reactor power operation without initiating a protective action unless a trip condition actually exists. This is because of the ability to test the analog system in bypass, and because coincidence logic is required for reactor trip. These tests may be performed at any plant power from cold shutdown to full power. Before starting any of these tests with the plant at power, all redundant reactor trip channels associated with the function to be tested must be in the normal (untripped) mode to avoid spurious trips.

1. Analog Channel Tests

Analog channel testing is performed at the analog instrumentation cabinet set by individually introducing dummy input signals into the instrumentation channel and observing the tripping of the appropriate output bistables. Process analog output to the logic circuitry is interrupted during individual channel test by a test switch which, when thrown, deenergizes the associated logic input and inserts a proving lamp in the bistable output. Interruption of the bistable output to the logic circuitry for any reason (testing, maintenance purposes, or removal from service) will cause that portion of the logic to be actuated (partial trip), accompanied by a partial trip alarm and channel status light actuation in the control room. The analog system also has test in bypass capability, which through an additional test switch maintains the associated logic input and prevents the actuation of the logic (partial trip). The bypass capability is designed so that credible failures (e.g. relays) will not result in a function being automatically placed in a bypassed condition. Both a local status light and a main control room annunciator are provided to indicate a bypassed condition.

Each channel contains those switches, test points, etc., necessary to test the channel (Refs. 7.2-1 and 7.2-2). The following periodic tests of the analog channels of the protection circuits are performed:

a. T avg and ΔT protection channel testing
b. Pressurizer pressure protection channel testing
c. Pressurizer water level protection channel testing
d. SG water level protection channel testing
e. Reactor coolant low flow, underfrequency, and undervoltage protection channels testing
f. Impulse chamber pressure channel testing
g. Steam pressure protection channel testing

The interface between the protection cabinets of the 7300 Process Control System (PCS) and the Auxiliary Process Cabinets (APC) of the QDPS incorporates a special design for interlocked testing of the overall system. Normal overlap testing procedures for the protection system are basically unimpacted by the additional QDPS testing circuitry. Entrance to an APC and operation of a switch satisfies system circuit requirements which permit injection of a test signal from the 7300 PCS into the APC. At the 7300 PCS, the bistable(s) associated with the channel under test are first tripped off line. This action sends the corresponding APC channel into the test mode. Then when the test signal is injected at the 7300 PCS, it is transmitted to the APC then returned to the 7300 PCS, where bistable proving lights confirm channel integrity and operability. If desired, plasma display information may be confirmed at this time.

The design of the testing circuits incorporates APC and 7300 PCS door limit switch interlocks with the test switches to prevent operators from inadvertently leaving the system in a test mode.

2. Nuclear Instrumentation Channel Tests

The power range channels of the NIS are tested by superimposing a test signal on the actual detector signal being received by the channel at the time of testing. The output of the bistable is not placed in a tripped condition prior to testing. Also, since the power range channel logic is two out of four, bypass of this reactor trip function is not required, but has been provided to minimize the potential for spurious reactor trips during surveillance and maintenance. These channels are provided with a bypass function to prevent initiation of an undesired action from the system function during the period that one channel is in test. When the bypass test capability is used, the logic circuitry will not be actuated and bistable operation will be indicated locally. To test a power range channel, a TEST-OPERATE switch is provided to require deliberate operator action. Operation of the switch will initiate the NIS CHANNEL TEST annunciator in the control room. If the bypass test capability is not used, bistable operation is tested by increasing the test signal to its trip setpoint and verifying bistable relay operation by control board annunciator and trip status lights. It should be noted that a valid trip signal would cause the channel under test to trip at a lower actual reactor power level. A reactor trip would occur when a second bistable trips. No provision has been made in the channel test circuit for reducing the channel signal level below that signal being received from the NIS detector. An NIS channel which can cause a reactor trip through one-of-two protection logic (source or intermediate range) is provided with a bypass function which prevents the initiation of a reactor trip from that particular channel during the short period that it is undergoing test. To permit testing in the bypass condition, a test panel is provided on each of the four NIS protection sets. Use of administrative controls will ensure that not more than one channel will be bypassed at a time. The bypass capability is designed so that credible failures (e.g. relays) will not result in a function being automatically placed in a bypassed condition. An annunciator in the main control room and bypass status lights on the bypass test panels are provided to indicate the bypassed condition. The following periodic tests of the NIS are performed:

a. Testing at plant shutdown
1) Source-range testing
2) Intermediate-range testing
3) Power-range testing
b. Testing between P-6 and P-10 permissive power levels
1) Source-range testing
2) Power-range testing
c. Testing above P-10 permissive power level
1) Power-range testing

Any deviations noted during the performance of these tests are investigated and corrected in accordance with the established calibration and troubleshooting procedures. For additional background information on the NIS, see Reference 7.2-2.

3. Solid-State Logic Testing

The logic trains of the RTS are designed to be capable of complete testing at power. After the individual channel analog testing is complete, the logic matrices are tested from the train R and train S logic rack test panels. This step provides overlap between the analog and logic portions of the test program. During this test, all of the logic inputs are actuated automatically in all combinations of trip and nontrip logic. Trip logic is not maintained sufficiently long to permit opening of the reactor trip breakers. The reactor trip undervoltage trip attachment and shunt trip auxiliary relay coils are pulsed in order to check continuity. During logic testing of one train, the other train can initiate any required protective functions. Annunciation is provided in the control room to indicate when a train is in test (train output bypassed) and when a reactor trip breaker is bypassed. (Train in test is alarmed to the operator through the ESFAS. See Section 7.5.4.) Logic testing can be performed in less than two hours.

A direct reactor trip resulting from undervoltage or underfrequency on the RCP buses is provided, as discussed in Section 7.2.1 and shown on Figures 7.2-2 and 7.2-5. The logic for these trips is capable of being tested during power operation. When parts of the trip are being tested, the sequence is such that an overlap is provided between parts so that a complete logic test is provided. This design complies with the testing requirements of IEEE 279-1971 and 338-1977, as discussed in Section 7.1.2.11.

The permissive and block interlocks associated with the RTS and the ESFAS are given on Tables 7.2-2 and 7.3-4 and designated protection or "P" interlocks. As part of the RTS, these interlocks are designed to meet the testing requirements of IEEE 279-1971 and 338-1977. This capability for testing of all RTS interlocks is provided by the logic testing and semiautomatic testing features of the SSPS. In the SSPS, the undervoltage trip attachment and shunt trip auxiliary relay coils (reactor trip) and master relays (ESF actuation) are pulsed for all combinations of trip or actuation logic with and without the interlock signals. For example, reactor trip on low flow (two out of four loops showing two-out-of-three low flow) is tested to verify operability of the trip above P-7 and nontrip below P-7 (Figure 7.2-5).

Interlock testing may be performed at power.
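The low-flow coincidence logic, the channel test modes and the all-combinations logic check described in this section can be modeled compactly. The Python sketch below is an added example, not part of the UFSAR or of the SSPS design; the channel-state model, the function names and the injected P-7 defect are assumptions constructed for illustration.

```python
from enum import Enum
from itertools import combinations, product


class Channel(Enum):
    NORMAL = 0    # bistable energized: no trip demand
    TRIPPED = 1   # de-energized: real demand, test in trip mode, or loss of power
    BYPASSED = 2  # test in bypass: logic input held, channel taken out of the vote


def coincidence(channels, required):
    """True when at least `required` channels present a trip signal."""
    return sum(c is Channel.TRIPPED for c in channels) >= required


def effective_logic(channels, required):
    """(m, n): further trips still needed, out of n channels voting normally."""
    tripped = sum(c is Channel.TRIPPED for c in channels)
    voting = sum(c is Channel.NORMAL for c in channels)
    return max(required - tripped, 0), voting


def low_flow_trip(loops, p7):
    """Low-flow trip: 2-out-of-4 loops, each loop 2-out-of-3, enabled above P-7."""
    loops_low = sum(coincidence(loop, 2) for loop in loops)
    return p7 and loops_low >= 2


def reference_trip(bits, p7):
    """Independent statement of the same requirement, used as the test oracle.

    bits is a flat sequence of 12 booleans (4 loops x 3 channels, True = tripped).
    """
    loops = [bits[i:i + 3] for i in range(0, 12, 3)]
    low = [any(a and b for a, b in combinations(loop, 2)) for loop in loops]
    return p7 and any(x and y for x, y in combinations(low, 2))


def to_channels(bits):
    """Convert 12 trip/nontrip bits into four loops of three Channel states."""
    states = [Channel.TRIPPED if b else Channel.NORMAL for b in bits]
    return [states[i:i + 3] for i in range(0, 12, 3)]


def logic_matrix_check(logic):
    """Apply every trip/nontrip input combination, with and without P-7.

    Returns (combinations_checked, mismatches) against reference_trip.
    """
    checked, mismatches = 0, []
    for p7 in (False, True):
        for bits in product((False, True), repeat=12):
            checked += 1
            if logic(to_channels(bits), p7) != reference_trip(bits, p7):
                mismatches.append((bits, p7))
    return checked, mismatches


def faulty_logic(loops, p7):
    """Constructed defect: the P-7 block is ignored (interlock stuck enabled)."""
    return low_flow_trip(loops, True)


def single_failure_tolerated():
    """With low flow in every loop, one channel stuck NORMAL must not block the trip."""
    for failed in range(12):
        bits = [True] * 12
        bits[failed] = False
        if not low_flow_trip(to_channels(bits), True):
            return False
    return True


if __name__ == "__main__":
    rest = [Channel.NORMAL] * 3
    print("one channel in trip mode:", effective_logic([Channel.TRIPPED] + rest, 2))
    print("one channel in bypass:   ", effective_logic([Channel.BYPASSED] + rest, 2))
    checked, bad = logic_matrix_check(low_flow_trip)
    print("combinations checked:", checked, "mismatches:", len(bad))
    print("mismatches with P-7 defect:", len(logic_matrix_check(faulty_logic)[1]))
    print("single failure tolerated:", single_failure_tolerated())
```

Only the sweep without the interlock signal exposes the constructed defect, which is why the logic is pulsed both with and without the interlock signals.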

Testing of the logic trains of the RTS includes a check of the input relays and a logic matrix check. The following sequence is used to test the system:

a. Check of Input Relays

During testing of the process instrumentation and NIS channels with each channel bistable placed in a trip mode, one input relay in train R and one in train S will deenergize. A contact of each relay is connected to a universal logic printed circuit card. This card performs both the reactor trip and monitoring functions. Each reactor trip input relay contact causes a status lamp and an annunciator on the control board to operate. Either the train R or train S input relay operation will light the status lamp and annunciator.

Each train contains a multiplexing test switch. At the start of a process instrumentation or NIS test, this switch (in either train) is in the R + S position. The R + S position alternately allows information to be transmitted from the two trains to the control board. A steady status lamp and annunciator indicates that input relays in both trains have been deenergized. A flashing lamp means that one of the input relays in the two trains did not deenergize.

Contact inputs to the SSPS, such as RCP bus underfrequency relays, operate input relays which are tested by operating the remote contacts as described above and using the same type of indications as those provided for bistable input relays.

Actuation of the input relays provides the overlap between the testing of the SSPS and the testing of those systems supplying inputs to the system. Test indications are status lamps and annunciators on the control board. Inputs to the system are checked, one channel at a time, leaving the other channels in service. For example, when testing with the channel bistable in a trip mode, a function that trips the reactor when two out of four channels trip becomes a one-out-of-three trip when one channel is placed in the trip mode. When testing in the bypass mode, a function that trips the reactor when two out of four channels trip becomes a two-out-of-three trip when one channel is bypassed. The input relay operation is then verified at the 18 months frequency. Both trains of the SSPS remain in service during this portion of the test.

b. Check of Logic Matrices

Logic matrices are checked one train at a time. Input relays are not operated during this portion of the test. Reactor trips from the train being tested are inhibited with the use of the input error inhibit switch on the semiautomatic test panel in the train. At the completion of the logic matrix tests, one bistable in each channel of process instrumentation or nuclear instrumentation, which is tripped due to plant conditions, is checked to ensure closure of the input error inhibit switch contacts.

The logic test scheme uses pulse techniques to check the coincidence logic. All possible trip and nontrip combinations are checked. Pulses from the tester are applied to the inputs of the universal logic card at the same terminals that connect to the input relay contacts. Thus, there is an overlap between the input relay check and the logic matrix check. Pulses are fed back from the reactor trip breaker undervoltage trip attachment and shunt trip auxiliary relay coils to the tester. The pulses are of such short duration that the reactor trip breaker undervoltage coil armature cannot respond mechanically.

Test indications provided are: (1) an annunciator in the control room indicating that reactor trips from the train have been blocked and that the train is being tested, and (2) green and red lamps on the semiautomatic tester to indicate a good or bad logic matrix test. Protection capability provided during this portion of the test is from the train not being tested.

The test capability meets the requirements of GDC 21.

4. Testing of Reactor Trip Breakers

Normally, the reactor trip breakers are in service, and the bypass breakers are withdrawn (out of service). The following describes the method used for testing the trip breakers:

a. While the Train R bypass breaker is racked out, it is manually closed and tripped to verify its operation.

b. The bypass breaker is then closed to allow testing of the main trip breaker. The main trip breaker is then tripped using a trip signal that passes through the undervoltage driver circuit in SSPS which also verifies proper functioning of the undervoltage trip signal. This is done while operating the AUTO SHUNT TRIP BLOCK pushbutton on the automatic shunt trip panel. This verifies operation of the undervoltage trip attachment independent of the shunt trip device. After reclosing the main trip breaker, it is tripped again by operation of the AUTO SHUNT TRIP TEST pushbutton on the automatic shunt trip panel. This is to verify tripping of the breaker through the shunt trip device independent of the undervoltage attachment.

c. The main trip breaker is then reclosed.

d. The bypass breaker is tripped and racked out.

e. This is repeated for the opposite train in accordance with the test schedule.

Auxiliary contacts of the bypass breakers are connected into the alarm system of their respective trains so that if either train is placed in test while the bypass breaker of the other train is closed, both reactor trip breakers and both bypass breakers will automatically trip. Auxiliary contacts of the bypass breakers are also connected in such a way that if an attempt is made to close the bypass breaker in one train while the bypass breaker of the other train is already closed, both bypass breakers will automatically trip. The two bypass breakers (one on Train R and one on Train S) operate one annunciator each in the control room. Bypassing of a protection train with either the bypass breaker or with the test switches will result in audible and visual indications.
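The effect of placing a channel in trip or bypass mode, and the exhaustive logic matrix check described above, can be modelled directly. The following Python sketch is an added illustration, not plant or vendor code: the mode names, function names and the injected wiring defect are assumptions made for the example, and the low-flow logic follows Tables 7.2-1 and 7.2-2 (2/3 channels per loop, single-loop trip enabled by P-8, two-loop trip enabled by P-7).

```python
"""Added illustration: RTS coincidence logic under channel test (not plant code)."""
from itertools import product

# Channel modes (names are assumptions made for this example).
NORMAL, TRIPPED, BYPASSED = "normal", "tripped", "bypassed"


def effective_logic(required, modes):
    """Return (votes still needed, channels still voting) for an m-out-of-n trip."""
    forced = sum(mode == TRIPPED for mode in modes)
    voting = sum(mode == NORMAL for mode in modes)
    return max(required - forced, 0), voting


def coincidence(required, signals, modes):
    """True when enough channels vote for a trip.

    A channel in trip mode always votes, a bypassed channel never votes,
    and a channel in normal service votes according to its bistable.
    """
    votes = sum(
        mode == TRIPPED or (mode == NORMAL and bool(sig))
        for sig, mode in zip(signals, modes)
    )
    return votes >= required


def tolerates_single_failure(required, modes):
    """Can the function still trip if one in-service channel fails to trip?"""
    needed, voting = effective_logic(required, modes)
    return needed == 0 or voting - 1 >= needed


def loops_with_low_flow(flows_low):
    """Count loops in which at least 2 of the 3 flow channels read low."""
    return sum(sum(loop) >= 2 for loop in flows_low)


def low_flow_trip(flows_low, p7, p8):
    """Reference logic: single-loop trip needs P-8, two-loop trip needs P-7."""
    low = loops_with_low_flow(flows_low)
    return (p8 and low >= 1) or (p7 and low >= 2)


def faulty_low_flow_trip(flows_low, p7, p8):
    """Constructed defect: the P-7 block is missing from the two-loop path."""
    low = loops_with_low_flow(flows_low)
    return (p8 and low >= 1) or low >= 2


def logic_matrix_test(logic_under_test):
    """Apply every trip and nontrip combination, with and without interlocks.

    Returns the combinations on which the logic under test disagrees with
    the reference; an empty list corresponds to the tester's "good" lamp.
    """
    failures = []
    for bits in product([False, True], repeat=12):      # 4 loops x 3 channels
        flows = [bits[i:i + 3] for i in range(0, 12, 3)]
        for p7, p8 in product([False, True], repeat=2):
            expected = low_flow_trip(flows, p7, p8)
            if logic_under_test(flows, p7, p8) != expected:
                failures.append((flows, p7, p8))
    return failures


if __name__ == "__main__":
    cases = {
        "all channels in service": [NORMAL] * 4,
        "one channel in trip mode": [TRIPPED] + [NORMAL] * 3,
        "one channel bypassed": [BYPASSED] + [NORMAL] * 3,
        "two channels bypassed": [BYPASSED] * 2 + [NORMAL] * 2,
    }
    for label, modes in cases.items():
        needed, voting = effective_logic(2, modes)
        ok = tolerates_single_failure(2, modes)
        print(f"{label}: {needed}-out-of-{voting}, single-failure tolerant: {ok}")
    print("reference logic mismatches:", len(logic_matrix_test(low_flow_trip)))
    bad = logic_matrix_test(faulty_low_flow_trip)
    print("defective logic mismatches:", len(bad), "(all below P-7)")
```

Every mismatch reported for the defective variant lies below P-7, which is the "nontrip below P-7" condition that interlock testing is meant to verify.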

The complete RTS is normally required to be in service. However, to permit on-line testing of the various protection channels or to permit continued operation in the event of subsystem instrumentation channel failure, the Technical Specifications define the minimum number of operable channels. The Technical Specifications also define the required restriction to operation in the event that the channel operability requirements cannot be met.

7.2.2.2.3.11 Channel Bypass or Removal from Operation: The RTS is designed to permit periodic testing of its analog channel portion during reactor power operation without initiating a protective action unless a trip condition actually exists. This is because of the ability to test the analog system in bypass and because the coincidence logic is required for reactor trip.

7.2.2.2.3.12 Operating Bypasses: Where operating requirements necessitate automatic or manual bypass of a protective function, the design is such that the bypass is removed automatically whenever permissive conditions are not met. Devices used to achieve automatic removal of the bypass of a protective function are considered part of the RTS and are designed in accordance with the criteria of this section. Indication is provided in the control room if some part of the system has been administratively bypassed or taken out of service.

7.2.2.2.3.13 Indication of Bypasses: Bypass indication is discussed in Section 7.1.

7.2.2.2.3.14 Access to Means for Bypassing: The design provides for administrative control of access to the means for manually bypassing channels or protective functions (Ref. 7.2-1).

7.2.2.2.3.15 Multiple Setpoints: Multiple setpoints are used for monitoring neutron flux. When a more restrictive trip setting becomes necessary to provide adequate protection for a particular mode of operation or set of operating conditions, the RTS circuits are designed to provide positive means of administrative control to assure that the more restrictive trip setpoint is used. The devices used to prevent improper use of less restrictive trip settings are considered part of the RTS and are designed in accordance with the criteria of this section.

7.2.2.2.3.16 Completion of Protective Action: The RTS is designed so that, once initiated, a protective action goes to completion. Return to normal operation requires action by the operator.

7.2.2.2.3.17 Manual Initiation: Switches are provided on the control board for manual initiation of protective action. Failure in the automatic system does not prevent the manual actuation of the protective functions. Manual actuation relies on the operation of a minimum of equipment.

7.2.2.2.3.18 Access: The design provides for administrative control of access to all setpoint adjustments, module calibration adjustments, and test points (Ref. 7.2-1).

7.2.2.2.3.19 Identification of Protective Actions: Protective channel identification is discussed in Section 7.1.2.3. Indication is discussed in Section 7.2.2.2.3.20.

7.2.2.2.3.20 Information Readout: The RTS provides the operator with complete information pertinent to system status and safety. All transmitted signals (flow, pressure, temperature, etc.) which can cause a reactor trip will be either indicated or recorded for every channel, including all neutron flux power range currents (top detector, bottom detector, algebraic difference, and average of bottom and top detector currents).

Any reactor trip will actuate an annunciator (both audible and visual indication). Such protective actions are indicated and identified down to the channel level. Alarms and annunciators are also used to alert the operator of deviations from normal operating conditions so that he may take appropriate corrective action to avoid a reactor trip. Actuation of any rod stop or trip of any reactor trip channel will actuate an alarm.

7.2.2.2.3.21 System Repair: The system is designed to facilitate the recognition, location, replacement, and repair of malfunctioning components or modules. Refer to the discussion in Section 7.2.2.2.3.10.

7.2.2.3 Specific Control and Protection Interactions:

7.2.2.3.1 Neutron Flux: Four power-range neutron flux channels are provided for overpower protection. An isolated auctioneered high signal is derived by auctioneering of the four channels for automatic rod control. If any channel fails in such a way as to produce a low output, that channel is incapable of proper overpower protection but will not cause control rod movement because of the auctioneer. Two-out-of-four overpower trip logic will ensure an overpower trip if needed, even with an independent failure in another channel.

In addition, channel deviation signals in the Reactor Control System will give an alarm if any neutron flux channel deviates significantly from the average of the flux signals. Also, the control system will respond only to rapid changes in indicated neutron flux; slow changes or drifts are compensated by the temperature control signals. Finally, an overpower signal from any nuclear power range channel will block manual and automatic rod withdrawal. The setpoint for this rod stop is below the reactor trip setpoint.

7.2.2.3.2 Coolant Temperature: The accuracy of the narrow range resistance temperature detector temperature measurements is demonstrated during plant startup tests by comparing temperature measurements from the narrow range resistance temperature detectors with one another as well as with the temperature measurements obtained from the wide range resistance temperature detectors also located in the hot leg and cold leg piping of each loop. The comparisons are made with the RCS in an isothermal condition. The linearity of the ΔT measurements obtained from the hot leg and cold leg narrow range resistance temperature detectors as a function of plant power is also checked during plant startup tests. The absolute value of ΔT versus plant power is not important, per se, as far as reactor protection is concerned. The RTS setpoints are based upon percentages of the indicated ΔT at nominal full power rather than on absolute values of ΔT in order to account for loop differences which are inherent. Therefore, the percent ΔT scheme is relative, not absolute, and it provides better protective action without the expense of accuracy. For this reason, the linearity of the ΔT signals as a function of power is of importance, rather than the absolute values of the ΔT. As part of the plant startup tests, the narrow range resistance temperature detector signals are also compared with the core exit thermocouple signals.

Reactor control is based upon signals derived from RTS channels after isolation by isolation amplifiers, so that no feedback effect can perturb the protection channels.

Since control is based on the average temperature of the loop with the highest temperature, the control rods are always moved based upon the most conservative temperature measurement with respect to margins to DNB. A spurious low average temperature measurement from any loop temperature control channel will cause no control action. A spurious high average temperature measurement will cause rod insertion (safe direction). Channel deviation signals in the control system will give an alarm if any temperature channel deviates significantly from the auctioneered (highest) value. Automatic rod withdrawal blocks will also occur if any two of the four overtemperature or overpower ΔT channels indicate an adverse condition.

Section 4.7 of IEEE 279-1971 and GDC 24 requirements concerning Control and Protection Systems Interaction are satisfied, even though control signals are derived from protection sets, because the 2/4 voting coincidence logic of the protection sets is maintained. Where a single random failure can cause a control system action that results in a condition requiring protective action and can also prevent proper action of a protective system channel designed to protect against the condition, the remaining three redundant protection channels are capable of providing the protective action even if degraded by a second random failure.

7.2.2.3.3 Pressurizer Pressure: The pressurizer pressure protection channel signals are used for high- and low-pressure protection and as inputs to the overtemperature ΔT trip protection function. Isolated output signals from these channels are used for pressure control. These are used to control pressurizer spray and heaters and power-operated relief valves (PORVs). Pressurizer pressure is sensed by fast-response pressure transmitters.
A spurious high-pressure signal from one channel can cause decreasing pressure by actuation of either spray or relief valves. Additional redundancy is provided in the low pressurizer pressure reactor trip and in the logic for SI to ensure low-pressure protection.

Overpressure protection is based upon the positive surge of the reactor coolant produced as a result of turbine trip under full load, assuming the core continues to produce full power. The self-actuated safety valves are sized on the basis of steam flow from the pressurizer to accommodate this surge at a setpoint of 2,500 psia and an accumulation of 3 percent. Note that no credit is taken for the relief capability provided by the PORVs during this surge.

In addition, operation of any one of the PORVs can maintain pressure below the high-pressure trip point for most transients. The rate of pressure rise achievable with heaters is slow, and ample time and pressure alarms are available to alert the operator of the need for appropriate action.

7.2.2.3.4 Pressurizer Water Level: Four pressurizer water level channels are used for reactor trip. Isolated signals from these channels are used for pressurizer water level control. A failure in the level control system could fill or empty the pressurizer at a slow rate (on the order of 30 minutes or more).

The high water level trip setpoint provides sufficient margin so that the undesirable condition of discharging liquid coolant through the safety valves is avoided. Even at full-power conditions, which would produce the worst thermal expansion rates, a failure of the water level control would not lead to any liquid discharge through the safety valves. This is due to the automatic high pressurizer pressure reactor trip actuating at a pressure sufficiently below the safety valve setpoint. Furthermore, the two-out-of-four high pressurizer water level trip logic ensures a reactor trip if needed, even with an independent failure in another channel used for control and when degraded by an additional second random failure.

7.2.2.3.5 Steam Generator Water Level: The basic function of the reactor protection circuits associated with low-low SG water level is to preserve the SG heat sink for removal of long-term residual heat. Should a complete loss of feedwater (FW) occur, the reactor would be tripped on low-low SG water level. In addition, redundant auxiliary feedwater (AFW) pumps are provided to supply AFW in order to maintain residual heat removal after trip.

These reactor trips act before the SGs are dry to reduce the required capacity and increase the starting time requirements of the AFW pumps and to minimize the thermal transient on the RCS and SGs. Therefore, the low-low SG water level reactor trip circuit is provided for each SG to ensure that sufficient initial thermal capacity is available in the SG at the start of the transient. The two-out-of-four low-low SG water level trip logic ensures a reactor trip if needed, even with an independent failure in another channel used for control and when degraded by an additional second postulated random failure.

Each of the four narrow range level channels on each steam generator, which are input signals to the two-out-of-four low-low SG water level trip logic, is compensated for the effect of temperature changes in the reference leg fluid. Two strap-on RTDs are installed on each narrow range reference leg. These RTDs provide reference leg temperature signals to the compensation system electronics. The reference leg temperature inputs are used to calculate the change in density of the reference leg fluid, which in turn is used to determine the SG narrow range level error. The calculated level error is then applied to the uncompensated level signal, resulting in a compensated level signal that is input to the low-low SG water level trip logic. Signal processing for SG narrow range water level is further described in Section 7.5.6.

A spurious low signal from the FW flow channel being used for control would cause an increase in FW flow. The mismatch between steam flow and FW flow produced by the spurious signal would actuate alarms to alert the operator of the situation in time for manual correction. If the condition continues, a two-out-of-four high-high SG water level signal in any loop, independent of the indicated FW flow, will cause FW isolation and turbine trip. The turbine trip will result in a subsequent reactor trip if power is above the P-9 setpoint. The high-high SG water level trip is an equipment protective trip preventing excessive moisture carryover which could damage the turbine blades.

In addition, the three-element FW controller incorporates integral action on the level error signal so that, with expected controller settings, a rapid increase or decrease in the flow signal would cause only a small change in level before the controller would compensate for the level error. A slow change in the FW flow signal would have an insignificant effect. A spurious low or high steam flow signal would have the same effect as a spurious high-FW or low-FW flow signal. Automatic protection is also provided in case the spurious low-level signal increases FW flow sufficiently to cause high level in the SG. A turbine trip and FW isolation would occur on two-out-of-four high-high SG water level in any loop.

7.2.2.4 Additional Postulated Accidents: Loss of plant instrument air or component cooling water is discussed in Section 7.3.1.2. Load rejection and turbine trip are discussed in further detail in Section 7.7.

The control interlocks (rod stops) provided to prevent abnormal power conditions which could result from excessive control rod withdrawal are discussed in Section 7.7.1.4.1 and listed in Table 7.7-1.

Excessively high power operation (which is prevented by blocking of automatic rod withdrawal), if allowed to continue, might lead to a safety limit (as given in the Technical Specifications) being reached. Before such a limit is reached, protection will be available from the RTS. At the power levels of the rod block setpoints, safety limits have not been reached; therefore, these rod withdrawal stops do not come under the scope of safety-related systems and are considered control systems.

7.2.3 Tests and Inspections

The RTS meets the testing requirements of IEEE 338-1971, as discussed in Section 7.1.2.11. The testability of the system is discussed in Section 7.2.2.2.3. The initial test intervals will be specified in the Technical Specifications. Written test procedures and documentation, conforming to the requirements of IEEE 338-1971, will be available for audit by responsible personnel. Periodic testing complies with RG 1.22, as discussed in Sections 7.1.2.5 and 7.2.2.2.3.

REFERENCES

Section 7.2

7.2-1 Reid, J.B., Process Instrumentation for Westinghouse Nuclear Steam Supply Systems, WCAP-7913 (January 1973). (Additional background information only)

7.2-2 Lipchak, J. B. and R. A. Stokes, Nuclear Instrumentation System, WCAP-8255 (January 1974). (Additional background information only)

7.2-3 Katz, D. N., Solid State Logic Protection System Description, WCAP-7488-L, Proprietary (March 1971) and WCAP-7672, Nonproprietary (May 1971). (Additional background information only)

7.2-4 Gangloff, W. C., and W. D. Loftus, An Evaluation of Solid State Logic Reactor Protection In Anticipated Transients, WCAP-7706-L, Proprietary (February 1971) and WCAP-7706, Nonproprietary (February 1971).

7.2-5 WCAP-8370, Rev. 9A, Westinghouse Water Reactor Divisions Quality Assurance Plan, October 1979.

7.2-6 Westinghouse Letter, P. J. Biondo to T. J. Jordan, Lead/Lag Tolerances in Overpower and Overtemperature Delta-T, January 15, 1993, ST-WN-HS-203.

TABLE 7.2-1
LIST OF REACTOR TRIPS

Reactor Trip | Coincidence Logic | Interlocks | Comments
1. High neutron flux (power-range) | 2/4 | Manual block of low setting permitted by P-10 | High and low setting; manual block and automatic reset of low setting by P-10
2. Intermediate-range high neutron flux | 1/2 | Manual block permitted by P-10 | Manual block and automatic reset
3. Source-range high neutron flux | 1/2 | Manual block permitted by P-6, interlocked with P-10 | Manual block and automatic reset; automatic block above P-10
4. Power-range high positive neutron flux rate | 2/4 | No interlocks |
5. Overtemperature ΔT | 2/4 | No interlocks |
6. Overpower ΔT | 2/4 | No interlocks |
7. Pressurizer low pressure | 2/4 | Interlocked with P-7 | Blocked below P-7
8. Pressurizer high pressure | 2/4 | No interlocks |
9. Pressurizer high water level | 2/4 | Interlocked with P-7 | Blocked below P-7
10. Low reactor coolant flow | 2/3 in any loop above P-8; 2/3 in two loops above P-7 | Interlocked with P-7 and P-8 | Low flow in one loop will cause a reactor trip when above P-8; low flow in two loops will cause a reactor trip when P-7; blocked below P-7
11. RCP bus undervoltage | 2/4 | Interlocked with P-7 | Low voltage on all buses permitted below P-7
12. RCP bus underfrequency | 2/4 | Interlocked with P-7 | Underfrequency on two buses will trip all RCP breakers and cause reactor trip; blocked below P-7
13. Low-low SG water level | 2/4 in any loop | No interlocks | Levels are compensated for changes in reference leg density
14. SI signal | See Figure 7.2-8 | No interlocks | See Section 7.3 for SI signal actuation conditions
15. Turbine trip | | |
15a. Low emergency trip fluid pressure | 2/3 | Interlocked with P-9 | Blocked below P-9
15b. Turbine stop valve | 2/4 closed | Interlocked with P-9 | Blocked below P-9
16. Manual | 1/2 | No interlocks |

TABLE 7.2-2
PROTECTION SYSTEM INTERLOCKS

Designation | Derivation | Function

I. POWER ESCALATION PERMISSIVES
P-6 | Presence of P-6: 1/2 neutron flux (intermediate-range) above setpoint | Allows manual block of source range reactor trip
P-6 | Absence of P-6: 2/2 neutron flux (intermediate-range) below setpoint | Defeats the block of source-range reactor trip
P-10 | Presence of P-10: 2/4 neutron flux (power-range) above setpoint | Allows manual block of power-range (low setpoint) reactor trip. Allows manual block of intermediate-range reactor trip and intermediate-range rod stops (C-1). Blocks source-range reactor trip (backup for P-6). Input to P-7
P-10 | Absence of P-10: 3/4 neutron flux (power-range) below setpoint | Defeats the block of power-range (low setpoint) reactor trip. Defeats the block of intermediate-range reactor trip and intermediate-range rod stops (C-1)

II. BLOCKS OF REACTOR TRIPS
P-7 | Absence of P-7: 3/4 neutron flux (power-range) below setpoint and 2/2 turbine impulse chamber pressure below setpoint (Presence of P-7 occurs when either P-10 or P-13 is present. Absence of P-7 is when neither P-10 nor P-13 is present.) | Absence of P-7 blocks reactor trip on: low reactor coolant flow in more than one loop, undervoltage, under-frequency, pressurizer low pressure, and pressurizer high level
P-8 | Absence of P-8: 3/4 neutron flux (power range) below setpoint | Absence of P-8 blocks reactor trip on low coolant flow in a single loop
P-9 | Absence of P-9: 3/4 neutron flux (power range) below setpoint | Absence of P-9 blocks reactor trip on turbine trip
P-13 | Absence of P-13: 2/2 turbine impulse chamber pressure below setpoint | Input to P-7

TABLE 7.2-3
REACTOR TRIP SYSTEM INSTRUMENTATION

Reactor Trip Signal | Typical Range | Typical Trip Accuracy | Typical Time Response (sec)
1. Power-range high neutron flux | 1 to 120% full power | 1% of full power | 0.2
2. Intermediate-range high neutron flux | 8 decades of neutron flux overlapping source range by 2 decades | 5% of full scale; 1% of full scale from 10^-4 to 50% full power (1) | 0.2
3. Source-range high neutron flux | 6 decades of neutron flux (1 to 10^6 counts/sec) | 5% of full scale (1) | 0.2
4. Power-range high positive neutron flux rate | + 15% of full power | 5% (1) | 0.2
5. Overtemperature ΔT | T_H 530 to 650°F; T_C 510 to 630°F; T_avg 530 to 630°F; P_PRZR 1,700 to 2,500 psi; f1 -50 to +35 | 6.8% ΔT | 10.0
6. Overpower ΔT | T_H 530 to 650°F; T_C 510 to 630°F; T_avg 530 to 630°F | 5.5% ΔT | 10.0
7. Pressurizer low pressure | 1,700 to 2,500 psig | 18 psi (compensated signal) | 2.0
8. Pressurizer high pressure | 1,700 to 2,500 psig | 18 psi (noncompensated signal) | 2.0
9. Pressurizer high water level | Entire cylindrical portion of pressurizer (distance between taps) | +2.3% of full range ΔP between taps at design temperature and pressure | 1.2
10. Low reactor coolant flow | 0 to 120% of rated flow | 2.5% of full flow within range of 70% to 100% of full flow (1) | 1.0
11. RCP bus undervoltage | 0 to 100% rated voltage | 1% | 1.5
12. RCP bus underfrequency | 50 to 65 Hz | 0.1 Hz | 0.6
13. Low-Low SG water level | 6 ft from nominal full-load water level | +4.3% of span (compensated signal) | 2.0
14. Turbine trip | NA | NA | 2.0

(1) Reproducibility (see definitions in Section 7.1)

TABLE 7.2-4
REACTOR TRIP CORRELATION

Trip (a) | Accident (b) | Technical Specification (c)
1. Power-Range High Neutron Flux Trip (Low Setpoint) | a. Uncontrolled Rod Cluster Control Assembly Bank withdrawal from a subcritical condition (Section 15.4.1) | 2.2.1 Table 2.2-1 (2)
 | b. Feedwater System malfunctions causing a reduction in feedwater temperature (Section 15.1.1) |
 | c. Feedwater System malfunctions causing an increase in feedwater flow (Section 15.1.2) |
 | d. Rod Cluster Control Assembly ejection (Section 15.4.8) |
2. Power-Range High Neutron Flux Trip (High Setpoint) | a. Uncontrolled Rod Cluster Control Assembly Bank withdrawal from a subcritical condition (Section 15.4.1) | 2.2.1 Table 2.2-1 (2)
 | b. Uncontrolled Rod Cluster Control Assembly Bank withdrawal at power (Section 15.4.2) |
 | c. Startup of an inactive Reactor Coolant Loop (Section 15.4.4) |
 | d. Feedwater System malfunctions causing a reduction in feedwater temperature (Section 15.1.1) |
 | e. Feedwater System malfunctions causing an increase in feedwater flow (Section 15.1.2) |
 | f. Excessive increase in secondary steam flow (Section 15.1.3) |
 | g. Accidental depressurization of the Main Steam System (Section 15.1.4) |
 | h. Major Secondary System pipe ruptures (Section 15.1.5) |
 | i. Rod Cluster Control Assembly ejection (Section 15.4.8) |
3. Intermediate-Range High Neutron Flux Trip | a. Uncontrolled Rod Cluster Control Assembly Bank withdrawal from a subcritical condition (Section 15.4.1) | See Note d; 2.2.1 Table 2.2-1 (5)
4. Source-Range High Neutron Flux Trip | a. Uncontrolled Rod Cluster Control Assembly Bank withdrawal from a subcritical condition (Section 15.4.1) | See Note d; 2.2.1 Table 2.2-1 (6)
5. Power-Range High Positive Neutron Flux Rate Trip | a. Rod Cluster Control Assembly ejection (Section 15.4.8) | 2.2.1 Table 2.2-1 (3)
 | b. Uncontrolled Rod Cluster Control Assembly Bank withdrawal from a subcritical condition (Section 15.4.1) |
6. Overtemperature ΔT Trip | a. Uncontrolled Rod Cluster Control Assembly Bank withdrawal at power (Section 15.4.2) | 2.2.1 Table 2.2-1 (7)
 | b. Uncontrolled Boron dilution (Section 15.4.6) |
 | c. Loss of external electrical load and/or turbine trip (Section 15.2.2 and 15.2.3) |
 | d. Feedwater System malfunctions causing a reduction in feedwater temperature (Section 15.1.1) |
 | e. Feedwater System malfunctions causing an increase in feedwater flow (Section 15.1.2) |
 | f. Excessive increase in secondary steam flow (Section 15.1.3) |
 | g. Accidental depressurization of the Reactor Coolant System (Section 15.6.1) |
 | h. Accidental depressurization of the Main Steam System (Section 15.1.4) |
 | i. Feedwater System pipe break (Section 15.2.8) |
 | j. Rod Cluster Control Assembly misoperation (Section 15.4.3) |
7. Overpower ΔT Trip | a. Uncontrolled Rod Cluster Control Assembly Bank withdrawal at power (Section 15.4.2) | 2.2.1 Table 2.2-1 (8) (Note 2)
 | b. Feedwater System malfunctions causing a reduction in feedwater temperature (Section 15.1.1) |
 | c. Feedwater System malfunctions causing an increase in feedwater flow (Section 15.1.2) |
 | d. Excessive increase in secondary steam flow (Section 15.1.3) |
 | e. Accidental depressurization of the Main Steam System (Section 15.1.4) |
 | f. Major Secondary System pipe ruptures (Section 15.1.5) |
8. Pressurizer Low Pressure Trip | a. Accidental depressurization of the Reactor Coolant System (Section 15.6.1) | 2.2.1 Table 2.2-1 (9)
 | b. Major Reactor Coolant System pipe ruptures (LOCA) (Section 15.6.5) |
 | c. Steam Generator tube rupture (Section 15.6.3) |
9. Pressurizer High Pressure Trip | a. Uncontrolled Rod Cluster Control Assembly Bank withdrawal at power (Section 15.4.2) | 2.2.1 Table 2.2-1 (10)
 | b. Loss of external electrical load and/or turbine trip (Section 15.2.2 and 15.2.3) |
 | c. Feedwater System pipe break (Section 15.2.8) |
10. Pressurizer High Water Level Trip | a. Uncontrolled Rod Cluster Control Assembly Bank withdrawal at power (Section 15.4.2) | 2.2.1 Table 2.2-1 (11)
 | b. Loss of external electrical load and/or turbine trip (Sections 15.2.2 and 15.2.3) |
11. Low Reactor Coolant Flow | a. Loss of nonemergency ac power station auxiliaries (loss of offsite power) (Section 15.2.6) | 2.2.1 Table 2.2-1 (12)
 | b. Loss of forced reactor coolant flow (Sections 15.3.1 and 15.3.2) |
 | c. Reactor coolant pump shaft seizure and/or break (Sections 15.3.3 and 15.3.4) |
 | d. Startup of an inactive reactor coolant loop at an incorrect temperature (Section 15.4.4) |
12. Reactor Coolant Pump Undervoltage Trip | a. Loss of forced reactor coolant flow (Sections 15.3.1 and 15.3.2) | 2.2.1 Table 2.2-1 (14)
13. Reactor Coolant Pump Underfrequency Trip | a. Loss of forced reactor coolant flow (Sections 15.3.1 and 15.3.2) | 2.2.1 Table 2.2-1 (15)
14. Low-Low Steam Generator Water Level Trip | a. Loss of normal feedwater (Section 15.2.7) | 2.2.1 Table 2.2-1 (13)
 | b. Feedwater System pipe break (Section 15.2.8) |
15. Reactor Trip on Turbine Trip | a. Turbine trip (Section 15.2.3) | See Note d; 2.2-1 Table 2.2-1 (16)
 | b. Loss of nonemergency ac power station auxiliaries (loss of offsite power) (Section 15.2.6) | See Note d; 2.2.1 Table 2.2.1 (17)
16. Safety Injection Signal Actuation Trip | a. Accidental depressurization of the Main Steam System and/or steam line break (Sections 15.1.4 and 15.1.5) (See Note e) | 2.2.1 Table 2.2-1 (17)
 | b. Feedwater System pipe break (Section 15.2.8) |
17. Manual Trip | Available for all accidents (Chapter 15) | See Note d

a. Trips are listed in order of discussion in Section 7.2.
b. References refer to Chapter 15.
c. References refer to the Technical Specifications which will be submitted 18 months prior to issuance of the operating license for Unit 1.
d. A technical specification is not required because this trip is not assumed to function in the accident analyses.
e. Accident assumes that the reactor is tripped at end of life, which is the worst initial condition for this case.

STPEGS UFSAR 7.3-1 Revision 18

==7.3 ENGINEERED SAFETY FEATURES SYSTEM==

The occurrence of a postulated limiting fault, such as a Loss-of-Coolant Accident (LOCA) or main steam line break (MSLB), requires a reactor trip plus actuation of engineered safety features (ESF) equipment to prevent or mitigate damage to the core and Reactor Coolant System (RCS) components and to ensure containment integrity. The Engineered Safety Features Actuation System (ESFAS) directs various ESF equipment to take protective action to mitigate the consequences of postulated accidents. The ESFAS is comprised of the instrumentation and controls necessary to sense accident conditions and initiate the operation of necessary safety equipment.

In general, the sensors, analog circuitry, and actuation logic are supplied by Westinghouse Electric Corporation (Westinghouse). The radiation monitors for Containment ventilation isolation are part of the balance-of-plant (BOP) scope of supply and interface with the Westinghouse equipment. The interfaces between the Westinghouse actuation signals and the actuated equipment are shown on Figures 7.2-1 through 7.2-17B. The Westinghouse ESFAS is described in Section 7.3.1.

The ESFASs for the Control Room Envelope Heating, Ventilating, and Air-Conditioning (HVAC) System and for the Fuel Handling Building (FHB) HVAC System are part of the BOP scope of supply, including sensors and logic circuitry. Receipt of a safety injection (SI) signal from the Westinghouse ESFAS also actuates these HVAC systems. The Control Room Envelope HVAC ESFAS is described in Section 7.3.2; the FHB HVAC ESFAS is described in Section 7.3.3.

The Containment Hydrogen Monitoring System is also part of the BOP scope of supply. This system (described in Section 7.6.5) is actuated manually after a LOCA.

7.3.1 Nuclear Steam Supply System ESFAS

The Westinghouse ESFAS uses selected plant parameters and determines whether or not predetermined safety limits are being exceeded; if they are, it combines the signals into logic matrices sensitive to combinations indicative of primary or secondary system boundary ruptures (American Nuclear Society [ANS] Class III or IV faults). Once the required logic combination is completed, the system sends actuation signals to the appropriate ESF components. The ESFAS meets the requirements of General Design Criteria (GDC) 13, 20, 27, 28, and 38.

7.3.1.1 System Description. The ESFAS functionally consists of the following:

1. Process Instrumentation and Control System (Ref. 7.3-1)
2. Solid-State Protection System (Ref. 7.3-2)
3. Safeguards test cabinets (Ref. 7.3-3)

4. Manual actuation circuits

The ESFAS consists of two discrete portions of circuitry: (1) An analog portion consisting of three to four redundant channels per parameter or variable to monitor various plant parameters such as RCS and Steam System pressures, temperatures, and flows and Containment pressures; and (2) a digital portion consisting of two redundant logic trains which receive inputs from the analog protection channels and perform the logic needed to actuate ESF equipment, plus three actuation trains for actuating the ESF equipment required.

The intent is that any single failure within the ESFAS shall not prevent system action when required. Figures 7.1-2 and 7.3-1 show in a simplified manner how three ESF actuation trains are derived from two Solid-State Protection System (SSPS) logic trains.

The redundant concept is applied to both the analog and digital portions of the system. Separation of redundant analog channels begins at the process sensors and is maintained in the field wiring, Containment penetrations, and analog protection racks terminating at the redundant safeguards logic racks. The design meets the requirements of General Design Criterion (GDC) 20, 21, 22, 23, and 24.

The variables are sensed by the analog circuitry as discussed in Reference 7.3-1 and in Section 7.2. The outputs from the analog channels are combined into actuation logic as shown on Figures 7.2-5 through 7.2-9. Tables 7.3-2, 7.3-2A and 7.3-3 give additional information pertaining to logic and function.

The interlocks associated with the ESFAS are outlined in Table 7.3-4. These interlocks satisfy the functional requirements discussed in Section 7.1.2.

Redundant manual actuation of ESF trains is provided on the main control panel for the following:

1. Safety injection
2. Containment spray
3. Containment isolation Phase A
4. Steam line isolation

Manual controls for valves are also provided to switch from injection to recirculation, as a backup to the automatic switchover described in Section 7.6.4.

7.3.1.1.1 Function Initiation: The specific functions which rely on the ESFAS for initiation are:

1. A reactor trip, provided one has not already been generated by the Reactor Trip System (RTS).
2. High head and low head safety injection pumps and associated valves, which provide emergency makeup water to the cold legs of the RCS following a LOCA.
3. Reactor containment fan coolers, which serve to cool the Containment and limit the potential for release of fission products from the Containment by reducing the pressure following an accident.

4. Component cooling water (CCW) and essential cooling water (ECW) pumps and associated valves, which serve as auxiliary heat removal systems.
5. Motor-driven auxiliary feedwater (AFW) pumps and turbine-driven auxiliary feedwater (AFW) pump and associated valves, which serve to cool the steam generators (SGs) on loss of main feedwater.
6. Containment isolation phase A, designed to prevent fission product release, i.e., isolation of lines not essential to reactor protection.
7. Steam line isolation to prevent the continuous, uncontrolled blowdown of more than one SG and thereby uncontrolled RCS cooldown.
8. Main FW line isolation as required to prevent or mitigate the effect of excessive cooldown.
9. Standby diesel generators to assure backup supply of power to emergency and supporting systems components.
10. Operation of the Control Room Envelope HVAC System to meet control room occupancy requirements following a LOCA. Operation of the Electrical Auxiliary Building (EAB) Main Area HVAC System to meet equipment environment requirements.
11. Containment spray pumps and associated valves, which serve to reduce Containment pressure and temperature (and to remove iodine) following a LOCA or steam line break accident inside the Containment.
12. Containment isolation phase B, designed to isolate the Containment following a LOCA or a steam or feedwater line break within the Containment to limit radioactive releases. (The Containment isolation phase A signal, the Containment isolation phase B signal, and the Containment ventilation signal close all lines penetrating Containment which are not considered essential for reactor protection and accident mitigation).
13. Containment ventilation isolation, to ensure that all Containment purge lines have been isolated, thus preventing fission product release.
14. Operation of the FHB HVAC Exhaust System, to ensure filtration of air exhausted from the cubicles containing the safety injection and containment spray pumps, thus minimizing offsite releases of postulated leakage from these pumps. No credit is taken in the accident dose analyses for this filtration function.
15. Turbine trip, to prevent excessive cooldown of the RCS.
16. Essential Chilled Water System (ECWS), to provide chilled water for necessary HVAC systems.
17. Electrical Penetration Space HVAC System, to provide cooling for essential equipment located in that area.

Supporting HVAC equipment is also actuated, as required, to cool the above equipment. For example, cubicle coolers are required to operate in the rooms containing the safety injection and containment spray pumps, and are therefore actuated.

7.3.1.1.2 Analog Circuitry: The process analog sensors and racks for the ESFAS are discussed in Reference 7.3-1. Discussed in Reference 7.3-1 are the parameters to be measured, including pressures, flows, tank and vessel water levels, and temperatures, as well as the measurement and signal transmission considerations. These latter considerations include the transmitters, orifices, flow elements, and resistance temperature detectors, as well as automatic calculations, signal conditioning, and location and mounting of the devices.

The sensors monitoring the primary system are shown on process and instrument diagrams presented in Chapter 5. The secondary system sensors are shown on process and instrument diagrams presented in Chapter 10.

Containment pressure is sensed by four physically separated, seismically supported differential pressure transmitters outside of the Containment. (They are connected to the Containment atmosphere by a filled and sealed hydraulic transmission system.) The distance from penetration to transmitter is kept to a minimum, and separation is maintained. This arrangement, together with the pressure sensors external to the Containment, forms a double barrier and conforms to GDC 56 and Regulatory Guide (RG) 1.11.

For the Containment ventilation isolation function, input is provided to the Westinghouse ESFAS from radiation detection equipment monitoring the Normal Containment Purge System exhaust line or the Supplementary Containment Purge System exhaust line. During a plant shutdown for refueling, the Normal Containment Purge System is in operation, as discussed in Section 9.4.5. Also discussed in that section is the Supplementary Containment Purge System, which may be used during normal plant operation. Redundant Class 1E radiation monitors (i.e., the Reactor Containment Building [RCB] Purge Isolation) monitor the radiation in these purge lines, as discussed in Section 11.5. Upon either monitor sensing radiation above a preset limit, a signal is sent to the logic trains of the Westinghouse ESFAS, and the Containment ventilation isolation signal is actuated.

The logic for the radiation monitoring input to the Westinghouse ESFAS is shown in Figure 7.3-2A. Separation criteria, as required by RG 1.75 and Institute of Electrical and Electronics Engineers (IEEE) 384-1974, are followed.

7.3.1.1.3 Digital Circuitry: The ESF logic racks are discussed in detail in Reference 7.3-2. The description includes the considerations and provisions for physical and electrical separation as well as details of the circuitry. Reference 7.3-2 also covers certain aspects of on-line test provisions, provisions for test points, considerations for the instrument power source, and considerations for accomplishing physical separation. The outputs from the analog channels are combined into actuation logic as shown on Figures 7.2-6 (pressurizer pressure), 7.2-7 (steam generator water level and steam pressure rate), 7.2-8 (ESF actuation), 7.2-9 (low compensated steam line pressure protection), 7.2-14 and 7.2-15 (feedwater control and isolation), and 7.2-16 (auxiliary feedwater).

To facilitate ESF actuation testing, six cabinets (two per train) are provided which enable operation, to the maximum extent practicable, of safety features loads on a group-by-group basis until actuation of all devices has been checked. Final actuation testing is discussed in detail in Section 7.3.1.2.

7.3.1.1.4 Final Actuation Circuitry: The SSPS supplies the following signals:

1. Safety injection signal (Table 7.3-5 lists actuated equipment. Typical control logics for actuated equipment are shown on Figures 7.3-2 through 7.3-8.)
2. Containment spray signal (Table 7.3-6 lists actuated equipment. Typical control logics for actuated equipment are shown on Figures 7.3-9 and 7.6-14.)
3. Containment isolation Phase A signal (Table 7.3-7 lists actuated equipment. Typical control logics are shown on Figures 7.3-11 through 7.3-13.)
4. Containment isolation Phase B signal (Table 7.3-8 lists actuated equipment. Typical control logics are shown on Figures 7.3-14 and 7.3-15.)
5. Containment ventilation isolation signal (Table 7.3-9 lists actuated equipment. Typical control logics are shown on Figures 7.3-16 and 7.3-17.)
6. Steam line isolation signal (Table 7.3-10 lists actuated equipment. Typical control logics are shown on Figure 7.3-18.)
7. FW isolation signal (Table 7.3-11 lists actuated equipment. Typical control logics are shown on Figures 7.3-19 and 7.3-20.)
8. AFW initiation signal (Table 7.3-15 lists actuated equipment. Typical control logics are shown on Figures 7.3-21, 7.3-21A and 7.3-21B.)

Loads are sequenced onto the three Class 1E ESF buses by the ESF load sequencers, as described in Chapter 8. The design meets the requirements of GDC 35.

7.3.1.1.5 Design Bases Information: The functional diagrams presented on Figures 7.2-5 through 7.2-9 and 7.2-14 through 7.2-16 provide a graphic outline of the functional logic associated with requirements for the ESFAS. Requirements for the ESFAS are given in Chapter 15. Given below is the design bases information required in IEEE 279-1971.

7.3.1.1.5.1 Generating Station Conditions - The following is a summary of those generating station conditions requiring protective action:

1. Primary system:
a. Rupture in small pipes or cracks in large pipes
b. Rupture of reactor coolant pipe or LOCA
c. Rupture of an SG tube
2. Secondary system:
a. Minor secondary system pipe breaks resulting in steam release rates equivalent to a single dump, relief, or safety valve
b. Rupture of a major secondary system pipe
3. Fuel handling accident inside Containment

7.3.1.1.5.2 Generating Station Variables - The accidents identified above are described in Chapter 15, including the ESFAS signals used to mitigate the accident consequences. The variables listed below are monitored for the automatic initiation of ESF system during these accidents. Post-accident monitoring requirements are discussed in Section 7.5.

1. Containment pressure
2. Pressurizer pressure
3. Steam line pressure
4. SG water level
5. Normal and Supplementary Containment purge exhaust radiation

7.3.1.1.5.3 Section Not Used.

7.3.1.1.5.4 Limits, Margins, and Setpoints - Prudent operational limits, available margins, and setpoints before onset of unsafe conditions requiring protective action are discussed in Chapter 15 and the Technical Specifications.

7.3.1.1.5.5 Abnormal Events - The malfunctions, accidents or other unusual events which could physically damage protection system components or could cause environmental changes are as follows:

1. RCS breaks (discussed in Chapter 15)
2. Secondary system breaks (discussed in Chapter 15)
3. Earthquakes (discussed in Chapters 2 and 3)
4. Fire (discussed in Section 9.5)
5. Missiles (discussed in Section 3.5)
6. Flood (discussed in Chapters 2 and 3)

7.3.1.1.5.6 Minimum Performance Requirements - Minimum performance requirements are as follows.

7.3.1.1.5.6.1 ESFAS Response Time - The ESFAS response time is defined as the interval required for the ESF sequence to be initiated subsequent to the point in time that the appropriate variable(s) exceed(s) setpoints. The ESF sequence is initiated by the output of the ESFAS, which is brought about by operation of dry contacts of the slave relays in the output cabinets of the SSPS. The response times include the interval of time which elapses between the time the parameters, as sensed by the sensor, exceed the safety setpoint and the time the SSPS slave relay dry contacts are operated.

The values listed below are maximum allowable times consistent with the safety analyses and were systematically verified during plant preoperational startup tests. For the overall ESFAS, see the Technical Specifications. In a similar manner, for the overall RTS instrumentation response times, see Chapter 16. These maximum delay times include all compensation and therefore require that any such network be aligned and operating during verification testing.

The ESFAS is always capable of having response time tests performed using the same methods as those tests performed during the preoperational test program or following significant component changes.

Time response criteria are defined in Chapter 16.

7.3.1.1.5.6.2 System Accuracies -

1. Accuracies for ESFAS Functions for RCS and secondary break protection are defined in Reference 7.3-5, Tables 1-1, 1-2, and 1-3.
2. Typical accuracy in generating the required radiation actuation signals for the Containment ventilation isolation signal is 33 percent.

7.3.1.1.5.6.3 Ranges of Sensed Variables to be Accommodated Until Conclusions of Protective Action are Assured -

1. Typical ranges required in generating the actuation signals for RCS break protection are:
a. Pressurizer pressure: 1,700 to 2,500 psig
b. Containment pressure: -5 to 65 psig
2. Typical ranges required in generating the actuation signals for secondary system break protection, in addition to the above, are:
a. Steam line pressure (from which steam line pressure rate is derived): 0 to 1,400 psig
b. Actuation signals for auxiliary feedwater pumps (SG water level): 0 to 100% (15 feet)
3. The typical range required in generating the radiation actuation signals for containment ventilation isolation signal is 1 x 10^-6 Ci/cm3 to 0.1 Ci/cm3.

7.3.1.1.6 Final System Drawings: Functional block diagrams, electrical elementaries, and other drawings required to perform a safety review are listed in Section 1.7.

7.3.1.2 Analysis.

7.3.1.2.1 Failure Modes and Effects Analyses: Failure modes and effects analyses have been performed generically on the ESFAS within the scope of Westinghouse and documented in Reference 7.3-4. The results verify that these systems meet protection single-failure criteria as required by IEEE 279-1971. The South Texas Project Electric Generating Station (STPEGS) ESFAS, although not identical, is designed to equivalent safety design criteria (including separation criteria). Furthermore, the functions, manufacturing, testing, quality criteria, and components are equivalent. Thus Reference 7.3-4 is applicable to STPEGS. The interface criteria of Appendices B and C of Westinghouse Commercial Atomic Power (WCAP)-8760 have been included in interface criteria provided by Westinghouse and incorporated into BOP design.

7.3.1.2.2 Compliance With Standards and Design Criteria - Discussions of GDC are provided in various sections of Chapter 7 where a particular GDC is applicable. Applicable GDCs include 13, 20 through 25, 27, 28, 35, 37, 38, 40, 43, and 46. Compliance with certain IEEE Standards is presented in Sections 7.1.2.7 through 7.1.2.11. Compliance with RG 1.22 is discussed in Section 7.1.2.5. Discussion of the requirements of IEEE 279-1971 and the ESFAS compliance with these requirements is presented in Sections 7.3.1.2.2.1 through 7.3.1.2.2.5 below, with the balance of the requirements discussed in Section 7.2.2.2.3. Paragraph 4.20 of IEEE 279 receives special attention in Section 7.5.

7.3.1.2.2.1 Single Failure Criteria - The discussion presented in Section 7.2.2.2.3.2 is applicable to the ESFAS with the following exception. In the ESFAS, a loss of instrument power will call for actuation of ESF equipment controlled by the specific bistable that lost power (Containment spray excepted). The power supply for the protection systems is discussed in Section 7.6 and Chapter 8. For Containment spray, the final bistables are energized to trip to avoid spurious actuation. In addition, manual Containment spray requires a simultaneous actuation of two manual controls. This is considered acceptable because spray actuation on HI-3 Containment pressure signal provides automatic initiation of the system via protection channels. Moreover, two sets (two switches per set) of Containment spray manual initiation switches are provided to meet the requirements of IEEE 279-1971. Also, it is possible for all ESF equipment (valves, pumps, etc.) to be individually manually actuated from the control room. Hence, a third mode of Containment spray initiation is available. The design meets the requirements of GDC 21 and 23.

7.3.1.2.2.2 Equipment Qualification - Equipment qualifications are discussed in Sections 3.10 and 3.11.

7.3.1.2.2.3 Channel Independence - The discussion presented in Section 7.2.2.2.3.6 is applicable. The ESFAS slave relay outputs from the SSPS cabinets are redundant. The actuated devices and interposing components between the SSPS slave relay output and the final actuator are energized by the separate, train-oriented power supplies that supply the SSPS cabinets.

7.3.1.2.2.4 Control and Protection System Interaction - The discussions presented in Section 7.2.2.2.3.7 are applicable.

7.3.1.2.2.5 Capability for Sensor Checks and Equipment Test and Calibration - The discussions of system testability in Section 7.2.2.2.3.10 are applicable to the sensors, analog circuitry, and digital circuitry of the ESFAS.

The following discussions cover those areas in which the testing provisions differ from those for the Reactor Trip System.

7.3.1.2.2.5.1 Testing of Engineered Safety Features Actuation System - The ESF systems are tested to provide assurance that the systems will operate as designed and will be available to function properly in the unlikely event of an accident. The testing program meets the requirements of GDC 21, 37, 40, and 43 and RG 1.22, as discussed in Section 7.1.2.5. The tests described in Section 7.3.1.2.2.5 and further discussed in Section 6.3.4 meet the requirements on testing of the Emergency Core Cooling System (ECCS) as stated in GDC 37 except for the operation of those components that will cause an actual safety injection. The test, as described, demonstrates the performance of the full operational sequence that brings the system into operation, the transfer between normal and standby power source, and the operation of associated cooling water systems. The safety injection pumps are started and operated, and their performance is verified in a separate test discussed in Section 6.3.4.

When the pump tests are considered in conjunction with the ECCS test, the requirements of GDC 37 on testing of the ECCS are met as closely as possible without causing an actual safety injection.

Testing as described in Section 6.3.4 and in Sections 7.2.2.2.3 and 7.3.1.2.2.5 provides complete periodic testability during reactor operation of all logic and components associated with the ECCS. This design meets the requirements of RG 1.22 as discussed in the above sections. The program is as follows:

1. Prior to initial plant operations, ESF system tests were conducted.
2. Subsequent to initial startup, ESF system tests will be conducted during each regularly scheduled refueling outage.
3. During on-line operation of the reactor, all of the ESFAS analog and digital circuitry will be fully tested. In addition, essentially all of the ESF final actuators will be fully tested. The remaining few final actuators whose operation is not compatible with continued on-line plant operation will be checked as discussed in Section 7.1.2.5.
4. During normal operation, the operability of testable final actuation devices of the ESF systems will be tested by manual initiation from the control room.

The following bypass/inoperable status indications are operated from the SSPS:

SSPS Train R - test or loss of power
SSPS Train S - test or loss of power
ESFAS Train A - test or loss of power
ESFAS Train B - test or loss of power
ESFAS Train C - test or loss of power

Should two out of three actuation trains or safeguards test cabinets be inadvertently tested simultaneously, or should power be lost to two of the three actuation trains, the reactor will be tripped automatically.

7.3.1.2.2.5.2 Performance Test Acceptability Standard for the Safety Injection and Automatic Containment Spray Actuation Signals Generation - During reactor operation, the basis for the ESFAS acceptability is the successful completion of the overlapping test performed on the initiating system and the ESFAS (Figure 7.3-22). Checks of process indications verify operability of the sensors. Analog checks and tests performed with the channel in trip verify the operability of the analog circuitry from the input of these circuits through, to, and including the logic input relays except for the input relays associated with the Containment spray function, which are tested during the solid-state logic testing.

Analog checks and tests performed with the channel in bypass verify the operability of the analog circuitry from the input to the output of these circuits. Input relays for functions tested in bypass are tested every 18 months. Solid-state logic testing also checks the digital signal path from and including logic input relay contacts through the logic matrices and master relays, and performs a continuity test on the coils of the output slave relays. Final actuator testing operates the output slave relays and verifies operability of those devices which require safeguards actuation and which can be tested without causing plant upset. Refer to Section 7.1.2.5 for a discussion of the remaining devices and their testing provisions. Operation of the final devices is confirmed by control board indication and visual observation that the appropriate pump breakers close and automatic valves have completed their travel.

The basis for acceptability for the ESF interlocks is control board indication of proper receipt of the signal upon introducing the required input at the appropriate setpoint. Plant programs assure that the qualification of equipment and components including their appurtenances is maintained. Specific plant parameters which can cause equipment degradation have been considered based on equipment qualification tests. Plant components have been qualified for the life of the plant or an end-of-life equipment replacement frequency established.

7.3.1.2.2.5.3 Frequency of Performance of Engineered Safety Features Actuation Tests - During reactor operation, complete system testing (excluding sensors or those devices whose operation would cause plant upset) is performed as required by the Technical Specifications. Testing, including the sensors, is also performed during scheduled plant shutdown for refueling.

7.3.1.2.2.5.4 Engineered Safety Features Actuation Test Description - The following sections describe the testing circuitry and procedures for the on-line portion of the testing program. The guidelines used in developing the circuitry and procedures are:

The test procedures must not involve the potential for damage to any plant equipment.

The test procedures must minimize the potential for accidental tripping.

The provisions for on-line testing must minimize complication of ESF actuation circuits so that their reliability is not degraded.

7.3.1.2.2.5.4.1 Description of Initiation Circuitry - Several systems constitute the total ESF System, the majority of which may be initiated by different process conditions and reset independently of each other.

The remaining functions are initiated by a common signal (SI signal) which in turn may be generated by different process conditions.

In addition, operation of other vital auxiliary support systems, such as the CCW and ECW System, is initiated by the SI signal.

The output of each initiation circuit consists of a master relay which drives slave relays for contact multiplication as required. The master and slave relays are mounted in the ESFAS cabinets, designated Train A, Train B, and Train C, respectively, for the redundant counterparts. The master and slave relay circuits operate various pump and fan circuit breakers or starters, motor-operated valve contactors, solenoid-operated valves, standby diesel generator starting equipment, and other ESF actuation devices.

7.3.1.2.2.5.4.2 Analog Testing - Analog testing is identical to that used for reactor trip circuitry as described in Section 7.2.2.2.3 and includes the following analog channels for other safety-related circuits:

1. Containment pressure
2. Pressurizer pressure
3. Steam line pressure

Containment spray, which is energized to actuate 2/4, is always tested in bypass and reverts to 2/3 when one channel is in test.
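The coincidence behaviour described here and in Section 7.3.1.2.2.1, as an added example that is not part of the UFSAR or of the Westinghouse design: a small Python model of channel voting that compares de-energize-to-trip channels with the energize-to-trip Containment spray channels under loss of power, test-in-trip and test-in-bypass, and checks each configuration against a single failure. The state names, the helper functions and the 2/4 coincidence used for the non-spray function are assumptions made for illustration; the page states the 2/4 and 2/3 figures only for Containment spray.

```python
"""Added illustration: coincidence voting for ESFAS-style protection channels.

Assumptions (not from the UFSAR): the state names, the helpers, and the use of
2-out-of-4 for the non-spray function. The page states 2/4 (2/3 with one
channel in test) only for Containment spray.
"""
from enum import Enum


class Ch(Enum):
    NORMAL = "normal"            # powered, variable within its setpoint
    EXCEEDED = "exceeded"        # powered, variable past its setpoint
    POWER_LOST = "power_lost"    # instrument power to the bistable lost
    TEST_TRIP = "test_trip"      # under test with the channel placed in trip
    TEST_BYPASS = "test_bypass"  # under test with the channel bypassed


def votes(state, energize_to_trip):
    """True when this channel's bistable output calls for actuation."""
    if state in (Ch.EXCEEDED, Ch.TEST_TRIP):
        return True
    if state is Ch.POWER_LOST:
        # De-energize-to-trip outputs drop out on power loss and so call for
        # actuation; energize-to-trip outputs cannot call for it without power.
        return not energize_to_trip
    return False


def coincidence(channels, required, energize_to_trip):
    """Return (actuate, vote_count, channels_in_logic); bypassed channels are removed."""
    in_logic = [c for c in channels if c is not Ch.TEST_BYPASS]
    count = sum(votes(c, energize_to_trip) for c in in_logic)
    return count >= required, count, len(in_logic)


def single_failure_check(channels, required, energize_to_trip):
    """Inject one failure into each healthy channel in turn.

    Returns (demand_ok, spurious_free):
      demand_ok     - with every other healthy channel past its setpoint, the
                      function still actuates when one channel fails silent.
      spurious_free - with no real demand, one channel failing toward
                      actuation does not actuate the function by itself.
    """
    silent = Ch.POWER_LOST if energize_to_trip else Ch.NORMAL  # never votes
    loud = Ch.EXCEEDED if energize_to_trip else Ch.POWER_LOST  # always votes
    demand_ok, spurious_free = True, True
    for i, state in enumerate(channels):
        if state is not Ch.NORMAL:
            continue  # already failed or in test: not a new single failure
        demand = [silent if j == i else (Ch.EXCEEDED if s is Ch.NORMAL else s)
                  for j, s in enumerate(channels)]
        quiet = [loud if j == i else s for j, s in enumerate(channels)]
        demand_ok = demand_ok and coincidence(demand, required, energize_to_trip)[0]
        spurious_free = (spurious_free
                         and not coincidence(quiet, required, energize_to_trip)[0])
    return demand_ok, spurious_free


def scenarios():
    """Constructed cases; each value is what the model returns."""
    n, t, b, p = Ch.NORMAL, Ch.TEST_TRIP, Ch.TEST_BYPASS, Ch.POWER_LOST
    return {
        "non-spray, two channels lose power": coincidence([p, p, n, n], 2, False),
        "spray, two channels lose power": coincidence([p, p, n, n], 2, True),
        "spray, one channel bypassed for test": coincidence([b, n, n, n], 2, True),
        "single failure: non-spray, all in service":
            single_failure_check([n, n, n, n], 2, False),
        "single failure: non-spray, one in test-trip":
            single_failure_check([t, n, n, n], 2, False),
        "single failure: spray, one in test-bypass":
            single_failure_check([b, n, n, n], 2, True),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

In this model, a de-energize-to-trip function with one channel held in trip for test is one spurious vote away from actuation, while the energize-to-trip spray function tested in bypass keeps 2/3 coincidence and tolerates a single failure in either direction.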

7.3.1.2.2.5.4.3 Solid-State Logic Testing - Except for Containment spray channels, solid-state logic testing is the same as that discussed in Section 7.2.2.2.3. During logic testing of one train, the other logic train can initiate the required ESF function (Ref. 7.3-2).

7.3.1.2.2.5.4.4 Actuation Testing - At this point, testing of the initiation circuits through operation of the master relay and its contacts to the coils of the slave relays has been accomplished.

Slave relays do not operate because of reduced voltage.

The ESFAS final actuation device or actuated equipment testing is performed from the Safeguards Test Cabinets. These cabinets are located adjacent to the ESFAS cabinets. There is one set of test cabinets provided for each of the three actuation trains, A, B, and C. Each set of cabinets contains individual test switches necessary to actuate the slave relays. To prevent accidental actuation, test switches are of the type that must be rotated and then depressed to operate the slave relays.

Assignments of contacts of the slave relays for actuation of various final devices or actuators have been made so that groups of devices or actuated equipment can be operated individually during plant operation without causing plant upset or equipment damage. In the unlikely event an SI signal is initiated during the test of the final device actuated by this test, the device will already be in its safeguards position.

During this last procedure, close communication between the main control room operator and the operator at the test panel is required. Prior to the energizing of a slave relay, the operator in the main control room assures that plant conditions permit operation of the equipment that will be actuated by the relay. After the tester has energized the slave relay, the main control room operator observes that all equipment required to be tested has operated, as indicated by appropriate indicating lamps and annunciators on the control board and, using a prepared checklist, records all operations. The operator then resets all devices and prepares for operation of the next slave-relay-actuated equipment.

By means of the procedure outlined above, all ESF devices actuated by the ESFAS initiation circuits, with the exceptions noted in Section 7.1.2.5 under a discussion of RG 1.22, are operated by the automatic circuitry.

7.3.1.2.2.5.4.5 Actuation Blocking and Continuity Test Circuits - The majority of the few final actuation devices that cannot be designed to be actuated during plant operation (discussed in Section 7.1.2.5) have been assigned to slave relays for which additional test circuitry has been provided to individually block actuation of a final device upon operation of the associated slave relay during testing. Operation of these slave relays, including contact operations and continuity of the electrical circuits associated with the final device control, is checked instead of checking actual operation. The circuits provide for monitoring of the slave relay contacts, the device control circuit cabling, control voltage, and the devices' actuation solenoid. Interlocking prevents blocking the output from more than one output relay in a protection train at a time. Placing two Safeguards Test Cabinets in test gives an automatic reactor trip. If an accident occurs during testing, the automatic actuation circuitry will override testing as noted above. One exception to this is that if the accident occurs while testing a slave relay whose output must be blocked, those few final actuation devices associated with this slave relay will not be actuated; however, the redundant devices in the other trains would be operational and would perform the required safety function. Actuation devices to be blocked are identified in Section 7.1.2.5.

The continuity test circuits for these components that cannot be actuated online are verified by proving lights on the Safeguards Test Cabinets.

The typical schemes for blocking operation of selected protection function actuator circuits are shown on Figure 7.3-23 as details A and B. The schemes operate as explained below and apply for each actuation train.

Detail A of Figure 7.3-23 shows the circuit for contact closure for protection function actuation. Under normal plant operation, with the equipment not under test, the test lamps "DS*" for the various circuits are energized. Typical circuit path is through the normally closed test relay contact "K8*" and through test lamp connections 1 through 3. Coils "X1" are capable of being energized for protection function actuation upon closure of solid-state logic output relay contacts "K8*". Coil "X1" or "X2" is typical for a breaker closing auxiliary coil, motor starter master coil, coil of a solenoid valve, auxiliary relay, etc. When the contacts "K8*" are opened to block energizing of coils "X1" and "X2", the white lamp is deenergized and the slave relay "K*" may be energized to perform continuity testing. To verify operability of the blocking relay in both blocking and restoring normal service, open the blocking relay contact in series with lamp connections - the test lamp should be deenergized; close the blocking relay contact in series with the lamp connections - the testing lamp should now be energized, which verifies that the circuit is now in its normal, i.e., operable, condition.

Detail B shows the circuit for contact opening for protection function actuation. Under normal plant operation, with the equipment not under test, the white test lamps "DS*" for the various circuits are energized and green test lamp "DS*" is deenergized. Typical circuit path for the white lamp "DS*" is through the normally closed solid-state logic output relay contact "K*" and through test lamp connections 1 through 3. Coils "Y1" and "Y2" are capable of being deenergized for protection function actuation upon opening of solid-state logic output relay contact "K*". Coil "Y2" is typical for solenoid valve coil, auxiliary relay, etc. When the contacts "K8*" are closed to block deenergizing of coils "Y1" and "Y2", the green test lamp is energized and the slave relay "K*" may be energized to verify operation (opening of its contacts). To verify operability of the blocking relay in both blocking and restoring normal service, close the blocking relay contact to the green lamp - the green test lamp should also now be energized; upon opening this blocking relay contact, the green test lamp should be deenergized, which verifies that the circuit is now in its normal, i.e., operable, position.

7.3.1.2.2.5.4.6 Time Required for Testing - It is estimated that analog testing can be performed at a rate of several channels per hour. Testing of actuation trains A, B, and C can be performed in less than 45 minutes. Testing of actuated components (including those which can be only partially tested) will be a function of control room operator availability. It is expected that several shifts will be required to accomplish these tests. During this procedure, automatic actuation circuitry will override testing, except for those few devices associated with a single slave relay whose outputs must be blocked and then only while blocked. It is anticipated that continuity testing associated with a blocked slave relay could take several minutes. During this time, the redundant devices in the other trains would be functional.

7.3.1.2.2.5.4.7 Summary of On-Line Testing Capability - The procedures described provide capability for checking completely from the process signal to the logic cabinets and from there to the individual pump and fan circuit breakers or starters, valve contactors, pilot solenoid valves, etc., including field cabling actually used in the circuitry called upon to operate for an accident condition. For those few devices whose operation could adversely affect plant or equipment operation, testing is performed as discussed in Section 7.1.2.5.

The procedures require testing at various locations, as follows:

1. Analog testing and verification of bistable setpoint are accomplished at process analog racks. Verification of bistable relay operation is done at the main control room status lights.

2. Logic testing through operation of the master relays and low voltage application to slave relays is done within the Logic and Safeguard Test Cabinets.
3. Testing of pumps, fans, and valves is done at the Safeguards Test Cabinet located next to the ESFAS cabinets in combination with the control room operator.
4. Continuity testing for those circuits that are tested for continuity is done at the test cabinet mentioned in 3 above.

The reactor coolant pump (RCP) seal water return isolation valves are not tested periodically due to the risk of damage to the reactor coolant pumps. Although pump damage from this type of test would not result in a situation which endangers the health and safety of the public, it could result in unnecessary shutdown of the reactor for an extended period of time.

Containment Spray System tests will be performed periodically. The pump tests are performed with the isolation valves in the spray supply lines at the Containment blocked closed and the pumps aligned for recirculation flow. The valves are tested periodically with the pumps tripped.

Testing of the containment sump isolation valves requires that the safety injection header isolation valve from the Refueling Water Storage Tank (RWST) be isolated to prevent water flow from the RWST to the containment sump and floor. During this time, the safety injection and containment spray pumps are removed from service to preclude operation in the event of an actual safety injection signal during testing, which could result in damage to the pumps.

7.3.1.2.2.5.4.8 Testing During Shutdown - ECCS tests will be performed as required by the Technical Specifications with the RCS isolated from the ECCS by closing the appropriate valves. A test SI signal will then be applied to initiate operation of active components (pumps and valves) of the ECCS. This is in compliance with GDC 37.

7.3.1.2.2.5.5 Periodic Maintenance Inspections - The maintenance procedures which follow are accomplished in accordance with applicable plant procedures. The frequency will depend on the operating conditions and requirements of the reactor power plant. If any degradation of equipment operation is noted, either mechanically or electrically, remedial action is taken to repair, replace, or readjust the equipment. Optimum operating performance must be achieved at all times.

Typical maintenance procedures include:

1. Check cleanliness of all exterior and interior surfaces.
2. Check all fuses for corrosion.
3. Inspect for loose or broken control knobs and burned out indicator lamps.
4. Inspect for moisture and condition of cables and wiring.
5. Mechanically check all connectors and terminal boards for looseness, poor connection, or corrosion.
6. Inspect the components of each assembly for signs of overheating or component deterioration.
7. Perform a complete system operating check.

7.3.1.2.2.6 Manual Resets and Blocking Features - The manual reset feature associated with Containment spray actuation is provided in the standard design of the Westinghouse SSPS for two basic purposes: first, the feature permits the operator to start an interruption procedure of automatic Containment spray in the event of false initiation of an actuation signal; second, although spray system performance is automatic, the reset feature enables the operator to start a manual takeover of the system to handle unexpected events which can be better dealt with by operator appraisal of changing conditions following an accident.

It is most important to note that manual control of the spray system does not occur once actuation has begun by just resetting the associated logic devices alone. Components seal in (latch) so that removal of the actuation signal, in itself, neither cancels nor prevents completion of protective action nor provides the operator with manual override of the automatic system by this single action. In order to take complete control of the system to interrupt its automatic performance, the operator must deliberately unlatch relays which have "sealed in" the initial actuation signals in the associated motor control center, in addition to tripping the pump motor circuit breakers, if stopping the pumps is desirable or necessary.

The manual reset feature associated with Containment spray, therefore, does not perform a bypass function. It is merely the first of several manual operations required to take control from the automatic system or interrupt its completion should such an action be considered necessary.

In the event the operator anticipates system actuation and erroneously concludes that it is undesirable or unnecessary and imposes a standing reset condition in one train (by operating and holding the corresponding reset switch at the time the actuation signal is transmitted), the other trains automatically carry the protective action to completion. In the event the reset condition is imposed simultaneously in all three trains at the time the actuation signals are generated, the automatic sequential completion of system action is interrupted and control has been taken by the operator. Manual takeover is maintained, even though the reset switches are released, if the original actuation signal exists. Should the actuation signal then clear and return again, automatic system actuation will repeat.

Any time delays imposed on the system action are applied after the initiating signals are latched. In this way, delays of actuation signals for fluid system lineup, load sequencing, etc., do not provide the operator additional time to interrupt automatic completion with manual reset alone, as would be the case if a time delay were imposed prior to sealing of the initial actuation signal.
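The reset and seal-in behavior described above can be illustrated with a short simulation. This is an added example, not part of the UFSAR or of the Westinghouse SSPS design: it is a simplified behavioral model in which the class, method, and field names are hypothetical, time advances in discrete steps, and the rising-edge latch and two-step delay are modeling assumptions chosen to reproduce the behavior stated in the text.

```python
from dataclasses import dataclass, field

TRAINS = ("A", "B", "C")


@dataclass
class SprayTrain:
    """Simplified model of one Containment spray actuation train (assumed)."""
    delay_steps: int = 2          # assumed delay applied AFTER the signal is latched
    logic_latched: bool = False   # actuation memory in the logic
    sealed_in: bool = False       # component relays sealed in at the motor control center
    spraying: bool = False        # protective action carried to completion
    _prev_signal: bool = field(default=False, repr=False)
    _countdown: int = field(default=0, repr=False)

    def step(self, signal: bool, reset_held: bool = False) -> None:
        """Advance one time step with the actuation signal and reset switch state."""
        rising = signal and not self._prev_signal
        self._prev_signal = signal
        if reset_held:
            # Reset clears only the logic memory; it never unlatches components.
            self.logic_latched = False
        elif rising:
            # The logic latches on the arrival of the actuation signal.
            self.logic_latched = True
            if not self.sealed_in:
                self.sealed_in = True
                self._countdown = self.delay_steps
        # The delay runs after seal-in, so a later reset cannot use it to interrupt.
        if self.sealed_in and not self.spraying:
            if self._countdown == 0:
                self.spraying = True
            else:
                self._countdown -= 1

    def operator_takeover(self) -> bool:
        """Unlatch the sealed-in relays and trip the pump breakers.

        Modeled as effective only after the logic has been reset, since the
        reset is the first of the several manual operations required.
        """
        if self.logic_latched:
            return False
        self.sealed_in = False
        self.spraying = False
        return True


def simulate(signal, resets):
    """Run all three trains.

    signal: list of bools, the actuation signal at each step.
    resets: dict mapping train name to a list of bools (reset switch held at
            each step); missing entries mean the switch is released.
    """
    trains = {name: SprayTrain() for name in TRAINS}
    for i, sig in enumerate(signal):
        for name, train in trains.items():
            held = resets.get(name, [])
            train.step(sig, held[i] if i < len(held) else False)
    return trains


if __name__ == "__main__":
    T, F = True, False
    # Reset pressed in Train A one step after actuation: spray still completes.
    late_reset = simulate([T, T, T, T], {"A": [F, T, F, F]})
    print("late reset, Train A:", late_reset["A"])
    # Reset held in all three trains when the signal arrives: operator has control,
    # until the signal clears and returns.
    hold_all = {name: [T] for name in TRAINS}
    print("standing reset:", simulate([T, T, T, T], hold_all)["A"])
    print("signal returns:", simulate([T, T, T, F, T, T, T], hold_all)["A"])
```

In the model, a standing reset in a single train leaves that train unactuated while the other two complete the action, which matches the one-train case described in the text.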

The manual block controls of pressurizer pressure input and low compensated steam line pressure input to the Safety Injection (SI) signal provide the operator with the means to block initiation of SI during plant shutdown and startup and allow main steam line isolation on high steam pressure negative rate (low compensated steam line pressure block only). These block features meet the requirements of Paragraph 4.12 of IEEE 279-1971 in that automatic removal of the block occurs when plant conditions require the protection system to be functional.

7.3.1.2.2.7 Manual Initiation of Protective Actions (RG 1.62) - There are eight individual main steam isolation momentary control switches (two per loop) mounted on the control board. Each switch, when actuated, isolates one of the main steam lines. In addition, there are two system-level switches. Operating either switch isolates all four steam lines at the system level.

No exception to the requirements of IEEE 279-1971 has been taken in the manual initiation circuit of safety injection. Although Paragraph 4.17 of IEEE 279-1971 requires that a signal failure within common portions of the protective system shall not defeat the protective action by manual or automatic means, the standard does not specifically preclude the sharing of initiated circuitry logic between automatic and manual functions. It is true that the manual safety injection initiation functions associated with one logic train, e.g., Train R, share portions of the automatic initiation circuitry logic of the same logic train; however, a single failure in shared functions does not defeat the protective action of the redundant logic train, e.g., Train S. A single failure in shared functions does not defeat the protective action of the total SSPS. Initiation of either Train R or Train S initiates all three (A, B, and C) actuation trains. It is further noted that the sharing of the logic by manual and automatic initiation is consistent with the system-level action requirements of the IEEE 279-1971, Paragraph 4.17, and is consistent with the minimization of complexity.

7.3.1.2.3 Further Considerations: In addition to the considerations given above, a loss of instrument air or loss of CCW to vital equipment has been considered. Neither the loss of instrument air nor the loss of CCW (assuming no other accident conditions) can cause safety limits as given in the Technical Specifications to be exceeded. Likewise, loss of either instrument air or CCW to vital equipment will not adversely affect the core or the RCS, nor will it prevent an orderly shutdown if this is necessary. Furthermore, all pneumatically operated valves and controls assume a preferred operating position upon loss of instrument air. It is also noted that, for conservatism during the accident analysis (Chapter 15), credit is not taken for the instrument air systems or for any control system benefit. Present design does not provide any circuitry which will directly trip the reactor coolant pumps on a loss of CCW. Normally, alarm and indication in the control room are provided whenever CCW is lost to the pump(s). This alerts the operator to correct the problem or trip the pump(s) if necessary.

In regard to the AFW, there are three motor-driven pumps and one turbine-driven pump. The system is described in Section 10.4.9. The AFW trains automatically supply water to the corresponding SGs on receipt of an SI signal or a 2/4 low-low water level signal in any SG (Figure 7.2-16 and Table 7.3-2). These signals also close the SG blowdown isolation and sample isolation valves (Table 7.3-15). The turbine-driven pump and valves in the AFW train are actuated automatically by actuation Train A. The AFW equipment may also be manually operated using control switches in the control room.

7.3.1.2.4 Summary: The effectiveness of the ESFAS is evaluated in Chapter 15, based on the ability of the system to contain the effects of ANS Condition III and IV faults, including LOCA and steam line break accidents. The ESFAS parameters are based upon the component performance specifications which are given by the manufacturer or verified by test for each component. Appropriate factors to account for uncertainties in the data are factored into the constants characterizing the system.

The ESFAS must detect ANS Condition III and IV faults and generate signals which actuate the ESF systems. The ESFAS must sense the accident condition and generate the signal actuating the protection function reliably and within a time determined by and consistent with the accident analyses in Chapter 15.

Much longer times are associated with the actuation of the mechanical and fluid system equipment associated with ESF systems. This includes the time required for switching and bringing pumps and other equipment to speed, and the time required for them to take load.

The ESF actuating relays, once energized, remain energized until the manual reset for each system of actuation is performed by the operator. Such reset does not reverse the actuation of ESF equipment, which remains in its emergency mode until the operator takes manual action on a component-by-component basis. The only exceptions are two non-Class 1E reheat coils in the EAB which return to normal operation following SI reset; heat loads from these reheat coils are insignificant.

Operating procedures require that the complete ESFAS normally be operable. However, redundancy of system components is such that the system operability assumed for the safety analysis can still be met with certain instrumentation channels out of service. Channels that are out of service are to be placed in the tripped mode or in the bypass mode.

7.3.1.2.4.1 Loss-of-Coolant Protection - By analysis of LOCA and in-system tests, it has been verified that except for very small coolant system breaks, which can be protected against by the charging pumps followed by an orderly shutdown, the effects of various LOCAs are reliably detected by the low pressurizer pressure signal; the ECCS is actuated in time to prevent or limit core damage.

For large coolant system breaks, the passive accumulators inject first because of rapid pressure drop.

This protects the reactor during the unavoidable delay associated with actuating the active ECCS phase. High Containment pressure also actuates the ECCS. Therefore, emergency core cooling actuation can be brought about by sensing this other direct consequence of a primary system break, i.e., the ESFAS detects the leakage of the coolant into the Containment. The actuation signal generation time of about 1.5 seconds after detection of the consequences of the accident is adequate.

Containment spray provides additional cooling of the Containment and also limits fission product release upon sensing elevated Containment pressure (HI-3) to mitigate the effects of a LOCA.

The delay time between detection of the accident condition and the generation of the actuation signal for these systems is assumed to be about 1.0 seconds, well within the capability of the protection system equipment. However, this time is short compared to that required for startup of the fluid systems. The analyses in Chapter 15 show that the diverse methods of detecting the accident condition and the time for generation of the signals by the protection systems are adequate to provide reliable and timely protection against the effects of a LOCA.

7.3.1.2.4.2 Steam Line Break Protection - The ECCS is also actuated in order to protect against a steam line break. Section 7.3.1.1.5.6.1 gives the time between occurrence of low steam line pressure (as well as high steam pressure rate) or high Containment pressure (for breaks in Containment) and generation of the actuation signal. Analysis of steam line break accidents assuming this delay for signal generation shows that the ECCS is actuated for a steam line break in time to limit or prevent further core damage for steam line break cases.

Additional protection against the effects of steam line break is provided by feedwater isolation. Feedwater line isolation is initiated in order to protect the Containment from overpressurization and to prevent excessive cooldown of the reactor vessel and thus protect the reactor coolant pressure boundary. The feedwater isolation signal is initiated by the SI signal for the steam line break accident.

Further protection against a steam line break accident is provided by closure of all steam line isolation valves in order to prevent uncontrolled blowdown of all SGs. The generation of the protection system signal (about 2.0 seconds) is again short compared to the time to trip the fast-acting steam line isolation valves, which are designed to close in less than approximately 5 seconds.

In addition to actuation of the ESF systems, an effect of steam line break accident is generation of a signal resulting in a reactor trip on overpower or following ECCS actuation. The core reactivity is also reduced by the borated water injected by the ECCS.

The analyses in Chapter 15 of the steam line break accidents and an evaluation of the protection system instrumentation and channel design show that the ESFAS is effective in preventing or mitigating the effects of a steam line break accident.

7.3.1.2.4.3 Fuel Handling Accident Inside Containment Protection - Should a postulated fuel handling accident occur inside the Containment, a prompt radiation detection and automatic Containment isolation capability has been provided to mitigate the consequences of this accident, if aligned for automatic operation. The redundant Reactor Containment Building (RCB) Purge Isolation radiation monitors sense the high radioactivity and the Containment ventilation isolation signal is generated to isolate the Containment.

The Alternative Source Term accident dose analysis methodology does not credit this ESFAS feature of automatic containment closure for ensuring that resulting accident doses are well within the guidelines of 10CFR67 and 10CFR50, Appendix A, GDC 19. During the movement of irradiated fuel within the Containment, penetrations providing direct access from the containment atmosphere to the outside atmosphere shall be either (1) closed by an isolation valve, blind flange, or manual valve, or (2) be capable of being closed as soon as possible but within two hours. Therefore, automatic isolation capability is not required during refueling operations.

7.3.2 Control Room Envelope HVAC ESFAS

The ESFAS for the Control Room Envelope HVAC System uses the control room/EAB ventilation radiation monitors to sense whether predetermined setpoints have been exceeded. If they are, or if the Westinghouse ESFAS has generated a safety injection signal, this ESFAS sends actuation signals to the appropriate control room envelope HVAC components. The ESFAS meets the requirements of GDC 13, 19, 20, 21 and 22.

7.3.2.1 Description. The ESFAS for the Control Room Envelope HVAC System receives high radiation signals from the redundant control room/EAB ventilation radiation monitors and the safety injection signal from the Nuclear Steam Supply System (NSSS) ESFAS. Upon receipt of any of these signals, the control room makeup air is diverted through the makeup filters and then, along with a portion of the recirculation air, through cleanup filters. For a complete description of the Control Room Envelope HVAC System and its operation, refer to Section 9.4.1. Section 6.4 provides an analysis of Control Room Envelope habitability. Section 11.5 provides a description of the radiation monitors.

7.3.2.1.1 System Description

1. Actuating Circuits

The gaseous radioactivity level of the control room/EAB makeup air is monitored by two independent and separate radiation monitors. Each monitor transmits a signal to the ESFAS if acceptable radioactivity levels are exceeded. The sensitivity and response times of these monitors are listed in Table 7.3-16. Failure of a monitor is alarmed.

The Westinghouse ESFAS transmits signals to this ESFAS when an SI signal is generated.

The ESFAS may also be initiated manually.

2. Logic

The Control Room Envelope HVAC ESFAS logic is shown on Figure 7.3-24. As can be seen on this figure, the two redundant radiation monitors each have three separate and redundant outputs, one to each of the ESFAS trains.

In this way, detection of high radiation in either monitor actuates all three trains of HVAC equipment.

For an SI signal generated by the Westinghouse ESFAS, the signal is sent to the ESF load sequencers and then to the HVAC ESFAS. In this way, all of the Control Room Envelope HVAC components are actuated to the emergency mode at the same time. (Safety injection corresponds to ESF load sequencer mode I. Refer to Section 8.3.)

Manual initiation capability is provided by actuate switches, one for each actuation train. Reset capability is also provided on a per-train basis.

The actuation signal is transmitted to each actuated device, causing each device to assume its safe state for these emergency conditions.

3. Bypass

There is no bypass. Manual reset of the actuation signal may be performed, thus allowing the operator to assume manual control of the Control Room Envelope HVAC System. This would be desirable, for example, for manual shutdown of one train following actuation of all three trains of HVAC. It is noted that reset of the actuation signal does not reverse the actuation of ESF equipment. The equipment remains in its emergency mode until the operator takes manual action on a component-by-component basis.

4. Interlocks

There are no interlocks on these controls.

5. Sequencing

The Control Room Envelope HVAC System components required to operate during these emergency conditions are powered from Class 1E power systems. As noted in item B above, upon SI signal generation, the Control Room Envelope HVAC System components are actuated through the ESF load sequencers and this ESFAS. (Refer also to Section 8.3.)

6. Redundancy

Redundancy is provided by two radiation monitors, each interfacing with the three ESFAS trains; the SI-generated sequencer signals to each ESFAS train; manual actuation switches for each ESFAS train; and controls for each HVAC component.

7. Diversity

Diversity of actuation is provided in that the HVAC system may be actuated to the emergency mode by either of two radiation monitors, by the SI signal or by manual initiation.

8. Actuated Devices

Table 7.3-17 lists the actuated devices.

9. Supporting Systems

The supporting systems for the ESFAS are the 125 vdc Class 1E Power System, described in Section 8.3.2, and the EAB Main Area HVAC System, described in Section 9.4.1.

7.3.2.1.2 Design Bases: The design bases for the Control Room Envelope HVAC ESFAS are such that no single failure can prevent the proper operation of the Control Room Envelope HVAC System. The trip setpoints are provided in the Technical Specifications.

The following conditions are considered for the ESFAS components:

1. Range of transient and steady-state conditions: The electrical power supply characteristics are as described in Section 8.3. The range of possible environmental conditions is described in Sections 3.10 and 3.11.

2. Malfunctions, accidents, or other unusual events:

Fire protection: Section 9.5.1

Missile protection: Section 3.5

Earthquake protection: Section 3.7

The design bases for the Control Room Envelope HVAC System are discussed in Sections 9.4.1 and 6.4. The failure modes and effects analysis is included in Section 9.4.1.

7.3.2.1.3 Drawings: The logic diagram for the ESFAS is shown on Figure 7.3-24. Typical logic diagrams for actuated equipment are shown on Figures 7.3-25 and 7.3-26.

7.3.2.2 Analysis. Conformance to Nuclear Regulatory Commission (NRC) General Design Criteria is indicated on Figure 7.1-1. No deviations or exceptions are taken. Compliance with GDCs is also discussed in Section 3.1.

Conformance to NRC Regulatory Guides and IEEE standards is shown on Figure 7.1-1. Conformance to Regulatory Guides is also addressed in Table 3.12-1. The design of the ESFAS conforms to the applicable requirements of IEEE 279-1971, as indicated below.

1. General Function Requirements - Paragraph 4.1

The Control Room Envelope HVAC System and ESFAS are able to function automatically and reliably over the full range of transients for plant conditions for which credit is taken in the control room habitability analyses. The system functions when manually actuated. The system response times are within the times required in the habitability analyses.

2. Single Failure Criterion - Paragraph 4.2

Through the use of redundant independent systems, as shown in Section 9.4.1, a single failure or multiple failures resulting from a single credible event will not prevent the ESFAS and the Control Room Envelope HVAC System from performing the safety function when required.

3. Quality of Components and Modules - Paragraph 4.3

Components and modules used in the construction of the ESFAS exhibit a quality consistent with the plant design life objective, require minimum maintenance, and have low failure rates.

4. Equipment Qualification - Paragraph 4.4

The system is qualified to perform its intended functions under the environmental conditions specified in Sections 3.10 and 3.11.

5. Channel Integrity - Paragraph 4.5

Channels maintain functional capability under the range of electrical power and environmental conditions expected.

6. Channel Independence - Paragraph 4.6

Channels that provide signals for the same protective function are independent and physically separated to decouple the effects of unsafe environmental factors, electrical transients, and physical accident consequences. Discussion of the means to ensure channel independence is provided in Sections 7.1.2.2 and 8.3.1.4.

7. Control and Protection System Interaction - Paragraph 4.7

Equipment used for both protective and control functions is classified as part of the protection system. Transmission of signals from protection system equipment for control system use is through qualified isolation devices considered part of the protection system. No credible failure at the output of an isolation device will prevent the associated protection channel from performing its intended function. No single random failure in one channel will prevent the other channels from performing the intended function.

8. Derivation of System Outputs - Paragraph 4.8

To the extent feasible, the system inputs are from direct measurement of the desired variable.

9. Capability of Sensor Checks - Paragraph 4.9

Sufficient means have been provided to check the operational availability of the sensors and the ESFAS.

10. Testing and Calibration - Paragraph 4.10

The ESFAS has the capability of testing the devices used to derive the final system output.

11. Channel Bypass or Removal from Operation - Paragraph 4.11

Testing of one channel can be accomplished during reactor operation without initiating a protective action at the system level.

12. Operating Bypasses - Paragraph 4.12

There are no bypasses. Manual reset is provided on a per-train basis, as described in Section 7.3.2.1.1, item 3.

13. Indication of Bypass - Paragraph

There are no bypasses.

14. Access to Means for Bypassing - Paragraph 4.14

There are no bypasses.

15. Multiple Setpoints - Paragraph 4.15

There are no multiple setpoints.

16. Completion of Protective Action Once It Is Initiated - Paragraph 4.16

Once protective action is initiated, it is carried through to completion. Return to normal operation requires subsequent deliberate operator actions.

17. Manual Initiation - Paragraph 4.17

Manual initiation of the HVAC system is provided in the control room on a per-train basis. Manual initiation of the individual HVAC components is also provided in the control room through panel-mounted control switches. System level actuation is not provided since the safety function can be provided in a timely manner through the per-train manual actuation or through automatic actuations.

18. Access to Setpoint Adjustment, Calibration, and Test Points - Paragraph 4.18

Appropriate administrative controls are applied to ensure that access to the means for adjusting, calibrating, and testing the radiation monitors and the ESFAS system is adequately protected.

19. Identification of Protective Actions - Paragraph 4.10

System protective actions are described and identified down to the channel level.

20. Information Readout - Paragraph 4.20

The ESFAS provides the operator with sufficient information pertinent to its own status and to generating station safety. See the ESFAS logic for operating status indication and Section 7.5 for information readout.

21. System Repair - Paragraph 4.21

The system is designed to facilitate the recognition, location, replacement, repair, and adjustment of malfunctioning components or modules.

22. Identification - Paragraph 4.22

Protection system components are identified as described in Section 7.1.2.3.

Periodic testing of the Control Room Envelope HVAC ESFAS is discussed in the Technical Specifications. Periodic testing of the mechanical components is discussed in Section 9.4.1.

7.3.3 Fuel Handling Building HVAC ESFAS

The ESFAS for the Fuel Handling Building (FHB) HVAC System uses the spent fuel pool ventilation radiation monitors to sense whether predetermined setpoints have been exceeded. If they are, or if the Westinghouse ESFAS has generated an SI signal, the ESFAS sends actuation signals to the appropriate FHB HVAC components. The ESFAS meets the requirements of GDC 13, 20, 21 and 22. The Alternative Source Term accident dose analysis methodology (RG 1.183) used in the Chapter 15 radiological analyses does not credit this ESFAS feature.

7.3.3.1 Description. The ESFAS for the FHB HVAC System receives high radiation signals from the redundant spent fuel pool ventilation radiation monitors and the SI signal from the NSSS ESFAS. Upon receipt of any of these signals, the building exhaust air is diverted through filters and the supply system is tripped. For a complete description of the FHB HVAC System and its operation, refer to Section 9.4.2. Section 11.5 provides a description of the radiation monitors.

7.3.3.1.1 System Description

1. Actuating Circuits

The gaseous radioactivity level of the spent fuel pool exhaust air is monitored by two independent and separate radiation monitors. Each monitor transmits a signal to the ESFAS if acceptable radioactivity levels are exceeded. The sensitivity and response times of these monitors are listed in Table 7.3-16. Failure of a monitor is alarmed.

The Westinghouse ESFAS transmits signals to this ESFAS when an SI signal is generated.

The ESFAS may also be initiated manually.

2. Logic

The FHB HVAC ESFAS logic is shown on Figure 7.3-27. As can be seen in this figure, the two redundant radiation monitors each have three separate and redundant outputs, one to each of the ESFAS trains. In this way, detection of high radiation actuates all three trains of HVAC equipment.

A safety injection signal, one from each of the Westinghouse ESFAS actuation trains, is also sent to each ESFAS train.

Manual actuation capability is provided by actuate switches, one for each actuation train. Reset capability is also provided on a per-train basis.

The actuation signal is transmitted to each actuated device, causing each device to assume its safe state for these emergency conditions.

3. Bypass

There is no bypass. Manual reset of the actuation signal may be performed, thus allowing the operator to assume manual control of the HVAC system. It is noted that for initiation via the SI signal, both the SI signal and the ESFAS actuation signal must be reset.

Reset of the actuation signal does not reverse the actuation of ESF equipment. The equipment remains in its emergency mode until the operator takes manual action on a component-by-component basis.

4. Interlocks

There are no interlocks on these controls.

5. Sequencing

The FHB HVAC equipment required to operate during these emergency conditions is powered from Class 1E power systems. Since these loads are small, they are included in the first sequenced load onto the diesel generators. (Section 8.3)

6. Redundancy

Redundancy is provided by two radiation monitors, each interfacing with the three ESFAS trains; the SI signals to each of the ESFAS trains; manual actuation switches for each ESFAS train; and controls for each HVAC component.

7. Diversity

Diversity of actuation is provided in that the HVAC system may be actuated to the emergency mode by either of two radiation monitors, by the SI signal, or by manual initiation.

8. Actuated Devices

Table 7.3-18 lists the actuated devices.

9. Supporting Systems

The supporting systems for the ESFAS are the 125 vdc Class 1E Power System, described in Section 8.3.2, and the EAB Main HVAC System, described in Section 9.4.1.
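The actuation, reset and redundancy behavior described in items 1 through 6 above can be exercised with a small behavioral model. This is an added Python illustration, not plant or vendor logic. The monitor labels, device names, a failed monitor producing no output, SI routed train-to-train, and reset being ineffective while an initiating input is still present are all assumptions made for the model.

```python
from dataclasses import dataclass, field

TRAINS = ("A", "B", "C")
MONITORS = ("RM-1", "RM-2")   # hypothetical labels for the two radiation monitors


@dataclass
class Train:
    """One ESFAS actuation train and the HVAC devices it drives."""
    name: str
    latched: bool = False      # sealed-in actuation signal for this train
    # Hypothetical device names; True means the device is in emergency mode.
    devices: dict = field(default_factory=lambda: {
        "exhaust-filter-damper": False,
        "supply-fan": False,
    })

    def actuate(self) -> None:
        self.latched = True
        for device in self.devices:
            self.devices[device] = True


class FhbHvacEsfas:
    def __init__(self) -> None:
        self.trains = {t: Train(t) for t in TRAINS}
        self.high_rad = {m: False for m in MONITORS}
        self.failed = {m: False for m in MONITORS}
        self.si = {t: False for t in TRAINS}   # SI from the matching upstream train

    def _input_present(self, train: str) -> bool:
        # Each monitor has an output to every train, so either healthy monitor
        # is enough. Assumption: a failed monitor sends nothing (worst case).
        rad = any(self.high_rad[m] and not self.failed[m] for m in MONITORS)
        return rad or self.si[train]

    def scan(self) -> dict:
        """Evaluate automatic inputs; return the actuation signal per train."""
        for name, train in self.trains.items():
            if self._input_present(name):
                train.actuate()
        return {name: train.latched for name, train in self.trains.items()}

    def manual_actuate(self, train: str) -> None:
        self.trains[train].actuate()

    def reset(self, train: str) -> bool:
        """Per-train reset of the actuation signal. Devices are not touched."""
        if self._input_present(train):
            return False       # assumed: input still asserted, reset has no effect
        self.trains[train].latched = False
        return True

    def restore_device(self, train: str, device: str) -> bool:
        """Operator action on one component; needs the actuation signal reset."""
        if self.trains[train].latched:
            return False
        self.trains[train].devices[device] = False
        return True

    def alarms(self) -> list:
        return [f"{m} FAILURE" for m in MONITORS if self.failed[m]]


def single_monitor_failure_case():
    """One monitor failed, the other detects high radiation."""
    esfas = FhbHvacEsfas()
    esfas.failed["RM-1"] = True
    esfas.high_rad["RM-2"] = True
    return esfas.scan(), esfas.alarms()


def si_reset_case():
    """SI on train B only, then the two-step reset and component restore."""
    esfas = FhbHvacEsfas()
    esfas.si["B"] = True
    esfas.scan()
    steps = {"reset_while_si_present": esfas.reset("B")}
    esfas.si["B"] = False                      # SI reset upstream
    esfas.scan()
    steps["latched_after_si_reset"] = esfas.trains["B"].latched
    steps["restore_before_reset"] = esfas.restore_device("B", "supply-fan")
    steps["esfas_reset"] = esfas.reset("B")
    steps["devices_after_reset"] = dict(esfas.trains["B"].devices)
    steps["restore_after_reset"] = esfas.restore_device("B", "supply-fan")
    steps["devices_final"] = dict(esfas.trains["B"].devices)
    steps["other_trains"] = (esfas.trains["A"].latched, esfas.trains["C"].latched)
    return steps


if __name__ == "__main__":
    print(single_monitor_failure_case())
    for step, result in si_reset_case().items():
        print(step, result)
```
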

7.3.3.1.2 Design Bases: The design bases for the FHB HVAC ESFAS are such that no single failure can prevent the proper operation of the FHB HVAC System. The trip setpoints are provided in the Technical Specifications.

The following conditions are considered for the ESFAS components:

1. Range of transient and steady-state conditions: The electrical power supply characteristics are as described in Section 8.3. The range of possible environmental conditions is described in Sections 3.10 and 3.11.

2. Malfunctions, accidents, or other unusual events:

Fire protection: Section 9.5.1

Missile protection: Section 3.5

Earthquake protection: Section 3.7

The design bases for the FHB HVAC System are discussed in Section 9.4.2. The failure modes and effects analysis is also provided in Section 9.4.2.

7.3.3.1.3 Drawings: The logic diagram for the ESFAS is shown on Figure 7.3-27. Typical logic diagrams for actuated equipment are shown on Figures 7.3-28 and 7.3-29.

7.3.3.2 Analysis. Conformance to NRC General Design Criteria is indicated on Figure 7.1-1. No deviations or exceptions are taken. Compliance with GDCs is also discussed in Section 3.1.

Conformance to NRC RGs and IEEE standards is also shown on Figure 7.1-1. Conformance to RGs is also addressed in Table 3.12-1.

The design of the ESFAS conforms to the applicable requirements of IEEE 279-1971, in a manner similar to that described for the Control Room Envelope HVAC ESFAS, as discussed in Section 7.3.2.2. Differences are discussed below.

1. General Functional Requirements - Paragraph 4.1

The FHB HVAC System and ESFAS are able to function automatically and reliably over the full range of transients for plant conditions for which credit is taken in the accident analyses. The system functions when manually actuated. The system response times are within the times required in the LOCA and Fuel Handling Accident analyses.

2. Single Failure Criterion - Paragraph 4.2

Through the use of redundant independent systems, as shown in Section 9.4.2, a single failure or multiple failures resulting from a single credible event will not prevent the ESFAS and the FHB HVAC System from performing the safety function when required.

3. Operating Bypasses - Paragraph 4.12

There are no bypasses. Manual reset is provided on a per-train basis, as described in Section 7.3.3.1.1(3).

Periodic testing of the mechanical components is discussed in Section 9.4.2.

REFERENCES Section 7.3:

7.3-1 Reid, J. B., "Process Instrumentation for Westinghouse Nuclear Steam Supply System (4 Loop Plant Using WCID 7300 Series Process Instrumentation)", WCAP-7913 (January 1973). (Additional background information only)

7.3-2 Katz, D. N., "Solid State Logic Protection System Description", WCAP-7488-L, Proprietary (March 3, 1971) and WCAP-7672, Nonproprietary (May 1971). (Additional background information only)

7.3-3 Swogger, J. W., "Testing of Engineered Safety Features Actuation System", WCAP-7705, Revision 2 (May 1976). (Information only, i.e., not a generic topical WCAP.)

7.3-4 Mesmeringer, J. C., "Failure Mode and Effects Analysis (FMEA) of the Engineered Safety Features Actuation System", WCAP-8584, Revision 1, Proprietary, February 1980 and WCAP-8760, Revision 1, Nonproprietary, February 1980.

7.3-5 STPNOC Design Specification 5Z010ZS1101, "Precautions, Limitations, and Setpoints," Rev. 3

TABLE 7.3-2 INSTRUMENTATION OPERATING CONDITION FOR WESTINGHOUSE ESFAS

| No. | Functional Unit | No. of Channels | No. of Channels To Trip |
|---|---|---|---|
| 1. | Safety Injection Signal*** (See Figures 7.2-8 and 7.2-9) | | |
| | a. Manual | 2 | 1 |
| | b. HI-1 Containment pressure | 3 | 2 |
| | c. Low compensated steam line pressure* | 12 (3/steam line) | 2/3 in any steam line |
| | d. Pressurizer low pressure* | 4 | 2 |
| 2. | Containment Spray Signal (See Figure 7.2-8) | | |
| | a. Manual** | 2 | 1 |
| | b. Containment pressure HI-3 | 4 | 2 |
| 3. | Auxiliary Feedwater Initiation Signal (See Figure 7.2-16) | | |
| | a. Safety Injection Signal | See Item 1 of this table | |
| | b. Steam generator low-low water level | 16 (4/SG) | 2/4 in any SG |

-11 (nominally 1985 psig).

** Manual actuation of Containment spray is accomplished by actuating either of two sets (two switches per set). Both switches in a set must be actuated to obtain a manually initiated spray signal. The sets are wired to meet separation and single-failure requirements of IEEE 279-1971. Simultaneous separation of two switches is desirable to prevent inadvertent spray actuation.

*** Excessive Cooldown Protection has been deleted. However, the Tcold analog signal which provides monitoring function will be maintained.

TABLE 7.3-2A FUNCTIONS/SYSTEMS ACTUATED BY WESTINGHOUSE ESFAS SIGNALS

Safety Injection Signal Containment Spray Signal Reactor Trip System Containment Spray System Turbine Trip Containment Isolation Phase B Feedwater Isolation Auxiliary Feedwater System Standby Diesel Generators Auxiliary Feedwater Initiation Signal Component Cooling Water System Auxiliary Feedwater System Safety Injection System Steam Generator Blowdown Isolation Essential Cooling Water System Steam Generator Sample Isolation Reactor Containment Fan Coolers Containment Isolation Phase A Containment Ventilation Isolation Main Steamline Isolation Control Room Envelope HVAC System Steamline Bypass Valve Closure EAB Main Area HVAC System Main Steam Isolation Valve Closure FHB HVAC Exhaust Subsystem ESF Load Sequencers Essential Chilled Water System Electrical Penetration Space HVAC System

TABLE 7.3-3 INSTRUMENT OPERATING CONDITIONS FOR ISOLATION FUNCTIONS

| No. | Functional Unit | No. of Channels | No. of Channels To Trip |
|---|---|---|---|
| 1. | Containment Isolation Phase A (See Figure 7.2-8) | | |
| | a. Safety Injection | See item 1 (a through e) of Table 7.3-2 | |
| | b. Manual | 2 | 1 |
| 2. | Steamline Isolation (See Figure 7.2-8) | | |
| | a. High steam pressure negative rate (enabled by low compensated steam line pressure SI Block - see Figure 7.2-9) | 12 (3/steam line) | 2/3 in any steam line |
| | b. Low compensated steam line pressure** | 12 (3/steam line) | 2/3 in any steam line |
| | c. Manual* | 2 | 1 |
| | d. Containment Pressure HI-2 | 3 | 2 |
| 3. | Feedwater Line Isolation (See Figures 7.2-8 and 7.2-14) | | |
| | a. SG hi-hi water level | 16 (4/SG) | 2/4 in any SG |
| | b. Safety Injection | See item 1 (a through e) of Table 7.3-2 | |
| | c. Low Tavg (interlocked with P-4) | 4 (1 per loop) | 2 |

* In addition to the two system-level steam line isolation switches, each steam loop is provided with switches to effect steam line isolation in that loop.

-11 (nominally 1985 psig).

TABLE 7.3-3 (Continued) INSTRUMENT OPERATING CONDITIONS FOR ISOLATION FUNCTIONS

| No. | Functional Unit | No. of Channels | No. of Channels To Trip |
|---|---|---|---|
| 4. | Containment Isolation Phase B | | |
| | a. Containment Spray | See item 2 (a and b) of Table 7.3-2 | |
| 5. | Containment Ventilation Isolation | | |
| | a. Safety Injection | See item 1 (a through e) of Table 7.3-2 | |
| | b. Manual Containment Spray Actuation | See item 2a of Table 7.3-2 | |
| | c. Manual Containment Isolation Phase A | See item 1b of this table | |
| | d. High radiation signal* | 2 | 1 |

* High radiation signal is derived from 1 of the two Class 1E RCB Purge Isolation monitors. High radiation signal is redundantly provided to logic trains R and S. These radiation monitors are discussed in Section 11.5.

TABLE 7.3-4 INTERLOCKS FOR ENGINEERED SAFETY FEATURES ACTUATION SYSTEM

| Designation | Input | Function Performed |
|---|---|---|
| P-4 | Reactor tripped | Presence of P-4 signal activates turbine trip* |
| | | Presence of P-4 signal closes main FW valves on Tavg below set point |
| | | Presence of P-4 signal prevents opening of main FW valves which are closed by SI or high SG water level |
| | | Presence of P-4 signal allows manual reset/block of automatic safety injection signal |
| | | Absence of P-4 signal defeats the manual reset/block for safety injection |
| | | Presence of P-4 signal with the Source Range Blocked provides a non-protective function that closes SG Blowdown isolation valves. The isolation valves can be reopened after the Source Range Block is reset. |
| P-11 | 2/3 pressurizer pressure below setpoint | Presence of P-11 allows manual block of SI on low pressurizer pressure |
| | | Presence of P-11 allows manual block of SI and main steam isolation on low compensated steam line pressure (Figure 7.2-9) |
| | | Absence of P-11 opens all accumulator discharge isolation valves. |
| P-12 | 2/4 Tavg below low-low setpoint | Presence of P-12 blocks steam dump except for cooldown condenser dump valves |
| | | Presence of P-12 allows manual bypass of steam dump block for the cooldown valves only |
| P-14 | 2/4 SG water level above setpoint on any SG | Presence of P-14 closes all FW control and bypass valves |
| | | Presence of P-14 trips all main FW pumps and closes all FW isolation and bypass valves |
| | | Presence of P-14 actuates turbine trip |

-16. The P-16 signal trips the turbine. The P-16 signal is present when either the P-4 signal is present (indicating the reactor trip circuit breaker(s) are open) or the reactor trip train-oriented logic signal is present.

TABLE 7.3-5 SAFETY-INJECTION-ACTUATED EQUIPMENT LIST

| SYSTEM | EQUIP. IDENTIF. | DESCRIPTION | ESF TRAIN | FUNCTION | FIGURE NUMBER | P & ID NUMBER | LOGIC NUMBER |
|---|---|---|---|---|---|---|---|
| CC | CC0032 | CCW TO SFP HEAT EXCHANGERS ISOLATION VALVE | B | CLOSE | 9.2.2-4 | 9F05020 | Z42045 |
| CC | CC0052 | CCW COMMON HEADER OUTLET VALVE | A | OPEN** | 9.2.2-4 | 9F05020 | Z42044 |
| CC | CC0057 | CCW RCFC SUPPLY ISOLATION VALVE | A | OPEN | 9.2.2-1 | 9F05017 | Z42042 |
| CC | CC0059 | RCFC CHILLED WATER SUPPLY ISOLATION VALVE | A | CLOSE | 9.2.2-1 | 9F05017 | Z42041 |
| CC | CC0069 | CCW RCFC RETURN ISOLATION VALVE | A | OPEN | 9.2.2-1 | 9F05017 | Z42042 |
| CC | CC0070 | RCFC CHILLED WATER RETURN ISOLATION VALVE | A | CLOSE | 9.2.2-1 | 9F05017 | Z42041 |
| CC | CC0132 | CCW COMMON HEADER OUTLET VALVE | B | OPEN** | 9.2.2-4 | 9F05020 | Z42044 |
| CC | CC0136 | CCW RCFC SUPPLY ISOLATION VALVE | B | OPEN | 9.2.2-2 | 9F05018 | Z42042 |
| CC | CC0137 | RCFC CHILLED WATER SUPPLY ISOLATION VALVE | B | CLOSE | 9.2.2-2 | 9F05018 | Z42041 |
| CC | CC0148 | CCW RCFC RETURN ISOLATION VALVE | B | OPEN | 9.2.2-2 | 9F05018 | Z42042 |
| CC | CC0149 | RCFC CHILLED WATER RETURN ISOLATION VALVE | B | CLOSE | 9.2.2-2 | 9F05018 | Z42041 |
| CC | CC0192 | CCW COMMON HEADER OUTLET VALVE | C | OPEN** | 9.2.2-4 | 9F05020 | Z42044 |
| CC | CC0197 | CCW RCFC SUPPLY ISOLATION VALVE | C | OPEN | 9.2.2-3 | 9F05019 | Z42042 |
| CC | CC0199 | RCFC CHILLED WATER SUPPLY ISOLATION VALVE | C | CLOSE | 9.2.2-3 | 9F05019 | Z42041 |
| CC | CC0209 | RCFC CHILLED WATER RETURN ISOLATION VALVE | C | CLOSE | 9.2.2-3 | 9F05019 | Z42041 |
| CC | CC0210 | CCW RCFC RETURN ISOLATION VALVE | C | OPEN | 9.2.2-3 | 9F05019 | Z42042 |
| CC | CC0235 | CCW TO NON-ESSENTIAL LOADS ISOLATION VALVE | A | CLOSE | 9.2.2-4 | 9F05020 | Z42045 |
| CC | CC0236 | CCW TO NON-ESSENTIAL LOADS ISOLATION VALVE | C | CLOSE | 9.2.2-4 | 9F05020 | Z42045 |
| CC | CC0297 | CCW TO EXCESS LETDOWN & RCDT HXs ISOLATION VALVE | A | CLOSE | 9.2.2-5 | 9F05021 | Z42053 |
| CC | CC0312 | CCW COMMON HEADER INLET VALVE | C | OPEN** | 9.2.2-4 | 9F05020 | Z42044 |
| CC | CC0314 | CCW COMMON HEADER INLET VALVE | B | OPEN** | 9.2.2-4 | 9F05020 | Z42044 |
| CC | CC0316 | CCW COMMON HEADER INLET VALVE | A | OPEN** | 9.2.2-4 | 9F05020 | Z42044 |
| CC | CC0392 | CCW TO RCDT HX ISOLATION VALVE | C | CLOSE | 9.2.2-5 | 9F05021 | Z42054 |
| CC | CC0393 | CCW TO EXCESS LETDOWN HX ISOLATION VALVE | B | CLOSE | 9.2.2-5 | 9F05021 | Z42053 |
| CC | CC0447 | CCW TO SFP HEAT EXCHANGERS ISOLATION VALVE | C | CLOSE | 9.2.2-4 | 9F05020 | Z42045 |
| CC | CC0642 | CCW HEAT EXCHANGER BYPASS VALVE | A | CLOSE | 9.2.2-1 | 9F05017 | Z42055 |
| CC | CC0643 | CCW HEAT EXCHANGER THROTTLE VALVE | A | OPEN | 9.2.2-1 | 9F05017 | Z42055 |
| CC | CC0644 | CCW HEAT EXCHANGER BYPASS VALVE | B | CLOSE | 9.2.2-2 | 9F05018 | Z42055 |
| CC | CC0645 | CCW HEAT EXCHANGER THROTTLE VALVE | B | OPEN | 9.2.2-2 | 9F05018 | Z42055 |
| CC | CC0646 | CCW HEAT EXCHANGER BYPASS VALVE | C | CLOSE | 9.2.2-3 | 9F05019 | Z42055 |
| CC | CC0647 | CCW HEAT EXCHANGER THROTTLE VALVE | C | OPEN | 9.2.2-3 | 9F05019 | Z42055 |
| CC | CC0768 | CCW TO CHARGING PUMPS SUPPLY VALVE | A | OPEN** | 9.2.2-4 | 9F05020 | Z42064 |
| CC | CC0770 | CCW TO CHARGING PUMPS SUPPLY VALVE | B | OPEN** | 9.2.2-4 | 9F05020 | Z42065 |
| CC | CC0771 | CCW TO CHARGING PUMPS SUPPLY VALVE | C | OPEN** | 9.2.2-4 | 9F05020 | Z42065 |
| CC | CC0772 | CCW TO CHARGING PUMPS RETURN VALVE | A | OPEN** | 9.2.2-4 | 9F05020 | A42064 |
| CC | CC0774 | CCW TO CHARGING PUMPS RETURN VALVE | B | OPEN** | 9.2.2-4 | 9F05020 | Z42065 |
| CC | CC0775 | CCW TO CHARGING PUMPS RETURN VALVE | C | OPEN** | 9.2.2-4 | 9F05020 | Z42065 |
| CC | CCW PUMP 1A | COMPONENT COOLING WATER PUMP 1A | A | START* | 9.2.2-1 | 9F05017 | Z42040 |
| CC | CCW PUMP 1B | COMPONENT COOLING WATER PUMP 1B | B | START* | 9.2.2-2 | 9F05018 | Z42040 |
| CC | CCW PUMP 1C | COMPONENT COOLING WATER PUMP 1C | C | START* | 9.2.2-3 | 9F05019 | Z42040 |
| CC | FV-4531 | CCW TO RHR HEAT EXCHANGER ISOLATION VALVE | A | OPEN | 9.2.2-1 | 9F05017 | Z42058 |
| CC | FV-4540 | CCW TO POST ACCIDENT SAMPLING PANEL ISOLATION VALVE | A | CLOSE | 9.2.2-4 | 9F05020 | Z42067 |
| CC | FV-4541 | CCW TO POST ACCIDENT SAMPLING PANEL ISOLATION VALVE | B | CLOSE | 9.2.2-4 | 9F05020 | Z42067 |
| CC | FV-4548 | CCW TO RHR HEAT EXCHANGER ISOLATION VALVE | B | OPEN | 9.2.2-2 | 9F05018 | Z42058 |
| CC | FV-4565 | CCW TO RHR HEAT EXCHANGER ISOLATION VALVE | C | OPEN | 9.2.2-3 | 9F05019 | Z42058 |
| CC | FV-0862 | RCFC CHILLED WATER RETURN ISOLATION VALVE | B | CLOSE | 9.2.2-1 | 9F05017 | Z42068 |
| CC | FV-0863 | RCFC CHILLED WATER RETURN ISOLATION VALVE | C | CLOSE | 9.2.2-2 | 9F05018 | Z42068 |
| CC | FV-0864 | RCFC CHILLED WATER RETURN ISOLATION VALVE | A | CLOSE | 9.2.2-3 | 9F05019 | Z42068 |
| CH | CH PUMP 11A | ESSENTIAL CHILLED WATER PUMP 11A | A | START* | 9.4.1-4 | 9V10001 | Z41570 |
| CH | CH PUMP 11B | ESSENTIAL CHILLED WATER PUMP 11B | B | START* | 9.4.1-4 | 9V1001 | Z41570 |
| CH | CH PUMP 11C | ESSENTIAL CHILLED WATER PUMP 11C | C | START* | 9.4.1-4 | 9V10001 | Z41570 |
| CH | ESS CLR 004 | ESSENTIAL CHILLER 12A | A | START* | 9.4.1-4 | 9V10001 | Z41593 |
| CH | ESS CLR 005 | ESSENTIAL CHILLER 12B | B | START* | 9.4.1-4 | 9V10001 | Z41593 |
| CH | ESS CLR 006 | ESSENTIAL CHILLER 12C | C | START* | 9.4.1-4 | 9V10001 | Z41593 |
| CH | TV-9476A | CONTROL ROOM COOLING COILS CHILLER WATER OUTLET VALVE | A | OPEN | 9.4.1-4 | 9V10002 | Z41592 |
| CH | TV-9476B | CONTROL ROOM CHILLED WATER COOLING COILS BYPASS VALVE | A | CLOSE | 9.4.1-4 | 9V10002 | Z41592 |
| CH | TV-9477A | EAB MAIN AREA COOLING COILS CHILLED WATER OUTLET VALVE | A | OPEN | 9.4.1-4 | 9V10002 | Z41592 |
| CH | TV-9744B | EAB MAIN AREA CHILLED WATER COOLING COILS BYPASS VALVE | A | CLOSE | 9.4.1-4 | 9V10002 | Z41592 |
| CH | TV-9486A | CONTROL ROOM COOLING COILS CHILLED WATER OUTLET VALVE | B | OPEN | 9.4.1-4 | 9V10002 | Z41592 |
| CH | TV-9486B | CONTROL ROOM CHILLED WATER COOLING COILS BYPASS VALVE | B | CLOSE | 9.4.1-4 | 9V10002 | Z41592 |
| CH | TV-9487A | EAB MAIN AREA COOLING COILS CHILLED WATER OUTLET VALVE | B | OPEN | 9.4.1-4 | 9V10002 | Z41592 |
| CH | TV-9487B | EAB MAIN AREA CHILLED WATER COOLING COILS BYPASS VALVE | B | CLOSE | 9.4.1-4 | 9V10002 | Z41592 |
| CH | TV-9496A | CONTROL ROOM COOLING COILS CHILLED WATER OUTLET VALVE | C | OPEN | 9.4.1-4 | 9V10002 | Z41592 |
| CH | TV-9496B | CONTROL ROOM CHILLED WATER COOLING COILS BYPASS VALVE | C | CLOSE | 9.4.1-4 | 9V10002 | Z41592 |
| CH | TV-9497A | EAB MAIN AREA COOLING COILS CHILLED WATER OUTLET VALVE | C | OPEN | 9.4.1-4 | 9V10002 | Z41592 |
| CH | TV-9497B | EAB MAIN AREA CHILLED WATER COOLING COILS BYPASS VALVE | C | CLOSE | 9.4.1-4 | 9V10002 | Z41592 |
| CV | XCV0112B | VCT OUTLET ISOLATION VALVE | C | CLOSE | 9.3.4-3 | 9F05007 | Z42415 |
| CV | XCV0112C | RWST TO CHARGING PUMPS SUCTION ISOLATION VALVE | C | OPEN | 9.3.4-3 | 9F05007 | Z42414 |
| CV | XCV0113A | VCT OUTLET ISOLATION VALVE | B | CLOSE | 9.3.4-3 | 9F05007 | Z42415 |
| CV | XCV0113B | RWST TO CHARGING PUMPS SUCTION ISOLATION VALVE | B | OPEN | 9.3.4-3 | 9F05007 | Z42414 |
| DG | DG 11 | STANDBY DIESEL GENERATOR 11 | A | START | 8.3-4 SH1 | NONE | Z42100 |
| DG | DG 12 | STANDBY DIESEL GENERATOR 12 | B | START | 8.3-4 SH1 | NONE | Z42100 |
| DG | DG 13 | STANDBY DIESEL GENERATOR 13 | C | START | 8.3-4 SH1 | NONE | Z42100 |
| EW | BOOST PUMP 1A | ECW SCREEN WASH BOOSTER PUMP 1A | A | START** | 9.2.2.1-4 | 9F05039 | Z42078 |
| EW | BOOST PMP 1B | ECW SCREEN WASH BOOSTER PUMP 1B | B | START** | 9.2.1-4 | 9F05039 | Z42078 |
| EW | BOOST PMP 1C | ECW SCREEN WASH BOOSTER PUMP 1C | C | START** | 9.2.1-4 | 9F05039 | Z42078 |
| EW | ECW PUMP 1A | ESSENTIAL COOLING WATER PUMP 1A | A | START* | 9.2.1-3 | 9F05038 | Z42077 |
| EW | ECW PUMP 1B | ESSENTIAL COOLING WATER PUMP 1B | B | START* | 9.2.1-3 | 9F05038 | Z42077 |
| EW | ECW PUMP IC | ESSENTIAL COOLING WATER PUMP 1C | C | START* | 9.2.2-3 | 9F05038 | Z42077 |
| EW | ECW STRNR 1A | ECW SELF-CLEANING STRAINER 1A | A | RUN** | 9.2.1-3 | 9F05038 | Z42080 |
| EW | ECW STRNR 1B | ECW SELF-CLEANING STRAINER 1B | B | RUN** | 9.2.1-3 | 9F05038 | Z42080 |
| EW | ECW STRNR 1C | ECW SELF-CLEANING STRAINER 1C | C | RUN** | 9.2.1-3 | 9F05038 | Z42080 |
| EW | EWO121 | ECW PUMP DISCHARGE VALVE | A | OPEN** | 9.2.1-3 | 9F05038 | Z42081 |
| EW | EWO137 | ECW PUMP DISCHARGE VALVE | B | OPEN** | 9.2.1-3 | 9F05038 | Z42081 |
| EW | EWO151 | ECW PUMP DISCHARGE VALVE | C | OPEN** | 9.2.1-3 | 9F05038 | Z42081 |
| EW | FV-6914 | ECW SCREEN WASH VALVE | A | OPEN** | 9.2.1-4 | 9F05039 | Z42082 |
| EW | FV-6924 | ECW SCREEN WASH VALVE | B | OPEN** | 9.2.1-4 | 9F05039 | Z42082 |
| EW | FV-6934 | ECW SCREEN WASH VALVE | C | OPEN** | 9.2.1-4 | 9F05039 | Z42082 |
| EW | FV-6935 | ECW BLOWDOWN ISOLATION VALVE | A | CLOSE | 9.2.1-3 | 9F05038 | Z42083 |
| EW | FV-6936 | ECW BLOWDOWN ISOLATION VALVE | B | CLOSE | 9.2.1-3 | 9F05038 | Z42083 |
| EW | FV-6937 | ECW BLOWDOWN ISOLATION VALVE | C | CLOSE | 9.2.1-3 | 9F05038 | Z42083 |
| EW | TRAV SCRN 1A | ECW TRAVELLING WATER SCREEN 1A | A | START | 9.2.1-4 | 9F05039 | Z42079 |
| EW | TRAV SCRN 1B | ECW TRAVELLING WATER SCREEN 1B | B | START | 9.2.1-4 | 9F05039 | Z42079 |
| EW | TRAV SCRN 1C | ECW TRAVELLING WATER SCREEN 1C | C | START | 9.2.1-4 | 9F05039 | Z42079 |
| HC | RCB FAN 027 | CONTAINMENT CUBICLES EXHAUST FAN 11A | A | TRIP | 6.2.2-4 | 9V00016 | Z41657 |
| HC | RCB FAN 028 | CONTAINMENT CUBICLES EXHAUST FAN 11B | B | TRIP | 6.2.2-4 | 9V00016 | Z41657 |
| HC | RCB FAN 029 | CONTAINMENT CUBICLES EXHAUST FAN 12A | A | TRIP | 6.2.2-4 | 9V00016 | Z41657 |
| HC | RCB FAN 030 | CONTAINMENT CUBICLES EXHAUST FAN 12B | C | TRIP | 6.2.2-4 | 9V00016 | Z41657 |
| HC | RCFC FAN 001 | REACTOR CONTAINMENT FAN COOLER 11A | A | START* | 6.2.2-4 | 9V00016 | Z41630 |
| HC | RCFC FAN 002 | REACTOR CONTAINMENT FAN COOLER 12A | A | START* | 6.2.2-4 | 9V00016 | Z41630 |
| HC | RCFC FAN 003 | REACTOR CONTAINMENT FAN COOLER 11B | B | START* | 6.2.2-4 | 9V00016 | Z41630 |
| HC | RCFC FAN 004 | REACTOR CONTAINMENT FAN COOLER 12B | B | START* | 6.2.2-4 | 9V00016 | Z41630 |
| HC | RCFC FAN 005 | REACTOR CONTAINMENT FAN COOLER 11C | C | START* | 6.2.2-4 | 9V00016 | Z41630 |
| HC | RCFC FAN 006 | REACTOR CONTAINMENT FAN COOLER 12C | C | START* | 6.2.2-4 | 9V00016 | Z41630 |
| HE | EAB FAN 001 | EAB HVAC RETURN AIR FAN 11A | A | START* | 9.4.1-1 | 9V25000 | Z41703 |
| HE | EAB FAN 002 | EAB HVAC RETURN AIR FAN 11B | B | START* | 9.4.1-1 | 9V25000 | Z41703 |
| HE | EAB FAN 003 | EAB HVAC RETURN AIR FAN 11C | C | START* | 9.4.1-1 | 9V25000 | Z41703 |
| HE | EAB FAN 010 | EAB BATTERY ROOM EXHAUST FAN 11A | A | START | 9.4.1-1 | 9V25000 | Z41573 |
| HE | EAB FAN 011 | EAB BATTERY ROOM EXHAUST FAN 11B | B | START | 9.4.1-1 | 9V25000 | Z41573 |
| HE | EAB FAN 012 | EAB BATTERY ROOM EXHAUST FAN 11C | C | START | 9.4.1-1 | 9V25000 | Z41573 |
| HE | EAB FAN 014 | EAB HVAC SUPPLY AIR FAN 11A | A | START* | 9.4.1-1 | 9V25000 | Z41572 |
| HE | EAB FAN 015 | EAB HVAC SUPPLY AIR FAN 11B | B | START* | 9.4.1-1 | 9V25000 | Z41572 |
| HE | EAB FAN 016 | EAB HVAC SUPPLY AIR FAN 11C | C | START* | 9.4.1-1 | 9V25000 | Z41572 |
| HE | EAB FAN 030 | ELECTRICAL PENETRATION SPACE EMERGENCY FAN 11C | C | START | 9.4.1-1 | 9V00020 | Z41724 |
| HE | EAB FAN 031 | ELECTRICAL PENETRATION SPACE EMERGENCY FAN 11B | B | START | 9.4.1-1 | 9V00020 | Z41724 |
| HE | EAB FAN 032 | ELECTRICAL PENETRATION SPACE EMERGENCY FAN 11A | A | START | 9.4.1-1 | 9V00020 | Z41724 |
| HE | EAB HEATER | EAB SPACE HEATER PANEL BREAKER | A | TRIP | NONE | NONE | EVFAD01 |
| HE | EAB HEATER | EAB SPACE HEATER PANEL BREAKER | B | TRIP | NONE | NONE | EVFAD01 |
| HE | EAB HEATER | EAB SPACE HEATER PANEL BREAKER | C | TRIP | NONE | NONE | EVFAD01 |
| HE | EAB HX 009 | EAB MAIN AIR HANDLING UNIT HEATING COIL 11A | Abandoned | | | | |
| HE | EAB HX 012 | EAB MAIN AIR HANDLING UNIT HEATING COIL 11B | B | TRIP | 9.4.1-1 | 9V25000 | Z41708 |
| HE | EAB HX 015 | EAB MAIN AIR HANDLING UNIT HEATING COIL 11C | C | TRIP | 9.4.1-1 | 9V25000 | Z41708 |
| HE | FV-9603 | CONTROL ROOM HVAC HALON FIRE PROTECTION DAMPER | A | OPEN | 9.4.1-2 | 9V25005 | Z41702 |
| HE | FV-9603 | CONTROL ROOM HVAC HALON FIRE PROTECTION DAMPER | B | OPEN | 9.4.1-2 | 9V25005 | Z41702 |
| HE | FV-9652 | EAB SUPPLY AIR HANDLING UNIT OUTLET DAMPER | C | CLOSE** | 9.4.1-1 | 9V25000 | Z41581 |
| HE | FV-9653 | EAB SUPPLY AIR HANDLING UNIT OUTLET DAMPER | C | OPEN** | 9.4.1-1 | 9V25000 | Z41581 |
| HE | FV-9654 | EAB SUPPLY AIR HANDLING UNIT OUTLET DAMPER | B | CLOSE** | 9.4.1-1 | 9V25000 | Z41581 |
| HE | FV-9655 | EAB SUPPLY AIR HANDLING UNIT OUTLET DAMPER | B | OPEN** | 9.4.1-1 | 9V25000 | Z41581 |
| HE | FV-9656 | EAB SUPPLY AIR HANDLING UNIT OUTLET DAMPER | A | CLOSE** | 9.4.1-1 | 9V25000 | Z41581 |
| HE | FV-9657 | EAB SUPPLY AIR HANDLING UNIT OUTLET DAMPER | A | OPEN** | 9.4.1-1 | 9V25000 | Z41581 |
| HE | FV-9699 | CONTROL ROOM HVAC HALON FIRE PROTECTION DAMPER | A | OPEN | 9.4.1-2 | 9V25005 | Z41702 |
| HE | FV-9699 | CONTROL ROOM HVAC HALON FIRE PROTECTION DAMPER | B | OPEN | 9.4.1-2 | 9V25005 | Z41702 |
| HE | FV-9700 | CONTROL ROOM HVAC HALON FIRE PROTECTION DAMPER | A | OPEN | 9.4.1-2 | 9V25005 | Z41702 |
| HE | FV-9700 | CONTROL ROOM HVAC HALON FIRE PROTECTION DAMPER | B | OPEN | 9.4.1-2 | 9V25005 | Z41702 |
| HE | REHEAT COIL | CONTROL ROOM & EAB HVAC OUTSIDE AIR REHEAT COIL BREAKER | A | TRIP** | 9.4.1-2 | 9V25003 | Z41770 |
| HE | REHEAT COIL | EAB REHEAT COILS BREAKER (1) | A | TRIP | 9.4.1-1 | 9V25001 | Z41704 |
| HE | REHEAT COILS | EAB REHEAT COILS BREAKERS (6) | A | TRIP | 9.4.1-1 | 9V25002 | Z41704 |
| HE | REHEAT COILS | EAB REHEAT COILS BREAKERS (4) | A | TRIP | 9.4.1-2 | 9V25005 | Z41704 |
| HF | FHB AHU 004 | ESF PUMPS SUPPLEMENTARY COOLER 11A | A | START** | 9.4.2-1 | 9V00012 | Z41614 |
| HF | FHB AHU 005 | ESF PUMPS SUPPLEMENTARY COOLER 11B | B | START** | 9.4.2-1 | 9V00012 | Z41614 |
| HF | FHB AHU 006 | ESF PUMPS SUPPLEMENTARY COOLER 11C | C | START** | 9.4.2-1 | 9V00012 | Z41614 |
| HF | FHB AHU 012 | SUPPLEMENTARY COOLER - SUMP ISOLATION VALVE CUBICLE 11A | A | START** | 9.4.2-1 | 9V00012 | Z41741 |
| HF | FHB AHU 013 | SUPPLEMENTARY COOLER - SUMP ISOLATION VALVE CUBICLE 11B | B | START** | 9.4.2-1 | 9V00012 | Z41741 |
| HF | FHB AHU 014 | SUPPLEMENTARY COOLER - SUMP ISOLATION VALVE CUBICLE 11C | C | START** | 9.4.2-1 | 9V00012 | Z41741 |
| HG | DGB FAN 001 | DIESEL GENERATOR ROOM EMERGENCY VENT FAN 11A | A | START** | 9.4.6-1 | 9V00015 | Z41621 |
| HG | DGB FAN 002 | DIESEL GENERATOR ROOM EMERGENCY VENT FAN 11B | B | START** | 9.4.6-1 | 9V00015 | Z41621 |
| HG | DGB FAN 003 | DIESEL GENERATOR ROOM EMERGENCY VENT FAN 11C | C | START** | 9.4.6-1 | 9V00015 | Z41621 |
| HG | TV-9743 | DIESEL GENERATOR ROOM RECIRCULATION DAMPER | A | CLOSE** | 9.4.6-1 | 9V00015 | Z41622 |
| HG | TV-9743A | DIESEL GENERATOR ROOM INTAKE DAMPER | A | OPEN** | 9.4.6-1 | 9V00015 | Z41622 |
| HG | TV-9744 | DIESEL GENERATOR ROOM RECIRCULATION DAMPER | B | CLOSE** | 9.4.6-1 | 9V00015 | Z41622 |
| HG | TV-9744A | DIESEL GENERATOR ROOM INTAKE DAMPER | B | OPEN** | 9.4.6-1 | 9V00015 | Z41622 |
| HG | TV-9745 | DIESEL GENERATOR ROOM RECIRCULATION DAMPER | C | CLOSE** | 9.4.6-1 | 9V00015 | Z41622 |
| HG | TV-9745A | DIESEL GENERATOR ROOM INTAKE DAMPER | C | OPEN** | 9.4.6-1 | 9V00015 | Z41622 |
| HM | MAB AHU 001 | CCW PUMP SUPPLEMENTARY COOLER 11A | A | START** | 9.4.3-3 | 9V00008 | Z41553 |
| HM | MAB AHU 002 | CCW PUMP SUPPLEMENTARY COOLER 11B | B | START** | 9.4.3-3 | 9V00008 | Z41553 |
| HM | MAB AHU 003 | CCW PUMP SUPPLEMENTARY COOLER 11C | C | START** | 9.4.3-3 | 9V00008 | Z41553 |
| HM | MAB AHU 007 | CVCS VALVE CUBICLE ROOM 044 FAN COOLER | C | START | 9.4.3-3 | 9V00008 | Z41553 |
| HM | MAB AHU 010 | CVCS VALVE CUBICLE ROOM 033 FAN COOLER 11A | A | START | 9.4.3-3 | 9V00008 | Z41553 |
| HM | MAB AHU 011 | CVCS VALVE CUBICLE ROOM 033 FAN COOLER 11B | B | START | 9.4.3-3 | 9V00008 | Z41553 |
| HM | MAB AHU 014 | CVCS VALVE CUBICLE ROOM 226 FAN COOLER 11A | B | START | 9.4.3-3 | 9V00008 | Z41553 |
| HM | MAB AHU 015 | CVCS VALVE CUBICLE ROOM 226 FAN COOLER 11B | C | START | 9.4.3-3 | 9V00008 | Z41553 |
| HM | MAB AHU 019 | ESSENTIAL CHILLER AREA ROOM 067 FAN COOLER 11A | A | START | 9.4.3-3 | 9V00008 | Z41553 |
| HM | MAB AHU 020 | ESSENTIAL CHILLER AREA ROOM 067E FAN COOLER 11B | B | START | 9.4.3-3 | 9V00008 | Z41553 |
| HM | MAB AHU 021 | ESSENTIAL CHILLER AREA ROOM 067F FAN COOLER 11C | C | START | 9.4.3-3 | 9V00008 | Z41553 |
| HM | MAB AHU 022 | RADIATION & HYDROGEN MONITORS ROOM FAN COOLER 11A | A | START | 9.4.3-3 | 9V00008 | Z41554 |
| HM | MAB AHU 023 | RADIATION & HYDROGEN MONITORS ROOM FAN COOLER 11B | C | START | 9.4.3-3 | 9V00008 | Z41554 |
| HZ | ECW FAN 001 | ECW PUMP CUBICLE VENT FAN 11A | A | START** | 9.4.7-1 | 9V00027 | Z41674 |
| HZ | ECW FAN 002 | ECW PUMP CUBICLE VENT FAN 12A | A | START** | 9.4.7-1 | 9V00027 | Z41674 |
| HZ | ECW FAN 003 | ECW PUMP CUBICLE VENT FAN 11B | B | START** | 9.4.7-1 | 9V00027 | Z41674 |
| HZ | ECW FAN 004 | ECW PUMP CUBICLE VENT FAN 12B | B | START** | 9.4.7-1 | 9V00027 | Z41674 |
| HZ | ECW FAN 005 | ECW PUMP CUBICLE VENT FAN 11C | C | START** | 9.4.7-1 | 9V00027 | Z41674 |
| HZ | ECW FAN 006 | ECW PUMP CUBICLE VENT FAN 12C | C | START** | 9.4.7-1 | 9V00027 | Z41674 |
| HZ | ECWIS HTR | ECW INTAKE STRUCTURE SPACE HEATER PANEL BREAKER | A | TRIP | NONE | NONE | EVFAC01 |
| HZ | ECWIS HTR | ECW INTAKE STRUCTURE SPACE HEATER PANEL BREAKER | B | TRIP | NONE | NONE | EVFAC01 |
| HZ | ECWIS HTR | ECW INTAKE STRUCTURE SPACE HEATER PANEL BREAKER | C | TRIP | NONE | NONE | EVFAC01 |
| HZ | FV-9894 | ECW PUMP CUBICLE INTAKE DAMPER | A | OPEN** | 9.4.7-1 | 9V00027 | Z41675 |
| HZ | FV-9894A | ECW PUMP CUBICLE EXHAUST DAMPER | A | OPEN** | 9.4.7-1 | 9V00027 | Z41675 |
| HZ | FV-9895 | ECW PUMP CUBICLE INTAKE DAMPER | B | OPEN** | 9.4.7-1 | 9V00027 | Z41675 |
| HZ | FV-9895A | ECW PUMP CUBICLE EXHAUST DAMPER | B | OPEN** | 9.4.7-1 | 9V00027 | Z41675 |
| HZ | FV-9896 | ECW PUMP CUBICLE INTAKE DAMPER | C | OPEN** | 9.4.7-1 | 9V00027 | Z41675 |
| HZ | FV-9896A | ECW PUMP CUBICLE EXHAUST DAMPER | C | OPEN** | 9.4.7-1 | 9V00027 | Z41675 |
| PM | MCC 1A5 | MCC - NON-CLASS 1E LOADS CONNECTED TO CLASS 1E BUS | A | TRIP | NONE | NONE | EPMAK01 |
| PM | MCC 1B5 | MCC - NON-CLASS 1E LOADS CONNECTED TO CLASS 1E BUS | B | TRIP | NONE | NONE | EPMAL01 |
| PM | MCC 1C5 | MCC - NON-CLASS 1E LOADS CONNECTED TO CLASS 1E BUS | C | TRIP | NONE | NONE | EPMAM01 |
| RC | PZR HTR 1A | PRESSURIZER HEATER BACKUP GROUP 1A | A | TRIP | NONE | NONE | Z42151 |
| RC | PAR HTR 1B | PRESSURIZER HEATER BACKUP GROUP 1B | C | TRIP | NONE | NONE | Z42151 |
| RH | RHR PUMP 1A | RESIDUAL HEAT REMOVAL PUMP 1A | A | STOP | 5.4-6 | 9F20000 | Z42180 |
| RH | RHR PUMP 1B | RESIDUAL HEAT REMOVAL PUMP 1B | B | STOP | 5.4-6 | 9F20000 | Z42180 |
| RH | RHR PUMP 1C | RESIDUAL HEAT REMOVAL PUMP 1C | C | STOP | 5.4-6 | 9F20000 | Z42180 |
| RM | FV-7659 | REACTOR MAKEUP WATER NON-ESSENTIAL SERVICES ISOL. VALVE | C | CLOSE | 9.2.7-1 | 9F05033 | Z40072 |
| RM | FV-7663 | REACTOR MAKEUP WATER NON-ESSENTIAL SERVICES ISOL. VALVE | B | CLOSE | 9.2.7-1 | 9F05033 | Z40072 |
| SI | FV-3936 | RWST TO SFPCCS ISOLATION VALVE | A | CLOSE | 6.3-1 | 9F05013 | Z42008 |
| SI | FV-3937 | RWST TO SFPCCS ISOLATION VALVE | B | CLOSE | 6.3-1 | 9F05013 | Z42008 |
| SI | HHSI PUMP 1A | HIGH HEAD SAFETY INJECTION PUMP 1A | A | START* | 6.3-1 | 9F05013 | Z42000 |
| SI | HHSI PUMP 1B | HIGH HEAD SAFETY INJECTION PUMP 1B | B | START* | 6.3-2 | 9F05014 | Z42000 |
| SI | HHSI PUMP 1C | HIGH HEAD SAFETY INJECTION PUMP 1C | C | START* | 6.3-3 | 9F05015 | Z42000 |
| SI | LHSI PUMP 1A | LOW HEAD SAFETY INJECTION PUMP 1A | A | START* | 6.3-1 | 9F05013 | Z42000 |
| SI | LHSI PUMP 1B | LOW HEAD SAFETY INJECTION PUMP 1B | B | START* | 6.3-2 | 9F05014 | Z42000 |
| SI | LHSI PUMP 1C | LOW HEAD SAFETY INJECTION PUMP 1C | C | START* | 6.3-3 | 9F05015 | Z42000 |
| SI | XSI0039A | ACCUMULATOR DISCHARGE ISOLATION VALVE | A | OPEN | 6.3-4 | 9F05016 | Z42028 |
| SI | XSI0039B | ACCUMULATOR DISCHARGE ISOLATION VALVE | B | OPEN | 6.3-4 | 9F05016 | Z42028 |
| SI | XSI0039C | ACCUMULATOR DISCHARGE ISOLATION VALVE | C | OPEN | 6.3-4 | 9F05016 | Z42028 |
| PK | DG 11 BRKR | STANDBY DIESEL GENERATOR FEEDER BREAKER | A | SEE FIG. | 8.3-4 SH3 | NONE | Z42121 |
| PK | DG 12 BRKR | STANDBY DIESEL GENERATOR FEEDER BREAKER | B | SEE FIG. | 8.3-4 SH3 | NONE | Z42121 |
| PK | DG 13 BRKR | STANDBY DIESEL GENERATOR FEEDER BREAKER | C | SEE FIG. | 8.3-4 SH3 | NONE | Z42121 |
| SF | SEQUENCER 1A | ESF LOAD SEQUENCER | A | START | 8.3-4 SH2 | NONE | Z42117 |
| SF | SEQUENCER 1B | ESF LOAD SEQUENCER | B | START | 8.3-4 SH2 | NONE | Z42118 |
| SF | SEQUENCER 1C | ESF LOAD SEQUENCER | C | START | 8.3-4 SH2 | NONE | Z42119 |

* Actuation is through the ESF load sequencer.

** Equipment not directly actuated by ESFAS signal. Actuation is from equipment directly actuated.

See also Tables 7.3-7, 7.3-9, 7.3-11, 7.3-15, 7.3-17 and 7.3-18. Safety injection signal is used as an input to signals actuating the equipment listed in those tables.

TABLE 7.3-6
CONTAINMENT SPRAY ACTUATED EQUIPMENT LIST

| SYSTEM | EQUIP. IDENTIF. | DESCRIPTION | ESF TRAIN | FUNCTION | FIGURE NUMBER | P & ID NUMBER | LOGIC NUMBER |
|---|---|---|---|---|---|---|---|
| CS | CSS PUMP 1A | CONTAINMENT SPRAY PUMP 1A | A | START* | 6.2.2-1 | 9F05037 | Z42130 |
| CS | CSS PUMP 1B | CONTAINMENT SPRAY PUMP 1B | B | START* | 6.2.2-1 | 9F05037 | Z42130 |
| CS | CSS PUMP 1C | CONTAINMENT SPRAY PUMP 1C | C | START* | 6.2.2-1 | 9F05037 | Z42130 |
| CS | XCS0001A | CONTAINMENT SPRAY PUMP DISCHARGE VALVE | A | OPEN | 6.2.2-1 | 9F05037 | Z42132 |
| CS | XCS0001B | CONTAINMENT SPRAY PUMP DISCHARGE VALVE | B | OPEN | 6.2.2-1 | 9F05037 | Z42132 |
| CS | XCS0001C | CONTAINMENT SPRAY PUMP DISCHARGE VALVE | C | OPEN | 6.2.2-1 | 9F05037 | Z42132 |
| HF | FHB AHU 004 | ESF PUMPS SUPPLEMENTARY COOLER 11A | A | START** | 9.4.2-1 | 9V00012 | Z41614 |
| HF | FHB AHU 005 | ESF PUMPS SUPPLEMENTARY COOLER 11B | B | START** | 9.4.2-1 | 9V00012 | Z41614 |
| HF | FHB AHU 006 | ESF PUMPS SUPPLEMENTARY COOLER 11C | C | START** | 9.4.2-1 | 9V00012 | Z41614 |
| HF | FHB AHU 012 | SUPPLEMENTARY COOLER - SUMP ISOLATION VALVE CUBICLE 11A | A | START** | 9.4.2-1 | 9V00012 | Z41741 |
| HF | FHB AHU 013 | SUPPLEMENTARY COOLER - SUMP ISOLATION VALVE CUBICLE 11B | B | START** | 9.4.2-1 | 9V00012 | Z41741 |
| HF | FHB AHU 014 | SUPPLEMENTARY COOLER - SUMP ISOLATION VALVE CUBICLE 11C | C | START** | 9.4.2-1 | 9V00012 | Z41741 |

* Actuation is through the ESF load sequencer.
** Equipment not directly actuated by ESFAS signal. Actuation is from equipment directly actuated.

TABLE 7.3-7
CONTAINMENT ISOLATION PHASE A ACTUATED EQUIPMENT LIST

| SYSTEM | EQUIP. IDENTIF. | DESCRIPTION | ESF TRAIN | FUNCTION | FIGURE NUMBER | P & ID NUMBER | LOGIC NUMBER |
|---|---|---|---|---|---|---|---|
| AP | FV-2453 | POST ACCIDENT SAMPLING CONT. ISOL. VALVE | A | CLOSE | 9.3.2-15 | 9Z47501 | Z41894 |
| AP | FV-2454 | POST ACCIDENT SAMPLING CONT. ISOL. VALVE | A | CLOSE | 9.3.2-15 | 9Z47501 | Z41896 |
| AP | FV-2455 | POST ACCIDENT SAMPLING CONT. ISOL. VALVE | B | CLOSE | 9.3.2-15 | 9Z47501 | Z41925 |
| AP | FV-2455A | POST ACCIDENT SAMPLING CONT. ISOL. VALVE | B | CLOSE | 9.3.2-15 | 9Z47501 | Z41925 |
| AP | FV-2456 | POST ACCIDENT SAMPLING CONT. ISOL. VALVE | C | CLOSE | 9.3.2-15 | 9Z47501 | Z41894 |
| AP | FV-2457 | POST ACCIDENT SAMPLING CONT. ISOL. VALVE | C | CLOSE | 9.3.2-15 | 9Z47501 | Z41894 |
| AP | FV-2458 | POST ACCIDENT SAMPLING CONT. ISOL. VALVE | C | CLOSE | 9.3.2-15 | 9Z47501 | Z41896 |
| CM | FV-4101 | CONT. HYDROGEN MONITORING CONT. ISOL. VALVE | A | CLOSE | 7.6-7 | 9Z00046 | Z41502 |
| CM | FV-4104 | CONT. HYDROGEN MONITORING CONT. ISOL. VALVE | C | CLOSE | 7.6-7 | 9Z00046 | Z41502 |
| CM | FV-4127 | CONT. HYDROGEN MONITORING CONT. ISOL. VALVE | A | CLOSE | 7.6-7 | 9Z00046 | Z41502 |
| CM | FV-4128 | CONT. HYDROGEN MONITORING CONT. ISOL. VALVE | A | CLOSE | 7.6-7 | 9Z00046 | Z41513 |
| CM | FV-4133 | CONT. HYDROGEN MONITORING CONT. ISOL. VALVE | C | CLOSE | 7.6-7 | 9Z00046 | Z41502 |
| CM | FV-4134 | CONT. HYDROGEN MONITORING CONT. ISOL. VALVE | C | CLOSE | 7.6-7 | 9Z00046 | Z41513 |
| CM | FV-4135 | CONT. HYDROGEN MONITORING CONT. ISOL. VALVE | A | CLOSE | 7.6-7 | 9Z00046 | Z41513 |
| CM | FV-4136 | CONT. HYDROGEN MONITORING CONT. ISOL. VALVE | C | CLOSE | 7.6-7 | 9Z00046 | Z41513 |
| CV | CV0033A | SEAL WATER INJECTION CONT. ISOL. VALVE | B | CLOSE* | 9.3.4-1 | 9F05005 | Z42413 |
| CV | CV0033B | SEAL WATER INJECTION CONT. ISOL. VALVE | B | CLOSE* | 9.3.4-1 | 9F05005 | Z42413 |
| CV | CV0033C | SEAL WATER INJECTION CONT. ISOL. VALVE | B | CLOSE* | 9.3.4-1 | 9F05005 | Z42413 |
| CV | CV0033D | SEAL WATER INJECTION CONT. ISOL. VALVE | B | CLOSE* | 9.3.4-1 | 9F05005 | Z42413 |
| CV | CV0077 | SEAL WATER RETURN CONT. ISOL. VALVE | C | CLOSE | 9.3.4-1 | 9F05005 | Z42412 |
| CV | CV0079 | SEAL WATER RETURN CONT. ISOL. VALVE | B | CLOSE | 9.3.4-1 | 9F05005 | Z42412 |
| CV | FV-0011 | LETDOWN ORIFICE HEADER ISOLATION VALVE | C | CLOSE | 9.3.4-1 | 9F05005 | Z42451 |
| CV | XCV0023 | LETDOWN CONT. ISOL. VALVE | C | CLOSE | 9.3.4-1 | 9F05005 | Z42410 |
| CV | XCV0024 | LETDOWN CONT. ISOL. VALVE | B | CLOSE | 9.3.4-1 | 9F05005 | Z42410 |
| CV | XCV0025 | CHARGING CONT. ISOL. VALVE | A | CLOSE | 9.3.4-1 | 9F05005 | Z42416 |
| ED | ED0064 | CONT. SUMP DISCHARGE CONT. ISOL. VALVE | B | CLOSE | 9.3.3-1 | 9F05030 | Z42317 |
| ED | FV-7800 | CONT. SUMP DISCHARGE CONT. ISOL. VALVE | A | CLOSE | 9.3.3-1 | 9F05030 | Z42318 |
| FP | FP0756 | FIRE PROTECTION SYSTEM CONT. ISOL. VALVE | C | CLOSE | 9.5.1-55 | 9F05047 | Z40061 |
| IA | FV-8565 | INSTRUMENT AIR CONT. ISOL. VALVE | B | CLOSE | 9.3.1-3 | 9F05040 | Z40012 |
| PS | FV-4450 | PRESSURIZER VAPOR SAMPLING CONT. ISOL. VALVE | B | CLOSE | 9.3.2-11 | 9Z00045 | Z41516 |
| PS | FV-4451 | PRESSURIZER LIQUID SAMPLING CONT. ISOL. VALVE | B | CLOSE | 9.3.2-11 | 9Z00045 | Z41516 |
| PS | FV-4451B | PRESSURIZER LIQUID SAMPLING CONT. ISOL. VALVE | C | CLOSE | 9.3.2-11 | 9Z00045 | Z41509 |
| PS | FV-4452 | PRESSURIZER VAPOR SAMPLING CONT. ISOL. VALVE | C | CLOSE | 9.3.2-11 | 9Z00045 | Z41509 |
| PS | FV-4454 | REACTOR COOLANT HOT LEG SAMPLING CONT. ISOL. VALVE | C | CLOSE | 9.3.2-11 | 9Z00045 | Z41518 |
| PS | FV-4455 | REACTOR COOLANT HOT LEG SAMPLING CONT. ISOL. VALVE | C | CLOSE | 9.3.2-11 | 9Z00045 | Z41518 |
| PS | FV-4456 | REACTOR COOLANT HOT LEG SAMPLING CONT. ISOL. VALVE | B | CLOSE | 9.3.2-11 | 9Z00045 | Z41509 |
| PS | FV-4461 | RHR SAMPLING CONT. ISOL. VALVE | C | CLOSE | 9.3.2-11 | 9Z00045 | Z41509 |
| PS | FV-4466 | ACCUMULATORS SAMPLING CONT. ISOL. VALVE | B | CLOSE | 9.3.2-11 | 9Z00045 | Z41509 |
| PS | FV-4823 | RHR SAMPLING CONT. ISOL. VALVE | B | CLOSE | 9.3.2-11 | 9Z00045 | Z41515 |
| PS | FV-4824 | ACCUMULATORS SAMPLING CONT. ISOL. VALVE | C | CLOSE | 9.3.2-11 | 9Z00045 | Z41517 |
| RC | FV-3651 | PRESSURIZER RELIEF TANK CONT. ISOL. VALVE | B | CLOSE | 5.1-4 | 9F05004 | Z42157 |
| RC | FV-3652 | PRESSURIZER RELIEF TANK CONT. ISOL. VALVE | B | CLOSE | 5.1-4 | 9F05004 | Z42157 |
| RC | FV-3653 | PRT VENT CONT. ISOL. VALVE | A | CLOSE | 5.1-4 | 9F05004 | Z42158 |
| SI | FV-3970 | SIS TEST LINE CONT. ISOL. VALVE | B | CLOSE | 6.3-4 | 9F05016 | Z42009 |
| SI | FV-3971 | SIS TEST LINE CONT. ISOL. VALVE | A | CLOSE | 6.3-4 | 9F05016 | Z42009 |
| SI | FV-3983 | SIS NITROGEN HEADER CONT. ISOL. VALVE | A | CLOSE | 6.3-4 | 9F05016 | Z42009 |
| WL | FV-4913 | RCDT DISCHARGE CONT. ISOL. VALVE | B | CLOSE | 11.2-1 | 9F05022 | Z42272 |
| WL | FV-4919 | RCDT VENT CONT. ISOL. VALVE | B | CLOSE | 11.2-1 | 9F05022 | Z42272 |
| WL | FV-4920 | RCDT VENT CONT. ISOL. VALVE | A | CLOSE | 11.2-1 | 9F05022 | Z42271 |
| WL | WL0312 | LWPS CONT. ISOL. VALVE | A | CLOSE | 11.2-1 | 9F05022 | Z42262 |
| XC | FV1025 | PERSONNEL AIRLOCK AIR SUPPLY ISOL. VALVE | A | CLOSE | N/A | 9F05060 | Z41540 |
| XC | FV1026 | PERSONNEL AIRLOCK AIR SUPPLY ISOL. VALVE | A | CLOSE | N/A | 9F05060 | Z41540 |
| XC | FV1027 | PERSONNEL AIRLOCK AUTO LEAK RATE MONIT. ISOL. VALVE | A | CLOSE | N/A | 9F05060 | Z41540 |
| XC | FV1028 | PERSONNEL AIRLOCK AUTO LEAK RATE MONIT. ISOL. VALVE | A | CLOSE | N/A | 9F05060 | Z41540 |

* Isolation signal is Containment isolation phase A signal concurrent with low charging header pressure.

TABLE 7.3-8
CONTAINMENT ISOLATION PHASE B ACTUATED EQUIPMENT LIST

| SYSTEM | EQUIP. IDENTIF. | DESCRIPTION | ESF TRAIN | FUNCTION | FIGURE NUMBER | P & ID NUMBER | LOGIC NUMBER |
|---|---|---|---|---|---|---|---|
| CC | CC0291 | CCW TO RCPs CONT. ISOL. VALVE | A | CLOSE | 9.2.2-5 | 9F05021 | Z42046 |
| CC | CC0318 | CCW TO RCPs CONT. ISOL. VALVE | B | CLOSE | 9.2.2-5 | 9F05021 | Z42046 |
| CC | CC0403 | CCW FROM RCPs CONT. ISOL. VALVE | B | CLOSE | 9.2.2-5 | 9F05021 | Z42052 |
| CC | CC0404 | CCW FROM RCPs CONT. ISOL. VALVE | C | CLOSE | 9.2.2-5 | 9F05021 | Z42046 |
| CC | CC0542 | CCW FROM RCPs CONT. ISOL. VALVE | A | CLOSE | 9.2.2-5 | 9F05021 | Z42052 |
| CC | FV-4493 | CCW TO RCPs CONT. ISOL. VALVE | A | CLOSE | 9.2.2-5 | 9F05021 | Z42059 |
| CC | FV-4493 | CCW TO RCPs CONT. ISOL. VALVE | B | CLOSE | 9.2.2-5 | 9F05021 | Z42059 |

TABLE 7.3-9
CONTAINMENT VENTILATION ISOLATION ACTUATED EQUIPMENT LIST

| SYSTEM | EQUIP. IDENTIF. | DESCRIPTION | ESF TRAIN | FUNCTION | FIGURE NUMBER | P & ID NUMBER | LOGIC NUMBER |
|---|---|---|---|---|---|---|---|
| HC | FV-9776 | RCB SUPPLEMENTARY PURGE CONT. ISOL. VALVE | A | CLOSE | 9.4.5-3 | 9V00019 | Z41782 |
| HC | HC0003 | RCB SUPPLEMENTARY PURGE CONT. ISOL. VALVE | B | CLOSE | 9.4.5-3 | 9V00019 | Z41644 |
| HC | HC0005 | RCB SUPPLEMENTARY PURGE CONT. ISOL. VALVE | B | CLOSE | 9.4.5-3 | 9V00019 | Z41644 |
| HC | FV-9777 | RCB SUPPLEMENTARY PURGE CONT. ISOL. VALVE | A | CLOSE | 9.4.5-3 | 9V00019 | Z41782 |
| HC | HC0007 | RCB NORMAL PURGE CONT. ISOL. VALVE | A | CLOSE | 9.4.5-2 | 9V00018 | Z41648 |
| HC | HC0008 | RCB NORMAL PURGE CONT. ISOL. VALVE | B | CLOSE | 9.4.5-2 | 9V00018 | Z41648 |
| HC | HC0009 | RCB NORMAL PURGE CONT. ISOL. VALVE | A | CLOSE | 9.5.4-2 | 9V00018 | Z41648 |
| HC | HC0010 | RCB NORMAL PURGE CONT. ISOL. VALVE | B | CLOSE | 9.4.5-2 | 9V00018 | Z41648 |
| RA | RA0001 | RCB ATMOS. RAD MONITOR CONT. ISOL. VALVE | B | CLOSE | 9.4.5-1 | 9V00017 | Z41911 |
| RA | RA0003 | RCB ATMOS. RAD MONITOR CONT. ISOL. VALVE | B | CLOSE | 9.4.5-1 | 9V00017 | Z41911 |
| RA | RA0004 | RCB ATMOS. RAD MONITOR CONT. ISOL. VALVE | A | CLOSE | 9.4.5-1 | 9V00017 | Z41911 |
| RA | RA0006 | RCB ATMOS. RAD MONITOR CONT. ISOL. VALVE | A | CLOSE | 9.4.5-1 | 9V00017 | Z41911 |

TABLE 7.3-10
STEAM LINE ISOLATION ACTUATED EQUIPMENT LIST

| SYSTEM | EQUIP. IDENTIF. | DESCRIPTION | ESF TRAIN | FUNCTION | FIGURE NUMBER | P & ID NUMBER | LOGIC NUMBER |
|---|---|---|---|---|---|---|---|
| MS | FSV-7414 | MAIN STEAM ISOLATION VALVE | A | CLOSE | 10.3-1 | 9F00016 | Z40076 |
| MS | FSV-7414 | MAIN STEAM ISOLATION VALVE | B | CLOSE | 10.3-1 | 9F00016 | Z40076 |
| MS | FSV-7424 | MAIN STEAM ISOLATION VALVE | A | CLOSE | 10.3-1 | 9F00016 | Z40076 |
| MS | FSV-7424 | MAIN STEAM ISOLATION VALVE | B | CLOSE | 10.3-1 | 9F00016 | Z40076 |
| MS | FSV-7434 | MAIN STEAM ISOLATION VALVE | A | CLOSE | 10.3-1 | 9F00016 | Z40076 |
| MS | FSV-7434 | MAIN STEAM ISOLATION VALVE | B | CLOSE | 10.3-1 | 9F00016 | Z40076 |
| MS | FSV-7444 | MAIN STEAM ISOLATION VALVE | A | CLOSE | 10.3-1 | 9F00016 | Z40076 |
| MS | FSV-7444 | MAIN STEAM ISOLATION VALVE | B | CLOSE | 10.3-1 | 9F00016 | Z40076 |
| MS | FV-7412 | MAIN STEAM ISOLATION BYPASS VALVE | A | CLOSE | 10.3-1 | 9F00016 | Z40078 |
| MS | FV-7412 | MAIN STEAM ISOLATION BYPASS VALVE | B | CLOSE | 10.3-1 | 9F00016 | Z40078 |
| MS | FV-7422 | MAIN STEAM ISOLATION BYPASS VALVE | A | CLOSE | 10.3-1 | 9F00016 | Z40078 |
| MS | FV-7422 | MAIN STEAM ISOLATION BYPASS VALVE | B | CLOSE | 10.3-1 | 9F00016 | Z40078 |
| MS | FV-7432 | MAIN STEAM ISOLATION BYPASS VALVE | A | CLOSE | 10.3-1 | 9F00016 | Z40078 |
| MS | FV-7432 | MAIN STEAM ISOLATION BYPASS VALVE | B | CLOSE | 10.3-1 | 9F00016 | Z40078 |
| MS | FV-7442 | MAIN STEAM ISOLATION BYPASS VALVE | A | CLOSE | 10.3-1 | 9F00016 | Z40078 |
| MS | FV-7442 | MAIN STEAM ISOLATION BYPASS VALVE | B | CLOSE | 10.3-1 | 9F00016 | Z40078 |

TABLE 7.3-11
FEEDWATER ISOLATION ACTUATED EQUIPMENT LIST

| SYSTEM | EQUIP. IDENTIF. | DESCRIPTION | ESF TRAIN | FUNCTION | FIGURE NUMBER | P & ID NUMBER | LOGIC NUMBER |
|---|---|---|---|---|---|---|---|
| FW | FCV-551 | MAIN FEEDWATER CONTROL VALVE | A | CLOSE | 10.4.7-4 | 9F00063 | Z40112 |
| FW | FCV-551 | MAIN FEEDWATER CONTROL VALVE | B | CLOSE | 10.4.7-4 | 9F00063 | Z40112 |
| FW | FCV-552 | MAIN FEEDWATER CONTROL VALVE | A | CLOSE | 10.4.7-4 | 9F00063 | Z40112 |
| FW | FCV-552 | MAIN FEEDWATER CONTROL VALVE | B | CLOSE | 10.4.7-4 | 9F00063 | Z40112 |
| FW | FCV-553 | MAIN FEEDWATER CONTROL VALVE | A | CLOSE | 10.4.7-4 | 9F00063 | Z40112 |
| FW | FCV-553 | MAIN FEEDWATER CONTROL VALVE | B | CLOSE | 10.4.7-4 | 9F00063 | Z40112 |
| FW | FCV-554 | MAIN FEEDWATER CONTROL VALVE | A | CLOSE | 10.4.7-4 | 9F00063 | Z40112 |
| FW | FCV-554 | MAIN FEEDWATER CONTROL VALVE | B | CLOSE | 10.4.7-4 | 9F00063 | Z40112 |
| FW | FV-7141 | MAIN FEEDWATER ISOLATION VALVE | A | CLOSE | 10.4.7-4 | 9F00063 | Z40116 |
| FW | FV-7141 | MAIN FEEDWATER ISOLATION VALVE | B | CLOSE | 10.4.7-4 | 9F00063 | Z40116 |
| FW | FV-7142 | MAIN FEEDWATER ISOLATION VALVE | A | CLOSE | 10.4.7-4 | 9F00063 | Z40116 |
| FW | FV-7142 | MAIN FEEDWATER ISOLATION VALVE | B | CLOSE | 10.4.7-4 | 9F00063 | Z40116 |
| FW | FV-7143 | MAIN FEEDWATER ISOLATION VALVE | A | CLOSE | 10.4.7-4 | 9F00063 | Z40116 |
| FW | FV-7143 | MAIN FEEDWATER ISOLATION VALVE | B | CLOSE | 10.4.7-4 | 9F00063 | Z40116 |
| FW | FV-7144 | MAIN FEEDWATER ISOLATION VALVE | A | CLOSE | 10.4.7-4 | 9F00063 | Z40116 |
| FW | FV-7144 | MAIN FEEDWATER ISOLATION VALVE | B | CLOSE | 10.4.7-4 | 9F00063 | Z40116 |
| FW | FV-7145A | MAIN FEEDWATER ISOLATION BYPASS VALVE | A | CLOSE | 10.4.7-4 | 9F00063 | Z40121 |
| FW | FV-7145A | MAIN FEEDWATER ISOLATION BYPASS VALVE | B | CLOSE | 10.4.7-4 | 9F00063 | Z40121 |
| FW | FV-7146A | MAIN FEEDWATER ISOLATION BYPASS VALVE | A | CLOSE | 10.4.7-4 | 9F00063 | Z40121 |
| FW | FV-7146A | MAIN FEEDWATER ISOLATION BYPASS VALVE | B | CLOSE | 10.4.7-4 | 9F00063 | Z40121 |

TABLE 7.3-11 (Continued)

FEEDWATER ISOLATION ACTUATED EQUIPMENT LIST

| SYSTEM | EQUIP. IDENTIF. | DESCRIPTION | ESF TRAIN | FUNCTION | FIGURE NUMBER | P & ID NUMBER | LOGIC NUMBER |
|---|---|---|---|---|---|---|---|
| FW | FV-7147A | MAIN FEEDWATER ISOLATION BYPASS VALVE | A | CLOSE | 10.4.7-4 | 9F00063 | Z40121 |
| FW | FV-7147A | MAIN FEEDWATER ISOLATION BYPASS VALVE | B | CLOSE | 10.4.7-4 | 9F00063 | Z40121 |
| FW | FV-7148A | MAIN FEEDWATER ISOLATION BYPASS VALVE | A | CLOSE | 10.4.7-4 | 9F00063 | Z40121 |
| FW | FV-7148A | MAIN FEEDWATER ISOLATION BYPASS VALVE | B | CLOSE | 10.4.7-4 | 9F00063 | Z40121 |
| FW | FV-7151 | MAIN FEEDWATER CONTROL BYPASS VALVE | A | CLOSE | 10.4.7-4 | 9F00063 | Z40117 |
| FW | FV-7151 | MAIN FEEDWATER CONTROL BYPASS VALVE | B | CLOSE | 10.4.7-4 | 9F00063 | Z40117 |
| FW | FV-7152 | MAIN FEEDWATER CONTROL BYPASS VALVE | A | CLOSE | 10.4.7-4 | 9F00063 | Z40117 |
| FW | FV-7152 | MAIN FEEDWATER CONTROL BYPASS VALVE | B | CLOSE | 10.4.7-4 | 9F00063 | Z40117 |
| FW | FV-7153 | MAIN FEEDWATER CONTROL BYPASS VALVE | A | CLOSE | 10.4.7-4 | 9F00063 | Z40117 |
| FW | FV-7153 | MAIN FEEDWATER CONTROL BYPASS VALVE | B | CLOSE | 10.4.7-4 | 9F00063 | Z40117 |
| FW | FV-7154 | MAIN FEEDWATER CONTROL BYPASS VALVE | A | CLOSE | 10.4.7-4 | 9F00063 | Z40117 |
| FW | FV-7154 | MAIN FEEDWATER CONTROL BYPASS VALVE | B | CLOSE | 10.4.7-4 | 9F00063 | Z40117 |
| FW | FV-7189 | SG PREHEATER BYPASS ISOLATION VALVE | A | CLOSE | 10.4.7-4 | 9F00063 | Z40486 |
| FW | FV-7189 | SG PREHEATER BYPASS ISOLATION VALVE | B | CLOSE | 10.4.7-4 | 9F00063 | Z40486 |
| FW | FV-7190 | SG PREHEATER BYPASS ISOLATION VALVE | A | CLOSE | 10.4.7-4 | 9F00063 | Z40486 |
| FW | FV-7190 | SG PREHEATER BYPASS ISOLATION VALVE | B | CLOSE | 10.4.7-4 | 9F00063 | Z40486 |
| FW | FV-7191 | SG PREHEATER BYPASS ISOLATION VALVE | A | CLOSE | 10.4.7-4 | 9F00063 | Z40486 |
| FW | FV-7191 | SG PREHEATER BYPASS ISOLATION VALVE | B | CLOSE | 10.4.7-4 | 9F00063 | Z40486 |
| FW | FV-7192 | SG PREHEATER BYPASS ISOLATION VALVE | A | CLOSE | 10.4.7-4 | 9F00063 | Z40486 |
| FW | FV-7192 | SG PREHEATER BYPASS ISOLATION VALVE | B | CLOSE | 10.4.7-4 | 9F00063 | Z40486 |

ACTUATED ONLY BY SAFETY INJECTION, OR SG HIGH-HIGH WATER LEVEL.

| SYSTEM | EQUIP. IDENTIF. | DESCRIPTION | ESF TRAIN | FUNCTION | FIGURE NUMBER | P & ID NUMBER | LOGIC NUMBER |
|---|---|---|---|---|---|---|---|
| FW | SGFP 11 | MAIN STEAM GENERATOR FEED PUMP 11 | A | TRIP | 10.4.7-3 | 9F00061 | Z40482 |
| FW | SGFP 11 | MAIN STEAM GENERATOR FEED PUMP 11 | B | TRIP | 10.4.7-3 | 9F00061 | Z40482 |
| FW | SGFP 12 | MAIN STEAM GENERATOR FEED PUMP 12 | A | TRIP | 10.4.7-3 | 9F00061 | Z40482 |
| FW | SGFP 12 | MAIN STEAM GENERATOR FEED PUMP 12 | B | TRIP | 10.4.7-3 | 9F00061 | Z40482 |
| FW | SGFP 13 | MAIN STEAM GENERATOR FEED PUMP 13 | A | TRIP | 10.4.7-3 | 9F00061 | Z40482 |
| FW | SGFP 13 | MAIN STEAM GENERATOR FEED PUMP 13 | B | TRIP | 10.4.7-3 | 9F00061 | Z40482 |
| FW | ST-UP FW PMP | START-UP STEAM GENERATOR FEED PUMP | A | TRIP | 10.4.7-3 | 9F00061 | Z40483 |
| FW | ST-UP FW PMP | START-UP STEAM GENERATOR FEED PUMP | B | TRIP | 10.4.7-3 | 9F00061 | Z40483 |
| MS | PV-7174 & PV-7174A | MAIN STEAM TO DEAERATOR CONTROL VALVES | A | CLOSE | 10.4.7-3 | 9F20009 | Z40086 |
| MS | PV-7174 & PV-7174A | MAIN STEAM TO DEAERATOR CONTROL VALVES | B | CLOSE | 10.4.7-3 | 9F20009 | Z40086 |
| SP | TURBINE | MAIN TURBINE TRIP - AUTO STOP VALVES | A | TRIP | 10.3-2 | 9F00017 | Z40243 |
| SP | TURBINE | MAIN TURBINE TRIP - AUTO STOP VALVES | B | TRIP | 10.3-2 | 9F00017 | Z40243 |

TABLE 7.3-15
AUXILIARY FEEDWATER INITIATION ACTUATED EQUIPMENT LIST

| SYSTEM | EQUIP. IDENTIF. | DESCRIPTION | ESF TRAIN | FUNCTION | FIGURE NUMBER | P & ID NUMBER | LOGIC NUMBER |
|---|---|---|---|---|---|---|---|
| AF | AF0019 | AFW TURBINE TRAIN CONTAINMENT ISOLATION VALVE | A | OPEN | 10.4.9-1 | 9F00024 | Z40136 |
| AF | AF0048 | AFW CONTAINMENT ISOLATION VALVE | A | OPEN | 10.4.9-1 | 9F00024 | Z40141 |
| AF | AF0065 | AFW CONTAINMENT ISOLATION VALVE | B | OPEN | 10.4.9-1 | 9F00024 | Z40141 |
| AF | AF0085 | AFW CONTAINMENT ISOLATION VALVE | C | OPEN | 10.4.9-1 | 9F00024 | Z40141 |
| AF | AFW PUMP 11 | AFW MOTOR-DRIVEN PUMP 11 | A | START* | 10.4.9-1 | 9F00024 | Z40131 |
| AF | AFW PUMP 12 | AFW MOTOR-DRIVEN PUMP 12 | B | START* | 10.4.9-1 | 9F00024 | Z40131 |
| AF | AFW PUMP 13 | AFW MOTOR-DRIVEN PUMP 13 | C | START* | 10.4.9-1 | 9F00024 | Z40131 |
| AF | FV-0143 | AFW PUMP TURBINE STEAM INLET BYPASS VALVE | A | OPEN** | 10.4.9-1 | 9F00024 | Z40132 |
| AF | FV-7515 | AFW CROSSOVER VALVE | C | CLOSE | 10.4.9-1 | 9F00024 | Z40133 |
| AF | FV-7516 | AFW CROSSOVER VALVE | B | CLOSE | 10.4.9-1 | 9F00024 | Z40133 |
| AF | FV-7517 | AFW CROSSOVER VALVE | A | CLOSE | 10.4.9-1 | 9F00024 | Z40133 |
| AF | FV-7518 | AFW CROSSOVER VALVE | A | CLOSE | 10.4.9-1 | 9F00024 | Z40134 |
| AF | FV-7523 | AFW FLOW REGULATOR VALVE | C | CONTROL | 10.4.9-1 | 9F00024 | Z40142 |
| AF | FV-7524 | AFW FLOW REGULATOR VALVE | B | CONTROL | 10.4.9-1 | 9F00024 | Z40142 |
| AF | FV-7525 | AFW FLOW REGULATOR VALVE | A | CONTROL | 10.4.9-1 | 9F00024 | Z40142 |
| AF | FV-7526 | AFW TURBINE TRAIN FLOW REGULATOR VALVE | A | CONTROL | 10.4.9-1 | 9F00024 | Z40140 |
| AF | MS0143 | AFW PUMP TURBINE MAIN STEAM INLET VALVE | A | OPEN | 10.4.9-1 | 9F00024 | Z40132 |
| AF | XMS0514 | AFW PUMP TURBINE TRIP & THROTTLE VALVE | A | OPEN | 10.4.9-1 | 9F00024 | Z40135 |
| HC | IVC FAN 001 | MSIVC VENT FAN 11A - FOR AFW PUMP 11 | A | START** | 9.4.8-1 | 9V25008 | Z41634 |
| HC | IVC FAN 002 | MSIVC VENT FAN 11B - FOR AFW PUMP 12 | B | START** | 9.4.8-1 | 9V25008 | Z41634 |
| HC | IVC FAN 003 | MSIVC VENT FAN 11C - FOR AFW PUMP 13 | C | START** | 9.4.8-1 | 9V25008 | Z41634 |
| HC | IVC FAN 004 | MSIVC VENT FAN FOR AFW TURBINE-DRIVEN PUMP | A | START** | 9.4.8-1 | 9V25008 | Z41634 |
| SB | FV-4150 | SG BLOWDOWN CONTAINMENT ISOLATION VALVE | A | CLOSE | 10.4.8-1 | 9F20001 | Z40203 |
| SB | FV-4150 | SG BLOWDOWN CONTAINMENT ISOLATION VALVE | B | CLOSE | 10.4.8-1 | 9F20001 | Z40203 |
| SB | FV-4151 | SG BLOWDOWN CONTAINMENT ISOLATION VALVE | A | CLOSE | 10.4.8-1 | 9F20001 | Z40203 |
| SB | FV-4151 | SG BLOWDOWN CONTAINMENT ISOLATION VALVE | C | CLOSE | 10.4.8-1 | 9F20001 | Z40203 |
| SB | FV-4152 | SG BLOWDOWN CONTAINMENT ISOLATION VALVE | B | CLOSE | 10.4.8-1 | 9F20001 | Z40203 |
| SB | FV-4152 | SG BLOWDOWN CONTAINMENT ISOLATION VALVE | C | CLOSE | 10.4.8-1 | 9F20001 | Z40203 |
| SB | FV-4153 | SG BLOWDOWN CONTAINMENT ISOLATION VALVE | A | CLOSE | 10.4.8-1 | 9F20001 | Z40203 |
| SB | FV-4153 | SG BLOWDOWN CONTAINMENT ISOLATION VALVE | B | CLOSE | 10.4.8-1 | 9F20001 | Z40203 |
| SB | FV-4186 | SG BLOWDOWN CONTAINMENT ISOLATION VALVE | A | CLOSE | 10.4.8-1 | 9F20001 | Z40208 |
| SB | FV-4186 | SG BLOWDOWN CONTAINMENT ISOLATION VALVE | B | CLOSE | 10.4.8-1 | 9F20001 | Z40208 |
| SB | FV-4187 | SG BLOWDOWN CONTAINMENT ISOLATION VALVE | C | CLOSE | 10.4.8-1 | 9F20001 | Z40208 |
| SB | FV-4187 | SG BLOWDOWN CONTAINMENT ISOLATION VALVE | A | CLOSE | 10.4.8-1 | 9F20001 | Z40208 |
| SB | FV-4188 | SG BLOWDOWN CONTAINMENT ISOLATION VALVE | B | CLOSE | 10.4.8-1 | 9F20001 | Z40208 |
| SB | FV-4188 | SG BLOWDOWN CONTAINMENT ISOLATION VALVE | C | CLOSE | 10.4.8-1 | 9F20001 | Z40208 |
| SB | FV-4189 | SG BLOWDOWN CONTAINMENT ISOLATION VALVE | A | CLOSE | 10.4.8-1 | 9F20001 | Z40208 |
| SB | FV-4189 | SG BLOWDOWN CONTAINMENT ISOLATION VALVE | B | CLOSE | 10.4.8-1 | 9F20001 | Z40208 |

* Actuation is through the ESF load sequencer.
** Equipment not actuated directly by ESFAS signal. Actuation is from equipment directly actuated.
*** Only when MS0143 is closed.

TABLE 7.3-16
SENSITIVITY AND RESPONSE TIMES OF RADIATION MONITORS USED FOR ESFAS

| Monitor Description | Sensitivity | Response Time* |
|---|---|---|
| Control Room/EAB Ventilation | 5.3 x 10^-8 Ci/cm^3 | 8.0 seconds |
| Spent Fuel Pool Ventilation | 1.1 x 10^-7 Ci/cm^3 | 12.0 seconds |

* Response time given includes ESFAS circuitry response time and radiation monitor response time for the design basis accident. Response time for radiation monitors is radiation-level dependent.

TABLE 7.3-17
CONTROL ROOM ENVELOPE HVAC ESFAS ACTUATED EQUIPMENT LIST

| SYSTEM | EQUIP. IDENTIF. | DESCRIPTION | ESF TRAIN | FUNCTION | FIGURE NUMBER | P & ID NUMBER | LOGIC NUMBER |
|---|---|---|---|---|---|---|---|
| HE | CR FAN 004 | CONTROL ROOM MAKEUP AIR FAN 11A | A | START* | 9.4.1-2 | 9V25003 | Z41571 |
| HE | CR FAN 005 | CONTROL ROOM MAKEUP AIR FAN 11B | B | START* | 9.4.1-2 | 9V25003 | Z41571 |
| HE | CR FAN 006 | CONTROL ROOM MAKEUP AIR FAN 11C | C | START* | 9.4.1-2 | 9V25003 | Z41571 |
| HE | CR FAN 007 | CONTROL ROOM CLEANUP AIR FAN 11A | A | START* | 9.4.1-2 | 9V25004 | Z41575 |
| HE | CR FAN 008 | CONTROL ROOM CLEANUP AIR FAN 11B | B | START* | 9.4.1-2 | 9V25004 | Z41575 |
| HE | CR FAN 009 | CONTROL ROOM CLEANUP AIR FAN 11C | C | START* | 9.4.1-2 | 9V25004 | Z41575 |
| HE | CR FAN 017 | CONTROL ROOM SUPPLY AIR FAN 11A | A | START* | 9.4.1-2 | 9V25004 | Z41594 |
| HE | CR FAN 018 | CONTROL ROOM SUPPLY AIR FAN 11B | B | START* | 9.4.1-2 | 9V25004 | Z41594 |
| HE | CR FAN 019 | CONTROL ROOM SUPPLY AIR FAN 11C | C | START* | 9.4.1-2 | 9V25004 | Z41594 |
| HE | CR FAN 025 | CONTROL ROOM RETURN AIR FAN 11A | A | START* | 9.4.1-2 | 9V25004 | Z41574 |
| HE | CR FAN 026 | CONTROL ROOM RETURN AIR FAN 11B | B | START* | 9.4.1-2 | 9V25004 | Z41574 |
| HE | CR FAN 027 | CONTROL ROOM RETURN AIR FAN 11C | C | START* | 9.4.1-2 | 9V25004 | Z41574 |
| HE | CR HX 004 | CONTROL ROOM ENVELOPE MAKEUP UNIT HEATING COIL 11A | A | ON** | 9.4.1-2 | 9V25003 | Z41707 |
| HE | CR HX 005 | CONTROL ROOM ENVELOPE MAKEUP UNIT HEATING COIL 11B | B | ON** | 9.4.1-2 | 9V25003 | Z41707 |
| HE | CR HX 006 | CONTROL ROOM ENVELOPE MAKEUP UNIT HEATING COIL 11C | C | ON** | 9.4.1-2 | 9V25003 | Z41707 |
| HE | FCV-9584 | CONTROL ROOM ENVELOPE MAKEUP FLOW CONTROL DAMPER | A | CONTROL** | 9.4.1-2 | 9V25003 | Z41706 |
| HE | FCV-9585 | CONTROL ROOM ENVELOPE MAKEUP FLOW CONTROL DAMPER | B | CONTROL** | 9.4.1-2 | 9V25003 | Z41706 |
| HE | FCV-9586 | CONTROL ROOM ENVELOPE MAKEUP FLOW CONTROL DAMPER | C | CONTROL** | 9.4.1-2 | 9V25003 | Z41706 |
| HE | FCV-9339 | CONTROL ROOM MAKEUP AIR DAMPER | A | OPEN* | 9.4.1-2 | 9V25003 | Z41587 |
| HE | FCV-9365 | CONTROL ROOM MAKEUP AIR DAMPER | B | OPEN* | 9.4.1-2 | 9V25003 | Z41587 |
| HE | FV-9391 | CONTROL ROOM MAKEUP AIR DAMPER | C | OPEN* | 9.4.1-2 | 9V25003 | Z41587 |
| HE | FV-9664 | CONTROL ROOM ENVELOPE INLET ISOLATION DAMPER | C | CLOSE* | 9.4.1-2 | 9V25004 | Z41597 |
| HE | FV-9665 | CONTROL ROOM ENVELOPE INLET ISOLATION DAMPER | A | CLOSE* | 9.4.1-2 | 9V25004 | Z41597 |
| HE | FV-9667 | CONTROL ROOM ENVELOPE INLET ISOLATION DAMPER | A | CLOSE* | 9.4.1-2 | 9V25004 | Z41597 |
| HE | FV-9668 | CONTROL ROOM ENVELOPE INLET ISOLATION DAMPER | B | CLOSE* | 9.4.1-2 | 9V25004 | Z41597 |
| HE | FV-9670 | CONTROL ROOM ENVELOPE INLET ISOLATION DAMPER | A | CLOSE* | 9.4.1-2 | 9V25004 | Z41597 |
| HE | FV-9671 | CONTROL ROOM ENVELOPE INLET ISOLATION DAMPER | B | CLOSE* | 9.4.1-2 | 9V25004 | Z41597 |
| HE | FV-9673 | CONTROL ROOM HVAC TOILET & KITCHEN EXHAUST ISOL. DAMPER | A | CLOSE* | 9.4.1-2 | 9V25004 | Z41597 |
| HE | FV-9674 | CONTROL ROOM HVAC TOILET & KITCHEN EXHAUST ISOL. DAMPER | B | CLOSE* | 9.4.1-2 | 9V25004 | Z41597 |
| HE | FV-9675 | CONTROL ROOM CLEANUP UNIT INLET DAMPER | C | OPEN* | 9.4.1-2 | 9V25004 | Z41595 |
| HE | FV-9676 | CONTROL ROOM CLEANUP UNIT INLET DAMPER | B | OPEN* | 9.4.1-2 | 9V25004 | Z41595 |
| HE | FV-9677 | CONTROL ROOM CLEANUP UNIT INLET DAMPER | A | OPEN* | 9.4.1-2 | 9V25004 | Z41595 |
| HE | FV-9696 | CONTROL ROOM HVAC RETURN AIR DAMPER | C | CLOSE* | 9.4.1-2 | 9V25004 | Z41598 |
| HE | FV-9697 | CONTROL ROOM HVAC RETURN AIR DAMPER | B | CLOSE* | 9.4.1-2 | 9V25004 | Z41598 |
| HE | FV-9698 | CONTROL ROOM HVAC RETURN AIR DAMPER | A | CLOSE* | 9.4.1-2 | 9V25004 | Z41598 |

* Actuation is through the ESF load sequencer.
** Equipment not actuated directly by ESFAS signal. Actuation is from equipment directly actuated.

TABLE 7.3-18
FUEL HANDLING BUILDING HVAC ESFAS ACTUATED EQUIPMENT LIST

| SYSTEM | EQUIP. IDENTIF. | DESCRIPTION | ESF TRAIN | FUNCTION | FIGURE NUMBER | P & ID NUMBER | LOGIC NUMBER |
|---|---|---|---|---|---|---|---|
| HF | FHB FAN 001 | FHB HVAC MAIN SUPPLY FAN 11A | N | STOP* | 9.4.2-1 | 9V00012 | Z41600 |
| HF | FHB FAN 002 | FHB HVAC MAIN SUPPLY FAN 11B | N | STOP* | 9.4.2-1 | 9V00012 | Z41600 |
| HF | FHB FAN 003 | FHB HVAC MAIN SUPPLY FAN 11C | N | STOP* | 9.4.2-1 | 9V00012 | Z41600 |
| HF | FHB FAN 004 | FHB HVAC MAIN EXHAUST FAN 11A | A | START | 9.4.2-2 | 9V00013 | Z41601 |
| HF | FHB FAN 005 | FHB HVAC MAIN EXHAUST FAN 11B | B | START | 9.4.2-2 | 9V00013 | Z41601 |
| HF | FHB FAN 006 | FHB HVAC MAIN EXHAUST FAN 11C | C | START | 9.4.2-2 | 9V00013 | Z41601 |
| HF | FHB FAN 007 | FHB HVAC EXHAUST BOOSTER FAN 11A | A | START | 9.4.2-2 | 9V00013 | Z41602 |
| HF | FHB FAN 008 | FHB HVAC EXHAUST BOOSTER FAN 11B | B | START | 9.4.2-2 | 9V00013 | Z41602 |
| HF | FHB FAN 009 | FHB HVAC EXHAUST BOOSTER FAN 11C | C | START | 9.4.2-2 | 9V00013 | Z41602 |
| HF | FV-9500 | FHB HVAC RELIEF SUPPLY DAMPER | A | OPEN | 9.4.2-1 | 9V00012 | Z41618 |
| HF | FV-9500A | FHB HVAC RELIEF SUPPLY DAMPER | B | OPEN | 9.4.2-1 | 9V00012 | Z41618 |
| HF | FV-9549 | FHB HVAC EXHAUST FILTER INLET DAMPER | A | OPEN | 9.4.2-2 | 9V00013 | Z41609 |
| HF | FV-9549A | FHB HVAC EXHAUST FILTER INLET DAMPER | B | OPEN | 9.4.2-2 | 9V00013 | Z41609 |
| HF | FV-9549C | FHB HVAC EXHAUST AIR BYPASS DAMPER | B | CLOSE | 9.4.2-2 | 9V00013 | Z41617 |
| HF | FV-9549D | FHB HVAC EXHAUST AIR BYPASS DAMPER | A | CLOSE | 9.4.2-2 | 9V00013 | Z41617 |
| HF | HV-9507 | FHB HVAC EXHAUST FILTER OUTLET DAMPER | A | OPEN | 9.4.2-2 | 9V00013 | Z41608 |
| HF | HV-9507A | FHB HVAC EXHAUST FILTER OUTLET DAMPER | B | OPEN | 9.4.2-2 | 9V00013 | Z41608 |

* The supply fans are tripped whenever either relief supply damper is open.

STPEGS UFSAR 7.4-1 Revision 16

==7.4 SYSTEMS REQUIRED FOR SAFE SHUTDOWN==

The functions necessary for safe shutdown are available from instrumentation channels that are associated with the major systems in both the primary and secondary portions of the plant. These channels normally serve a variety of operational functions, including startup and shutdown, as well as protective functions. There are no identifiable safe shutdown systems per se. However, prescribed procedures for securing and maintaining the plant in a safe condition can be instituted by appropriate alignment of selected systems in the plant.

The instrumentation and control functions required for maintaining safe shutdown of the reactor discussed in this section are the minimum needed under nonaccident conditions. These functions permit the necessary operations that will:

1. Prevent the reactor from achieving criticality in violation of the Technical Specifications.
2. Provide an adequate heat sink so that design and safety limits are not exceeded.

The designation of systems that can be used for safe shutdown depends on identifying those systems which provide the following capabilities for maintaining a safe shutdown:

1. Circulation of reactor coolant
2. Boration
3. Residual heat removal

7.4.1 Description

In the event of unit shutdown, the unit will be brought to and maintained at a safe shutdown condition under control from the main control room or from the auxiliary shutdown stations outside the control room, including the Auxiliary Shutdown Panel (ASP).

The auxiliary shutdown stations are described in Section 7.4.1.9. Safe shutdown is hot standby as defined in the Technical Specifications. The South Texas Project Electric Generating Station (STPEGS) capability to achieve cold shutdown is described in Appendix 5.4.A. The portions of the Reactor Trip System (RTS) required to achieve the shutdown condition are described in Section 7.2. The preferred method of circulation of reactor coolant is forced circulation with the reactor coolant pumps (RCPs) supplying the driving head. With a loss of offsite power (LOOP) the RCPs are not available and reactor coolant circulation is maintained by natural circulation. The minimum system and component controls and monitoring indicators required to maintain a safe shutdown under a nonaccident condition are tabulated and discussed below. The system and component controls and monitoring indicators provided outside the control room (on the ASP and at other auxiliary control stations) are discussed in Section 7.4.1.9.

1. Systems and Components Utilized for Safe Shutdown
   a. Auxiliary Feedwater System (AFWS)
   b. Atmospheric steam relief valves (Main Steam [MS] safety valves and steam generator [SG] power-operated relief valves)
   c. Pressurizer backup heaters
   d. Centrifugal charging pumps*
   e. Boric acid transfer pumps*
   f. Letdown stop valves*
2. Supporting Systems and Components*
   a. Essential cooling water (ECW) pumps*
   b. Component cooling water (CCW) pumps*
   c. Reactor Containment fan coolers (RCFCs)*
   d. Standby diesel generators (SBDG) (and associated onsite electrical distribution system)*
   e. Control room ventilation*
   f. Emergency Ventilation System for those areas housing equipment required for safe shutdown*
   g. Qualified Display Processing System (QDPS)*
3. Essential Monitoring Indicators
   a. Steam Generators
      1) Water level for each SG*
      2) Pressure for each SG*
   b. Reactor Coolant System (RCS)
      1) Pressurizer water level*
      2) RCS wide-range pressure*
      3) RCS wide-range temperature (T hot and T cold)*
   c. Auxiliary Feedwater System
      1) Auxiliary feedwater (AFW) flow to each SG*
   d. Chemical and Volume Control System (CVCS)
      1) Charging flow
      2) RCP seal injection flow
   e. Condensate Storage and Transfer System
      1) Auxiliary feedwater storage tank (AFST) level

* Essential systems and components for safe shutdown

The description and design criteria for the essential monitoring indicators are described in Section 7.5 and Appendix 7B.

7.4.1.1 Auxiliary Feedwater Control. The Auxiliary Feedwater System (AFWS) consists of three motor-driven pumps and one steam turbine-driven pump, associated piping, valves, instruments, and controls as shown in Figure 10.4.9-1. The three motor-driven pump trains and the turbine-driven pump train are started automatically by the Engineered Safety Features Actuation System (ESFAS), the AMSAC system and Engineered Safety Features (ESF) load sequencers, as discussed below. All four pumps can be started manually from the control room or the ASP. Each pump feeds one SG through an individual AFW line. Flow control is provided by individual, motor-operated regulator valves that can be manually controlled from the control room or the ASP. When being controlled from the control room, the flow is limited below a preset value using the QDPS, described in Section 7.5.6. AFW flow indication and SG level for each SG are provided in the control room and on the ASP. Each AFW pump may be remote-manually cross-connected in the absence of a safety actuation signal to feed any combination of steam generators if instrument air is available. Manual valve operability is also provided.

The AFW turbine-driven pump is supplied with steam from SG 1D through the steam inlet valve and the turbine trip throttle valve. The steam inlet valve is normally open, allowing steam flow to the normally closed turbine trip throttle valve. Both valves receive open signals on an AFW initiation. Manual control of the steam inlet valve and the turbine trip throttle valve is available in the control room and on the ASP.

Status indication is provided in the control room and at the ASP for the motor-driven pumps, steam inlet valve, turbine trip and throttle valve, regulator valves, and isolation valves.

The AFWS is described in Section 10.4.9.

1. Initiating Circuits

Essential systems and components for safe shutdown STPEGS UFSAR 7.4-4 Revision 16 The motor-driven pumps are immediately star ted on a two-out-of-four low-low water level signal from any SG or an AMSAC signal a nd are started by the ESF load sequencers following a safety injection (S I) signal or a LOOP. The AFW valves are automatically actuated to their proper position by a two-out-of-four low-low wa ter level signal from any SG, an AMSAC signal or an SI signal. The flow to the SGs is not automatically provided after a LOOP until an SG low-low water level signal, an AMSAC signal or an SI signal is received. When being controlled from the control room, the AFW regulator valves are controlled by QDPS to limit the flow (at all times) into the SG to below a preset high value. After a two-out-of-four low-low water level signal from any SG, an AMSAC signal or an SI signal, flow is maintained between upper and lower limits using the QDPS, until manually reset. The control for an AFW regulator valve is show n on Figure 7.3-21B. The AMSAC system is described in Section 7.8.

2. Logic See Figure 7.2-16.
3. Bypass Control from the control room and automatic control are bypassed at the transfer switch panels when control is transferred to the ASP. This transfer of control is alarmed and indicated in the control room through the ESF Status Monitoring System (Section 7.5-4).
4. Interlocks There are no interlocks.
5. Redundancy Four level sensors for each steam generator and three actuation trains are provided for system actuation logic redundancy. Any two of the four AFW pumps provide sufficient feedwater for safe shutdown requirements.
6. Diversity The SI signal, AMSAC signal and SG water level signals are provided for actuation diversity. AFWS diversity is provided by motor-driven pumps and one turbine-driven pump.
7. Actuated Devices Actuated devices are listed in Table 7.3-15.
8. Supporting Systems The Class 1E electric systems are required for AFW control. Ventilation support is required (Section 9.4.8). The AFST is required (Section 10.4.7).

9. Portion of System not Required for Safety The ESF Status Monitoring System is not required for safety.
10. Design Basis Information Design bases for the AFWS are that the operation will be controlled automatically by the ESFAS or manually from the control room or the ASP and that no single failure will prevent the system from performing the required safety function. AMSAC actuation is also provided as discussed in Section 7.8. The AFWS design basis is discussed in detail in Section 10.4.9.1.

7.4.1.2 Atmospheric Steam Relief. The MS safety valves and the SG power-operated relief valves (PORVs) are located upstream of the MS isolation valves outside of the Containment, and both provide a means of removing reactor heat thus achieving and maintaining a safe shutdown condition. The MS safety valves are full-capacity, spring-loaded valves which operate on MS line pressure only. They are described more fully in Section 10.3. These valves are independently capable of controlling SG pressure for a safe shutdown condition.

In order to avoid unnecessary, prolonged operation of the MS safety valves, the SG PORVs have been provided. The SG PORVs and their controls are designed as safety-related equipment; however the SG PORVs do not perform a safety function for safe shutdown. The safety-related function of the SG PORVs is described in Appendix 5.4.A.

A pressure transmitter and pressure controller are provided for each of the SGs to actuate the PORV and control the steam pressure at a predetermined setting. Manual control capability is provided both in the control room and on the ASP for PORV regulation. The status of the PORVs is indicated by the valve position indicating lights and analog position indication on the valve control stations. The SG PORVs are controlled using the QDPS, which is described in Section 7.5.6.

1. Initiating Circuits No initiating circuits are required for the self-actuating MS safety valves. Each PORV is automatically actuated to regulate SG pressure via the pressure controller and can be manually actuated by selecting the manual control mode. The required instrumentation readout for manual system control is described in Section 7.5.
2. Logic No logic is required for the spring-loaded MS safety valves. Each PORV is individually controlled by its own pressure control loop. Normal PORV operation is the automatic mode, but alternatively it may be operated in a manual mode. Figure 7.4-1 shows the logic diagram for the SG PORVs. PORV control is provided by microprocessor-based equipment within the QDPS. Each control loop accepts the steam line pressure, valve position, and the setpoints as input variables and outputs a signal to control the PORV (Section 7.5.6.1.1.2).
3. Bypass Placement of the PORV valve controller in the manual mode does not preclude the steam relief functional requirement, since the MS safety valves provide a steam pressure relief capability. Control of the PORVs from the control room is bypassed at the transfer switch panels when control is transferred to the ASP. This transfer of control is alarmed and indicated in the control room through the ESF Status Monitoring System (Section 7.5.4).
4. Interlock No interlock is provided.
5. Redundancy Any two of the four sets of MS safety valves or any two of the four PORVs provide sufficient steam relief to remove decay heat for safe shutdown requirements. Redundancy is accomplished on a system basis since any two of the four associated SGs are adequate for the heat removal requirements.
6. Diversity Diversity in the heat removal function is accomplished by the spring-loaded MS safety valves and SG PORVs.
7. Actuated Devices The PORVs are electro-hydraulically operated and fail closed on loss of power to the hydraulic pump or control circuitry. A switch for each PORV is installed on the transfer switch panels or the auxiliary shutdown panel to allow the PORV to be opened using reserve hydraulic pressure in the PORV accumulator following a loss of power to the hydraulic pump, provided power is still available to the servo amplifier, which is powered from a battery-backed 120 VAC safety-related bus. Also, provisions are available for local manual control.
8. Supporting Systems The Class 1E electrical systems are required to operate the SG PORVs (Section 8.3).
9. Portion of System Not Required for Safety The SG PORVs and the ESF Status Monitoring System.
10. Design Basis Information The MS safety valves are self-actuated and sufficient to maintain safe shutdown. Therefore, the SG PORVs are not required for safe shutdown. However, to achieve operational objectives the SG PORV controls are designed to meet those portions of Institute of Electrical and Electronics Engineers (IEEE) 279-1971 applicable to automatic and manual controls.

The PORVs are electrohydraulically-operated, requiring 480 V, 3-phase power for the hydraulic pumps and 125 VDC for the manual and automatic control portion. The control circuits are designed so that any single failure will not prevent proper system response when required. This is accomplished by redundant SGs with a PORV available on each SG, any two of which are sufficient for heat removal. Two PORVs are powered from independent Class 1E 480 V, 3-phase busses with the other two PORVs powered from a third independent Class 1E 480 V, 3-phase bus. The control circuits are powered from four independent Class 1E 125 VDC busses. In order to prevent interaction between redundant systems, the control channels are wired independently and are separated, with no electrical connections among control channels. Except for two PORVs being powered from the same 480 V, 3-phase bus, the PORVs are electrically separated.

CN-3022 and CN-3034

7.4.1.3 Pressurizer Heater Controls. Pressurizer heater control is provided to maintain the RCS at operating pressure following a reactor trip to prevent excessive cooling and depressurization of the system. Normal operation is automatic via the proportional and backup heaters, as described in Section 7.7. If, for any reason, the normal pressure-regulating system is not available, the operator will control either of two backup heater groups A and B in the pressurizer by manual ON-OFF control switches provided in the control room and on the ASP. The pressurizer heaters are not required for safe shutdown. Note that the pressurizer backup heater groups C and D are provided with non-Class 1E power and may be used if available and offsite power is present.

1. Initiating Circuits In normal automatic operation, the heaters are controlled by pressurizer pressure and level as described in Section 7.7. In addition, the backup heater groups are provided with direct manual control for initiation by the station operator.
2. Logic Figure 7.4-2 shows the logic diagram for backup heater groups A and B.
3. Bypass Control of the backup pressurizer heater groups A and B from the control room is bypassed at the transfer switch panels when control is transferred to the ASP. This transfer of control is alarmed and indicated in the control room through the Main Control Room Annunciator System and is also indicated in the Emergency Response Facilities Data Acquisition and Display System (ERFDADS) (Section 7.5.7).
4. Interlocks All pressurizer heater groups are connected with a level switch to cut off power to the heaters on pressurizer low-low water level, thereby preventing heater damage. This interlock is bypassed at the ASP for the manual control of pressurizer backup heater groups A and B.
5. Redundancy Two backup heater groups (A and B) are provided, either of which can provide the necessary energy input to the primary system for the safe shutdown condition.
6. Diversity The A and B backup heater groups are powered from separate Class 1E power supplies.
7. Actuated Devices Pressurizer backup heater groups A and B are actuated devices.
8. Supporting Systems Pressurizer backup heater groups A and B are each powered from an independent Class 1E bus.
9. Portion of Systems Not Required for Safety The pressurizer heaters are not required for safety.
10. Design Bases Information The design bases of the pressurizer backup heater manual controls are to achieve operational objectives. The A and B backup pressurizer heater groups are desirable to respond to low reactor coolant pressure following a reactor trip with or without LOOP. The manual control equipment is designed to be powered from the Class 1E power system as discussed in Chapter 8. The A and B backup pressurizer heater manual controls maintain the RCS pressure during an extended safe shutdown. Sufficient time is available for manual operation.

7.4.1.4 Centrifugal Charging Pumps. If the unit is maintained in a safe shutdown condition for a prolonged time, a centrifugal charging pump may be required to maintain the reactor coolant inventory so that the water level in the pressurizer is maintained above the heaters. At the time the charging pump is brought into operation to replenish the RCS, the boron concentration of the RCS may be increased if desired. Normal operation of the pressurizer level control system is automatic, as described in Section 7.7. Manual control is also provided both inside and outside the main control room. During normal shutdown conditions, the charging flow control valve will regulate charging flow in order to maintain pressurizer water level. If the charging flow control valve is not available for automatic or remote manual operation, controlled charging is available via the RCP seal injection path or through the normal charging path (Section 9.3.4.1) utilizing manual valve alignment to maintain pressurizer water level. A detailed description of the charging portion of the CVCS and its operation and safety evaluation is provided in Section 9.3.4.
1. Initiating Circuits The charging pumps and associated valves are controlled manually by the station operator for safe shutdown service.

2. Logic See Figure 7.4-3.
3. Bypass Control from the control room of the charging pumps is manually bypassed at the transfer switch panels when control is transferred to the ASP. This transfer of control is alarmed and indicated in the control room through the ESF Status Monitoring System (Section 7.5.4).
4. Interlocks There are no interlocks associated with the manual controls.
5. Redundancy Two independent centrifugal charging pumps and control circuits are provided, either of which can provide the necessary input to the primary system for the safe shutdown condition.
6. Diversity The two centrifugal charging pumps and associated valves are powered from independent Class 1E busses.
7. Actuated Devices The charging pumps and associated valves are the actuated devices.
8. Supporting Systems The charging pumps and associated valves and controls obtain power from the Class 1E Power System (Chapter 8). Ventilation and component cooling water support is required (Sections 9.4.3 and 9.2.2, respectively).
9. Portion of System Not Required for Safety The ESF Status Monitoring System is not required for safety.
10. Design Bases Information The design bases of the charging pump manual controls (in accordance with Section 3 of IEEE 279-1971) are:
a. The generating station condition which requires protective action:

The charging pumps and their controls are needed to respond to low pressurizer water level following a reactor trip with or without LOOP.

b. The range of transient and steady-state conditions of both the energy supply and the environment during normal, abnormal, and accident circumstances throughout which the system must perform:

The essential power supply is discussed in Chapter 8. The equipment is designed to the pressure, temperature, and humidity environment given in Section 3.11. Accident conditions other than earthquake are not applicable to this discussion.

c. The malfunctions, accidents, or other unusual events which could physically damage protection system components, for which provisions must be incorporated to retain necessary protective action:

The charging pump manual controls are designed to withstand the effects of a Safe Shutdown Earthquake (SSE) without loss of function. The equipment is designed, and its components located, to prevent loss of function from missile damage. Accident conditions other than earthquake are not applicable to this discussion.

d. Minimum performance requirements, including system response times, system accuracies, ranges of the magnitudes, and rates of change of sensed variables, to be accommodated until proper conclusion of the protective action is assured:

The charging pumps are required only for a prolonged safe shutdown situation.

Sufficient time is available for manual operation.

7.4.1.5 Boric Acid Transfer Pump Controls. For an extended safe shutdown lasting approximately 25 hours or more, boration of the RCS may be required to counteract the positive reactivity insertion caused by xenon decay. The boric acid transfer pumps provide the means to transfer concentrated boric acid solution from the boric acid tanks to the charging system to accomplish the boration of the RCS. A detailed description of the boric acid transfer portion of the CVCS, along with its operation and safety evaluation, is provided in Section 9.3.4. The boric acid transfer pumps and associated valving are controlled automatically by the Reactor Makeup Control System (RMCS), as described in Section 9.3.4.1.2, or manually by the operator.

Manual control is provided for the boric acid transfer pumps in the main control room and at the ASP.

During normal shutdown conditions, the boric acid flow control valve will regulate the amount of boric acid flowing into the CVCS for reactor makeup. If the boric acid flow control valve is not available for automatic or remote manual operation, start-stop boric acid pump operation will regulate the amount of boric acid being transferred through alternate paths.

1. Initiating Circuits The boric acid transfer pumps and associated valves are controlled manually by the station operator for safe shutdown service.

2. Logic See Figure 7.4-4.
3. Bypass Control from the control room of the boric acid transfer pumps is bypassed at the transfer switch panels when the control is transferred to the ASP. This transfer of control is alarmed and indicated in the control room through the ESF Status Monitoring System (Section 7.5.4).
4. Interlocks No interlocks are involved in the manual control system.
5. Redundancy Two independent boric acid transfer pumps are provided, either of which can provide the necessary concentrated boric acid to the charging pump suction for the safe shutdown condition.
6. Diversity The two boric acid transfer pumps are powered from independent Class 1E busses.
7. Actuated Devices The boric acid transfer pumps and associated valves are the actuated devices.
8. Supporting Systems The boric acid transfer pumps and associated valves and controls obtain power from the Class 1E Power System (Chapter 8). Ventilation support is required (Section 9.4.3).
9. Portion of System Not Required for Safety The ESF Status Monitoring System is not required for safety.
10. Design Bases Information The design bases of the boric acid transfer pump controls (in accordance with Section 3 of IEEE 279-1971) are:
a. The generating station condition which requires protective action:

Prolonged hot shutdown (approximately 25 hours or more) with significant effects from xenon decay with or without LOOP.

b. The range of transient and steady-state conditions of both the energy supply and the environment during normal, abnormal, and accident circumstances throughout which the system must perform:

The Class 1E Power System is discussed in Chapter 8. The equipment is designed for the pressure, temperature, and humidity environment given in Section 3.11. Accident conditions other than earthquake are not applicable to this discussion.

c. The malfunctions, accidents, or other unusual events which could physically damage protection system components, for which provisions must be incorporated to retain necessary protective action:

The manual boric acid transfer pump controls are designed to withstand the effects of an SSE without loss of function. The system components are physically located to prevent loss of function from missile damage. Accident conditions other than earthquake are not applicable to this discussion.

d. Minimum performance requirements, including system response times, system accuracies, ranges of the magnitude, and rates of change of sensed variables, to be accommodated until proper conclusion of the protective action is assured:

The boric acid transfer pump is required only for an extended safe shutdown (approximately 25 hours or more). Thus there is ample time for manual operation.

7.4.1.6 Letdown Stop Valves. Valves are provided in the letdown line which are capable of terminating reactor coolant letdown. In the safe shutdown condition, the letdown is manually terminated if the makeup system is not in operation in order to maintain pressurizer water level above the heaters. This is accomplished by remote manual closure of the letdown stop valves in conjunction with downstream isolation valves. A detailed description of the letdown portion of the CVCS, along with its operation and safety evaluation, is provided in Section 9.3.4.1.2.

1. Initiating Circuits The letdown stop valves are closed by a pressurizer low water level signal or remote manually by the operator.
2. Logic See Figure 7.6-16.
3. Bypass Control of the letdown stop valves from the control room is bypassed at the transfer switch panel when control is transferred to the ASP. This transfer of control is alarmed and indicated in the control room through the ESF Status Monitoring System (Section 7.5.4).

4. Interlocks When controlled from the control room, the letdown stop valves are closed by the signals indicated in item 1, above. When a letdown stop valve is being closed or opened manually from the control room, should the letdown orifice header isolation valve not be closed, an annunciator will sound; the operator must hold the letdown stop valve control switch in the desired position until valve position starts to change. This time delay is provided to give the operator time to evaluate the valve positions so as to prevent flashing in the regenerative heat exchanger. From the auxiliary shutdown panel, valve control is strictly manual. No automatic signals for closure of the valves are provided; no alarms are provided.

5. Redundancy Two independent letdown stop valves are provided. Either valve will stop the letdown flow for the safe shutdown condition.
6. Diversity The two letdown stop valves are powered and controlled from independent Class 1E busses.
7. Actuated Devices The letdown stop valves are the actuated devices.
8. Supporting Systems The valves and their controls are powered from the Class 1E Power System (Chapter 8).
9. Portion of System Not Required for Safety The ESF Status Monitoring System is not required for safety.
10. Design Bases Information The design bases of the letdown stop valves manual controls (in accordance with Section 3 of IEEE 279-1971) are:
a. The generating station condition which requires protective action:

Manual valve closure to respond to low pressurizer water level following a reactor trip with or without LOOP.

b. The range of transient and steady-state conditions of both the energy supply and the environment during normal, abnormal, and accident circumstances throughout which the system must perform:

The Class 1E Power System is discussed in Chapter 8. The equipment is designed for the pressure, temperature, and humidity environment given in Section 3.11. Accident conditions other than earthquake are not applicable to this discussion.

c. Malfunctions, accidents, or other unusual events which could physically damage protection system components, for which provisions must be incorporated to retain necessary protective action:

The controls for the letdown stop valves are designed to withstand the effects of an SSE without loss of function.

The system is designed, and its components are physically located, to prevent loss of function from missile damage. Accident conditions other than earthquakes are not applicable to this discussion.

d. Minimum performance requirements, including system response times, system accuracies, ranges of the magnitudes, and rates of change of sensed variables, to be accommodated until proper conclusion of the protective action is assured:

During safe shutdown the response of the RCS is relatively slow. Manual operation is sufficient.

7.4.1.7 Other Controls Required for Safe Shutdown. The other equipment and systems required to maintain the unit in the safe shutdown condition are:

1. Condensate Storage and Transfer System (Section 10.4.7)
2. Essential Cooling Water System (ECWS) (Section 9.2.1)
3. Component Cooling Water System (CCWS) (Section 9.2.2)
4. RCFCs (Section 6.2.2)
5. SBDGs (Sections 8.3 and 9.5)
6. Control Room Envelope and Electrical Auxiliary Building (EAB) Heating Ventilating and Air Conditioning (HVAC) System (Section 9.4.1)
7. Emergency Ventilation Systems for areas housing equipment required for safe shutdown (Section 9.4)

These systems are normally operating continuously except for the SBDGs and the emergency ventilation systems, which start automatically when required. The instrumentation and control (I&C) for these systems are described in the respective sections noted above. Further discussion of the actuation and controls for the ESF systems is provided in Section 7.3.

7.4.1.8 Equipment and Systems Available for Cold Shutdown. The systems and controls required for cold shutdown are described in Appendix 5.4.A. The capability to achieve safe shutdown from outside the control room is discussed in Section 7.4.1.9.

7.4.1.9 Safe Shutdown From Outside the Control Room. If temporary evacuation of the control room is required, the operators can establish and maintain the plant in a safe shutdown condition from outside the control room through the use of controls located at the ASP, transfer switch panels and other local control stations. In addition to maintaining safe shutdown from outside the control room, these panels provide the capability, in conjunction with limited local manual actions, for implementing cold shutdown from outside the control room. The effects of control room and relay room fires, and use of the ASP, transfer switch panels, and other local control stations to mitigate the consequences thereof, are addressed in the Fire Hazards Analysis Report (FHAR) submitted to the Nuclear Regulatory Commission (NRC) under separate cover.

7.4.1.9.1 Auxiliary Shutdown Panel: The ASP is located in the EAB at El. 10 ft. Both Class 1E and non-Class 1E controls and indicators are provided. Electrical separation is maintained between separation groups (as identified in Section 8.3) within the panel in accordance with the criteria described in Section 8.3.

The controls on the ASP are electrically isolated from those in the control room by transfer switches located on the transfer switch panels, with the exception of the controls associated with the turbine-driven AFW pump train and associated flow regulation. The transfer switches for the turbine-driven AFW pump and associated flow regulation controls are located on the ASP. Safety-related display is provided by the QDPS via redundant plasma display units located on the ASP. The QDPS is described in Section 7.5.6. The controls and monitoring indicators provided at the ASP are identified in Table 7.4-1. The monitored parameters available via the QDPS are identified in Table 7.5-1. Other nonsafety-related parameters are available at the ASP via the ERFDADS, which is described in Section 7.5.7. The ASP equipment layout is shown in Figures 7.4-6 and 7.4-7.

The ASP is intended for use following an evacuation of the control room only. No actions from the ASP are anticipated during normal plant operations. The transfer of control from the control room to the ASP is alarmed and indicated in the control room. Access to the ASP is administratively controlled.

7.4.1.9.2 Transfer Switch Panels: The six transfer switch panels are located in the EAB with two of the panels located in each of their associated switchgear rooms on El. 10 ft, 35 ft, and 60 ft.

The transfer switches and controls provided on the panels are identified in Table 7.4-2. The equipment layout of the transfer switch panels is shown in Figures 7.4-8 through 7.4-13. The switches and controls provided on the transfer switch panels are Class 1E. Electrical and physical separation is maintained between the separation groups in accordance with the criteria described in Section 8.3. The transfer switch panels provide control transfer between the control room and the ASP control circuits. In addition, control is provided on the transfer switch panels for equipment that requires one time or infrequent control during safe shutdown. Transfer of control from the control room is alarmed and indicated in the control room. The transfer switch panels are intended for use following an evacuation of the control room only. No actions from the transfer switch panels are anticipated during normal plant operations. Access to the transfer switch panels is administratively controlled.

7.4.1.9.3 Other Local Control Stations: In addition to the controls and indicators provided at the ASP and transfer switch panels, the following controls are provided outside the control room:

1. Reactor trip capability, provided at the reactor trip switchgear.
2. Start/stop controls and transfer switches for the SBDGs, located on each diesel generator (DG) local panel.
3. Start/stop controls for the essential chillers, located on each essential chiller local panel.
4. Start/stop controls and transfer switches for the Essential Cooling Water Intake Structure (ECWIS) ventilation fans, located at motor control centers.
5. Open/close controls for various support equipment not requiring immediate or constant control, located at motor control centers.
6. Disconnect switches for solenoid valves to fail open or closed (depending on application) air-operated valves, located at the auxiliary relay cabinets.

7.4.1.9.4 Communications: Communications are provided between the ASP, the control room, switchgear rooms, and the Technical Support Center (TSC) via the dc-powered headset system. Onsite telephone extensions are provided at the ASP and other auxiliary shutdown control stations. Operator Communications Panels (OCP) are provided in the ASP and the TSC and the offsite Emergency Operations Facility (EOF) and the control room. The communications systems are further described in Section 9.5.2.

7.4.1.9.5 Design Bases Information: In accordance with NRC General Design Criterion (GDC) 19, the capability of establishing a safe shutdown condition and maintaining the station in a safe status in that mode is considered an essential function. The controls and indications essential to this function are identified in Section 7.4.1. To ensure availability of the ASP, transfer switch panels, and essential local control stations (those identified in Section 7.4.1.9.3) after control room evacuation, the following design features have been utilized:

1. The ASP, including essential instrumentation mounted on it, and the transfer switch panels are designed to withstand an SSE with no loss of essential functions. The essential local control stations are also designed to withstand an SSE with no loss of essential functions.
2. The ASP, transfer panels, and essential local stations, including essential controls and indicators, are designed to comply with applicable portions of IEEE 279-1971. An analysis for shutdown from outside the control room with respect to appropriate NRC criteria is provided in Section 7.4.2.7.

7.4.2 Analysis

Safe shutdown is a stable plant condition that is reached following a plant shutdown. The safe shutdown condition can be maintained safely for an extended period of time. In the unlikely event access to the control room is restricted, the plant can be safely kept at a safe shutdown by the use of the monitoring indicators and the controls discussed in Section 7.4.1.9 until the control room can be reentered.

The safety evaluation of the maintenance of a shutdown with the systems and associated instrumentation and controls identified in Sections 7.4.1.1 through 7.4.1.8 has included consideration of the accident consequences that might jeopardize safe shutdown conditions. The accident consequences that are germane are those that would tend to degrade the capabilities for coolant circulation, boration, and residual heat removal. The results of the accident analyses are presented in Chapter 15. Of these, the following produce the most severe consequences that are pertinent:

1. Uncontrolled boron dilution
2. Loss of normal feedwater
3. Loss of external electrical load and/or turbine trip
4. Loss of ac power to the station auxiliaries (station blackout)

These analyses show that safety is not adversely affected by these incidents, and that the instruments and controls indicated in Sections 7.4.1.1 through 7.4.1.8 are available to control and/or monitor shutdown. These available systems will allow a maintenance of safe shutdown even under the accident conditions listed above, which would tend towards a return to criticality or a loss of heat sink.

7.4.2.1 Analysis for Auxiliary Feedwater Controls.

1. Conformance to NRC GDC

a. GDC 13 Instrumentation necessary to monitor station variables associated with safe shutdown is provided in the main control room and at the ASP. Controls for the AFW are provided at each location. A description of the surveillance instrumentation is provided in Section 7.5.
b. GDC 19 All controls and indications required for safe shutdown of the reactor are provided in the main control room. In the event the main control room must be evacuated, adequate controls and indications are located outside the main control room to (1) bring to and maintain the reactor in a safe shutdown condition and (2) provide potential capability to achieve cold shutdown.

The ASP and the transfer switch panels, located outside the main control room, are described in Section 7.4.1.9.

c. GDC 34 The AFW provides an adequate supply of feedwater (FW) to the SGs to remove reactor decay heat following reactor trip.

Two SGs with AFW supply are sufficient to remove reactor decay heat without exceeding design conditions of the RCs.

2. Conformance to NRC Regulatory Guides (RGs)
a. RG 1.22 The AFW controls are designed to allow periodic testing to satisfy Technical Specification requirements.
b. RG 1.29 The AFW controls are designed to withstand the effects of an earthquake without loss of function or physical damage. The AFW control system is classified seismic Category I in accordance with the Guide.
3. Conformance to IEEE 279-1971 The AFW controls are designed to conform to the applicable portions of IEEE 279-1971. The control and actuation circuits are designed such that any single failure will not prevent proper protective action (adequate AFW supply) when required. This is accomplished by redundant systems. Each AFW train, including valves, utilizes control power from independent Class 1E power systems.
4. Conformance to other Criteria, Guides, and Standards Conformance to other criteria, guides, and standards is indicated on Figure 7.1-1.

7.4.2.2 Analysis for Atmospheric Steam Relief.

1. Conformance to NRC GDC

a. GDC 13 Instrumentation necessary to monitor station variables associated with safe shutdown is provided in the main control room and on the ASP. Controls for the SG PORVs are provided at each location. A description of the surveillance instrumentation is provided in Section 7.5.
b. GDC 34 The MS safety valves or the PORVs provide an adequate means of venting the SGs to remove reactor decay heat following reactor trip. Modulation of the PORVs provides the desired rate of heat removal from the RCS to maintain the unit in the safe shutdown condition. The atmospheric steam relief system has sufficient redundancy to ensure its intended function, assuming a single failure.
2. Conformance to NRC RGs
a. RG 1.22 The PORV controls can be tested periodically. The MS safety valves are tested at intervals identified in the Technical Specifications.
b. RG 1.29 The MS safety valves and PORVs are designed to withstand the effects of an SSE without loss of function. These valves are classified as seismic Category I in accordance with the Guide.
3. Conformance to IEEE 279-1971 Although the SG PORVs are not required for safe shutdown, the SG PORV controls are designed to conform to the portions of IEEE 279-1971 applicable to manual controls. The control circuits are designed such that any single failure will not prevent proper system response when required. This is accomplished by redundant SGs with a PORV available on each SG. Two PORVs are powered from independent Class 1E power systems and the other two PORVs by a third independent Class 1E power system. The four PORV control circuits are powered from independent Class 1E power systems.

7.4.2.3 Analysis for Pressurizer Heater Controls.

1. Conformance to NRC GDC
a. GDC 13 Instrumentation necessary to monitor station variables associated with safe shutdown is provided in the main control room and on the ASP. Manual controls for the pressurizer backup heaters are provided at each location. A description of the surveillance instrumentation is provided in Section 7.5.
b. GDC 34 The pressurizer backup heater groups A and B manual controls provide adequate control of the primary system pressure to prevent excessive depressurization of the RCS. One group of heaters is sufficient to provide the necessary heat to the RCS to maintain the unit in the safe shutdown condition.
2. Conformance to NRC Regulatory Guides
a. RG 1.22 The pressurizer backup heater groups A and B manual controls are tested at intervals identified in the Technical Specifications.
b. RG 1.29 The pressurizer backup heater groups A and B manual controls are designed to withstand the effects of an SSE without loss of function or physical damage. The pressurizer backup heater manual controls are classified seismic Category I in accordance with the guide.
3. Conformance to IEEE 279-1971 Although the pressurizer heaters are not required for safety, to achieve operational objectives the pressurizer backup heater groups A and B manual controls are designed to meet those portions of IEEE 279-1971 applicable to manual controls. The manual control circuits are designed so that any single failure will not prevent proper protective action (RCS pressure control) when required. This is accomplished by two pressurizer backup heater systems each utilizing power from an independent Class 1E power system. In order to prevent interaction between the redundant systems, the manual control channels are wired independently and separated with no electrical connections between manual control channels. The automatic control function associated with the backup heaters is isolated from the automatic control circuitry.

7.4.2.4 Analysis for Centrifugal Charging Pumps.
1. Conformance to NRC GDC
a. GDC 13 Instrumentation necessary to monitor station variables associated with safe shutdown is provided in the main control room and on the ASP. Manual controls for the centrifugal charging pumps are provided both inside and outside the control room. A description of the surveillance instrumentation is provided in Section 7.5.
b. GDC 19 The centrifugal charging pump manual controls provide adequate means to control the pressurizer level to preclude loss of the pressurizer heaters due to low-low water level. One centrifugal charging pump is sufficient to provide the necessary makeup to the RCS to maintain the safe shutdown condition.
2. Conformance to NRC RGs
a. RG 1.22 Operability of the centrifugal charging pump manual controls is confirmed by their use during operation.
b. RG 1.29 The centrifugal charging pump manual controls are designed to withstand the effects of an SSE without loss of function or physical damage. The centrifugal charging pump manual controls are classified seismic Category I in accordance with the Guide.
3. Conformance to IEEE 279-1971 The centrifugal charging pump manual controls are designed to meet the portions of IEEE 279-1971 applicable to manual controls. The manual control circuits are designed so that any single failure will not prevent proper protective action (makeup to the RCS) when required.

This is accomplished by two redundant centrifugal charging pump systems. Each charging pump utilizes power from an independent Class 1E power system. In order to prevent interaction between the redundant systems, the manual control channels are wired independently and separated with no electrical connections between manual control channels. The normal automatic control circuits are electrically isolated from the manual controls to assure manual control system independence.

4. Conformance to Other Criteria and Standards Conformance to other criteria and standards is indicated in Figure 7.1-1.

7.4.2.5 Analysis for Boric Acid Transfer Pumps.

1. Conformance to NRC GDC

a. GDC 13 Instrumentation necessary to monitor station variables associated with safe shutdown is provided in the main control room and on the ASP. Manual controls for the boric acid transfer pumps are provided both inside and outside the control room. A description of the surveillance instrumentation is provided in Section 7.5.
2. Conformance to NRC RGs
a. RG 1.22 Operability of the boric acid transfer pump manual controls is confirmed by their use during operation.
b. RG 1.29 The boric acid transfer pump manual controls are designed to withstand the effects of an SSE without loss of function or physical damage.

The boric acid transfer pump manual controls are classified seismic Category I in accordance with the Guide.

3. Conformance to IEEE 279-1971 The boric acid transfer pump manual controls are designed to meet those portions of IEEE 279-1971 applicable to manual controls. The manual control circuits are designed so that any single failure will not prevent proper protective action (boric acid supply to the charging system) when required. This is accomplished by two redundant boric acid transfer pumps. Each boric acid transfer pump utilizes power from an independent Class 1E power system.

In order to prevent interaction between the redundant systems, the manual control channels are wired independently and separated with no electrical connections between manual control channels. The normal automatic control circuits are electrically isolated from the manual controls to prevent jeopardizing control system reliability.

4. Conformance to other criteria and standards is indicated in Figure 7.1-1.

7.4.2.6 Analysis of Letdown Stop Valves.

1. Conformance to NRC GDC

a. GDC 13 Instrumentation necessary to monitor station variables associated with safe shutdown is provided in the main control room and on the ASP. Manual controls for the letdown isolation function via the letdown stop valves are provided both inside and outside the control room.

A description of the surveillance instrumentation is provided in Section 7.5.


b. GDC 19 The letdown stop valve controls provide adequate means to control the reactor coolant letdown to prevent excessive lowering of pressurizer water level. Either valve is sufficient to terminate letdown.
2. Conformance to NRC RGs
a. RG 1.22 The letdown stop valve controls can be tested periodically during operation by temporarily terminating the letdown during normal operation.
b. RG 1.29 The letdown stop valve controls are designed to withstand the effects of an earthquake without loss of function or physical damage. The letdown stop valve controls are classified seismic Category I in accordance with the Guide.
3. Conformance to IEEE 279-1971 The letdown stop valve manual controls are designed to meet those portions of IEEE Standard 279-1971 applicable to manual controls. The manual control circuits are designed so that any single failure will not prevent proper protective action (limiting reactor coolant losses via the letdown path) when required. This is accomplished by redundant letdown stop valves. Each letdown stop valve utilizes power from an independent Class 1E power system. In order to prevent interaction between the redundant systems the manual control channels are wired independently and separated with no electrical connections between manual control channels.
4. Conformance to Other Criteria and Standards Conformance to other guides and standards is indicated in Figure 7.1-1.

7.4.2.7 Analysis for Shutdown From Outside the Control Room.
1. Conformance to NRC GDC
a. GDC 19 The ASP and transfer switch panels, in conjunction with the essential local control stations discussed in Section 7.4.1.9, provide adequate controls and indications located outside the main control room to maintain the reactor and the RCS in the safe shutdown condition in the event the main control room must be evacuated.
2. Conformance to NRC RGs
a. RG 1.22 The ASP, transfer switch panels, and essential local control stations are designed to be tested periodically during station operation.
b. RG 1.29 The ASP, transfer switch panels, and essential local control stations are designed to withstand the effects of an SSE without loss of function or physical damage. The ASP, transfer switch panels, and essential local control stations are classified seismic Category I.
c. RG 1.68.2 The initial startup test program demonstrated the capability to establish and maintain hot standby and the potential for cold shutdown from outside the Control Room.

Refer to Sections 14.2.12.2, Test 98 and 14.2.12.3, Test 25.

3. Conformance to IEEE 279-1971 The ASP and transfer switch panels, including essential controls and indications, and the essential local control stations are designed to conform to applicable portions of IEEE 279-1971. The control circuits at the ASP, transfer switch panels, and essential local control stations are designed so that any single failure will not prevent proper protective action (maintaining safe shutdown) when required. This is accomplished by redundant controls for the systems required for safe shutdown utilizing independent Class 1E power systems. To prevent interaction between the redundant systems, the control channels are wired independently and separated with no electrical connections between redundant control systems. Nonessential control circuits and nonessential monitoring circuits are electrically isolated from essential controls and indications to prevent jeopardizing the reliability of the systems required for safe shutdown.
4. Conformance to Other Guides, Criteria, and Standards The additional guides, criteria, and standards listed in Figure 7.1-1 apply only to the essential instrumentation and controls required for safe shutdown from outside the control room.

7.4.2.8 Consideration of Selected Plant Contingencies.

7.4.2.8.1 Loss of Instrument Air Systems: Essential electrically-powered instrumentation is supplied from the Class 1E power systems. Therefore, loss of the instrument air system will not degrade instrumentation required for safe shutdown.

7.4.2.8.2 Loss of Cooling Water to Vital Equipment: Cooling water to equipment required for safe shutdown is provided on a train basis (Sections 9.2.1 and 9.2.2). The loss of a train of cooling water would affect only one train of safe shutdown equipment. Redundancy of safe shutdown equipment is provided; therefore, the loss of a train of cooling water will not degrade the safe shutdown capability.

7.4.2.8.3 Plant Load Rejection, Turbine Trip, and Loss of Offsite Power: In the event of LOOP associated with plant load rejection on turbine trip, power for safe shutdown is provided by the onsite Class 1E power system. The SBDGs provide power for the operation of safety-related pumps and valves. The Class 1E 125 vdc and 120 vac systems provide power for the operation of control and instrumentation required to actuate and control essential components. See Section 8.3 for a full description of the various Class 1E power systems and their redundancy.

7.4.3 Shutdown Under Station Blackout Conditions

Shutdown capability is provided by utilizing only safety-related equipment. Safe shutdown of each unit can be achieved utilizing safety-related and Class 1E equipment/components listed in Section 2, Table 2-2 of the FHAR. The nonsafety-related equipment listed in Table 2-2 is not part of Station Blackout. The detailed information with respect to the safety class, standard, code, seismic category and Quality Assurance of equipment used in responding to a Station Blackout event is as identified in Section 3.2, Table 3.2.A-1.

TABLE 7.4-1 CONTROLS AND MONITORING INDICATORS LOCATED ON THE AUXILIARY SHUTDOWN PANEL

Item No.(a); Device Description(b); Instrument Tag No.(c); Position(d); Separation Group(e)
100I001; Steam Gen 1A W/R Water Level; N1FW-LI-0501A; N/A; N
100I002; Steam Gen 1B W/R Water Level; N1FW-LI-0502A; N/A; N
100I003; Steam Gen 1C W/R Water Level; N1FW-LI-0503A; N/A; N
100I004; Steam Gen 1D W/R Water Level; N1FW-LI-0504A; N/A; N
100I005; Przr Water Level; N1RC-LI-0465A; N/A; N
100I006; Przr Water Level; N1RC-LI-0466A; N/A; N
100I007; RCS W/R Pressure Loop 3; N1RC-PI-0406B; N/A; N
100I009; AFW Flow To SG 1A; N1AF-FI-7525A; N/A; N
100I010; AFW Flow To SG 1B; N1AF-FI-7524A; N/A; N
100I011; AFW Flow To SG 1C; N1AF-FI-7523A; N/A; N
100I012; AFW Flow To SG 1D; N1AF-FI-7526A; N/A; N
100I013; Extended Range Power Level CH 45; N1N1-NI-0045A; N/A; N
100I014; Extended Range Power Level CH 46; N1N1-NI-0046B; N/A; N
100I015; RCS Loop 1 W/R Cold Leg Temp; N1RC-TI-0414A; N/A; N
100I016; RCS Loop 2 W/R Cold Leg Temp; N1RC-TI-0424A; N/A; N
100I017; Charging Flow Indicator; N1CV-FI-0205B; N/A; N
100I018; AFW Pressure, Loop D; N1AF-PI-7529A; N/A; N
100I019; RCS W/R Pressure Loop 1; N1RC-PI-0407A; N/A; N
100I020; RHR HX 1A Outlet Temp; N1RH-TI-0857; N/A; N
100I021; RHR HX 1B Outlet Temp; N1RH-TI-0858; N/A; N
100I022; RHR HX 1C Outlet Temp; N1RH-TI-0859; N/A; N
100I023; RHR Pump 1A Disch Flow; N1RH-FI-0867A; N/A; N
100I024; RHR Pump 1C Disch Flow; N1RH-FI-0869A; N/A; N
100I025; RHR Pump 1B Disch Flow; N1RH-FI-0868A; N/A; N
100I026; RCS Loop 3 W/R Cold Leg Temp; N1RC-TI-0434A; N/A; N
100I027; RCS Loop 4 W/R Cold Leg Temp; N1RC-TI-0444A; N/A; N
100K001; SG 1A PORV PV-7411; A1MS-PK-7411A; N/A; A
100K002; SG 1B PORV PV-7421; B1MS-PK-7421A; N/A; B
100K003; SG 1C PORV PV-7431; C1MS-PK-7431A; N/A; C
100K004; SG 1D PORV PV-7441; D1MS-PK-7441A; N/A; D
100K006; RHR HX 1A Outlet Flow Control; N1SI-HK-0851; N/A; N
100K007; RHR HX 1B Outlet Flow Control; N1SI-HK-0852; N/A; N
100K008; RHR HX 1C Outlet Flow Control; N1SI-HK-0853; N/A; N
100K009; RX Head Vent Throttle HCV-602; B1RC-HK-602A; N/A; B
100K010; RX Head Vent Throttle HCV-601; A1RC-HK-601A; N/A; A
100K011; RHR HX 1A Outlet Temp Control HCV-0864; N1RH-HK-0864; N/A; N
100K012; RHR HX 1B Outlet Temp Control HCV-0865; N1RH-HK-0865; N/A; N
100K013; RHR HX 1C Outlet Temp Control HCV-0866; N1RH-HK-0866; N/A; N
100K014; Charging Flow Control FCV-0205; N1CV-FK-0205A; N/A; N
100M001; Plasma Display QDPS; C1AM-CRT-0001P; N/A; C
100M001A; Plasma Display Electronic Box QDPS; N/A; N/A; C
100M002; Plasma Keyboard QDPS; C1AM-CRH-0002K; N/A; C
100M003; Plasma Display QDPS; A1AM-CRT-0003P; N/A; A
100M004; Plasma Keyboard QDPS; A1AM-CRH-0004K; N/A; A
100M005; QDPS Demux Card Cage; N/A; N/A; N
100M006; QDPS Demux Power Supply; N/A; N/A; N
100M007; Alarm Horn Aux. Relay; N/A; N/A; N
100M008; Plasma Display/ERFDADS CRT Alarm Horn; N/A; N/A; N
100S001; AFW PMP 11; A1AF-HS-7506C; Stop / Start; A
100S002; AFW PMP 12; B1AF-HS-7507C; Stop / Start; B
100S003; AFW PMP 13; C1AF-HS-7508C; Stop / Start; C
100S004; Przr Htr Back-up GP 1A; A1RC-HS-0676F; Off / On; A
100S005; Przr Htr Back-up GP 1B; C1RC-HS-0676G; Off / On; C
100S006; Charging Pump 1A; C1CV-HS-0287A; Stop / Start; C
100S007; Charging Pump 1B; A1CV-HS-0288A; Stop / Start; A
100S008; Letdn Orifice Isol Vlv FV-0012; A1CV-HS-0012A; Close / Open; A
100S009; Letdn Orifice Isol Vlv FV-0013; C1CV-HS-0013A; Close / Open; C
100S010; Letdn Orifice Isol Vlv MOV-0014; C1CV-HS-0014A; Close / Open; C
100S011; Boric Acid Transfer Pump 1A; C1CV-HS-0209C; Stop / Start; C
100S012; Boric Acid Transfer Pump 1B; A1CV-HS-0209E; Stop / Start; A
100S013; AFW Pump 14 Turb Trip & Throttle MOV-0514 Throttle Switch; D1AF-HS-0514B; Close / Open; D
100S014; AFW Pump 14 Turb Steam Inl Vlv MOV-0143 & Bypass Valve FV-0143; D1AF-HS-0143C; Close / Open; D
100S015; Aux FW Pump 11 Isol Vlv MOV-0048; A1AF-HS-0048C; Close / Open; A
100S016; Aux FW Pump 12 sol Vlv MOV-0065; B1AF-HS-0065C; Close / Open; B
100S017; Aux Fw Pump 13 Isol Vlv MOV-0085; C1AF-HS-0085C; Close / Open; C
100S018; Aux FW Pump 14 Isol Vlv MOV-0019; D1AF-HS-0019C; Close / Open; D
100S019; AFW Pump 14 Stm Inl Vlv Transfer Switch MOV-0143/FV-0143; D1AF-HS-0143B; CR / ASP; D
100S019A; AFW Pump 14 Turb Steam Inlet Bypass Vlv FV-0143; N/A; N/A (Lights Only); D
100S020; AFW Turb Trip & Throttle Valve MOV-0514 Transfer Switch; D1AF-HS-0514C; CR / ASP; D
100S021; AFW Turb Pump Isol Valve MOV-0019 Transfer Switch; D1AF-HS-0019B; CR / ASP; D
100S022; Pressurizer PORV PCV-0656A; B1RC-HS-0656B; Close / Open; B
100S023; Pressurizer PORV PCV-0655A; A1RC-HS-0655B; Close / Open; A
100S024; RHR Pump 1A Suct Isol Vlv MOV-0060A; A1RH-HS-0060G; Close / Open; A
100S025; RHR Pump 1C Suct Isol Vlv MOV-0061C; A1RH-HS-0061I; Close / Open; A
100S026; RHR Pump 1B Suct Isol Vlv MOV-0060B; B1RH-HS-0060H; Close / Open; B
100S027; RHR Pump 1A Suct Isol Vlv MOV-0061A; B1RH-HS-0061G; Close / Open; B
100S028; RHR Pump 1C Suct Isol Vlv MOV-0060C; C1RH-HS-0060I; Close / Open; C
100S029; RHR Pump 1B Suct Isol Vlv MOV-0061B; C1RH-HS-0061H; Close / Open; C
100S030; ACC TK 1A Disch Isol Vlv MOV-0039A; A1SI-HS-0039J; Close / Open; A
100S030A; ACC TK 1A MOV-0039A; N/A; N/A (Lights Only); A
100S031; ACC TK 1B Disch Isol Vlv MOV-0039B; B1SI-HS-0039K; Close / Open; B
100S031A; ACC TK 1B MOV-0039B; N/A; N/A (Lights Only); B
100S032; ACC TK 1C Disch Isol Vlv MOV-0039C; C1SI-HS-0039L; Close / Open; C
100S032A; ACC TK 1C MOV-0039C; N/A; N/A (Lights Only); C
100S034; Letdown Stop Vlv LCV-0465; A1CV-HS-0465A; Close / Open; A
100S035; Letdown Stop Vlv LCV-0468; C1CV-HS-0468A; Close / Open; C
100S036; SG 1A AFW Flow Control Vlv FV-7525; A1AF-HS-7525; Jog Close / Jog Open; A
100S037; SG 1B AFW Flow Control Vlv FV-7524; V1AF-HS-7524; Jog Close / Jog Open; B
100S038; SG 1C AFW Flow Control Vlv FV-7523; C1AF-HS-7523; Jog Close / Jog Open; C
100S039; SG 1D AFW Flow Control Vlv FV-7526; D1AF-HS-7526; Jog Close / Jog Open; D
100S040; ACC TK 1C Disch Isol Vlv MOV-0039C Power Lockout; C1SI-HS-0039P; Power Off / Power On; C
100S041; SG 1D AFW Flow Control Vlv FV-7526 Transfer Switch; D1AF-HS-7526B; CR / ASP; D
100S043; RCS Isol Vlv RVHVS FV-3658A; A1RC-HS-3658C; Close / Open; A
100S044; SG 1D PORV Transfer Switch PV-7441; D1MS-HS-7441; CR / ASP; D
100S045; Przr PORV BLK Vlv MOV-0001A; A1RC-HS-0001C; Close / Open; A
100S046; RCS Isol Vlv RVHVS FV-3657A; A1RC-HS-3657C; Close / Open; A
100S047; RCS Isol Vlv RVHVS FV-3657B; B1RC-HS-3657E; Close / Open; B
100S048; RCS Isol Vlv RVHVS FV-3658B; B1RC-HS-3658E; Close / Open; B
100S049; Przr PORV BLK Vlv MOV-001B; B1RC-HS-0001E; Close / Open; B
100S050; AFW Pump 14 Turb Trip & Throttle MOV-0514 Trip Switch; D1AF-HS-7537B; Trip; D
100S052; ACC TK 1A Disch Isol Vlv MOV-0039A Power Lockout; A1SI-HS-0039M; Power Off / Power On; A
100S053; ACC TK 1B Disch Isol Vlv MOV-0039B Power Lockout; B1SI-HS-0039N; Power Off / Power On; B
100S057; Alarm Horn Selector and Silence; N/A; Off / Enable (Push to Silence In Position 2); N
100S058; Letdown Orifice Hdr Isol Vlv FV-011; C1CV-HS-0011A; Close / Open; C

a. Item No: Panel device item number as shown in Figure 7.4-6 and 7.4-7
b. Device Description: Instrument or control description
c. Instrument Tag No: Instrument tag number as identified on piping and instrument diagrams or component logic diagrams
d. Position: Switch positions
e. Separation Group: Electrical separation group as identified in Section 8.3.1.4

STPEGS UFSAR 7.4-34 Revision 16 TABLE 7.4-2 CONTROL LOCATED ON THE TRANSFER SWITCH PANELS Device Instrument Separation(e) Item No.(a) Description (b) Tag No.c Position(d) Group Panel No. ZLP653 653S001 ESF Bus E1A to Xfmr E1A1 A1PK-HS-0001A Trip Close A 653S002 ESF Bus E1A to Xfmr E1A1 A1PK-HS-0001B CR Local A 653S003 ESF Bus E1A to Xfmr E1A2 A1PK-HS-0002A Trip Close A 653S004 ESF Bus E1A to Xfmr E1A2 A1PK-HS-0002B CR Local A 653S005 Exhaust Fan 11A RCB Containment Cubicle A1HC-HS-9753A Stop Start A 653S006 Exhaust Fan 11A RCB Containment Cubicle A1HC-HS-9753B CR Local A 653S007 Exhaust Fan 12A RCB Containment Cubicle A1HC-HS-9755A Stop Start A 653S008 Exhaust Fan 12A RCB Containment Cubicle A1HC-HS-9755B CR Local A 653S009 IVC/AFW PUMP 14 SPLY FAN 11D A1HC-HS-9747A Stop Start A 653S010 IVC/AFW PUMP 14 SPLY FAN 11D A1HC-HS-9747B CR Local A 653S011 IVC/AFW PUMP 11 SPLY FAN 11A A1HC-HS-9744A Stop Start A 653S012 IVC/AFW PUMP 11 SPLY FAN 11A A1HC-HS-9744B CR Local A 653S013 CCP 1B SUPPL CLR 11B RM 041 A1HM-S-9413A Stop Start A 653S014 CCP 1B SUPPL CLR 11B RM 041 A1HM-HS-9413B CR Local A TABLE 7.4-2 (Continued)

STPEGS UFSAR 7.4-35 Revision 16 CONTROL LOCATED ON THE TRANSFER SWITCH PANELS Device Instrument Separation (e) Item No.(a) Description(b) Tag No.c Position(d) Group Panel No. ZLP653 (Continued) 653S015 BA XFER PMP 1B SUPPL CLR 11A RM 018A A1HM-HS-9413B Stop Start A 653S016 BA XFER PMP 1B SUPPL CLR 11A RM 018A A1HM-HS-9396B CR Local A 653S017 CCW Pump 1A SUPPL CLR 11A RM 067 A1HM-HS-9409A Stop Start A 653S018 CCW Pump 1A SUPPL CLR 11A RM 067 A1HM-HS-9409B CR Local A 653S019 CVCS VLV CUB SUPPL CLR 11A RM 033 A1HM-HS-9398A Stop Start A 653S020 CVCS VLV CUB SUPPL CLR 11A RM 033 A1HM-HS-9398B CR Local A 653S021 ESSEN CHLR AREA SUPPL CLR 11A RM 067 A1HM-HS-9406A Stop Start A 653S022 ESSEN CHLR AREA SUPPL CLR 11A RM 067 A1HM-HS-9406B CR Local A 653S023 ECW TRN A SPLY ESSEN CHLR 12A A1CH-HS-9504A CR ZLP-623 A 653S024 Exhaust Air Fan 11A EAB Battery Rooms, Train A A1HE-HS-9576A Stop Start A 653S025 Exhaust Air Fan 11A EAB Battery Rooms, Train A A1HE-HS-9576B CR Local A 653S026 PENT SPC HVAC EMER AHU 11A RM 001 A1HE-HS-9752B Stop Start A STPEGS UFSAR 7.4-36 Revision 16 TABLE 7.4-2 (Continued)

CONTROL LOCATED ON THE TRANSFER SWITCH PANELS Device Instrument Separation(e) Item No.(a) Description (b) Tag No.c Position(d) Group Panel No. ZLP653 (Continued) 653S027 PENT SPC HVAC EMER AHU 11A RM 001 A1HE-HS-9752C CR Local A 653S028 CCW HX 1A Outlet Temp Control MOV-0643 A1CC-HS-0643A Jog Close Jog Open A 653S029 CCW HX 1A Outlet Temp Control MOV-0643 A1CC-HS-0643B CR Local A 653S030 CCW Pump 1A A1CC-HS-4509B Stop Start A 653S031 CCW Pump 1A A1CC-HS-4509C CR Local A 653S032 ECW Pump 1A A1EW-HS-6880A Stop Start A 653S033 ECW Pump 1A A1EW-HS-6880B CR Local A 653S034 Cent Chg Pump 1B A1CV-HS-0288B CR ASP A 653S035 Boric Acid Transfer Pump 1B A1CV-HS-0209F CR ASP A 653S036 ACC Tank 1A Disch Vlv MOV-0039A A1SI-HS-0039G CR ASP A 653S037 Power Lockout for MOV-0039A A1SI-HS-0039Q CR ASP A 653S038 SG 1A PORV Control PV-7411 A1MS-HS-7411 CR ASP A 653S039 AFW Pump 11 A1AF-HS-7506B CR ASP A STPEGS UFSAR 7.4-37 Revision 16 TABLE 7.4-2 (Continued)

CONTROL LOCATED ON THE TRANSFER SWITCH PANELS Device Instrument Separation(e) Item No.(a) Description (b) Tag No.c Position(d) Group Panel No. ZLP654 654S001 ESF Bus E1B to Xfmr E1B1 B1PK-HS-0003A Trip Close B 654S002 ESF Bus E1B to Xfmr E1B1 B1PK-HS-0003B CR Local B 654S003 ESF Bus E1B to Xfmr E1B2 B1PK-HS-0004A Trip Close B 654S004 ESF Bus E1B to Xfmr E1B2 B1PK-HS-0004B CR Local B 654S005 Exhaust Fan 028 RCB Containment Cubicle B1HC-HS-9754A Stop Start B 654S006 Exhaust Fan 028 RCB Containment Cubicle B1HC-HS-9754B CR Local B 654S009 AFW PUMP 12 Vent FAN 002 B1HC-HS-9745B Stop Start B 654S010 AFW PUMP 12 Vent FAN 002 B1HC-HS-9745A CR Local B 654S011 CCW Pump 1B SUPPL CLR 11B RM 067E B1HM-HS-9410A Stop Start B 654S012 CCW Pump 1B SUPPL CLR 11B RM 067E B1HM-HS-9410B CR Local B 654S013 RMW PMP 1B SUPPL CLR 11B RM 062 B1HM-HS-9401A Stop Start B 654S014 RMW PMP 1B SUPPL CLR 11B RM 062 B1HM-HS-9401B CR Local B 654S015 CVCS VLV CUB SUPPL CLR 11B RM 033 B1HM-HS-9399A Stop Start B 654S016 CVCS VLV CUB SUPPL CLR 11B RM 033 B1HM-HS-9399B CR Local B STPEGS UFSAR 7.4-38 Revision 16 TABLE 7.4-2 (Continued)

CONTROL LOCATED ON THE TRANSFER SWITCH PANELS Device Instrument Separation(e) Item No.(a) Description (b) Tag No.c Position(d) Group Panel No. ZLP654 (Continued) 654S017 ESSEN CHLR AREA SUPPL CLR 11B RM 067E B1HM-HS-9407A Stop Start B 654S018 ESSEN CHLR AREA SUPPL CLR 11B RM 067E B1HM-HS-9407B CR Local B 654S019 ECW TRN B SPLY ESSEN CHLR 12B B1CH-HS-9510A CR ZLP-624 B 654S020 Exh Fan 11B EAB Battery Rooms, Train B B1HE-HS-9574A Stop Start B 654S021 EXH Fan 11B EAB Btry Rooms, Train B B1HE-HS-9574B CR Local B 654S022 PENT SPC HVAC EMER AHU 11B RM 201 B1E-HS-9753B Stop Start B 654S023 PENT SPC HVAC EMER AHU 11B RM 201 B1HE-HS-9753C CR Local B 654S024 CCW HX 1B Outlet Temp Control Vlv MOV-0645 B1CC-HS-0645A Jog Close Jog Open B 654S025 CCW HX 1B Outlet Temp Control Vlv MOV-0645 B1CC-HS-0645B CR Local B 654S026 CCW Pump 1B B1CC-HS-4514B Stop Start B 654S027 CCW Pump 1B B1CC-HS-4514C CR Local B 654S028 ECW Pump 1B B1EW-HS-6885A Stop Start B 654S029 ECW Pump 1B B1EW-HS-6885B CR Local B 654S030 ACC TK 1B Disch Vlv MOV-0039B B1SI-HS-0039H CR ASP B STPEGS UFSAR 7.4-39 Revision 16 TABLE 7.4-2 (Continued)

CONTROL LOCATED ON THE TRANSFER SWITCH PANELS Device Instrument Separation(e) Item No.(a) Description (b) Tag No.c Position(d) Group Panel No. ZLP654 (Continued) 654S031 Power Lockout for MOV-0039B B1SI-HS-0039R CR ASP B 654S032 SG 1B PORV PV-7421 B1MS-HS-7421 CR ASP B 654S033 AFW Pump 12 B1AF-HS-7507B CR ASP B 654S034 Reactor M/U Wtr Pump 1B B1RM-HS-7654B Stop Start B 654S035 Reactor M/U Wtr Pump 1B B1RM-HS-7654C CR Local B 654S036 AHU AH014 Clr Fan MAB Vlv Cub RM 226 B1HM-HS-9402A Stop Start B 654S037 AHU AH014 Clr Fan MAB Vlv Cub RM 226 B1HM-HS-9402B CR Local B Panel No. ZLP655 655S001 ESF Bus E1C to Xfmr E1C1 C1PK-HS-0005A Trip Close C 655S002 ESF Bus E1C to Xfmr E1C1 C1PK-HS-0005B CR Local C 655S003 ESF Bus E1C to Xfmr E1C2 C1PK-HS-0006A Trip Close C 655S004 ESF Bus E1C to Xfmr E1C2 C1PK-HS-0006B CR Local C 655S005 Exhaust Fan 030 RCB Containment Cubicle C1HC-HS-9756A Stop Start C 655S006 Exhaust Fan 030 RCB Containment cubicle C1HC-HS-9756B CR Local C 655S007 CCP 1A SUPPL CLR 11A RM 039 C1HM-HS-9412A Stop Start C STPEGS UFSAR 7.4-40 Revision 16 TABLE 7.4-2 (Continued)

CONTROL LOCATED ON THE TRANSFER SWITCH PANELS Device Instrument Separation (e) Item No.(a) Description(b) Tag No.c Position(d) Group Panel No. ZLP655 (Continued) 655S008 CCP 1A SUPPL CLR 11A RM 039 C1HM-HS-9412B CR Local C 655S009 IVC/AFW PUMP 13 SPLY FAN 11C C1HC-HS-9746A Stop Start C 655S010 IVC/AFW PUMP 13 SPLY FAN 11C C1HC-HS-9746B CR Local C 655S011 CVCS VLV CUB SUPPL CLR 11B RM 226 C1HM-HS-9403A Stop Start C 655S012 CVCS VLV CUB SUPPL CLR 11B RM 226 C1HM-HS-9403B CR Local C 655S013 BA XFER PMP 1A SUPPL CLR 11B RM 018A C1HM-HS-9397A Stop Start C 655S014 CCW PUMP 1C SUPPL CLR 11C RM 067F C1HM-HS-9411A Stop Start C 655S015 CCW PUMP 1C SUPPL CLR 11C RM 067F C1HM-HS-9411B CR Local C 655S016 CVCS VLV CUB SUPPL CLR RM 044 C1HM-HS-9415A Stop Start C 655S017 CVCS VLV CUB SUPPL CLR RM 044 C1HM-HS-9415B CR Local C 655S018 ESSEN CHLR AREA SUPPL CLR 11C RM 067F C1HM-HS-9408A Stop Start C 655S019 ESSEN CHLR AREA SUPPL CLR 11C RM 067F C1HM-HS-9408B CR Local C STPEGS UFSAR 7.4-41 Revision 16 TABLE 7.4-2 (Continued)

CONTROL LOCATED ON THE TRANSFER SWITCH PANELS Device Instrument Separation(e) Item No.(a) Description (b) Tag No.c Position(d) Group Panel No. ZLP655 (Continued) 655S020 ECW TRN C SPLY ESSEN CHLR 12C C1CH-HS-9416A CR ZLP-625 C 655S021 Exh Fan 11C EAB Btry Rooms, Train C C1HE-HS-9572A Stop Start C 655S022 Exh Fan 11C EAB Btry Rooms, Train C C1HE-HS-9572B CR Local C 655S023 PENT SPC HVAC EMER AHU 11C RM 301 C1HE-HS-9754B Stop Start C 655S024 PENT SPC HVAC EMER AHU 11C TM 301 C1HE-HS-9754C CR Local C 655S025 CCW HX 1C Outlet Temp Cntl MOV-0647 C1CC-HS-0647A Jog Close Jog Open C 655S026 CCW HX 1C Outlet Temp Cntl MOV-0647 C1CC-HS-0647B CR Local C 655S027 CCW Pump 1C C1CC-HS-4519B Stop Start C 655S028 CCW Pump 1C C1CC-HS-4519C CR Local C 655S029 ECW Pump 1C C1EW-HS-6890A Stop Start C 655S030 ECW Pump 1C C1EW-HS-6890B CR Local C 655S031 BA XFER PMP 1A SUPPL CLR 11B RM 018A C1HM-HS-9397B CR Local C 655S032 Centrifugal Charging Pump 1A C1CV-HS-0287B CR ASP C 655S033 Boric Acid Transfer Pump 1A C1CV-HS-0209D CR ASP C STPEGS UFSAR 7.4-42 Revision 16 TABLE 7.4-2 (Continued)

CONTROL LOCATED ON THE TRANSFER SWITCH PANELS

Item No. (a) | Device Description (b) | Instrument Tag No. (c) | Position (d) | Separation Group (e)

Panel No. ZLP655 (Continued)
655S034 | ACC Tk 1C Disch Isol vlv MOV-0039C | C1SI-HS-0039I | CR ASP | C
655S035 | Power Lockout for MOV-0039C | C1SI-HS-0039S | CR ASP | C
655S036 | SG 1C PORV Cont PV-7431 | C1MS-HS-7431 | CR ASP | C
655S037 | AFW Pump 13 | C1AF-HS-7508B | CR ASP | C
655S038 | RMW PMP 1A SUPPL CLR 11A RM 062 | C1HM-HS-9400A | Stop Start | C
655S039 | RMW PMP 1A SUPPL CLR 11A RM 062 | C1HM-HS-9400B | CR Local | C
655S040 | Reactor M/U Wtr Pump 1A | C1RM-HS-7655B | Stop Start | C
655S041 | Reactor M/U Wtr Pump 1A | C1RM-HS-7655C | CR Local | C

Panel No. ZLP700
700S001 | Xfmr E1A1 to LC-E1A1 | A1PL-HS-0001A | Trip Close | A
700S002 | Xfmr E1A1 to LC-E1A1 | A1PL-HS-0001B | CR Local | A
700S003 | Xfmr E1A2 to LC-E1A2 | A1PL-HS-0002A | Trip Close | A
700S004 | Xfmr E1A2 to LC-E1A2 | A1PL-HS-0002B | CR Local | A
700S005 | Pump 11A MAB Essen Chld Wtr, Train A | A1CH-HS-9500A | Stop Start | A
700S006 | Pump 11A MAB Essen Chld Wtr, Train A | A1CH-HS-9500B | CR Local | A

TABLE 7.4-2 (Continued)

CONTROL LOCATED ON THE TRANSFER SWITCH PANELS

Item No. (a) | Device Description (b) | Instrument Tag No. (c) | Position (d) | Separation Group (e)

Panel No. ZLP700 (Continued)
700S008 | DG 11 EMER SPLY FAN 11A | A1HG-HS-9737B | Stop Start | A
700S009 | DG 11 EMER SPLY FAN 11A | A1HG-HS-9737C | CR Local | A
700S010 | EAB Return Fan 11A EAB Supply/Exhaust Train A | A1HE-HS-9337A | Stop Start | A
700S011 | EAB Return Fan 11A EAB Supply/Exhaust Train A | A1HE-HS-9337B | CR Local | A
700S012 | EAB Supply Fan 11A EAB Supply/Exhaust Train A | A1HE-HS-9350A | Stop Start | A
700S013 | EAB Supply Fan 11A EAB Supply/Exhaust Train A | A1HE-HS-9350B | CR Local | A
700S014 | RHR Pass Sample OCIV FV-2454 | A1AP-HS-2454A | Close Open | A
700S015 | RHR Pass Sample OCIV Fv-2454 | A1AP-HS-2454B | CR Local | A
700S016 | RCFC FAN 12A | A1HC-HS-9675A | Stop Start | A
700S017 | RCFC FAN 12A | A1HC-HS-9675B | CR Local | A
700S018 | RCFC FAN 11A | A1HC-HS-9666A | Stop Start | A
700S019 | RCFC FAN 11A | A1HC-HS-9666B | CR Local | A
700S020 | RHR Pump 1A | A1RH-HS-0867B | Stop Start | A
700S021 | RHR Pump 1A | A1RH-HS-0867A | CR Local | A

TABLE 7.4-2 (Continued)

CONTROL LOCATED ON THE TRANSFER SWITCH PANELS

Item No. (a) | Device Description (b) | Instrument Tag No. (c) | Position (d) | Separation Group (e)

Panel No. ZLP700 (Continued)
700S022 | RHR Pump 1A SUCT Isol Vlv | A1RH-HS-0060D | CR ASP | A
700S023 | RHR Pump 1C SUCT Isol Vlv | A1RH-HS-0061F | CR ASP | A
700S024 | Letdown Isol Vlv LCV-0465 | A1CV-HS-0465B | CR ASP | A
700S025 | Letdown Orifice Isol Vlv FV-0012 | A1CV-HS-0012B | CR | A
700S026 | Przr PORV PCV-0655A | A1RC-HS-0655C | CR ASP | A
700S027 | Przr PORV BLK Vlv MOV-0001A | A1RC-HS-0001D | CR ASP | A
700S028 | Przr HEATER Back-up Group 1A | A1RC-HS-0676H | CR ASP | A
700S029 | RVHVS Isol Vlv | A1RC-HS-3657D | CR ASP | A
700S030 | RVHVS Isol Vlv | A1RC-HS-3658D | CR ASP | A
700S031 | FWIV FV-7141/7142/7143/7144 & SG Preheater Bypass Valves FV-7189/7190/7191/7192 | A1FW-HS-7141E | CR CLOSE | A
700S032 | AFW to SG 1A Isol Vlv | A1AF-HS-0048B | CR ASP | A
700S033 | AFW to SG 1A Flow Reg Vlv FV-7525 | A1AF-HS-7525B | CR ASP | A

TABLE 7.4-2 (Continued)

CONTROL LOCATED ON THE TRANSFER SWITCH PANELS

Item No. (a) | Device Description (b) | Instrument Tag No. (c) | Position (d) | Separation Group (e)

Panel No. ZLP700 (Continued)
700S034 | Reactor Head Vent Throttle Vlv HCV-0601 | A1RC-HS-0601 | CR ASP | A

Panel No. ZLP701
701S001 | Xfmr E1B1 to LC E1B1 | B1PL-HS-0008A | Trip Close | B
701S002 | Xfmr E1B1 to LC E1B1 | B1PL-HS-0008B | CR Local | B
701S003 | Xfmr E1B2 to LC E1B2 | B1PL-HS-0009A | Trip Close | B
701S004 | Xfmr E1B2 to LC E1B2 | B1PL-HS-0009B | CR Local | B
701S005 | Pump 11B MAB Chld Wtr, Train B | B1CH-HS-9505A | Stop Start | B
701S006 | Pump 11B MAB Chld Wtr, Train B | B1CH-HS-9505B | CR Local | B
701S008 | DG 12 EMER SPLY FAN 11B | B1HG-HS-9738B | Stop Start | B
701S009 | DG 12 EMER SPLY FAN 11B | B1HG-HS-9738C | CR Local | B
701S010 | EAB Return Fan 11B EAB Sply/Exhaust, Train B | B1HE-HS-9363A | Stop Start | B
701S011 | EAB Return Fan 11B EAB Sply/Exhaust, Train B | B1HE-HS-9363B | CR Local | B
701S012 | EAB Return Fan 11B EAB Sply/Exhaust, Train B | B1HE-HS-9376A | Stop Start | B
701S013 | EAB Supply Fan 11B EAB Sply/Exhaust, Train B | B1HE-HS-9376B | CR Local | B
701S014 | RHR TRN A ISOL VLV Sample Isol Vlv FV-4458 | B1PS-HS-4458A | Close Open | B

TABLE 7.4-2 (Continued)

CONTROL LOCATED ON THE TRANSFER SWITCH PANELS

Item No. (a) | Device Description (b) | Instrument Tag No. (c) | Position (d) | Separation Group (e)

Panel No. ZLP701 (Continued)
701S015 | RHR TRN A ISOL VLV Sample Isol Vlv FV-4458 | B1PS-HS-4458B | CR Local | B
701S016 | RHR TRN B ISOL VLV Sample Isol Vlv FV-4459 | B1PS-HS-4459A | Close Open | B
701S017 | RHR TRN B ISOL VLV Sample Isol Vlv FV-4459 | B1PS-HS-4459B | CR Local | B
701S018 | RHR TRN C ISOL VLV Sample Isol Vlv FV-4460 | B1PS-HS-4460A | Close Open | B
701S019 | RHR TRN C ISOL VLV Sample Isol Vlv FV-4460 | B1PS-HS-4460B | CR Local | B
701S020 | RCS Pass Sample Inlet OCIV FV-2455 | B1AP-HS-2455A | Close Open | B
701S021 | RCS Pass Sample Inlet OCIV FV-2455 | B1AP-HS-2455B | CR Local | B
701S022 | RCFC FAN 12B | B1HC-HS-9669A | Stop Start | B
701S023 | RCFC FAN 12B | B1HC-HS-9669B | CR Local | B
701S024 | RCFC FAN 11B | B1HC-HS-9663A | Stop Start | B
701S025 | RCFC FAN 11B | B1HC-HS-9663B | CR Local | B
701S026 | RHR Pump 1B | B1RH-HS-0868B | Stop Start | B
701S027 | RHR Pump 1B | B1RH-HS-0868A | CR Local | B
701S028 | RHR Pump 1B SUCT Isol Vlv MOV-0060B | B1RH-HS-0060E | CR ASP | B

TABLE 7.4-2 (Continued)

CONTROL LOCATED ON THE TRANSFER SWITCH PANELS

Item No. (a) | Device Description (b) | Instrument Tag No. (c) | Position (d) | Separation Group (e)

Panel No. ZLP701 (Continued)
701S029 | RHR Pump 1A SUCT Isol Vlv MOV-0061A | B1RH-HS-0061D | CR ASP | B
701S030 | Przr PORV PCV-0656A | B1RH-HS-0656C | CR ASP | B
701S031 | Przr PORV BLK Vlv MOV-0001B | B1RC-HS-0001F | CR ASP | B
701S032 | RX Head Vent Throttle Valve HCV-0602 | B1RC-HS-0602 | CR ASP | B
701S033 | RVHVS Isol Vlv HV-3657B | B1RC-HS-3657F | CR ASP | B
701S034 | RVHVS Isol Vlv HV-3658B | B1RC-HS-3658F | CR ASP | B
701S035 | FWIV FV-7141/7142/7143/7144 & SG Preheater Bypass Valves FV-7189/7190/7191/7192 | B1FW-HS-7141F | CR CLOSE | B
701S037 | AFW To SG 1B OCIV MOV-0065 | B1AF-HS-0065B | CR ASP | B
701S038 | AFW to SG 1B Flow Reg Vlv FV-7524 | B1AF-HS-7524B | CR ASP | B
701S039 | RHR ICIV Prim Sample FV-4823 | B1PS-HS-4823A | Close Open | B
701S040 | RHR ICIV Prim Sample FV-4823 | B1PS-HS-4823B | CR Local | B

Panel No. ZLP709
709S001 | Xfmr E1C1 to LC E1C1 | C1PL-HS-0015A | Trip Close | C
709S002 | Xfmr E1C1 to LC E1C1 | C1PL-HS-0015B | CR Local | C

TABLE 7.4-2 (Continued)

CONTROL LOCATED ON THE TRANSFER SWITCH PANELS

Item No. (a) | Device Description (b) | Instrument Tag No. (c) | Position (d) | Separation Group (e)

Panel No. ZLP709 (Continued)
709S003 | Xfmr E1C2 to LC E1C2 | C1PL-HS-0016A | Trip Close | C
709S004 | Xfmr E1C2 to LC E1C2 | C1PL-HS-0016B | CR Local | C
709S005 | Pump PA006 MAB Essen Chld Wtr, Train C | C1CH-HS-9511A | Stop Start | C
709S006 | Pump PA006 MAB Essen Chld Wtr, Train C | C1CH-HS-9511B | CR Local | C
709S008 | DG 13 EMER SPLY FAN 11C | C1HG-HS-9739B | Stop Start | C
709S009 | DG 13 EMER SPLY FAN 11C | C1HG-HS-9739C | CR Local | C
709S010 | EAB Return Fan 11C EAB Sply/Exhaust, Train C | C1HE-HS-9369A | Stop Start | C
709S011 | EAB Return Fan 11C EAB Sply/Exhaust, Train C | C1HE-HS-9369B | CR Local | C
709S012 | EAB Supply Fan 11C EAB Sply/Exhaust, Train C | C1HE-HS-9452A | Stop Start | C
709S013 | EAB Supply Fan 11C EAB Sply/Exhaust, Train C | C1HE-HS-9452B | CR Local | C
709S014 | RCS LOOP A T(HOT) SMPL ICIV FV-4454 | C1PS-HS-4454A | Close Open | C
709S015 | RCS LOOP A T(HOT) SMPL ICIV FV-4454 | C1PS-HS-4454B | CR Local | C
709S016 | RCS LOOP C T(HOT) SMPL ICIV FV-4455 | C1PS-HS-4455A | Close Open | C

TABLE 7.4-2 (Continued)

CONTROL LOCATED ON THE TRANSFER SWITCH PANELS

Item No. (a) | Device Description (b) | Instrument Tag No. (c) | Position (d) | Separation Group (e)

Panel No. ZLP709 (Continued)
709S017 | RCS LOOP C T(HOT) SMPL ICIV FV-4455 | C1PS-HS-4455B | CR Local | C
709S018 | Pass Liq Disch to PRT OCIV FV-2458 | C1AP-HS-2458A | Close Open | C
709S019 | Pass Liq Disch to PRT OCIV FV-2458 | C1AP-HS-2458B | CR Local | C
709S020 | RCFC FAN 12C | C1HC-HS-9678A | Stop Start | C
709S021 | RCFC FAN 12C | C1HC-HS-9678B | CR Local | C
709S022 | RCFC-FAN 11C | C1HC-HS-9672A | Stop Start | C
709S023 | RCFC FAN 11C | C1HC-HS-9672B | CR Local | C
709S024 | RHR Pump 1C | C1RH-HS-0869A | Stop Start | C
709S025 | RHR Pump 1C | C1RH-HS-0869B | CR Local | C
709S026 | RHR Pump 1C Suct Isol Vlv MOV-0060C | C1RH-HS-0060F | CR ASP | C
709S027 | RHR Pump 1B Suct Isol Vlv MOV-0061B | C1RH-HS-0061E | CR ASP | C
709S028 | Letdown Isol Vlv LCV-0468 | C1CV-HS-0468B | CR ASP | C
709S029 | Letdown Orifice Isol Vlv MOV-0014 | C1CV-HS-0014B | CR ASP | C
709S030 | Letdown Orifice Isol Vlv FV-0013 | C1CV-HS-0013B | CR ASP | C
709S031 | Przr Htr Backup Group 1B | C1RC-HS-0676J | CR ASP | C

TABLE 7.4-2 (Continued)

CONTROL LOCATED ON THE TRANSFER SWITCH PANELS

Item No. (a) | Device Description (b) | Instrument Tag No. (c) | Position (d) | Separation Group (e)

Panel No. ZLP709 (Continued)
709S032 | AFW to SG 1C Isol Vlv MOV-0085 | C1AF-HS-0085B | CR ASP | C
709S033 | AFW to SG 1C Flow Reg Vlv FV-7523 | C1AF-HS-7523B | CR ASP | C
709S035 | Letdown Orifice Hdr Isol Vlv FV-0011 | C1CV-HS-0011B | CR ASP | C
709S035(f) | Letdown Orif Hdr Isol Vlv FV-0011 | C2CV-HS-0011B | CR ASP | C

a. Item No: Panel device item number as shown in Figures 7.4-8 through 7.4-13
b. Device Description: Instrument or control description
c. Instrument Tag No: Tag number as identified on Piping and Instrument Diagrams or component logic diagrams
d. Position: Switch positions
e. Separation Group: Electrical separation group (A, B, C, D & N) as identified in Section 8.3.1.4
f. Unit 2 only

==7.5 SAFETY-RELATED DISPLAY INSTRUMENTATION==

7.5.1 Post-Accident Monitoring Instrumentation

7.5.1.1 Description:

A task analysis was conducted to identify the appropriate variables and establish appropriate design bases and qualification criteria for instrumentation employed by the operator for monitoring conditions in the Reactor Coolant System (RCS), the secondary heat removal system, and the Containment, including Engineered Safety Features (ESF) and other systems normally employed for attaining and maintaining a safe shutdown condition. The instrumentation is used by the operators to monitor the South Texas Project Electric Generating Station (STPEGS) throughout various operating conditions, including anticipated operational occurrences and post-accident conditions. The analysis process ensures that the information available to the operator following an accident is derived from specially designed and qualified instrumentation installed at the plant.

7.5.1.2 Analysis: The task analysis performed in response to Regulatory Guide (RG) 1.97 is described in Appendix 7B. Table 7.5-1 provides a listing of the variables identified in the task analysis. In addition, the table includes the following information on the STPEGS instrumentation utilized for each variable: (a) instrument range; (b) type and category (per the definitions found in Appendix 7B); (c) environmental qualification; (d) seismic qualification; (e) number of channels available; (f) display device and location; (g) the schedule for implementation; (h) power supply; and (i) a statement of conformance to RG 1.97, Rev. 2, or justification for deviations.

Seismic and environmental qualifications are further discussed in Sections 3.10 and 3.11.

To assist in understanding the information provided in Table 7.5-1, the following explanation of column headings is provided:

Variable: This column contains the RG 1.97 variable as defined in Appendix 7B.

Range/Status: This column contains the range of instruments used on STPEGS for RG 1.97 purposes and a description of STPEGS indications of valve position or pump status. The ranges indicated meet or exceed the requirements described in Appendix 7B.

Type/Category: This column contains the types and categories applicable to each variable as defined in Appendix 7B.

Environmental and Seismic Qualification: This column indicates whether or not the STPEGS instrumentation is seismically or environmentally qualified. A "yes" in the Environmental Qualification column indicates that the channel is environmentally qualified to a level which meets or exceeds the requirements specified in Appendix 7B for that variable.

Number of Channels: This column contains the number of instrument channels available on STPEGS for post-accident monitoring purposes. This column does not take into account control room indication or recording capability. The number of channels available meets or exceeds the requirements in Appendix 7B, except for the cases in which justification for deviation from Appendix 7B is provided in Table 7.5-1.

Control Room Indication: This column describes the control room indication and recording capability on STPEGS for each variable. An entry of "QDPS" indicates that display of the variable is accessible on the Qualified Display Processing System (QDPS) plasma display units via a single pushbutton action. The control room indication and recording capability meets or exceeds the requirements described in Appendix 7B.

Implementation Date: This column contains the STPEGS schedule for implementing the RG.

Power Supply: This column describes the power supply which powers the STPEGS instrumentation for each variable. The power supply provided meets or exceeds the requirements described in Appendix 7B.

Emergency Operations Facility Indication: This column provides the STPEGS Emergency Operations Center (EOF) indication capability for each variable.

Technical Support Center Indication: This column provides the STPEGS Technical Support Center (TSC) indication capability for each variable.

Conformance: This column provides a statement of the conformance to RG 1.97, Revision 2 or justification for deviation.

Further information concerning conformance to RG 1.97, Rev. 2 is provided in Appendix 7B, which describes (a) the plant accident conditions under which the instrumentation must be operable; (b) the selection criteria (Type A, B, C, D, or E); (c) the qualification criteria (Category 1, 2, or 3); (d) the design criteria (number of channels, power requirements, servicing requirements, etc.); and (e) the processing and display criteria (accessibility, historical record, etc.).

The post-accident monitoring instrumentation consists of the instrumentation identified in Table 7.5-1. The display systems of the post-accident monitoring instrumentation are identified in Table 7.5-1 and are further described in the sections identified below:

1. QDPS - Section 7.5.6.
2. Emergency Response Facilities Data Acquisition and Display System (ERFDADS) - Section 7.5.7.
3. Radiation Monitoring System (RMS) - Section 11.5.

7.5.2 Reactor Trip System

Display instrumentation for monitoring during normal operation in the Reactor Trip System is discussed in Sections 7.2 and 7.7.

7.5.3 Safe Shutdown

Display instrumentation provided for monitoring safe shutdown during normal operations is discussed in Section 7.4.

Display instrumentation provided for monitoring the achievement and maintenance of cold shutdown following a safe shutdown earthquake (SSE) and loss of offsite power (LOOP) is discussed in Appendix 5.4.A.

7.5.4 Engineered Safety Features Status Monitoring System

The ESF Status Monitoring System consists of redundant logic devices that control indication lampboxes. The lampboxes are grouped by equipment train and provide the operator in the control room with ESF operating status information and bypass or inoperable status information.

The ESF status monitoring capability is provided both on a system level and on a component level.

The ESF Status Monitoring System monitors the following systems:

1. Automatically actuated ESF systems
2. Manually actuated ESF systems
3. ESF support systems

The ESF Status Monitoring System monitors the status of those ESF components which are:

1. Automatically actuated by the Engineered Safety Features Actuation System (ESFAS).
2. Active and manually actuated.
3. Certain nonactive components. These components are monitored for bypass/inoperability on the basis of their ESF function. That is, nonactive components which could defeat an ESF function by being in a certain position or state are monitored during normal plant operation for capability to allow the ESF function.

Each ESF system includes the support systems and components for its bypass/inoperable status indication so that when a support system becomes bypassed or inoperative, the ESF systems that it supports are also indicated as inoperative.

The ESF operating status monitoring function is accomplished by monitoring the status of field contacts. This subsystem provides:

1. Visual indication (through lampbox lights) that specific ESF equipment is not in its safety position after receipt of a safety actuation signal.
2. Annunciation to alert the operator that an ESF system or any of its support systems is not in its safety position after the safety actuation sequence is completed.

The bypass or inoperable status monitoring function is provided to meet the requirements of RG 1.47 and Nuclear Regulatory Commission (NRC) Branch Technical Position (BTP) ICSB 21. This bypass or inoperable status monitoring function provides:

1. Visual indication (through lampbox lights) that specific ESF equipment has been bypassed or deliberately rendered inoperable during normal plant operating modes.
2. Annunciation to alert the operator that an ESF system or any of its support systems has been bypassed or deliberately rendered inoperable during normal plant operating modes.

The bypass/inoperable status indication subsystem continuously monitors the status of field contacts and automatically indicates that a specific piece of ESF equipment has been bypassed or deliberately rendered inoperable. The following conditions (as applicable) are automatically detected for each monitored component of the ESF systems:

1. Loss of control power
2. Control handswitch in pull-to-lock position
3. Circuit breaker not in operating position
4. Control transferred from the control room to a remote panel
5. Component not in its proper aligned position

The bypass/inoperable status indication is accomplished by lighting up the component level window.

This indication also provides individual system level annunciation (within the ESF Status Monitoring item) to alert the control room operator that an ESF system has been bypassed or rendered inoperable.

In accordance with RG 1.47, bypass or inoperable status indication is provided automatically for conditions which meet all three of the following guidelines:

1. The bypass or inoperable condition affects a system that is designed to automatically perform a safety-related function.
2. The bypass is utilized by plant personnel or the inoperable condition can reasonably be expected to occur more frequently than once per year, and
3. The bypass or inoperable condition is expected to occur when the affected system is normally required to be operable.

Deliberate manual actions which render ESF-actuated components and devices inoperable (once a year or more frequently) are automatically displayed on a component level. Active components not directly actuated by ESF signal but rendered inoperative once a year or more frequently such that they compromise the safety functions of the ESF system are also automatically displayed on a component level to the control room operator.

Rendering a piece of ESF equipment inoperative through the use of features provided strictly for infrequent maintenance (less than once a year) is not automatically indicated. Such maintenance features may include manual valves provided for isolation of the equipment for repair and electrical cable connections, screw terminals, or manual disconnects. The bypass/inoperable indication of these conditions is manually initiated on an ESF system level.

The capability for initiating a manual bypass indication and alarm is provided via a system level manual bypass switch to indicate the bypass/inoperable condition to the operator for those components or conditions which are not automatically monitored.

Manual bypass/inoperable indication may be set up or removed under administrative control. The automatic indication feature of the ESF Status Monitoring System cannot be removed by operator action. Bypass and/or status indication on a system level is provided for the following safety-related systems:

1. Solid-State Protection System (SSPS) (bypass/inoperable only)
2. Safety Injection System (SIS) (including Residual Heat Removal [RHR] system components required for accident mitigation or safe shutdown)
3. Containment Spray System (CSS)
4. Containment Isolation Phase A
5. Containment Ventilation Isolation
6. Class 1E 125 vdc and 120 V Vital AC Systems
7. Containment Heat Removal System (CHRS)
8. Fuel Handling Building (FHB) Heating, Ventilating, and Air Conditioning (HVAC) Exhaust Subsystem
9. Electrical Penetration Space HVAC System
10. Control Room Envelope and Electrical Auxiliary Building (EAB) Main Area HVAC System
11. Feedwater (FW) Isolation
12. Steam Line Isolation
13. Auxiliary Feedwater System (AFWS)
14. Containment Isolation Phase B

The following support systems activate bypass indication of all supported safety systems listed above when they are bypassed or rendered inoperable:

1. Component Cooling Water System (CCWS)
2. Essential Cooling Water System (ECWS)
3. ESF Bus System (including the standby diesel generators and the ESF load sequencers)
4. Essential Chilled Water System
5. Supporting HVAC equipment
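The bypass/inoperable indication logic described in this section can be sketched as follows. This is an added example, not code from the UFSAR or the plant: it models one equipment train, uses a subset of the listed systems, and assumes constructed component tags and a per-system manual switch.

```python
from dataclasses import dataclass, field
from enum import Enum


class Condition(Enum):
    """The five automatically detected conditions listed in the text."""
    LOSS_OF_CONTROL_POWER = "loss of control power"
    PULL_TO_LOCK = "control handswitch in pull-to-lock position"
    BREAKER_NOT_OPERATING = "circuit breaker not in operating position"
    CONTROL_AT_REMOTE_PANEL = "control transferred to a remote panel"
    NOT_ALIGNED = "component not in its proper aligned position"


# A subset of the system names listed in the text, to keep the example short.
SUPPORTED = ("SIS", "CSS", "AFWS")
SUPPORT = ("CCWS", "ECWS", "ESF Bus System")


@dataclass
class Component:
    tag: str        # constructed tag, not a plant tag number
    system: str     # owning ESF system or support system
    contacts: set = field(default_factory=set)  # Conditions sensed from field contacts


@dataclass
class StatusMonitor:
    components: list
    manual: set = field(default_factory=set)  # manual bypass switches currently set

    def component_windows(self):
        """Component-level windows that are lit, with the sensed causes."""
        return {c.tag: sorted(k.value for k in c.contacts)
                for c in self.components if c.contacts}

    def _own_causes(self, system):
        causes = [f"{c.tag}: {v}" for c in self.components if c.system == system
                  for v in sorted(k.value for k in c.contacts)]
        if system in self.manual:
            causes.append("manual bypass switch")
        return causes

    def system_annunciation(self):
        """System-level indication, with support-system status propagated."""
        lit = {s: self._own_causes(s) for s in SUPPORT}
        lit = {s: causes for s, causes in lit.items() if causes}
        inherited = [f"support system {s} bypassed/inoperable" for s in lit]
        for system in SUPPORTED:
            causes = self._own_causes(system) + inherited
            if causes:
                lit[system] = causes
        return lit

    def set_manual(self, system):
        self.manual.add(system)

    def clear_manual(self, system):
        # Removes only the manual indication; automatic causes remain.
        self.manual.discard(system)


def demo():
    """Constructed scenario: one support-system pump locked out, one manual bypass."""
    pump = Component("EX-CCW-PUMP", "CCWS", {Condition.PULL_TO_LOCK})
    valve = Component("EX-AFW-VLV", "AFWS")
    monitor = StatusMonitor([pump, valve])
    monitor.set_manual("CSS")      # condition that is not automatically monitored
    before = monitor.system_annunciation()
    monitor.clear_manual("CSS")    # CSS stays lit: CCWS is still inoperable
    after = monitor.system_annunciation()
    return before, after


if __name__ == "__main__":
    for label, state in zip(("manual set", "manual cleared"), demo()):
        print(label)
        for system, causes in state.items():
            print(f"  {system}: {causes}")
```

Clearing the manual switch removes only the manual cause; every supported system stays annunciated until the support-system component's own contact clears.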

The ESF Status Monitoring System is not required to operate during or after a design basis seismic event; however, the indicator light panels are mounted on the seismically designed and qualified control benchboard, except for the manual BYP/INOP TRAINS A, B, C pushbuttons which are located on an operator console. The indicator panels are designed and have been type-tested to prove their structural integrity.

No credit is taken in the accident analyses of Chapter 15 for the operability of the ESF Status Monitoring System. The system is not designed to safety-related requirements. Interfaces with safety-grade equipment are through qualified isolation devices, in accordance with Institute of Electrical and Electronics Engineers (IEEE) 384 and RG 1.75. These isolation devices are part of the ERFDADS (Section 7.5.7).

7.5.5 This section is not used.

7.5.6 Qualified Display Processing System

7.5.6.1 Description:

The QDPS is an integrated system designed to perform the following functions:

1. Data acquisition and qualified displays for post-accident monitoring.
2. Safety grade control (and position indication, as required) of several safety-related valves.
3. Data acquisition, display, and control to address the separation requirements of the STPEGS design approach to a control room (CR) or relay room (RR) fire.
4. Steam generator (SG) narrow range water level compensation for the effect of temperature changes in the reference leg fluid.
5. Temperature averaging scheme for narrow range Thot signal per loop.

7.5.6.1.1 System Description:

The system functions are performed by several subsystems. These subsystems, though related, have sufficient independence such that the individual functions can be performed with maximum reliability and minimum unnecessary interaction between functions. A block diagram indicating the interconnections of the various QDPS subsystems, as well as interfaces with other systems, is provided in Figure 7.5.6-1.

7.5.6.1.1.1 Data Acquisition and Qualified Display for Post-Accident Monitoring: The data acquisition and qualified display function is performed by a subsystem referred to as Plant Safety Monitoring System (PSMS). It is a modular and flexible general purpose system which performs the following functions:

1. Implements qualified monitoring channels to comply with post-accident monitoring Category 1 equipment design and qualification criteria defined in Appendix 7B.
2. Provides safety grade signal processing for instrumentation to detect inadequate core cooling as defined in NUREG-0737, Item II.F.2. This includes signal processing for:
   Reactor vessel water level
   Core exit temperature
   RCS subcooling
   Refer to Appendix 7A.II.F.2 for a detailed description.
3. Isolates Class 1E and associated signals to make them available to non-Class 1E equipment, including the ERFDADS (Section 7.5.7).
4. Provides consolidated, unambiguous, human-factored displays of appropriate parameters to address the requirements of paragraph 4.20 of IEEE 279-1971. See Figure 7.5.6-2 for a schematic representation of signal processing for display consolidation.

The PSMS consists of four redundant, channelized, Class 1E data acquisition processors called remote processing units (RPUs). These RPUs send data to redundant database processing units (DPUs), which subsequently provide information to the operator via plasma display modules. A fifth, non-Class 1E RPU (RPU N) provides data acquisition for non-Class 1E signals which are needed to complete logical graphic displays. The RPUs perform the engineering unit conversion, limit checks, and isolation or buffering as required. The DPUs perform redundant sensor algorithms and auctioneering functions and then output the data base to the plasma display modules.

The plasma display modules provide graphic and alpha-numeric display pages containing comprehensive, human-engineered display information. Display page selection is performed using a function keyboard for each display module.

The variables required in the PSMS database are categorized into three types:

1. Safety grade parameters required to address post-accident and safe shutdown monitoring requirements.

2. Variables identified for monitoring the minimum functions required to achieve safe shutdown under postulated fire conditions.
3. Parameters included for display consolidation on the main control panels.

7.5.6.1.1.2 Safety Grade Control of Safety Related Valves: The safety grade valve control function is performed by a microprocessor-based control system, Eagle 21. This consists of a set of Class 1E equipment used to provide the following process control functions:

1. Closed-loop control and position indication for the SG power-operated relief valves (PORV).
2. Contact output signals for automatic control of AFW flow throttle valves within upper and lower flow limits.
3. Open-loop control and position indication for the reactor vessel head vent valves.

The SG PORV control equipment provides hardware to meet the requirements for full analog valve control including transfer, without position change, of operation from the control room to the auxiliary shutdown panel. A separate transfer switch selects the active control station. Each control loop accepts the steam line pressure, valve position, and the setpoints as input variables and outputs a 4-20 mA signal to control the valve.

Each AFW throttle valve control loop accepts an input from a flow transmitter and supplies two bistable output signals, low and high limits, to the valve controller. These signals maintain AFW flow as required by the AFW system design (Section 10.4.9 and Figure 7.3-21B).

The reactor vessel head vent control loop accepts signal inputs from a pair of manual stations, one located in the control room and the other on the auxiliary shutdown panel (ASP). A separate transfer switch for each loop selects the active manual station.

7.5.6.1.1.3 Data Acquisition, Display, and Control to Address Separation Requirements of the STPEGS Design Approach to a CR or RR Fire: Signal buffering to meet fire protection isolation and separation requirements is achieved by using microprocessor based equipment, which provides interface with the Nuclear Steam Supply System (NSSS) process protection and control cabinets.

Field inputs for variables identified for monitoring the minimum functions required to achieve safe shutdown following a CR or RR fire are routed to the QDPS auxiliary process cabinets (APCs). The signals are split into two independently buffered outputs. One of these outputs is routed to the process protection or control cabinets, and the other serves as an input to the RPU (Figure 7.5.6-3). With this configuration, the QDPS displays of these parameters are available should any failure occur in the process protection or control cabinets or input and output cabling.

7.5.6.1.1.4 Steam Generator Narrow Range Water Level Compensation and Display: The SG narrow range water level compensation system automatically compensates the SG water level signals for the effect of temperature changes in the reference leg fluid. This system serves to increase operating margin and to improve the accuracy of post-accident level indications. With reference leg temperature compensation of the SG water level signals, the required increase in the low-low SG water level reactor trip setpoint to account for reference leg heat-up following a high energy line break inside containment is minimized. The compensation system is designed to limit the reference leg heatup error to 2 percent of the level instrument span. SG water levels are displayed on the QDPS plasma displays and on main control panel indicators. For additional information, refer to Section 7.2.

7.5.6.1.1.5 Thot Temperature Averaging Scheme Display: The Thot Temperature Averaging Scheme (TAS) is used for calculating the narrow range hot leg resistance temperature detector (RTD) average temperature per loop. (This average signal replaces the signal previously derived from the hot leg bypass RTD). In addition to calculating a hot leg temperature average per loop, the three narrow range hot leg RTDs per loop are subjected to a sensor quality check that automatically rejects any failed sensor and incorporates a bias to compensate for the loss of any one sensor in a loop. Should the sensor quality check detect more than one failed sensor per loop, the protective channels that have the Thot average signal as an input must be placed in partial trip. This partial trip is indicated on the control board (Section 7.2.1.1.5).
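The averaging behaviour described in this paragraph, as an added sketch that is not the plant's algorithm or code. The page gives no failure criteria, setpoints or bias values, so the range check, the deviation-from-median check and every number below are assumptions constructed for illustration.

```python
from statistics import median

# Constructed values; the page states none of these.
VALID_RANGE_F = (530.0, 650.0)             # assumed narrow-range span, deg F
MAX_DEVIATION_F = 8.0                      # assumed allowed deviation from loop median
LOSS_BIAS_F = {0: 0.6, 1: -0.2, 2: -0.4}   # assumed bias applied when RTD i is rejected


def quality_check(readings):
    """Return the indices of the RTDs that pass the assumed quality check.

    A reading of None models an open or missing signal.
    """
    in_range = [i for i, t in enumerate(readings)
                if t is not None and VALID_RANGE_F[0] <= t <= VALID_RANGE_F[1]]
    if len(in_range) < 2:
        return in_range
    mid = median(readings[i] for i in in_range)
    return [i for i in in_range if abs(readings[i] - mid) <= MAX_DEVIATION_F]


def thot_average(readings):
    """Return (average, partial_trip, rejected) for one loop's three RTDs.

    One rejected sensor: average the remaining two and add the bias for the
    lost sensor. More than one rejected: no average, partial trip required.
    """
    if len(readings) != 3:
        raise ValueError("expected three narrow range hot leg RTD readings")
    good = quality_check(readings)
    rejected = [i for i in range(3) if i not in good]
    if len(rejected) > 1:
        return None, True, rejected
    average = sum(readings[i] for i in good) / len(good)
    if rejected:
        average += LOSS_BIAS_F[rejected[0]]
    return average, False, rejected


if __name__ == "__main__":
    # Constructed loop readings: healthy, one outlier, one open, two failed.
    for sample in ([618.0, 620.0, 622.0], [618.0, 640.0, 622.0],
                   [618.0, 620.0, None], [None, 700.0, 622.0]):
        print(sample, "->", thot_average(sample))
```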

7.5.6.1.2 Equipment Description:

The QDPS consists of the following equipment: four Class 1E APCs, two Class 1E database processing units, eight Class 1E plasma display units, three non-Class 1E demultiplexer (DMUX) units, and one non-Class 1E RPU. Refer to Figure 7.5.6-1 for system configuration.

7.5.6.1.2.1 Auxiliary Process Cabinets - The four redundant APCs comply with IEEE 279-1971. Each channelized APC contains an RPU chassis, control system chassis, signal isolation/buffering equipment, and associated DC power supplies for field inputs originating from this respective instrument channel. Data is output to the DPUs, non-Class 1E DMUX units and ERFDADS, via datalinks and individual analog signals as required. Each datalink is independently buffered such that no fault on a datalink will degrade system function beyond loss of data on that link. The APCs are located in four physically separated fire areas, such that no single fire will affect more than one APC. The APCs are powered from the four separate 120 vac vital instrument buses.

7.5.6.1.2.2 Database Processing Units - The two redundant DPUs comply with IEEE 279-1971. Each DPU contains signal processing equipment, signal isolation/buffering equipment and the DC power supply. The DPUs receive data inputs from each of the RPUs and transmit data outputs to the Class 1E plasma display units, non-Class 1E recorder DMUX, analog outputs to conventional indicators and recorders, and contact outputs to provide qualified status information and other destinations as necessary.

Each datalink is buffered such that no fault on a datalink will degrade system function beyond loss of information carried on that link. The DPUs are located in physically separated rooms with the separation group A and C APCs, and are powered by the separation group A and C 120 vac vital instrument buses, respectively. (Separation groups are discussed in Section 8.3.1.4.)

7.5.6.1.2.3 Plasma Display Units - The eight plasma display units are grouped into two redundant sets of three display units each in the CR and the two redundant display units on the ASP. The plasma display units conform to IEEE 279-1971. Each plasma display unit contains the microprocessor equipment and DC power supply necessary to receive data from each DPU and generate graphic and alpha-numeric display pages. A function keyboard attached to each display unit allows operator selection of specific display pages. One redundant set of plasma display units is powered by the separation group A 120 vac vital instrument bus and the other set by separation group C 120 vac vital instrument bus.

7.5.6.1.2.4 Demultiplexers - Two of three DMUX units are located in the CR. The third DMUX unit is located in the ASP. The DMUX units are non-Class 1E devices which provide system outputs to drive analog panel meters and recorders. The units are seismically qualified in accordance with IEEE 344-1975 such that the recorder output will remain functional following a seismic instrument bus backed up by station batteries.

7.5.6.1.2.5 Remote Processing Unit N (RPU N) - The single non-Class 1E RPU N provides data acquisition for certain non-Class 1E signals. The RPU is not required to function post-accident and is not redundant. RPU N is located in the RR (EAB E1 35 ft) and is powered from the non-Class 1E 120 vac vital instrument bus backed up by station batteries.

7.5.6.2 Analysis. Even though IEEE 279-1971 was not a design basis of the QDPS, an analysis was conducted to determine those criteria stated in the standard that were met by the system design. The following sections discuss the applicability of the QDPS to the respective sections of IEEE 279-1971. In performing this evaluation the functions performed by the QDPS are subdivided into the following subgroups: (a) steam generator water level compensation system and temperature averaging scheme (SGWLCS/TAS), (b) ESF-qualified controllers (e.g., AFW throttle valve control), (c) qualified controllers utilized for achieving a safe shutdown, and (d) post-accident monitoring displays. References to the QDPS from a system level in the succeeding discussion indicate that all QDPS subsystems meet the stated requirement. Furthermore, the applicability of the General Design Criteria (GDCs) is indicated below.

7.5.6.2.1 General Functional Requirement: This criterion only applies to the SGWLCS/TAS and the ESF-qualified controllers. Other functions do not automatically initiate appropriate protective action.

7.5.6.2.2 Single-Failure Criterion: The QDPS is designed to provide redundant instrument channels for each safety-grade function as described in Section 7.5.6.1. These redundant channels are electrically and physically independent. A single failure in the QDPS will not prevent proper response at the system level. The loss of power to any vital instrument bus will result at most in loss of display from one channel. A failure modes and effects analysis has been performed and is presented in Table 7.5-4. The design meets the requirements of GDC 21, 22, and 23.

7.5.6.2.3 Quality of Components and Modules: The QDPS meets the 99-percent-availability requirement defined in NUREG-0696, Section 1.5 under all pressure and temperature conditions exceeding cold shutdown conditions.

7.5.6.2.4 Equipment Qualification: The QDPS is seismically and environmentally qualified to IEEE 344-1975 and IEEE 323-1974, and meets the requirements of GDC 2 and 4 with the exception of RPU N which performs non-Class 1E functions. The DMUX units are seismically qualified. Equipment qualification is also discussed in Sections 3.10 and 3.11.

7.5.6.2.5 Channel Integrity: The QDPS is designed to operate during accident conditions and maintain necessary functional capability and accuracy under extremes of conditions relating to environment, energy supply, malfunctions, and accidents.

7.5.6.2.6 Channel Independence: Channels that provide signals for the same function are electrically independent and physically separated to accomplish decoupling of the effects of unsafe environmental factors, electric transients, and physical accident consequences. The system is designed to minimize the potential for interactions between channels during maintenance operations or in the event of channel malfunction. One-way datalink transmission with a time-out function on the receiving end is used throughout the system to ensure that failure of a processor or datalink in one channel will not inhibit other system functions or the display of data from the remaining channels.

The QDPS features two redundant physically separated independent trains of display. The design ensures that an initiating failure (short-circuit, fault, etc.) in either a DPU or display unit will not result in the loss of both trains of DPUs and/or display units. The design meets the requirements of GDC 22.
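The receive-side time-out described in 7.5.6.2.6, as an added sketch that is not taken from the UFSAR or from the QDPS software: each link has a receive path only, and a channel whose frames stop (or stop validating) is flagged without affecting the other channels. The frame layout, CRC-32 check, sequence check and 1.0 s time-out are assumptions made for illustration.

```python
import struct
import zlib

# Hypothetical frame layout (not the QDPS format): channel, sequence, value, CRC-32.
BODY = struct.Struct(">BHf")
CRC = struct.Struct(">I")
TIMEOUT_S = 1.0  # assumed receive time-out


def encode_frame(channel: int, seq: int, value: float) -> bytes:
    """Sender side: build one frame. Nothing is ever sent back to the sender."""
    body = BODY.pack(channel, seq & 0xFFFF, value)
    return body + CRC.pack(zlib.crc32(body))


class LinkReceiver:
    """Receive end of a single one-way datalink (no transmit path, no handshake)."""

    def __init__(self, channel: int, timeout_s: float = TIMEOUT_S):
        self.channel = channel
        self.timeout_s = timeout_s
        self.last_rx = None    # arrival time of the last accepted frame
        self.last_seq = None
        self.value = None

    def on_frame(self, raw: bytes, now: float) -> bool:
        """Accept a frame only if it is well formed; only accepted frames refresh the timer."""
        if len(raw) != BODY.size + CRC.size:
            return False
        body = raw[:BODY.size]
        (crc,) = CRC.unpack(raw[BODY.size:])
        if zlib.crc32(body) != crc:
            return False                      # corrupted in transit
        channel, seq, value = BODY.unpack(body)
        if channel != self.channel or seq == self.last_seq:
            return False                      # wrong link, or sender repeating one frame
        self.last_seq, self.value, self.last_rx = seq, value, now
        return True

    def read(self, now: float):
        """Return (value, quality); data older than the time-out is never displayed."""
        if self.last_rx is None or now - self.last_rx > self.timeout_s:
            return (None, "TIMEOUT")
        return (self.value, "GOOD")


class DisplayProcessor:
    """Builds a display page from independent links; one dead link cannot block the rest."""

    def __init__(self, channels):
        self.links = {c: LinkReceiver(c) for c in channels}

    def deliver(self, channel: int, raw: bytes, now: float) -> bool:
        link = self.links.get(channel)
        return link.on_frame(raw, now) if link else False

    def page(self, now: float):
        return {c: link.read(now) for c, link in self.links.items()}


def constructed_timeline():
    """Constructed scenario: channel 3 stops sending, channel 2 delivers a corrupted frame."""
    dp = DisplayProcessor([1, 2, 3, 4])
    for ch in (1, 2, 3, 4):
        dp.deliver(ch, encode_frame(ch, 0, 557.0), now=0.0)
    for ch in (1, 2, 4):                      # t=0.5: channel 3 processor has halted
        dp.deliver(ch, encode_frame(ch, 1, 557.5), now=0.5)
    damaged = bytearray(encode_frame(2, 2, 558.0))
    damaged[3] ^= 0xFF                        # t=1.0: bit errors on channel 2's link
    dp.deliver(2, bytes(damaged), now=1.0)
    for ch in (1, 4):
        dp.deliver(ch, encode_frame(ch, 2, 558.0), now=1.0)
    return dp.page(now=1.2), dp.page(now=1.6)


if __name__ == "__main__":
    for page in constructed_timeline():
        print(page)
```

Because the receiver never waits on or replies to the sender, a halted processor shows up only as that channel's quality changing to TIMEOUT while the remaining channels keep updating.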

7.5.6.2.7 Control and Protection System Interaction: The only subsystem that is used for both protective and control functions is SGWLCS/TAS. Furthermore, control grade signals are output from the post-accident monitoring QDPS subsystem.

In all cases the transmission of signals from the QDPS for control or use by other non-Class 1E devices is through qualified isolation devices which are part of the QDPS. Faults, such as short circuits, open circuits, ground, or the application of credible AC or DC fault potential at the output of an isolation device, will not prevent the associated protection system channel from meeting minimum performance requirements.

Noise and isolation testing are addressed in Reference 7.5-1. The tests showed that the system remained functional within its specified accuracy, and met the acceptance criteria of isolation between the Class 1E safety instrumentation and non-Class 1E instrumentation, thus fulfilling the performance demonstration option of RG 1.75 position C.4 and IEEE 384-1974. In no case was the performance of the system degraded by abnormal electrical conditions imposed on the isolated input/output field wiring. In summary, the noise, fault, surge, and radio frequency interference test program demonstrated that the system performance did not degrade even when subjected to abnormal electrical conditions which far exceed those that can be reasonably postulated.

For the cases in which digital datalinks are utilized to transmit data to non-Class 1E devices (i.e., ERFDADS, main control board DMUX, recorder DMUX, and ASP DMUX), one-way datalink transmission through qualified isolation devices is utilized. This precludes the possibility of a failure in a non-Class 1E processor or datalink resulting in the loss of a safety-related system function.

This design meets the requirements of GDC 24.

7.5.6.2.8 Derivation of System Inputs: To the maximum extent practicable, the QDPS inputs are derived from signals that are direct measures of the monitored variables.

7.5.6.2.9 Capability for Sensor Checks: The QDPS has built-in diagnostics for checking the operational availability of each system component and input sensor during reactor operation.

This is achieved by continuous scanning by microprocessor-based sensor data quality checks. A data quality is assigned to all channels of data input. The routine processes the redundant sensor inputs and, when possible, returns a group value of the valid sensors for use in the upper level displays.
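An added illustration (not from the UFSAR or the QDPS software) of the sensor data quality check described here, applied to the three-RTD Thot averaging of Section 7.5.6.1.1.5: one failed RTD is rejected and compensated, more than one forces a partial trip. The range limits, the deviation limit and the offset-based form of the bias are assumptions; the page does not give the actual criteria or bias values.

```python
from dataclasses import dataclass
from statistics import median
from typing import Optional, Sequence, Tuple

# Assumed limits for illustration only; the page gives no numeric criteria.
RTD_MIN_F, RTD_MAX_F = 530.0, 650.0   # assumed narrow-range span
DEVIATION_LIMIT_F = 6.0               # assumed max deviation from the loop median


@dataclass(frozen=True)
class LoopResult:
    t_hot_avg: Optional[float]        # group value, None when no valid value exists
    rejected: Tuple[int, ...]         # indices of RTDs given bad data quality
    partial_trip: bool                # True when more than one RTD has failed


def failed_sensors(readings: Sequence[Optional[float]]):
    """Assign data quality: reject missing, out-of-range or inconsistent RTDs."""
    bad = {i for i, r in enumerate(readings)
           if r is None or not (RTD_MIN_F <= r <= RTD_MAX_F)}
    live = [r for i, r in enumerate(readings) if i not in bad]
    if len(live) >= 2:
        mid = median(live)
        bad |= {i for i, r in enumerate(readings)
                if i not in bad and abs(r - mid) > DEVIATION_LIMIT_F}
    return sorted(bad)


class ThotAverager:
    """Per-loop average of three hot leg RTDs with rejection and bias compensation."""

    def __init__(self):
        # Each RTD's last known offset from the three-sensor average. The RTDs
        # sit at different points in the hot leg, so healthy readings differ.
        self.offsets = [0.0, 0.0, 0.0]

    def update(self, readings: Sequence[Optional[float]]) -> LoopResult:
        if len(readings) != 3:
            raise ValueError("expected three RTD readings per loop")
        bad = failed_sensors(readings)
        if len(bad) > 1:
            # More than one failed sensor: no valid average, channel to partial trip.
            return LoopResult(None, tuple(bad), True)
        if not bad:
            avg = sum(readings) / 3.0
            self.offsets = [r - avg for r in readings]   # refresh stored bias data
            return LoopResult(avg, (), False)
        # Exactly one RTD lost: remove each survivor's stored offset so the
        # two-sensor average is not skewed toward the surviving positions.
        good = [i for i in range(3) if i not in bad]
        avg = sum(readings[i] - self.offsets[i] for i in good) / len(good)
        return LoopResult(avg, tuple(bad), False)


def constructed_scenario():
    """Constructed readings in deg F: healthy scan, one RTD failed high, two lost."""
    loop = ThotAverager()
    healthy = loop.update([618.0, 620.0, 622.0])
    one_lost = loop.update([618.5, 620.5, 700.0])
    two_lost = loop.update([618.0, None, 700.0])
    return healthy, one_lost, two_lost


if __name__ == "__main__":
    for result in constructed_scenario():
        print(result)
```

In the constructed one-failure scan the uncorrected mean of the two survivors would be 619.5, while the compensated value is 620.5, which is what the three-sensor average would have read.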

7.5.6.2.10 Capability for Test and Calibration: The SGWLCS/TAS and ESF-qualified controllers have the capability for testing and calibration during reactor operation. The post-accident monitoring subsystem has the capability for checking the operational availability for each channel during reactor operation by cross checking between channels that bear a known relationship to each other. The safe shutdown qualified controllers are only required to be tested during scheduled station shutdowns. Refer to Section 7.2.2.2.3.10 for a description of the testing capabilities of the protection loops. The design meets the requirements of GDC 21.

7.5.6.2.11 Channel Bypass or Removal from Operation: The SGWLCS/TAS subsystems are designed to permit all channels, one at a time, to be maintained, tested, or calibrated during power operation with no loss of safety function. The ESF qualified controllers are designed to permit all channels, one at a time, to be maintained, tested, or calibrated during power operation. Access to the cabinets for removing channels from service is administratively controlled.

7.5.6.2.12 Operating Bypasses: There are no operating bypasses in QDPS.

7.5.6.2.13 Indication of Bypasses: If one or more channels of the ESF-qualified controllers have been deliberately rendered inoperable, this fact will be continuously indicated on the QDPS display. If one or more channels of the SGWLCS/TAS subsystem have been deliberately rendered inoperable in the QDPS hardware, the action will result in the partial trip of the respective channel.

7.5.6.2.14 Access to Means for Bypassing: The design of the QDPS allows administrative control of the means for manually bypassing channels associated with the ESF-qualified controller.

7.5.6.2.15 Multiple Setpoints: There are no multiple actuation setpoints associated with the QDPS.

7.5.6.2.16 Completion of Protective Action Once It Is Initiated: The SGWLCS subsystem of the QDPS is designed such that, once initiated, a protective action goes to completion.

7.5.6.2.17 Manual Initiation: The QDPS design includes no means for manual initiation of a protective function at the system level. System level initiation is included as part of the Reactor Trip System (RTS) and the ESFAS, with which the QDPS is integrated.

7.5.6.2.18 Access to Setpoint Adjustments, Calibration, and Test Points: The QDPS design permits access to all setpoints, data constants, and module calibration adjustments via a portable terminal which can be connected to the system through a serial port. Access to the cabinets is administratively controlled.

7.5.6.2.19 Identification of Protective Actions: Protective actions initiated wholly or in part within the QDPS (SGWLCS/TAS and ESF controllers) are indicated on the control board.

7.5.6.2.20 Information Read-Out: The QDPS is designed to provide the operator with accurate, complete, and timely display information pertinent to its own status and the status of plant variables. Through the use of cross-channel checking, the design minimizes the development of conditions which would cause meters, annunciators, recorders, alarms, etc., to give inconsistent or erroneous indications which could be confusing to the operator.

The response time of the QDPS is based upon the response time of the monitored systems and the utilization of the process variables being monitored. The design meets the requirements of GDC 13 and 19.

7.5.6.2.21 System Repair: The QDPS is designed to facilitate the recognition, location, replacement, repair, or adjustment of malfunctioning components or modules.

7.5.6.2.22 Identification: The QDPS and associated hardware have been distinctively identified as safety-related equipment.

7.5.7 Emergency Response Facilities Data Acquisition and Display System (ERFDADS)

7.5.7.1 ICS - ERFDADS Subsystem - The ERFDADS functions are performed by several subsystems. Data acquisition is provided by the ICS through distributed processing units and through high speed datalinks from QDPS (Section 7.5.6), the Meteorological System (MET), and the Radiation Monitoring System (Section 11.5). ERFDADS performs the required data processing for offsite datalinks to the NRC ERDS. ICS work stations (i.e., CRT, CPU, and keyboard) are provided in the CR, TSC, ASR, and EOF. A simplified interconnection diagram is shown in Figure 7.5.7-1.

The ERFDADS is a distributed subsystem of ICS that performs the following functions:

1. Implementation of the Safety Parameter Display System (SPDS) as described in NUREG-0696 and Supplement 1 to NUREG-0737.

2. Data acquisition and signal processing for the normal plant monitoring systems, including portions of the plant annunciator.
3. Data acquisition and signal processing for the ESF Status Monitoring System. The ESF Status Monitoring System is described in Section 7.5.4.

7.5.7.1.1 Safety Parameter Display - The SPDS, as described in NUREG-0696 and NUREG-0737 Supplement 1, is implemented via the ERFDADS. The design of the ERFDADS is integrated with the implementation of RG 1.97 (Appendix 7B) and the Control Room Design Review (CRDR) (Appendix 7A, Item I.D.1).

The ERFDADS provides plant and environmental data to aid operators and management in the CR, TSC, and EOF to respond quickly to abnormal operating conditions and mitigate the consequences of an accident. The ERFDADS functions during normal operations and emergencies to provide the following services:

1. Provide plant and environmental data required for the reactor operators to quickly assess the safety status of the plant.
2. Allow technical personnel access to comprehensive plant data, enabling them to assist operators without adding to the number of personnel in the control room.
3. Provide reliable plant data to the CR, TSC, ASR, and EOF.
4. Aid the operators in the detection of abnormal operating conditions.
5. Assist in the identification of the causes leading to any abnormalities.
6. Monitor plant response to corrective actions.
7. Provide grouping of parameters to enhance the operators' ability to assess plant status quickly without surveying all CR displays.

8. Provide human factors engineered display formats (simple and consistent display patterns and coding).
9. Provide display information on a real-time basis, along with validation of data and functional comparison capability.
10. Provide display information on a real-time basis for monitoring the RG 1.97 variables, as defined in Section 7.5.1 and Appendix 7B. These variables are utilized to monitor the critical safety functions of:

- Subcriticality
- Reactor coolant system integrity
- Reactor coolant inventory
- Reactor core cooling
- Heat sink maintenance
- Containment environment

The bases for the parameter selection are presented in Appendix 7B.

Table 7.5-1 identifies the specific parameters and indicates those available in the TSC and EOF.

7.5.7.1.2 Equipment Description

7.5.7.1.2.1 Distributed Processors - The ICS-ERFDADS subsystem consists of non-Class 1E equipment that is utilized to receive field inputs from the RG 1.97-defined analog and digital variables and other supplementary information directly from the QDPS, MET, and RMS via redundant high speed datalinks.

The ICS performs any data processing required beyond that performed by the remote data acquisition equipment. Redundant distributed processing units are provided with adequate memory capacity to support ICS data acquisition, management, and transmission functions on a real time basis.

7.5.7.1.2.2 Man/Machine Interface - ICS workstations (CRT, CPU, and keyboard) are located in the CR, TSC, ASR, and EOF to present ICS information (i.e., ERFDADS and Plant Computer) to operators and management in a concise, easily intelligible format.

The primary SPDS display page is available on all ICS workstations.

7.5.7.1.2.3 Power Supply - The ERFDADS related equipment, located within the power block including peripherals, is provided with power from a dedicated non-Class 1E uninterruptible power supply (UPS) capable of maintaining system operation for two hours. All ERFDADS equipment normal AC power to the UPS is provided from a non-Class 1E diesel generator-backed bus. The subject equipment is defined and controlled in accordance with plant procedures for the associated design documentation.

ERFDADS equipment located within the EOF, and equipment used to support communication with the EOF, is provided with reliable 120 vac power.

7.5.7.2 System Operational Requirements - The ERFDADS data channels meet the 99-percent-availability requirement defined in NUREG-0696 Section 1.5 under pressure and temperature conditions exceeding cold shutdown conditions. The SPDS system meets an 80-percent-availability requirement during plant cold shutdown conditions.

Data processing through ICS is qualitatively comparable with other Post-Accident Monitoring System, RMS, and QDPS data displayed in the CR with respect to accuracy and response time.

7.5.7.3 HVAC Support - Adequate HVAC, with sufficient reliability to support the ERFDADS availability requirements, is provided to support the equipment in the TSC computer room. ERFDADS equipment located outside the TSC computer room is designed to function in the normal design environment for the areas in which the equipment is located.

The TSC HVAC is further described in Section 9.4.1.

7.5.7.4 Analysis - The ERFDADS design ensures that any failure or malfunction of the ERFDADS equipment beyond the Class 1E isolation devices does not compromise any safety-related equipment, components, or structures.

A verification and validation plan is provided for the ERFDADS software to demonstrate conformance with the functional requirements of NUREG-0696 and NUREG-0737. This plan provides for an independent review of the system software.

Isolation and separation of Class 1E signals is provided in accordance with RG 1.75. Inputs to the ERFDADS are isolated at the exit point of the isolation devices (Figures 7.5.6-1 and 7.5.7-1).

This system is designed to meet the following criteria:

1. No single-point failure in any ERFDADS component has any effect on the plant operation. Any such failure is monitored in the CR. Redundant hardware is utilized when required to satisfy this requirement and to improve reliability.
2. Where redundant devices or assemblies are utilized, failure of one is detected and indicated to the ERF computer, and causes automatic transfer of functions to the other device or assembly without effect upon system performance.

3. On-line diagnostic routines and transmission error checking provisions in the data network and host processors aid in maintaining validity of all data interchanges and in verification of the continuous functional integrity of system equipment.

REFERENCES

Section 7.5:

7.5-1 Nasrallan, C. N., "Noise, Fault, Surge, and Radio Frequency Interference Test Report: Westinghouse Eagle-21 Digital Family as Used in QDPS, RSMS, RVLIS, and ICCM", WCAP-11340 (Proprietary) and WCAP-11341 (Nonproprietary); November 1986; submitted by letter M. R. Wisenburg, HL&P to Vincent S. Noonan, NRC; dated December 5, 1986; ST-HL-AE-1824.

7.5-2 Jaffe, D. H., "Issuance of Amendments Re: Elimination of Requirements for Hydrogen Recombiners and Hydrogen Monitors (TAC Nos. MC4229 and MC4230)," November 30, 2004 (ST-AE-NOC-04001311).

7.5-3 NRC Regulatory Issue Summary 2005-20, "Revision to guidance formerly contained in NRC Generic Letter 91-18, Information to Licensees Regarding Two NRC Inspection Manual Sections on Resolution of Degraded and Nonconforming Conditions and on Operability," September 26, 2005.

TABLE 7.5-1 POST-ACCIDENT MONITORING INSTRUMENTATION

| Variable | Range/Status | Type/Category | Sensor Qualification: Environmental | Sensor Qualification: Seismic | Number of Channels | Control Room Indication | Sensor Power Supply | EOF Indication | TSC Indication | Conformance to RG 1.97, Rev. 2 |
|---|---|---|---|---|---|---|---|---|---|---|
| RCS Pressure (Wide Range) | 0-3000 psig | A1,B1,B2,C1,C2,D2 | Yes | Yes | 1 | QDPS 1 recorded | 1E | Yes | Yes | Note b |
| RCS Wide Range Thot | 0-700 F | A1,B1,B2 | Yes | Yes | 1 per loop | QDPS 4 recorded | 1E | Yes | Yes | Conforms |
| RCS Wide Range Tcold | 0-700 F | A1,B1,B2 | Yes | Yes | 1 per loop | QDPS 4 recorded | 1E | Yes | Yes | Conforms |
| Wide Range Steam Generator Water Level | 0-100% of span | A1,B1,B2,D2 | Yes | Yes | 1 per steam generator | QDPS 4 recorded | 1E | Yes | Yes | Conforms |
| Narrow Range Steam Generator Water Level | 0-100% of span | A1,B1,B2,D2 | Yes | Yes | 4 per steam generator | QDPS 1 per SG recorded | 1E | Yes | Yes | Conforms |
| Pressurizer Water Level | 0-100% of span | A1,B1,D2 | Yes | Yes | 4 | QDPS 1 recorded | 1E | Yes | Yes | Conforms |
| Containment Pressure | -5 to 65 psig | A1,B1,B2,C1,C2,D2 | Yes | Yes | 4 | QDPS 2 recorded | 1E | Yes | Yes | Conforms |
| Steam Line Pressure | 0-1400 psig | A1,B1,D2 | Yes | Yes | 4 per loop | QDPS 1 per loop recorded | 1E | Yes | Yes | Conforms |
| Refueling Water Storage Tank Water Level | 0-550,000 gal | A1,B1,D2 | Yes | Yes | 3 | QDPS 2 meters 2 recorded | 1E | Yes | Yes | Conforms |
| Containment Water Level (Wide Range) | El. -10'-5" to El. -4'-0" | A1,B1,B2,C2,D2 | Yes | Yes | 3 | QDPS 1 recorded | 1E | Yes | Yes | Conforms (Note aa) |
| Containment Water Level (Narrow Range) | El. -16'-3" to El. -10'-9" | A1,B2,C2,D2 | Yes | Yes | 2 | QDPS 2 recorded | 1E | Yes | Yes | Conforms (Note aa) |
| Auxiliary Feedwater Storage Tank Water Level | 0-535,000 gal | A1,B1,D2 | Yes | Yes | 3 | QDPS 1 recorded | 1E | Yes | Yes | Conforms |
| Auxiliary Feedwater Flow | 0-700 gal/min | A1,B1,D2 | Yes | Yes | 1 per loop | QDPS 4 meters 4 recorded | 1E | Yes | Yes | Note o |
| High Range Containment Radiation Level | Note ii | A1,B1,B2,C2,E2 | Yes | Yes | 2 | QDPS 2 meters 2 recorded | 1E | Yes | Yes | Note s |
| Steam Generator Blowdown Radiation Level | Note ii | A1,B2,C2 | Yes | Yes | 1 per blowdown line | QDPS 4 meters 4 recorded | 1E | Yes | Yes | Conforms |
| Steam Line Radiation Level (Radioactivity Level-Vent from SG Safety Relief Valves/PORVs) | Note ii | A1,B2,C2,E2 | Yes | Yes | 1 per steam line | QDPS 4 meters 4 recorded | 1E | Yes | Yes | Conforms (Note gg) |
| Core Exit Temperature | 100-2200 F | A1,B1,C1 | Yes | Yes | 2 trains of 25 thermocouples each, equally distributed across core (in quadrants) | QDPS hottest thermocouple and average of hottest quadrant recorded | 1E | Yes | Yes | Conforms |
| RCS Subcooling | 200 F subcooling to 50 F superheat | A1,B1 | Yes | Yes | 2 | QDPS 2 recorded | 1E | Yes | Yes | Conforms |
| Neutron Flux (Extended Range) | 10^-8 to 200% Full Power | B1,D2 | Yes | Yes | 2 | QDPS 2 recorded | 1E | Yes | Yes | Note r |
| Neutron Flux Startup Rate | -1.0 to +7.0 dpm | B1,D2 | Yes | Yes | 2 | QDPS, recorded as neutron flux | 1E | Yes | Yes | Note r |
| Reactor Vessel Water Level | Upper Core Support Plate to Top of Vessel | B1,C2,D2 | Yes | Yes | 2 | QDPS 1 recorded | 1E | Yes | Yes | Conforms |
| Containment Isolation Valve Status | Open/Closed | C2,D2 | Yes | Yes | 1 per valve | 1 pair of lights per valve | 1E | Yes | Yes | Note c |
| Containment Hydrogen Concentration | 0-10% Concentration | B3,C3 | Yes | Yes | 2 | QDPS 1 recorded | 1E | Yes | Yes | Note kk |
| Control Rod Position Indication | Rods on Bottom | D3 | No | No | 1 per rod | LED | N-1E | No | No | Conforms (Note x) |
| Containment Pressure (Extended Range) | 0-180 psig | C1,C2 | Yes | Yes | 2 | QDPS 1 recorded | 1E | Yes | Yes | Conforms |
| RCS Pressure (Extended Range) | 0-3500 psig | A1,B1,C1 | Yes | Yes | 2 | QDPS 2 recorded | 1E | Yes | Yes | Note b |
| Unit Vent Radiation Level | Note a Note ii | C2,E2 | Yes | No | 1 | CRT (RMS) | N-1E | Yes | Yes | Conforms (Notes a, w) |
| Fuel Handling Bldg. Exhaust Radiation Level | Note ii | C2,E2 | Yes | Yes | 2 | QDPS 2 meters 2 recorded | 1E | Yes | Yes | Conforms |
| Site Environmental Radiation Level (Portable Monitoring) | 10^-3 to 10^4 R/hr gamma; 1 to 5 x 10^4 mR/hr beta/gamma | C3,E3 | No | No | N/A | Portable Sampling | N-1E | No | No | Conforms Note cc |
| Site Environmental Radioactive Level (Portable Monitoring) | Note dd | C3,E3 | No | No | N/A | Portable Sampling | N-1E | No | No | Conforms Note dd |
| Pressurizer PORV Status | Open/Closed | B2,D2 | Yes | Yes | 1 per valve | 1 pair of lights per valve | 1E | Yes | Yes | Conforms |
| Pressurizer PORV Block Valve Status | Open/Closed | D2 | Yes | Yes | 1 per valve | 1 pair of lights per valve | 1E | Yes | Yes | Conforms |
| Pressurizer Safety Valve Status | Open/Closed | B2,D2 | Yes | Yes | 1 per valve | 1 Alarm CRT (ERFDADS) | N-1E | Yes | Yes | Conforms |
| Pressurizer Heater Breaker Position | Open/Closed | D2 | Yes | Yes | 1 per bank | 1 pair of lights per bank | 1E | Yes | Yes | Note e |
| Pressurizer Pressure | 1700-2500 psig | D2 | Yes | Yes | 4 | QDPS 1 recorded | 1E | Yes | Yes | Conforms |
| RCP Status: Breaker Position | Open/Closed | D2 | No | No | 1 per pump | 1 pair of lights per pump | N-1E | Yes | Yes | Conforms |
| RCP Status: Motor Current | 0-600 amps | D3 | No | No | 1 per pump | 1 meter per pump | N-1E | No | No | |
| Pressurizer Spray Valve Status | Open/Closed | D2 | No | No | 1 per valve | 1 light per valve | N-1E | Yes | Yes | Conforms |
| Charging Flow | 0-500 gal/min | D2 | Yes | Yes | 1 | QDPS | 1E | Yes | Yes | Conforms |
| Letdown Flow | 0-300 gal/min | D2 | Yes | Yes | 1 | 1 meter | N-1E | Yes | Yes | Conforms |
| Volume Control Tank Water Level | 0-100% of span | D2 | Yes | Yes | 2 | 1 meter | 1E | Yes | Yes | Conforms |
| CVCS Valve Status | Open/Closed | D2 | Yes | Isolation Valves Only | 1 per valve | 1 pair of lights per valve | 1E/N-1E | Yes | Yes | Conforms (Note f) |
| Charging Pump Status | On/Off | D2 | Yes | Yes | 1 per pump | 1 pair of lights per pump | 1E | Yes | Yes | Conforms (Note f) |
| Boric Acid Transfer Pump Status | On/Off | D2 | Yes | Yes | 1 per pump | 1 pair of lights per pump | 1E | Yes | Yes | Conforms (Note f) |
| RCP Seal Injection Flow | 0-20 gal/min | D2 | Yes | Yes | 1 per loop | QDPS 4 recorded | 1E | Yes | Yes | Conforms (Note f) |
| SG Atmospheric PORV Status | 0-100% Open | D2,E2 | Yes | Yes | 1 per valve | QDPS 1 meter per valve | 1E | Yes | Yes | Conforms |
| Main Steam Line Isolation Valve Status | Open/Closed | B2,D2 | Yes | Yes | 1 per valve | 1 pair of lights per valve | 1E | Yes | Yes | Conforms (Note f) |
| Main Steam Line Isolation Bypass Valve Status | Open/Closed | B2,D2 | Yes | Yes | 1 per valve | 1 pair of lights per valve | 1E | Yes | Yes | Conforms (Note f) |
| SG Safety Valve Status | Open/Closed | D2,E2 | Yes | Yes | 1 per valve | Alarm CRT (ERFDADS) | N-1E | Yes | Yes | Conforms |
| Main Feedwater Control Valve Status | Open/Closed | D2 | Yes | Yes | 1 per valve | CRT (ERFDADS) | 1E | Yes | Yes | Conforms (Note f) |
| Main Feedwater Control Bypass Valve Status | Open/Closed | D2 | Yes | Yes | 1 per valve | CRT (ERFDADS) | 1E | Yes | Yes | Conforms (Note f) |
| Main Feedwater Isolation Valve Status | Open/Closed | D2 | Yes | Yes | 1 per valve | 1 pair of lights per valve | 1E | Yes | Yes | Conforms (Note f) |
| Main Feedwater Isolation Bypass Valve Status | Open/Closed | D2 | Yes | Yes | 1 per valve | 1 pair of lights per valve | 1E | Yes | Yes | Conforms (Note f) |
| Main Feedwater Flow | 0-5.0 x 10^6 lbs/hr | D2 | No | No | 3 per loop | QDPS 1 per loop recorded | 1E | Yes | Yes | Conforms |
| SG Blowdown Isolation Valve Status | Open/Closed | D2 | Yes | Yes | 1 per valve | 1 pair of lights per valve | 1E | Yes | Yes | Conforms (Note f) |
| SG Blowdown Sample Isolation Valve Status | Open/Closed | D2 | Yes | Yes | 1 per valve | 1 pair of lights per valve | 1E | Yes | Yes | Conforms (Note f) |
| HHSI Flow | 0-2000 gal/min | D2 | Yes | Yes | 2 per SI pump (hot leg, cold leg) | 6 meters | N-1E | Yes | Yes | Conforms (Note p) |
| LHSI Flow | 0-3500 gal/min (hot leg); 0-5000 gal/min (cold leg) | D2 | Yes | Yes | 2 per SI pump (hot leg, cold leg) | 6 meters | N-1E | Yes | Yes | Conforms (Note p) |
| ECCS Accumulator Pressure | 0-700 psig | D2 | Yes | Yes | 2 per tank | 3 meters, 1 per tank, showing 2 channels | N-1E | Yes | Yes | Note bb |
| ECCS Accumulator Isolation Valve Status | Open/Closed | D2 | Yes | Yes | 1 per valve | 1 pair of lights per valve | 1E | Yes | Yes | Conforms |
| ECCS Accumulator Tank Level | 8700-9550 gal | D3 | No | No | 2 per tank | 3 meters, 1 per tank showing 2 channels | N-1E | Yes | Yes | Note j |
| Auxiliary Feedwater Valve Status | Open/Closed | D2 | Yes | Yes | 1 per valve | 1 pair of lights per valve | 1E | Yes | Yes | Conforms (Notes f and jj) |
| Containment Spray Flow | 0-3000 gal/min | D2 | Yes | Yes | 1 per train | 3 meters | N-1E | Yes | Yes | Conforms (Note p) |
| Containment Spray System Valve Status | Open/Closed | D2 | Yes | Yes | 1 per valve | 1 pair of lights per valve | 1E | Yes | Yes | Conforms (Note f and p) |
| Containment Spray Pump Status | On/Off | D2 | Yes | Yes | 1 per pump | 1 pair of lights per pump | 1E | Yes | Yes | Conforms (Note f and p) |
| Reactor Containment Fan Cooler: Fan Status | On/Off | D2 | Yes | Yes | 1 per fan | 1 pair of lights per fan | 1E | Yes | Yes | Note m |
| Reactor Containment Fan Cooler: Differential Pressure | Alarm at low P | D3 | No | No | 1 per fan | 1 alarm per fan | N-1E | Yes | Yes | |
| CCW Pump Discharge Pressure | 0-150 psig | D2 | Yes | Yes | 1 per train | QDPS | 1E | Yes | Yes | Conforms (Note f) |
| Containment Ventilation Valve Status | Open/Closed | D2 | Yes | Yes | 1 per valve | 1 pair of lights per valve | 1E | Yes | Yes | Conforms |
| CCW Header Temperature | 50-250 F | D2 | Yes | Yes | 1 per train | QDPS | 1E | Yes | Yes | Conforms |
| CCW Surge Tank Water Level | 0-100% of span | D2 | Yes | Yes | 1 per tank compartment | QDPS | 1E | Yes | Yes | Conforms (Note f) |
| CCW Flow to ESF Components: Pump Discharge; RCFC; RHR HX | 0-20,000 gal/min; 0-2500 gal/min; 0-7000 gal/min | D2 | Yes | Yes | 1 per CCW pump discharge, 1 per ESF component | QDPS | 1E | Yes | Yes | Conforms |
| CCW Valve Status | Open/Closed | D2 | Yes | Yes | 1 per valve | 1 pair of lights per valve | 1E | Yes | Yes | Conforms (Note f) |
| ECW Flow to ESF Components: CCW Pump Cooler; CCW HX; Standby DG; 300 Ton Essential Chiller* | 0-50 gal/min; 0-18,000 gal/min; 0-1900 gal/min; 0-1300 gal/min | D2 | Yes | Yes | 1 per major ESF component | QDPS | 1E | Yes | Yes | Conforms (Note f) |
| ECW Valve Status | Open/Closed | D2 | Yes | Yes | 1 per valve | 1 pair of lights per valve or meter | 1E/N-1E | Yes | Yes | Conforms (Note f) |
| ESF Environment Temperature | Temperature above setpoint | D2 | Yes | Yes | 1 per ESF component/cubicle | 1 alarm | N-1E | Yes | Yes | Conforms (Note f and p) |
| ESF Cubicle Fan/Cooler Status | Fan Stopped/Running | D2 | Yes | Yes | 1 per fan/cooler | 1 pair of lights per item | 1E | Yes | Yes | Conforms (Note f and p) |
| Standby Power and Emergency Power Source Status | Bus Specific | D2 | Yes | Yes | 1 per bus | 1 meter or alarm for each power source | 1E/N-1E | Yes | Yes | Conforms |
| Other Safety-Related Energy Sources | Component Specific | D2 | Yes | Yes | 1 per source | 1 meter or alarm for each power source | 1E/N-1E | Yes | Yes | Conforms (Note y) |
| RHR Heat Exchanger Discharge Temperature | 50-400 F | D2 | Yes | Yes | 1 per heat exchanger | QDPS 3 recorded | 1E | Yes | Yes | Conforms (Note p) |
| RHR Flow | 0-4000 gal/min | D2 | Yes | Yes | 1 per train | QDPS 3 meters | 1E | Yes | Yes | Conforms (Note p) |
| RHR Valve Status | Open/Closed | D2 | Yes | Yes | 1 per valve | 1 pair of lights per valve | 1E | Yes | Yes | Conforms (Note f and p) |
| Reactor Trip Breaker Position | Open/Closed | D2 | Yes | Yes | 1 per breaker | QDPS, 1 pair of lights per breaker | 1E | Yes | Yes | Conforms (Note f) |
| Turbine Governor Valve Position | Open/Closed | D2 | Yes | No | 1 per valve | 1 pair of lights per valve | N-1E | Yes | Yes | Conforms (Note f, z) |
| Turbine Stop Valve Position | Open/Closed | D2 | Yes | No | 1 per valve | 1 pair of lights per valve | N-1E | Yes | Yes | Conforms (Note f, z) |
| Motor-Driven Auxiliary Feedwater Pump Status | On/Off | D2 | Yes | Yes | 1 per pump | 1 pair of lights per pump | 1E | Yes | Yes | Conforms (Note f) |
| Auxiliary Feedwater Turbine Pump Status | 0-2000 psig, Open/Closed | D2 | Yes | Yes | 1 pump discharge pressure indicator, 1 per steam inlet valve | QDPS, 1 meter, 1 pair of lights per valve | 1E | Yes | Yes | Conforms (Note f) |
| SI Pump Status | On/Off | D2 | Yes | Yes | 1 per pump | 1 pair of lights per pump | 1E | Yes | Yes | Conforms (Note f and p) |
| SI Valve Status | Open/Closed | D2 | Yes | Yes | 1 per valve | 1 pair of lights per valve | 1E | Yes | Yes | Conforms (Note f and p) |
| Emergency Ventilation Damper Position | Open/Closed | D2 | Yes | Yes | 1 per damper | 1 pair of lights per damper | 1E | Yes | Yes | Conforms (Note f) |
| Essential Cooling Water Pump Status | On/Off | D2 | Yes | Yes | 1 per pump | 1 pair of lights per pump | 1E | Yes | Yes | Conforms (Note f) |
| CCW Pump Status | On/Off | D2 | Yes | Yes | 1 per pump | 1 pair of lights per pump | 1E | Yes | Yes | Conforms (Note f) |
| RHR Pump Status | On/Off | D2 | Yes | Yes | 1 per pump | 1 pair of lights per pump | 1E | Yes | Yes | Conforms (Note f and p) |
| SI Actuation Status | On/Off | D2 | Yes | Yes | 1 per actuation train | 1 Alarm | 1E | Yes | Yes | Conforms |
| Containment Isolation Actuation Status | On/Off | D2 | Yes | Yes | 1 per actuation train | 1 Alarm | 1E | Yes | Yes | Conforms |
| Control Room Radiation Level | Note ii | E3 | No | No | 1 | CRT (RMS) | N-1E | Yes | Yes | Note l |
| | Note ii | E2 | Yes | Yes | 2 | QDPS 2 meters 2 recorded | 1E | Yes | Yes | Conforms |

* The 150 ton chillers have been abandoned with the ECW isolation valves replaced with blanks and the associated ECW flow transmitters removed.

POST-ACCIDENT MONITORING INSTRUMENTATION Sensor Qualification Control Sensor Conformance Type/ Number Room Power EOF TSC to RG 1.97, Variable Range/ Status Category Environmental Seismic of Channels Indication Supply Indication Indication Rev. 2 Access Area Radiation Note ii E3 Yes No 1 per designated area CRT (RMS) N-1E Yes Yes Note l Condenser Vacuum Pump Radiation Level Note ii C3 No No 1 CRT (RMS) N-1E Yes Yes Note n Concentration from Liquid Pathways Liquid Radwaste Note ii E2 Yes No 1 per plant CRT (RMS) N-1E Yes Yes Note t Effluent Path Flow Rate/Status Liquid Radwaste Flow 0-100% of span E3 No No 1 CRT (RMS) N-1E Yes Yes Note q Valve Status Open/Closed E2 Yes No 1 per valve 1 pair of lights per valve N-1E Yes Yes Notes q, w Unit Vent Flow 37,000-290,500 ft ³/min E2 Yes No 1 CRT (ERFDADS) N-1E Yes Yes Note w Meteorological Parameters Wind Direction Wind Speed 0-540 0-50 mph (10m) 0-100 mph (60m)

E3 No No 15 CRT (ERFDADS) N-1E Yes Yes Notes u, l Atmospheric Stability T Sigma Theta

-6 to 6 F 0-60 7.5-29 STPEGS UFSAR Revision 1 8 TABLE 7.5-1 (Continued)

POST-ACCIDENT MONITORING INSTRUMENTATION Sensor Qualification Control Sensor Conformance Type/ Number Room Power EOF TSC to RG 1.97, Variable Range/ Status Category Environmental Seismic of Channels Indication Supply Indication Indication Rev. 2 Containment Atmospheric Temperature 50-200 F D3 No No 1 1 meter N-1E No No Note i Containment Sump Water Temperature 50-400 F D3 No No 1 per RHR HX inlet CRT (ERFDADS) N-1E Yes Yes Note k Quench Tank Temperature 50-350 F D3 No No 1 1 meter N-1E No No Conforms (Note ee) Quench Tank Pressure 0-100 psig D3 No No 1 1 meter N-1E No No Conforms (Note ee) Quench Tank Water Level 0-100% of span D3 No No 1 1 meter N-1E No No Conforms (Note ee) Radioactive Liquid Tank Level 0-100% of span D3 No No 1 per tank None N-1E No No Note hh Boric Acid Tank Charging Flow ---- ---- ---- ---- ---- ---- ---- ---- ---- Note g Heat Removal by the Containment Fan Heat Removal System


---- ---- ---- ---- ---- ---- ---- ---- Note m Radioactive Gas Holdup Tank Pressure


---- ---- ---- ---- ---- ---- ---- ---- Note ff 7.5-30 Revision 1 8 TABLE 7.5-1 (Continued)

NOTES

a. To cover the required range of particulates and halogens, a combination of on-line detection and grab sample capability with onsite analysis is employed. These monitors are environmentally qualified, but not seismically qualified, since they are attached to a nonseismic system.

b. Reactor Coolant System (RCS) Pressure - one qualified channel of wide range RCS pressure and two qualified channels of extended range RCS pressure are used to monitor RCS pressure for STP.

c. Containment Isolation Valve Status - STP has identified instrumentation that is necessary to assess the process of accomplishing or maintaining critical safety functions. The critical safety functions defined are equivalent to those utilized in the Westinghouse Owners Group Emergency Response Guidelines, i.e., Subcriticality, RCS Integrity, Reactor Coolant Inventory, Reactor Core Cooling, Heat Sink Maintenance, and Containment Environment.

Containment isolation valve status is not a critical safety function. However, the Containment isolation valve positions were designated variables for monitoring the actual gross breach of the Containment and are therefore designated as Category 2.

The appurtenances and power supplies for the Containment isolation valves meet the intent of Regulatory Guide (RG) 1.97 Category 1 instrumentation. For isolation valves in series, a single indication on each valve is sufficient to satisfy the requirements when those indications are powered from different trains.

d. Deleted
e. The STP has 2 banks of pressurizer heaters normally loaded on the Class 1E emergency buses. Hence, the requirements stated in NUREG-0737, Section II.E.3.1 are met without necessitating operator action. Since the heater banks are normally loaded on emergency buses, heater breaker position was selected for determining pressurizer heater status.

f. A study performed on STP indicated that these parameters were needed in the minimum set of parameters necessary to monitor the performance of:
1. Plant safety systems employed for mitigating the consequences of an accident and subsequent plant recovery to attain a safe shutdown condition, including verification of the automatic actuation of safety systems.
2. Systems normally employed for attaining a cold shutdown condition.


g. Boric Acid Tank Charging Flow - For monitoring the performance of the Emergency Core Cooling System (ECCS), STP has designated Refueling Water Storage Tank (RWST) Level, High Head Safety Injection (HHSI) Flow, Low Head Safety Injection (LHSI) Flow, Containment Water Level, and ECCS Valve Status. Since the ECCS does not take suction from the Boric Acid Tank (BAT), the Boric Acid Charging Flow was not designated a key variable. If the operator uses the BAT for boration following an accident, normal charging flow and RCS sampling is used to demonstrate that the RCS is being borated.

h. Deleted.
i. The key STP variables for monitoring the accomplishment of Containment cooling are Containment Spray Flow, Containment Water Level (wide range), Containment Water Level (narrow range), Containment Pressure, Containment Spray System Valve Status, Containment Spray Pumps Status and Reactor Containment Building (RCB) fan cooler differential pressure/status. Immediately after Containment spray is initiated, the Containment atmosphere is saturated and the temperature is calculated from the Containment pressure.
j. The span of the installed instrument is approximately 14 inches from 39 to 64 percent of the tank volume. The two series check valves in each accumulator discharge line prevent fluid addition during operation. Accumulator isolation valve position, vent valve position and pressure (all of which are Category 2 instrumentation) provide the operator adequate information to monitor the status of the accumulators.
k. Containment sump water temperature is not required for ECCS operation or assurance that minimum net positive suction head (NPSH) requirements are met.

NPSH calculations conservatively assume saturated water is present (Section 6.2.2.3.5). Containment water level measurements indicate that a source of water is available and, as described in Note i, Containment cooling is verified by other plant parameters. Therefore this variable designation is Type D, Category 3. Should an indication of sump water temperature be desirable, the Residual Heat Removal (RHR) heat exchanger inlet temperature should be used.

l. Conforms to RG 1.97, Rev. 3.


m. Heat removal by the Containment Heat Removal System (CHRS) - Other parameters were designated as STP type D variables to demonstrate that the Containment heat removal systems are operating properly. These include the following:

Containment Spray Flow
Containment Spray System (CSS) valve status
Containment Pressure
Containment Water Level
Containment Spray Pump Status
Reactor Containment Fan Cooler (RCFC) Status
- Fan Status
- Differential Pressure

n. Condenser Vacuum Pump Radiation Monitor - This parameter is considered to be a backup variable for the measurement of secondary side radiation.

Main steam line radiation monitors are adequate to provide primary indication of this information. The condenser vacuum pumps discharge is monitored for effluent release by the unit vent radiation monitor.

o. The STP design utilizes four physically separated auxiliary feedwater lines. The four Class 1E transmitters provide the redundancy required. The required redundancy with a four-loop plant is provided by one channel per loop. Steam generator (SG) Water Level Wide Range provides a diverse backup. Total AFW flow (0-2800 gpm) is also displayed via the Qualified Display Processing System (QDPS).

p. These systems may see radiation from components in the recirculation path.
q. Effluent Path Flow Rate/Status - Variables which provide the operator with information to estimate the magnitude of release of radioactive materials through identified pathways. Valve status is the primary variable and flow rate is a backup variable.

r. Neutron Flux - No diverse variable is required since the failure of one channel will not cause the operator to violate the required safety function.


s. Two Containment high-range radiation monitors (HRRM) meet the requirements of a Type A variable.

These monitors are Class 1E, redundant, and qualified to Category 1 requirements as presented in Appendix 7B and Appendix 7A. These two qualified high-range radiation monitors also satisfy the requirements of NUREG-0737. Six non-qualified area monitors are located throughout Containment with a nominal range of 0.1 to 10,000 mR/hr that provide additional monitoring over this range. In addition, the off-scale high readings of these low-range monitors provide some information to resolve ambiguity above this range.

t. The study performed on STP indicated that these parameters were included in the minimum set of parameters necessary to monitor for release of radioactivity via liquid effluent pathways. These monitors are environmentally qualified, but not seismically qualified since they are attached to nonseismically qualified systems.
u. Meets requirements of RG 1.23. Refer to Table 2.3-23 for additional information.
v. Not used

w. These Category 2 sensors are environmentally, but not seismically qualified, since they are attached to a nonseismic system.
x. Rod position indication is provided in the Control Room (CR) via the digital rod position indication system light emitting diode (LED) display.
y. Instrument loops on Class 1E systems are qualified up to and including channel isolation devices.
z. These Category 2 sensors are environmentally and seismically qualified; however, they are installed in a nonseismic system and are therefore not listed as seismically qualified instruments. They are installed using mountings similar to those used for comparable seismically qualified equipment.

aa. A description of the Containment water level measurement design is provided in Appendix 7A, item II.F.1.

bb. The maximum pressure allowed by the Technical Specifications is between 590 and 670 psig.

The two series check valves in each accumulator discharge line prevent fluid addition to the tank during operation. The accumulator discharge valves are also locked open during operation. Hence, any malfunction of the two check valves would be immediately indicated in the CR. The accumulator is also protected by a spring-loaded safety valve with a setting of 700 psig.

CN-3123

cc. Refer to Table 12.5-1 for additional information.

dd. A scintillation-type analyzer is provided to perform I-131 equivalent analyses.

ee. Digital inputs to the Emergency Response Facilities Data Acquisition and Display System (ERFDADS) for the quench tank (pressurizer relief tank) are the following: high/low water level, high pressure, and high temperature. These digital points are available at the Emergency Operations Facility (EOF) and Technical Support Center (TSC) using ERFDADS.

ff. The STP Gaseous Waste Processing System (GWPS) does not utilize gas holdup tanks. The GWPS design description is provided in Section 11.3. This variable is not applicable to the STP design.

gg. As indicated in NUREG-0737, Item II.F.1, offline monitors are not required for pressurized water reactor secondary side safety valve and dump valve discharge lines. Main steam line radiation monitors have been provided, as indicated in this table (A1, B2, C2, E2 type and category).

hh. Indication and alarm for Liquid Waste Processing System tank levels are provided in the radwaste control room, which is located in the Mechanical Auxiliary Building, except for the Reactor Coolant Drain Tank (RCDT). Level indication and alarms for the RCDT are provided in the CR. For further information, refer to Section 11.2 and Table 11.2-5A.

ii. Ranges for these instruments are stated in Table 11.5-1 or Table 12.3.4-1.

jj. For the AFW system components included in this group, "harsh" environment qualification is only required for the AFW turbine-driven pump steam inlet valve. All other components in this group do not require "harsh" environment qualification because accident analyses do not credit them for their accident mitigation function following a high energy line break in the faulted loop IVC compartment. In addition, the instruments listed in this group are not required to monitor or provide information to the operator in the faulted loop IVC compartment. Note, the IVCs are divided into four separate cubicles (one for each train) separated by concrete structural walls. Each IVC cubicle contains the equipment associated with one safety train ensuring total train separation. A high-energy line break in one cubicle will not adversely affect equipment in the other cubicles.

kk. Per Reference 7.5-2, the hydrogen monitors can be classified as Category 3.

TABLE 7.5-4

FAILURE MODES AND EFFECTS ANALYSIS QUALIFIED DISPLAY PROCESSING SYSTEM

| Description of Component | Safety Function | Plant Operating Mode* | Failure Mode(s) | Method of Failure Detection | Failure Effect on System Safety Function Capability | General Remarks |
|---|---|---|---|---|---|---|
| Remote Processing Unit (RPU) (Typical) | 1) Receive inputs from process sensors and process protection racks; 2) Convert data to process units | 1, 2, 3, 4, and 5 | 1 & 2) Failure of signal conditioning (analog input card failure) | 1 & 2) Analog input exceeds reasonability limits. RPU "flags" data as having erroneous information. Its value is limited to the reasonability limit, and a message is provided to the display as failed channels, open signal conditioning card fuse, or signal card out of slot. | 1 & 2) None - A loss of RPU data to database processing unit (DPU) occurs. However, data from other redundant RPUs is available to plasma display unit via redundant DPUs | RPU transfers data to DPU and RPUs A&C transfer data to the Emergency Response Facilities Data Acquisition and Display System (ERFDADS) |
| DPU (NE) (Typical) | 1) Receive data from RPU; 2) Scan data for error flags; 3) Transmit data to plasma display module (PDM) | 1, 2, 3, 4, and 5 | 1, 2, & 3) Failure of input data link from RPU | 1, 2, & 3) Annunciation, error message displayed on PDM | 1, 2, & 3) None - Redundant DPU received same data via redundant data link | DPU transfers data to the Emergency Response Facilities Data Acquisition and Display System (ERFDADS) |
| DPU (NE) (Typical) | See above | 1, 2, 3, 4, and 5 | CPU Failure | See above | None - Redundant DPU updated data on PDM | |
| Plasma Display Module (NE) (Typical) | Receive data from the assigned DPU and display it on screen | 1, 2, 3, 4, and 5 | Device Failure (Blown Fuse) | Blank Screen | None - Loss of data to display module occurs. However, redundant display provided in control room | |
| Eagle 21 (NE) (Typical) | Perform Class 1E valve control | 1, 2, 3, 4, and 5 | Failure to provide valve control | Operator interface module indicates failed input or message available at plasma display | None - Redundant process components provided to required safety functions | |
| Steam Generator Level Compensation (NE) | Provides density compensation in the steam generator level signal input to the steam generator low-low level reactor trip set point | 1, 2, 3, 4, and 5 | Temperature sensor failure | Failure of one RTD per channel indicated on ERFDADS; failure of both RTDs in one channel is annunciated on the plasma display | None - Redundant sensor channels provided | |
| Channel I AC Power (Channel II, III, & IV analogous) | Provides 120 vac power to channels components | 1-6 | Loss of AC power | Analog ERF pt. to monitor voltage at distribution panel; digital under-voltage ERF pt. at distribution panel | None - Redundant channels provide system safety capability | 1) Channel I AC failure lose APC A, DPUA & PAM I CB DISPLAY. Redundant information provided by APC C, DPUC, & PAM II CB DISPLAY; 2) Channel II AC failure lose APC D only. Redundant information provided from APC A; 3) Channel III AC failure lose APC B only. Redundant information provided from APC C; 4) Channel IV AC failure lose APC C, DPUC & PAM II CB DISPLAY. Redundant information provided by APC A, DPUA, & PAM I CB DISPLAY |
| RCS Hot Leg Temperature Averaging | Provides the average narrow range hot leg temperature on signal to the reactor trip and ESF systems | 1, 2, 3, 4, and 5 | Temperature sensor failure | Failure of one RTD per loop indicated on ERFDADS; failure of two or more RTDs per loop is annunciated on the plasma display | None - Redundant sensor channels provided | |

* Plant Modes: 1. Power Operation; 2. Start-up; 3. Hot Standby; 4. Hot Shutdown; 5. Cold Shutdown; 6. Refueling

==7.6 ALL OTHER SYSTEMS REQUIRED FOR SAFETY==

===7.6.1 Instrumentation and Control Power Supply System===

7.6.1.1 Description. The Instrumentation and Control (I & C) Power Supply System consists of six inverters and six distribution panels, two each for Channels I and IV, and one each for Channels II and III. Each inverter is independently connected to one distribution panel, as shown on Figure 8.3-3 (sheet 1). The inverters provide power for the operation of the Nuclear Steam Supply System (NSSS) instrumentation and other vital instrumentation. This power is derived from the 480 V Class 1E AC Power Distribution System or the station Class 1E DC Power System, which assures continuous operation of NSSS instrumentation in the event of a loss of offsite power (LOOP). In addition to these power sources, each distribution panel may be connected to a source of regulated 120 vac power, also derived from the 480 V Class 1E AC Power Distribution System. The connection from the inverters or regulated source to Distribution Panels DP1201, DP1202, DP1203, DP1204, DP001 and DP002 is connected through a manually operated breaker located in each respective distribution panel.

For more information relative to Inspection and Enforcement (IE) Bulletin 79-27, see the response to Nuclear Regulatory Commission (NRC) Question 032.042.

7.6.1.2 Analysis. There are three independent 480 vac power sources, one serving two channels and the other two serving one channel each. There are four independent batteries, each served by two battery chargers. Each battery is connected to a bus serving the corresponding inverter(s). Failure of either the AC or DC source automatically switches the load to the alternate power source.

Each inverter is independently connected to its respective instrument distribution panel so that the loss of an inverter cannot affect more than one of the six distribution panels.

In addition, the six distribution panels are connected to backup sources of 120 vac power.

The connection from the inverters or regulated source to Distribution Panels DP1201, DP1202, DP1203, DP1204, DP001 and DP002 is connected through a manually operated breaker located in each respective distribution panel.

Loss of power to any distribution panel, as well as other bus, inverter, and charger problems, is alarmed in the control room. There are no inverter breaker controls on the control board, as no manual transfers are necessary in the event of loss of one power source.

The design is in compliance with General Design Criteria (GDC) 17, Institute of Electrical and Electronic Engineers (IEEE) Standard 308-1974, and Regulatory Guides (RG) 1.6 and 1.32. Availability of this system is continuously indicated by the operational status of the systems it serves and is verified by periodic testing performed on the systems it serves.

The inverters are only seismically qualified.

===7.6.2 Residual Heat Removal Isolation Valves===

7.6.2.1 Description. There are two motor-operated gate valves in series in each inlet line from the Reactor Coolant System (RCS) to the Residual Heat Removal System (RHRS), as shown on Figure 5.4-6. They are normally closed and are manually opened from the control room for residual heat removal (RHR) after RCS pressure and temperature are reduced to approximately 350 psig and 350°F, respectively. As shown on Figure 5.4-6 and on the control logic (Figure 7.6-2), the two valves in each RHR inlet line are powered from different Class 1E power sources. Additionally, power is locked at the motor control center (MCC) breaker for the valve closest to the RHR pump to mitigate the consequences of spurious opening of the valves during plant operation.

These valves are controlled by three RCS wide-range pressure transmitters, shown on Figure 5.1-1. The transmitters, PT-405, PT-406, and PT-407, are located outside the Containment. Conformance of the design to Containment isolation requirements is discussed in Section 6.2.4. Two additional RCS wide-range pressure transmitters, PT-403 and PT-404, are also shown on Figure 5.1-1. These transmitters are used for RCS cold overpressure mitigation (via the pressurizer power-operated relief valves (PORVs)). These two transmitters are located inside the Containment.

The signal from each transmitter controlling the RHR inlet isolation valves provides a permissive that allows valve opening below a preset pressure. The open permissive ensures that the valve is not opened when the RCS pressure plus the RHR pump discharge pressure is above the RHRS design pressure. The two valves in each RHR train receive pressure signals from different pressure transmitters, through the Engineered Safety Features (ESF) actuation train corresponding to the train of power supplied to the valve.

7.6.2.2 Analysis. The applicable requirements of IEEE 308-1974 are applied to the electrical power supply for the RHRS pump motors and to the I&C for the motor-operated RHR inlet isolation valves. Based on the scope definitions presented in IEEE 279-1971 and 338-1971, these criteria do not apply to the RHR isolation valve interlocks; however, in order to meet Nuclear Regulatory Commission (NRC) requirements and because of the possible severity of the consequences of loss of function, the requirements of IEEE 279-1971 are applied with the following comments:

1. For the purpose of applying IEEE 279-1971 to this circuit, the following definitions are used.

a. Protection System

The two valves in series in each line and the components of their interlocking circuits.

b. Protective Action

To Assure Operability of One RHRS Train

For assured plant cooldown, the protective action is the removal of the RHRS interlock when RCS pressure is below a preset pressure.

2. IEEE 279-1971, Paragraph 4.10: The above mentioned pressure interlock signals and logic are testable on-line to the maximum extent possible without adversely affecting safety. This test includes the analog signal through to the associated output bistables in the process equipment. This is done in the best interest of safety since opening the valve at power could potentially leave only one remaining valve to isolate the low-pressure RHRS from the RCS. The pressure interlock signals and logic to the valves are tested routinely when the reactor is shut down. This test verifies the protective action and assures functionality of the interlock for each RHRS train.

Since the two valves in each RHR train are powered by separate power trains and actuated by separated actuation trains, no single failure can compromise the required RHR functions. Operability for assured plant cooldown is assured because a failure in any one actuation or power train isolates only two trains, leaving the third train still operable. Interlock diversity is provided as approved in License Amendments 194/182.

The interlock system meets the appropriate qualification standards, as discussed in Sections 3.10 and 3.11.

===7.6.3 Accumulator Motor-Operated Valves===

In considering that the requirements of IEEE 279-1971 apply to protective actions at both the channel level and system level, it is noted that for the accumulator isolation valves, the basis for control and proper functions is administrative control and passivity; the scope of IEEE 279-1971 covering protective action at the system level does not apply, although there is a requirement for protective action at the channel level. The interlock control features of the accumulator isolation valves at the channel level function in a confirmatory manner, and the requirements of IEEE 279-1971 are applied with the following comments:

1. When the pressurizer pressure is above or below the P-11 setpoint (approximately 1,900 psi), there are redundant interlock signals generated that are derived by sensors processed through circuitry designed to IEEE 279-1971 requirements in the analog process control racks and distributed as binary input (voltage/no voltage) signals to the Solid-State Protection System (SSPS) cabinets. Here they become logic signals that produce contact-available outputs from the safeguards cabinets. Signals are generated from each cabinet when two out of three of the pressurizer pressure channels indicate a pressure above or below 1,900 psi, as shown on Figure 7.2-6. When the pressure is above this setpoint, signals are sent to the accumulator isolation valves to automatically open them.

2. In addition to the above signal, which is utilized as part of the interlock control features for the accumulator isolation valves, each safeguards cabinet produces a safety injection (SI) signal which is also utilized in the control features for these valves.
3. The interlocks for the accumulator motor-operated valves meet the appropriate qualification standards (IEEE 323 and 382), as discussed in Section 3.11.

The design of the interconnection of these signals to the accumulator isolation valve meets the following criteria established in previous NRC positions (BTP ICSB 4) on this matter:

1. Automatic opening of the accumulator valves when (1) the primary coolant system pressure exceeds a preselected value specified in the Technical Specifications or (2) an SI signal has been initiated. Both signals are provided to the valves.


2. Utilization of an SI signal to automatically remove (override) any bypass features that are provided to allow an isolation valve to be closed for short periods of time when the RCS is at pressure. As a result of the confirmatory SI signal, isolation of an accumulator with the reactor at pressure is acceptable.

The control circuit for these valves is shown on Figure 7.6-3. The valves and control circuits are further discussed in Sections 6.3.2 and 6.3.5.

The Safety Injection System (SIS) accumulator discharge isolation valves are motor-operated, normally open valves and are controlled from the main control board.

These valves are interlocked such that:

1. They open automatically upon receipt of an SI signal with the main control board switch in either the AUTO or CLOSE position.
2. They open automatically whenever the RCS pressure is above the SI unblock pressure (P-11) only when the main control board switch is in the AUTO position.

3. They cannot be closed as long as an SI signal is present.

The main control board switches for these valves are three position switches which provide a "spring return to Auto" from the open position and a "maintain position" for the closed position.

The "maintain closed" position is required to provide an administratively controlled manual block of the automatic opening of the valve at pressure above the SI unblock pressure (P-11). The manual block or "maintain closed" position is required when performing periodic check valve leakage tests when the reactor is at pressure and at hot standby. The valve is closed from the control board by placing it in the "maintain closed" position. As part of the check valve leakage test when reactor pressure is above SI unblock pressure, the automatic open-upon-pressure interlock is tested at the main control board by use of the valve indication lights. Administrative control is required to ensure that any accumulator valve that has been closed at pressures above the SI unblock pressure is returned to the AUTO position. Verification that the valve automatically returns to its normal full-open position is also required.
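The three interlock rules and the switch behaviour described above can be checked exhaustively with a small model. This is an added illustration, not plant logic or code from the UFSAR; the function names, the constructed sample pressures, the treatment of the OPEN position as a manual open demand, and the hold-position behaviour in AUTO below P-11 are assumptions.

```python
"""Illustrative model of the accumulator discharge isolation valve interlocks."""
from enum import Enum
from itertools import product

P11_SETPOINT_PSI = 1900  # approximate P-11 setpoint quoted in the text


class Switch(Enum):
    OPEN = "OPEN"    # spring return to AUTO
    AUTO = "AUTO"
    CLOSE = "CLOSE"  # maintained position ("maintain closed")


def p11_above(channels_psi):
    """Two-out-of-three vote on the pressurizer pressure channels.

    Assumption: a reading exactly at the setpoint counts as not above it.
    """
    if len(channels_psi) != 3:
        raise ValueError("expected three pressurizer pressure channels")
    return sum(p > P11_SETPOINT_PSI for p in channels_psi) >= 2


def next_position(valve_open, switch, si_signal, channels_psi):
    """Return True if the valve is open after the interlocks act."""
    if si_signal:
        # Rule 1: SI opens the valve with the switch in AUTO or CLOSE.
        # Rule 3: the valve cannot be closed while SI is present.
        # Assumption: the OPEN position also leaves the valve open.
        return True
    if switch is Switch.OPEN:
        return True  # assumption: OPEN is a manual open demand
    if switch is Switch.AUTO:
        if p11_above(channels_psi):
            return True  # Rule 2: automatic open above P-11, AUTO only
        return valve_open  # assumption: no automatic demand, hold position
    # Switch.CLOSE without SI: the administratively controlled manual block.
    return False


# Constructed sample readings: each channel either below or above the setpoint.
SAMPLE_READINGS = list(product((1850, 1950), repeat=3))


def all_states():
    """Every combination of prior position, switch, SI and channel readings."""
    return product((False, True), Switch, (False, True), SAMPLE_READINGS)


def si_always_opens():
    """Property: with SI present the valve ends open in every state."""
    return all(next_position(v, s, si, c) for v, s, si, c in all_states() if si)


def closed_above_p11():
    """Switch/SI combinations that leave the valve closed above P-11."""
    return {
        (s.name, si)
        for v, s, si, c in all_states()
        if p11_above(c) and not next_position(v, s, si, c)
    }


if __name__ == "__main__":
    print("SI always opens the valve:", si_always_opens())
    print("Closed above P-11 only when:", closed_above_p11())
```

The only state the model leaves closed above P-11 is the "maintain closed" switch position with no SI signal, which is the condition the text places under administrative control.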

These normally open motor-operated valves have ESF monitoring alarms indicating a mispositioning with regard to their emergency core cooling function. In addition, an annunciator system, as discussed in Section 6.3.5.5.1, is provided to alert the operator when an accumulator discharge isolation valve is closed when the RCS pressure is above the P-11 setpoint.

When the reactor is at power, except during the tests described above, these valves are open and power to the valve operator is locked out. During plant shutdown, the accumulator valves are in a closed position. To prevent an inadvertent opening of these valves during that period, the accumulator valve breakers should be opened. Refer to Section 6.3.5.5.1 for discussion on power lockout for these valves. Administrative control is again required to ensure that these valve breakers are closed during the prestartup procedures.


7.6.4 Switchover From Injection To Recirculation

The automatic signal for switchover to recirculation from the injection phase during a Loss-of-Coolant Accident (LOCA) is derived from the Refueling Water Storage Tank (RWST) low-low level signal coincident with the latched SI signals. This signal is provided by the SSPS. The functional logic diagram showing this feature is presented in Figure 7.6-9. Open-closed status lights are provided on the main control board for each miniflow valve, Containment sump isolation valve, and RWST isolation valves.

The automatic switchover signal actuates the following Emergency Core Cooling System (ECCS) components:

1. Close the high head and the low head SI pumps miniflow motor-operated valves (MOV) when the automatic signal is generated and the Main Control Board (MCB) manual switches for the miniflow MOVs are in the automatic position. Refer to Figure 7.6-4 for the logic diagram.

2. Open the Containment sump isolation MOVs when the automatic signal is generated and the appropriate signals showing closure of the miniflow valves are received. Refer to Figure 7.6-5 for the logic diagram.

3. Initiate alarm in the main control room to notify the operator that switchover has commenced.

Further information regarding the switchover from the injection mode to the recirculation mode is given in Section 6.3.2.8. Also, during on-line test of the automatic recirculation switchover signal, the test switchover signal is blocked as long as the RWST isolation valve is open. Interlocking between testing and closure of the RWST isolation valve (XSI0001 A, B and C) is provided in the Safeguards Test Cabinets.

Additionally, the SIS includes an interlock which prevents the RWST isolation valves from being opened when the MCB manual switch is turned by operator action to open unless the corresponding sump isolation valve is closed (Figure 7.6-6).

7.6.4.1 Analysis of Switchover to Recirculation from Injection Phase During LOCA. This automatic feature assures that minimal operator action is required for 5.5 hours after an accident. This is further discussed in Section 6.3.2.8. Functionally, the switchover to recirculation from injection phase after LOCA, as well as redundancy and compliance with the single failure criteria, is similar to Westinghouse standard two-train plants. In the translation of these functions into hardware there are some differences. Reliability goals of these functions are consistent with those of the standard two-train plants which have been previously reviewed. Although the recirculation switchover is automatic, there is a minimum of operator attention required as noted in Table 6.3-7.

The interlock provides for retention of the SI signal, should one be generated, that allows for the automatic switchover. In the automatic switchover circuit, the SI signal is individually sealed in (latched), so that loss of the SI actuation signal will not cause the automatic switchover circuit to return to the condition held prior to the advent of the SI actuation signal. The SI signal is maintained by the contact of a slave relay in the SSPS output cabinet that closes on SI and remains closed until manually reset from the control room. The manual reset switch is separate from the main SI reset switch, which is not associated with this circuit. This switchover reset switch permits the operator to remove the actuation signal if the sump isolation valve must be closed and retained in a closed position following an accident; e.g., for maintenance purposes.

7.6.5 Monitoring Combustible Gas in the Containment

7.6.5.1 Description. Two independent, redundant systems for Containment hydrogen monitoring are provided. The design of these systems follows, as applicable, the requirements for safety-related protective systems and meets the requirements of IEEE 279. The analyzers are seismically and environmentally qualified, as discussed in Sections 3.10 and 3.11. The analyzers are designed to operate at Containment pressures from -2 to 60 psig.

Isolation valves are provided on both sides of the Containment for the Containment gas sample lines (Figure 7.6-7). Valve control switches are provided in the main control room.

There are four operator-selectable sampling points for each sampling and analysis system. The four points are located as follows:

1. Top of the Containment dome - El. 225'/AZ 180 (AZ 0)

2. Above a steam generator - El. 83'/SG 1D Area (SG 1C Area)

3. In the steam generator compartment - El. 44'/SG 1D Area (SG 1D Area)

4. In the steam generator compartment - El. 44'/SG 1A Area (SG 1B Area)

( ) Indicates redundant system location information

The operator may select any of the sampling points from the main control room.

Sampling lines are heat traced (outside Containment only) and free of water traps (runs where liquid could accumulate) and have a sampling conditioning system. The analyzer effluent is returned to the Containment. The sample conditioning system maintains a constant sample and reference gas flow, as required.

The output signal of each analyzer is indicated at the locally mounted analyzer and is indicated, recorded, and alarmed in the main control room. Both channels provide indication in the main control room via the Qualified Display Processing System (QDPS), and one channel is recorded as part of the Post-Accident Monitoring System (PAMS) discussed in Section 7.5.1.

The operation of the hydrogen gas analyzer is based on the measurement of thermal conductivity of the gaseous Containment atmosphere sample. The thermal conductivity of the gas mixtures changes proportionally to the changes in the concentration of the individual gas constituents of the mixture.

The thermal conductivity of hydrogen is far greater (approximately seven times the thermal conductivity of air) than any other gases or vapors expected to be present. The analyzers have a range of 0-to-10-volume-percent H2 and a minimum accuracy of 5 percent of range. The performance of the hydrogen gas analyzer is periodically verified with a known sample of reference gas.

Each system is supplied electrical power from a separate Class 1E power supply.

7.6.5.2 Analysis. The Containment Hydrogen Monitoring System satisfies the single failure criterion and remains operable after postulated accidents. Any single failure in one hydrogen monitoring system does not affect its redundant and independent counterpart.

7.6.6 Other Systems

7.6.6.1 Cold Water Slug Injection. Cold water slug injection interlocks are not required since South Texas Project Electric Generating Station (STPEGS) does not utilize RCS loop isolation valves.

7.6.6.2 Refueling Interlocks. Refueling interlocks are discussed in Section 9.1.4.3.

7.6.6.3 Interlocks for RCS Pressure Control During Low Temperature Operation. The overall Pressurizer Pressure Relief System (PPRS) logic is indicated on Figures 7.2-17A and 7.2-17B. This system includes the interlocks for RCS pressure control during low temperature operation as well as narrow range pressurizer pressure inputs. The PPRS provides the following:

1. Capability for RCS depressurization following Conditions II, III, and IV events, as well as
2. Capability for RCS overpressure mitigation during cold shutdown, heatup, and cooldown operations to minimize the potential for impairing reactor vessel integrity when operating at or near the vessel ductility limits.

The basic function of the RCS pressure control during low temperature operation is discussed in Section 5.2.2.11. As noted in Section 5.2.2.11, this pressure control includes automatic actuation for two pressurizer power-operated relief valves (PORVs). The function of the actuation logic is to continuously monitor RCS temperature and pressure conditions, with the actuation logic for each valve being manually armed when plant operation is at low temperatures. The monitored system temperature signals are processed to generate the reference pressure limit that is compared to monitored pressure, providing an actuation signal to cause the PORV to automatically open if necessary to prevent pressure conditions from exceeding allowable limits. See Figures 7.2-17A and 7.2-17B for the functional diagrams showing the interlocks for RCS pressure control during low temperature operation.

As shown on Figures 7.2-17A and 7.2-17B, the station variables required for this interlock are channelized as follows:

1. Protection Set II
a. Wide-range RCS temperature from hot legs
b. Wide-range RCS pressure (PT 403)

2. Protection Set III
a. Wide-range RCS temperature from cold legs
b. Wide-range RCS system pressure (PT 404)

The wide-range temperature signals, as inputs to Protection Sets II and III, continuously monitor RCS temperature conditions. In Protection Set II, the RCS hot leg wide range temperature channels send a continuous analog input to a low auctioneering device, which is located in the Protection Set II cabinet.

The lowest temperature value is selected and sent to a function generator in the same protection set which generates the allowable reference pressure signal as a function of this value. Also available from Protection Set II is the wide-range RCS pressure signal which is sent to this protection set. The reference allowable pressure from the function generator is compared to the actual RCS pressure monitored by the wide range pressure channel. The error signal derived from the difference between the reference pressure and the actual measured pressure first annunciates a main control board alarm whenever the actual measured pressure approaches, within a predetermined amount, the reference pressure. On a further increase in actual pressure, the error signal generates an annunciated actuation signal to open PORV "A", if the corresponding actuation logic is armed. The actuation signal is manually disarmed (blocked) at temperatures above the arming point. This prevents unnecessary system actuation when at normal RCS operating conditions. The monitored generating station variables that generate the actuation signal for the "B" PORV are processed in a similar manner. In the case of PORV "B", the reference allowable pressure signal is generated in the Protection Set III cabinet from the lowest auctioneered wide range cold leg temperature in Protection Set III. The actual measured pressure signal is also from Protection Set III. Therefore, the generating station variables and actuation signal for PORV "B" are derived from a protection set that is independent of the set from which generating station variables used for PORV "A" are derived. Upon receipt of the actuation signal, the PORV opens. Upon sufficient RCS inventory letdown, the operating RCS pressure decreases, clearing the actuation signal and closing the PORV.
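The signal path described above for one train (low auctioneering, function generator, comparison with measured pressure, alarm, and open demand gated by the ARM/BLOCK switch) can be sketched as follows. This is an added example, not taken from the UFSAR or from plant design documents; the curve breakpoints, alarm margin, units and sample readings are constructed placeholders, not plant setpoints.

```python
"""Sketch of the low-temperature RCS pressure control interlock, two trains.

All numeric values (curve breakpoints, alarm margin, sample readings) are
constructed for illustration; they are not STPEGS setpoints.
"""
from bisect import bisect_right
from dataclasses import dataclass

# Hypothetical function-generator curve: (lowest RCS temperature in degF,
# allowable reference pressure in psig), piecewise linear between breakpoints.
REFERENCE_CURVE = [(70.0, 450.0), (150.0, 500.0), (250.0, 700.0), (350.0, 1200.0)]
ALARM_MARGIN_PSI = 50.0  # hypothetical "predetermined amount" for the approach alarm


def auctioneer_low(temperatures):
    """Low auctioneering device: pass on the lowest channel reading."""
    if not temperatures:
        raise ValueError("no wide-range temperature channel available")
    return min(temperatures)


def reference_pressure(temp_f, curve=REFERENCE_CURVE):
    """Function generator: interpolate the allowable pressure for temp_f.

    Readings outside the curve are clamped to its end points, so with this
    rising curve a failed-low temperature channel gives the lowest limit.
    """
    temps = [t for t, _ in curve]
    if temp_f <= temps[0]:
        return curve[0][1]
    if temp_f >= temps[-1]:
        return curve[-1][1]
    i = bisect_right(temps, temp_f)
    (t0, p0), (t1, p1) = curve[i - 1], curve[i]
    return p0 + (p1 - p0) * (temp_f - t0) / (t1 - t0)


@dataclass
class TrainOutput:
    lowest_temp_f: float
    reference_psig: float
    approach_alarm: bool    # measured pressure within the margin of the limit
    bistable_tripped: bool  # measured pressure at or above the limit
    porv_open_demand: bool  # tripped bistable AND ARM/BLOCK switch in ARM


def evaluate_train(temps_f, pressure_psig, armed):
    """One train: auctioneer, generate the limit, compare, gate on arming."""
    low = auctioneer_low(temps_f)
    ref = reference_pressure(low)
    error = ref - pressure_psig  # positive while pressure is below the limit
    tripped = error <= 0.0
    return TrainOutput(low, ref, error <= ALARM_MARGIN_PSI, tripped, tripped and armed)


def protective_action(train_a, train_b):
    """Either PORV alone accomplishes the pressure control function."""
    return train_a.porv_open_demand or train_b.porv_open_demand


if __name__ == "__main__":
    hot_legs = [120.0, 118.0, 125.0, 122.0]   # constructed Protection Set II inputs
    cold_legs = [115.0, 117.0, 116.0, 119.0]  # constructed Protection Set III inputs
    # Constructed single failure: the Train A pressure channel reads 0 psig
    # while the Train B channel sees the real 520 psig transient.
    a = evaluate_train(hot_legs, 0.0, armed=True)
    b = evaluate_train(cold_legs, 520.0, armed=True)
    print("Train A:", a)
    print("Train B:", b)
    print("Protective action taken:", protective_action(a, b))
```

With the switch in BLOCK the comparison still trips the bistable, which is what allows the on-line test described later in this section to exercise the logic without opening a PORV.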

Analysis of Interlock

The interlocks for RCS pressure control during low temperature operation meet the applicable design requirements (NRC Branch Technical Position RSB 5-2, IEEE 279-1971, and 338-1971). They perform a protective function and provide automatic pressure control at low temperatures as a backup to the operator. The IEEE 279 design requirements are met by including the pressure and temperature signal elements as noted above in the protection sets and by organizing the control of the two PORVs into two separate trains. Either of the two PORVs can accomplish the RCS pressure control function.

The design of the low temperature interlocks for RCS pressure control is such that pertinent features include the following:

1. No credible single failure will prevent the protective function from being performed, since two PORVs and two actuation logics are provided.

2. Testing capability for elements of the interlocks within the protection system is consistent with the testing principles and methods discussed in Section 7.2.2.2.3.10. Each of the PORVs is testable on line.
3. Annunciation is provided to alarm (1) that plant conditions during cooldown are correct for system arming (low auctioneered temperature is low); (2) that a pressure transient has occurred (actual RCS pressure is higher than the allowable reference pressure); (3) that either PORV "A" or PORV "B" has received an actuation signal; and (4) that either PORV block valve is not fully open.
4. A loss of offsite power (LOOP) will not defeat the provisions for an electrical power source for the interlocks because these provisions are through onsite power which is described in Sections 7.6.1 and 8.3.

The pressurizer PORV control design meets the applicable requirements of IEEE 279-1971 with the following clarifications:

1. For the purpose of applying IEEE 279-1971 to this circuit, the following definitions are used:

a. Modified Cold Shutdown Design

The PORV in each of the redundant lines and all components of the interlocks for RCS pressure control during low temperature operation. The equipment for one redundant line is defined as the Train A (Channel II) system; the equipment for the other line is defined as the Train B (Channel III) system.

b. Protective Action

The automatic control of RCS pressure during low temperature operation to prevent the actual pressure from exceeding the calculated reference pressure limit. This protective action can be satisfied by either train of the redundant system, the Train A (Channel II) system or the Train B (Channel III) system.

2. IEEE 279-1971, Paragraph 4.2

Any single random failure within the Train A (Channel II) system or the Train B (Channel III) system will not prevent protective action at the system level when required.

3. IEEE 279-1971, Paragraph 4.10

The above mentioned pressure interlock signals and logic are tested on-line at power while the control room manually operated ARM/BLOCK switches are in the block position. This online testing is done to the maximum extent practicable without adversely affecting safety. This test includes the analog signal through to the associated output bistables in the process equipment. There is no practicable design which permits an integrated on-line test through to the final openings of the PORVs. Furthermore, the valves themselves are testable routinely when the reactor is shut down and the probability is low that the equipment would fail to actuate on demand between tests.

4. IEEE Standard 279-1971, Paragraph 4.12

The protection action is manually blocked by the operator, using the ARM/BLOCK switch, by placing it in the BLOCK position when the plant is at temperatures greater than the range of concern for RCS low temperature operation. The operator is alerted that the system should be alarmed by the annunciators described above.

7.6.6.4 RHR Pump Low Flow Interlock. The RHR pump low flow interlock stops a running RHR pump when the discharge flow is below a preset value. The interlock protects the RHR pump, so that it does not operate under low flow conditions; e.g., after RHR inlet isolation valve closure. The interlock does not perform a primary protective function.

To improve operability and reliability, the RHR pump low flow interlock signal for each pump is channelized in independent redundant protection sets. RHR pump A is powered from a Train A Class 1E power source and receives its interlock signal from the Protection Set I flow transmitter for its discharge line, via actuation Train A of the SSPS. Similarly, RHR pump B is Train-B-powered and receives its signal from Protection Set III via actuation Train B, and pump C is Train-C-powered and receives its signal from Protection Set IV via actuation Train C.

A single failure of the RHR pump Low Flow Interlock will only affect one train as discussed in Section 7.6.2.5 of Reference 7.6-1.

The logic diagram for the interlock is shown on Figure 7.6-11. The interlock causes the RHR pump to stop when flow in the discharge line is below the low flow setpoint (after a prescribed time delay to allow for pump startup) when the MCB switch for the pump is in the NORMAL position. The switch is a three-position switch (STOP/NORMAL/START), as shown, and is spring-returned to NORMAL from the STOP and START positions.

7.6.6.5 Volume Control Tank Low-Low Level Interlock. The volume control tank (VCT) low-low level interlock uses the two VCT level transmitters to sense low-low level and controls the two VCT outlet isolation valves and the two suction valves from the RWST to the charging pumps.

These valves are shown on Figure 9.3.4-3 as XCV0113A, XCV0112B, XCV0112C, and XCV0113B. This control system ensures that the charging pumps always have a source of fluid during normal plant operation and protects them against loss of net positive suction head (NPSH) and consequent cavitation damage. Upon reaching the low-low level setpoint in the VCT, the RWST suction valve is opened and the VCT outlet isolation valve is closed, transferring suction from the VCT to the RWST. (This same action is performed upon receipt of the SI signal.)

The VCT low-low interlock signal for each pair of valves is channelized into independent and redundant protection sets, to improve reliability. Valves XCV0112B and XCV0112C are powered from Train C Class 1E sources and receive the low-low level signal from LT-112 in Protection Set IV via actuation Train C. Valves XCV0113A and XCV0113B are powered from Train B Class 1E sources and receive their signal from LT-113 in Protection Set III via actuation Train B.

The logic diagrams for the VCT outlet isolation valves and RWST suction valves to the charging pumps are shown on Figures 7.6-12 and 7.6-13 respectively. When the MCB switch is in the AUTO position, each RWST suction valve is opened upon receipt of the low-low level signal (or the SI signal). Each VCT outlet isolation valve is closed upon receipt of the signals; the interlock also prevents each VCT outlet isolation valve from closing unless its corresponding RWST suction valve to the charging pumps is open.

7.6.6.6 Section Deleted.

7.6.6.7 Chemical and Volume Control System (CVCS) Seal Injection Isolation Valves Charging Header Pressure Interlock. The charging header pressure interlock closes the CVCS seal water injection Containment isolation valves when the Containment isolation Phase A signal and the low charging pump discharge header pressure signal are received. This interlock allows seal injection to the reactor coolant pumps to continue so long as a charging pump is operating, determined by the pump discharge header pressure being above a preset value.

The seal water injection Containment isolation valves (CV0033A, B, C, and D) are shown on Figure 9.3.4-1; the charging pump discharge header pressure transmitter (PT-204) is shown on Figure 9.3.4-3. The transmitter inputs to Protection Set III; closure signals are then sent to the isolation valves via actuation Train B. The valves are powered from Train B Class 1E power sources.

The logic diagram for the interlock is shown on Figure 7.6-15. The interlock closes the normally open seal water injection Containment isolation valves when the MCB switch is in the AUTO position and the signal from actuation Train B is received indicating that low pump discharge header pressure has occurred coincident with the Containment isolation Phase A signal.

7.6.6.8 Letdown Valves Pressurizer Low Level Interlock. The pressurizer low level interlock closes the letdown stop valves and the letdown orifice header isolation valve when the pressurizer water level is below a preset value. The purpose of this interlock is to maintain RCS inventory by isolating letdown.

To improve operability and reliability, the pressurizer low level interlock signal is channelized into independent redundant protection sets. The functional diagram for this interlock is shown on Figures 7.2-12a and 7.2-12b. The letdown stop valves (LCV-465 and LCV-468) and letdown orifice header isolation valve (FV-0011) are shown on Figure 9.3.4-1. Letdown stop valve LCV-465 is powered from a Train A Class 1E power source and receives its interlock signal from the Protection Set I level transmitter (LT-465) via actuation Train A. Similarly, letdown stop valve LCV-468 is powered from a Train C power source and receives its interlock signal from the Protection Set IV level transmitter (LT-468) via actuation Train C. Low level signals from the two transmitters are also combined in the SSPS so that if either one senses a low level, a closure signal is sent to the letdown orifice header isolation valve through actuation Train C.

The logic diagrams for the valves are shown on Figure 7.6-16 for the letdown stop valves and Figure 7.6-19 for the letdown orifice header isolation valve. The interlock causes each letdown stop valve to close when its MCB switch is in the AUTO position and the pressurizer water level is below the preset value. For the letdown orifice header isolation valve, the pressurizer low level interlock closes the valve and prevents the operator from reopening it from the main control room until the pressurizer water level is above the setpoint. The closure signals to each letdown stop valve are delayed so that the downstream valve can close before the stop valves, to prevent flashing in the regenerative heat exchanger.

7.6.6.9 Reactor Coolant Purity Control Interlock. The reactor coolant purity control interlock utilizes low-low level signals from the boric acid tanks to close the concentrated boric acid polishing isolation valves. The purpose of this interlock is to isolate the nonsafety grade Reactor Coolant Purity Control System (RCPCS) from the boric acid storage subsystem of the CVCS. The interlock ensures that any postulated failures in the nonseismic, nonsafety RCPCS do not allow loss of boric acid required for shutdown.

To ensure that the valves are closed upon low-low level in either tank A or B, two level transmitters are provided for each tank, using independent redundant protection sets. Isolation valve FV-84000A is powered from Train A Class 1E DC power (Channel I); it receives its interlock signal from LT-102 (Tank A, in Protection Set I) and LT-106 (Tank B, in Protection Set IV) through actuation Train A. Isolation valve FV-8400B is powered from Train B Class 1E DC power (Channel III); it receives its interlock signal from LT-103 (Tank A, in Protection Set IV) and LT-105 (Tank B, in Protection Set III) through actuation Train B. The tanks, level transmitters and isolation valves are shown on Figure 9.3.4-5.

The logic diagram for the interlock is shown on Figure 7.6-18. When the MCB switch is in the AUTO position, the interlock causes the valve's solenoid to deenergize and the valve to fail closed when the water level in either boric acid tank is below the low-low level setpoint.

7.6.7 Hot and Cold Leg Recirculation Motor-Operated Valves

The SIS hot and cold leg recirculation isolation valves are motor-operated, normally closed/open valves that are controlled from the MCB. The control circuit for the hot leg recirculation valves is shown on Figure 7.6-10. The MCB switches for these valves are three-position switches which provide a "spring return to normal" from the OPEN and CLOSE positions. Manual opening of the valve from the MCB is required when performing periodic check valve leakage tests. Administrative control is required to ensure that all hot leg recirculation isolation valves are returned to their normal closed positions. Verification that each valve has been returned to the closed position is required. Additionally, power to all hot leg recirculation and low head safety injection pump cold leg recirculation valve operators is locked out except during test procedures from a control switch located at the main control board.

These valves and their control are also discussed in Sections 6.3.2.2 and 6.3.5.5.2.

7.6.8 Fire Protection

Fire protection is discussed in the Fire Hazards Analysis Report, submitted under separate cover to the NRC.

REFERENCES

Section 7.6

7.6-1 NUREG-0781, Safety Evaluation Report Related to the Operation of South Texas Project Units 1 and 2

7.7 CONTROL SYSTEMS NOT REQUIRED FOR SAFETY

The general design objectives of the plant control systems are:

1. To establish and maintain power equilibrium between the primary and secondary systems during steady-state unit operation.
2. To constrain operational transients so as to preclude unit trip and reestablish steady-state unit operation.
3. To provide the reactor operator with monitoring instrumentation that indicates all required input and output control parameters of the systems and provides the operator with the capability of assuming manual control of the system.

7.7.1 Description

The plant control systems described in this section perform the following functions:

1. Reactor Control System

The Reactor Control System enables the nuclear plant to accept a step load increase or decrease of 10 percent and a ramp increase or decrease of 5 percent per minute within the load range of 15 percent to 100 percent without reactor trip, steam dump, or pressurizer relief valve actuation, subject to possible xenon limitations. This system also maintains reactor coolant average temperature ($T_{avg}$) within prescribed limits by creating the bank demand signals for moving groups of rod cluster control assemblies (RCCAs) during normal operation and operational transients. The $T_{avg}$ control also supplies a signal to pressurizer water level control and steam dump control.

2. Rod Control System

The Rod Control System provides for reactor power modulation by manual or automatic control of control rod banks in a preselected sequence and for manual operation of individual banks.

3. Monitoring and Indicating Systems

These systems: (1) provide alarms to alert the operator if the required core reactivity shutdown margin is not available due to excessive control rod insertion; (2) display control rod position; and (3) provide alarms to alert the operator in the event of control rod deviation exceeding a preset limit.

4. Plant Control System Interlocks

The plant control system interlocks prevent further withdrawal of the control banks when signal limits predict the approach of a departure from nucleate boiling ratio (DNBR) limit or kW/ft limit, and inhibit automatic turbine load change as required by the Nuclear Steam Supply System (NSSS).

5. Pressurizer Pressure Control System

This control system maintains or restores the pressurizer pressure to the design pressure +35 psi (which is well within reactor trip and relief and safety valve actuation setpoint limits), following normal operational transients that induce pressure changes by control (manual or automatic) of heaters and spray in the pressurizer. It also provides steam relief by controlling the power-operated relief valves (PORVs).

6. Pressurizer Water Level Control System

The Pressurizer Water Level Control System establishes, maintains, and restores pressurizer water level within specified limits as a function of the average coolant temperature. Changes in level are caused by coolant density changes induced by loading, operational, and unloading transients. Level changes are produced by means of charging flow control (manual or automatic) as well as by manual selection of letdown orifices. Maintaining coolant level in the pressurizer within prescribed limits by actuating the charging and letdown system thus provides control of the reactor coolant water inventory.

7. Steam Generator Water Level Control System

The Steam Generator (SG) Water Level Control System establishes and maintains the SG water level within prescribed limits during normal operating transients.

The SG Water Level Control System is capable of restoring the SG water level to within a predetermined band at unit trip conditions, providing feedwater isolation has not occurred (see Section 7.3 for signal derivation) and the feedpump turbines are supplied with steam. The SGs can maintain a minimum heat sink capability for the Reactor Coolant System (RCS) with either manual or automatic control of the feedwater bypass control valves.

8. Steam Dump Control System

The Steam Dump Control System controls the Turbine Bypass System and permits the nuclear plant to accept a sudden loss of load without incurring reactor trip. Steam is dumped to the condenser as necessary to accommodate excess power generation in the reactor during turbine load reduction transients.

The Steam Dump Control System also ensures that stored energy and residual heat are removed following a reactor trip to bring the plant to equilibrium no-load conditions without actuation of the SG safety valves, maintains the plant at no-load conditions, and permits a manually controlled cooldown of the plant.

9. Incore Instrumentation

This instrumentation provides information on the neutron flux distribution and on the core outlet temperatures at selected core locations.

7.7.1.1 Reactor Control System. The Reactor Control System enables the nuclear plant to follow load changes automatically, including the acceptance of step load increases or decreases of 10 percent and ramp increases or decreases of 5 percent per minute within the load range of 15 percent to 100 percent without reactor trip, steam dump, or pressure relief (subject to possible xenon limitations). The system is also capable of restoring coolant average temperature to within the programmed temperature deadband following a change in load. Manual control rod operation may be performed at any time within the range of defined insertion limits.

The Reactor Control System controls the reactor coolant average temperature by regulation of control rod bank position. The reactor coolant loop average temperatures are determined from hot leg and cold leg measurements in each reactor coolant loop. There is an average coolant temperature computed for each loop, where:

$$T_{avg} = \frac{T_{hot} + T_{cold}}{2}$$

The error between the programmed reference temperature (based on turbine impulse chamber pressure) and the highest of the $T_{avg}$ measured temperatures (which is processed through a lead-lag compensation unit) from each of the reactor coolant loops constitutes the primary control signal, as shown in general on Figure 7.7-1 and in more detail on the functional diagram shown on Figure 7.2-10. The system is capable of restoring coolant average temperature to the programmed value following a change in load. The programmed coolant temperature increases linearly with turbine load from zero power to the full-power condition. The $T_{avg}$ also supplies a signal to pressurizer level control and steam dump control and rod insertion limit monitoring.

The temperature channels needed to derive the temperature input signals for the Reactor Control System are fed from protection channels via isolation amplifiers.

An additional control input signal is derived from the reactor power versus turbine load mismatch signal. This additional control input signal improves system performance by enhancing response and reducing transient peaks.

The core axial power distribution is controlled during load follow maneuvers by changing (a manual operator action) the boron concentration in the reactor coolant system. Th(Section 7.7.1.3.1) indicate any need for an adjustment in the axial power distribution. Adding boron to the reactor coolant reduces $T_{avg}$ and causes the rods (through the rod control system) to move toward the top of the core. This action reduces power peaks in the bottom of the core. Likewise, removing boron from the reactor coolant moves the rods further into the core to control power peaks in the top of the core.

7.7.1.2 Rod Control System.

The Rod Control System receives rod speed and direction signals from the RCS. The rod speed demand signal varies over the range of 3.75 to 45 in./min (corresponding to 6 to 72 steps/min), depending on the magnitude of the input signal. Manual control is provided to move a control bank in or out at a prescribed fixed speed.

When the turbine load reaches approximately 15 percent of rated load, the operator may select the AUTOMATIC mode, and rod motion is then controlled by the Reactor Control System. A permissive interlock, C-5 (Table 7.7-1), derived from measurements of turbine impulse chamber pressure prevents automatic withdrawal when the turbine load is below 15 percent. In the AUTOMATIC mode, the rods are withdrawn (or inserted) in a predetermined programmed sequence by the automatic programming with the control interlocks (Table 7.7-1). The shutdown banks are always in the fully withdrawn position during normal operation, and are moved to this position at a constant speed by manual control prior to criticality.

A reactor trip signal causes them to fall by gravity into the core. There are five shutdown banks.

The control banks are the only rods that can be manipulated under automatic control. Each control bank is divided into two groups to obtain smaller incremental reactivity changes per step. All RCCAs within a group are electrically paralleled to move simultaneously. There is individual position indication for each RCCA.

Power is supplied to rod drive mechanisms by two motor-generator sets operating from two separate 480 V, three-phase busses. Each generator is the synchronous type and is driven by a 200-hp induction motor. The AC power is distributed to the rod control power cabinets at 260 vac through the two series-connected reactor trip breakers.

The variable speed rod drive programmer affords the ability to insert small amounts of reactivity at low speed to accomplish fine control of reactor coolant average temperature about a small temperature deadband, as well as furnishing control at high speed. A summary of the RCCA sequencing characteristics is given below:

1. Two groups within the same bank are stepped so that the relative position of the groups does not differ by more than one step.
2. The control banks are programmed so that withdrawal of the banks is sequenced in the following order: control bank A, control bank B, control bank C, and control bank D. The programmed insertion sequence is the opposite of the withdrawal sequence, i.e., the last control bank withdrawn (bank D) is the first control bank inserted.
3. The control bank withdrawals are programmed so that when the first bank reaches a preset position, the second bank begins to move out simultaneously with the first bank, which continues to move toward its fully withdrawn position. When the second bank reaches a preset position, the third bank begins to move out, and so on. This withdrawal sequence continues until the unit reaches the desired power level. The control bank insertion sequence is the opposite. A maximum of two control banks are withdrawn or inserted at any time.
4. Overlap between successive control banks is adjustable between 0 and 50 percent (0 to 128 steps), with an accuracy of +1 step.
5. Rod speeds for either the shutdown banks or manual operation of the control banks are capable of being manually adjusted between a minimum of 6 steps per minute and a maximum of less than or equal to 72 steps per minute (with an accuracy of +0 to -10 steps per minute).

7.7.1.2.1 Rod Control System Features: Credible rod control equipment malfunctions which could potentially cause inadvertent positive reactivity insertions due to inadvertent rod withdrawal, incorrect overlap, or malpositioning of the rods are:

1. Failures in the manual rod controls:
a. Rod motion control switch (IN-HOLD-OUT)
b. Bank selector switch
2. Failures in the overlap and bank sequence program control:
a. Logic cabinet systems
b. Power supply systems

7.7.1.2.1.1 Failures in the Manual Rod Controls - The rod motion control switch is a three-position lever switch. The three positions are: IN, HOLD, and OUT. These positions are effective when the bank selector switch is in manual. Failure of the rod motion control switch (contacts failing shorted or activated relay failures) would have the potential, in the worst case, to produce positive reactivity insertion by rod withdrawal when the bank selector switch is in the manual position or in a position which selects one of the banks.

When the bank selector switch is in the automatic position, the rods would obey the automatic commands and any failures in the rod motion control switch would have no effect on the rod motion regardless of whether the rod motion control switch is in the IN, HOLD, or OUT position.

In the case where the bank selector switch is selecting a bank and a failure occurs in the rod motion switch that would command the bank to move out even when the rod motion control switch was in an IN or HOLD position, the selected bank could inadvertently withdraw. This failure is bounded in the safety analysis (Chapter 15) by the uncontrolled bank withdrawal from a subcritical condition and at power transients. A reactivity insertion of up to 75 pcm/sec is assumed in the analysis due to rod movement. This value of reactivity insertion rate is consistent with the withdrawal of two banks.

A failure that can cause more than one group of four mechanisms to be moved at one time within a power cabinet is not a credible event, because the circuit arrangement for the movable and lift coils would cause the current available to the mechanisms to divide equally between coils in the two groups (in a power supply). The drive mechanism is designed such that it will not operate on half-current. A second feature preventing movement of more than one group at a time is the multiplexing failure detection circuit included in each power cabinet. This failure detection circuit would stop rod withdrawal (or insertion).

The second case considered in the potential for inadvertent reactivity insertion due to possible failures is when the bank selector switch is in the manual position. Should there be a failure in the rod motion control switch, a scenario where the rods inadvertently withdraw in a programmed sequence could occur. The overlap and bank sequence are programmed when the switch selection is in either automatic or manual. This scenario is also bounded by the reactivity values assumed in the accident analysis (Chapter 15). In this case, the operator can trip the reactor, or the protection system would trip the reactor via power range neutron flux -

7.7.1.2.1.2 Failure of the Bank Selector Switch - A failure of the bank selector switch produces no consequences when the IN-HOLD-OUT switch is in the hold position. This is due to the following design features:

The bank selector switch is series-wired with the IN-HOLD-OUT lever switch for manual and individual control rod bank operation. With the IN-HOLD-OUT lever switch in the HOLD position, the bank selector switch can be positioned without rod movement.

7.7.1.2.1.3 Failures in the Overlap and Bank Sequence Program Control - The Rod Control System design prevents the movements of the groups out of sequence, as well as limiting the rate of reactivity insertion. The main feature that performs the function of preventing malpositioning produced by groups out of sequence is included in the block supervisory memory buffer and control.

This circuitry accepts and stores the externally generated command signals. In the event of an out-of-sequence input command to the rods while they are in movement, this circuit would inhibit the buffer memory from accepting the command. If a change signal command appears, this circuit would stop the system after allowing the slave cyclers to finish their current sequencing. Failure of the components related to this system would also produce insertion limit and rod deviation alarms (Sections 7.7.1.3.3 and 7.7.1.3.4, respectively). Failures within the system such as failures of supervisory logic cards, pulser cards, etc., would also cause an urgent alarm.

1. An urgent alarm will be followed by the following actions:
a. Automatic deenergizing of the lift coil and reduced current energizing of the stationary gripper coils and movable gripper coils, stopping rod motion.
b. Activation of the alarm light, urgent failure, on the affected cabinet front panel, and
c. Activation of ROD CONTROL URGENT FAILURE annunciator window in the main control room.
2. The urgent alarm is produced in general by:
a. Regulation failure detector
b. Phase failure detector
c. Logic error detector
d. Multiplexing error detector
e. Interlock failure detector

7.7.1.2.1.4 Logic Cabinet Failures - The Rod Control System is designed to limit the rod speed control signal output to a value that will cause the pulser (logic cabinet) to drive the control rod driving mechanism (CRDM) at up to 72 steps/minute. If a failure should occur in the pulser or the RCS, the highest stepping rate possible is 77 steps/minute, which corresponds to one step every 780 msec. A commanded stepping rate higher than 77 steps/minute would result in go pulses entering a slave cycler while it is sequencing its mechanisms through a 780 msec step. This condition stops the control bank motion automatically and alarms are activated locally and in the main control room. It also causes the affected slave cycler to reject further go pulses until it is reset.

Failures that cause the 780 msec step sequence time to shorten would not result in higher rod speeds since the stepping rate is proportional to the pulsing rate. Simultaneous failures in the pulser or Rod Control System and in the clock circuits that determine the 780 msec stepping sequence could result in higher CRDM speed; however, in the unlikely event of these simultaneous multiple failures, the maximum CRDM operation speed would be no more than approximately 77 steps/minute due to physical limitation. This speed has been verified by tests conducted on the CRDMs.

Surveillance testing of the Rod Control System is performed at periodic intervals to detect failures that could lead to an increase in the rod speed.
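The go-pulse check described in 7.7.1.2.1.4 behaves like a latch: a pulse that arrives during a 780 msec step sequence stops motion and blocks further pulses until reset. The following Python model is an added illustration, not plant or vendor code; the class, the alarm text and the choice to count the step already in progress as completed are assumptions.

```python
"""Toy model of the slave-cycler go-pulse check in Section 7.7.1.2.1.4."""
from dataclasses import dataclass, field

STEP_SEQUENCE_MS = 780.0  # from the page: one step sequence takes 780 msec


@dataclass
class SlaveCycler:
    """Hypothetical model: accepts go pulses, latches on an overlapping pulse."""
    busy_until_ms: float = float("-inf")
    latched: bool = False          # True once an overlapping pulse was seen
    steps_taken: int = 0
    rejected: int = 0
    alarms: list = field(default_factory=list)

    def go_pulse(self, t_ms: float) -> bool:
        """Offer one go pulse at time t_ms; return True if a step was started."""
        if self.latched:
            # Page: the cycler rejects further go pulses until it is reset.
            self.rejected += 1
            return False
        if t_ms < self.busy_until_ms:
            # Pulse arrived while the previous 780 msec sequence is running:
            # stop bank motion and raise the alarm (alarm text is made up).
            self.latched = True
            self.rejected += 1
            self.alarms.append((t_ms, "GO PULSE DURING STEP SEQUENCE"))
            return False
        self.busy_until_ms = t_ms + STEP_SEQUENCE_MS
        self.steps_taken += 1
        return True

    def reset(self) -> None:
        """Manual reset after the fault has been investigated."""
        self.latched = False


def fastest_accepted_rate() -> float:
    """Highest pulse rate (steps/min) that never overlaps a 780 msec sequence."""
    return 60_000.0 / STEP_SEQUENCE_MS


def pulse_times(rate_steps_per_min: float, duration_s: float = 60.0) -> list:
    """Evenly spaced go-pulse times in msec for a commanded stepping rate."""
    interval_ms = 60_000.0 / rate_steps_per_min
    count = int(duration_s * rate_steps_per_min / 60.0)
    return [i * interval_ms for i in range(count)]


def run(rate_steps_per_min: float, duration_s: float = 60.0) -> SlaveCycler:
    """Feed a constant-rate pulse train to a fresh cycler and return it."""
    cycler = SlaveCycler()
    for t_ms in pulse_times(rate_steps_per_min, duration_s):
        cycler.go_pulse(t_ms)
    return cycler


if __name__ == "__main__":
    for rate in (72, 80):  # design maximum vs. a constructed faulty demand
        c = run(rate)
        print(rate, "steps/min ->", c.steps_taken, "steps,",
              c.rejected, "rejected, alarms:", c.alarms)
```

A 780 msec sequence works out to about 76.9 steps/minute, which the page rounds to 77; the model therefore uses the 780 msec figure rather than the rounded rate as its threshold.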

7.7.1.2.1.5 Failures Causing Movement of the Rods Out of Sequence - No single failure was discovered (Ref. 7.7-2) that would cause a rapid uncontrolled withdrawal of control bank D (taken as worst case) when operating in the automatic bank overlap control mode with the reactor at near full power output. The analysis revealed that many of the failures postulated were in a safe direction and that rod movement is blocked by the rod control urgent alarm.
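The bank overlap program referred to here (the RCCA sequencing summary in Section 7.7.1.2) can be modelled as a single counter from which every control bank position is derived, which also gives a simple consistency check for out-of-sequence positions. This Python sketch is an added illustration, not plant or vendor code; the 256-step bank travel (inferred from the page equating 50 percent overlap with 128 steps), the function names and the sample positions are assumptions.

```python
"""Toy model of control bank overlap sequencing (Section 7.7.1.2)."""

BANKS = ("A", "B", "C", "D")   # withdrawal order stated on the page
FULL_TRAVEL = 256              # assumption: 50 percent overlap = 128 steps
MAX_OVERLAP = 128              # from the page: overlap adjustable 0 to 128 steps


def max_counter(overlap: int) -> int:
    """Counter value at which all four banks are fully withdrawn."""
    return (len(BANKS) - 1) * (FULL_TRAVEL - overlap) + FULL_TRAVEL


def bank_positions(counter: int, overlap: int) -> dict:
    """Programmed position of each bank for a given overlap counter value.

    Each bank starts moving when the previous bank reaches the preset
    position FULL_TRAVEL - overlap, and stops at FULL_TRAVEL.
    """
    if not 0 <= overlap <= MAX_OVERLAP:
        raise ValueError("overlap must be between 0 and 128 steps")
    start_gap = FULL_TRAVEL - overlap
    return {
        bank: min(max(counter - index * start_gap, 0), FULL_TRAVEL)
        for index, bank in enumerate(BANKS)
    }


def moving_banks(counter: int, overlap: int, direction: int) -> list:
    """Banks that move for one step out (+1) or in (-1) from this counter."""
    before = bank_positions(counter, overlap)
    after = bank_positions(counter + direction, overlap)
    return [bank for bank in BANKS if before[bank] != after[bank]]


def max_simultaneous(overlap: int) -> int:
    """Largest number of banks that ever move on the same step."""
    return max(
        len(moving_banks(counter, overlap, +1))
        for counter in range(max_counter(overlap))
    )


def in_programmed_sequence(observed: dict, overlap: int) -> bool:
    """True if the observed bank positions match some point of the program."""
    return any(
        bank_positions(counter, overlap) == observed
        for counter in range(max_counter(overlap) + 1)
    )


if __name__ == "__main__":
    print(bank_positions(300, 128))          # B and C are both in motion here
    print(moving_banks(300, 128, +1))
    print(max_simultaneous(128), max_simultaneous(0))
    # Constructed sample: bank C has moved although bank B is too low.
    print(in_programmed_sequence({"A": 256, "B": 100, "C": 50, "D": 0}, 128))
```

With the overlap capped at half the bank travel, bank A is always fully withdrawn before bank C starts, which is why no more than two banks move at once in this model.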

7.7.1.2.1.6 Power Supply System Failures - Analysis of the power cabinet disclosed no single component failures that would cause the uncontrolled withdrawal of a group of rods serviced by the power cabinet. The analysis substantiates that the design of a power cabinet is fail-preferred in regard to a rod withdrawal accident if a component fails. The result of the failure is either that of blocking rod movement or that of dropping an individual rod, or rods, or a group of rods. No failure within the power cabinet which could cause erroneous drive mechanism operation will remain undetected. Sufficient alarm monitoring (including an urgent alarm) is provided in the design of the power cabinet for fault detection of those failures which could cause erroneous operation of a group of mechanisms. As noted in the foregoing, diverse monitoring systems are available for detection of failures that cause the erroneous operation of an individual CRDM.

7.7.1.2.1.7 Conclusion - In summary, no single failure within the Rod Control System can cause either reactivity insertions or malpositioning of the control rods that would result in core thermal conditions not bounded by the analyses contained in Chapter 15.

7.7.1.3 Plant Control Signals for Monitoring and Indicating.

7.7.1.3.1 Monitoring Functions Provided by the Nuclear Instrumentation System: The power range channels are important because of their use in monitoring power distribution in the core within specified limits. They are used to measure power level, axial flux imbalance, and radial flux imbalance. These channels are capable of recording overpower excursions up to 200 percent of full power. Suitable alarms are derived from these signals as described below.

Basic power-range signals are:

1. Total currents from a power range detector (four such signals from separate detectors); these detectors are vertical and have a total active length of 10 ft.
2. Current from the upper half of each power range detector (four signals).
3. Current from the lower half of each power range detector (four signals).

Derived from these basic signals are the following (including standard signal processing for calibration):

1. Indicated nuclear power (four signals).
2. - half flux minus lower-half flux (four signals).

Alarm functions derived are:

1. Deviation (maximum minus minimum of four) in indicated nuclear power.
2. Upper radial tilt (maximum to average of four) on upper-half currents.
3. Lower radial tilt (maximum to average of four) on lower-half currents.

4. (Upper and lower radial tilt alarms have an adjustable time delay to prevent actuation from short duration transient behavior)

Provision is made to continuously record, on strip charts on the control room recorder panel, the eight ion chamber signals; i.e., upper and lower currents for each detector. Nuclear power and axial imbalance are selectable for recording as well. Indicators are provided on the control board for nuclear power and for axial flux imbalance.

which determines the one - output: above a preset (90 percent) power level, an alarm message is output immediately upon determining a delta flux exceeding the preset band presented in the COLR; below this preset power (usually one hour) amount of time in the past 24 hours. For periods during which the alarm on flux difference is inoperable, applicable Technical Specifications are followed. Additional background information on the Nuclear Instrumentation System (NIS) can be found in Reference 7.7-1.

7.7.1.3.2 Rod Position Monitoring:

Two separate systems are provided to sense and display control rod position, as described below:

1. Digital Rod Position Indication System

The Digital Rod Position Indication System (DRPIS) measures the actual position of each control and shutdown rod using a detector which consists of discrete coils mounted concentrically with the rod drive pressure housing. The coils are located axially along the pressure housing and magnetically sense the entry and presence of the rod drive shaft through its centerline. For each detector, the coils are interlaced into two data channels, and are connected to the data cabinet electronics (Data A and B) by separate multi-conductor cables. By employing two separate channels of information, the DRPIS can continue to function (at reduced accuracy) when one channel fails. Multiplexing is then used to transmit the digital position signals from the data cabinet electronics to the control board display unit. The DRPI Data Cabinets (Data "A" and "B") contain electronics which during plant shutdown can automatically deenergize the Data Cabinets, capture, process, and store single or multiple rod drop times, and then reenergize the Data Cabinets. The digital position indication signals from the Data Cabinet electronics to the control board display unit are momentarily interrupted during the rod drop test.

The control board display unit contains a column of light-emitting diodes (LEDs) for each rod. At any given time, the one LED illuminated in each column shows the position for that particular rod. Since shutdown rods are always fully withdrawn with the plant at power, their position is displayed +4 steps only from rod bottom to 18 steps and from 234 steps to 259 steps. All intermediate positions of the rod are represented by a single "transition" LED. Each rod of the control banks has its position displayed to +4 steps throughout its range of travel.

Included in the system is a "rod at bottom" signal for each rod that operates a local alarm.

Also, a control room annunciator is actuated when any shutdown or control rod reaches the bottom.

2. Demand Position System

The Demand Position System counts pulses generated in the Rod Control System to provide a digital readout of the demanded bank position.

The Demand Position System and the DRPIS are separate systems. However, safety criteria were not involved in the separation; rather, this was a design requirement resulting from operational needs. Operating procedures require the operator to compare the demand and indicated (actual) readings from the DRPIS to verify operation of the Rod Control System.

7.7.1.3.3 Control Bank Rod Insertion Monitoring: When the reactor is critical, the normal indication of incore reactivity status is the position of the control bank in relation to reactor used to calculate insertion limits for the control banks. Two alarms are provided to indicate low and low-low rod position, as follows:

1. The low alarm alerts the operator of an approach to the rod insertion limits requiring boron addition by following normal procedures with the Chemical and Volume Control System (CVCS).
2. The low-low alarm alerts the operator to take immediate action to add boron to the RCS by any one of several alternate methods.

The purpose of the control bank rod insertion monitor is to give warning to the operator of excessive rod insertion. The insertion limit maintains sufficient core reactivity shutdown margin following reactor trip, provides a limit on the maximum inserted rod worth in the unlikely event of a hypothetical rod ejection, and limits rod insertion so that acceptable nuclear peaking factors are maintained. Since the amount of shutdown reactivity required for the design shutdown margin following a reactor trip increases with increasing power, the allowable rod insertion limits must be decreased (the rods must be withdrawn further) with increasing power. Two parameters which are

leg and the cold leg, which is a direct function of reactor power, and Tavg, which is programmed as a function of power. The rod insertion monitor uses parameters for each control rod bank as follows:

LL Z C)B(A(auctavgauct where:

ZLL = Maximum permissible insertion limit for affected control bank
(T)auct = Highest of all loops
(Tavg)auct = Highest Tavg of all loops
A, B, C = Constants chosen to maintain ZLL actual limit based on physics calculations

The control rod bank demand position, Z, is compared to ZLL as follows:

If Z - LL Z D, a LOW alarm is actuated.

If Z - E, Z LL a LOW-LOW alarm is actuated.

Since the highest values of Tavg and are chosen by auctioneering, a conservatively high representation of power is used in the insertion limit calculation.

Actuation of the low alarm alerts the operator of an approach to a reduced shutdown reactivity situation. Administrative procedures require the operator to add boron through the CVCS. Actuation of the LOW-LOW alarm requires the operator to initiate emergency boration procedures. The value of E is chosen so that the low-low alarm would normally be actuated before the insertion limit is reached. The value for D is chosen to allow the operator to follow normal boration procedures. Figure 7.7-2 shows a block diagram representation of the control rod bank insertion monitor. The monitor is shown in more detail on the functional diagram shown on Figure 7.2-10. In addition to the rod insertion monitor for the control banks, the plant computer monitors individual rod positions and provides an alarm that is associated with the rod deviation alarm discussed in Section 7.7.1.3.4 to warn the operator should any shutdown RCCA leave the fully withdrawn position.

Rod insertion limits are determined by:

1. Establishing the allowed rod reactivity insertion at full power consistent with the purposes given above.
2. Establishing the differential reactivity worth of the control rods when moved in normal sequence.
3. Establishing the change in reactivity with power level by relating power level to rod position.
4. Linearizing the resultant limit curve.

All key nuclear parameters in this procedure are measured as part of the initial and periodic physics testing program.

Any unexpected change in the position of the control bank when under automatic control, or a change in coolant temperature when under manual control, provides a direct and immediate indication of a change in the reactivity status of the reactor. In addition, samples are taken periodically of coolant boron concentration. Variations in concentration during core life provide an additional check on the reactivity status of the reactor, including core depletion.

7.7.1.3.4 Rod Deviation Alarm:

A rod deviation function is performed as part of the DRPIS where an alarm is generated if a preset limit is exceeded as a result of a comparison of any control rod against the other rods in a bank. The deviation alarm of a shutdown rod is annunciated when a preset insertion limit is exceeded.

The demanded and measured rod position signals are also monitored by the plant computer, which provides an audible alarm which can be printed whenever an individual rod position signal deviates from the other rods in the bank by a preset limit. The alarm can be set with appropriate allowance for instrument error and with sufficiently narrow limits to preclude exceeding core design hot channel factors. Figure 7.7-3 is a block diagram of the rod deviation comparator and alarm design implemented by the plant computer. Additionally, the DRPIS contains rod deviation circuitry that detects and alarms the following conditions:

1. When any two rods within the same control bank are misaligned by a preset distance (12 steps), and
2. When any shutdown rod is below the full-out position by a preset distance (18 steps).

7.7.1.3.5 Rod Bottom Alarm:

A rod bottom signal for the rods in the DRPIS is used to operate a control relay, which generates the ROD BOTTOM alarm.

7.7.1.4 Plant Control System Interlocks.

The listing of the Plant Control System interlocks, along with the description of their derivations and functions, is presented in Table 7.7-1. It is noted that the designation numbers for these interlocks are preceded by the letter "C". The development of these logic functions is shown on the functional diagrams (Figures 7.2-10 through 7.2-17).

7.7.1.4.1 Rod Stops:

Rod stops are provided to prevent abnormal power conditions which could result from excessive control rod withdrawal initiated by either a control system malfunction or operator violation of administrative procedures.

Rod stops are the C-1, C-2, C-3, C-4, C-5, and C-11 control interlocks identified in Table 7.7-1.

7.7.1.4.2 Automatic Turbine Load Runback (DELETED)

7.7.1.4.3 Turbine Loading Stop: An interlock (C-17) is provided to limit turbine loading during a rapid return to power transient when a reduction in reactor coolant temperature is used to increase reactor power (through the negative moderator temperature coefficient). This interlock limits the drop in coolant temperature so that it does not exceed cooldown accident limits and preserves satisfactory SG operating conditions. Subsequent automatic turbine loading can begin after the interlock has been cleared by an increase in coolant temperature, which is accomplished by reducing the boron concentration in the coolant.

7.7.1.5 Pressurizer Pressure Control.

The RCS pressure is controlled by using either the heaters (in the water region) or the spray (in the steam region) of the pressurizer plus steam relief for large transients. The electrical immersion heaters are located near the bottom of the pressurizer.

A portion of the heaters (control group) is proportionally controlled to correct small pressure variations. These variations are due to heat losses, including heat losses due to a small continuous spray. The remaining (backup) heaters are automatically energized when all proportional heaters are energized and the compensated pressure signal continues to decrease.

The spray nozzles are located on the top of the pressurizer. Spray is initiated when the pressure controller spray demand signal is above a given setpoint. The spray rate increases proportionally with an increasing spray demand signal until it reaches a maximum value.

Steam condensed by the spray reduces the pressurizer pressure. A small continuous spray is normally maintained to reduce thermal stresses and thermal shock and to help maintain uniform water chemistry and temperature in the pressurizer.

PORVs limit system pressure for large positive pressure transients. In the event of a large load reduction, not exceeding the design plant load rejection capability, the pressurizer PORVs might be actuated for the most adverse conditions, e.g., the most negative Doppler coefficient, and the minimum incremental rod worth. The relief capacity of the PORVs is large enough to limit the system pressure to prevent actuation of the pressurizer high pressure reactor trip for the above condition.

A block diagram of the Pressurizer Pressure Control System is shown on Figure 7.7-4. The functional diagram is shown on Figures 7.2-12a and 7.2-12b.

7.7.1.6 Pressurizer Water Level Control.

The pressurizer operates to control RCS pressure by maintaining a steam cushion over the reactor coolant. As the density of the reactor coolant adjusts to the various temperatures, the steam water interface moves to absorb the variations with relatively small pressure disturbances.

The water inventory in the RCS is maintained by the CVCS. During normal plant operation, the charging flow varies to produce the flow demanded by the pressurizer water level controller. The pressurizer water level is programmed as a function of coolant average temperature, with the highest average temperature (auctioneered) being used. The pressurizer water level decreases as the load is reduced from full load. This is a result of coolant contraction following programmed coolant temperature reduction from full power to low power. The programmed level is designed to match as nearly as possible the level changes resulting from the coolant temperature changes.

To control pressurizer water level during startup and shutdown operations, the charging flow is manually regulated from the main control room.

A block diagram of the Pressurizer Water Level Control System is shown on Figure 7.7-5. The functional diagram is shown on Figures 7.2-12a and 7.2-12b.

7.7.1.7 Steam Generator Water Level Control.

Each SG is equipped with a three-element feedwater (FW) flow controller that maintains a fixed water level. The three-element FW controller regulates the FW valve by continuously comparing the FW flow signal, the SG water level signal, the level setpoint, and the pressure-compensated steam flow signal. In addition, the turbine-driven main FW pump speed is varied to maintain a programmed pressure differential between the steam header and the feed pump discharge header. The speed controller continuously compares the actual with a programmed ref which is a linear function of steam flow. Continued delivery of FW to the SGs is required as a sink for the heat stored and generated in the reactor following a reactor trip and turbine trip. An override signal closes the FW valves when the average coolant temperature is below a given temperature and the reactor has tripped. Manual override of the FW control system is available at all times.

When operating at low reactor power levels (as during startup), the steam and feedwater flow signals are not usable for control due to inherent flow signal inaccuracies.

Therefore, a secondary automatic control system is provided for operation at low power. This system uses the SG water level and nuclear power (power range neutron flux) signals in a feed forward control scheme in conjunction with the water level setpoint signal to position a bypass valve which is in parallel with the main FW control valve. Switchover between the bypass FW Control System (low power) and the Main FW Control System, depending upon whether reactor power is increasing or decreasing, is initiated by the operator before approximately 25 percent power.

A block diagram of the SG Water Level Control System is shown on Figure 7.7-6, and a block diagram of the Main FW Pump Speed Control System is shown on Figure 7.7-7. The functional diagram for both is shown on Figures 7.2-14 and 7.2-15.

7.7.1.8 Steam Dump Control.

The Steam Dump Control System is designed to accept a 50 percent loss of net load without tripping the reactor.

The Steam Dump Control System is able to accommodate this abnormal load rejection and to reduce the effects of the transient imposed upon the RCS. By bypassing main steam directly to the condenser through the Turbine Bypass System, an artificial load is thereby maintained on the primary system. The Rod Control System can then reduce the reactor temperature to a new equilibrium value without causing overtemperature and/or overpressure conditions.

The South Texas Project Electric Generating Station (STPEGS) has a 50 percent loss-of-net-load capability. The steam dump flow capacity provides 40 percent of full-load steam flow at full-load steam pressure.

If the difference between the reference temperature based on turbine impulse chamber pressure and the lead/lag-compensated auctioneered Tavg exceeds a predetermined amount, and the interlock mentioned below is satisfied, a demand signal actuates the steam dump to maintain the RCS temperature within the control range until a new equilibrium condition is reached.

To prevent actuation of steam dump on small load perturbations, an independent load rejection sensing circuit is provided. This circuit senses the rate of decrease in the turbine load as detected by the turbine impulse chamber pressure. It is provided to unblock the turbine bypass valves when the rate of load rejection exceeds a preset value corresponding to a 10 percent step load decrease or a sustained ramp load decrease of 5 percent/minute.

A block diagram of the Steam Dump Control System is shown on Figure 7.7-8. The functional diagram is shown on Figure 7.2-11.

7.7.1.8.1 Load Rejection Steam Dump Controller:

This circuit prevents a large increase in reactor coolant temperature following a large, sudden load decrease. The error signal is a difference between the lead/lag-compensated auctioneered Tavg and the reference temperature based on turbine impulse chamber pressure.

The Tavg signal is the same as that used in the RCS. The lead/lag compensation for the Tavg signal is to compensate for lags in the plant thermal response and in valve positioning. Following a sudden load decrease, the reference temperature immediately decreases and Tavg tends to increase, thus generating an immediate demand signal for steam dump. Since control rods are available, steam dump terminates as the error comes within the maneuvering capability of the control rods.

7.7.1.8.2 Turbine Trip Steam Dump Controller:

Following a turbine trip, as monitored by the turbine trip signal, the load rejection steam dump controller is defeated, and the turbine trip steam dump controller becomes active. Since control rods are not available in this situation (reactor trip on turbine trip), the demand signal is the error signal between the lead/lag-compensated, auctioneered Tavg and the no-load reference. When the error signal exceeds a predetermined setpoint, the turbine bypass valves are tripped open in a prescribed sequence. As the error signal reduces in magnitude, indicating that the RCS Tavg is being reduced toward the reference no-load value, the turbine bypass valves are modulated by the turbine trip controller to regulate the rate of removal of decay heat and thus gradually establish the equilibrium hot shutdown condition.

7.7.1.8.3 Steam Header Pressure Controller:

Residual heat removal is maintained by the SG pressure controller (manually selected), which controls the amount of steam flow to the condensers. This controller operates a portion of the same turbine bypass valves to the condensers which are used during the initial transient following turbine or reactor trip on load rejection.

7.7.1.9 Incore Instrumentation:

The Incore Instrumentation System consists of chromel-alumel thermocouples at fixed core outlet positions and movable miniature neutron detectors which can be positioned at the center of selected fuel assemblies, anywhere along the length of the fuel assembly vertical axis. The basic system for insertion of these detectors is shown on Figure 7.7-9.

7.7.1.9.1 Thermocouples:

Chromel-alumel thermocouples are threaded into guide tubes that penetrate the reactor vessel head through seal assemblies, and terminate at the exit flow end of the fuel assemblies. The thermocouples are provided with two primary seals, a conoseal and a swage-type seal from conduit to the thermocouple head. Thermocouple readings are monitored by the Qualified Display Processing System (QDPS) (Section 7.5).

7.7.1.9.2 Movable Neutron Flux Detector Drive System:

Miniature fission chamber detectors can be remotely positioned in retractable guide thimbles to provide flux mapping of the core. The stainless steel detector shell is welded to the leading end of the helically wrapped drive cable and to the stainless-steel-sheathed coaxial cable. The retractable thimbles, into which the miniature detectors are driven, are pushed into the reactor core through conduits which extend from the bottom of the reactor vessel down through the concrete shield area and then to a thimble seal plate. Their distribution over the core is nearly uniform with about the same number of thimbles located in each quadrant.

The thimbles are closed at the leading ends, are dry inside, and serve as the pressure barrier between the reactor water pressure and the atmosphere. Mechanical seals between the retractable thimbles and the conduits are provided at the seal table. During reactor operation, the retractable thimbles are stationary. They are extracted downward from the core during refueling to avoid interference within the core. A space beyond the seal plate is provided for the retraction operation.

The drive system for the insertion of the miniature detectors consists basically of drive assemblies, 5-path rotary transfer assemblies, and 10-path rotary transfer assemblies, as shown on Figure 7.7-9. The drive system pushes hollow helically wrapped drive cables into the core with the miniature detectors attached to the leading ends of the cables and small-diameter, sheathed coaxial cables threaded through the hollow centers back to the ends of the drive cables. Each drive assembly consists of a gear motor which pushes a helically wrapped drive cable and a detector through the selected thimble path by means of a special drive box, and includes a storage device that accommodates the total drive cable length.

Magnetic ball valves in series with the manual valves are provided for isolating a thimble leak. With the valve in the closed position, the valves form a 2,500 psig barrier. The magnetic ball valve serves as a check valve. The magnetic ball valve is normally closed and is opened when a flux detector is inserted through the valve, pushing the ball into a pocket in the valve. When the detector is removed from the thimble and out of the valve, the magnet pulls the ball back into the closed position. The manual isolation valve provides a backup means of isolating a thimble leak. The method of detecting the leakage would be during the performance of flux mapping.

If a leak has occurred, the backpressure on the ball valve will prevent the insertion of the detector. This will be indicated on the flux mapping panel.

A thimble leak might require cold shutdown for access to the flux thimble isolation valve. An incore flux mapping system leak detector with alarm capability is provided.

The Nuclear Regulatory Commission (NRC) questioned the vibrational response of the bottom mounted instrumentation (BMI) thimbles in questions 492.6N, 492.7N, and 492.8N (Ref. 7.7-3). Houston Lighting & Power (HL&P) (historical context) responded (Ref. 7.7-4) to the NRC questions by stating that the failure of the BMI thimble is not attributed to the vibration of the 14-ft core but to the use of a more flexible thimble and changes to thimble guide tube configuration. Information describing operational experience and modifications to the BMI design pursuant to European plant data was provided in References 7.7-5 and 7.7-6. Physical changes to the BMI thimbles to eliminate excess thimble vibration pursuant to operational plant test data were described in References 7.7-7 and 7.7-8. Commitments to examine thimble assemblies are provided in Reference 7.7-9. Further commitments for thimble inspection and plans for follow-up and corrective action are contained in References 7.7-10 and 7.7-11. As described in Reference 7.7-12, it was decided to remove the flow limiter devices from Unit 1 and replace the 0.313-inch-outside-diameter thimbles in Unit 1 with 0.385-inch-outside-diameter thimbles. Unit 2 began operation with 0.385-inch-outside-diameter thimbles installed. Flow limiter devices were not used in Unit 2.

A wall thickness eddy current inspection of all flux thimble tubes is scheduled for each refueling outage for each Unit. The inspection may be deferred by using an evaluation that considers the actual wear rate. Corrective actions to reposition, cap, or replace the thimble tube will be taken if the predicted wear (as a measure of percent through wall) for a given flux thimble tube is projected to exceed the established acceptance criterion of 80% (Reference 7.7-13) prior to the next outage.

7.7.1.9.3 Control and Readout Description:

The Control and Readout System provides the means for inserting the miniature neutron detectors into the reactor core and withdrawing the detectors while plotting neutron flux versus detector position. The Control and Readout System is located in the control room. Limit switches in each transfer device provide path selection operation feedback. Each gear box drives an encoder for position feedback. One 5-path operation selector is provided for each drive unit to insert the detector in one of five functional modes of operation. One 10-path operation selector is also provided for each drive unit that is then used to route a detector into any one of up to 10 selectable paths. A common path is provided to permit cross-calibration of the detectors.

The control room contains the necessary equipment for control, position indication, and flux recording for each detector.

A "flux-mapping" consists, briefly, of selecting (by panel switches) flux thimbles in given fuel assemblies at various core quadrant locations. The detectors are driven to the top of the core and stopped automatically.

An X-Y plot (position versus flux level) is initiated with the slow withdrawal of the detectors through the core from the top to a point below the bottom. In a similar manner, other core locations are selected and plotted. Each detector provides axial flux distribution data along the center of a fuel assembly. Various radial positions of detectors are then compared to obtain a flux map for a region of the core.

The number and location of these thimbles were chosen to permit measurement of local to average peaking factors to an accuracy of 5 percent (95 percent confidence). Measured nuclear peaking factors will be increased by 5 percent to allow for this accuracy. If the measured power peaking is larger than acceptable, reduced power capability will be indicated. Operating plant experience has demonstrated the adequacy of the incore instrumentation in meeting the design bases stated.

7.7.1.10 Boron Concentration Measurement System (BCMS).

The BCMS Model MK III has three components: an electronics console, a sampler tank assembly, and a remote display. The BCMS uses an integral neutron source and neutron detector. A sample of primary coolant containing boron passes through an annulus surrounding the neutron detector. The absorption of neutrons by the boron affects the neutron detection rate of the neutron detector. The relationship is approximately linear between the inverse of the neutron count rate and the boron concentration in the sample.

7.7.1.10.1 Sample Tank Assembly:

The sampler tank (Figure 7.7-11) is a cylindrical floor-mounted steel tank filled with demineralized water and heated to approximately 125°F by thermostatically controlled heaters at the bottom of the tank. A coiled heat exchanger (HX) is immersed in the sample tank water to heat up the sample fluid to approximately 125°F prior to entering the sampling annulus. A neutron detector is located in the sample annulus. The coolant sample flows around the neutron detector.

A neutron source is located outside the sample annulus (Figure 7.7-12). The reactor coolant sample enters the top of the tank, flows through the HX and into the bottom of the sample annulus. The sample continues upward past the neutron detector, out of the top of the tank through flow switches, and returns to the CVCS. Two parallel input and two parallel output ports with valves are provided, one pair for sample input and output and one pair for test input and test and grab sample output. The arrangement provides the capability for flushing, calibration, and removal of grab samples.

High flow, low flow, and high tank top temperature are displayed at the control panel. Both sample water temperature and tank water temperature are indicated on the control panel.

In addition to providing for coolant sample temperature control, the tank water serves as moderator and shielding for the neutron source. The volume of water in the tank provides sufficient shielding to limit the radiation levels from a 3.88-Ci neutron source to less than 2 mR/hr at 24 in. from tank surfaces. In the event of a complete loss of water shielding, the radiation levels would rise to approximately 3.15 mR/hr due to gamma and 20 mR/hr due to neutrons at 24 in. from all tank surfaces. The measurement unit is designed so that tank connections are at the top to eliminate the possibility of loss of water shielding through accidental leakage. In addition, a water level device is provided to signal a low water level in the tank. A light on the control panel is lit when the water level device senses a low level.

7.7.1.10.2 Electronic Console:

The electronic console unit is a standard instrument cabinet containing the electronic circuitry and equipment for processing the information received from the measurement unit and for displaying the boron concentration measurement. The control panel is located behind the protective door on the console.

A block-type schematic diagram of the system is shown on Figure 7.7-10. The low-level signal from the neutron detector is input to a preamplifier. The output of the preamplifier is coupled to a discriminator which eliminates noise and gamma pulses by pulse height discrimination. The discriminator is followed by a pulse amplifier which drives the logic circuitry of the boron analyzer time unit. This unit measures the count rate for a statistically meaningful period of time and converts the count rate to ppm boron. The output signal from the boron analyzer time unit is transmitted to local and remote (at the main control room) digital display where the signal is continuously displayed until a new value is measured and transmitted. The BCMS also has provisions for transmittal of data to the plant computer.
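The count-rate-to-ppm conversion and the meaning of a "statistically meaningful period of time" can be illustrated as follows. This is an added example, not the BCMS algorithm or vendor code: the calibration points are constructed, the inverse-count-rate relation is treated as exactly linear, Poisson counting statistics are assumed, and all function names are hypothetical.

```python
import math

# Constructed calibration data: (known ppm boron, detector counts, counting time in s).
CAL_POINTS = [(0, 120000, 60), (1000, 60000, 60), (2000, 40000, 60), (3000, 30000, 60)]
PPM_RANGE = (0.0, 3500.0)   # operating range of boron concentration stated in the text


def fit_calibration(points):
    """Least-squares fit of 1/rate = a + b * ppm; returns (a, b)."""
    xs = [float(ppm) for ppm, _, _ in points]
    ys = [seconds / counts for _, counts, seconds in points]   # inverse count rate
    n = len(points)
    mean_x = sum(xs) / n
    mean_y = sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    if sxx == 0:
        raise ValueError("calibration needs at least two distinct concentrations")
    b = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys)) / sxx
    a = mean_y - b * mean_x
    return a, b


def ppm_from_counts(counts, seconds, a, b):
    """Convert one counting interval to (ppm, one-sigma in ppm, in_range)."""
    if counts <= 0 or seconds <= 0:
        # An empty interval cannot be inverted; treat it as an instrument fault.
        raise ValueError("no counts recorded: cannot form an inverse count rate")
    inv_rate = seconds / counts
    ppm = (inv_rate - a) / b
    # Poisson counting: the relative error of the rate, and of 1/rate, is 1/sqrt(counts).
    sigma = inv_rate / math.sqrt(counts) / abs(b)
    in_range = PPM_RANGE[0] - 3 * sigma <= ppm <= PPM_RANGE[1] + 3 * sigma
    return ppm, sigma, in_range


def counting_time_for(sigma_ppm, rate, b):
    """Seconds of counting needed at a given count rate for a target one-sigma in ppm."""
    # sigma = 1 / (b * rate**1.5 * sqrt(t)), solved for t.
    return 1.0 / (b ** 2 * rate ** 3 * sigma_ppm ** 2)


if __name__ == "__main__":
    a, b = fit_calibration(CAL_POINTS)
    for counts, seconds in [(48000, 60), (192000, 240), (10000, 60)]:
        ppm, sigma, ok = ppm_from_counts(counts, seconds, a, b)
        flag = "" if ok else "  <- outside 0-3,500 ppm, check instrument"
        print(f"{counts} counts / {seconds} s -> {ppm:.0f} +/- {sigma:.1f} ppm{flag}")
    print(f"time for +/-5 ppm at 800 counts/s: {counting_time_for(5.0, 800.0, b):.0f} s")
```

With these constructed numbers, counting four times longer halves the statistical uncertainty, which is why the displayed value is only refreshed after a full counting period.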

The BCMS is designed as an advisory system. It is not designed as a safeguards system or component of a safeguards system. The BCMS is not part of a control element or control system, nor is it designed for this use. No credit is taken for this system in any accident analysis. Therefore, redundancies of measurement components, self-checking subsystems, malfunction annunciations, and diagnostic circuitry are not included in this system. As a general operating aid, it provides information as to when additional check analyses are warranted rather than a basis for fundamental operating decisions.

7.7.1.10.3 BCMS Summary:

The BCMS measures the neutron absorption characteristics of the reactor coolant, which is directly related to the concentration of natural boron that would produce the same absorption characteristic. The system reports the measurement in terms of ppm total natural boron. Accurate measurement of the boron "worth," in terms of natural boron in the reactor coolant, is therefore provided irrespective of the Boron-10/total boron ratio which exists. During operations, the boron concentration varies between 0 and 3,500 ppm. The BCMS accuracy curve for that range is shown on Figure 7.7-13. This curve presumes sufficient reading to eliminate statistical errors, etc.

The BCMS provides on-line monitoring of the reactor coolant concentration. Therefore, boron concentration in the reactor coolant can be monitored as adjustments are being made. Further, the plant operators can monitor boron concentration directly; there is no time lapse or personnel requirement for collection and laboratory analysis of a reactor coolant sample, nor is there any waste material to be processed.

Limited device monitoring is provided to prevent system damage due to heater malfunction. If the heater fails in the OFF position, the water in the shield tank will return to room temperature. If the malfunction occurs in the ON position, the shield water temperature will rise. If no corrective action is taken, the water level will drop due to evaporation. A local high-temperature alarm and low water level alarm are provided to indicate this condition. A local temperature display is also provided. If no corrective action is taken, the water will continue to evaporate and the heater element will be exposed to air, resulting in damage to the heater. Holes are provided in the top cover to allow for evaporation, thereby eliminating the expansion problem and allowing for additional water to be added, if needed. The abnormal reactor coolant sample temperature would cause erroneous boron concentration readings. Erroneous readings would be detected by the operator, as boron concentration changes would affect reactivity control, and changes in reactivity would be indicated on other instruments.

The output of the neutron detector is coupled to a preamplifier in the electronic console. The electronics console is located in close proximity to the tank to keep the detector cable short and minimize electrical noise.

System characteristics are listed in Table 7.7-2.

7.7.2 Analysis

The plant control systems are designed to assure high reliability during any anticipated operational occurrences, in conformance with General Design Criterion (GDC) 13. Equipment used in these systems is designed and constructed with a high level of reliability.

Proper positioning of the control rods is monitored in the control room by bank arrangements of the individual position columns for each RCCA. A rod deviation alarm alerts the operator of a deviation of one RCCA from the other rods in that bank position. There are also insertion limit monitors with visual and audible annunciation. A rod bottom alarm signal is provided to the control room for each RCCA. Four excore long ion chambers also detect asymmetrical flux distribution, which is indicative of rod misalignment.

Overall reactivity control is achieved by the combination of soluble boron and RCCAs. Long-term regulation of core reactivity is accomplished by adjusting the concentration of boric acid in the reactor coolant. Short-term reactivity control for power changes is accomplished by the Rod Control System, which automatically moves RCCAs and uses input signals including neutron flux, coolant temperature, and turbine load.

The axial core power distribution is automatically controlled by fluctuation in RCS boron concentration. Increasing boron concentration causes the control rods to move out of the core, thereby reducing the amount of power in the bottom of the core and redistributing power toward the top. Conversely, reducing boron concentration causes the control rods to move into the core, thereby reducing the amount of power in the top and redistributing power toward the bottom.

The plant control systems prevent an undesirable condition in the operation of the plant that, if reached, will be protected by reactor trip. The description and analysis of this protection are covered in Section 7.2. Worst-case failure modes of the plant control systems are postulated in the analysis of off-design operational transients and accidents covered in Chapter 15, such as the following:

1. Uncontrolled RCCA withdrawal from a subcritical condition
2. Uncontrolled RCCA withdrawal at power
3. RCCA misalignment
4. Loss of external electrical load and/or turbine trip
5. Loss of offsite power to the station auxiliaries
6. Excessive heat removal due to FW System malfunctions
7. Excessive load increase incident
8. Accidental depressurization of the RCS

These analyses show that a reactor trip setpoint is reached in time to protect the health and safety of the public under those postulated incidents and that the associated coolant temperatures do not result in a violation of the DNB limit. Thus, there is no cladding damage and no release of fission products to the RCS under the assumption of these postulated worst-case failure modes of the plant control systems.

7.7.2.1 Separation of Protection and Control System.

In some cases, it is advantageous to employ control signals derived from individual protection channels through isolation amplifiers contained in the protection channel. As such, a failure in the control circuitry does not adversely affect the protection channel, in conformance with GDC 24. Test results have shown that a short circuit or the application (credible fault voltage from within the cabinets) of 118 vac or 140 vdc on the isolated output portion of the circuit (nonprotection side of the circuit) does not affect the input (protection) side of the circuit.

Where a single random failure can cause a control system action that results in a generating station condition requiring protective action and can also prevent proper action of a protection system channel designed to protect against the condition, the remaining redundant protection channels are capable of providing the protective action even when degraded by a second random failure. This meets the applicable requirements of Section 4.7 of Institute of Electrical and Electronic Engineers (IEEE) 279-1971.

7.7.2.2 Response Consideration of Reactivity.

Reactor shutdown with control rods is completely independent of the control functions since the trip breakers interrupt power to the CRDMs, regardless of existing control signals. The design is such that the system can withstand accidental withdrawal of control groups or unplanned dilution of soluble boron without exceeding acceptable fuel design limits. The design meets the requirements of GDC 25.

No single electrical or mechanical failure in the Rod Control System could cause the accidental withdrawal of a single RCCA from the partially inserted bank at full-power operation. The operator could deliberately withdraw a single RCCA in the control bank; this feature is necessary in order to retrieve a rod, should one be accidentally dropped. In the extremely unlikely event of simultaneous electrical failures which could result in a single RCCA withdrawal, rod deviation would be displayed on the plant annunciator, and the individual rod position readouts would indicate the relative positions of the rods in the bank. Withdrawal of a single RCCA by operator action, whether deliberate or by a combination of errors, would result in activation of the same alarm and the same visual indications.

Each bank of control and shutdown rods in the system is divided into one or two groups (group 1 and group 2) of up to four mechanisms each. The rods constituting a group operate in parallel through multiplexing thyristors. The two groups in a bank move sequentially so that the first group is always within one step of the second group in the bank. The group 1 and group 2 power circuits are installed in different cabinets, as shown on Figure 7.7-14, which also shows that one group is always within one step (5/8-in.) of the other group. A definite schedule of actuation or deactuation of the stationary gripper, movable gripper, and lift coils of a mechanism is required to withdraw the RCCA attached to the mechanism. Since the four stationary gripper, movable gripper, and lift coils associated with the RCCAs of a rod group are driven in parallel, any single failure which could cause rod withdrawal would affect a minimum of one group of RCCAs. Mechanical failures are in the direction of insertion or immobility.

Figure 7.7-15 is a diagram of the design features that assure that no single electrical failure could cause the accidental withdrawal of a single RCCA from the partially inserted bank at full-power operation. Figure 7.7-15 shows the typical parallel connections on the lift, movable gripper, and stationary gripper coils for a group of rods. Since single failures in the stationary or movable circuits will result in dropping or preventing rod (or rods) motion, the discussion of single failure will be addressed to the lift coil circuits, as follows:

1. Due to the method of wiring the pulse transformers which fire the lift coil multiplex thyristors, three of the four thyristors in a rod group could remain turned off when required to fire, if, for example, the gate signal lead failed open at point X1. Upon UP demand, one rod in group 1, and four rods in group 2 would withdraw. A second failure at point X2 in the group 2 circuit is required to withdraw one RCCA.

2. Timing circuit failures would affect the four mechanisms of a group or the eight mechanisms of the bank and would not cause a single rod withdrawal.
3. More than two simultaneous component failures are required (other than the open wire failures) to allow withdrawal of a single rod.

The identified multiple failure involving the least number of components consists of open circuit failure of the proper 2 out of 16 wires connected to the gate of the lift coil thyristors. The probability of open wire (or terminal) failure is 0.016 × 10⁻⁶ per hour by MIL-HDB-217A. These wire failures would have to be accompanied by failure, or disregard, of the indications mentioned above. The probability of this occurrence is therefore too low to be significant.

To erroneously withdraw a single RCCA, the operator would have to improperly set the bank selector switch, the lift coil disconnect switches, and the rod control switch. In addition, the three indications would have to be disregarded or ineffective. Such a series of errors would require a complete lack of understanding and administrative control. A probability number cannot be assigned to a series of errors such as this.

The Rod Position Indication System provides direct visual display of each RCCA position. The plant computer alarms for deviation of rods from their banks. In addition, a rod insertion limit monitor provides an audible and visual alarm to warn the operator of an approach to an abnormal condition due to dilution. The low-low insertion limit alarm alerts the operator to follow emergency boration procedures. The facility reactivity control systems are such that acceptable fuel damage limits will not be exceeded even in the event of a single malfunction of either system.

An important feature of the Rod Control System is that insertion is provided by gravity fall of the rods. In all analyses involving reactor trip, the single highest worth RCCA is postulated to remain untripped in its full-out position.

One means of detecting a stuck RCCA is available from the actual rod position information displayed on the control board. The control board position readouts, one for each rod, give the plant operator the actual position of the rod in steps. The indications are grouped by banks (e.g., control bank A, control bank B, etc.) to indicate to the operator the deviation of one rod with respect to other rods in a bank. This serves as a means to identify rod deviation.

The plant computer monitors the actual position of all rods. Should a rod be misaligned from the other rods in that bank by more than 15 in., the rod deviation alarm is actuated.
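The rod deviation check described above can be sketched as follows. This is an added example, not the plant computer's logic: comparing each rod against the median of the other rods in its bank, the handling of lost position signals, the function name and the sample positions are all assumptions; the 15 in. limit and the 5/8 in. step length are the values given in the text.

```python
from statistics import median

STEP_IN = 5.0 / 8.0         # rod travel per step, inches (from the text)
DEVIATION_LIMIT_IN = 15.0   # rod deviation alarm threshold, inches (from the text)

# Constructed rod positions in steps; bank contents and rod names are made up.
SAMPLE_BANKS = {
    "control bank B": {"B1": 150, "B2": 150, "B3": 150, "B4": 126},   # 24 steps low
    "control bank C": {"C1": 228, "C2": 228, "C3": None, "C4": 228},  # lost signal
    "control bank D": {"D1": 200, "D2": 200, "D3": 200, "D4": 175},   # 25 steps low
}


def rod_deviation_alarms(banks):
    """Return sorted (bank, rod, reason, deviation_in) tuples for rods needing attention.

    banks maps bank name -> {rod id: position in steps, or None if the reading is lost}.
    deviation_in is None when no deviation could be computed.
    """
    alarms = []
    for bank, rods in banks.items():
        valid = {rod: steps for rod, steps in rods.items() if steps is not None}
        for rod in rods:
            if rod not in valid:
                # A missing reading is reported, never silently treated as aligned.
                alarms.append((bank, rod, "no position signal", None))
                continue
            others = [steps for other, steps in valid.items() if other != rod]
            if not others:
                alarms.append((bank, rod, "no other rod to compare against", None))
                continue
            # The median of the *other* rods keeps one stray rod from
            # shifting the reference for its aligned neighbours.
            deviation_in = abs(valid[rod] - median(others)) * STEP_IN
            if deviation_in > DEVIATION_LIMIT_IN:
                alarms.append((bank, rod, "deviation", deviation_in))
    return sorted(alarms, key=lambda alarm: alarm[:2])


if __name__ == "__main__":
    for bank, rod, reason, deviation in rod_deviation_alarms(SAMPLE_BANKS):
        detail = "" if deviation is None else f" ({deviation:.3f} in.)"
        print(f"{bank} / {rod}: {reason}{detail}")
```

Rod B4 sits exactly 15 in. from its bank and does not alarm, because the criterion is "more than 15 in."; rod D4, one step further out, does.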

Misaligned RCCAs are also detected and alarmed in the control room via the Flux Tilt Monitoring System, which is independent of the plant computer.

Isolated signals derived from the NIS are compared with one another to determine if a preset amount of deviation of average power level has occurred. Should such a deviation occur, the comparator output operates a bistable unit to actuate a control board annunciator. This alarm alerts the operator to a power imbalance caused by a misaligned rod. By use of individual rod position readouts, the operator can determine the deviating control rod and take corrective action. The design of the Plant Control System meets the requirements of GDC 23.

Refer to Section 4.3 for additional information on response considerations due to reactivity.

7.7.2.3 Step Load Changes Without Steam Dump.

The Plant Control System restores equilibrium conditions, without a trip, following ~10 percent step change in load demand, over the 15 to 100 percent power range for automatic control. Steam dump is blocked for load decrease less than or equal to 10 percent. A load demand greater than full power is prohibited by the turbine control load limit devices.

The Plant Control System minimizes the reactor coolant average temperature deviation during the transient within a given value and restores average temperature to the programmed setpoint.

Excessive pressurizer pressure variations are prevented by using spray and heaters and PORVs in the pressurizer.

The Control System must limit nuclear power overshoot to acceptable values following a 10 percent increase in load to 100 percent.

7.7.2.4 Loading and Unloading.

Ramp loading and unloading of 5 percent per minute can be accepted over the 15 to 100 percent power range under automatic control without tripping the plant. The function of the control system is to maintain the coolant average temperature as a function of turbine generator load.

The coolant average temperature increases during loading and causes a continuous insurge to the pressurizer as a result of coolant expansion. The sprays limit the resulting pressure increase.

Conversely, as the coolant average temperature is decreasing during unloading, there is a continuous outsurge from the pressurizer resulting from coolant contraction. The pressurizer heaters limit the resulting system pressure decrease. The pressurizer water level is programmed so that the water level is above the setpoint for heater cutout during the loading and unloading transients. The primary concern during loading is to limit the overshoot in nuclear power and to provide sufficient margin in the over-temperature setpoint. The automatic load controls are designed to adjust the unit generation to match load requirements within the limits of the unit capability and licensed rating.

During rapid loading transients, a drop in reactor coolant temperature is sometimes used to increase core power. This mode of operation is applied when the control rods are not inserted deep enough into the core at the beginning of the transient to supply all the reactivity requirements of the rapid load increase (the Boron Control System is relatively ineffective for rapid power changes). The reduction in temperature is initiated by continued turbine loading past the point where the control rods are completely withdrawn from the core. The temperature drop is recovered and nominal conditions restored by a boron dilution operation.

Excessive drops in coolant temperature are prevented by interlock C-17. This interlock circuit monitors the auctioneered (lowest) coolant average temperature indications and the programmed reference temperature, which is a function of turbine impulse pressure, and causes a turbine loading stop when the temperature difference reaches the setpoint.

The core axial power distribution is controlled during the reduced temperature return to power by the operator as necessary, to ensure compliance with the plant Technical Specifications.

7.7.2.5 Load Rejection Furnished By Steam Dump Control System.

When a load rejection occurs, if the difference between the required temperature setpoint of the RCS and the actual average temperature exceeds a predetermined amount, a signal actuates steam dump to maintain the RCS temperature within the control range until a new equilibrium condition is reached.

The reactor power is reduced at a rate consistent with the capability of the Rod Control System.

Reduction of the reactor power is automatic. The steam dump flow reduction is as fast as RCCAs are capable of inserting negative reactivity.

The Rod Control System can then reduce the reactor temperature to a new equilibrium value without causing overtemperature and/or overpressure conditions. The steam dump steam flow capacity is 40 percent of full load steam flow at full load steam pressure.

The steam dump flow reduces proportionally as the control rods act to reduce the average coolant temperature. The artificial load is therefore removed as the coolant average temperature is restored to its programmed equilibrium value.

The bypass valves are modulated by the reactor coolant average temperature signal. The required number of turbine bypass valves can be tripped quickly to stroke full-open or modulate, depending upon the magnitude of the temperature error signal resulting from loss of load.

7.7.2.6 Turbine Generator Trip With Reactor Trip.

Whenever the turbine generator unit trips at an operating power level above 50 percent power, the reactor is also tripped. The unit is operated with a programmed average temperature as a function of load, with the full-load average temperature significantly greater than the equivalent saturation pressure of the SG safety valve setpoint. The thermal capacity of the RCS is greater than that of the secondary system, and because the full load average temperature is greater than the no-load temperature, a heat sink is required to remove heat stored in the reactor coolant to prevent lifting of SG safety valves for a trip from full power. This heat sink is provided by the combination of controlled release of steam to the condenser and by makeup of FW to the SGs.

The Steam Dump Control System is controlled from the reactor coolant average temperature signal, whose setpoint values are programmed as a function of turbine load. Actuation of the steam dump is rapid to prevent lifting of the SG safety valves. With the bypass valves open, the average coolant temperature starts to reduce quickly to the no-load setpoint. A direct feedback of temperature acts to proportionally close the valves to minimize the total amount of steam which is bypassed.

Following the reactor trip, the main FW system is isolated when the average coolant temperature decreases below a given temperature or when the SG water level reaches a given high level.

Additional FW makeup is then provided by the Auxiliary Feedwater System and is controlled manually to restore and maintain SG water level while assuring that the reactor coolant temperature is at the desired value. Residual heat removal is maintained by the steam header pressure controller (manually selected), which controls the amount of steam flow to the condensers. This controller operates a portion of the same turbine bypass valves to the condensers which are used during the initial transient following turbine and reactor trip.

Pressurizer pressure and water level fall rapidly during the transient because of coolant contraction. Pressurizer water level is programmed so that the level is maintained above the heaters following the turbine reactor trip. However, if the heaters become uncovered following the trip, the CVCS provides full charging flow to restore water level in the pressurizer. Heaters are then turned on to restore pressurizer pressure to normal. The Steam Dump and FW Control Systems are designed to prevent the average coolant temperature from falling below the programmed no-load temperature following the trip to ensure adequate reactivity shutdown margin.

REFERENCES Section 7.7:

7.7-1 Lipchak, J. B. and R. A. Stokes, "Nuclear Instrumentation System", WCAP-8255 (January 1974).

7.7-2 Shopsky, W. E., "Failure Modes and Effects (FMEA) of the Solid State Full Length Rod Control System", WCAP-8976 (1977).

7.7-3 Letter G. W. Knighton to J. H. Goldberg dated July 19, 1985.

7.7-4 ST-HL-AE-1339 dated February 3, 1986.

7.7-5 ST-HL-AE-1696 dated June 27, 1986.

7.7-6 ST-HL-AE-1842 dated December 19, 1986.

7.7-7 NS-NRC-87-3223 dated May 15, 1987.

7.7-8 ST-HL-AE-2161 dated May 20, 1986.

7.7-9 ST-HL-AE-2223 dated June 8, 1987.

7.7-10 ST-HL-AE-2458 dated January 5, 1988.

7.7-11 ST-HL-AE-2490 dated February 3, 1988.

7.7-12 ST-HL-AE-2832 dated November 1, 1988.

7.7-13 ST-HL-AE-3780 dated July 25, 1991 CN-3176

TABLE 7.7-1 PLANT CONTROL SYSTEM INTERLOCKS

| Designation | Derivation | Function |
|---|---|---|
| C-1 | 1/2 Neutron flux (intermediate range) above setpoint | Blocks automatic and manual control rod withdrawal |
| C-2 | 1/4 Neutron flux (power range) above setpoint | Blocks automatic and manual control rod withdrawal |
| C-3 | 2/4 Overtemperature above setpoint | Blocks automatic and manual control rod withdrawal |
| C-4 | 2/4 Overpower above setpoint | Blocks automatic and manual control rod withdrawal |
| C-5 | 1/1 Turbine impulse chamber pressure below setpoint | Blocks automatic control rod withdrawal |
| C-7 | 1/1 Time derivative (absolute value) of turbine impulse chamber pressure (decrease only) above setpoint | Makes turbine bypass valves available for either tripping or modulation |
| C-8 | Turbine trip (2/3 turbine emergency trip fluid pressures below setpoint, or 2/4 turbine stop valves closed) | Blocks steam dump control via load rejection avg T controller. Makes turbine bypass valves available for either tripping or modulation. Absence of C-8 signal blocks steam dump control via turbine trip avg T controller |
| C-9 | Presence of C-9: 2/3 condenser pressures below setpoint and 1/4 circulating water pump breakers closed | Presence of C-9 allows steam dump to condenser |
| | Absence of C-9: 2/3 condenser pressures above setpoint or all 4 circulating water pump breakers open | Absence of C-9 blocks steam dump to condenser |
| C-11 | 1/1 Bank D control rod position above setpoint | Blocks automatic rod withdrawal |
| C-17 | Difference between avg T auctioneered and ref T above setpoint | Stops automatic turbine loading until condition clears |
| C-20* | Two-of-two turbine impulse chamber pressures above setpoint | Arms AMSAC; below setpoint, blocks AMSAC (generated in AMSAC; see Section 7.8) |

* ATWS Mitigation System Actuation Circuitry (AMSAC) is not part of the plant control system, but is a control-grade system.

TABLE 7.7-2 BORON CONCENTRATION MEASUREMENT SYSTEM SPECIFICATIONS

Operating Conditions

Line voltage: 120 vac 10 percent, 60 Hz 1 percent
Heater voltage: 480 vac
Pressure: 15 to 225 psig (sample)
Temperature: 70 to 140 F (sample)
Sample flowrate: 0.025 to 0.5 gal/min
Ambient temperature: 32 to 120 F
Relative humidity: 15 to 95 percent
Radiation levels: less than 11 mR/hr at all tank surfaces
Reading time: variable depending on boron concentration, 4 minutes maximum at 3,000 ppm

Accuracy

| Boron ppm parts of water | Standard deviation |
|---|---|
| 0 - 1,800 ppm | 10 ppm |
| 1,800 - 5,000 ppm | 1.25 percent |

Drift: less than 2 ppm/week

7.8 ATWS MITIGATION SYSTEM ACTUATION CIRCUITRY

7.8.1 Description

7.8.1.1 System Description. The ATWS (Anticipated Transient Without Scram) Mitigation System Actuation Circuitry (AMSAC) provides a backup to the Reactor Trip System (RTS) and Engineered Safety Feature Actuation System (ESFAS) for initiating turbine trip and auxiliary feedwater flow in the event of an anticipated transient without scram. The design of the AMSAC is based upon the limiting AMSAC event, a complete loss of main feedwater without an ensuing reactor trip, as described in Reference 7.8-1. The AMSAC is independent of and diverse from the RTS and the ESFAS with the exception of the analog inputs, steam generator reference leg temperature compensation circuitry, and the final actuation devices, and is classified as control-grade equipment. It is a highly reliable, microprocessor-based, single-train system powered by a non-Class 1E source.

The AMSAC continuously monitors steam generator narrow range level, which is an anticipatory indication of a loss of heat sink, and initiates certain functions when the level drops below a predetermined setpoint and remains below this setpoint for longer than a predetermined time delay in three of the four steam generators. These functions are the tripping of the turbine, the initiation of auxiliary feedwater (AFW), isolation of the steam generator (SG) blowdown lines, and isolation of the SG sample lines.

The AMSAC is designed to be highly reliable, resistant to inadvertent actuation, and easily maintained. Reliability is assured through the use of internal redundancy and continual self-testing by the system. Inadvertent actuations are minimized through the use of internal redundancy and majority voting at the output stage of the system. The time delay on low steam generator level and the coincidence logic used also minimize inadvertent actuations. The AMSAC is armed automatically, allowing it to perform its actuations whenever reactor power exceeds a preselected power level, determined using turbine impulse chamber pressure. AMSAC remains armed sufficiently long after turbine impulse pressure drops below the setpoint to ensure that its functions will be performed in the event of a turbine trip.

7.8.1.1.1 Equipment Description

The AMSAC consists of a single train of equipment located in the control-grade cabinet of the Qualified Display Processing System (QDPS). With the exception of the common (non-Class 1E) AC cabinet power supply, the AMSAC is independent of the QDPS. The QDPS is described in detail in Section 7.5.6.

The design of the AMSAC is based upon the industry standard Intel Multibus format, which permits the use of various readily available, widely used microprocessor cards on a common data bus for various functions. This system uses INTEL 8086 microprocessors.

Steam generator level input signals are provided by four dedicated differential pressure-type level transmitters, one from each steam generator. These signals are conditioned by reference leg temperature compensation circuitry.

The AMSAC is housed in the control-grade cabinet (Remote Processing Unit N) of the QDPS. The system hardware consists of two primary systems: the Actuation Logic System (ALS) and the Test/Maintenance System (T/MS). A simplified block diagram of the AMSAC architecture is presented in Figure 7.8-1.

Actuation Logic System

The ALS monitors the analog and digital inputs, performs the functional logic required, provides actuation outputs to trip the turbine and initiate AFW flow, and provides status information to the T/MS. The ALS consists of three groups of input/output (I/O) modules, three actuation logic processors (ALPs), one majority voting module, and one output relay panel. The I/O modules provide signal conditioning, isolation, and test features for interfacing the ALS and T/MS.

Conditioned signals are sent to three identical ALPs for analog-to-digital conversion, setpoint comparison, and coincidence logic performance. Each of the ALPs performs identical logic calculations using the same inputs and derives component actuation demands, which are then sent to the majority voting module. The majority voting module performs a two-out-of-three vote on the ALP demand signals. This module drives the relays providing outputs to the existing turbine trip and auxiliary feedwater initiation component circuits.

The ALS is designed such that a single failure of an input channel, ALP majority voting module component, or output relay shall neither actuate nor prevent actuation of the diverse turbine trip and AFW start. The ALS is designed to operate on the energize-to-actuate principle. On loss of power to AMSAC or failure of an integral power supply, the system outputs will not actuate.

Test/Maintenance System

The T/MS consists of a test/maintenance processor, a digital-to-analog conversion board, a memory board, expansion boards, a self-health board, digital output modules, a test/maintenance panel, and a portable terminal/printer.

The T/MS provides the AMSAC with automated and manual testing as well as a maintenance mode. Automated testing is the continuously performed self-checking done by the system during normal operation. ALP status is monitored by the T/MS and sent to the Emergency Response Facilities Data Acquisition and Display System (ERFDADS, refer to Section 7.5.7) and the plant annunciator. Manual testing of the system by the maintenance staff can be performed on-line to provide assurance that the ALP system is fully operational. The maintenance mode permits the maintenance staff, under administrative control, to modify channel setpoints, bypass status and calibration values, and initiate channel calibration.

The output relay panel provides component actuation signals to separately mounted isolation relays, which provide output contacts for initiation of auxiliary feedwater and for turbine trip. AMSAC utilizes existing component final actuation devices.

7.8.1.1.2 Functional Performance Requirements: Analyses have shown that the most limiting ATWS is a loss of FW event without a reactor trip. The AMSAC automatically initiates AFW flow, trips the turbine, and isolates SG blowdown and sampling lines:

To ensure a secondary heat sink following an anticipated transient (ANS Condition II) without a reactor trip

To limit core damage following an anticipated transient without a reactor trip

To ensure that the energy generated in the core is compatible with the design limits to protect the reactor coolant pressure boundary by maintaining the reactor coolant pressure to within ASME Stress Level C

7.8.1.1.3 AMSAC Interlocks

A single interlock, designated as C-20, is provided to allow for the automatic arming and blocking of the AMSAC. The system is blocked at reactor power levels below which the actions taken by the AMSAC following an ATWS need not be automatically initiated. Turbine impulse chamber pressure in a two-out-of-two logic scheme is used for this permissive; both turbine impulse chamber pressures above the setpoint will automatically arm the AMSAC. Either turbine impulse pressure signal dropping below this setpoint will automatically block the AMSAC following a preset time delay. This time delay is set to avoid blocking AMSAC before it can perform its functions in the event a turbine trip occurs. The operating status of the AMSAC is displayed on the main control board. (See Figure 7.2-17 for the functional logic diagram showing development of this interlock.)

A separate time delay on the low steam generator level three-out-of-four (3/4) logic signal is provided to allow the reactor protection system to gene rate a protective signal before AMSAC actuation occurs. (Ref. 7.8-3 for further explanation and Figure 7.8-2 for a logic diagram showing development of this time delay function.)

7.8.1.1.4 Steam Generator Level Sensor Arrangement: Steam Generator level for each SG is determined by a differential pressure-type transmitter. These steam generator level transmitters provide input to the AMSAC after they are conditioned to provide a temperature compensated signal.

7.8.1.1.5 Trip System: The steam generator level analog inputs are used by the AMSAC to determine trip demand. Signal conditioning, engineering unit conversion, and digitization are performed on the transmitter outputs and used by each of the ALPs to derive a component actuation demand. If three of the four steam generators have a low level and the reactor power level is greater than the C-20 permissive, then a trip demand signal is generated. This signal drives output relays for performing the necessary mitigative actions. (See Figure 7.2-7 for the functional logic diagram showing development of the trip demand signal and Figures 7.2-16 and 7.2-17 for the functional logic diagram showing the trip demand signal interface with the final actuation device logic.)

7.8.1.1.6 Isolation Devices: With the exception of common final actuation drives, AMSAC is maintained independently of the RTS and ESFAS with the following three exceptions.

The analog inputs to AMSAC are provided by Steam Generator Narrow Range (SGNR) level signals that are corrected for changes in transmitter reference leg temperature. The same SGNR level signals are inputs to the RTS and ESFAS. Isolation amplifiers located in the analog protection racks provide isolation of the AMSAC circuitry from the RTS/ESFAS.

Isolation of the nonsafety-related AMSAC from the RTS and ESFAS is provided through use of MDR isolation relays in isolation relay cabinets. A credible fault occurring in the nonsafety-related AMSAC will not propagate through and degrade the RTS and ESFAS. A postulated failure of the isolation relays will not prevent occurrence of a reactor trip when it is required. Isolation between the nonsafety-related remote processing unit (RPU N) and the remainder of the safety-related QDPS is not impacted by the addition of AMSAC to RPU N.

Turbine impulse chamber pressure inputs to AMSAC are obtained through the isolation amplifiers located in the analog protection racks.

7.8.1.1.7 AMSAC Diversity from the Reactor Protection Systems: Equipment diverse from the RTS and ESFAS is used in the AMSAC to prevent common mode failures that might affect the AMSAC and the RTS or ESFAS. The AMSAC is a digital, microprocessor-based system with the exception of the analog steam generator level transmitter inputs. Except for the analog inputs, steam generator reference leg temperature compensation circuitry, and the final actuation circuitry for turbine trip/auxiliary feedwater, AMSAC equipment is diverse from the RTS/ESFAS systems, both in design type and manufacture.

Both the ESFAS and AMSAC initiate AFW. Diversity is provided by the different systems used to accomplish required logic and to develop the actuation signals.

Equipment similarity between the circuits that initiate AFW does not negate the ability of the plant systems to mitigate the consequences of postulated common mode failures in the actuation circuits.

A postulated common mode failure of identical components in the analog portion of the RTS that results in the inability to generate a reactor trip signal will not impact the ability of the digital AMSAC to generate the necessary mitigative actuations. Similarly, a postulated common mode failure affecting similar components in the digital QDPS portion of the ESFAS, affecting its ability to initiate AFW, and the same components in the AMSAC would impact the ability to automatically initiate AFW but not the ability of the RTS to generate a reactor trip signal.

Portions of the QDPS that accomplish reference leg temperature compensation for the steam generator narrow range level signals are common to AMSAC and RTS/ESFAS systems. Per Reference 7.8-3, "Equipment diversity to the extent reasonable and practicable to minimize the potential for common cause failures is required from the sensors output to, but not including, the final actuation device...". Reference 7.8-3 further states that "The narrow range steam generator water level delta p AMSAC signals shall have a trip accuracy [equal to that of the steam generator water level delta p signals used in the reactor protection system.]" Since the steam generator narrow range level signals (sensor outputs) to RTS/ESFAS are corrected for reference leg temperature variation at STPEGS, and to meet AMSAC accuracy requirements, equivalent analog inputs must be used for AMSAC. Therefore, for the purpose of diversity requirements, the 'sensor output' is taken to be the temperature compensated sensor output. This provides the required sensor output accuracy and reasonable diversity in that it would be impractical to provide a separate, diverse reference leg temperature compensation system for the AMSAC analog inputs.

7.8.1.1.8 Power Supply and Environmental Variations

The AMSAC power supply is the battery-backed non-Class 1E vital bus supplying QDPS RPU N. The cabinet and all other AMSAC equipment are located in controlled environments such that variations in the ambient conditions are minimized. No AMSAC equipment is located inside the Containment.

7.8.1.1.9 Setpoints: The AMSAC makes use of two setpoints in the coincidence logic in order to determine if mitigative functions are required. One steam generator level signal from each steam generator is sensed to determine if a loss of secondary heat sink is imminent. The low level setpoint is selected in such a manner that a true loss of level will be detected by the system. The normal small variations in level will not result in a spurious AMSAC signal. This low level setpoint is approximately 15 percent of steam generator narrow range level span, which is less than the RTS/ESFAS trip setpoint.

To avoid AMSAC actuation upon loss of one operating main FW pump, AMSAC actuation is delayed to allow the standby main FW pump(s) to restore required level. An additional criterion is applied: the reactor protection system should be allowed to function before AMSAC initiates AFW flow and trips the turbine.

The C-20 permissive setpoint is selected in order to be consistent with ATWS investigations showing that the mitigative actions performed by the AMSAC need not be automatically actuated below a certain power level. The maximum allowable value of the C-20 permissive setpoint is defined by these investigations. The C-20 setpoint is approximately 30 percent of equivalent turbine impulse pressure, which is intended to approximate 40 percent of nominal full reactor thermal power.

To ensure that the AMSAC remains armed long enough to permit its function in the event of a turbine trip, the C-20 permissive is maintained through a preset time delay after the turbine impulse chamber pressure drops below the arming setpoint.

The setpoints and the capability for their modification in the AMSAC are under administrative control.

7.8.1.2 Final System Drawings. The functional logic of the AMSAC is presented in Figures 7.8-2, 7.2-7, 7.2-16, and 7.2-17. Logic diagrams and electrical elementary drawings for the safety-related final actuation devices and the AMSAC interface are listed in Section 1.7.

7.8.2 Analysis

7.8.2.1 Safety Classification/Safety-Related Interface. The AMSAC is not safety-related and therefore need not meet the requirements of IEEE 279-1971. The AMSAC has been implemented such that the RTS and the ESFAS continue to meet all applicable safety-related criteria.

The AMSAC is independent of the RTS and ESFAS with the exception of the items discussed in Section 7.8.1.1.6. The isolation provided between the RTS and the AMSAC, and between the ESFAS and the AMSAC, by the isolation relay cabinets and the turbine impulse chamber pressure circuits ensures that the applicable safety-related criteria for the RTS and the ESFAS are not violated.

7.8.2.2 Redundancy. AMSAC system redundancy is not required and has not been provided. To ensure high system reliability, portions of the AMSAC have been implemented as internally redundant such that a single failure of an input channel or ALP will neither actuate nor prevent actuation of the AMSAC.

7.8.2.3 Diversity from the Existing Trip System. A discussion of the diversity between the RTS and the AMSAC and between the ESFAS and the AMSAC is presented in Section 7.8.1.1.7.

7.8.2.4 Electrical Independence. The AMSAC is electrically independent of the RTS and ESFAS from the sensors output up to the final actuation devices with the following exceptions:

the turbine impulse chamber pressure input used in the permissive logic of the AMSAC, and

the reference leg temperature compensation circuits (including transmitter inputs) for the steam generator level signals.

WCAP-8892A addresses the Westinghouse analog protection cabinet isolation, encompassing the existing isolation amplifier in the turbine impulse chamber pressure circuit (Sections 7.1.2.2.1 and 7.7.2.1). Similar isolation is provided between the safety related (RTS/ESFAS) and non-safety related (AMSAC) analog inputs from steam generator narrow range level channels. Isolation relays are provided to isolate the nonsafety AMSAC circuitry from the safety-related actuation circuits of the AFW system. These isolation relays have been tested in a manner consistent with Nuclear Regulatory Commission (NRC) requirements for Class 1E qualified isolation devices (Section 8.3.1.5).

7.8.2.5 Physical Separation from the RTS and ESFAS. Because the AMSAC is nonsafety-related, it is included in separation group N (Section 8.3.1.4). Separation criteria of Section 8.3.1.4 are used to separate the AMSAC from the safety-related circuits of the RTS, ESFAS, and safety-related components.

7.8.2.6 Environmental Qualification. Equipment related to the AMSAC is designed to operate under conditions resulting from anticipated operational occurrences for the respective equipment location. (Section 3.11).

7.8.2.7 Seismic Qualification. Seismic qualification is not required for the AMSAC. Thus, the system has been classified as non-seismic Category I.

7.8.2.8 Test, Maintenance, and Surveillance Quality Assurance. NRC Generic Letter 85-06, "Quality Assurance Guidance for ATWS Equipment That Is Not Safety-Related," requires quality assurance procedures commensurate with the nonsafety-related classification of the AMSAC. The quality controls for the AMSAC are, at a minimum, consistent with existing plant procedures or practices for nonsafety-related equipment.

Design of the AMSAC followed established procedures relating to equipment procurement, document control, and specification of system components, materials, and services. In addition, specifications also define quality assurance practices for inspections, examinations, storage, shipping, and tests as appropriate to a specific item or service.

A computer software verification program and a firmware validation program have been implemented commensurate with the nonsafety-related classification of the AMSAC to ensure that the system design requirements implemented with the use of software have been properly implemented and to ensure compliance with the system functional, performance, and interface requirements.

System testing is completed prior to the installation and operation of the AMSAC, as part of the normal factory acceptance testing and the validation program. Periodic testing is performed both automatically, through use of the system automatic self-checking capability, and manually, under administrative control via the AMSAC test/maintenance panel.

7.8.2.9 Power Supply. Power to the AMSAC is from a battery-backed, non-Class 1E vital bus independent of the power supplies for the RTS and ESFAS. The station battery supplying power to the AMSAC is independent of those used for the RTS and ESFAS. The AMSAC is an energize-to-actuate system capable of performing its mitigative functions with a loss of offsite power. The Class 1E portion of each isolation device is powered by Class 1E power.

7.8.2.10 Testability at Power. The AMSAC is testable at power. This testing is done via the system test/maintenance panel. The capability of the AMSAC to perform its mitigative actuations is bypassed at a system level while in the test mode. Total system testing is performed as a set of three sequential, partial, overlapping tests. The first of the tests checks the analog input portions of the AMSAC in order to verify accuracy. Each of the analog input modules is checked separately. The second test checks each of the ALPs to verify that the appropriate coincidence logic is sent to the majority voter. Each ALP is tested separately. The last test exercises the majority voter and the integrity of the associated output relays. The majority voter and associated output relays are tested by exercising all possible input combinations to the majority voter. The integrity of each of the output relays is checked by confirming continuity of the relay coils without operating the relays. The capability to individually operate the output relays, confirm integrity of the associated field wiring, and operate the corresponding isolation relays and final actuation devices at plant shutdown is provided.

7.8.2.11 Inadvertent Actuation. The AMSAC has been designed such that the frequency of inadvertent actuations is minimized. This high reliability is ensured through use of three redundant ALPs and a majority voting module. A single failure in any of these modules will not result in a spurious AMSAC actuation. In addition, a three-out-of-four low steam generator level coincidence logic and a predetermined actuation time delay have been selected to further minimize the potential for inadvertent actuations.

7.8.2.12 Maintenance Bypasses. The AMSAC is blocked at the system level during maintenance, repair, calibration, or test. While the system is blocked, the bypass condition is continuously indicated by the ERFDADS computer.

7.8.2.13 Operating Bypasses. The AMSAC has been designed to allow for operational bypasses with the inclusion of the C-20 permissive. Above the C-20 setpoint, the AMSAC is automatically unblocked (i.e., armed); below the setpoint, the system is automatically blocked.

Justification for the C-20 setpoint was provided by the Westinghouse owners group via Reference 7.8-2. The operating status of the AMSAC is continuously indicated in the main control room via an annunciator window and the ERFDADS computer. CN-3063

7.8.2.14 Indication of Bypasses. Whenever the mitigative capabilities of the AMSAC are bypassed or deliberately rendered inoperable, this condition is continuously indicated in the main control room. In addition to the operating bypass, any manual maintenance bypass is indicated via the AMSAC general warning sent to the ERFDADS computer.

7.8.2.15 Means for Bypassing. A system bypass selector switch permanently installed in QDPS RPU N is provided to bypass the system. This is a two-position selector switch with NORMAL and BYPASS positions. At no time is it necessary to use any temporary means, such as installing jumpers or pulling fuses, to bypass the system.

7.8.2.16 Completion of Mitigative Actions Once Initiated. The AMSAC mitigative actions go to completion as long as the coincidence logic is satisfied and the time delay requirements are met. If the level in the steam generators increases above the low level setpoint before the timer expires, then the coincidence logic will no longer be satisfied and the actuation signal disappears. If the coincidence logic conditions are maintained for the duration of the time delay, then the mitigative actions go to completion. The AFW initiation signal is latched in at the component actuating devices and the turbine trip is latched at the turbine electrohydraulic control system. Deliberate operator action is then necessary to terminate AFW flow, clear the turbine trip signal using the main control board turbine trip reset switch, and proceed with the reopening of the turbine stop valves.
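The arming, coincidence, timing and voting behaviour described in Sections 7.8.1.1.3, 7.8.1.1.5, 7.8.2.11 and 7.8.2.16, as a small Python model added here for illustration; it is not STPEGS or Westinghouse code. The two setpoints are the approximate values given in the text; both time delays, the one-second sample period, the sample plant values and the `stuck` fault-injection parameter are assumptions, since the report states no delay values.

```python
"""Illustrative model of the AMSAC logic in Section 7.8 (added example)."""

LOW_LEVEL_SETPOINT = 15.0    # % SG narrow range span ("approximately 15 percent" in the text)
C20_SETPOINT = 30.0          # % equivalent turbine impulse pressure ("approximately 30 percent")
ACTUATION_DELAY_S = 10.0     # ASSUMED placeholder: the text says only "predetermined time delay"
C20_DROPOUT_DELAY_S = 60.0   # ASSUMED placeholder: the text says only "preset time delay"


class ActuationLogicProcessor:
    """One of the three identical ALPs: C-20 permissive plus 3/4 low-level timer."""

    def __init__(self, stuck=None):
        # stuck is a hypothetical fault-injection hook: None = healthy,
        # True/False = output failed at that demand regardless of inputs.
        self.stuck = stuck
        self._armed = False
        self._below_since = None   # when an impulse pressure first fell below C-20
        self._low_since = None     # when 3/4 SG levels first went low

    def step(self, t, sg_levels, impulse_pressures):
        # C-20: both pressures above setpoint arm the system; either one
        # below setpoint blocks it, but only after the drop-out delay.
        if all(p > C20_SETPOINT for p in impulse_pressures):
            self._armed, self._below_since = True, None
        elif self._armed:
            if self._below_since is None:
                self._below_since = t
            if t - self._below_since >= C20_DROPOUT_DELAY_S:
                self._armed = False

        # 3/4 coincidence: the timer restarts whenever fewer than three
        # steam generators are below the low-level setpoint.
        low_count = sum(level < LOW_LEVEL_SETPOINT for level in sg_levels)
        if low_count >= 3:
            if self._low_since is None:
                self._low_since = t
        else:
            self._low_since = None
        timed_out = (self._low_since is not None
                     and t - self._low_since >= ACTUATION_DELAY_S)

        demand = self._armed and timed_out
        return demand if self.stuck is None else self.stuck


def majority_vote(demands):
    """Two-out-of-three vote on the ALP demand signals."""
    return sum(bool(d) for d in demands) >= 2


def scenario(duration_s, levels_at, pressures_at):
    """Build constructed one-second samples: (t, four SG levels, two pressures)."""
    return [(float(t), levels_at(t), pressures_at(t)) for t in range(duration_s + 1)]


def run_scenario(samples, stuck=(None, None, None)):
    """Return the time of the first voted actuation, or None if there is none.

    The first actuation is enough: per the text, the AFW and turbine trip
    signals latch in the downstream devices until the operator resets them.
    """
    alps = [ActuationLogicProcessor(s) for s in stuck]
    for t, levels, pressures in samples:
        if majority_vote([alp.step(t, levels, pressures) for alp in alps]):
            return t
    return None


if __name__ == "__main__":
    at_power = lambda t: (80.0, 80.0)
    loss_of_fw = scenario(30, lambda t: [50.0] * 4 if t < 5 else [5.0] * 4, at_power)
    recovered = scenario(30, lambda t: [5.0] * 4 if 5 <= t < 12 else [50.0] * 4, at_power)
    steady = scenario(30, lambda t: [50.0] * 4, at_power)
    print("loss of feedwater:", run_scenario(loss_of_fw))
    print("level recovers before timeout:", run_scenario(recovered))
    print("one ALP failed low:", run_scenario(loss_of_fw, stuck=(False, None, None)))
    print("one ALP failed high, no event:", run_scenario(steady, stuck=(True, None, None)))
```

Passing two failed processors in `stuck` shows where the single-failure claim stops holding: the voter then follows the failed pair in either direction.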

7.8.2.17 Manual Initiation. Manual initiation of AMSAC at the system level is not required. The capability to initiate AMSAC mitigative functions manually (i.e., initiate AFW, trip the turbine, and isolate SG blowdown and sampling lines) exists at the main control board.

7.8.2.18 Information Readout. The AMSAC has been designed such that the operating and maintenance staffs have accurate, complete and timely information pertinent to the status of the AMSAC. A system level general warning alarm is indicated in the control room. Diagnostic capability exists from the test/maintenance panel to determine the cause of any unanticipated inoperability or deviation.

7.8.3 Compliance with Standards and Design Criteria

The AMSAC meets the applicable requirements of 10 CFR 50.62 and the quality assurance requirements of NRC Generic Letter 85-06.

REFERENCES Section 7.8:

7.8-1 Adler, M. R., "AMSAC Generic Design Package," WCAP-10858-P-A, June 1985.

7.8-2 Adler, M. R., "AMSAC Generic Design Package," WCAP-10858-P-A, Addendum 1, February 1987, submitted by WOG letter OG-87-10, dated February 26, 1987.

7.8-3 Adler, M. R., "AMSAC Generic Design Package," WCAP-10858-P-A, Revision 1, July 1987, submitted by WOG letter OG-87-35, dated August 3, 1987.

7.8-4 NRC Regulatory Issue Summary 2005-20, "Revision to the Guidance Formerly Contained in NRC Generic Letter 91-18, Information to Licensees Regarding Two NRC Inspection Manual Sections on Resolution of Degraded and Nonconforming Conditions and on Operability," September 26, 2005.

STPEGS UFSAR 7A-1 Revision 1 8 APPENDIX 7A POST TMI REQUIREMENTS RESPONSES TO NUREG

-0737 CLARIFICATION OF TMI ACTION PLAN REQUIREMENTS INTRODUCTION This Appendix describes the compliance by the South Texas Project Electric Generating Station (STPEGS) with the "TMI Action Plan Requirements for Applicants for an Operating License" as identified in Enclosure 2 of NUREG

-0737. The item numbers contained within this Appendix correspond to the item numbers identified in NUREG

-0737. The format of each TMI Action Item response consists of the following divisions:

Position

This section consists of a statement of the Nuclear Regulatory Commission (NRC) position relative to a given item as stated in the indicated reference document. Usually this position statement is taken directly from NUREG-0737. Where the specific requirements are only referred to and are not restated in the text of NUREG-0737, reference is made to another NRC document in which the requirements were promulgated.

Clarification

This section contains a summary of clarifications to the original position as provided by the NRC.

STPEGS Response

This section provides a synopsis of the STPEGS response to each TMI Action Item. A brief description of the design features providing the STPEGS compliance is presented. References to the text of the Updated Final Safety Analysis Report (UFSAR) are made as applicable.

I.A.1.1 SHIFT TECHNICAL ADVISOR

Position

Each licensee shall provide an on-shift technical advisor to the shift manager. The shift technical advisor (STA) may serve more than one unit at a multi-unit site if qualified to perform the advisor function for the various units.

The STA shall have a bachelor's degree or equivalent in a scientific or engineering discipline and have received specific training in the response and analysis of the plant for transients and accidents.

The STA shall also receive training in plant design and layout, including the capabilities of instrumentation and controls in the control room. The licensee shall assign normal duties to the STAs that pertain to the engineering aspects of assuring safe operations of the plant, including the review and evaluation of operating experience.

Clarification

The letter of October 20, 1979 clarified the short-term STA requirements. That letter indicated that the STAs must have completed all training by January 1, 1981. This paper confirms these requirements and requests additional information.

The need for the STA position may be eliminated when the qualifications of the shift managers and senior operators have been upgraded and the man-machine interface in the control room has been acceptably upgraded. However, until those long-term improvements are attained, the need for an STA program will continue.

The staff has not yet established the detailed elements of the academic and training requirements of the STA beyond the guidance given in its October 30, 1979 letter. In addition, the staff has made no decision on the level of upgrading required for licensed operating personnel and the man-machine interface in the control room that would be acceptable for eliminating the need of an STA. Until these requirements for eliminating the STA position have been established, the staff continues to require that, in addition to the staffing requirements specified in its July 31, 1980 letter (as revised by item I.A.1.3 of this enclosure), an STA be available for duty on each operating shift when a plant is being operated in Modes 1-4 for a pressurized water reactor (PWR) and Modes 1-3 for a boiling water reactor (BWR). At other times, an STA is not required to be on duty.

Since the October 30, 1979 letter was issued, several efforts have been made to establish, for the longer term, the minimum level of experience, education, and training for STAs. These efforts include work on the revision to American Nuclear Society (ANS) 3.1, work by the Institute of Nuclear Power Operations (INPO), and internal staff efforts.

INPO recently made available a document titled "Nuclear Power Plant Shift Technical Advisor--Recommendations for Position Description, Qualifications, Education and Training". A copy of Revision 0 of this document, dated April 30, 1980, is attached as Appendix C. Sections 5 and 6 of the INPO document describe the education, training, and experience requirements for STAs. The NRC staff finds that the descriptions as set forth in Sections 5 and 6 of Revision 0 to the INPO document are an acceptable approach for the selection and training of personnel to staff the STA positions. [Note: This should not be interpreted to mean that this is an NRC requirement at this time. The intent is to refer to the INPO document as acceptable for interim guidance for a utility in planning its STA program over the long term (i.e., beyond the January 1, 1981 requirement to have STAs in place in accordance with the qualification requirements specified in the staff's October 30, 1979 letter)].

No later than January 1, 1981, all licensees of operating reactors shall provide this office with a description of their STA training program and their plans for requalification training. This description shall indicate the level of training attained by STAs by January 1, 1981 and demonstrate conformance with the qualification and training requirements in the October 30, 1979 letter. Applicants for operating licenses shall provide the same information in their application, or amendments thereto, on a schedule consistent with the NRC licensing review schedule.

No later than January 1, 1981, all licensees of operating reactors shall provide this office with a description of their long-term STA program, including qualification, selection criteria, training plans, and plans, if any, for the eventual phaseout of the STA program. (Note: The description shall include a comparison of the licensee/applicant program with the above-mentioned INPO document. This request solicits industry views to assist NRC in establishing long-term improvements in the STA program. Applicants for operating licenses shall provide the same information in their application, or amendments thereto, on a schedule consistent with the NRC licensing review schedule.)

STPEGS Response

The South Texas Project Electric Generating Station (STPEGS) provides engineering and accident assessment expertise on shift by meeting the qualifications specified by Generic Letter 86-04, "The Commission Policy Statement on Engineering Expertise on Shift." Candidates for the STA position are considered based upon an acceptable combination of education and experience. With respect to the educational requirements, candidates will possess a bachelor's degree in a scientific or engineering discipline or equivalent. Candidates for the STA position shall possess an overall knowledge of the plant. Necessary training will be provided in accordance with the guidelines presented by the INPO document titled "Nuclear Power Plant Shift Technical Advisor--Recommendations for Position Description, Qualifications, Education, and Training". On an annual basis, the STAs are required to successfully complete STA requalification training in order to continue to function as an STA.

A waiver for any portion of the above training and education requirements may be granted on a case-by-case basis. Training waivers will be considered when a candidate has documented accredited college courses or can demonstrate an acceptable level of knowledge through comprehensive examinations in the specific area to be waived.

Individuals not actively performing the STA functions or activities that keep the individual cognizant of plant conditions (at least three shifts per quarter), shall receive training sufficient to ensure cognizance of facility and procedure changes that occurred during the absence.

I.A.1.2 SHIFT MANAGER RESPONSIBILITIES

Position

Description:

The objective is to increase the shift manager's attention to his command function by minimizing ancillary responsibilities. The Office of Nuclear Reactor Regulation (NRR) has required that all operating plant licensees review the administrative duties of the shift manager. The review should be performed by the senior officer at each utility who is responsible for plant operations.

Administrative functions that detract from or are subordinate to the management responsibility for assuring the safe operation of the plant are to be delegated to other operations personnel not on duty in the control room. The same requirement will be imposed by the licensing review staff on all operating license applicants.

Clarification

NUREG-0737 does not provide a clarification of this section.

STPEGS Response

For the STPEGS position on this item see Section 13.1.2.2.2.

I.A.1.3 SHIFT MANNING

Position

This position defines shift manning requirements for normal operation. The letter of July 31, 1980 from D. G. Eisenhut to all power reactor licensees and applicants (copy attached) sets forth the interim criteria for shift staffing (to be effective pending general criteria that will be the subject of future rulemaking). Overtime restrictions were also included in the July 31, 1980 letter.

Clarification

Page 3 of the July 31, 1980 letter is superseded in its entirety by the following:

Licensees of operating plants and applicants for operating licenses shall include in their administrative procedures (required by license conditions) provisions governing required shift staffing and movement of key individuals about the plant. These provisions are required to assure that qualified plant personnel to man the operational shifts are readily available in the event of an abnormal or emergency situation.

These administrative procedures shall also set forth a policy, the objective of which is to operate the plant with the required staff and develop working schedules such that use of overtime is avoided, to the extent practicable, for the plant staff who perform safety-related functions (e.g., senior reactor operators, reactor operators, health physicists, auxiliary operators, instrumentation and controls [I&C] technicians and key maintenance personnel).

Inspection and Enforcement (IE) Circular No. 80-02, "Nuclear Power Plant Staff Work Hours", dated February 1, 1980 (copy attached) discusses the concern of overtime work for members of the plant staff who perform safety-related functions.

The Staff recognizes that there are diverse opinions on the amount of overtime that would be considered permissible and that there is a lack of hard data on the effects of overtime beyond the generally recognized normal 8-hour working day, the effects of shift rotation, and other factors. NRC has initiated studies in this area.

Until a firmer basis is developed on working hours, the administrative procedures shall include, as an interim measure, the following guidance, which generally follows that of IE Circular No. 80-02. Shift manning working hours and overtime are governed by 10CFR26, "Fitness for Duty Programs," Subpart I, "Managing Fatigue." NRC encourages the development of a staffing policy that would permit the licensed reactor operators and senior reactor operators to be periodically assigned to other duties away from the control board during their normal tours of duty.

If a reactor operator is required to work in excess of 8 continuous hours, he shall be periodically relieved of primary duties at the control board, such that periods of duty at the board do not exceed about 4 hours at a time.

CN-2966 HISTORICAL INFORMATION

Operating license applicants shall complete these administrative procedures before fuel loading. Development and implementation of the administrative procedures at operating plants will be reviewed by the Office of Inspection and Enforcement beginning 90 days after July 31, 1980.

See Section III.A.1.2 for minimum staffing and augment capabilities for emergencies.

STPEGS Response

For the STPEGS position on this item, see Section 13.5.1.3, part 1 (g).

I.A.2.1 IMMEDIATE UPGRADING OF REACTOR OPERATOR AND SENIOR REACTOR OPERATOR TRAINING AND QUALIFICATIONS

Position

Effective December 1, 1980, an applicant for an SRO license will be required to have been a licensed operator for 1 year.

Clarification

Applicants for SRO either come through the operations chain (C operator to B operator to A operator, etc.) or are degree-holding staff engineers who obtain licenses for backup purposes.

In the past, many individuals who came through the operator ranks were administered SRO examinations without first being an operator. This was clearly a poor practice and the letter of March 28, 1980 requires reactor operator experience for SRO applicants.

However, NRC does not wish to discourage staff engineers from becoming licensed SROs. This effort is encouraged because it forces engineers to broaden their knowledge about the plant and its operation.

In addition, in order to attract degree-holding engineers to consider the shift manager's job as part of their career development, NRC should provide an alternate path to holding an operator's license for 1 year. The track followed by a high-school graduate (a nondegreed individual) to become an SRO would be 4 years as a control room operator, at least one of which would be as a licensed operator, and participation in an SRO training program that includes 3 months on shift as an extra person.

The track followed by a degree-holding engineer would be, at a minimum, 2 years of responsible nuclear power plant experience as a staff engineer, participation in an SRO training program equivalent to a cold applicant training program, and 3 months on shift as an extra person in training for an SRO position.

Holding these positions assures that individuals who will direct the licensed activities of licensed operators have had the necessary combination of education, training, and actual operating experience prior to assuming a supervisory role at that facility.

The staff realizes that the necessary knowledge and experience can be gained in a variety of ways. Consequently, credit for equivalent experience should be given to applicants for SRO licenses.

Applicants for SRO licenses at a facility may obtain their 1-year operating experience in a licensed capacity (operator or senior operator) at another nuclear power plant. In addition, actual operating experience in a position that is equivalent to a licensed operator or senior operator at military propulsion reactors will be acceptable on a one-to-one basis. Individual applicants must document this experience in their individual applications in sufficient detail so that the staff can make a finding regarding equivalency. Applicants for SRO licenses who possess a degree in engineering or applicable sciences are deemed to meet the above requirement, provided they meet the requirements set forth in sections A.1.a and A.2 in enclosure 1 in the letter from H. R. Denton to all power reactor applicants and licensees, dated March 28, 1980, and have participated in a training program equivalent to that of a cold senior operator applicant.

NRC has not imposed the 1-year experience requirement on cold applicants for SRO licenses. Cold applicants are to work on a facility not yet in operation; their training programs are designed to supply the equivalent of the experience not available to them.

STPEGS Response

Section 13.2 covers requirements for SROs.

I.A.2.3 ADMINISTRATION OF TRAINING PROGRAMS

Position

Pending accreditation of training institutions, licensees and applicants for operating licenses will assure that training center and facility instructors who teach systems, integrated responses, transient, and simulator courses demonstrate SRO qualifications and be enrolled in appropriate requalification programs.

Clarification

The above position is a short-term position. In the future, accreditation of training institutions will include review of the procedure for certification of instructors. The certification of instructors may, or may not, include successful completion of an SRO examination.

The purpose of the examination is to provide NRC with reasonable assurance, during the interim period, that instructors are technically competent.

The requirement is directed to permanent members of training staff who teach the subjects listed above, including members of other organizations who routinely conduct training at the facility. There is no intention to require guest lecturers who are experts in particular subjects (reactor theory, instrumentation, thermodynamics, health physics, chemistry, etc.) to successfully complete an SRO examination. Nor is it intended to require a system expert, such as the instrument and control supervisor teaching the control rod drive system, to sit for an SRO examination.

STPEGS Response

This item is covered in Section 13.2.1.1.5.

I.A.3.1 REVISE SCOPE AND CRITERIA FOR LICENSING EXAMINATIONS - SIMULATOR EXAMS (ITEMS 3)

Position

Simulator examinations will be included as part of the licensing examinations.

Clarification

The clarification does not alter the staff's position regarding simulator examinations.

The clarification does provide additional preparation time for utility companies and NRC to meet examination requirements as stated. A study is under way to consider how similar a nonidentical simulator should be for a valid examination. In addition, present simulators are fully booked months in advance.

Application of this requirement was stated on June 1, 1980 to applicants where a simulator is located at the facility. Starting October 1, 1981, simulator examinations will be conducted for applicants of facilities that do not have simulators at the site.

NRC simulator examinations normally require 2 to 3 hours. Normally, two applicants are examined during this time period by two examiners.

Utility companies should make the necessary arrangements with an appropriate simulator training center to provide time for these examinations. Preferably, these examinations should be scheduled consecutively with the balance of the examination. However, they may be scheduled no sooner than 2 weeks prior to and no later than 2 weeks after the balance of the examination.

STPEGS Response

A plant-specific simulator has been procured for STPEGS. This facility is available for licensing examinations.

I.B.1.2 INDEPENDENT SAFETY ENGINEERING GROUP

Position

Each applicant for an operating license shall establish an onsite Independent Safety Engineering Group (ISEG) to perform independent reviews of plant operations.

The principal function of the ISEG is to examine plant operating characteristics, NRC issuances, Licensing Information Service advisories, and other appropriate sources of plant design and operating experience information that may indicate areas for improving plant safety. The ISEG is to perform independent review problems, and operational analysis, and aid in the establishment of programmatic requirements for plant activities. Where useful improvements can be achieved, it is expected that this group will develop and present detailed recommendations to corporate management for such things as revised procedures or equipment modifications.

Another function of the ISEG is to maintain surveillance of plant operations and maintenance activities to provide independent verification that these activities are performed correctly and that human errors are reduced as far as practicable. ISEG will then be in a position to advise utility management on the overall quality and safety of operations. ISEG need not perform detailed audits of plant operations and shall not be responsible for sign-off functions such that it becomes involved in the operating organization.

Clarification

The new ISEG shall not replace the plant operations review committee (PORC) and the utility's independent review and audit group as specified by current staff guidelines (Standard Review Plan, Regulatory Guide [RG] 1.33, Standard Technical Specifications). Rather, it is an additional independent group of a minimum of 5 dedicated, full-time engineers, located onsite, but reporting offsite to a corporate official who holds a high-level, technically oriented position that is not in the management chain for power production. The ISEG will increase the available technical expertise located onsite and will provide continuing, systematic, and independent assessment of plant activities. Integrating the STAs into the ISEG in some way would be desirable in that it could enhance the group's contact with and knowledge of day-to-day plant operations and provide additional expertise. However, the STA on shift is necessarily a member of the operating staff and cannot be independent of it. It is expected that the ISEG may interface with the quality assurance (QA) organization, but preferably should not be an integral part of the QA organization.

The functions of the ISEG require daily contact with the operating personnel and continued access to plant facilities and records. The ISEG review functions can, therefore, best be carried out by a group physically located onsite. However, for utilities with multiple sites, it may be possible to perform portions of the independent safety assessment function in a centralized location for all the utility's plants. In such cases, an onsite group still is required, but it may be slightly smaller than would be the case if it were performing the entire independent safety assessment function. Such cases will be reviewed on a case-by-case basis. At this time, the requirement for establishing an ISEG is being applied only to applicants for operating licenses in accordance with Action Plan item I.B.1.2. The staff intends to review this activity in about a year to determine its effectiveness and to see whether changes are required. Applicability to operating plants will be considered in implementing long-term improvements in organization and management for operating plants (Action Plan item I.B.1.1).

STPEGS Response

STPEGS does not maintain an Independent Safety Engineering Group. See the Operations Quality Assurance Plan, Chapter 16, for implementation of these activities.

I.C.1 GUIDANCE FOR THE EVALUATION AND DEVELOPMENT OF PROCEDURES FOR TRANSIENTS AND ACCIDENTS

Position

In letters of September 13 and 27, October 10 and 30, and November 9, 1979, the Office of Nuclear Reactor Regulation required licensees of operating plants, applicants for operating licenses and licensees of plants under construction to perform analyses of transients and accidents, prepare emergency procedure guidelines, upgrade emergency procedures, including procedures for operating with natural circulation conditions, and to conduct operator retraining (see also item I.A.2.1).

Emergency procedures are required to be consistent with the actions necessary to cope with the transients and accidents analyzed. Analyses of transients and accidents were to be completed in early 1980 and implementation of procedures and retraining were to be completed 3 months after emergency procedure guidelines were established; however, some difficulty in completing these requirements has been experienced. Clarification of the scope of the task and appropriate schedule revisions are being developed. In the course of review of these matters on Babcock and Wilcox (B&W)-designed plants, the staff will follow up on the bulletin and orders matters relating to analysis methods and results, as listed in NUREG-0660, Appendix C (see Table C.1, items 3, 4, 16, 18, 24, 25, 26, 27; Table C.2, items 4, 12, 17, 18, 19, 20; and Table C.3, items 6, 35, 37, 38, 39, 4, 47, 55, 57).

Clarification

The letters of September 13 and 27, October 10 and 30, and November 9, 1979, required that procedures and operator training be developed for transients and accidents. The initiating events to be considered should include the events presented in the UFSAR, loss of instrumentation buses, and natural phenomena such as earthquakes, floods, and tornadoes. The purpose of this paper is to clarify the requirements and add additional requirements for the reanalysis of transients and accidents and inadequate core cooling.

Based on staff reviews to date, there appear to be some recurring deficiencies in the guidelines being developed. Specifically, the staff has found a lack of justification for the approach used (i.e., symptom-, event-, or function-oriented) in developing diagnostic guidance for the operator and in procedural development. It has also been found that although the guidelines take implicit credit for operation of many systems or components, they do not address the availability of these systems under expected plant conditions nor do they address corrective or alternative actions that should be performed to mitigate the event should these systems or components fail.

The analyses conducted to date for guideline and procedure development contain insufficient information to assess the extent to which multiple failures are considered. NUREG-0578 concluded that the single-failure criterion was not considered appropriate for guideline development and called for the consideration of multiple failures and operator errors. Therefore, the analyses that support guideline and procedure development should consider the occurrences of multiple and consequential failures. In general, the sequence of events for the transients and accidents and inadequate core cooling analyzed should postulate multiple failures such that, if the failures were unmitigated, conditions of inadequate core cooling would result. Examples of multiple failure events include:

(1) Multiple tube ruptures in a single steam generator and tube rupture in more than one steam generator;

(2) Failure of main and auxiliary feedwater;

(3) Failure of high-pressure reactor coolant makeup system;

(4) An anticipated transient without scram (ATWS) event following a loss of offsite power, stuck-open relief valve or safety/relief valve, or loss of main feedwater; and

(5) Operator errors of omission or commission.

The analyses should be carried out far enough into the event to assure that all relevant thermal/hydraulic/neutronic phenomena are identified (e.g., upper head voiding due to rapid cooldown, steam generator stratification). Failures and operator errors during the long-term cooldown period should also be addressed.

The analyses should support development of guidelines that define a logical transition from the emergency procedures into the inadequate core cooling procedure, including the use of instrumentation to identify inadequate core cooling conditions. Rationale for this transition should be discussed. Additional information that should be submitted includes:

(1) A detailed description of the methodology used to develop the guidelines;

(2) Associated control function diagrams, sequence-of-event diagrams, or others, if used;

(3) The bases for multiple and consequential failure considerations;

(4) Supporting analysis, including a description of any computer codes used; and

(5) A description of the applicability of any generic results to plant-specific applications.

Owners' group or vendor submittals may be referenced as appropriate to support this reanalysis. If owners' group or vendor submittals have already been forwarded to the staff for review, a brief description of the submittals and justification of their adequacy to support guideline development is all that is required.

Pending staff approval of the revised analysis and guidelines, the staff will continue the pilot monitoring of emergency procedures described in Task Action Plan item I.C.8 (NUREG-0660). For PWRs, this will involve review of the loss of coolant, steam-generator-tube rupture, loss of main feedwater, and inadequate core cooling procedures. The adequacy of each PWR vendor's guidelines will be identified to each near-term operating license (NTOL) during the emergency-procedure review. Since the analysis and guidelines submitted by the General Electric Company (GE) owners' group that comply with the requirements stated above have been reviewed and approved for trial implementation on six plants with applications for operating licenses pending, the interim program for BWRs will consist of trial implementation on these six plants.

Following approval of analysis and guidelines and the pilot monitoring of emergency procedures, the staff will advise all licensees of the adequacy of the guidelines for application to their plants.

Consideration will be given to human factors engineering and system operational characteristics, such as information transfer under stress, compatibility with operator training and control room design, the time required for component and system response, clarity of procedural actions, and control room-personnel interactions. When this determination has been made by the staff, a long-term plan for emergency procedure review, as described in task action plan item I.C.9, will be made available. At that time, the reviews currently being conducted on NTOLs under item I.C.8 will be discontinued, and the review required for applicants for operation licenses will be as described in the long-term plan. Depending upon the information submitted to support development of emergency procedures for each reactor type or vendor, this transition may take place at different times. For example, if the GE guidelines are shown to be effective on the six plants chosen for pilot monitoring, the long-term plan for BWRs may be complete in early 1981. Operating plants and applicants will then have the option of implementing the long-term plan in a manner consistent with their operating schedule, provided they meet the final date required for implementation. This may require a plant that was reviewed for an operating license under item I.C.8 to revise its emergency procedures again prior to the final implementation date for Item I.C.9. The extent to which the long-term program will include review and approval of plant-specific procedures for operating plants has not been established. Our objective, however, is to minimize the amount of plant-specific procedure review and approval required. The staff believes this objective can be acceptably accomplished by concentrating the staff review and approval on generic guidelines. A key element in meeting this objective is the use of staff-approved generic guidelines and guideline revisions by licensees to develop procedures. For this approach to be effective, it is imperative that, once the staff has issued approval of a guideline, subsequent revisions of the guideline should not be implemented by licensees until reviewed and approved by the staff. Any changes in plant-specific procedures based on unapproved guidelines could constitute an unreviewed safety issue under 10 CFR 50.59. Deviations from this approach on a plant-specific basis would be acceptable provided the basis is submitted by the licensee for staff review and approval. In this case, deviations from generic guidelines should not be implementation of analysis and procedures for small-break loss-of-coolant accident and inadequate core cooling should remain on the schedule contained in NUREG-0578, Recommendation 2.1.9.

STPEGS Response

For the STPEGS position on this item, see Section 13.5.2.1, Part 4.

I.C.2 SHIFT AND RELIEF TURNOVER PROCEDURES

Position

Description:

Licensees are to revise plant procedures for shift and relief turnover to ensure that each oncoming shift is made aware of critical plant status information and system availability.

Clarification

NUREG-0737 provided no clarification of this section.

STPEGS Response

For the STPEGS position on this item, see Section 13.5.1.3, part 1 (f).

I.C.3 SHIFT MANAGER RESPONSIBILITY

Position

Description:

Licensees are to revise plant procedures to assure that duties, responsibilities, and authority of the shift manager and control room operators are properly defined.

Clarification

NUREG-0737 provided no clarification of this section.

STPEGS Response

For the STPEGS position on this item, see Section 13.5.1.3, part 1 (b).

I.C.4 CONTROL ROOM ACCESS

Position

Description:

Licensees are to revise procedures to assure that instructions covering the authority and responsibilities of the person in charge of access and clear lines of authority and responsibility in the control room in the event of an emergency are established.

Clarification

NUREG-0737 provided no clarification of this section.

STPEGS Response

For the STPEGS position on this item, see Section 13.5.1.3, part 1 (h).

I.C.5 PROCEDURES FOR FEEDBACK OF OPERATING EXPERIENCE TO PLANT STAFF

Position

In accordance with Task Action Plan I.C.5, Procedures for Feedback of Operating Experience to Plant Staff (NUREG-0660), each applicant for an operating license shall prepare procedures to assure that operating information pertinent to plant safety originating both within and outside the utility organization is continually supplied to operators and other personnel and is incorporated into training and retraining programs. These procedures shall:

(1) Clearly identify organizational responsibilities for review of operating experience, the feedback of pertinent information to operators and other personnel, and the incorporation of such information into training and retraining programs;

(2) Identify the administrative and technical review steps necessary in translating recommendations by the operating experience assessment group into plant actions (e.g., changes to procedures; operating orders);

(3) Identify the recipients of various categories of information from operating experience (i.e., supervisory personnel, shift technical advisors, operators, maintenance personnel, health physics technicians) or otherwise provide means through which such information can be readily related to the job functions of the recipients;

(4) Provide means to assure that affected personnel become aware of and understand information of sufficient importance that should not wait for emphasis through routine training and retraining programs;

(5) Assure that plant personnel do not routinely receive extraneous and unimportant information on operating experience in such volume that it would obscure priority information or otherwise detract from overall job performance and proficiency;

(6) Provide suitable checks to assure that conflicting or contradictory information is not conveyed to operators and other personnel until resolution is reached; and,

(7) Provide periodic internal audit to assure that the feedback program functions effectively at all levels.

Clarification

Each utility shall carry out an operating experience assessment function that will involve utility personnel having collective competence in all areas important to plant safety. In connection with this assessment function, it is important that procedures exist to assure that important information on operating experience originating both within and outside the organization is continually provided to operators and other personnel and that it is incorporated into plant operating procedures and training and retraining programs.

Those involved in the assessment of operating experience will review information from a variety of sources. These include operating information from the licensee's own plant(s), publications such as IE Bulletins, Circulars, and Notices, and pertinent NRC or industrial assessments of operating experience. In some cases, information may be of sufficient importance that it must be dealt with promptly (through instructions, changes to operating and emergency procedures, issuance of special precautions, etc.) and must be handled in such a manner to assure that operations management personnel would be directly involved in the process. In many other cases, however, important information will become available which should be brought to the attention of operators and other personnel for their general information to assure continued safe plant operation. Since the total volume of information handled by the assessment group may be large, it is important that assurance be provided that high-priority matters are dealt with promptly and that discrimination is used in the feedback of other information so that personnel are not deluged with unimportant and extraneous information to the detriment of their overall proficiency. It is important, also, that technical reviews be conducted to preclude premature dissemination of conflicting or contradictory information.

STPEGS Response

For the STPEGS position on this item, see Section 13.5.1.3, part 1 (i).

I.C.6 GUIDANCE ON PROCEDURES FOR VERIFYING CORRECT PERFORMANCE OF OPERATING ACTIVITIES

Position

It is required (from NUREG-0660) that licensees' procedures be reviewed and revised, as necessary, to assure that an effective system of verifying the correct performance of operating activities is provided as a means of reducing human errors and improving the quality of normal operations. This will reduce the frequency of occurrence of situations that could result in or contribute to accidents.

Such a verification system may include automatic system status monitoring, human verification of operations and maintenance activities independent of the people performing the activity (see NUREG-0585, Recommendation 5), or both.

Implementation of automatic status monitoring, if required, will reduce the extent of human verification of operations and maintenance activities but will not eliminate the need for such verification in all instances. The procedures adopted by the licensees may consist of two phases--one before and one after installation of automatic status monitoring equipment, if required, in accordance with item I.D.3.

Clarification

Item I.C.6 of the U.S. Nuclear Regulatory Commission Task Action Plan (NUREG-0660) and Recommendation 5 of NUREG-0585 propose requiring that licensees' procedures be reviewed and revised, as necessary, to assure that an effective system of verifying the correct performance of operating activities is provided. An acceptable program for verification of operating activities is described below.

The ANS has prepared a draft revision to American National Standards Institute (ANSI) Standard N18.7-1972 (ANS 3.2) "Administrative Controls and Quality Assurance for the Operational Phase of Nuclear Power Plants". A second proposed revision to RG 1.33, "Quality Assurance Program Requirements (Operation)", which is to be issued for public comment in the near future, will endorse the latest draft revision to ANS 3.2 subject to the following supplemental provisions:

(1) Applicability of the guidance of Section 5.2.6 should be extended to cover surveillance testing in addition to maintenance.

(2) In lieu of any designated SRO, the authority to release systems and equipment for maintenance or surveillance testing or return-to-service may be delegated to an on-shift SRO, provided provisions are made to ensure that the shift manager is kept fully informed of system status.

(3) Except in cases of significant radiation exposure, a second qualified person should verify correct implementation of equipment control measures such as tagging of equipment.

(4) Equipment control procedures should include assurance that control room operators are informed of changes in equipment status and the effects of such changes.

(5) For the return-to-service of equipment important to safety, a second qualified operator should verify proper systems alignment unless functional testing can be performed without compromising plant safety, and can prove that all equipment, valves, and switches involved in the activity are correctly aligned.

NOTE: A licensed operator possessing knowledge of the system involved and the relationship of the systems to plant safety would be a "qualified" person. The staff is investigating the level of qualification necessary for other operators to perform these functions.

For plants that have or will have automatic system status monitoring as discussed in Task Action Plan item I.D.3, NUREG-0660, the extent of human verification of operations and maintenance activities will be reduced. However, the need for such verification will not be eliminated in all instances.

STPEGS Response

For STPEGS position on this item, see Section 13.5.1.3, part 1 (j).

I.C.7 NUCLEAR STEAM SUPPLY SYSTEM (NSSS) VENDOR REVIEW OF PROCEDURES

Position

Description:

Operating license applicants are required to obtain reactor vendor review of their low-power, power-ascension and emergency procedures as a further verification of the adequacy of the procedures.

Clarification

NUREG-0737 does not provide a clarification of this section.

STPEGS Response

STPEGS is committed to base Emergency Operating Procedures on the NRC-approved Westinghouse Emergency Response Guidelines (ERGs) as discussed in Section 13.5.2.1. Based on this commitment, vendor review of the Emergency Operating Procedures is not necessary.

STPEGS obtained reactor vendor review of pertinent low-power and power-ascension and emergency procedures as a further verification of the adequacy of the procedures.

I.C.8 PILOT MONITORING OF SELECTED EMERGENCY PROCEDURES FOR NEAR-TERM OPERATING LICENSE APPLICANTS

Position

Description:

Licensees will be required to correct any deficiencies identified before full-power operation.

Clarification

NUREG-0737 does not provide a clarification of this section.

STPEGS Response

For the STPEGS position on this item, see Section 13.5.2.1, part 4.

I.D.1 CONTROL ROOM DESIGN REVIEWS

Position

In accordance with Task Action Plan I.D.1, Control Room Design Reviews (NUREG-0660), all licensees and applicants for operating licenses will be required to conduct a detailed control room design review (CRDR) to identify and correct design deficiencies. This detailed control room design review is expected to take about a year. Therefore, NRR requires that those applicants for operating licenses who are unable to complete this review prior to issuance of a license make preliminary assessments of their control rooms to identify significant human factors and instrumentation problems and establish a schedule approved by NRC for correcting deficiencies. These applicants will be required to complete the more detailed control room reviews on the same schedule as licensees with operating plants.

Clarification

NRR is presently developing human engineering guidelines to assist each licensee and applicant in performing detailed control room review. A draft of the guidelines has been published for public comment as NUREG/CR-1580, "Human Engineering Guide to Control Room Evaluation". The due date for comments on this draft document was September 29, 1980. NRR will issue the final version of guidelines as NUREG-0700, by February 1981, after receiving, reviewing, and incorporating substantive public comments for operating reactor licensees, applicants for operating licenses, human factors engineering experts, and other interested parties. NRR will issue evaluation criteria, by July 1981, which will be used to judge the acceptability of the detailed reviews performed and the design modifications implemented.

Applicants for operating licenses who will be unable to complete the detailed control room design review prior to issuance of a license are required to perform a preliminary control room design assessment to identify significant human factors problems. Applicants will find it of value to refer to the draft document NUREG/CR-1580, "Human Engineering Guide to Control Room Evaluation", in performing the preliminary assessment. NRR will evaluate the applicants' preliminary assessments, including the performance by NRR of onsite review/audit. The NRR onsite review/audit will be on a schedule consistent with licensing needs and will emphasize the following aspects of the control room:

(1) The adequacy of information presented to the operator to reflect plant status for normal operation, anticipated operational occurrences, and accident conditions;

(2) The groupings of displays and the layout of panels;

(3) Improvements in the safety monitoring and human factors enhancement of controls and control displays;

(4) The communications from the control room to points outside the control room, such as the onsite technical support center, remote shutdown panel, offsite telephone lines, and to other areas within the plant for normal and emergency operation.

(5) The use of direct rather than derived signals for the presentation of process and safety information to the operator;

(6) The operability of the plant from the control room with multiple failures of nonsafety-grade and nonseismic systems;

(7) The adequacy of operating procedures and operator training with respect to limitations of instrumentation displays in the control room;

(8) The categorization of alarms, with unique definition of safety alarms.

(9) The physical location of the shift manager's office either adjacent to or within the control room complex.

Prior to the onsite review/audit, NRR will require a copy of the applicants' preliminary assessment and additional information which will be used in formulating the details of the onsite review/audit.

STPEGS Response

STPEGS has performed a CRDR in accordance with NUREG-0737 as augmented by Supplement 1 to NUREG-0737. This review is described in Section S.5 of this Appendix.

I.D.2 PLANT SAFETY PARAMETER DISPLAY CONSOLE

Position

In accordance with Task Action Plan I.D.2, Plant Safety Parameter Display Console (NUREG-0660), each applicant and licensee shall install a safety parameter display system (SPDS) that will display to operating personnel a minimum set of parameters which define the safety status of the plant. This can be attained through continuous indication of direct and derived variables as necessary to assess plant safety status.

Clarification

These requirements for the SPDS are being developed in NUREG-0696, which is scheduled for issuance in November 1980.

STPEGS Response

STPEGS has implemented a SPDS via the Emergency Response Facilities Data Acquisition and Display System (ERFDADS). The ERFDADS is further described in Section S.4 of Supplement 1 to this Appendix and Section 7.5.7.

I.G.1 TRAINING DURING LOW-POWER TESTING

Position

Description:

NRR will require new operating licensees to conduct a set of low-power tests to accomplish the objective. The set of tests will be determined on a case-by-case basis for the first few plants. Then NRR will develop acceptance criteria for low-power test programs to provide "hands on" training for plant evaluation and off-normal events for each operating shift. It is not expected that all tests will be required to be conducted by each operating shift. Observation by one shift of training of another shift may be acceptable. See also Table C.1, Item 4, 18, 26; and Table C.2, Item 11.

Clarification

NUREG-0737 does not provide a clarification of this section.

STPEGS Response

STPEGS complied with the requirements of this item as described in Chapter 14.2 and the response to Q640.21N.

II.B.1 REACTOR COOLANT SYSTEM VENTS

Position

Each applicant and licensee shall install reactor coolant system (RCS) and reactor vessel head high point vents remotely operated from the control room. Although the purpose of the system is to vent noncondensible gases from the RCS that may inhibit core cooling during natural circulation, the vents must not lead to an unacceptable increase in the probability of a loss-of-coolant accident (LOCA) or a challenge to Containment integrity. Since these vents form a part of the reactor coolant pressure boundary, the design of the vents shall conform to the requirements of Appendix A to 10CFR50, "General Design Criteria". The vent system shall be designed with sufficient redundancy that assures a low probability of inadvertent or irreversible actuation.

Each licensee shall provide the following information concerning the design and operation of the high point vent system:

(1) Submit a description of the design, location, size, and power supply for the vent system, along with the results of analyses for LOCA initiated by a break in the vent pipe. The results of the analyses should demonstrate compliance with the acceptance criteria of 10CFR50.46.

(2) Submit procedure and supporting analysis for operator use of the vents that also includes the information available to the operator for initiating or terminating vent usage.

Clarification

(A) General

(1) The important safety function enhanced by this venting capability is core cooling. For events beyond the present design basis, this venting capability will substantially increase the plant's ability to deal with large quantities of noncondensible gas which interferes with core cooling.

(2) Procedures addressing the use of the RCS vents should define the conditions under which the vents should be used, as well as the conditions under which the vents should not be used. The procedures should be directed toward achieving a substantial increase in the plant being able to maintain core cooling without loss of Containment integrity for events beyond the design basis. The use of vents for accidents within the normal design basis must not result in a violation of the requirements of 10CFR50.44 or 10CFR50.46.

(3) The size of the reactor coolant vents is not a critical issue. The desired venting capability can be achieved with vents in a fairly broad spectrum of sizes. The criteria for sizing a vent can be developed in several ways. One approach that may be considered is to specify a volume of noncondensible gas to be vented and in a specific venting time. For Containments particularly vulnerable to failure from large hydrogen releases over a short period of time, the necessity and desirability for contained venting outside the Containment must be considered (e.g., into a decay gas collection and storage system).

(4) Where practical the RCS vents should be kept smaller than the sizes corresponding to the definition of LOCA (10CFR50, Appendix A). This will minimize the challenges to the emergency core cooling system (ECCS) actuation, although it may result in leakage beyond technical specification limits. On PWRs the use of new or existing lines, whose smallest orifice is larger than the LOCA definition, will require a valve in series with a vent valve that can be closed from the control room to terminate the LOCA that would result if an open vent valve could not be reclosed.

(5) A positive indication of valve position would be provided in the control room.

(6) The reactor coolant vent system shall be operable from the control room.

(7) Since the RCS vent will be part of the RCS pressure boundary, all requirements for the reactor pressure boundary must be met, and, in addition, sufficient redundancy should be incorporated into the design to minimize the probability of an inadvertent actuation of the system. Administrative procedures may be a viable option to meet the single-failure criterion. For vents larger than the LOCA definition, an analysis is required to demonstrate compliance with 10CFR50.46.

(8) The probability of an opened vent path failing to close should be minimized; this is a new requirement. Each vent must have its power supplied from an emergency bus. A single-failure within its power and control aspects of the reactor coolant vent system should not prevent isolation of the entire vent system when required. On BWRs, block valves are not required in lines with safety valves that are used for venting.

(9) Vent paths from the primary system to within Containment should go to those areas that provide good mixing with Containment air.

(10) The reactor coolant vent system (i.e., vent valves, block valves, position indication devices, cable terminations, and piping) shall be seismically and environmentally qualified in accordance with IEEE 344-1975 as supplemented by RGs 1.100, 1.92, and SEP 3.92, 3.43, and 3.10. Environmental qualifications are in accordance with the May 23, 1980 Commission Order and Memorandum (CLI 21).

(11) Provisions to test for operability of the reactor coolant vent system should be a part of the design. Testing should be performed in accordance with subsection IWV of Section XI of the American Society of Mechanical Engineers (ASME) Code for Category B valves.

(12) It is important that the displays and controls added to the control room as a result of this requirement not increase the potential for operator error. A human factors analysis should be performed taking the following into consideration:

(a) The use of this information by an operator during both normal and abnormal plant conditions.

(b) The integration into emergency procedures.

(c) The integration into operator training.

(d) Other alarms during emergency and the need for prioritization of alarms.

(B) Boiling Water Reactor Design Consideration (Not applicable to STPEGS)

(C) PWR Vent Design Considerations

(1) Each PWR licensee should provide the capability to vent the reactor vessel head. The reactor vessel head vent should be capable of venting noncondensible gas from the reactor vessel hot legs (to the elevation of the top of the outlet nozzle) and cold legs (through head jets and other leakage paths).

(2) Additional venting capability is required for those portions of each hot leg that cannot be vented through the reactor vessel head vent or pressurizer. It is impractical to vent each of the many thousands of tubes in a U-tube steam generator; however, the staff believes that a procedure can be developed that assures sufficient liquid or steam can enter the U-tube region so that decay heat can be effectively removed from the RCS. Such operating procedures should incorporate this consideration.

(3) Venting of the pressurizer is required to assure its availability for system pressure and volume control. These are important considerations, especially during natural circulation.

STPEGS Response

The STPEGS design provides the capability of venting the RCS to ensure that, if noncondensible gases become present in the RCS, regardless of the means postulated for generation of such noncondensibles, gases can be vented from the system, thereby ensuring that the flow paths associated with natural circulation core cooling capability are maintained. The venting capability is provided by the pressurizer power-operated relief valves (PORVs) and their associated motor-operated isolation valves, which can be used for the venting of the pressurizer, and by the Reactor Vessel Head Vent System (RVHVS), which provides redundant venting capability of the reactor vessel, RCS hot leg piping, and RCS cold leg piping via bypass leakage paths to the vessel head. The design features of these systems are discussed below.

The capability for venting of the pressurizer and the reactor vessel head is provided via safety grade, Class 1E, environmentally qualified, seismic Category I systems, which meet the single failure criterion assuring both vent opening and vent closing capabilities.

The venting of the pressurizer is provided by redundant pathways each consisting of a solenoid-operated PORV and a motor-operated PORV isolation valve. The PORVs are normally closed, fail closed, solenoid valves that are energized to open. The PORV isolation valves are normally open.

The PORV isolation valve is closed by the operator should a PORV fail to close (see Appendix 7A, Item II.K.3.1). The pressurizer PORVs are described in further detail in Section 5.4.13 and the PORV isolation valves in Section 5.4.12.

The venting of the reactor vessel head is provided by redundant, parallel pathways, each consisting of two normally closed, fail-closed, solenoid-actuated isolation valves, which are energized to open and are powered from the same safety train. The piping up to and including the isolation valves is designated Safety Class 1. Two parallel, energize-to-open, fail-closed solenoid throttling valves are provided downstream of the isolation valves. The solenoid throttling valves are powered from the same safety trains as the solenoid vent valves. The throttling valves are controlled using the Qualified Display Processing System (QDPS), described in Section 7.5.6. The RVHVS is described in further detail in Section 5.4.15.

The design of the RCS venting systems, as described above, minimizes the probability of an inadvertent opening and the consequence of such an opening. Valves are provided in series to terminate a LOCA that could result if an open valve could not be reclosed. Postulated piping failures in the RCS venting systems are enveloped by the analyses of Section 15.6.

The pressurizer PORVs and RVHVS discharge to the pressurizer relief tank (PRT). Small amounts of gas can be vented to the PRT without being released to the Containment atmosphere. Post-accident, larger volumes of gas would be vented to the Containment through the PRT rupture disk.

Position indication is provided in the control room for the pressurizer PORVs, PORV isolation valves, and the reactor vessel head vent isolation and throttling valves. The valves are remotely operable from the control room. A human factors analysis of the controls and displays was performed during the CRDR (See Appendix 7A, Supplement S.5).

The pressurizer PORVs, PORV isolation valves and the reactor vessel head vent isolation and throttling valves will be operability tested per ASME Code, Section XI (see Sections 5.4.12 and 5.4.13). The Westinghouse Owners Group (WOG) has developed ERGs that address RCS venting. The ERGs were used as guidance to develop the STPEGS procedures for RCS venting.

II.B.2 DESIGN REVIEW OF SHIELDING AND ENVIRONMENTAL QUALIFICATION OF EQUIPMENT FOR SPACES/SYSTEMS WHICH MAY BE USED IN POST-ACCIDENT OPERATIONS

Position

With the assumption of a post-accident release of radioactivity equivalent to that described in RGs 1.3 and 1.4 (i.e., the equivalent of 50 percent of the core radioiodine, 100 percent of the core noble gas inventory, and 1 percent of the core solids are contained in the primary coolant), each licensee shall perform a radiation and shielding-design review of the spaces around systems that may, as a result of an accident, contain highly radioactive materials. The design review should identify the location of vital areas and equipment, such as the control room, radwaste control stations, emergency power supplies, motor control centers, and instrument areas in which personnel occupancy may be unduly limited or safety equipment may be unduly degraded by the radiation fields during postaccident operations of these systems.

Each licensee shall provide for adequate access to vital areas and protection of safety equipment by design changes, increased permanent or temporary shielding, or post-accident procedural controls. The design review shall determine which types of corrective actions are needed for vital areas throughout the facility.

Clarification

The purpose of this item is to ensure that licensees examine their plants to determine what actions can be taken over the short-term to reduce radiation levels and increase the capability of operators to control and mitigate the consequences of an accident. These actions should be taken pending conclusions resulting in the long-term degraded core rulemaking, which may result in a need to consider additional sources.

Any area which will or may require occupancy to permit an operator to aid in the mitigation of or recovery from an accident is designated as a vital area. For the purposes of this evaluation, vital areas and equipment are not necessarily the same vital areas or equipment defined in 10 CFR 73.2 for security purposes. The security center is listed as an area to be considered as potentially vital, since access to this area may be necessary to take action to give access to other areas in the plant.

The control room, technical support center (TSC), sampling station and sample analysis area must be included among those areas where access is considered vital after an accident. (See Item III.A.1.2 for discussion of the TSC and emergency operations facility.) The evaluation to determine the necessary vital areas should also include, but not be limited to, consideration of the post-LOCA hydrogen control system, Containment isolation reset control area, manual ECCS alignment area (if any), motor control centers (MCCs), instrument panels, emergency power supplies, security center, and radwaste control panels. Dose rate determinations need not be for these areas if they are determined not to be vital.

As a minimum, necessary modifications must be sufficient to provide for vital system operation and for occupancy of the control room, TSC, sampling station, and sample analysis area.

In order to assure that personnel can perform necessary post-accident operations in the vital areas, the following guidance is to be used by licensees to evaluate the adequacy of radiation protection to the operators:

(1) Source Term

The minimum radioactive source term should be equivalent to the source terms recommended in RGs 1.3, 1.4, 1.7, and Standard Review Plan (SRP) 15.6.5 with appropriate decay times based on plant design (i.e., you may assume the radioactive decay that occurs before fission products can be transported to various systems).

(a) Liquid-Containing Systems: 100 percent of the core equilibrium noble gas inventory, 50 percent of the core equilibrium halogen inventory, and 1 percent of all others are assumed to be mixed in the reactor coolant and liquids recirculated by residual heat removal (RHR), high-pressure coolant injection (HPCI) and low-pressure coolant injection (LPCI), or the equivalent of these systems. In determining the source term for recirculated, depressurized cooling water, you may assume that the water contains no noble gases.

(b) Gas-Containing Systems: 100 percent of the core equilibrium noble gas inventory and 25 percent of the core equilibrium halogen activity are assumed to be mixed in the Containment atmosphere. For vapor-containing lines connected to the primary system (e.g., BWR steam lines), the concentration of radioactivity shall be determined assuming the activity is contained in the vapor space in the primary coolant system.

(2) Systems Containing the Source

Systems assumed in your analysis to contain high levels of radioactivity in a post-accident situation should include, but not be limited to, Containment, residual heat removal system (RHRS), safety injection systems (SIS), chemical and volume control system (CVCS), Containment spray recirculation system, sample lines, gaseous radwaste systems, and standby gas treatment systems (or equivalent of these systems). If any of these systems or others that could contain high levels of radioactivity were excluded, you should explain why such systems were excluded. Radiation from leakage of systems located outside of Containment need not be considered for this analysis. Leakage measurement and reduction is treated under Item III.D.1.1, "Integrity of Systems Outside Containment Likely To Contain Radioactive Material for PWRs and BWRs". Liquid waste systems need not be included in this analysis. Modifications to liquid waste systems will be considered after completion of Item III.D.1.4, "Radwaste System Design Features To Aid in Accident Recovery and Decontamination".

(3) Dose Rate Criteria

The design dose rate for personnel in a vital area should be such that the guidelines of GDC 19 will not be exceeded during the course of the accident. GDC 19 requires that adequate radiation protection be provided such that the dose to personnel should not be in excess of 5 rem whole body, or its equivalent to any part of the body for the duration of the accident. When determining the dose to an operator, care must be taken to determine the necessary occupancy times in a specific area. For example, areas requiring continuous occupancy will require much lower dose rates than areas where minimal occupancy is required. Therefore, allowable dose rates will be based upon expected occupancy, as well as the radioactive source terms and shielding. However, in order to provide a general design objective, we are providing the following dose rate criteria with alternatives to be documented on a case-by-case basis. The recommended dose rates are average rates in the area. Local hot spots may exceed the dose rate guidelines. These doses are design objectives and are not to be used to limit access in the event of an accident.

(a) Areas Requiring Continuous Occupancy: <15 mrem/hr (averaged over 30 days). These areas will require full-time occupancy during the course of the accident. The control room and onsite TSC are areas where continuous occupancy will be required. The dose rate for these areas is based on the control room occupancy factors contained in SRP 6.4.

(b) Areas Requiring Infrequent Access: GDC 19. These areas may require access on an irregular basis, not continuous occupancy. Shielding should be provided to allow access at a frequency and duration estimated by the licensee. The plant radiochemical/chemical analysis laboratory, radwaste panel, motor control center, instrumentation locations, and reactor coolant and Containment gas sample stations are examples of sites where occupancy may be needed often, but not continuously.

(4) Radiation Qualification of Safety-Related Equipment

The review of safety-related equipment which may be unduly degraded by radiation during post-accident operation of this equipment relates to equipment inside and outside of the primary Containment. Radiation source terms calculated to determine environmental qualification of safety-related equipment consider the following:

(a) LOCA events which completely depressurize the primary system should consider releases of the source term (100 percent noble gases, 50 percent iodines, and 1 percent particulates) to the Containment atmosphere.

(b) LOCA events in which the primary system may not depressurize should consider the source term (100 percent noble gases, 50 percent iodines, and 1 percent particulate) to remain in the primary coolant. This method is used to determine the qualification doses for equipment in close proximity to recirculating fluid systems inside and outside of Containment. Non-LOCA events both inside and outside of Containment should use 10 percent noble gases, 10 percent iodines, and 0 percent particulate as a source term.

STPEGS Position

A review of the post-accident radiation environment for both access and equipment qualification has been performed using the methodology and assumptions described below.

Source Terms

For analyses of post-accident radiation zones, the core inventory for STPEGS was generated using a 3-region core model (300, 600, 900 effective full-power days [EFPD]) with a conservative core power level of 4100 MWt. This core inventory was partitioned as follows (using TID-based source terms):

Airborne Source: 100 percent noble gas, 50 percent halogens
Liquid Source: 50 percent halogens, 1 percent solids

Each source was diluted by the appropriate dilution volume. In the airborne case this was the Containment net free volume, while in the liquid case it was the total liquid volume of the primary system, accumulators, and the available volume of the refueling water storage tank (RWST).

The airborne source was assumed to be instantaneously released and distributed throughout the Containment atmosphere. In the liquid case the source was decayed for a short period equal to the time required for recirculation to begin. It was assumed to be distributed in the Containment sump (no decay assumed), portions of the RHR, SI, and Containment Spray systems.

The 30-day integrated Control Room and Technical Support Center (TSC) doses were determined using the Alternate Source Term (AST) assumptions in RG 1.183.

Post-Accident Radiation Zones

Using the TID-based source terms described, radiation zone maps were generated for the Reactor Containment Building (RCB), Mechanical and Electrical Auxiliary Building (MEAB), Fuel Handling Building (FHB), and the Isolation Valve Cubicle (IVC). The resulting zone maps can be found in Section 12.3 (Figure 12.3.1-19 through 36) for the time t=0 after the accident.

(1) Continuous Occupancy

The areas requiring continuous occupancy, Control Room (Section 6.4) and the TSC, were found to have an average dose rate less than 15 mR/hr for the 30 days following the accident. The 30-day integrated doses were determined using the AST assumptions in RG 1.183 and found to be below GDC 19 limits (Table II.B.2-2).

(2) Infrequent Access

The infrequent access areas were reviewed in conjunction with the use of the post-accident radiation zones found in Section 12.3. Using these drawings, a review was made of the routes used to reach each area and the expected dose rates at each location were analyzed. Based on this review, each of the areas was found to be accessible from the control room. The area dose rate at various times, for each location, after the accident has been provided in Table II.B.2-2. In the event entry is required in these areas, due consideration is given to the dose rates expected and appropriate time limits for presence in the area are imposed to ensure that the doses received will not exceed GDC 19 limits.

An evaluation was performed to confirm that the use of the AST in RG 1.183 does not negatively impact the post-LOCA radiation zones or the vital area access doses. The revised Chapter 15 dose analyses using updated isotopic source terms and AST do result in a slight increase in vital area doses for the Steam Generator Tube Rupture Accident. However, the results remain within regulatory limits.

Radiation Qualification of Safety Related Equipment

The same TID-based source terms, described above, were employed in obtaining the post-accident qualification doses. (LOCA doses were found to bound the high energy line break (HELB) doses).

Further discussion and the results of the analysis can be found in Section 3.11.

Table II.B.2-1 summarizes these considerations.

TABLE 7.A.II.B.2-1
RADIATION SOURCE TERMS FOR ENVIRONMENTAL QUALIFICATION OF SAFETY-RELATED EQUIPMENT

| Containment | LOCA Source Term (Noble Gas/Iodine/Particulate), Percent | Non-LOCA High Energy Line Break Source Term (Noble Gas/Iodine/Particulate), Percent |
|---|---|---|
| Outside | (100/50/1) in RCS | (10/10/0) in RCS |
| Inside | Larger of (100/50/1) in Containment or (100/50/1) in RCS | (10/10/0) in RCS |

TABLE 7.A.II.B.2-2
POST-ACCIDENT RADIATION LEVELS/DOSES

Continuous Occupancy Areas:

| Area | 30 day Doses (Rem) |
|---|---|
| Control Room | (See Tables in Chapter 15 for doses from individual accidents) |
| Technical Support Center | (See Tables in Chapter 15 for doses from individual accidents) |

Infrequent Access Areas:

Dose Rate (R/Hr) by time after accident:

| UFSAR Figure Reference | Area | 1 hr | 1 day | 1 wk | 1 month |
|---|---|---|---|---|---|
| 12.3.1-36 | Post-accident sample station | 0.75 | 4.5 x 10^-2 | 1.1 x 10^-2 | 6 x 10^-4 |
| 12.3.1-27 | Health Physics counting room | 6 x 10^-3 | 3.6 x 10^-4 | 9 x 10^-5 | 4.8 x 10^-6 |
| 12.3.1-27 | Radwaste counting room | 3.1 x 10^-2 | 1.8 x 10^-3 | 4.6 x 10^-4 | 2.4 x 10^-5 |
| 12.3.1-28 | Plant vent radiation monitor | 4.74 | 0.28 | 7.1 x 10^-2 | 3.8 x 10^-3 |
| 12.3.1-25 | Auxiliary shutdown panel | 8 x 10^-4 | 4.8 x 10^-5 | 1.2 x 10^-5 | 6.4 x 10^-7 |

II.B.3 POST-ACCIDENT SAMPLING CAPABILITY

Position

A design and operational review of the reactor coolant and Containment atmosphere sample line systems shall be performed to determine the capability of personnel to promptly obtain (less than 1 hour) a sample under accident conditions without incurring a radiation exposure to any individual in excess of 3 and 18-3/4 rem to the whole body or extremities, respectively. Accident conditions should assume an RG 1.3 or 1.4 release of fission products. If the review indicates that personnel could not promptly and safely obtain the samples, additional design features or shielding should be provided to meet the criteria.

A design and operational review of the radiological spectrum analysis facilities shall be performed to determine the capability to promptly quantify (in less than 2 hours) certain radionuclides that are indicators of the degree of core damage. Such radionuclides are noble gases (which indicate cladding failure), iodines and cesiums (which indicate high fuel temperatures), and nonvolatile isotopes (which indicate fuel melting). The initial reactor coolant spectrum should correspond to an RG 1.3 or 1.4 release. The review should also consider the effects of direct radiation from piping and components in the auxiliary building and possible contamination and direct radiation from airborne effluents. If the review indicates that analyses required cannot be performed in a prompt manner with existing equipment, then design modifications or equipment procurement shall be undertaken to meet the criteria. In addition to the radiological analyses, certain chemical analyses are necessary for monitoring reactor conditions. Procedures shall be provided to perform boron and chloride chemical analyses assuming a highly radioactive initial sample (RG 1.3 or 1.4 source term). Both analyses shall be capable of being completed promptly (i.e., the boron sample analysis within an hour and the chloride sample within the shift).

Clarification

The following items are clarifications of requirements identified in NUREG-0578, NUREG-0660, or the September 13 and October 30, 1979 and December 27, 1983 clarification letters.

Criterion:

(1) The licensee shall have the capability to promptly obtain reactor coolant samples and Containment atmosphere samples. The combined time allotted for sampling and analysis should be 3 hours or less from the time a decision is made to take a sample.

Clarification:

Provide information on sampling(s) and analytical laboratories locations including a discussion of relative elevations, distances, and methods for sample transport. Responses to this item should also include a discussion of sample recirculation, sample handling and analytical times to demonstrate that the 3-hour time limit will be met (see (6) below relative to radiation exposure). Also describe provisions for sampling during loss of off-site power (i.e., designate an alternative backup power source, not necessarily the vital (Class 1E) bus, that can be energized in sufficient time to meet the 3-hour sampling and analysis time limit).

Criterion:

(2) The licensee shall establish an onsite radiological and chemical analysis capability to provide, within the 3-hour time frame established above, quantification of the following:

(a) certain radionuclides in the reactor coolant and Containment atmosphere that may be indicators of the degree of core damage (e.g., noble gases, iodines and cesiums, and nonvolatile isotopes);

(b) hydrogen levels in the Containment atmosphere;

(c) dissolved gases (e.g., H2), chloride (time allotted for analysis subject to discussion below), and boron concentration of liquids.

(d) Alternatively, have in-line monitoring capabilities to perform all or part of the above analyses.

Clarification:

2(a) A discussion of the counting equipment capabilities is needed, including provisions to handle samples and reduce background radiation to minimize personnel radiation exposures as low as is reasonably achievable (ALARA).

Also a procedure is required for relating radionuclide concentrations to core damage. The procedure should include:

1. Monitoring for short- and long-lived volatile and nonvolatile radionuclides such as Xe-133, I-131, Cs-137, Cs-134, Kr-85, Ba-140 and Kr-88 (See Vol. II, Part 2, pp. 524-527 of Rogovin Report for further information).

2. Provisions to estimate the extent of core damage based on radionuclide concentrations and taking into consideration other physical parameters such as core temperature data and sample location.

2(b) Show a capability to obtain a grab sample, transport and analyze for hydrogen.

2(c) Discuss the capabilities to sample and analyze for the accident sample species listed here and in RG 1.97, Rev. 2.

2(d) Provide a discussion of the reliability and maintenance information to demonstrate that the selected on-line instrument is appropriate for this application.

(See (8) and (10) below relative to backup grab sample capability and instrument range and accuracy).

Criterion:

(3) Reactor coolant and Containment atmosphere sampling during post-accident conditions shall not require an isolated auxiliary system [e.g., the letdown system, reactor water cleanup system (RWCUS)] to be placed in operation in order to use the sampling system.

Clarification:

System schematics and discussions should clearly demonstrate that post-accident sampling, including recirculation, from each sample source is possible without use of an isolated auxiliary system. It should be verified that valves which are not accessible after an accident are environmentally qualified for the conditions in which they must operate.

Criterion:

(4) Pressurized reactor coolant samples are not required if the licensee can quantify the amount of dissolved gases with unpressurized reactor coolant samples. The measurement of either total dissolved gases or H2 gas in reactor coolant samples is considered adequate. Measuring the O2 concentration is recommended, but is not mandatory.

Clarification:

Discuss the method whereby total dissolved gas or hydrogen and oxygen can be measured and related to RCS concentrations. Additionally, if chlorides exceed 0.15 ppm, verification that dissolved oxygen is less than 0.1 ppm is necessary. Verification that dissolved oxygen is 0.1 ppm by measurement of a dissolved hydrogen residual of 10 cc/kg is acceptable for up to 30 days after the accident. Within 30 days, consistent with minimizing personnel radiation exposures ALARA, direct monitoring for dissolved oxygen is recommended.

Criterion:

(5) The time for a chloride analysis to be performed is dependent upon two factors: (a) if the plant's coolant water is seawater or brackish water and (b) if there is only a single barrier between primary Containment systems and the cooling water. Under both of the above conditions the licensee shall provide for a chloride analysis within 24 hours of the sample being taken. For all other cases, the licensee shall provide the analysis to be completed within 4 days.

The chloride analysis does not have to be done onsite.

Clarification:

BWRs on sea or brackish water sites, and plants which use sea or brackish water in essential heat exchangers (e.g., shutdown cooling) that have only single barrier protection between the reactor coolant are required to analyze chloride within 24 hours. All other plants have 96 hours to perform a chloride analysis. Samples diluted by up to a factor of one thousand are acceptable as initial scoping analysis for chloride, provided (1) the results are reported as ___ ppm Cl (the licensee should establish this value; the number in the blank should be no greater than 10.0 ppm Cl) in the RCS and (2) that dissolved oxygen can be verified at <0.1 ppm, consistent with the guidelines above in clarification no. 4. Additionally, if chloride analysis is performed on a diluted sample, an undiluted sample need also be taken and retained for analysis within 30 days, consistent with ALARA.

Criterion:

(6) The design basis for plant equipment for reactor coolant and Containment atmosphere sampling and analysis must assume that it is possible to obtain and analyze a sample without radiation exposures to any individual exceeding the criteria of GDC 19 (Appendix A, 10 CFR Part 50) (i.e., 5 rem whole body, 75 rem extremities). (Note that the design and operational review criterion was changed from the operational limits of 10 CFR Part 20 (NUREG-0578) to the GDC 19 criterion (October 30, 1979 letter from H. R. Denton to all licensees).)

Clarification:

Consistent with RG 1.3 or 1.4 source terms, provide information on the predicted personnel exposures based on person motion for sampling, transport, and analysis of all required parameters.

Criterion:

(7) The analysis of primary coolant samples for boron is required for PWRs. (Note that Rev. 2 of RG 1.97 specifies the need for primary coolant boron analysis capability at BWR plants).

Clarification:

PWRs need to perform boron analysis. The guidelines for BWRs are to have the capability to perform boron analysis but they do not have to do so unless boron was injected.

Criterion:

(8) If in-line monitoring is used for any sampling and analytical capability specified herein, the licensee shall provide backup sampling through grab samples, and shall demonstrate the capability of analyzing the samples.

Established planning for analysis at offsite facilities is acceptable. Equipment provided for backup sampling shall be capable of providing at least one sample per day for 7 days following onset of the accident, and at least one sample per week until the accident condition no longer exists.

Clarification:

A capability to obtain both diluted and undiluted backup samples is required.

Provisions to flush in-line monitors to facilitate access for repair are desirable. If an off-site laboratory is to be relied upon for the backup analysis, an explanation of the capability to ship and obtain analysis for one sample per week thereafter until accident condition no longer exists should be provided.

Criterion:

(9) The licensee's radiological and chemical sample analysis capability shall include provisions to:

(a) Identify and quantify the isotopes of the nuclide categories discussed above to levels corresponding to the source terms given in RGs 1.3 or 1.4 and 1.7. Where necessary and practicable, the ability to dilute samples to provide capability for measurement and reduction of personnel exposure should be provided. Sensitivity of onsite liquid sample analysis capability should be such as to permit measurement of Ci/g.

(b) Restrict background levels of radiation in the radiological and chemical analysis facility from sources such that the sample analysis will provide results with an acceptably small error (approximately a factor of 2). This can be accomplished through the use of sufficient shielding around samples and outside sources, and by the use of a ventilation system design which will control the presence of airborne radioactivity.

Clarification:

(9) (a) Provide a discussion of the predicted activity in the samples to be taken and the methods of handling/dilution that will be employed to reduce the activity sufficiently to perform the required analysis. Discuss the range of radionuclide concentration which can be analyzed for, including an assessment of the amount of overlap between post-accident and normal sampling capabilities.

(9) (b) State the predicted background radiation levels in the counting room, including the contribution from samples which are present. Also provide data demonstrating what the background radiation levels and radiation effect will be on a sample being counted to assure an accuracy within a factor of 2.

Criterion:

(10) Accuracy, range, and sensitivity shall be adequate to provide pertinent data to the operator in order to describe radiological and chemical status of the reactor coolant systems.

Clarification:

The recommended ranges for the required accident sample analyses are given in RG 1.97, Rev. 2. The necessary accuracies within the recommended ranges are as follows:

- Gross activity, gamma spectrum: measured to estimate core damage, these analyses should be accurate within a factor of two across the entire range.

- Boron: measured to verify shutdown margin. In general this analysis should be accurate within +/-5 percent of the measured value (i.e., at 6,000 ppm B the tolerance is +/-300 ppm while at 1,000 ppm B the tolerance is +/-50 ppm). For concentrations below 1,000 ppm the tolerance band should remain at +/-50 ppm.

- Chloride: measured to determine coolant corrosion potential. For concentrations between 0.5 and 20.0 ppm chloride the analysis should be accurate within +/-10 percent of the measured value. At concentrations below 0.5 ppm the tolerance band remains at +/-0.05 ppm.

- Hydrogen to Total Gas: monitored to estimate core degradation and corrosion potential of the coolant. An accuracy of +/-10 percent is desirable between 50 and 2000 cc/kg but +/-20 percent can be acceptable. For concentration below 50 cc/kg the tolerance remains at +/-5.0 cc/kg.

- Oxygen: monitored to assess coolant corrosion potential. For concentrations between 0.5 and 20.0 ppm oxygen the analysis should be accurate within +/-10 percent of the measured value. At concentrations below 0.5 ppm the tolerance band remains at +/-0.05 ppm.

- pH: measured to assess coolant corrosion potential. Between a pH of 5 to 9, reading should be accurate within +/-0.3 pH units. For all other ranges +/-0.5 pH units is acceptable.

To demonstrate that the selected procedures and instrumentation will achieve the above listed accuracies, it is necessary to provide information demonstrating their applicability in the post-accident water chemistry and radiation environment. This can be accomplished by performing tests utilizing the standard test matrix provided below or by providing evidence that the selected procedure or instrument has been used successfully in a similar environment.

Standard Test Matrix For Undiluted Reactor Coolant Sample in a Post-Accident Environment

| Constituent | Nominal Concentration (ppm) | Added as (chemical salt) |
|---|---|---|
| I- | 40 | Potassium Iodide |
| Cs+ | 250 | Cesium Nitrate |
| Ba+2 | 10 | Barium Nitrate |
| La+3 | 5 | Lanthanum Chloride |
| Ce+4 | 5 | Ammonium Cerium Nitrate |
| Cl- | 10 | |
| B | 2000 | Boric Acid |
| Li+ | 2 | Lithium Hydroxide |
| NO3 | 150 | |
| NH4 | 5 | |
| K+ | 20 | |
| Gamma Radiation (Induced Field) | 10^4 rad/gm of Reactor Coolant | Adsorbed Dose |

NOTES:

1) Instrumentation and procedures which are applicable to diluted samples only should be tested with an equally diluted chemical test matrix. The induced radiation environment should be adjusted commensurate with the weight of actual reactor coolant in the sample being tested.

2) For PWRs, procedures which may be affected by spray additive chemicals must be tested in both the standard test matrix plus appropriate spray additives. Both procedures (with and without spray additives) are required to be available.
3) For BWRs, if procedures are verified with boron in the test matrix, they do not have to be tested without boron.
4) In lieu of conducting tests utilizing the standard test matrix for instruments and procedures, provide evidence that the selected instrument or procedure has been used successfully in a similar environment.

All equipment and procedures which are used for post-accident sampling and analyses should be calibrated or tested at a frequency which will ensure, to a high degree of reliability, that it will be available if required. Operators should receive initial and refresher training in post-accident sampling, analysis, and transport. A minimum frequency for the above efforts is considered to be every 6 months if indicated by testing. These provisions should be submitted in revised Technical Specifications in accordance with Enclosure 1 of NUREG-0737. The staff will provide model Technical Specifications at a later date.

Criterion:

(11) In the design of the post-accident sampling and analysis capability, consideration should be given to the following items:

(a) Provisions for purging sample lines, for reducing plateout in sample lines, for minimizing sample loss or distortion, for preventing blockage of sample lines by loose material in the RCS or Containment, for appropriate disposal of the samples, and for flow restrictions to limit reactor coolant loss from a rupture of the sample line. The post-accident reactor coolant and Containment atmosphere samples should be representative of the reactor coolant in the core area and the Containment atmosphere following a transient or accident. The sample lines should be as short as possible to minimize the volume of fluid to be taken from Containment. The residues of sample collection should be returned to Containment or to a closed system.

(b) The ventilation exhaust from the sampling station should be filtered with charcoal absorbers and high-efficiency particulate air (HEPA) filters.

Clarification:

(11) (a) A description of the provisions which address each of the items in clarification 11.a should be provided. Such items, as heat tracing and purge velocities, should be addressed. To demonstrate that samples are representative of core conditions, a discussion of mixing, both short- and long-term, is needed. If a given sample location can be rendered inaccurate due to the accident (i.e., sampling from a hot or cold leg loop which may have a steam or gas pocket) describe the backup sampling capabilities or address the maximum time that this condition can exist. BWRs should specifically address samples which are taken from the core shroud area and demonstrate how they are representative of core conditions. Passive flow restrictors in the sample lines may be replaced by redundant, environmentally qualified, remotely operated isolation valves to limit potential leakage from sampling lines. The automatic Containment isolation valves should close on Containment isolation or safety injection signals.

(11) (b) A dedicated sample station filtration system is not required, provided a positive exhaust exists which is subsequently routed through charcoal absorbers and HEPA filters.

STPEGS Response

1. The requirements of NUREG 0737 for Post Accident Sampling System (PASS) were deleted as part of Amendment No. 133 to Facility Operating License No. NPF-76 and Amendment No. 122 to Facility Operating License No. NPF-80 issued November 7, 2001 via Document ST-AE-NOC-01000894 South Texas Projects, Units 1 and 2 - Issuance of Amendments on the Elimination of Requirements for Post Accident Sampling (TAC Nos. MB2900 and MB2904).

II.B.4 TRAINING FOR MITIGATING CORE DAMAGE

Position

Licensees are required to develop a training program to teach the use of installed equipment and systems to control or mitigate accidents in which the core is severely damaged. They must then implement the training program.

Clarification

Shift technical advisors and operating personnel from the plant manager through the operations chain to the licensed operators shall receive all the training indicated in Enclosure 3 to H. R. Denton's March 28, 1980 letter.

Managers and technicians in the I&C, health physics, and chemistry departments shall receive training commensurate with their responsibilities.

STPEGS Response

This training is provided as described in Section 13.2.1.1 and 13.2.2.4.

II.D.1 PERFORMANCE TESTING OF BOILING-WATER REACTOR AND PRESSURIZED-WATER REACTOR RELIEF AND SAFETY VALVES (NUREG-0578, SECTION 2.1.2)

Position

PWR and BWR licensees and applicants shall conduct testing to qualify the RCS relief and safety valves under expected operating conditions for design-basis transients and accidents.

Clarification

Licensees and applicants shall determine the expected valve operating conditions through the use of analyses of accidents and anticipated operational occurrences referenced in RG 1.70, Rev. 2. The single failures applied to these analyses shall be chosen so that the dynamic forces on the safety and relief valves are maximized. Test pressures shall be the highest predicted by conventional safety analysis procedures. Reactor coolant system relief and safety valve qualification shall include qualification of associated control circuitry, piping and supports, as well as the valves themselves.

A. Performance Testing of Relief and Safety Valves - The following information must be provided in report form by October 1, 1981:

(1) Evidence supported by test of safety and relief valve functionability for expected operating and accident (non-ATWS) conditions must be provided to NRC. The testing should demonstrate that the valves will open and reclose under the expected flow conditions.

(2) Since it is not planned to test all valves on all plants, each licensee must submit to NRC a correlation or other evidence to substantiate that the valves tested in the Electric Power Research Institute (EPRI) or other generic test program demonstrate the functionability of as-installed primary relief and safety valves. This correlation must show that the test conditions used are equivalent to expected operating and accident conditions as prescribed in the UFSAR. The effect of as-built relief and safety valve discharge piping on valve operability must also be accounted for, if it is different from the generic test loop piping.

(3) Test data, including criteria for success and failure of valves tested, must be provided for NRC staff review and evaluation. These test data should include data that would permit plant-specific evaluation of discharge piping and supports that are not directly tested.

B. Qualification of PWR Block Valves - Although not specifically listed as a short-term lessons-learned requirement in NUREG-0578, qualification of PWR block valves is required by the NRC Task Action Plan NUREG-0660 under task item II.D.1. It is the understanding of the NRC that testing of several commonly used block valve designs is already included in the generic EPRI PWR safety and relief valve testing program to be completed by July 1, 1981.

By means of this letter, NRC is establishing July 1, 1982 as the date for verification of block valve functionability. By July 1, 1982, each PWR licensee, for plants so equipped, should provide evidence supported by test that the block or isolation valves between the pressurizer and each power-operated relief valve can be operated, closed, and opened for all fluid conditions expected under operating and accident conditions.

C. ATWS Testing - Although ATWS testing need not be completed by July 1, 1981, the test facility should be designed to accommodate ATWS conditions of approximately 3,200 to 3,500 (Service Level C pressure limit) psi and 700 F with sufficient capacity to enable testing of relief and safety valves of the size and type used on operating PWRs.

STPEGS Response

Reports titled "PWR Safety and Relief Valve Adequacy Report", and "PWR Safety and Relief Valve Test Program, PORV Block Valve Adequacy Report", supported by test of safety and relief valve functionability for expected operating and accident (non-ATWS) conditions, have been completed. In addition, a report titled "Pressurizer Safety and Relief Line Piping and Support Evaluation" has also been completed. These reports were submitted via separate cover letter (see ST-HL-AE-1466 dated October 31, 1985). These reports and the reports referenced therein indicate the valves, piping arrangements, and fluid inlet conditions for South Texas Units 1 and 2 are indeed bounded by those values and test parameters of the EPRI Safety and Relief Valve Test Program. The EPRI tests confirm the ability of the safety, relief and block valves to open and close under the expected operating fluid conditions. Although not specifically addressed by the EPRI Safety and Relief Valve Test Program, the results above provide the information necessary to address ATWS events (i.e., relief capability at high pressure).

II.D.3 DIRECT INDICATION OF RELIEF AND SAFETY VALVE POSITION

Position

Reactor coolant system relief and safety valves shall be provided with a positive indication in the control room derived from a reliable valve position detection device or a reliable indication of flow in the discharge pipe.

Clarification

(1) The basic requirement is to provide the operator with unambiguous indication of valve position (open or closed) so that appropriate operator actions can be taken.

(2) The valve position should be indicated in the control room. An alarm should be provided in conjunction with this indication.

(3) The valve position indication may be safety grade. If the position indication is not safety grade, a reliable single-channel direct indication powered from a vital instrument bus may be provided if backup methods of determining valve position are available and are discussed in the emergency procedures as an aid to operator diagnosis of an action.

(4) The valve position indication should be seismically qualified consistent with the component or system to which it is attached.

(5) The position indication should be qualified for its appropriate environment (any transient or accident that would cause the relief or safety valve to lift) and in accordance with Commission Order, May 23rd, 1980 (CLI 81).

(6) It is important that the displays and controls added to the control room as a result of this requirement not increase the potential for operator error. A human factors analysis should be performed, taking the following into consideration:

(a) The use of this information by an operator during both normal and abnormal plant conditions.

(b) The integration into emergency procedures.

(c) The integration into operator training.

(d) Other alarms during emergency and need for prioritization of alarms.

STPEGS Response

Position indication is provided for each safety valve and PORV that indicates when the valve is not in its fully closed position. The position detectors are seismically and environmentally qualified. Position indication for each valve is displayed in the control room, and an alarm is provided if any of the PORVs or safety valves are not fully closed. Relief and safety valve position indication is further described in Sections 5.4.13 and 7.5, and Appendix 7B.

Other nonsafety-related instrumentation is provided on the valve discharge piping and the PRT to provide alternate means of assessing the status of the safety valves and PORVs (see Figures 5.1-3 and 5.1-4). The integration of the position indication and alarms into the control room design was performed taking into consideration human factors concerns as described in Appendix 7A, Items I.D.1 and S.5.

II.E.1.1 AUXILIARY FEEDWATER SYSTEM EVALUATION

Position

The Office of Nuclear Reactor Regulation is requiring reevaluation of the auxiliary feedwater systems (AFWS) for all PWR operating plant licensees and operating license applications. This action includes:

(1) Perform a simplified AFWS reliability analysis that uses event-tree and fault-tree logic techniques to determine the potential for AFWS failure under various loss-of-main-feedwater-transient conditions. Particular emphasis is given to determining potential failures that could result from human errors, common causes, single-point vulnerabilities, and test and maintenance outages;

(2) Perform a deterministic review of the AFWS using the acceptance criteria of Standard Review Plan Section 10.4.9 and associated Branch Technical Position ASB 10-1 as principal guidance; and

(3) Reevaluate the AFWS flow rate design bases and criteria.

Clarification

Operating Plant Licenses - Items 1 and 2 above have been completed for Westinghouse (W), Combustion Engineering (C-E), and two B&W operating plants (Rancho Seco, short-term only, and TMI-1). As a result of staff review of items 1 and 2, letters were issued to these plants that required the implementation of certain short- and long-term AFWS upgrade requirements. Included in these letters was a request for additional information regarding item 3 above. The staff is now in the process of evaluating licensees' responses and commitments to these letters.

The remaining B&W operating plants (Oconee 1-3, Crystal River 3, ANO-1, and Davis-Besse 1) have submitted the analysis described in item 1 above. The analysis is presently undergoing staff review. When the results of the staff reviews are complete, each of the remaining B&W plants will receive a letter specifying the short- and long-term AFWS upgrade requirements based on item 1 above. Included in these letters will be a request for additional information regarding items 2 and 3 above.

Operating License Applicants - Operating license applicants have been requested to respond to staff letters of March 10, 1980 (W and C-E) and April 24, 1980 (B&W). These responses will be reviewed during the normal review process for these applications.

STPEGS Response

A reliability analysis and deterministic review for the AFWS are provided in Appendix 10A.

STP provided a response to this issue in ST-HL-AE-1546. Pertinent information from this response has been incorporated into the accident analysis described in Section 15, the cooldown analysis described in Section 10.4.9, and the safe shutdown assessment in Section 2 of the Fire Hazards Report.

II.E.1.2 AUXILIARY FEEDWATER SYSTEM AUTOMATIC INITIATION AND FLOW INDICATION

PART 1: Auxiliary Feedwater System Automatic Initiation

Position

Consistent with satisfying the requirements of GDC 20 of Appendix A to 10CFR50 with respect to the timely initiation of the AFWS, the following requirements shall be implemented in the short-term:

(1) The design shall provide for the automatic initiation of the AFWS.

(2) The automatic initiation signals and circuits shall be designed so that a single failure will not result in the loss of AFWS function.

(3) Testability of the initiating signals and circuits shall be a feature of the design.

(4) The initiating signals and circuits shall be powered from the emergency busses.

(5) Manual capability to initiate the AFWS from the control room shall be retained and shall be implemented so that a single failure in the manual circuits will not result in the loss of system function.

(6) The AC motor-driven pumps and valves in the AFWS shall be included in the automatic actuation (simultaneous and/or sequential) of the loads onto the emergency busses.

(7) The automatic initiating signals and circuits shall be designed so that their failure will not result in the loss of manual capability to initiate the AFWS from the control room.

In the long term, the automatic initiation signals and circuits shall be upgraded in accordance with safety-grade requirements.

Clarification

The intent of this recommendation is to assure a reliable automatic initiation system. This objective can be met by providing a system that meets all the requirements of Institute of Electrical and Electronics Engineers (IEEE) Standard 279-1971. The staff has determined that the following salient paragraphs of IEEE 279-1971 should be addressed as a minimum:

IEEE 279-1971, Paragraph

4.1 General Functional Requirements

4.2 Single Failure

4.3, 4.4 Qualification

4.6 Channel Independence

4.7 Control and Protection System Interaction

4.9, 4.10 Capability for Testing

4.11 Channel Bypass

4.12 Operating Bypass

4.13 Indication of Bypass

4.17 Manual Initiation

STPEGS Response

Safety-grade automatic initiation of the AFWS is provided as described in Sections 7.3 and 10.4.9. The automatic initiation meets the appropriate requirements of IEEE 279-1971.

PART 2: Auxiliary Feedwater System Flow Rate Indication

Position

Consistent with satisfying the requirements set forth in GDC 13 to provide the capability in the control room to ascertain the actual performance of the AFWS when it is called upon to perform its intended function, the following requirements shall be implemented:

(1) Safety-grade indication of AFW flow to each SG shall be provided in the control room.

(2) The AFW flow instrument channels shall be powered from the emergency busses, consistent with satisfying the emergency power diversity requirements of the AFW system set forth in Auxiliary Systems Branch Technical Position 10-1 of the SRP, Section 10.4.9.

Clarification

The intent of this recommendation is to assure a reliable indication of AFWS performance. This objective can be met by providing an overall indication system that meets the following appropriate design principles:

(1) For Babcock and Wilcox Plants (Not applicable to STPEGS)

(2) For Westinghouse and Combustion Engineering Plants

(a) To satisfy these requirements, W and CE plants must provide as a minimum one AFW flow rate indicator and one wide-range SG level indicator for each SG or two flow rate indicators.

(b) The flow indication system should be:

(i) Environmentally qualified

(ii) Powered from highly reliable, battery-backed non-Class 1E power source

(iii) Periodically testable

(iv) Part of plant quality assurance program

(v) Capable of display on demand

It is important that the displays and controls added to the control room as a result of this requirement not increase the potential for operator error. A human factors analysis should be performed taking into consideration:

(1) The use of this information by an operator during both normal and abnormal plant conditions.

(2) The integration into emergency procedures.

(3) The integration into operator training.

(4) Other alarms during emergency and need for prioritization of alarms.

STPEGS Response

Safety-grade AFW flow indication to each SG is provided as described in Sections 7.5 and 10.4.9 and Appendix 7B.

Safety-grade wide-range SG water level indication is provided as described in Section 7.5 and Appendix 7B.

The integration of the AFW and wide-range SG water level displays into the control room was performed taking into consideration human factors concerns as described in Appendix 7A (Items I.D.1 and S.5) and Appendix 7B.

II.E.3.1 EMERGENCY POWER SUPPLY FOR PRESSURIZER HEATERS

Position

Consistent with satisfying the requirements of GDC 10, 14, 15, 17, and 20 of Appendix A to 10CFR Part 50 for the event of loss of offsite power, the following positions shall be implemented:

(1) The pressurizer heater power supply design shall provide the capability to supply, from either the offsite power source or the emergency power source (when offsite power is not available), a predetermined number of pressurizer heaters and associated controls necessary to establish and maintain natural circulation at hot standby conditions. The required heaters and their controls shall be connected to the emergency buses in a manner that will provide redundant power supply capability.

(2) Procedures and training shall be established to make the operator aware of when and how the required pressurizer heaters shall be connected to the emergency buses. If required, the procedures shall identify under what conditions selected emergency loads can be shed from the emergency power source to provide sufficient capacity for the connection of the pressurizer heaters.

(3) The time required to accomplish the connection of the preselected pressurizer heater to the emergency buses shall be consistent with the timely initiation and maintenance of natural circulation conditions.

(4) Pressurizer heater motive and control power interfaces with the emergency buses shall be accomplished through devices that have been qualified in accordance with safety-grade requirements.

Clarification

(1) Redundant heater capacity must be provided, and each redundant heater or group of heaters should have access to only one Class 1E division power supply.

(2) The number of heaters required to have access to each emergency power source is that number required to maintain natural circulation in the hot standby condition.

(3) The power sources need not necessarily have the capacity to provide power to the heaters concurrently with the loads required for LOCA.

(4) Any changeover of the heaters from normal offsite power to emergency onsite power is to be accomplished manually in the control room.

(5) In establishing procedures to manually load the pressurizer heaters onto the emergency power sources, careful consideration must be given to:

(a) which engineered safety feature (ESF) loads may be appropriately shed for a given situation;

(b) reset of the safety injection actuation signal to permit the operation of the heaters; and

(c) instrumentation and criteria for operator use to prevent overloading a diesel generator.

(6) The Class 1E interfaces for main power and control power are to be protected by safety-grade circuit breakers (see also RG 1.75).

(7) Being non-Class 1E loads, the pressurizer heaters must be automatically shed from the emergency power sources upon the occurrence of a safety injection actuation signal (see item 5.b. above).

Documentation Required

The applicant shall provide sufficient documentation to support a reasonable assurance finding by the NRC that each of the subparts of the position stated above are met. The documentation should include, as a minimum, supporting information including system design description, logic diagrams, electrical schematic, test procedures, and Technical Specifications.

Technical Specification Changes Required

Changes to Technical Specifications (if any) should be submitted as part of this response.

STPEGS Response

The following are in response to the above positions and clarifications.

Position

(1) As stated in Section 8.3.1.1.4.1.1, two banks of pressurizer heaters are independently supplied from separate Class 1E systems, one from ESF Train A and one from ESF Train C. All loads connected to the Class 1E system have the capability of being supplied from the offsite power source and the emergency on-site (i.e., standby diesel generator (DG)) power source. The control circuits required for this emergency condition for these two heater banks are supplied from independent Class 1E DC systems. Only one set of heaters is required to maintain natural circulation at hot standby conditions.

(2) As indicated in Table 8.3-3, these pressurizer heaters are capable of being manually loaded on the standby DG during LOOP. It is not necessary to shed load to connect these heaters to the standby DG. These heaters can be manually controlled from the Main Control Board or the Auxiliary Shutdown Panel (ASP). Procedures and training will include the operation of these heaters.

(3) As indicated in Table 8.3-3, the pressurizer heaters can be manually energized upon completion of load sequencing after LOOP if an SI signal is not present. (SI must be reset before the heaters can be energized.) This ensures the capability for maintenance of natural circulation.

(4) The pressurizer heater power and control system power interfaces with the emergency buses are accomplished through isolation devices qualified as Class 1E.

Clarification

(1) Each of the two pressurizer heater banks has access to only one Class 1E train.

(2) Either redundant bank of heaters will maintain natural circulation.

(3) These heaters are not required during LOCA or Main Steam Line Break (MSLB) conditions. Under administrative control, each standby DG has capacity to supply the necessary pressurizer heaters concurrently with LOOP loads.

(4) These heaters are powered from ESF buses. Therefore, no manual changeover from normal offsite to onsite power is required. The heaters are to be manually loaded on the ESF busses.

The heaters are not automatically sequenced and the SI signal must be reset before the heaters can be loaded on the ESF busses.

(5) (a) Load shedding is not required. Each standby DG has the capacity to supply the necessary pressurizer heaters concurrently with LOOP loads (LOCA/MSLB loads not present).

(b) Procedures have been established for resetting the SI signal. The SI signal must be reset to energize these heaters.

(c) Not applicable. See Clarification (3) above.

(6) The power and control circuits for these pressurizer heaters are from Class 1E load centers E1A and E1C. Isolation devices are qualified as Class 1E devices.

(7) As stated in Section 8.3.1.1.4.1.1 these heaters are disconnected in the presence of an SI signal.

Documentation Required

System description and testing are discussed in Section 8.3. The logic diagram for the pressurizer heaters is shown on Figure 7.4-2.

Technical Specification Changes Required

The STPEGS Technical Specifications have been submitted.

II.E.4.1 DEDICATED HYDROGEN PENETRATIONS

Position

Plants using external recombiners or purge systems for post-accident combustible gas control of the Containment atmosphere should provide Containment penetration systems for external recombiner or purge systems that are dedicated to that service only, that meet the redundancy and single-failure requirements of GDC54 and 56 of Appendix A to 10CFR50, and that are sized to satisfy the flow requirements of the recombiner or purge system.

The procedures for the use of combustible gas control systems following an accident that results in a degraded core and release of radioactivity to the Containment must be reviewed and revised, if necessary.

Clarification

(1) An acceptable alternative to the dedicated penetration is a combined design that is single-failure-proof for Containment isolation purposes and single-failure-proof for operation of the recombiner or purge system.

(2) The dedicated penetration or the combined single-failure-proof alternative shall be sized such that the flow requirements for the use of the recombiner or purge system are satisfied. The design shall be based on 10CFR50.44 requirements.

(3) Components furnished to satisfy this requirement shall be safety grade.

(4) Licensees that rely on purge systems as the primary means for controlling combustible gases following a LOCA should be aware of the positions taken in SECY 399, "Proposed Interim Amendments to 10CFR Part 50 Related to Hydrogen Control and Certain Degraded Core Considerations". This proposed rule, published in the Federal Register on October 2, 1980, would require plants that do not now have recombiners to have the capacity to install external recombiners by January 1, 1982. (Installed internal recombiners are an acceptable alternative to the above.)

(5) Containment atmosphere dilution systems are considered to be purge systems for the purposes of implementing the requirements of this TMI Task Action item.

STPEGS Response

Per 10CFR50.44, hydrogen recombiners are no longer required for design basis accidents. Therefore, dedicated hydrogen control penetrations are not required, and this item is not applicable to STPEGS.

A nonsafety-related means of purging hydrogen from the Containment is provided. Only the penetrations and the Containment isolation valves are safety-related in the Supplementary Containment Purge System (Section 9.4.5.2.7). Since this system is not the primary means for controlling hydrogen, these penetrations are not the subject of this item.

Since the hydrogen recombiners are not used, the shielding and personnel exposure limitations associated with recombiner use and development of procedures for reduction of doses are not applicable to STPEGS.

II.E.4.2 CONTAINMENT ISOLATION DEPENDABILITY

Position

(1) Containment isolation system designs shall comply with the recommendations of SRP Section 6.2.4 (i.e., that there be diversity in the parameters sensed for the initiation of Containment isolation).

(2) All plant personnel shall give careful consideration to the definition of essential and nonessential systems, identify each system determined to be essential, identify each system determined to be nonessential, describe the basis for selection of each essential system, modify their Containment isolation designs accordingly, and report the results of the reevaluation to the NRC.

(3) All nonessential systems shall be automatically isolated by the Containment isolation signal.

(4) The design of control systems for automatic Containment isolation valves shall be such that resetting the isolation signal will not result in the automatic reopening of Containment isolation valves. Reopening of Containment isolation valves shall require deliberate operator action.

(5) The Containment setpoint pressure that initiates Containment isolation for nonessential penetrations must be reduced to the minimum compatible with normal operating conditions.

(6) Containment purge valves that do not satisfy the operability criteria set forth in Branch Technical Position (BTP) CSB 6-4 or the Staff Interim Position of October 23, 1979, must be sealed closed as defined in SRP 6.2.4, item II.3.f during operational conditions 1, 2, 3, and 4. Furthermore, these valves must be verified to be closed at least every 31 days. (A copy of the Staff Interim Position is enclosed as Attachment 1.)

(7) Containment purge and vent isolation valves must close on a high radiation signal.

Clarification

(1) The reference to SRP 6.2.4 in position 1 is only to the diversity requirements set forth in that document.

(2) For post-accident situations, each nonessential penetration (except instrument lines) is required to have two isolation barriers in series that meet the requirements of GDC54, 55, 56, and 57, as clarified by SRP, Section 6.2.4. Isolation must be performed automatically (i.e., no credit can be given for operator action). Manual valves must be sealed closed, as defined by SRP, Section 6.2.4, to qualify as an isolation barrier. Each automatic isolation valve in a nonessential penetration must receive the diverse isolation signals.

(3) Revision 2 to RG 1.141 will contain guidance on the classification of essential versus nonessential systems and is due to be issued by June 1981. Requirements for operating plants to review their list of essential and nonessential systems will be issued in conjunction with this Guide, including an appropriate time schedule for completion.

(4) Administrative provisions to close all isolation valves manually before resetting the isolation signals is not an acceptable method of meeting position 4.

(5) Ganged reopening of Containment isolation valves is not acceptable. Reopening of isolation valves must be performed on a valve-by-valve basis, or on a line-by-line basis, provided electrical independence and other single-failure criteria continue to be satisfied.

(6) The Containment pressure history during normal operation should be used as a basis for arriving at an appropriate minimum pressure setpoint for initiating Containment isolation. The pressure setpoint selected should be far enough above the maximum observed (or expected) pressure inside the Containment during normal operation so that inadvertent Containment isolation does not occur during normal operation from instrument drift or fluctuations due to the accuracy of the pressure sensor. A margin of 1 psi above the maximum expected Containment pressure should be adequate to account for instrument error. Any proposed values greater than 1 psi will require detailed justification. Applicants for an operating license and operating plant licensees that have operated less than one year should use pressure history data from similar plants that have operated more than one year, if possible, to arrive at a minimum Containment setpoint pressure.

(7) Sealed-closed purge isolation valves shall be under administrative control to assure that they cannot be inadvertently opened. Administrative control includes mechanical devices to seal or lock the valve closed, or to prevent power from being supplied to the valve operator. Checking the valve position light in the control room is an adequate method for verifying every 24 hours that the purge valves are closed.

STPEGS Response

(1) The STPEGS Containment isolation signal is generated by diverse parameters. Containment phase A isolation, steam line isolation, FW line isolation, and Containment ventilation isolation are all initiated by the SI signal. The SI signal is initiated by the following parameters:

Containment pressure HI-1

Pressurizer low pressure

Low compensated steamline pressure

Manual actuation

Containment phase A isolation and steam line isolation may also be initiated manually.

The Containment phase B isolation signal is initiated automatically by Containment pressure HI-3 and may be manually initiated by the manual Containment spray switches.

Containment ventilation isolation is also initiated by high Containment purge radiation. The Containment isolation system is described in more detail in Sections 6.2.4 and 7.3.

(2) A reevaluation of the classification of each system penetrating the Containment has been performed. The results of this reevaluation are indicated on Figure 6.2.4-1. Justifications for those systems classified as essential are provided below:

Main Steam to Turbine-Driven AFW Pump: The main steam supply to the turbine-driven AFW pump is essential to ensure that the AFW pump is provided with steam for motive power. The main steam system is described in further detail in Section 10.3.

Auxiliary Feedwater System: The AFWS is required post-accident to maintain SG inventory and provide decay heat removal. The AFWS is described in further detail in Section 10.4.9.

Safety Injection System: The low head and high head SI subsystems are required to provide emergency core cooling post-accident. The low head safety injection (LHSI) subsystem, in conjunction with the RHR heat exchangers, is required for decay heat removal. The SI system is described in further detail in Section 6.3.

Containment Spray System: The Containment Spray System (CSS) is required post-accident for Containment cooling and airborne iodine removal. The CSS is described in further detail in Sections 6.2.2 and 6.5.2.

Component Cooling Water to Reactor Containment Fan Coolers: CCW to the RCFCs is required to provide Containment cooling. The RCFCs are described in further detail in Section 6.2.2. The CCWS is described in further detail in Section 9.2.2.

Component Cooling Water to Residual Heat Removal Heat Exchangers: The CCW supply to the RHR heat exchangers is required to provide decay heat removal in conjunction with the LHSI system. See Section 6.3 for ECCS operation and Section 9.2.2 for CCW system operation.

Component Cooling Water to Reactor Coolant Pumps: During many of the postulated accidents and transients, the capability to operate the RCPs is very desirable. Without the LOOP, the RCPs are manually tripped by the operator when determined necessary to do so. The CCW supply to the RCPs is used to maintain seal integrity during RCP operation. The CCWS is described in further detail in Section 9.2.2. A subsystem of the CCW to the RCP heat exchangers also provides cooling water to the Reactor Coolant Drain Tank heat exchanger and the Excess Letdown heat exchanger. The supply lines to these heat exchangers are isolated by Class 3 motor-operated valves (1 common and 1 in each heat exchanger branch line) while the return lines have Class 3 check valves (2 in each line). These heat exchangers are not essential and, therefore, the branch lines to these heat exchangers are isolated by an SI signal. The Containment penetrations are not isolated for this subsystem until a HI-3 setpoint is reached.

Reactor Coolant Pump Seal Injection: The RCP seal injection is used to maintain the integrity of the RCP seals. The RCP seal injection isolation valves are isolated upon receipt of a Containment phase A isolation signal concurrent with a charging header low pressure signal, indicative of a charging system failure. Thus, by providing the CCW to the RCPs and also the RCP seal injection, the RCP seal integrity is ensured.

RCP seal injection is described in further detail in Section 9.3.4.

Containment Pressure Monitoring System (Normal and Wide-Range): Containment pressure monitoring instrumentation is required post-accident for the detection of potential or actual breach of the Containment. Containment isolation is provided by the use of a sealed bellows arrangement inside the Containment and a diaphragm in the pressure transmitter outside the Containment. The Containment pressure monitoring system is described in further detail in Section 6.2.4.

RCS Wide-Range Pressure: The RCS wide-range pressure transmitters are required for post-accident monitoring and SI termination. Containment isolation is provided by a sealed bellows arrangement inside the Containment with armored capillary tubing to the penetration and a sealed bellows arrangement outside the Containment. The RCS primary fluid is contained by the inside Containment bellows assembly. The capillary tubing penetrating the Containment is filled with distilled water. Thus a double Containment isolation barrier to both the RCS primary fluid and the Containment atmosphere is provided. The RCS wide range pressure instrumentation is discussed in further detail in Section 7.5.

As indicated above, the RCP seal injection is automatically isolated when necessary.

Containment isolation for the Containment pressure monitoring instrumentation and the RCS wide-range pressure is provided by a bellows assembly. The balance of the essential systems can be remote manually isolated by the operator when it is determined prudent to do so.

(3) Nonessential penetrations (see Figure 6.2.4-1) have two isolation barriers in series that meet the requirements of GDC 54, 55, 56, or 57. Nonessential systems are automatically isolated by the Containment isolation signals or are sealed closed. The Containment isolation system design is described in more detail in Section 6.2.4.

The Containment penetrations for CCW supply and return to the RCP heat exchangers, excess letdown heat exchanger, and reactor coolant drain tank are shared penetrations between essential and nonessential equipment. The Containment penetrations remain open to supply the essential equipment until a HI-3 signal is reached.

(4) The design of the STPEGS Containment isolation system is such that the resetting of the Containment isolation signal does not result in automatic reopening of any Containment isolation valves. The reopening of the Containment isolation valves requires deliberate operator action and can only be performed on a valve-by-valve basis.

(5) The Containment pressure setpoint (HI-1) is established by the Technical Specifications. The setpoint is based on normal Containment operating pressures including anticipated transients not requiring Containment isolation, and instrument drift and accuracy.

As discussed in Item 2 above, the nonessential portion of the CCW supply is isolated by Safety Class 3 valves if the Containment pressure setpoint (HI-1) is reached, thus generating an SI signal. The CCW to the RCP heat exchangers is isolated by Safety Class 2 valves if Containment pressure exceeds the HI-3 setpoint. This pressure setpoint is established at a value that is lower than the pressure in the CCW piping to preclude Containment atmosphere leakage through these lines.

(6) The normal Containment purge system isolation valves will be sealed shut during operational conditions other than cold shutdown and refueling. The valve position indication light shall be checked as required by the Technical Specifications to verify that the valve is closed. The supplementary Containment purge system may be operating during normal plant operations. Normal and supplementary purge system isolation valves receive the Containment ventilation isolation signal. This signal is generated by the following parameters:

Safety injection signal

Containment phase A isolation manual actuation

Containment spray manual actuation

High Containment purge radiation

An analysis has been performed which shows that in the event of a LOCA or other Design Basis Accident (DBA) while the supplementary Containment purge system is in operation, isolation occurs in a timely manner such that resultant offsite doses are well within the guidelines of 10CFR100. The analysis also demonstrates that STPEGS meets the requirements of 10CFR50.46, even if the Containment supplementary purge system is operating at the time of a LOCA event. The Containment normal and supplementary purge systems are described in further detail in Section 9.4.5.

(7) As indicated in item (6) above, the Containment purge isolation valves, of both the normal and supplementary Containment purge systems, are closed automatically by a Containment ventilation isolation signal. This signal is initiated by an SI signal, a high Containment purge radiation signal, manual actuation of Containment isolation phase A, or manual actuation of Containment spray.
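The isolation and reset behaviour described in items (4), (6) and (7), modelled as a small state machine. This is an added illustration, not plant logic taken from the UFSAR; the valve tags, the rule that a reset is refused while an initiating input is still present, and the rule that a reopen is refused while the signal is latched are assumptions.

```python
from dataclasses import dataclass, field

# Initiating inputs of the Containment ventilation isolation signal,
# as listed in items (6) and (7) of the text.
INITIATORS = frozenset({
    "safety_injection",
    "phase_a_manual_actuation",
    "containment_spray_manual_actuation",
    "high_containment_purge_radiation",
})


def _default_valves():
    # Hypothetical valve tags, not plant identifiers. Normal purge valves
    # start closed (sealed shut at power); supplementary purge starts open.
    return {
        "NORMAL-PURGE-INBOARD": "closed",
        "NORMAL-PURGE-OUTBOARD": "closed",
        "SUPP-PURGE-INBOARD": "open",
        "SUPP-PURGE-OUTBOARD": "open",
    }


@dataclass
class VentilationIsolation:
    valves: dict = field(default_factory=_default_valves)
    active: set = field(default_factory=set)
    latched: bool = False
    log: list = field(default_factory=list)

    def set_input(self, name, present):
        """Raise or clear one initiating input."""
        if name not in INITIATORS:
            raise ValueError(f"unknown initiating input: {name}")
        if present:
            self.active.add(name)
            self._isolate(name)
        else:
            # Clearing an input does not clear the latch or move any valve.
            self.active.discard(name)

    def _isolate(self, cause):
        # Any single initiator closes every valve and seals the signal in.
        self.latched = True
        for tag in self.valves:
            self.valves[tag] = "closed"
        self.log.append(("isolate", cause))

    def reset(self):
        """Operator reset of the isolation signal. Never moves a valve."""
        if self.active:
            # Assumption: reset is refused while an initiator is present.
            self.log.append(("reset_refused", tuple(sorted(self.active))))
            return False
        self.latched = False
        self.log.append(("reset", None))
        return True

    def reopen(self, tag):
        """Deliberate operator action on exactly one valve."""
        if tag not in self.valves:
            raise KeyError(tag)
        if self.latched:
            # Assumption: reopening is refused until the signal is reset.
            self.log.append(("reopen_refused", tag))
            return False
        self.valves[tag] = "open"
        self.log.append(("reopen", tag))
        return True


def run_scenario():
    """Constructed sequence: high purge radiation, reset, one reopen."""
    iso = VentilationIsolation()
    steps = {}
    iso.set_input("high_containment_purge_radiation", True)
    steps["after_signal"] = dict(iso.valves)
    steps["reset_while_input_present"] = iso.reset()
    iso.set_input("high_containment_purge_radiation", False)
    steps["latched_after_input_clears"] = iso.latched
    steps["reopen_while_latched"] = iso.reopen("SUPP-PURGE-INBOARD")
    steps["reset_after_input_clears"] = iso.reset()
    steps["after_reset"] = dict(iso.valves)
    steps["single_reopen"] = iso.reopen("SUPP-PURGE-INBOARD")
    steps["after_single_reopen"] = dict(iso.valves)
    return steps


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(step, result)
```

The audit log kept by the model records every refused reset or reopen, which is the evidence a reviewer would want when checking that no path reopens a valve without a deliberate, per-valve action.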

II.F.1 ADDITIONAL ACCIDENT MONITORING INSTRUMENTATION

Introduction

Item II.F.1 of NUREG-0660 contains the following subparts:

(1) Noble gas effluent radiological monitor.

(2) Provisions for continuous sampling of plant effluents for post-accident releases of radioactive iodines and particulates and onsite laboratory capabilities (this requirement was inadvertently omitted from NUREG-0660; see Attachment 2 that follows for position).

(3) Containment high-range radiation monitor.

(4) Containment pressure monitor.

(5) Containment water level monitor.

(6) Containment hydrogen concentration monitor.

NUREG-0578 provided the basic requirements associated with items (1) through (3) above. Letters issued to all operating nuclear power plants dated September 13, 1979 and October 30, 1979 provided clarification of staff requirements associated with items (1) through (6) above. Attachments 1 through 6 present the NRC position on these matters.

It is important that the displays and controls added to the control room as a result of this requirement not increase the potential for operator error. A human factors analysis should be performed taking into consideration:

(a) The use of this information by an operator during both normal and abnormal plant conditions.

(b) The integration into emergency procedures.

(c) The integration into operator training.

(d) Other alarms during emergency and need for prioritization of alarms.

II.F.1, ATTACHMENT 1, NOBLE GAS EFFLUENT MONITOR

Position

Noble gas effluent monitors shall be installed with an extended range designed to function during accident conditions as well as during normal operating conditions. Multiple monitors are considered necessary to cover the ranges of interest.

(1) Noble gas effluent monitors with an upper range capacity of 10 5 -133) are considered to be practical and should be installed in all operating plants.

(2) Noble gas effluent monitoring shall be provided for the total range of concentration extended from normal condition (ALARA) concentrations to a maximum of 10 5 -133). Multiple monitors are considered to be necessary to cover the ranges of interest. The range capacity of individual monitors should overlap by a factor of ten.

Clarification

(1) Licensees shall provide continuous monitoring of high-level, post-accident releases of radioactive noble gases from the plant. Gaseous effluent monitors shall meet the requirements specified in the enclosed Table II.F.1-1. Typical plant effluent pathways to be monitored are also given in the table.

(2) The monitors shall be capable of functioning both during and following an accident. System designs shall accommodate a design basis release, and then be capable of following decreasing concentrations of noble gases.

(3) Offline monitors are not required for the PWR secondary side main steam safety valve and dump valve discharge lines. For this application, externally mounted monitors viewing the main steam line upstream of the valves are acceptable with procedures to correct for the low energy gammas the external monitors would not detect. Isotopic identification is not required.

(4) Instrumentation ranges shall overlap to cover the entire range of effluents from normal (ALARA) through accident conditions.

The design description shall include the following information.

(a) System description, including:

(i) Instrumentation to be used, including range of sensitivity, energy dependence or response, calibration frequency and technique, and vendor's model number, if applicable.

(ii) Monitoring locations (or points of sampling), including description of method used to assure representative measurements and background correction.

(iii) Location of instrument readout(s) and method of recording, including description of the method or procedure for transmitting or disseminating the information or data.

(iv) Assurance of the capability to obtain readings at least every 15 minutes during and following an accident.

(v) The source of power to be used.

(b) Description of procedures or calculation methods to be used for converting instrument readings to release rates per unit time, based on exhaust air flow and considering radionuclide spectrum distribution as a function of time after shutdown.

TABLE II.F.1-1

HIGH-RANGE NOBLE GAS EFFLUENT MONITORS

REQUIREMENT:

Capability to detect and measure concentrations of noble gas fission products in plant gaseous effluents during and following an accident. All potential accident release paths shall be monitored.

PURPOSE: To provide the plant operator and emergency planning agencies with information on plant release of noble gases during and following an accident.

DESIGN BASIS MAXIMUM RANGE:

Design range values may be expressed in Xe-133 equivalent values for monitors employing gamma radiation detectors or in microcuries per cubic centimeter of air at standard temperature and pressure for monitors employing beta radiation detector (1 R/hr at 1 ft = 6.7 Ci Xe-133 equivalent for point source). Calibrations with a higher energy source are acceptable. The decay of radionuclide noble gases after an accident (i.e., the distribution of noble gases changes) should be taken into account.

10 5 Undiluted Containment exhaust gases (e.g., PWR reactor building purge, PWR drywell purge through the standby gas treatment system).

Undiluted PWR condenser air removal system exhaust.

10 4 Diluted Containment exhaust gases (e.g., >10:1 dilution, as with auxiliary building exhaust air).

BWR reactor building (secondary Containment) exhaust air.

PWR secondary Containment exhaust air.

10 3 Buildings with systems containing primary coolant or primary coolant offgases (e.g., PWR auxiliary buildings, BWR turbine buildings.)

PWR steam safety valve discharge, atmospheric steam dump valve discharge.

10 2 Other release points (e.g., radwaste buildings, fuel handling/storage buildings).

REDUNDANCY:

Not required; monitoring the final release point of several discharge inputs is acceptable.

SPECIFICATIONS:

None; sampling design criteria per ANSI N13.1.

POWER SUPPLY:

Vital instrument bus or dependable backup power supply to normal AC.

CALIBRATION:

Calibrate monitors using gamma detectors to Xe-133 equivalent (1 R/hr at 1 ft = 6.7 Ci Xe-133 equivalent for point source). Calibrate monitors using beta detectors to Sr-90, or similar long-lived beta isotope of at least 0.2 MeV.

DISPLAY: Continuous and recording as equivalent Xe

-actual noble gases.

QUALIFICATION:

The instruments shall provide sufficiently accurate responses to perform the intended function in the environment to which they will be exposed during accidents.

DESIGN CONSIDERATIONS:

Offline monitoring is acceptable for all ranges of noble gas concentrations.

Inline (induct) sensors are acceptable for 10 2 5 gases. For less than 10 2 -line monitoring is recommended.

Upstream filtration (prefiltering to remove radioactive iodines and particulates) is not required; however, design should consider all alternatives with respect to capability to monitor effluents following an accident.

For externally mounted monitors (e.g., PWR main steam line), the thickness of the pipe should be considered in accounting for low-energy gamma radiation.

II.F.1, ATTACHMENT 2, SAMPLING AND ANALYSIS OF PLANT EFFLUENTS

Position

Because iodine gaseous effluent monitors for the accident condition are not considered to be practical at this time, capability for effluent monitoring of radioiodines for the accident condition shall be provided with sampling conducted by adsorption on charcoal or other media, followed by onsite laboratory analysis.

Clarification

(1) Licensees shall provide continuous sampling of plant gaseous effluent for post-accident releases of radioactive iodines and particulates to meet the requirements of the enclosed Table II.F.1-2. Licensees shall also provide onsite laboratory capabilities to analyze or measure these samples. This requirement should not be construed to prohibit design and development of radioiodine and particulate monitors to provide online sampling and analysis for the accident condition.

If gross gamma radiation measurement techniques are used, then provisions shall be made to minimize noble gas interference.

(2) The shielding design basis is given in Table II.F.1-2. The sampling system design shall be such that plant personnel could remove samples, replace sampling media, and transport the samples to the onsite analysis facility with radiation exposures that are not in excess of the criteria of GDC 19 of 5 rem whole-body exposure and 75 rem to the extremities during the duration of the accident.

(3) The design of the systems for the sampling of particulates and iodines should provide for sample nozzle entry velocities which are approximately isokinetic (same velocity) with expected induct or instack air velocities. For accident conditions, sampling may be complicated by a reduction in stack or vent effluent velocities to below design levels, making it necessary to substantially reduce sampler intake flow rates to achieve the isokinetic condition. Reductions in air flow may well be beyond the capability of available sampler flow controllers to maintain isokinetic conditions; therefore, the staff will accept flow control devices which have the capability of maintaining isokinetic conditions with variations in stack or duct design flow velocity of +/-20 percent. Further departure from the isokinetic condition need not be considered in design. Corrections for nonisokinetic sampling conditions, as provided in Appendix C of ANSI 13.1-1969 may be considered on an ad hoc basis.

(4) Effluent streams which may contain air with entrained water, e.g. air ejector discharge, shall have provisions to ensure that the adsorber is not degraded while providing a representative sample, e.g., heaters.

TABLE II.F.1-2

SAMPLING AND ANALYSIS OR MEASUREMENT OF HIGH-RANGE RADIOIODINE AND PARTICULATE EFFLUENTS IN GASEOUS EFFLUENT STREAMS

EQUIPMENT:

Capability to collect and analyze or measure representative samples of radioactive iodines and particulates in plant gaseous effluents during and following an accident. The capability to sample and analyze for radioiodine and particulate effluents is not required for PWR secondary main steam safety valve and dump valve discharge lines.

PURPOSE: To determine quantitative release of radioiodines and particulates for dose calculation and assessment.

DESIGN BASIS SHIELDING ENVELOPE: 10 2 deposited on sampling media; 30 minutes sampling time, average gamma energy (E) of 0.5 MeV.

SAMPLING MEDIA:

Iodine >90 percent effective adsorption for all forms of gaseous iodine.

Particulates >90 percent effective retention for 0.3

SAMPLING CONSIDERATIONS:

Representative sampling per ANSI N13.1-1969. Entrained moisture in effluent stream should not degrade adsorber.

Continuous collection required whenever exhaust flow occurs.

Provisions for limiting occupational dose to personnel incorporated in sampling systems, in sample handling and transport, and in analysis of samples.

ANALYSIS:

Design of analytical facilities and preparation of analytical procedures shall consider the design basis sample.

Highly radioactive samples may not be compatible with generally accepted analytical procedures. In such case, measurement of emissive gamma radiations and the use of shielding and distance factors should be considered in design.

II.F.1, ATTACHMENT 3, CONTAINMENT HIGH-RANGE RADIATION MONITOR

Position

In-Containment radiation-level monitors with a maximum range of 10^8 rad/hr shall be installed. A minimum of two such monitors that are physically separated shall be provided. Monitors shall be developed and qualified to function in an accident environment.

Clarification

(1) Provide two radiation monitor systems in Containment which are documented to meet the requirements of Table II.F.1-3.

(2) The specification of 10^8 rad/hr in the above position was based on a calculation of post-accident Containment radiation levels that included both particulate (beta) and photon (gamma) radiation. A radiation detector that responds to both beta and gamma radiation cannot be qualified to post-LOCA Containment environments but gamma-sensitive instruments can be so qualified. In order to follow the course of an accident, a Containment monitor that measures only gamma radiation is adequate. The requirement was revised in the October 30, 1979 letter to provide for a photon-only measurement with an upper range of 10^7 R/hr.

(3) The monitors shall be located in Containment(s) in a manner as to provide a reasonable assessment of area radiation conditions inside Containment. The monitors shall be widely separated so as to provide independent measurements and shall "view" a large fraction of the Containment volume. Monitors should not be placed in areas which are protected by massive shielding and should be reasonably accessible for replacement, maintenance, or calibration. Placement high in a reactor building dome is not recommended because of potential maintenance difficulties.

(4) For BWR Mark III Containments, two such monitoring systems should be inside both the primary Containment (drywell) and the secondary containment.

(5) The monitors are required to respond to gamma photons with energies as low as 60 keV and to provide an essentially flat response for gamma energies between 100 keV and 3 MeV, as specified in Table II.F.1-3. Monitors that use thick shielding to increase the upper range will underestimate post-accident radiation levels in Containment by several orders-of-magnitude because of their insensitivity to low energy gammas and are not acceptable.

TABLE II.F.1-3

CONTAINMENT HIGH-RANGE RADIATION MONITOR

REQUIREMENT:

The capability to detect and measure the radiation level within the reactor Containment during and following an accident.

RANGE: 1 rad/hr to 10^8 rads/hr (beta and gamma) or, alternatively, 1 R/hr to 10^7 R/hr (gamma only).

RESPONSE: 60 keV to 3 MeV photons, with linear energy response (+/-20 percent) for photons of 0.1 MeV to 3 MeV. Instruments must be accurate enough to provide usable information.

REDUNDANT:

A minimum of two physically separated monitors (i.e., monitoring widely separated spaces within Containment.)

DESIGN AND QUALIFICATION:

Category 1 instruments as described in Appendix A, except as listed below.

SPECIAL CALIBRATION:

In situ calibration by electronic signal substitution is acceptable for all range decades above 10 R/hr. In situ calibration for at least one decade below 10 R/hr shall be by means of calibrated radiation source. The original laboratory calibration is not an acceptable position due to the possible differences after in situ installation. For high-range calibration, no adequate sources exist, so an alternate was provided.

SPECIAL ENVIRONMENTAL QUALIFICATION:

Calibrate and type-test representative specimens of detectors at sufficient points to demonstrate linearity through all scales up to 10^6 R/hr. Prior to initial use, certify calibration of each detector for at least one point per decade of range between 1 R/hr and 10^3 R/hr.

CN-3123

II.F.1, ATTACHMENT 4, CONTAINMENT PRESSURE MONITOR

Position

A continuous indication of Containment pressure shall be provided in the control room of each operating reactor. Measurement and indication capability shall include three times the design pressure of the Containment for concrete, four times the design pressure for steel, and -5 psig for all Containments.

Clarification

(1) Design and qualification criteria are outlined in Appendix A.

(2) Measurement and indication capability shall extend to 5 psia for sub-atmospheric Containments.

(3) Two or more instruments may be used to meet requirements. However, instruments that need to be switched from one scale to another scale to meet the range requirements are not acceptable.

(4) Continuous display and recording of the Containment pressure over the specified range in the control room is required.

(5) The accuracy and response time specifications of the pressure monitor shall be provided and justified to be adequate for their intended function.

II.F.1, ATTACHMENT 5, CONTAINMENT WATER LEVEL MONITOR

Position

A continuous indication of Containment water level shall be provided in the control room for all plants. A narrow-range instrument shall be provided for PWRs and cover the range from the bottom to the top of the Containment sump. A wide-range instrument shall also be provided for PWRs and shall cover the range from the bottom of the Containment to the elevation equivalent to a 600,000 gallon capacity. For BWRs, a wide-range instrument shall be provided and cover the range from the bottom to 5 feet above the normal water level of the suppression pool.

Clarification

(1) The Containment wide-range water level indication channels shall meet the design and qualification criteria as outlined in Appendix A. The narrow-range channel shall meet the requirements of RG 1.89.

(2) The measurement capability of 600,000 gallons is based on recent plant designs. For older plants with smaller water capacities, licensees may propose deviations from this requirement based on the available water supply capability at their plant.

(3) Narrow-range water level monitors are required for all sizes of sumps, but are not required in those plants that do not contain sumps inside the Containment.

(4) For BWR pressure-suppression Containments, the emergency core cooling system suction line inlets may be used as a starting reference point for the narrow-range and wide-range water level monitors, instead of the bottom of the suppression pool.

(5) The accuracy requirements of the water level monitors shall be provided and justified to be adequate for their intended function.

II.F.1, ATTACHMENT 6, CONTAINMENT HYDROGEN MONITOR

Position

A continuous indication of hydrogen concentration in the Containment atmosphere shall be provided in the control room. Measurement capability shall be provided over the range of 0 to 10 percent hydrogen concentration under both positive and negative ambient pressure.

Clarification

(1) Design and qualification criteria are outlined in Appendix A.

(2) The continuous indication of hydrogen concentration is not required during normal operation.

If an indication is not available at all times, continuous indication and recording shall be functioning within 30 minutes of the initiation of safety injection.

(3) The accuracy and placement of hydrogen monitors shall be provided, and justified to be adequate for their intended function.

STPEGS Response

Implementation of the NUREG-0737, ITEM II.F.1, instrumentation was integrated with the activities of NUREG-0737, Supplement 1, specifically the CRDR and the implementation of RG 1.97 as described in Sections S.5 and S.6 of this Appendix, respectively. A human factors analysis was performed during the CRDR.

Appendix 7B, Table 7B.1-1 identifies the variables which satisfy the II.F.1 requirements. Instrumentation adequacy and qualifications are addressed in the analysis presented in Appendix 7B. Table 7.5-1 provides further information as to instrument ranges, qualifications, and display methodology.

Instrumentation calibration requirements are identified in the Technical Specifications. A calibration program is in place as identified in Section 13.5.

Instrumentation provided by STPEGS to respond to each attachment of NUREG-0737, Item II.F.1 is further discussed below.

(1) Noble Gas Monitor

The STPEGS design includes one wide-range noble gas monitor for the unit vent which detects and measures concentrations of noble gas fission products in plant gaseous effluents during and following an accident. Three detectors with overlapping ranges provide a monitoring range from normal to 10 5

An adjacent-to-line monitor is provided for each main steam line to monitor the concentration in steam that is released to the environment via the SG safety valves or the SG PORVs.

The range of the monitor is identified in Table 7.5-1. The monitor is powered from a Non 1E Vital AC power source.

The instrumentation is a part of the Radiation Monitoring System (RMS) as described in Section 11.5. Procedures for use of the instrumentation in determining release rates will be provided as described in Section 13.5.

(2) Iodine/Particulate Sampling

Iodine and particulate isokinetic sampling capability, with onsite analysis, of the plant gaseous effluents is continuously provided, both during and following an accident.

The sampling station for the unit vent is located on the 60-ft elevation of the MAB. The station is accessible post-accident. The plant effluent sampling system and analysis capability are further discussed in Section 11.5.

(3) Containment High Range Radiation Monitor

Redundant Class 1E monitors are provided in the Containment Building. The monitors are positioned to be accessible for calibration and repair and so that they will be exposed to a representative volume of the Containment atmosphere. The range of the monitors is 1R/hr to 10E8/hr gamma. An evaluation was performed to confirm that the use of the Alternate Source Term (AST) described in RG 1.183 does not impact the Containment High Range Radiation Monitor analyses.

(4) Containment Pressure

Redundant Class 1E Containment pressure and extended range Containment pressure monitoring channels provide continuous monitoring and recording of Containment pressure. These monitors cover a range from normal to accident conditions.

(5) Containment Water Level

The STPEGS design includes redundant, Class 1E, wide-range level monitors.

In addition, Class 1E narrow range monitors are provided in the normal and secondary sumps. These monitoring channels provide continuous monitoring and recording of the Containment water level for use in diagnosis of a LOCA.

(6) Containment Hydrogen

The STPEGS design includes redundant, Class 1E, hydrogen concentration monitoring from 0 to 10 percent. Continuous indication and recording can be initiated by the operator within 30 minutes of the initiation of safety injection. The Hydrogen Monitoring System is described further in Section 7.6.5. Per 10CFR50.44, hydrogen recombiners are no longer required for design basis accidents.

CN-3137

II.F.2 INSTRUMENTATION FOR DETECTION OF INADEQUATE CORE COOLING

Position

Licensees shall provide a description of any additional instrumentation or controls (primary or backup) proposed for the plant to supplement existing instrumentation (including primary coolant saturation monitors) in order to provide an unambiguous, easy-to-interpret indication of inadequate core cooling (ICC). A description of the functional design requirements for the system shall also be included. A description of the procedures to be used with the proposed equipment, the analysis used in developing these procedures, and a schedule for installing the equipment shall be provided.

Clarification

(1) Design of new instrumentation should provide an unambiguous indication of ICC. This may require new measurements or a synthesis of existing measurements that meet design criteria (item 7).

(2) The evaluation is to include reactor water level indication.

(3) Licensees and applicants are required to provide the necessary design analysis to support the proposed final instrumentation system for ICC, to evaluate the merits of various instruments to monitor water level, and to monitor other parameters indicative of core cooling conditions.

(4) The indication of ICC must be unambiguous in that it should have the following properties:

(a) It must indicate the existence of ICC caused by various phenomena (i.e., high-void fraction-pumped flow as well as stagnant boil-off).

(b) It must not erroneously indicate ICC because of the presence of an unrelated phenomenon.

(5) The indication must give advanced warning of the approach of ICC.

(6) The indication must cover the full range from normal operation to complete core uncovery. For example, water level instrumentation may be chosen to provide advanced warning of two-phase level drop to the top of the core. This could be supplemented by other indicators such as incore and core exit thermocouples, provided the indicated temperatures can be correlated to provide an indication of the existence of ICC, and to infer the extent of core uncovery. Alternatively, full-range level instrumentation to the bottom of the core may be employed in conjunction with other diverse indicators such as core exit thermocouples, to preclude misinterpretation due to any inherent deficiencies or inaccuracies in the measurement system selected.

(7) All instrumentation in the final ICC system must be evaluated for conformance to Appendix A (sic), "Design and Qualification Criteria for Accident Monitoring Instrumentation", as clarified or modified by the provisions of items 8 and 9 that follow. This is a new requirement.

(8) If a computer is provided to process liquid level signals for display, seismic qualification is not required for the computer and associated hardware beyond the isolator or input buffer at a location accessible for maintenance following an accident. The single-failure criteria of Item 2, Appendix A (sic), need not apply to the channel beyond the isolation device if it is designed to provide 99 percent availability with respect to functional capability for liquid-level display. The display and associated hardware beyond the isolation device need not be Class 1E, but should be energized from a high reliability power source that is battery backed. The quality assurance provisions cited in Appendix A (sic), Item 5, need not apply to this portion of the instrumentation system. This is a new requirement.

(9) Incore thermocouples located at the core exit, or at discrete axial levels of the ICC monitoring system and that are part of the monitoring system, should be evaluated for conformity with Attachment 1, "Design and Qualification Criteria for PWR Incore Thermocouples", which is a new requirement.

(10) The types and locations of displays and alarms should be determined by performing a human factors analysis taking into consideration:

(a) The use of this information by an operator during both normal and abnormal plant conditions.

(b) Integration into emergency procedures.

(c) Integration into operator training.

(d) Other alarms during emergency and need for prioritization of alarms.

(The referenced Attachment 1 and Appendix A (sic) are attached to NUREG-0737. Attachment 1 is also reproduced here.)

II.F.2 ATTACHMENT 1, DESIGN AND QUALIFICATION CRITERIA FOR PRESSURIZED-WATER REACTOR INCORE THERMOCOUPLES

(1) Thermocouples located at the core exit for each core quadrant, in conjunction with core inlet temperature data, shall be of sufficient number to provide indication of radial distribution of the coolant enthalpy (temperature) rise across representative regions of the core. Power distribution symmetry should be considered when determining the specific number and location of thermocouples to be provided for diagnosis of local core problems.

(2) There should be a primary operator display (or displays) having the capabilities which follow:

(a) A spatially oriented core map available on demand indicating the temperature or temperature difference across the core at each core exit thermocouple location.

(b) A selective reading of core exit temperature, continuous on demand, which is consistent with parameters pertinent to operator actions in connection with plant-specific inadequate core cooling procedures. For example, the action requirement and the displayed temperature might be either the highest of all operable thermocouples or the average of five highest thermocouples.

(c) Direct readout and hard-copy capability should be available for all thermocouple temperatures. The range should extend from 200°F (or less) to 1,800°F (or more).

(d) Trend capability showing the temperature-time history of representative core exit temperature values should be available on demand.

(e) Appropriate alarm capability should be provided consistent with operator procedure requirements.

(f) The operator-display device interface shall be human-factor-designed to provide rapid access to request displays.

(3) A backup display (or displays) should be provided with the capability for selective reading of a minimum of 16 operable thermocouples, 4 from each core quadrant, all within a time interval no greater than 6 minutes. The range should extend from 200°F (or less) to 2,300°F (or more).

(4) The types and locations of displays and alarms should be determined by performing a human factors analysis taking into consideration:

(a) the use of this information by an operator during both normal and abnormal plant conditions, (b) integration into emergency procedures, (c) integration into operator training, and (d) other alarms during emergency and need for prioritization of alarms.

(5) The instrumentation must be evaluated for conformance to Appendix B, "Design and Qualification Criteria for Accident Monitoring Instrumentation", as modified by the provisions of items 6 through 9 which follow.

(6) The primary and backup display channels should be electrically independent, energized from independent station Class 1E power sources, and physically separated in accordance with RG 1.75 up to and including any isolation device. The primary display and associated hardware beyond the isolation device need not be Class 1E, but should be energized from a high-reliability power source, battery backed, where momentary interruption is not tolerable. The backup display and associated hardware should be Class 1E.

(7) The instrumentation should be environmentally qualified as described in Appendix B, item 1, except that seismic qualification is not required for the primary display and associated hardware beyond the isolator/input buffer at a location accessible for maintenance following an accident.

(8) The primary and backup display channels should be designed to provide 99 percent availability for each channel with respect to functional capability to display a minimum of four thermocouples per core quadrant. The availability shall be addressed in Technical Specifications.

(9) The quality assurance provisions cited in Appendix B, item 5, should be applied except for the primary display and associated hardware beyond the isolation device.

STPEGS Response

The STPEGS design includes redundant instrumentation to monitor the approach to, existence of, and recovery from ICC. The monitored parameters, selected to provide an unambiguous indication of ICC, are the RCS subcooled margin, the water level above the reactor core, and the RCS temperature at the core exit.

The implementation of the instrumentation used for monitoring the RCS subcooled margin, reactor vessel water level, and core exit temperatures has been integrated with the activities of NUREG-0737, Supplement 1 (see Section S.1 through S.5 of Appendix 7A) and the implementation of RG 1.97 (see Section 7.5.1 and Appendix 7B). Table 7.5-1 provides information as to instrument ranges, qualifications, and display methodology. The QDPS, as described in Section 7.5.6, performs the signal processing and display for the instrumentation to detect ICC.

The Inadequate Core Cooling Monitoring System installed on STPEGS includes the following:

Core exit thermocouple (TC) monitoring
Core subcooling margin monitoring
Reactor vessel water level monitoring

A detailed system description of each of the above ICC monitoring subsystems is given below:

A. Core Exit Thermocouple System

The number of required Core Exit Thermocouples (CETs) is governed by Technical Specifications. The following description will reflect the original design with 50 CETs as a "nominal" number. The descriptions will continue to reflect 50 CETs but the actual number is subject to change based on plant conditions such as have occurred when CETs have broken within the thermocouple tubing inside the reactor head.

The core exit thermocouple monitoring system consists of two redundant trains that monitor all of the STPEGS chromel-alumel core exit thermocouples (25 on each train). A block diagram of the system is shown in Figure 7A.II.F.2-1. The core exit thermocouples are mounted at the top of the core support plate.

The cables from the thermocouples are routed to the in-Containment qualified reference junction boxes. Each reference junction box includes three redundant platinum resistance temperature detectors (RTDs) for reference junction temperature compensation.

The uncompensated core exit thermocouple signals and the reference junction box temperature signals are routed to the Class 1E remote processing units (RPU) A and C. Each RPU consolidates the input data, performs conversion to process units, and formats the data for transmission to the Class 1E database processing units (DPU) and to the non-Class 1E ERFDADS. The RPU to ERFDADS and DPU communications are via isolated RS-422 communication datalinks.

The Class 1E database processing units receive isolated datalink inputs from each RPU and calculate the compensated core exit thermocouple value. The value chosen for the reference junction box temperature is a function of data quality of the three RTD signals. Following the calculation of all 50 compensated core exit thermocouple values, the information from the DPUs is transmitted to six control room and two auxiliary shutdown panel flat panel QDPS plasma displays. Each DPU also provides isolated analog outputs to drive non-Class 1E recorders in the main control room.

Each plasma display unit displays individual thermocouple temperatures and provides two levels of alarm when pre-set temperatures are exceeded. These plasma display units are seismically and environmentally qualified Class 1E components.

The analog recorders trend the hottest core-exit thermocouple and also the maximum quadrant average core exit TC temperature.

The equipment used for core exit temperature monitoring (shown in Figure 7A.II.F.2-1) has been designed to meet the intent of IEEE 279-1971 as discussed in Section 7.5.6.2.

Consistent with the requirements of NUREG-0737, an evaluation was made of the minimum number of valid core exit thermocouples necessary for measuring core cooling. The evaluation determined the complement of core exit thermocouples necessary to detect initial core recovery and trend the ensuing core heatup. The evaluations account for core nonuniformities, including incore effects of the radial decay power distributions, excore effects of condensate runback in the hot legs, and nonuniform inlet temperatures. Based on this evaluation, adequate core cooling is ensured with two valid core exit thermocouple channels per quadrant with two core exit thermocouples per required channel. The core exit thermocouple pair is oriented radially to permit evaluation of core radial decay power distribution. Core exit temperature is used to determine whether to terminate Safety Injection, if still in progress, or to reinitiate Safety Injection if it has been stopped. Core exit temperature is also used for unit stabilization and cooldown control.

Two OPERABLE channels of core exit thermocouples are required in each quadrant to provide indication of radial distribution of the coolant temperature rise across representative regions of the core. Power distribution symmetry was considered in determining the specific number and locations provided for diagnosis of local core problems. Two randomly selected thermocouples are not sufficient to meet the two thermocouples per channel requirement in any quadrant. The two thermocouples in each channel must meet the additional requirement that one is located near the center of the core and the other near the core perimeter, such that the pair of core exit thermocouples indicate the radial temperature gradient across their core quadrant. The unit specific response to Item II.F.2 of NUREG-0737 further discusses the core exit thermocouples. Two sets of two thermocouples ensure a single failure will not disable the ability to determine the radial temperature gradient. The subcooling margin monitor requirements are not affected by allowing 2 thermocouples/channel/quadrant as long as each channel has at least four operable thermocouples in any quadrant (e.g., A Train has four operable thermocouples in one of the quadrants, and C Train has four operable thermocouples in the same quadrant or any other quadrant). This preserves the ability to withstand a single failure.

B. Core Subcooling Margin Monitor

The core subcooling margin monitor is designed to give an early warning to the plant personnel that core conditions are approaching a saturation condition.

The inputs to the core subcooling margin monitor include the following:

wide-range and extended-range RCS pressure (3 channels)
core exit thermocouples (50, 2 channels)
reference junction box RTD values (6 channels)

A block diagram of the core subcooling margin monitor is shown in Figure 7A.II.F.2-2. One channel of RCS pressure (wide-range/extended-range) is input into each of RPU B, C, and D. Also, 25 uncompensated thermocouple channels and the corresponding three reference junction box RTD signals are input into each of RPU A and C. The outputs of each of the RPUs are routed to each DPU. The core subcooling margin is then calculated using the wide-range/extended-range RCS pressure and compensated core exit thermocouple readings. The value of RCS pressure utilized in the calculation is the average of the valid pressure signals. The value of core subcooling margin is based upon the auctioneered high quadrant average temperature.

The subcooling calculated values are provided as margin to saturation on all of the plasma displays at the main control room and auxiliary shutdown panel. Alarming functions are provided when the core subcooling margin indication moves into the superheat region.

The equipment used for core subcooling margin monitoring (shown on Figure 7A.II.F.2-2) has been designed to meet the intent of IEEE 279-1971 as discussed in Section 7.5.6.2.
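The margin calculation described in this section, as an added Python example that is not STPEGS or QDPS code: valid pressure signals are averaged, the highest quadrant-average core exit temperature is selected (auctioneered high), and the result is labelled SUBCOOL or SUPERHEAT as in the alarm description later in this appendix. The class and function names, the psia units, the coarse steam-table grid, the INVALID state, and the 30°F low-margin value in the sample are assumptions.

```python
from bisect import bisect_right
from dataclasses import dataclass
from statistics import mean
from typing import Optional, Sequence

# Rounded saturation points for water, (psia, deg F), from standard steam
# tables. A coarse grid for illustration; not the QDPS's own correlation.
SAT_TABLE = [(14.7, 212.0), (100.0, 327.8), (500.0, 467.0), (1000.0, 544.6),
             (1500.0, 596.2), (2000.0, 635.8), (2250.0, 652.7), (2500.0, 668.1)]


def saturation_temp_f(p_psia: float) -> float:
    """Saturation temperature by linear interpolation in SAT_TABLE."""
    pressures = [p for p, _ in SAT_TABLE]
    if not pressures[0] <= p_psia <= pressures[-1]:
        raise ValueError(f"pressure {p_psia} psia is outside the table")
    i = min(bisect_right(pressures, p_psia), len(SAT_TABLE) - 1)
    (p0, t0), (p1, t1) = SAT_TABLE[i - 1], SAT_TABLE[i]
    return t0 + (t1 - t0) * (p_psia - p0) / (p1 - p0)


@dataclass(frozen=True)
class Pressure:
    psia: float
    valid: bool      # data-quality flag; how validity is judged is not on the page


@dataclass(frozen=True)
class Cet:
    quadrant: int    # core quadrant, 1-4
    temp_f: float    # compensated core exit temperature
    valid: bool


@dataclass(frozen=True)
class Margin:
    label: str                    # "SUBCOOL", "SUPERHEAT" or "INVALID" (assumed state)
    degrees_f: Optional[float]    # magnitude of the margin to saturation
    inverse_video: bool
    flashing: bool
    high_quadrant: Optional[int]  # quadrant that won the auctioneering


def subcooling_margin(pressures: Sequence[Pressure], cets: Sequence[Cet],
                      low_margin_f: float) -> Margin:
    """Margin to saturation from valid pressures and valid CETs only."""
    valid_p = [p.psia for p in pressures if p.valid]
    by_quadrant = {}
    for c in cets:
        if c.valid:
            by_quadrant.setdefault(c.quadrant, []).append(c.temp_f)
    if not valid_p or not by_quadrant:
        # Assumption: with no usable input, report no number at all.
        return Margin("INVALID", None, False, False, None)

    quad_avg = {q: mean(temps) for q, temps in by_quadrant.items()}
    high_q = max(quad_avg, key=quad_avg.get)          # auctioneered high
    margin = saturation_temp_f(mean(valid_p)) - quad_avg[high_q]

    if margin < 0:
        # Temperature exceeds saturation: inverse video and flashed.
        return Margin("SUPERHEAT", -margin, True, True, high_q)
    # At or below saturation: inverse video only once the margin is small.
    return Margin("SUBCOOL", margin, margin < low_margin_f, False, high_q)


# Constructed sample: three pressure channels (one flagged invalid) and a few CETs.
SAMPLE_PRESSURES = [Pressure(1005.0, True), Pressure(995.0, True),
                    Pressure(0.0, False)]
SAMPLE_CETS = [Cet(1, 510.0, True), Cet(1, 514.0, True),
               Cet(2, 520.0, True), Cet(2, 524.0, True), Cet(2, 900.0, False),
               Cet(3, 500.0, True), Cet(4, 505.0, True)]

if __name__ == "__main__":
    print(subcooling_margin(SAMPLE_PRESSURES, SAMPLE_CETS, low_margin_f=30.0))
```

Excluding invalid signals before averaging matters here: the invalid 900°F reading in quadrant 2 would otherwise drive the display into SUPERHEAT.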

C. Reactor Vessel Water Level System

The Reactor Vessel Water Level System (RVWLS) provides the capability for measurement of the reactor coolant inventory in the upper head and plenum regions of the reactor vessel. STPEGS has provided a heated junction thermocouple (HJTC) system supplied by C-E. This system measures the water level inventory in the reactor vessel above the upper core alignment plate, even when a steam/water two-phase mixture exists in the reactor vessel. This is accomplished by the use of two identical probe assemblies, each containing eight HJTC sensors with individual splash shields which are axially distributed inside a separator tube.

The HJTC sensors located inside this separator tube measure the collapsed water level (water inventory) in the reactor vessel above the upper core alignment plate. An HJTC sensor consists of two physically separated thermocouple junctions, one of which is electrically heated. The basic principle of the system operation is to determine whether a sensor is covered with water by detecting the temperature difference between adjacent heated and unheated thermocouples. When the water level inside the probe falls below a given sensor location during a loss of coolant event, the heated junction temperature increases due to the relatively poor cooling ability (lower heat transfer coefficient) of steam versus water. When the relative temperature difference between heated and unheated junctions exceeds a predetermined value, the sensor registers as being uncovered (i.e., surrounded by steam only).

The probes for STPEGS are of the "split-probe" design, having two sensors located in the upper head region and six sensors located in the upper plenum region. This design allows unambiguous indication of water level in either region regardless of their instantaneous relative pressures. The sensors are located from the top of the vessel down to the top of the fuel alignment plate, giving the operator unambiguous indication of water level during system conditions associated with the approach to and recovery from ICC.

The two upper sensors are located in the uppermost position possible in each region of the probe (one sensor in the upper head region and one sensor in the upper plenum region) to indicate the formation of a void space as early as possible. Two sensors (one in each region) are located as low as practicable to indicate the draining of the water inventory in that region. This lower sensor in the upper head is located 2 inches above the reactor vessel closure head mating surface. This elevation is important because when the liquid level falls below the closure head mating surface, communication between the upper head and downcomer annulus through the orifice holes essentially ceases. The fluid in the "bottom hat" trough does not communicate with any other region in the reactor vessel. Hence, location of a sensor in this region would not provide the reactor operator with any useful information, and quite possibly could be misleading. There are four other HJTC sensor locations in the lower (upper plenum) portion of each probe. These sensors do not have separator tube flow holes or support tube slots associated with their position. Three of these sensor locations are in the upper plenum at the elevation of the top of the hot leg, centerline of the hot leg, and bottom of the hot leg. The sensor location at the top of the hot leg is important since it indicates to the reactor operator when natural circulation cooling is possible.

When the water level in the reactor vessel falls below this elevation, the loss of natural circulation becomes imminent. A sensor located at the bottom of the hot leg is important because, when the water level drops below this elevation, communication between the liquid inventory in the reactor vessel and the reactor coolant system piping ceases and the water inventory in the reactor vessel may drop more rapidly than before. A liquid level below this elevation implies that core cooling could be threatened. The fourth sensor is positioned half-way between the sensor located at the bottom of the hot leg and the sensor located just above the upper core plate. This sensor location provides continuity in the liquid level indication in the upper plenum. The maximum distance between sensors in the upper plenum is slightly less than 1.5 ft.

The RVWLS is composed of two trains of HJTC instruments. Each HJTC instrument is assembled into a probe assembly. Each probe has eight electrically independent HJTC sensors as discussed above. Each HJTC train is powered from Class 1E power. The cables from the probes are routed to in-Containment qualified junction boxes. The signals are then routed to the Class 1E HJTC processors outside Containment. The HJTC processors perform the following functions:

1. Determine if liquid inventory exists at each HJTC sensor position.
2. Provide control of heater power for proper HJTC output signal level.
3. Provide status of each HJTC assembly.
4. Provide a Class 1E redundant datalink with the QDPS, which then transmits the following data for display in the control room:
a. Temperature of each heated/unheated thermocouple.
b. Status of each HJTC sensor: covered, uncovered, operating or failed.
c. Liquid level inventory above the alignment plate.
d. Liquid level inventory in the upper head.

The QDPS displays items c and d. The ERFDADS displays items a, b, c, and d.

The QDPS provides control room displays showing the reactor vessel and two vertical level indicator columns, one for each HJTC probe. Each column contains a discrete indication corresponding to each of the HJTC sensors in the probe and a percentage indication of the liquid level inventory in the head and plenum areas.

The information transmitted to the QDPS is retransmitted to the non-Class 1E ERFDADS via isolated RS-422 communication datalinks and is then used to provide display capabilities in the TSC and EOF.

A block diagram of the reactor vessel water level system is shown in Figure 7A.II.F.2-3. The equipment used for reactor vessel water level monitoring (shown on Figure 7A.II.F.2-3) has been designed to meet the intent of IEEE 279-1971 as discussed in Section 7.5.6.2.
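The HJTC covered/uncovered decision and the per-region level indication described in this section, as an added Python example that is not the C-E processor's or the QDPS's algorithm. The names, the 100°F uncover threshold in the sample, the plausibility band, the rule that a failed sensor stops the upward count, and the inconsistency flag are assumptions; the page gives only the principle and the two-plus-six sensor split.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Sequence


class Status(Enum):
    COVERED = "covered"
    UNCOVERED = "uncovered"
    FAILED = "failed"


@dataclass(frozen=True)
class HjtcReading:
    heated_f: Optional[float]     # None models an open or unreadable junction
    unheated_f: Optional[float]


# Sensor order within one probe, top to bottom, following the split-probe
# layout in the text: two upper-head sensors, then six upper-plenum sensors.
HEAD = slice(0, 2)
PLENUM = slice(2, 8)


def classify(r: HjtcReading, uncover_delta_f: float,
             max_negative_f: float = 5.0) -> Status:
    """Uncovered when heated minus unheated exceeds the predetermined value."""
    if r.heated_f is None or r.unheated_f is None:
        return Status.FAILED
    delta = r.heated_f - r.unheated_f
    if delta < -max_negative_f:
        # Heated junction reading well below the unheated one is implausible.
        return Status.FAILED
    return Status.UNCOVERED if delta > uncover_delta_f else Status.COVERED


def region_level_pct(statuses: Sequence[Status]) -> float:
    """Percent of a region's sensor positions known to be under water.

    Counts upward from the lowest sensor and stops at the first sensor that
    is uncovered or failed, so a failed sensor never adds inventory.
    """
    covered = 0
    for s in reversed(statuses):
        if s is not Status.COVERED:
            break
        covered += 1
    return 100.0 * covered / len(statuses)


def covered_above_uncovered(statuses: Sequence[Status]) -> bool:
    """True if a covered sensor sits above an uncovered one in the region."""
    seen_uncovered = False
    for s in reversed(statuses):          # bottom to top
        if s is Status.UNCOVERED:
            seen_uncovered = True
        elif s is Status.COVERED and seen_uncovered:
            return True
    return False


@dataclass(frozen=True)
class ProbeState:
    statuses: List[Status]
    head_pct: float
    plenum_pct: float
    inconsistent: bool


def evaluate_probe(readings: Sequence[HjtcReading],
                   uncover_delta_f: float) -> ProbeState:
    """Evaluate one eight-sensor probe; head and plenum are judged separately."""
    if len(readings) != 8:
        raise ValueError("a probe has eight HJTC sensors")
    statuses = [classify(r, uncover_delta_f) for r in readings]
    head, plenum = statuses[HEAD], statuses[PLENUM]
    return ProbeState(
        statuses=statuses,
        head_pct=region_level_pct(head),
        plenum_pct=region_level_pct(plenum),
        inconsistent=covered_above_uncovered(head) or covered_above_uncovered(plenum),
    )


# Constructed sample, top to bottom: void at the top of the head, one failed
# plenum sensor, everything else covered.
SAMPLE_PROBE = [
    HjtcReading(620.0, 400.0), HjtcReading(420.0, 400.0),
    HjtcReading(425.0, 400.0), HjtcReading(418.0, 400.0),
    HjtcReading(None, 400.0), HjtcReading(422.0, 400.0),
    HjtcReading(415.0, 400.0), HjtcReading(419.0, 400.0),
]

if __name__ == "__main__":
    print(evaluate_probe(SAMPLE_PROBE, uncover_delta_f=100.0))
```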

NUREG-0737 Required Documentation

Item II.F.2 of NUREG-0737 specifies the following required documentation concerning instrumentation for detection of ICC:

(1) A description of the proposed final system including:

(a) a final design description of additional instrumentation and displays; (b) a detailed description of existing instrumentation systems (e.g., subcooling meters and incore thermocouples), including parameter ranges and displays, which provide operating information pertinent to ICC considerations; and (c) a description of any planned modifications to the instrumentation systems described in item 1.b above.

(2) The necessary design analysis, including evaluation of various instruments to monitor water level, and available test data to support the design described in item 1 above.

(3) A description of additional test programs to be conducted for evaluation, qualification, and calibration of additional instrumentation.

(4) An evaluation, including proposed actions, on the conformance of ICC instrument system to this document, including Attachment 1 and Appendix A (sic). Any deviations should be justified.

(5) A description of the computer functions associated with ICC monitoring and functional specifications for relevant software in the process computer and other pertinent calculators. The reliability of nonredundant computers used in the system should be addressed.

(6) A current schedule, including contingencies, for installation, testing and calibration, and implementation of any proposed new instrumentation or information displays.

(7) Guidelines for use of the additional instrumentation, and analyses used to develop these procedures.

(8) A summary of key operator action instructions in the current emergency procedures for ICC and a description of how these procedures will be modified when the final monitoring system is implemented.

(9) A description and schedule commitment for any additional submittals which are needed to support the acceptability of the proposed final instrumentation system and emergency procedures for ICC.

The following is a discussion of each of the above items as they relate to the STPEGS instrumentation for detection of ICC:

(1) The inadequate core cooling systems are described above.

The parameter ranges and control room displays are summarized in Table 7.5-1.

(2) An indication of a declining subcooled margin in the RCS will provide the earliest warning that conditions are developing which could lead to ICC. If the event is allowed to progress, saturation conditions will be observed, along with indication of a declining water level above the reactor core. Reactor vessel water level alone does not identify the existence of ICC, only the potential for ICC. Maintaining the water level at the point above the core is not essential for adequate core cooling. A steam/water froth region extending down into the core could equate to a water level below the top of the core and yet provide adequate core cooling. Only as the top of the froth region drops below the top of the core would ICC tend to occur. RCS pressure and core exit temperatures indicate this phase of the event by a continuing decline in the margin to saturation progressing into the superheat region. Alternatively, the recovery from ICC and the subsequent stages of the event would be monitored to verify that corrective actions taken have resulted in the expected plant response.

The ICC instrumentation previously described has been designed to provide these indications of approaching ICC to the operator.

(3) The ICC instrumentation systems have been successfully tested to demonstrate their ability to perform all required functions.

(4) An evaluation of the conformance of the thermocouple/core subcooling margin monitor system and the reactor vessel water level system to NUREG-0737 Attachment 1 and Appendix B is as follows:

(a) Attachment 1, Item (1)

The 50 Class 1E core exit thermocouples are fully qualified and comply with the recommendations of RGs 1.89 and 1.100. The thermocouples are located at the core exit and in an arrangement such that each of the redundant microprocessor systems has core exit thermocouples distributed over the entire core, in sufficient number to determine the radial temperature rise across representative regions of the core. Power distribution symmetry was considered in determining proper TC locations. The wide-range/extended-range RCS pressure sensors are located on three separate RCS loops, as shown on Figure 5.1-1. The RVWLS probes for STPEGS are of the "split-probe" design, having two sensors located in the upper head region and six sensors located in the upper plenum region, ranging from the top of the vessel down to the top of the fuel alignment plate. The two probes are located approximately 180 degrees from each other, in opposite core quadrants.

(b) Attachment 1, Item (2)

The following illustrate the utilization of the ICC QDPS displays when monitoring the STPEGS Critical Safety Function trees.

i. Core Cooling - This display is utilized in monitoring the core cooling status tree. Core exit thermocouple temperature, core subcooling, and RVWL indications are utilized.

ii. Inventory - This display is utilized in monitoring the inventory status tree. The only ICC indication utilized is RVWL.

The South Texas QDPS display structure also enables the operators to monitor various subsystems within the plant. Included on these displays is ICC information as follows:

i. RCS - The RCS subsystem display exhibits all of the ICC information, i.e., core subcooling, maximum thermocouple indication, and RVWLS reading. The associated RCS trend display shows the RVWLS variable trends for the previous 30 minutes.

ii. P-T SAT-LMT - The QDPS display structure also includes a pressure-temperature plot as a function of time which illustrates to the operator the RCS temperature margin to saturation. Also illustrated on the display is a digital value corresponding to subcooling margin and auctioneered high quadrant TC average temperature.

iii. SI TERM/REIN - The STPEGS Emergency Operating Procedures utilize ICC indications for specifying the conditions necessary for SI termination and reinitiation.

iv. T/C QUAD TEMP - A QDPS display is also available to the operator which provides a summary of core exit thermocouple quadrant data (minimum, average, and maximum reading) and their relationship to RCS hot leg and cold leg wide range temperatures. Also illustrated on the display is a digital value corresponding to subcooling margin.

v. CORE EXIT T/C MAP - A more detailed level of display is also available on the core exit thermocouples. This page provides a core map of all 50 core exit thermocouples at their respective core locations.

vi. T/C TEMP - Finally, a detailed data list of all 50 core exit TCs is available. The information provided on this page includes the following: the power train associated with each TC; the sensor tag number; the TC location; and the TC reading in degrees Fahrenheit. Also provided on this page are reference junction box RTD readings.

The QDPS display structure provides an integrated display of all the STPEGS RG 1.97, Rev. 2 Category 1 variables, including the ICC instrumentation. The ICC data, which is displayed in a mimic of the reactor vessel, includes: (1) the maximum core exit TC temperature; (2) the core subcooling margin; and (3) the RVWLS reading.

Alarm capability - The core exit thermocouple display pages are designed such that any numeric thermocouple readout greater than 1200°F will be displayed in inverse video and flashed.

The core subcooling margin will indicate "SUBCOOL" when the auctioneered high quadrant TC average temperature is at or below the RCS coolant saturation point. "SUBCOOL" and the respective numeric value in degrees Fahrenheit will be displayed in inverse video when the subcooling margin is less than a specified value. "SUPERHEAT" and the respective numeric value in degrees Fahrenheit will be displayed in inverse video and flashed when the auctioneered high quadrant TC average temperature exceeds the coolant saturation temperature.

Trend Capability - In addition to being displayed on the QDPS, the maximum core exit thermocouple channel, the maximum quadrant average temperature, the RVWLS readings and the core subcooling margin are sent to the QDPS recorder demultiplexer in order to obtain a paper copy of the parameter time history of the respective variables.

(c) Attachment 1, Item (3)

Backup Display - Since the STPEGS QDPS features two redundant trains of display, one train of display units is considered the primary display and the other is considered the backup display. As such, the backup displays for monitoring ICC are also qualified displays. Item (h) below addresses TC operability.

(d) Attachment 1, Item (4)

Human factors consideration of the types and locations of displays and alarms is discussed in Appendix 7A, Section S.5. The ICC display instrumentation is considered in the overall human factors evaluation.

(e) Attachment 1, Item (5)

Conformance to the specific items of Appendix B of NUREG-0737 is addressed in the analysis presented in Appendix 7B. Table 7.5-1 provides further information as to instrument ranges, qualification, and display methodology.

(f) Attachment 1, Item (6)

The QDPS trains are electrically independent, are energized from independent Class 1E power sources, and are separated in accordance with RG 1.75 except in the reactor vessel head, where the required circuits to the TCs are separated to the maximum extent practicable. Both the primary and backup displays and associated hardware are Class 1E.

(g) Attachment 1, Item (7)

The instrumentation for ICC monitoring is seismically and environmentally qualified as discussed in Sections 3.10 and 3.11.

(h) Attachment 1, Item (8)

The QDPS and the ICC monitoring instrumentation are designed to provide 99 percent availability for each channel. The operability requirement of a minimum of four TCs per core quadrant has been addressed in the Technical Specifications.

(i) Attachment 1, Item (9)

Quality assurance requirements for these instruments are addressed in Appendix 7B.

(5) The QDPS features two redundant trains of Class 1E displays. One train of display units is considered the primary display and the other is considered the backup display. The QDPS is also datalinked to the Emergency Response Facilities (ERF) computer which performs independent processing of the ICC instrumentation inputs to independently display all required ICC parameters.

(6) The ICC instrumentation was installed, tested, and operational prior to fuel load.

(7 & 8) The ICC instrumentation is part of the integrated design for STPEGS. Plant-specific emergency operating procedures addressing use of the information from the ICC instrumentation system were developed taking into account recommendations from the C-E generic procedures and from the WOG Emergency Response Guidelines (ERGs). The STPEGS operator training program includes material associated with the use of the ICC instrumentation system.

(9) No additional submittals are anticipated to support the acceptability of the STPEGS ICC instrumentation. Emergency Operating Procedures (EOPs) have been developed and are available for NRC review as required.

II.G.1 EMERGENCY POWER FOR PRESSURIZER EQUIPMENT

Position

Consistent with satisfying the requirements of GDC 10, 14, 15, 17, and 20 of Appendix A to 10 CFR Part 50 for the event of loss-of-coolant power, the following positions shall be implemented:

Power Supply for Pressurizer Relief and Block Valves and Pressurizer Level Indicators.

(1) Motive and control components of the PORVs shall be capable of being supplied from either the offsite power source or the emergency power source when the offsite power is not available.

(2) Motive and control components associated with the PORV block valves shall be capable of being supplied from either the offsite power source or the emergency power source when the offsite power is not available.

(3) Motive and control power connections to the emergency busses for the PORVs and their associated block valves shall be through devices that have been qualified in accordance with safety-grade requirements.

(4) The pressurizer level indication instrument channels shall be powered from the vital instrument busses. The busses shall have the capability of being supplied from either the offsite power source or the emergency power source when offsite power is not available.

Clarification

(1) Although the primary concern resulting from lessons learned from the accident at TMI is that the PORV block valves must be closable, the design should retain, to the extent practicable, the capability to also open these valves.

(2) The motive and control power for the block valve should be supplied from an emergency power bus different from the source supplying the PORV.

(3) Any changeover of the PORV and block valve motive and control power from the normal offsite power to the emergency onsite power is to be accomplished manually in the control room.

(4) For those designs in which instrument air is needed for operation, the electrical power supply should be required to have the capability to be manually connected to the emergency power sources.

Documentation Required

The applicant shall provide sufficient documentation to support a reasonable assurance finding by the NRC that each of the positions stated above are met. The documentation should include, as a minimum, supporting information including system design description, logic diagrams, electrical schematics, test procedures, and Technical Specifications.

Technical Specification Changes Required

Changes to Technical Specifications (if any) should be submitted as part of this response.

STPEGS Response

The following are in response to the above positions and clarifications.

Position

(1) The PORVs are solenoid-operated valves and are Class 1E qualified. Power and control circuits are fed from Class 1E busses. Thus, these valves are capable of being supplied power from either the offsite power source or the emergency onsite power source.

(2) The PORV block valves are motor-operated valves and are Class 1E qualified. Power and control circuits are fed from Class 1E buses. Thus, these valves are capable of being supplied power from either the offsite power source or the emergency onsite power source.

(3) See (1) and (2) above. Motive and control power is supplied to the PORV and their associated block valves through Class 1E devices.

(4) The pressurizer level indication instrumentation and their associated busses are Class 1E qualified and powered from the Class 1E vital instrument buses. As indicated in Section 8.3.1.1.4.5, these vital instrument buses are fed from Class 1E inverters. Thus, they are capable of being supplied from either the offsite power source or the emergency onsite power source.

Clarification

(1) The capability to open or close the PORV block valves is provided from the Main Control Board.

(2) Two parallel sets of PORV and PORV block valves are provided with one set (PORV and block valve in series) assigned to Train A and the other set assigned to Train B. Requirements for redundant closure capability are satisfied by an active fail closed PORV (DC powered) and an active block valve (AC powered).

(3) This does not apply to STPEGS. The power and control circuits are fed from Class 1E circuits.

(4) These valves are not air-operated.

Documentation Required

System descriptions and testing are discussed in Section 8.3.

The pressurizer PORVs are shown on logic diagram Figure 7A.II.G.1-1 and Figure 5.1-3. The PORV block valves are shown on logic diagram Figure 7A.II.G.1-2 and Figure 5.1-3.

Technical Specification Changes Required

The STPEGS Technical Specifications have been submitted.

II.K.1.5 REVIEW OF SAFETY-RELATED VALVE POSITIONS

Position

Review all safety-related valve positions, positioning requirements, and positive controls to assure that valves remain positioned (open or closed) in a manner to ensure the proper operation of engineered safety features. Also review related procedures, such as those for maintenance, testing, plant and system startup, and supervisory periodic (e.g., daily/shift checks) surveillance to ensure that such valves are returned to their correct positions following necessary manipulations and are maintained in their proper positions during all operational modes.

STPEGS Response

Safety-related valve positions, positioning requirements, and controls have been reviewed to assure that valves remain in their correct positions for ESF operation. Plant procedures provide the necessary verifications to ensure that valves are maintained in their correct positions during all operational modes.

II.K.1.10 OPERABILITY STATUS OF SAFETY-RELATED SYSTEMS

Position

Review and modify as necessary your maintenance and test procedures to ensure that they require:

a. Verification, by test or inspection, of the operability of redundant safety-related systems prior to the removal of any safety-related system from service.

b. Verification of the operability of all safety-related systems when they are returned to service following maintenance or testing.

c. Explicit notification of involved reactor operational personnel whenever a safety-related system is removed from and returned to service.

STPEGS Response

a. Procedures require verification that redundant safety-related components are available prior to the removal from service of any safety-related component.

b. Procedures require verification of the operability of safety-related systems when they are returned to service following maintenance or testing.

c. Procedures require notification of appropriate operational personnel when a safety-related system is removed from or returned to service.

II.K.1.17 TRIP PER PRESSURIZER LOW-LEVEL BISTABLE

Position

For your facilities that use pressurizer water level coincident with pressurizer pressure for automatic initiation of safety injection into the reactor coolant system, trip the low pressurizer level set point bistables such that, when the pressurizer pressure reaches the low set point, safety injection would be initiated regardless of the pressurizer level. In addition, instruct operators to manually initiate safety injection when the pressurizer pressure indication reaches the actuation set point whether or not the level indication has dropped to the actuation set point.

STPEGS Response

The STPEGS design does not include the pressurizer water level coincident with pressurizer pressure trip.

II.K.2.13 THERMAL MECHANICAL REPORT - EFFECT OF HIGH PRESSURE INJECTION ON VESSEL INTEGRITY FOR SMALL-BREAK LOSS-OF-COOLANT ACCIDENT WITH NO AUXILIARY FEEDWATER

Position

A detailed analysis shall be performed of the thermal-mechanical conditions in the reactor vessel during recovery from small breaks with an extended loss of all feedwater.

Clarification

The position deals with the potential for thermal shock of reactor vessels resulting from cold SI flow. One aspect that bears heavily on the effects of SI flow is the mixing of SI water with reactor coolant in the reactor vessel. B&W provided a report on July 30, 1980 that discussed the mixing question and the basis for a conservative analysis of the potential for thermal shock to the reactor vessel. Other pressurized water reactor vendors are also required to address this issue with regard to recovery from small breaks with an extended loss of all feedwater. In particular, demonstration shall be provided that sufficient mixing would occur of the cold high-pressure injection water with reactor coolant so that significant thermal shock effects to the vessel are precluded.

STPEGS Response (Historical Context)

The following discussion is retained for "historical purposes." STPEGS' position on pressurized thermal shock is in accordance with 10CFR50.61 and is discussed in UFSAR Section 5.3.3.6.

Westinghouse, in support of the WOG, has performed analyses of the thermal mechanical conditions in generic groupings of Westinghouse reactor vessels during recovery from a spectrum of small LOCAs. The analyses were presented in WCAP-10019, "Summary Report on Reactor Vessel Integrity for Westinghouse Operating Plants", and submitted to the NRC in December 1981.

Plant specific reference nil-ductility transition temperatures (RTNDT) were calculated by Westinghouse and provided to the WOG in a report titled "Calculation of Operating and NTOL Vessel RTNDT Values", dated December 31, 1981 including an Addendum to the report titled "Calculation of RTNDT Values for Westinghouse Domestic Near Term Operating License Reactor Vessels".

The results of this report indicate that the RTNDT values for the STPEGS will remain far below the screening values identified in SECY 82-465 for the entire plant lifetime. On this basis an STPEGS specific analysis is not required.

II.K.2.17 POTENTIAL FOR VOIDING IN THE REACTOR COOLANT SYSTEM DURING TRANSIENTS

Position

Analyze the potential for voiding in the RCS during anticipated transients.

Clarification

The background for this concern and a request for this analysis was originally sent to the B&W licensees in a letter from R. W. Reid, NRC, to all B&W operating plants, dated January 9, 1980.

The results of this evaluation have been submitted by the B&W licensees and are presently undergoing staff review.

STPEGS Response

Westinghouse, in support of the WOG, has performed a study which addresses the potential for void formation in Westinghouse-designed NSSS during natural circulation cooldown/depressurization transients. This study is generic in nature and is applicable to STPEGS. A summary of the results of the study is documented in the Emergency Response Guidelines for low pressure plants.

II.K.2.19 SEQUENTIAL AUXILIARY FEEDWATER FLOW ANALYSIS

Position

Provide a benchmark analysis of sequential auxiliary feedwater flow to the steam generators following a loss of main feedwater.

Clarification

This requirement was originally sent to the B&W licensees in a letter from D. F. Ross, Jr., NRC, to all B&W operating plants, dated August 21, 1979.

The results of this analysis have been submitted by the B&W licensees and are presently undergoing staff review.

STPEGS Response

The NRC has concluded that the concerns expressed by this Action Item are not applicable to plants with inverted U-tube steam generators such as those of STPEGS.

II.K.3.1 INSTALLATION AND TESTING OF AUTOMATIC POWER-OPERATED RELIEF VALVE ISOLATION SYSTEM

Position

All PWR licensees should provide a system that uses the PORV block valve to protect against a small-break LOCA. This system will automatically cause the block valve to close when the RCS pressure decays after the PORV has opened. Justification should be provided to assure that failure of this system would not decrease overall safety by aggravating plant transients and accidents.

Each licensee shall perform a confirmatory test of the automatic block valve closure system following installation.

Clarification

Implementation of this action item was modified in the May 1980 version of NUREG-0660. The change delays implementation of this action item until after the studies specified in TMI Action Plan Item II.K.3.2 have been completed, if such studies confirm that the subject system is necessary.

STPEGS Response

Westinghouse, in support of the WOG, performed the studies required by TMI Action Item II.K.3.2. The results of these studies, WCAP 9804, concluded that with the incorporation of specific post-TMI modifications, which have been implemented on the STPEGS, the reduction in PORV LOCA frequency is such that an automatic PORV block valve closure system is not required.

Therefore, automatic PORV block valve closure is not required in the STPEGS design.

II.K.3.2 REPORT ON OVERALL SAFETY EFFECT OF POWER-OPERATED RELIEF VALVE ISOLATION SYSTEM

Position

(1) The licensee should submit a report for staff review documenting the various actions taken to decrease the probability of a small-break LOCA caused by a stuck-open PORV, and show how those actions constitute sufficient improvements in reactor safety.

(2) Safety valve failure rates based on past history of the operating plants designed by the specific NSSS vendor should be included in the report submitted in response to (1) above.

Clarification

Based on its review of feedwater transients and small LOCAs for operating plants, the Bulletins and Orders Task Force in the NRR recommended that a report be prepared and submitted for staff review that documents the various actions that have been taken to reduce the probability of a small-break LOCA caused by a stuck-open PORV, and show how these actions constitute sufficient improvements in reactor safety. Action Item II.K.3.2 of NUREG-0660, published in May 1980, changed the implementation of this recommendation as follows: In addition to modifications already implemented on PORVs, the report specified above should include safety examination of an automatic PORV isolation system identified in Task Action Plan Item II.K.3.1.

Modifications to reduce the likelihood of a stuck-open PORV will be considered sufficient improvements in reactor safety if they reduce the probability of a small-break LOCA caused by a stuck-open PORV such that it is not a significant contributor to the probability of a small-break LOCA due to all causes. (According to WASH-1400, the median probability of a small-break LOCA S2 with a break diameter between 0.5 in. and 2.0 in. is 10^-3 per reactor-year with a variation ranging from 10^-2 to 10^-4 per reactor-year.) The above-specified report should also include an analysis of safety valve failures based on the operating experience of the PWR vendor designs. The licensee has the option of preparing and submitting either a plant-specific or a generic report. If a generic report is submitted, each licensee should document the applicability of the generic report to his own plant.

Based on the above guidance and clarification, each licensee should perform an analysis of the probability of a small-break LOCA caused by a stuck-open PORV or safety valve. This analysis should consider modifications that have been made since the TMI-2 accident to improve the probability.

This analysis shall evaluate the effect of an automatic PORV isolation system specified in Task Action Plan Item II.K.3.1. In evaluating the automatic PORV isolation system, the potential of causing a subsequent stuck-open safety valve and the overall effect on safety (e.g., effect on other accidents) should be examined.

Actual operational data may be used in this analysis where appropriate. The bases for any assumptions used should be clearly stated and justified.

The results of the probability analysis should then be used to determine whether the modifications already implemented have reduced the probability of a small-break LOCA due to a stuck-open PORV or safety valve a sufficient amount to satisfy the criterion stated above, or whether the automatic PORV isolation system specified in Task Action Item II.K.3.1 is necessary.

In addition to the analysis described above, the licensee should compile operational data regarding pressurizer safety valves for PWR vendor designs. These data should then be used to determine safety valve failure rates.

The analyses should be documented in a report. If this requirement is implemented on a generic basis, each licensee should review the appropriate generic report and document its applicability to his own plant(s). The report and the documentation of applicability (where appropriate) should be submitted for NRC staff review by the specified date.

STPEGS Response

The WOG submitted WCAP-9804, "Probabilistic Analysis and Operational Data in Response to NUREG-0737 Item II.K.3.2 for Westinghouse NSSS Plants", on March 13, 1981. This report provides a probabilistic analysis to determine the probability of a PORV LOCA, estimates the effect of the post-TMI modifications, evaluates an automatic PORV isolation concept, and provides PORV and safety valve operational data for Westinghouse plants. The report is generic and is applicable to STPEGS. WCAP 9804 indicates that a significant reduction in the probability of a small-break LOCA due to a stuck open PORV has been obtained by the incorporation of specific TMI modifications. The report further indicates that this reduction in probability is such that an automatic PORV isolation system is not required; see TMI Action Item II.K.3.1.

II.K.3.3 REPORTING SAFETY AND RELIEF VALVE FAILURES AND CHALLENGES

Position (NUREG-0694)

Assure that any failure of a PORV or safety valve to close will be reported to the NRC promptly. All challenges to the PORVs or safety valves should be documented in the annual report.

Clarification

No clarification provided.

STPEGS Response

As of January 5, 2005, STPEGS no longer documents challenges to the PORVs or safety valves in the monthly Operating Report based on the following relief granted by the NRC in the referenced letter:

The reporting requirements for the [monthly operating report] MOR include challenges to the pressurizer power operated relief valves or pressurizer safety valves. The reporting of challenges to the pressurizer power operated relief valves or pressurizer safety valves was included in TSs based on the guidance in NUREG-0694, "[Three Mile Island] TMI-Related Requirements for New Operating Licensees." The industry proposed and the NRC accepted the elimination of the reporting requirements in TSs for challenges to pressurizer power operated relief valves or pressurizer safety valves in Revision 4 to TSTF-258, "Changes to Section 5.0, Administrative Controls." The NRC staff's acceptance of TSTF-258 and subsequent approval of plant-specific adoptions of TSTF-258 is based on the fact that the information on challenges to relief and safety valves is not used in the evaluation of the MOR data, and that the information needed by the NRC is adequately addressed by the reporting requirements in 10 CFR 50.73, "Licensee event report system."

STPEGS will report to the NRC the failure of a PORV or safety valve to close in accordance with NUREG-1022.

Reference:

Letter, D. H. Jaffe to J. J. Sheppard, "South Texas Project, Units 1 and 2 - Issuance of Amendments re: Deletion of Monthly Operating Reports and Occupational Radiation Exposure Reports (TAC Nos. MC4599 and MC4600)," January 5, 2005 (AE-NOC-05001329)

II.K.3.5 AUTOMATIC TRIP OF REACTOR COOLANT PUMPS DURING LOSS-OF-COOLANT ACCIDENT

Position

Tripping of the reactor coolant pumps in case of a LOCA is not an ideal solution. Licensees should consider other solutions to the small-break LOCA problem (for example, an increase in safety injection flow rate). In the meantime, until a better solution is found, the reactor coolant pumps should be tripped automatically in case of a small-break LOCA. The signals designated to initiate the pump trip are discussed in NUREG-0623.

Clarification

This action has been revised in the May 1980 version of NUREG-0660 to provide for continued study of criteria for early reactor coolant pump trip. Implementation, if any is required, will be delayed accordingly. As part of the continued study, all holders of approved emergency core cooling (ECC) models have been required to analyze the forthcoming LOFT test (L3-6). The capability of the industry models to correctly predict the experimental behavior of this test will have a strong input on the staff's determination of when and how the reactor coolant pumps should be tripped.

STPEGS Response

The NRC, via Generic Letter No. 83-10c ("Resolution of TMI Action Item II.K.3.5, Automatic Trip of Reactor Coolant Pump"), dated February 8, 1983, provided guidelines for the resolution of TMI Action Item II.K.3.5.

Westinghouse, in support of the WOG, performed a study to determine appropriate RCP trip criteria and justification of a manual RCP trip in response to GL 83-10c. The results of this study have been submitted to the NRC by the following:

1. RCP trip criterion incorporation into WOG ERGs, Revision 1, submitted to the NRC by WOG letter OG-111, dated November 30, 1983.

2. Generic applicability of RCP trip criterion, WOG report, "Evaluation of Alternate RCP Trip Criteria", submitted to the NRC by WOG letter OG-110, dated December 1, 1983.

3. Justification of manual RCP trip, WOG report, "Justification of Manual RCP Trip for Small Break LOCA Events", submitted to the NRC by WOG letter OG-117, dated March 12, 1984.

The plant-specific information requested by Generic Letter 83-10c was provided to the NRC in letters from Mr. J. H. Goldberg, Houston Lighting and Power Company to Mr. Darrel G. Eisenhut, NRC, dated December 28, 1983 and May 15, 1984.

The information provided in the above submittals, in conjunction with the incorporation of the guidance of the WOG ERGs, Revision 1, into the STPEGS emergency operation procedures, addresses TMI Action Item II.K.3.5 and Generic Letter 83-10c. Additionally, a partial response to NRC Generic Letter 85-12 regarding "Implementation of TMI Action Item II.K.3.5, 'Automatic Trip of Reactor Coolant Pumps'", was provided in a letter from M. R. Wisenburg to H. L. Thompson dated November 6, 1985 (reference ST-HL-AE-1433).

NRC Review and Conclusions

The NRC review and conclusions are presented in the STP SER, SSER 1, SSER 3, SSER 4, and Inspection Report 87-23. In SSER 4, the NRC concluded, "The Staff considers the applicant's revision acceptable, and thus the issue of RCP trip resolved for South Texas Units 1 and 2".

Inspection Report 87-23 summarized activities performed during an NRC plant inspection which included an evaluation of plant specific aspects of the issue such as selected RCP trip parameter, instrumentation redundancy and uncertainty, potential RCP and RCP-related problems, operator training, and operating procedures. The inspection team found all aspects acceptable and concluded that "TMI Item II.K.3.5 is considered closed".

II.K.3.9 PROPORTIONAL INTEGRAL DERIVATIVE CONTROLLER MODIFICATION

Position

The Westinghouse-recommended modification to the proportional integral derivative (PID) controller should be implemented by affected licensees.

Clarification

The Westinghouse-recommended modification is to raise the interlock bistable trip setting to preclude derivative action from opening the PORV. Some plants have proposed changing the derivative action setting to zero, thereby eliminating it from consideration. Either modification is acceptable to the staff. This represents a newly available option.

STPEGS Response

The PORV PID controllers have been modified to preclude derivative action from opening the PORVs. The input and output jumpers to and from the derivative circuit portion of the controller were removed to prevent derivative action from opening the PORVs.

II.K.3.10 PROPOSED ANTICIPATORY TRIP MODIFICATION

Position

The anticipatory trip modification proposed by some licensees to confine the range of use to high-power levels should not be made until it has been shown on a plant-by-plant basis that the probability of a small-break LOCA resulting from a stuck-open PORV is substantially unaffected by the modification.

Clarification

The evaluation is required for only those licensee/applicants who propose the modification.

STPEGS Response

The South Texas Units 1 and 2 design incorporates this trip modification. The NRC has raised the question of whether the pressurizer PORVs would be actuated for a turbine trip without reactor trip below a power level of 50 percent (P-9 setpoint). A best estimate transient analysis (from 52 percent power) has been performed.

The transient was initiated from the setpoint for the P-9 interlock, namely 50 percent of the reactor full power level plus 2 percent for power measurement uncertainty. This is a conservative starting point and would bracket all transients initiated from a lower power level. The core physics parameters used were the ones that would result in the most positive reactivity feedbacks (i.e., highest resulting power levels). The steam dump valves were assumed to be actuated by the load rejection controller.

Based upon the results from the analysis, the peak pressure reached in the pressurizer is less than the pressurizer PORV setpoint. Thus, the peak pressure would not activate the PORVs.

II.K.3.11 JUSTIFICATION OF USE OF CERTAIN PORVs

Position

A PORV supplied by Control Components, Inc. (CCI) used in the McGuire plant (owned by Duke Power) failed during the functional testing. Because this valve is different from the Copes-Vulcan design, which comprises the operational data for W-designed plants, its failure mechanism and failure rate must be determined to be equitable with that of the Copes-Vulcan valves, in order to include both in the same population. At present, a data base for operational failures for this valve does not exist.

Any plant using or planning to use this valve without modification should provide complete justification for such use in light of this failure. This matter should be addressed on a plant-by-plant basis. The valve should be modified as recommended by the manufacturer and tested. Plants using this valve (modified or unmodified) should record each valve actuation and each valve failure. Failures must be reported to the NRC. The licensee must compare such failure with those of Copes-Vulcan valves with a view toward further modification or replacement, as necessary.

Clarification

No further clarification is required.

STPEGS Response

The PORVs for STPEGS were supplied by the Airesearch Division of the Garrett Corporation. These valves have been subjected to IEEE qualification testing, per WCAP 9688, that includes, but is not limited to, cycling, aging, and radiation exposure that exceeds conditions anticipated in the operating environment.

II.K.3.12 CONFIRM EXISTENCE OF ANTICIPATORY REACTOR TRIP UPON TURBINE TRIP

Position

Licensees with Westinghouse-designed operating plants should confirm that their plants have an anticipatory reactor trip upon turbine trip. The licensee of any plant where this trip is not present should provide a conceptual design and evaluation for the installation of this trip.

Clarification

No further clarification is required.

STPEGS Response

Anticipatory reactor trip upon turbine trip exists in the STPEGS design and is described in Section 7.2.1.1.3.6.

II.K.3.17 REPORT ON OUTAGES OF EMERGENCY CORE COOLING SYSTEMS - LICENSEE REPORT AND PROPOSED TECHNICAL SPECIFICATION CHANGES

Position

Several components of the ECCS are permitted by Technical Specifications to have substantial outage times (e.g., 72 hours for one diesel-generator; 14 days for the high pressure coolant injection system). In addition, there are no cumulative outage time limitations for ECCS. Licensees should submit a report detailing outage dates and lengths of outages for all ECCS for the last 5 years of operation. The report should also include the causes of the outages (i.e., controller failure, spurious isolation, etc.).

Clarification

The present Technical Specifications contain limits on allowable outage times for ECCS and components. However, there are no cumulative outage time limitations on these same systems. It is possible that ECCS equipment could meet present Technical Specification requirements, but have a high unavailability because of frequent outages within the allowable Technical Specifications.

The licensees should submit a report detailing outage dates and length of outages for all ECCS for the last 5 years of operation, including causes of the outages. This report will provide the staff with a quantification of historical unreliability due to test and maintenance outages, which will be used to determine if a need exists for cumulative outage requirements in the Technical Specifications.

Based upon the above guidance and clarification, a detailed report should be submitted. The report should contain (1) outage dates and duration of outages, (2) cause of the outage, (3) ECCS or components involved in the outage, and (4) corrective action taken. Test and maintenance outages should be included in the above listings that are to cover the last 5 years of operation. The licensee should propose changes to improve the availability of ECCS equipment, if needed.

Applicant for an operating license shall establish a plan to meet these requirements.

STPEGS Response

Later rules and regulations for reporting and reliability (i.e., Maintenance Rule, NPRDS, Performance Monitors, INPO Availability Reports, etc.) ensure that the intent of Section II.K.3.17 of NUREG-0737 is met.

II.K.3.25 EFFECT OF LOSS OF ALTERNATING CURRENT POWER ON PUMP SEALS

Position

The licensees should determine, on a plant-specific basis, by analysis or experiment, the consequences of a loss of cooling water to the reactor recirculation pump seal coolers. The pump seals should be designed to withstand a complete loss of AC power for at least 2 hours. Adequacy of the seal design should be demonstrated.

Clarification

The intent of this position is to prevent excessive loss of RCS inventory following an anticipated operational occurrence. Loss of AC power for this case is construed to be loss of offsite power. If seal failure is the consequence of loss of cooling water to the RCP seal coolers for 2 hours due to loss of offsite power, one acceptable solution would be to supply emergency power to the CCW pump. This topic is addressed for B&W reactors in Section II.K.2.16.

STPEGS Response

During normal operation, seal injection flow from the CVCS is provided to cool the RCP seals, and the CCWS provides flow to the thermal barrier heat exchanger to limit the heat transfer from the reactor coolant to the RCP internals. In the event of LOOP, the RCP motor is deenergized and both of these cooling supplies are terminated; however, the diesel generators are automatically started, and CCW to the thermal barrier heat exchanger is automatically restored within seconds (see Table 8.3-3). This is adequate to provide seal cooling and prevent seal failure due to loss of seal cooling during a loss of offsite power. The CCWS and the CVCS are described in Sections 9.2.2 and 9.3.4, respectively.

II.K.3.30 REVISED SMALL-BREAK LOSS-OF-COOLANT ACCIDENT METHODS TO SHOW COMPLIANCE WITH 10 CFR PART 50, APPENDIX K

Position

The analysis methods used by NSSS vendors and/or fuel suppliers for small-break LOCA analysis for compliance with Appendix K to 10CFR50 should be revised, documented, and submitted for NRC approval. The revisions should account for comparisons with experimental data, including data from the LOFT Test and Semiscale Test facilities.

Clarification

As a result of the accident at TMI-2, the Bulletins and Orders Task Force was formed within the NRR. This task force was charged, in part, to review the analytical predictions of feedwater transients and small-break LOCAs for the purpose of assuring the continued safe operation of all operating reactors, including a determination of acceptability of emergency guidelines for operators.

As a result of the task force reviews, a number of concerns were identified regarding the adequacy of certain features of small-break LOCA models, particularly the need to confirm specific model features (e.g., condensation heat transfer rates) against applicable experimental data. These concerns, as they applied to each light-water reactor (LWR) vendor's models, were documented in the task force reports for each LWR vendor. In addition to the modeling concerns identified, the task force also concluded that, in light of the TMI-2 accident, additional systems verification of the small-break LOCA model as required by II.4 of Appendix K to 10CFR50 was needed. This included providing predictions of Semiscale Test S 10B, LOFT Test (L3-1), and providing experimental verification of the various modes of single-phase and two-phase natural circulation predicted to occur in each vendor's reactor during small-break LOCAs.

Based on the cumulative staff requirements for additional small-break LOCA model verification, including both integral system and separate effects verification, the staff considered model revision as the appropriate method for reflecting any potential upgrading of the analysis methods.

The purpose of the verification was to provide the necessary assurance that the small-break LOCA models were acceptable to calculate the behavior and consequences of small primary system breaks. The staff believes that this assurance can alternatively be provided, as appropriate, by additional justification of the acceptability of present small-break LOCA models with regard to specific staff concerns and recent test data. Such justification could supplement or supersede the need for model revision.

The specific staff concerns regarding small-break LOCA models are provided in the analysis sections of the Bulletins and Orders Task Force reports for each LWR vendor (NUREG-0635, -0565, -0626, -0611, and -0623). These concerns should be reviewed in total by each holder of an approved ECCS model and addressed in the evaluation as appropriate.

The recent tests include the entire Semiscale small-break test series and LOFT Tests (L3-1 and L3-2). The staff believes that the present small-break LOCA models can be both qualitatively and quantitatively assessed against these tests. Other separate effects tests (e.g., Oak Ridge National Laboratory core uncovery tests) and future tests, as appropriate, should also be factored into this assessment.

Based on the preceding information, a detailed outline of the proposed program to address this issue should be submitted. In particular, this submittal should identify (1) which areas of the models, if any, the licensee intends to upgrade, (2) which areas the licensee intends to address by further justification of acceptability, (3) test data to be used as part of the overall verification/upgrade effort, and (4) the estimated schedule for performing the necessary work and submitting his information for staff review and approval.

STPEGS Response

[HISTORICAL INFORMATION]

The Westinghouse small-break evaluation model used to analyze the STPEGS units is in conformance with 10CFR50, Appendix K. However, Westinghouse has revised their small-break LOCA analysis model to address NRC concerns. The revised model was submitted to the NRC by Westinghouse in WCAP-10054, dated March 26, 1982. WCAP-10054 is applicable to STPEGS. Section 15.6.5 discusses the small-break LOCA analysis.


II.K.3.31 PLANT-SPECIFIC CALCULATIONS TO SHOW COMPLIANCE WITH 10 CFR PART 50.46

Position

Plant-specific calculations using NRC-approved models for small-break LOCAs, as described in item II.K.3.30 to show compliance with 10CFR50.46, should be submitted for NRC approval by all licensees.

Clarification

See "Clarification" for item II.K.3.30.

STPEGS Response

Westinghouse, in support of the WOG, has performed analyses to resolve the small-break LOCA concern for STPEGS. Consideration of break location sensitivity was necessary due to the asymmetric design of the AFW systems at South Texas.

The analysis was performed with the NRC-approved Westinghouse small-break analysis model using NOTRUMP as described in WCAP-10079-P-A and WCAP-10054-P-A with some modifications made to the model as described in WCAP-11232. The results of current analyses are presented in Section 15.6.5.

III.A.1.1 Upgrade Emergency Preparedness

Information is provided in the South Texas Project Electric Generating Station Emergency Plan.

III.A.1.2 Upgrade Licensee Emergency Support Facilities

Information is provided in the South Texas Project Electric Generating Station Emergency Plan.

III.A.2 IMPROVING LICENSEE EMERGENCY PREPAREDNESS--LONG-TERM

Position

Each nuclear facility shall upgrade its emergency plans to provide reasonable assurance that adequate protective measures can and will be taken in the event of a radiological emergency. Specific criteria to meet this requirement is delineated in NUREG-0654 (FEMA-REP-1), "Criteria for Preparation and Evaluation of Radiological Emergency Response Plans and Preparedness in Support of Nuclear Power Plants".

Changes to Previous Requirements and Guidance

The final regulations on emergency planning (45 FR 55401-55413), which become effective on November 3, 1980, require the submittal and implementation of the radiological emergency response plans of licensees and state and local entities within the plume exposure and ingestion emergency planning zones (EPZ) by January 2, 1981.

NUREG-0654 has been revised to include changes developed from team reviews and comments obtained during the comment period.

The revised NUREG-0654 establishes the schedule for installation of meteorological equipment to meet a prescribed implementation date (also see proposed Revision 1 to RG 1.23). The NRC rule establishes July 1, 1981 as the date when the prompt notification capability is to be functional. Item III.A.1.2 establishes dates when emergency response facilities must be functional.

Clarification

In accordance with Task Action Plan item III.A.1.1, "Upgrade Emergency Preparedness", each nuclear power facility was required to immediately upgrade its emergency plans with criteria provided October 10, 1979, as revised by NUREG-0654 (FEMA-REP-1, issued for interim use and comment, January 1980). New plans were submitted by January 1, 1980, using the October 10, 1979 criteria. Reviews were started on the upgraded plans using NUREG-0654. Concomitant to these actions, amendments were developed to 10 CFR Part 50 and Appendix E to 10 CFR Part 50, to provide the long-term implementation requirements. These new rules were issued in Federal Register on August 19, 1980, with an effective date of November 3, 1980. The revised rules delineate requirements for emergency preparedness at nuclear reactor facilities.

NUREG-0654 (FEMA-REP-1), "Criteria for Preparation and Evaluation of Radiological Emergency Response Plans and Preparedness in Support of Nuclear Power Plants", provides detailed items to be included in the upgraded emergency plans and, along with the revised rules, provides for meteorological criteria, means for providing for a prompt notification to the population, and the need for emergency response facilities (see Item III.A.1.2).

Implementation of the new rules levied the requirement for the licensee to provide procedures implementing the upgraded emergency plans to the NRC for review. Publication of Revision 1 to NUREG-0654 (FEMA-REP-1) which incorporates the many public comments received is expected in October 1980. This is the document that will be used by NRC and FEMA in their evaluation of emergency plans submitted in accordance with the new NRC rules.

NUREG-0654, Revision 1; NUREG-0696, "Functional Criteria for Emergency Response Facilities", and the amendments to 10 CFR Part 50 and Appendix E to 10 CFR Part 50 regarding emergency preparedness, provide more detailed criteria for emergency plans, design, and functional criteria for emergency response facilities and establishes firm dates for submission of upgraded emergency plans for installation of prompt notification systems. These revised criteria for rules supersede previous Commission guidance for the upgrading of emergency preparedness at nuclear power facilities.

Revision 1 to NUREG-0654, "Criteria for Preparation and Evaluation of Radiological Emergency Response Plans and Preparedness in Support of Nuclear Power Plants", provides meteorological criteria to fulfill, in part, the standard that "Adequate methods, systems, and equipment for assessing and monitoring actual or potential offsite consequences of a radiological emergency condition are in use" (see 10 CFR Part 50.47). The position in Appendix 2 to NUREG-0654 outlines four essential elements that can be categorized into three functions: measurements, assessment, and communications.

Proposed Revision 1 to RG 1.23, "Meteorological Measurements Programs in Support of Nuclear Power Plants", has been adopted to provide guidance criteria for the primary meteorological measurements program consisting of a primary system and secondary system(s) where necessary, and a backup system. Data collected from these systems are intended for use in the assessment of the offsite consequences of a radiological emergency condition.

Appendix 2 to NUREG-0654 delineates two classes of assessment capabilities to provide input to the evaluation of offsite consequences of a radiological emergency condition. Both classes of capabilities provide input to decisions regarding emergency actions. The Class A capability should provide information to determine the necessity for notification, sheltering, evacuation, and, during the initial phase of a radiological emergency, making confirmatory radiological measurements. The Class B capability should provide information regarding the placement of supplemental meteorological monitoring equipment, and the need to make additional confirmatory radiological measurements. The Class B capability shall identify the areas of contaminated property and foodstuff requiring protective measures and may also provide information to determine the necessity for sheltering and evacuation.

Proposed Revision 1 to RG 1.23 outlines the set of meteorological measurements that should be accessible from a system that can be interrogated; the meteorological data should be presented in the prescribed format. The results of the assessments should be accessible from this system; this information should incorporate human factors engineering in its display to convey the essential information to the initial decision makers and subsequent management team. An integrated system should allow the eventual incorporation of effluent monitoring and radiological monitoring information with the environmental transport to provide direct dose consequence assessments.

Requirements of the new emergency-preparedness rules under paragraphs 50.47 and 50.54 and the revised Appendix E to Part 50 taken together with NUREG-0654 Revision 1 and NUREG-0696, when approved for issuance, go beyond the previous requirements for meteorological programs. To provide a realistic time frame for implementation, a staged schedule has been established with compensating actions provided for interim measures.

STPEGS Response

The STPEGS response to this item is covered by Section 7A.S (responses to NUREG-737, Supplement 1) and the STPEGS Emergency Plan.

III.D.1.1 INTEGRITY OF SYSTEMS OUTSIDE CONTAINMENT LIKELY TO CONTAIN RADIOACTIVE MATERIAL FOR PRESSURIZED-WATER REACTORS AND BOILING-WATER REACTORS

Position

Applicants shall implement a program to reduce leakage from systems outside Containment that would or could contain highly radioactive fluids during a serious transient or accident to as-low-as-practicable levels. This program shall include the following:

(1) Immediate leak reduction

(a) Implement all practicable leak reduction measures for all systems that could carry radioactive fluid outside of Containment.

(b) Measure actual leakage rates with system in operation and report them to the NRC.

(2) Continuing Leak Reduction - Establish and implement a program of preventive maintenance to reduce leakage to as-low-as-practicable levels. This program shall include periodic integrated leak tests at intervals not to exceed each refueling cycle.

Clarification

Applicants shall provide a summary description, together with initial leak-test results, of their program to reduce leakage from systems outside the Containment that would or could contain coolant or other highly radioactive fluids or gases during or following a serious transient or accident.

(1) Systems that should be leak tested are as follows (any other plant system which has similar functions or post-accident characteristics, even though not specified herein, should be included):

Residual heat removal
Containment spray recirculation
High-pressure injection recirculation
Containment and primary coolant sampling
Reactor core isolation cooling
Makeup and letdown (PWRs only)
Waste gas (includes headers and cover gas system outside of the Containment in addition to decay or storage system)

Include a list of systems containing radioactive materials which are excluded from program and provide justification for exclusion.

(2) Testing of gaseous systems should include helium leak detection or equivalent testing methods.

(3) Should consider program to reduce leakage potential release paths due to design and operator deficiencies as discussed in our letter to all operating nuclear power plants regarding North Anna and related incidents, dated October 17, 1979.

STPEGS Response

Immediate Leak Reduction and Leakage Testing

The following systems have been identified as systems outside Containment that would or could contain highly radioactive fluids during a serious transient or accident:
1. High Head Safety Injection System (recirculation portion only).
2. Low Head Safety Injection System (recirculation portion only).
3. Containment Spray System (recirculation portion only).
4. Containment Hydrogen Monitoring System.
5. Post Accident Sampling System.
6. Primary Sampling System (portion common with PASS).

A leakage reduction plan is being implemented for these systems. This program begins with incorporation into the design of those features that reduce radioactive releases to ALARA levels (Sections 12.3.1 and 12.3.2).

Leakage testing will be incorporated into this program. The program will be based on the requirements of the ASME Boiler and Pressure Vessel (B&PV) Code, Section XI and 10CFR50, Appendix J as applicable. The SI and Containment spray systems are subject to the in-service inspection requirements of the ASME B&PV Code Section XI, including pressure tests. Operating pressure leakage tests will be performed on appropriate portions of the systems identified above at intervals not exceeding refueling outages.

A program to meet III.D.1.1 was implemented prior to fuel load.

Continuing Leak Reduction

The systems included in this program will receive periodic inspection (primarily by system walkdown) for leakage. This inspection will be conducted during the leak testing and at other intervals as determined by maintenance policy. Maintenance will be performed on those components identified as requiring work to limit actual leakage.

Excluded Systems

The following systems are excluded from this program:
1. Liquid Waste Processing System (LWPS). This system is not required to function post-accident and is isolated on phase A Containment isolation.

2. Gaseous Waste Processing System (GWPS). The system is not required to function post-accident and is isolated on phase A Containment isolation.

3. CVCS, letdown portion. The letdown portion of the CVCS is not required to function post-accident. The plant can be brought to a safe condition without the letdown system. The letdown system is isolated on phase A Containment isolation.

4. CVCS, reactor coolant pump seal leak-off portion. The seal leak-off portion of the CVCS is not required to function post-accident. The seal leak-off is isolated on a Containment isolation signal. The system remains isolated post-accident. If seal leak-off is required post-accident, pressure in the seal leak-off header will increase and the header relief valve will lift providing a flow path to the pressurizer relief tank.

5. CVCS, charging portion. The charging portion of the CVCS is not required to function post-accident and is isolated on a Containment isolation signal.

6. CVCS, seal injection portion. The letdown portion of the CVCS is isolated on a Containment isolation signal, therefore the seal injection portion of the CVCS will not contain highly radioactive fluids under post-accident conditions.

Surveillance of the leaktightness of the systems which routinely contain radioactive fluids or gases and are excluded from the program, as listed above, is assured by routine surveillance of the auxiliary building and the airborne radiation monitors in this building. Leaktightness of these systems is determined by the objectives of keeping occupational and routine releases ALARA as described in Section 12.3. The sampling system components are provided with packless valves to minimize discharge caused by leakage.

The portions of the reactor coolant charging, letdown, and pump seal leakoff systems, in use during normal operations, are monitored with the rest of the RCS for leakage during steady-state conditions by the RCS water inventory balance (see Section 5.2.5). Portions of these systems are ASME Class 2 and 3 and are subject to the requirements of the ASME B&PV Code, Section XI.

North Anna and Related Incidents

The STPEGS design has been reviewed with respect to the North Anna and related incidents. The STPEGS design is sufficiently different from the North Anna design to preclude a similar occurrence. The volume control tank (VCT) relief is routed to the recycle holdup tank (RHT). Venting off the holdup tank is routed to the GWPS.

III.D.3.3 IMPROVED INPLANT IODINE INSTRUMENTATION UNDER ACCIDENT CONDITIONS

Position

(1) Each licensee shall provide equipment and associated training and procedures for accurately determining the airborne iodine concentration in areas within the facility where plant personnel may be present during an accident.

(2) Each applicant for a fuel-loading license to be issued prior to January 1, 1981 shall provide the equipment, training, and procedures necessary to accurately determine the presence of airborne radioiodine in areas within the plant where plant personnel may be present during an accident.

Clarification

Effective monitoring of increasing iodine levels in the buildings under accident conditions must include the use of portable instruments using sample media that will collect iodine selectively over xenon (e.g., silver zeolite) for the following reasons:

(1) The physical size of the auxiliary and/or fuel handling building precludes locating stationary monitoring instrumentation at all areas where airborne iodine concentration data might be required.

(2) Unanticipated isolated "hot spots" may occur in locations where no stationary monitoring instrumentation is located.

(3) Unexpectedly high background radiation levels near stationary monitoring instrumentation after an accident may interfere with filter radiation readings.

(4) The time required to retrieve samples after an accident may result in high personnel exposures if these filters are located in high-dose-rate areas.

After January 1, 1981, each applicant and licensee shall have the capability to remove the sampling cartridge to a low-background, low-contamination area for further analysis. Normally, counting rooms in auxiliary buildings will not have sufficiently low backgrounds for such analyses following an accident. In the low background area, the sample should first be purged of any entrapped noble gases using nitrogen gas or clean air free of noble gases. The licensee shall have the capability to measure accurately the iodine concentrations present on these samples under accident conditions. There should be sufficient samplers to sample all vital areas.

For applicants with fuel loading date prior to January 1, 1981, provide by fuel loading (until January 1, 1981) the capability to accurately detect the presence of iodine in the region of interest following an accident. This can be accomplished by using a portable or cart-mounted iodine sampler with attached single-channel analyzer (SCA).

The SCA window should be calibrated to the 365 KeV of iodine-131 using the SCA. This will give an initial conservative estimate of presence of iodine and can be used to determine if respiratory protection is required. Care must be taken to assure that the counting system is not saturated as a result of too much activity collected on the sampling cartridge.

STPEGS Response

STPEGS plans to have onsite approximately 14 portable high volume air samplers, 14 portable low volume air samplers, and 6 portable continuous air samplers. Procedures have been developed to measure the iodine activity entrained on the silver zeolites or carbon filter units. Personnel will be trained to operate the equipment. The counting rooms will have background activity low enough to permit counting; however, shielding materials will be available to facilitate the counting operation as necessary.

The filter units are counted by a high resolution detector and a multichannel analyzer or similar device, thereby eliminating the need for purging noble gases.

III.D.3.4 CONTROL ROOM HABITABILITY REQUIREMENTS

Position

In accordance with Task Action Plan Item III.D.3.4 and control room habitability, licensees shall assure that control room operators will be adequately protected against the effects of accidental release of toxic and radioactive gases, and that the nuclear power plant can be safely operated or shut down under design basis accident conditions (Criterion 19, "Control Room", of Appendix A, "General Design Criteria for Nuclear Power Plants", to 10CFR50).

Clarification

(1) All licensees must make a submittal to the NRC regardless of whether or not they met the criteria of the referenced SRP sections. The new clarification specifies that licensees that meet the criteria of the SRPs should provide the basis for their conclusion that SRP 6.4 requirements are met. Licensees may establish this basis by referencing past submittals to the NRC and/or providing new or additional information to supplement past submittals.

(2) All licensees with control rooms that meet the criteria of SRP sections 2.2.1 through 2.2.2 Identification of Potential Hazards in Site Vicinity, 2.2.3 Evaluation of Potential Accidents, and 6.4 Habitability of Systems, shall report their findings regarding the specific SRP sections, as explained below. The following documents should be used for guidance:

(a) RG 1.78, "Assumptions for Evaluating the Habitability of Regulatory Power Plant Control Room During a Postulated Hazardous Chemical Release";

(b) RG 1.95, "Protection of Nuclear Power Plant Control Room Operators Against an Accident Chlorine Release"; and,

(c) K. G. Murphy and K. M. Campe, "Nuclear Power Plant Control Room Ventilation System Design for Meeting General Design Criterion 19", 13th AEC Air Cleaning Conference, August 1974.

Licensees shall submit the results of their findings, as well as the basis for those findings, by January 1, 1981. In providing the basis for the habitability finding, licensees may reference their past submittals. Licensees should, however, ensure that these submittals reflect the current facility design and that the information requested in Attachment 1 is provided.

(3) All licensees with control rooms that do not meet the criteria of the above-listed references, SRPs, RGs, and other references shall perform the necessary evaluations and identify appropriate modifications.

Each licensee submittal shall include the results of the analyses of control room concentrations from postulated accidental release of toxic gases, control room operator radiation exposures from airborne radioactive material, and direct radiation resulting from design basis accidents. The toxic gas accident analysis should be performed for all potential hazardous chemical releases occurring either on the site or within 5 miles of the plant-site boundary. RG 1.78 lists the chemicals most commonly encountered in the evaluation of control room habitability, but is not all inclusive.

The design basis accident (DBA) radiation source term should be for the LOCA Containment leakage and ESF leakage contribution outside Containment, as described in Appendices A and B of SRP Chapter 15.6.5. In addition, BWR facility evaluations should add any leakage from the main steam isolation valves (MSIV) (i.e., valve-stem leakage, valve seat leakage, MSIV leakage control system release) to the Containment leakage and ESF leakage following a LOCA. This should not be construed as altering the staff recommendations in Section D of RG 1.96, Rev. 2 regarding MSIV leakage-control systems. Other DBAs should be reviewed to determine whether they might constitute a more severe control room hazard than the LOCA.

In addition to the accident analysis results, which should either identify the possible need for control room modifications or provide assurance that the habitability systems will operate under all postulated conditions, permitting the control room operators to remain in the control room to take appropriate actions required by GDC 19, the licensee should submit sufficient information needed for an independent evaluation of the adequacy of the habitability systems. Attachment 1 lists the information that should be provided along with the licensee's evaluation.

III.D.3.4 ATTACHMENT 1, INFORMATION REQUIRED FOR CONTROL-ROOM HABITABILITY EVALUATION

(1) Control-room mode of operation, i.e., pressurization and filter recirculation for radiological accident isolation or chlorine release

(2) Control-room characteristics

(a) air volume control room

(b) control-room emergency zone (control room, critical files, kitchen, washroom, computer room, etc.)

(c) control-room ventilation system schematic with normal and emergency air-flow rates

(d) infiltration leakage rate

(e) HEPA filter and charcoal absorber efficiencies

(f) closest distance between Containment and air intake

(g) layout of control room, air intakes, Containment building, and chlorine, or other chemical storage facility with dimensions

(h) control-room shielding including radiation streaming from penetrations, doors, ducts, stairways, etc.

(i) automatic isolation capability - damper closing time, damper leakage, and area

(j) chlorine detectors or toxic gas (local or remote)

(k) self-contained breathing apparatus availability (number)

(l) bottled air supply (hours supply)

(m) emergency food and potable water supply (how many days and how many people)

(n) control-room personnel capacity (normal and emergency)

(o) potassium iodide drug supply

(3) Onsite storage of chlorine and other hazardous chemicals

(a) total amount and size of container

(b) closest distance from control-room air intake

(4) Offsite manufacturing, storage, or transportation facilities of hazardous chemicals

(a) identify facilities within a 5-mile radius

(b) distance from control room

(c) quantity of hazardous chemicals in one container

(d) frequency of hazardous chemical transportation traffic (truck, rail, and barge)

(5) Technical specifications (refer to standard technical specifications)

(a) chlorine detection system

(b) control-room emergency filtration system including the capability to maintain the control-room pressurization at 1/8-inch water gauge, verification of isolation by test signals and damper closure times, and filter testing requirements.

STPEGS Response

The safety design basis for the habitability system for the control room is defined in Section 6.4. The design of the habitability system meets the appropriate recommendations of RGs 1.78 and 1.95 and the requirements of GDC 19.

The results of dose calculations for the design basis accidents (except small line break outside containment) are presented in the respective accident descriptions in Chapter 15.

The information requested by Item III.D.3.4, Attachment 1, is provided as indicated below:

Attachment 1 Item No.         STPEGS UFSAR Section
(1), (2)(b), (g), (k)-(o)     6.4
(2)(a), (d), (e), (f)         Appendix 15.D
(2)(c)                        9.4
(2)(h)                        12.3
(2)(i)                        9.4, 6.4
(2)(j)                        2.2, 6.4
(3)(a),(b)                    2.2, 6.4
(4)(a)-(d)                    2.2
(5)                           Technical Specifications - STP does not use a chlorine detection system

CN-3137

Supplement 1 to NUREG-0737
Emergency Response Capability

S.1 INTRODUCTION

This supplement was prepared as a result of a review by the Committee to Review Generic Requirements (CRGR). The supplement represents the staff's attempt to distill the fundamental requirements for nuclear plant Emergency Response Capability from the wide range of guidance documents that the NRC has issued. It is not intended that these guidance documents (NUREG reports and Regulatory Guides) be implemented as written; rather, they should be regarded as useful sources of guidance for licensees and NRC staff regarding acceptable means for meeting the fundamental requirements contained in this document. It is also not intended that either the guidance documents or the fundamental requirements are to be considered binding legal requirements at this time. As indicated below, however, the fundamental requirements will be translated into binding legal requirements in the manner specified.

These requirements are a further delineation of the general guidance issued previously by the Commission in its regulations, orders and policy statements on emergency planning and TMI issues. It is intended that these requirements would be applicable to licensees of operating nuclear power plants. For applicants for a construction permit (CP) or manufacturing license (ML), the requirements described in this document must be supplemented with the specific provisions in the rule specifying licensing requirements for pending CP and ML applications. Thus, compliance with requirements in this document may not be sufficient to meet the related requirements in 10 CFR 50.34(f) and Appendix E. In this regard, it is expected that the staff would review CP and ML applications against the guidance in the current Standard Review Plan (which includes the provisions of NUREG-0718) and this might lead to more detailed requirements than prescribed in this document in order to satisfy the requirements of 50.34(f) and Appendix E.

Based on discussions with licensees, the staff has learned that many of the Commission-approved schedules for emergency response facilities probably will not be met. In recognition of this fact and the difficulty of implementing generic deadlines, plant-specific schedules will be established which take into account the unique status of each plant. The following sequence for developing implementation schedules will be used.

The requirements for emergency response capabilities and facilities are being transmitted to licensees by this supplement and are being promulgated to NRC staff. The letter which forwards this supplement requests that licensees submit a proposed schedule for completing actions to comply with the requirements.

Each licensee's proposed schedule will then be reviewed by the assigned NRC Project Manager, who will discuss the subject with the licensee and mutually agree on schedules and completion dates. The implementation dates will then be formalized into an enforceable document.

The requirements in this document do not alter previously issued guidance, which remains in effect. This document does attempt to place that guidance in perspective by identifying the elements that the NRC staff believes to be essential to upgrade emergency response capabilities. The proposal to formalize implementation dates in an enforceable document reflects the level of importance which the NRC staff attributes to these requirements. The Commission does not believe that existing guidance should be imposed in this manner, but rather that it be used as guidance to be considered in upgrading emergency response capabilities. This indicates the distinction which the staff believes should be made between the requirements and guidance.

The following sections describe the requirements, their interrelationships, and NRC actions to improve management of emergency response regulations. Reference documents are cited with a description of content as it relates to specific initiatives.

The requirements set forth in this document have been reviewed by the Commission and, at a meeting held July 16, 1982, were approved by the Commission as appropriately clarifying and providing greater detail with respect to related TMI Action Plan requirements contained in NUREG-0737 for all operating license applicants. These requirements are, therefore, to be accorded the status of approved NUREG-0737 items as set forth in the Commission's "Statement of Policy: Further Commission Guidance for Power Reactor Operating Licenses" (45 FR 85236, December 24, 1980).

In this connection, the provisions for scheduling set forth herein supersede any schedules with respect to such items contained in NUREG-0737. Accordingly, the requirements should be used by the staff and by adjudicatory boards as appropriate clarifications and interpretation of the related NUREG-0737 items.

The requirements set forth in this document are believed to be consistent with the requirements regarding related items for construction permits and manufacturing licenses contained in 10 CFR 50.34(f) and 10 CFR Part 50, Appendix E. Accordingly, no changes to these regulations are required.

STPEGS Response The requirements and guidance of Supplement 1 to NUREG

-0737 have been considered during the various activities related to developing the STPEGS Emergency Response Capabilities. Specific STPEGS responses to items identified in the supplement are presented in the sections that follow.

The STPEGS response to Generic Letter 82

-33, which transmitted Supplement 1 to NUREG

-0737, was provided by ST

-HL-AE-944, Mr. J. H. Goldberg of Houston Lighting & Power to Mr. Darrell G. Eisenhut, U. S. Nuclear Regulatory Commission, dated April 14, 1983.

S.2 USE OF EXISTING DOCUMENTATION

The following NUREG documents are intended to be used as sources of guidance and information, and the RGs are to be considered as guidance or as an acceptable approach to meeting formal requirements. The items by virtue of their inclusion in these documents shall not be misconstrued as requirements to be levied on licensees or as inflexible criteria to be used by NRC staff reviewers.

NUREG Report - Title

0696 - Functional Criteria for Emergency Response Facilities

0700 - Guidelines for Control Room Design Reviews

0799 - Draft Criteria for Preparation of Emergency Operating Procedures (to be superseded by NUREG-0899)

0801 - Evaluation Criteria for Detailed Control Room Design Reviews

0814 - Methodology for Evaluation of Emergency Response Facilities

0818 - Emergency Action Levels for Light Water Reactors

0835 - Human Factors Acceptance Criteria for SPDS

0899 - Guidelines for the Preparation of Emergency Operating Procedures: Resolution of Comments on NUREG-0799

Regulatory Guide - Title

1.23 (Rev. 1) - Meteorological Measurement Program for Nuclear Power Plants

1.97 (Rev. 2) - Instrumentation for Light-Water Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident

1.101 (Rev. 2) - Emergency Planning for Nuclear Power Plants

1.47 - Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems

STPEGS Response

The above NUREG documents and RGs were used by STPEGS as guidance in developing the STPEGS Emergency Response Capabilities.

S.3 COORDINATION AND INTEGRATION OF INITIATIVES

S.3.1 The design of the SPDS, design of instrument displays based upon RG 1.97 guidance, CRDR, development of function-oriented emergency operating procedures, and operating staff training should be integrated with respect to the overall enhancement of operator ability to comprehend plant conditions and cope with emergencies. Assessment of information needs and display formats and locations should be performed by individual licensees. The SPDS could affect other control room improvements that licensees may consider. In some cases, a good SPDS may obviate the need for large-scale control room modifications. Installation of the SPDS should not be delayed by slower progress on other initiatives, and should not be contingent upon completion of the control room design review. Nor should other initiatives, such as upgraded emergency operating procedures, be impacted by delays in SPDS procurement. While the NRC does not plan to impose additional requirements upon licensees regarding SPDS, the NRC will work with the industry to assure the development of appropriate industry standards for SPDS systems.

S.3.2 Implementation of part or all of RG 1.97 (Rev. 2) represents a control room improvement. The implementation of control room improvements is not contingent upon implementing TSC and EOF requirements.

S.3.3 The TSC and EOF are dependent upon control room improvements in terms of communication and instrumentation needs among the TSC, EOF, and control room. TSC and EOF facilities are not necessarily dependent upon each other. The Operational Support Center (OSC) is independent of TSC and EOF.

S.3.4 The three groups of initiatives - SPDS, control room improvements, and emergency response facilities (TSC, EOF, OSC) - have the following interrelationships:

a. The SPDS is an improvement because it enhances operator ability to comprehend plant conditions and interact in situations that require human intervention. The SPDS could affect other control room improvements that licensees may consider. In some cases, a good SPDS could obviate the need for extensive modifications to control rooms.
b. New instrumentation that may be added to the control room should be considered a requirement for inclusion in the design of the TSC and EOF only to the extent that such instrumentation is essential to the performance of TSC and EOF functions.
c. The SPDS and control room improvements are essential elements in operator training programs and the upgraded plant-specific emergency operating procedures.

d. Acquisition, processing, and management of data for SPDS, control room improvements, and emergency response facilities should be coordinated.

S.3.5 Specific implementation plans and reasonable, achievable schedules for improvements that will satisfy the requirements will be established by agreement between the NRC Project Manager and each individual licensee. The NRC office responsible for implementing each requirement will develop procedures identifying the following.

a. The respective roles of NRR, IE, and Regional Offices in managing implementation, checking licensee rate of progress, and verifying compliance, including the extent to which NRC review and inspection is necessary during implementation.
b. Procedural methods and enforcement measures that could be used to ensure NRC staff and licensee attention to meeting mutually agreed upon schedules without significant delays and extensions.

S.3.6 The NRC Project Manager for each nuclear power plant is assigned program management responsibility for NRC staff actions associated with implementing emergency response initiatives. The NRC Project Manager is the principal contact for the licensee regarding these initiatives.

S.3.7 The NRC will make allowances for work already done by licensees in a good-faith effort to meet requirements as they understand them. For each case in which a licensee would have to remove or rip out emergency response facilities or equipment that was installed in good faith to meet previous guidance in order to meet the basic requirements described in this document, the Director of the Office of Nuclear Reactor Regulation or Inspection and Enforcement will review the circumstances and determine whether removal is necessary or existing facilities or equipment represent an acceptable alternative. Any regulatory position that would require the removal or major modification of existing emergency response facilities or equipment requires the specific approval of the responsible Office Director.

S.3.8 The NRC recognizes that acceptable alternative methods of phasing and integrating emergency response activities may be developed. Each licensee needs flexibility in integrating these activities, taking into account the varying degree to which the licensee has implemented past requirements and guidance. An example of a way in which these activities could be integrated is discussed below.

Other methods of integration proposed by licensees would be reviewed considering licensees' progress on each initiative.

a. SPDS

(1) Review the functions of the nuclear power plant operating staff that are necessary to recognize and cope with rare events that (a) pose significant contributions to risk, (b) could cause operators to make cognitive errors in diagnosing them, and (c) are not included in routine operator training programs.

(2) Combine the results of this review with accepted human factors principles to select parameters, data display, and functions to be incorporated in the SPDS.

(3) Design, build, and install the SPDS in the control room and train its users.

b. To be done in parallel without delaying SPDS, complete emergency operating procedure technical guidelines that will be used to develop plant-specific emergency operating procedures.

c. Using these EOP technical guidelines, the SPDS design, and accepted human factors principles, conduct a review of the control room design. Apply the results of this review to:

(1) Verify SPDS parameter selection, data display, and functions.

(2) Develop plant-specific EOPs.

(3) Design control room modifications that correct conditions adverse to safety (reduce significant contributions to risk), and add additional instrumentation that may be necessary to implement RG 1.97.

(4) Train and qualify plant operating staff regarding upgraded EOPs and modifications.

d. Verify, prior to finalization of designs for modifications and of procedures and training, that the functions of control room operators in emergencies can be accomplished (i.e., that the individual initiatives have been integrated sufficiently to meet the needs of control room operators and provide adequate emergency response capabilities).
e. Implement EOPs and install control room modifications coincident with scheduled outages as necessary, and train operators in advance of these changes as they are phased into operation.

STPEGS Response

The various aspects of developing the STPEGS Emergency Response Capabilities were coordinated and integrated to provide plant facilities and procedures that enhance the operator's ability to comprehend plant conditions and cope with emergencies.

The SPDS for STPEGS is implemented by the ERFDADS.

The design of the ERFDADS, the design of the control room, and the incorporation of RG 1.97 recommendations were integrated via the CRDR process and implementation of RG 1.97. The WOG ERGs were reviewed to determine appropriate instrumentation and displays for the control room and the ERFDADS.

The WOG ERGs, the results of the CRDR, and the implementation of RG 1.97, Rev. 2, were used to develop the STPEGS Emergency Operating Procedures (EOPs).

The STPEGS operator training is based upon the plant design and EOPs that result from the integrated process described above and in the following sections of this Appendix.

S.4. SAFETY PARAMETER DISPLAY SYSTEM (SPDS)

S.4.1 Requirements

a. The SPDS should provide a concise display of critical plant variables to the control room operators to aid them in rapidly and reliably determining the safety status of the plant. Although the SPDS will be operated during normal operations as well as during abnormal conditions, the principal purpose and function of the SPDS is to aid the control room personnel during abnormal and emergency conditions in determining the safety status of the plant and in assessing whether abnormal conditions warrant corrective action by operators to avoid a degraded core. This can be particularly important during anticipated transients and the initial phase of an accident.
b. Each operating reactor shall be provided with an SPDS that is located convenient to the control room operators. This system will continuously display information from which the plant safety status can be readily and reliably assessed by control room personnel who are responsible for the avoidance of degraded and damaged core events.
c. The control room instrumentation required (see GDC 13 and 19 of Appendix A to 10 CFR 50) provides the operators with the information necessary for safe reactor operation under normal, transient, and accident conditions. The SPDS is used in addition to the basic components and serves to aid and augment these components. Thus, requirements applicable to control room instrumentation are not needed for this augmentation (e.g., GDC 2, 3, 4 in Appendix A; 10 CFR Part 100; single-failure requirements). The SPDS need not meet requirements of the single-failure criteria and it need not be qualified to meet Class 1E requirements. The SPDS shall be suitably isolated from electrical or electronic interference with equipment and sensors that are in use for safety systems. The SPDS need not be seismically qualified, and additional seismically qualified indication is not required for the sole purpose of being a backup for SPDS. Procedures which describe the timely and correct safety status assessment when the SPDS is and is not available, will be developed by the licensee in parallel with the SPDS. Furthermore, operators should be trained to respond to accident conditions both with and without the SPDS available.

d. There is a wide range of useful information that can be provided by various systems. This information is reflected in such staff documents as NUREG-0696, NUREG-0835, and RG 1.97. Prompt implementation of an SPDS can provide an important contribution to plant safety. The selection of specific information that should be provided for a particular plant shall be based upon engineering judgment of individual plant licensees, taking into account the importance of prompt implementation.

e. The SPDS display shall be designed to incorporate accepted human factors principles so that the displayed information can be readily perceived and comprehended by SPDS users.

f. The minimum information to be provided shall be sufficient to provide information to plant operators about:

(i) Reactivity control

(ii) Reactor core cooling and heat removal from the primary system

(iii) Reactor coolant system integrity

(iv) Radioactivity control

(v) Containment conditions

The specific parameters to be displayed shall be determined by the licensee.

S.4.2 Documentation and NRC Review

a. The licensee shall prepare a written safety analysis describing the basis on which the selected parameters are sufficient to assess the safety status of each identified function for a wide range of events, which include symptoms of severe accidents. Such analysis, along with the specific implementation plan for SPDS, shall be reviewed as described below.

b. The licensee's proposed implementation of an SPDS system shall be reviewed in accordance with the licensee's Technical Specifications to determine whether the changes involve an unreviewed safety question or change of Technical Specifications. If they do, they shall be processed in the normal fashion with prior NRC review. If the changes do not involve an unreviewed safety question or a change in the Technical Specifications, the licensee may implement such changes without prior approval by NRC or may request a pre-implementation review and approval. If the changes are to be implemented without prior NRC approval, the licensee's analysis shall be submitted to NRC promptly upon completion of review by the licensee's offsite safety review committee. Based on the results of NRC review, the Director of IE or the Director of NRR may request or direct the licensee to cease implementation if a serious safety question is posed by the licensee's proposed system, or if the licensee's analysis is seriously inadequate.

S.4.3 Integration

Prompt implementation of an SPDS is a design goal and of primary importance. The schedule for implementing SPDS should not be impacted by schedules for the CRDR and development of function-oriented emergency operating procedures. For this reason, licensees should develop and propose an integrated schedule for implementation in which the SPDS design is an input to the other initiatives. If reasonable, this schedule will be accepted by NRC.

S.4.4 Reference Documents

NUREG-0660 - Need for SPDS identified

NUREG-0737 - Specified SPDS

NUREG-0696 - Functional Criteria for SPDS

NUREG-0835 - Specific acceptance criteria keyed to NUREG-0696

RG 1.97 - Instrumentation for Light-Water Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident (Rev. 2).

STPEGS Response

An SPDS, as described above, has been implemented via the ERFDADS, as described in Section 7.5.7. The design of the ERFDADS is integrated with the implementation of RG 1.97 (Section S.6 of this Supplement and Appendix 7B) and the CRDR (Section S.5 of this Supplement).

The STPEGS Safety Parameter Display System Safety Analysis Report was provided to the NRC by letter ST-HL-AE-1861, from Mr. M. R. Wisenburg of HL&P to Mr. Vincent S. Noonan, U.S. NRC, dated December 23, 1986.

The following correspondence from M. A. McBurnett, HL&P to the NRC, responds to the staff's concerns identified during the SPDS Audit and documented in Section 18.2 of the STPEGS Safety Evaluation Report (SER) Supplements 4 and 6:

a. ST-HL-AE-2589, dated March 18, 1988.
b. ST-HL-AE-2962, dated February 2, 1989.

S.5. DETAILED CONTROL ROOM DESIGN REVIEW

S.5.1 Requirements

a. The objective of the control room design review is to "improve the ability of nuclear power plant control room operators to prevent accidents or cope with accidents if they occur by improving the information provided to them" (from NUREG-0660, Item I.D.1). As a complement to improvements of plant operating staff capabilities in response to transients and other abnormal conditions that will result from implementation of the SPDS and from upgraded emergency operating procedures, this design review will identify any modifications of control room configurations that would contribute to a significant reduction of risk and enhancement in the safety of operation. Decisions to modify the control room would include consideration of long-term risk reduction and any potential temporary decline in safety after modifications resulting from the need to relearn maintenance and operating procedures. This should be carefully reviewed by persons competent in human factors engineering and risk analysis.

b. Conduct a control room design review to identify human engineering discrepancies. The review shall consist of:

(i) The establishment of a qualified multidisciplinary review team and a review program incorporating accepted human engineering principles.

(ii) The use of function and task analysis (that had been used as the basis for developing emergency operating procedures, Technical Guidelines, and plant specific emergency operating procedures) to identify control room operator tasks and information and control requirements during emergency operations. This analysis has multiple purposes and should also serve as the basis for developing training and staffing needs and verifying SPDS parameters.

(iii) A comparison of the display and control requirements with control room inventory to identify missing displays and controls.

(iv) A control room survey to identify deviations from accepted human factors principles. This survey will include, among other things, an assessment of the control room layout, the usefulness of audible and visual alarm systems, the information recording and recall capability, and the control room environment.

c. Assess which human engineering discrepancies are significant and should be corrected. Select design improvements that will correct those discrepancies. Improvements that can be accomplished with an enhancement program (paint-tape-label) should be done promptly.

d. Verify that each selected design improvement will provide the necessary correction, and can be introduced in the control room without creating any unacceptable human engineering discrepancies because of significant contribution to increased risk, unreviewed safety questions, or situations in which a temporary reduction in safety could occur. Improvements that are introduced should be coordinated with changes resulting from other improvement programs such as SPDS, operator training, new instrumentation (RG 1.97, Rev. 2), and upgraded EOPs.

S.5.2 Documentation and NRC Review

a. All licensees shall submit a program plan within two months of the start of the control room review that describes how items A, B and C above will be accomplished. The staff will review the program plans as licensees conduct their reviews, and selected licensees will undergo an in-progress audit by the NRR human factors staff based on the program plans and advice from resident inspectors and Project Managers.

b. All licensees shall submit a summary report of the completed review outlining proposed control room changes, including their proposed schedules for implementation. The report will also provide a summary justification for human engineering discrepancies with safety significance to be left uncorrected or partially corrected.
c. The staff will review the summary reports, and within two weeks after receipt of the licensee's summary report, will inform licensees whether a pre-implementation onsite audit will be conducted. The decision will be based upon the content of the program plan, the summary report, and the results of NRR in-progress audits, if any. The licensee selection for pre-implementation audit may or may not include licensees selected for in-progress audits under paragraph 1.

d. For control rooms selected for pre-implementation onsite audit, within one month after receipt of the summary report, the NRC will conduct:

(i) A pre-implementation audit of proposed modifications (e.g., equipment additions, deletions and relocations, and proposed modifications).

(ii) An audit of the justification for those human engineering discrepancies of safety significance to be left uncorrected or only partially corrected. The audit will consist of a review of the licensee's record of the control room reviews, discussions with the licensee review team, and usually a control room visit. Within a month after this onsite audit, NRC will issue its safety evaluation report (SER).

e. For control rooms for which NRC does not perform a pre-implementation onsite audit, NRC will conduct a review and issue its SER within two months after receipt of the licensee's summary report. The review shall be similar to that conducted for pre-implementation plants under paragraph 4 above, except that it does not include a specific audit. The SER shall indicate whether, based upon the review carried out, changes in the licensee's modification plan are needed to assure operational safety. Flexibility is considered in the control room review, because certain control board discrepancies can be overcome by techniques not involving control board changes. These techniques could include improved procedures, improved training, or the SPDS.

f. The following approach will be used for operating license (OL) review. For OL applications with Safety Evaluation Report Supplement (SSER) dates prior to June 1983, licensing may be based on either a Preliminary Design Assessment or a CRDR at the applicant's option. However, applicants who choose the Preliminary Design Assessment option are required to perform a CRDR after licensing. For applications with SSER dated after June 1983, CRDR will be required prior to licensing.

g. After the staff has issued an SER and licensees have addressed any open issues, they may begin their upgrade according to an approved schedule that has been negotiated with the staff.

S.5.3 Reference Documents

NUREG-0585 - States that licensees should conduct review.

NUREG-0660 (Rev. 1) - States that NRR will require reviews for operating reactors and operating licensee applicants.

NUREG-0700 - Final guidelines for CRDR.

NUREG-0737 - States that requirement was issued June 1980, final guidance not yet issued.

NUREG-0801 - Staff evaluation criteria.

STPEGS Response

The STPEGS CRDR represents a comprehensive effort to comply with NUREG-0700, NUREG-0801, and NUREG-0737, Supplement 1.

The various aspects of the CRDR are described in the documentation listed below:

a. Program Plan - Defines the plan for performing the CRDR.
b. Criteria Report - Provides the detailed guidelines and basis for the CRDR and describes the interface between the control room and plant systems. This report also includes review procedures, plant conventions, and human factors data developed during the CRDR that will facilitate future control room modifications.

c. Operating Experience Review (OER) Report - Describes the operations personnel review process, results, conclusions, and recommendations of this task defined in the Program Plan.

d. System Function and Task Analysis (SFTA) Report - Describes the methodology, results, conclusions, and recommendations for this SFTA effort defined in the Program Plan.

e. Control Room Survey (CRS) Report - Describes the review process, results, conclusions, and recommendations of this task defined in the Program Plan. This report also includes the final results and dispositions for the human factors observations obtained from the OER and SFTA.

f. Annunciator Report - Describes the review process, results, conclusions, and recommendations of the annunciator review task defined in the Program Plan, and the annunciator study guide.

g. Special Studies Report - Describes details of miscellaneous studies performed as part of the CRDR. This includes the anthropometric study, the hierarchical labeling study, the demarcation study, evaluation of specified parameters, and many minor studies to resolve NRC audit comments.

h. Implementation Plan Report - Summarizes the control panel design changes resulting from the implementation of RG 1.97 requirements, engineering design requirements, and preliminary observation of the CRDR design review team. It describes the reasons for major changes to the control panel layouts.

i. SFTA Validation Report - Summarizes the second review required because of the extensive revisions made to the control panel layouts and also includes walk-through/talk-through exercises performed in the mock-up area.

j. OER Validation Report - Summarizes the review made by operators to determine if the redesigned panels corrected reported operator concerns and evaluate if any new problems were created as a result of the corrective measures taken.

k. CRS Validation Report - Summarizes the review made to determine if the Category A and representative samples of the Category B HEDs were satisfactorily corrected and if any new problems were created.

l. Executive Summary - Summarizes the CRDR results, conclusions, recommendations, and schedules for remaining work. Technical details are in the Operating Experience Review Report, the System Function and Task Analysis Report, the Annunciator Report, the Control Room Survey Report, the Special Studies Report, the Implementation Plan Report, and various validation reports.

The above documentation was provided to the NRC by letter ST-HL-AE-1080, Mr. J. H. Goldberg of Houston Lighting & Power Company to Mr. Darrell G. Eisenhut, U. S. Nuclear Regulatory Commission, dated April 12, 1984.

The following documentation was provided to the NRC by letter ST-HL-AE-1228, from Mr. M. R. Wisenburg of Houston Lighting and Power Company to Mr. George W. Knighton, U. S. Nuclear Regulatory Commission, dated April 15, 1985:

m. Executive Summary Addendum 1 - Updates the schedule of remaining CRDR activities following the submittal of the Executive Summary Report.

n. Human Engineering Discrepancy Resolution Report - Summarizes all category A, B, C, and D HED resolutions.

The following documentation was provided to the NRC by Letter ST-HL-AE-1290; M. R. Wisenburg, HL&P to George W. Knighton, NRC; dated July 9, 1985.

o. Revised Appendix L of the CRDR Criteria Report. Provided standard abbreviations list for all STPEGS labeling.

Revised pages of the Human Engineering Discrepancy Resolution Report, to clarify wording, were provided to the NRC by letter ST-HL-AE-1342, from Mr. M. R. Wisenburg of Houston Lighting and Power Company to Mr. George W. Knighton, U.S. Nuclear Regulatory Commission, dated September 4, 1985.

The following documentation was provided to the NRC via letters ST-HL-AE-1860, dated December 23, 1986, and ST-HL-AE-1864, dated December 26, 1986, each from Mr. M. R. Wisenburg of Houston Lighting and Power Company to Mr. Vincent S. Noonan, U.S. Nuclear Regulatory Commission:

p. Criteria Report revised pages - Updates CRDR criteria for the Safety Parameter Display System, process computer guidelines, guidelines specific to CRT displays, and the standard abbreviations and acronyms for STPEGS labeling.

q. Emergency Operating Procedures Validation Report - Summarizes the validation process used for the Emergency Operating Procedures and the results as they involve the control panels.

r. Human Engineering Discrepancy Resolution Report Addendum 1 - Summarizes all Category A, B, C and D HED resolutions for HEDs identified after January 1, 1986.

s. Executive Summary Addendum 2 - Summarizes the methodology and results of CRDR activities conducted since submittal of the Executive Summary Report and provides an updated schedule.

Correspondence listed below, from M. R. Wisenburg, HL&P to the NRC, was provided in response to specific NRC Human Factors Engineering Branch (HFEB) concerns:

t. ST-HL-AE-1942, dated March 13, 1987.
u. ST-HL-AE-2171, dated May 8, 1987.
v. ST-HL-AE-2191, dated June 4, 1987.
w. ST-HL-AE-2270, dated June 22, 1987.

The following documentation was provided to the NRC via letter ST-HL-AE-2421, from Mr. M. R. Wisenburg of Houston Lighting and Power Company to U.S. Nuclear Regulatory Commission, dated November 23, 1987:

x. Executive Summary Addendum 3 - Summarizes the methodology and results of CRDR activities conducted since Addendum 2 and provides an updated schedule.

y. Human Engineering Discrepancy Resolution Report Addendum 2 - Summarizes all Category A, B, C and D HED resolutions for HEDs identified after January 1, 1986.

The following documentation was provided to the NRC via letter ST-HL-AE-2793, from Mr. M. A. McBurnett of Houston Lighting and Power Company to U.S. Nuclear Regulatory Commission, dated October 18, 1988:

z. Executive Summary Addendum 4 - Summarizes results of CRDR activities conducted since Addendum 3 and provides an updated schedule.

aa. Human Engineering Discrepancy Resolution Report Addendum 3 - Summarizes all Category A, B, C and D HED resolutions for HEDs identified after January 1, 1986.

The correspondence listed below, from M. A. McBurnett, HL&P to the NRC, provided a revised schedule for the implementation of Category C HEDs:

bb. ST-HL-AE-3074, dated May 11, 1989.

The preceding sections of this response describe the Detailed Control Room Design Review activities required by NUREG 0737, Supplement 1 for initial licensing of STP. Control of the operational phase CRDR Program has been established in plant procedures governing Human Factors Engineering Reviews.

The CRDR Criteria Report requires periodic revision to maintain it current with accepted industry practices and revised regulatory guidance. Revision 6 of the Criteria Report was the final NRC submittal required for the Detailed Control Room Design Review developed under NUREG 700 Rev. 0. Subsequent revisions are associated with the operational phase of the CRDR at STP and are developed using the applicable guidance from NUREG 700 Rev. 1 or later, which addresses reviews for changes to plants after completion of the Detailed Control Room Design Review.

Revision control of the Criteria Report has been established in the plant procedures governing the CRDR operational phase. Changes to the CRDR Criteria Report are reviewed in accordance with the STP procedures implementing 10CFR50.59.

S.6. REGULATORY GUIDE 1.97 - APPLICATION TO EMERGENCY RESPONSE FACILITIES

S.6.1 Requirements

a. Functional Statement

Regulatory Guide 1.97 provides data to assist control room operators in preventing and mitigating the consequences of reactor accidents.

b. Control Room

Provide measurements and indication of Type A, B, C, D, and E variables listed in RG 1.97, Rev. 2. Individual licensees may take exceptions based on plant-specific design features. BWR incore thermocouples and continuous offsite dose monitors are not required pending their further development and consideration as requirements. It is acceptable to rely upon currently installed equipment if it will measure over the range indicated in RG 1.97, Rev. 2, even if the equipment is presently not environmentally qualified. Eventually, all the equipment required to monitor the course of an accident would be environmentally qualified in accordance with the pending Commission rule on environmental qualification.

Provide reliable indication of the meteorological variables (wind direction, wind speed, and atmospheric stability) specified in RG 1.97, Rev. 2, for site meteorology. No changes in existing meteorological monitoring systems are necessary if they have historically provided reliable indication of these variables that are representative of meteorological conditions in the vicinity (up to about 10 miles) of the plant site. Information on meteorological conditions for the region in which the site is located shall be available via communication with the National Weather Service. These requirements supersede the clarification of NUREG-0737, Item III.A.2.2.

c. Technical Support Center (TSC)

The Type A, B, C, D, and E variables that are essential for performance of TSC functions shall be available in the TSC.

(i) BWR incore thermocouples and continuous offsite dose monitors are not required pending their further development and consideration as requirements.

(ii) The indicators and associated circuitry shall be of reliable design but need not meet Class 1E, single-failure or seismic qualification requirements.

d. Emergency Operations Facility (EOF)
(i) Those primary indicators needed to monitor Containment conditions and releases of radioactivity from the plant shall be available in the EOF.
(ii) The EOF data indications and associated circuitry shall be of reliable design but need not meet Class 1E, single-failure or seismic qualification requirements.

S.6.2 Documentation and NRC Review

NRC review is not a prerequisite for implementation. Staff review will be in the form of an audit that will include a review of the licensee's method of implementing RG 1.97, Rev. 2 guidance and the licensee's supporting technical justification of any proposed alternatives.

The licensee shall submit a report describing how it meets these requirements. The submittal should include documentation which may be in the form of a table that includes the following information for each Type A, B, C, D, and E variable shown in RG 1.97, Rev. 2.

(a) instrument range

(b) environmental qualification (as stipulated in Guide or State criteria)

(c) seismic qualification (as stipulated in Guide or State criteria)

(d) quality assurance (as stipulated in Guide or State criteria)

(e) redundance and sensor(s) location(s)

(f) power supply (e.g., Class 1E, non-Class 1E, battery backed)

(g) location of display (e.g., control room board, SPDS, chemical laboratory)

(h) schedule (for installation or upgrade)

Deviations from the guidance in RG 1.97, Rev. 2 should be explicitly shown, and supporting justification or alternatives should be presented.

STPEGS Response

STPEGS has performed an extensive analysis to respond to RG 1.97, Rev. 2. This analysis identified the appropriate variables and established appropriate design bases and qualification criteria for instrumentation to be employed by the control room operator during and following an accident.

The selection of variables was integrated with the WOG ERGs in accordance with Section S.3 of this Supplement. The display methodology development was coordinated with the CRDR as described in Section S.5 of this Supplement. The results of this analysis are summarized in Table 7.5-1. The analysis is presented in Appendix 7B.

The RG 1.97 variables are provided in the control room as described in Section 7.5.1 and presented in Table 7.5-1. The variables are provided in the TSC and the EOF via the ERFDADS. The ERFDADS is described in Section 7.5.7.

S.7. UPGRADE EMERGENCY OPERATING PROCEDURES (EOPs)

S.7.1 Requirements

a. The use of human-factored, function-oriented, emergency operating procedures will improve human reliability and the ability to mitigate the consequences of a broad range of initiating events and subsequent multiple failures or operator errors, without the need to diagnose specific events.

b. In accordance with NUREG-0737, Item I.C.1, reanalyze transients and accidents and prepare Technical Guidelines. These analyses will identify operator tasks, and information and control needs. The analyses also serve as the basis for integrating upgraded emergency operating procedures and the control room design review and verifying the SPDS design.

c. Upgrade EOPs to be consistent with Technical Guidelines and an appropriate procedure Writer's Guide.
d. Provide appropriate training of operating personnel on the use of upgraded EOPs prior to implementation of the EOPs.
e. Implement upgraded EOPs.

S.7.2 Documentation and NRC Review

a. Submit Technical Guidelines to NRC for review. NRC will perform a pre-implementation review of the Technical Guidelines. Within two months of receipt of the Technical Guidelines, NRC will advise the licensees of their acceptability.
b. Each licensee shall submit to NRC a procedures generation package at least three months prior to the date it plans to begin formal operator training on the upgraded procedures. NRC approval of the submittal is not necessary prior to upgrading and implementing the EOPs. The procedures generation package shall include:

(i) Plant-Specific Technical Guidelines - plant-specific guidelines for plants not using generic technical guidelines. For plants using generic technical guidelines, a description of the planned method for developing plant-specific EOPs from the generic guidelines, including plant-specific information.

(ii) A Writer's Guide that details the specific human factors methods to be used by the licensee in preparing EOPs based on the Technical Guidelines.

(iii) A description of the program for verification and validation of EOPs.

(iv) A brief description of the training program for the upgraded EOPs.

c. All procedure generation packages will be reviewed by the staff. On an audit basis for selected facilities, upgraded EOPs will be reviewed. The details and extent of this review will be based upon the quality of the procedures generation packages submitted to NRC. A sampling of upgraded EOPs will be reviewed for technical adequacy in conjunction with the NRC Reactor Inspection Program.

S.7.3 Reference Documents

NUREG-0600, Item I.C.1, I.C.8, I.C.9

NUREG-0799 - (Superseded by NUREG-0899)

STPEGS Response

The Technical Guidelines required by NUREG-0737, Item I.C.1 have been developed by the WOG and submitted to the NRC.

The guidelines, titled "Emergency Response Guidelines", are used in conjunction with the results of the CRDR (see Section S.5 of this Supplement) and the implementation of RG 1.97 (see Appendix 7B) to develop STPEGS EOPs that are human-factored, function-oriented, and well integrated with the plant design.

The STPEGS schedule for procedure development was transmitted by ST-HL-AE-944, Mr. J. H. Goldberg of Houston Lighting & Power Company to Mr. Darrell G. Eisenhut, U.S. Nuclear Regulatory Commission, dated April 14, 1983. Per that schedule, a copy of the STPEGS Procedures Generation Package was transmitted by ST-HL-AE-1266, Mr. J. G. Dewease of Houston Lighting & Power Company to Mr. H. L. Thompson, U.S. Nuclear Regulatory Commission, dated June 14, 1985.

S.8. EMERGENCY RESPONSE FACILITIES

S.8.1 Regulations

10 CFR 50.47(b)(6) (for Operating License applicants) - Requirement for prompt communications among principal response organizations and to emergency personnel and to the public.

10 CFR 50.47(b)(8) - Requirement for emergency facilities and equipment to support emergency response.

10 CFR 50.47(b)(9) - Requirement that adequate methods, systems and equipment for assessing and monitoring actual or potential offsite consequences of a radiological emergency condition are in use.

10 CFR 50.54(q) (for Operating Reactors) - Same requirement as 10 CFR 50.47(b) plus 10 CFR 50, Appendix E.

10 CFR 50, Appendix E, Paragraph IV.E Requirement for:

"1. Equipment at the site for personnel monitoring";

"2. Equipment for determining the magnitude of and for continuously assessing the impact of the release of radioactive materials to the environment";

"3. Facilities and supplies at the site for decontamination of onsite individuals";

"4. Facilities and medical supplies at the site for appropriate emergency first aid treatment";

"5. Arrangements for the services of physicians and other medical personnel qualified to handle radiation emergencies onsite";

"6. Arrangements for transportation of contaminated injured individuals from the site to specifically identified treatment facilities outside the site boundary";

"7. Arrangements for treatment of individuals injured in support of licensed activities on the site at treatment facilities outside the site boundary";

"8. A licensee onsite technical support center and a licensee near-site emergency operations facility from which effective direction can be given and effective control can be exercised during an emergency";

"9. At least one onsite and one offsite communications system; each system shall have a backup power source".

All communication plans shall have arrangements for emergencies, including titles and alternates for those in charge at both ends of the communication links and the primary and backup means of communication. Where consistent with the function of the governmental agency, these arrangements will include:

"a. Provision for communications with contiguous state/local governments within the plume exposure pathway EPZ. Such communications shall be tested monthly".

"b. Provisions for communication with Federal emergency response organizations. Such communication systems shall be tested annually".

"c. Provision for communications among the nuclear power reactor control room, the onsite technical support center, and the near-site emergency operations facility; and among the nuclear facility, the principal State and local emergency operations centers, and the field assessment teams. Such communications systems shall be tested annually".

"d. Provisions for communication by the licensee with NRC Headquarters and the appropriate NRC Regional Office Operations Center from the nuclear power reactor control room, the onsite technical support center, and the near-site emergency operations facility. Such communications shall be tested monthly".

Within this section on emergency response facilities, the TSC, OSC, and EOF are addressed separately in terms of their functional statements and recommended requirements. The subsections on Documentation and NRC Review and Reference Documents that follow the EOF discussion apply to this entire section on ERFs.

TABLE S.8-1
EMERGENCY OPERATION FACILITY

Option 1: Two Facilities
  Close-in Primary: Reduce Habitability(1)
    Within 10 miles
    Protection factor = 5
    Ventilation isolation with HEPA (no charcoal)
  Backup EOF
    Between 10-20 miles
    No separate, dedicated facility
    Arrangements for portable backup equipment
    Strongly recommended location be coordinated with offsite authorities
    Continuity of dose projection and decision making capability

Option 2: One Facility
  At or Beyond 10 miles(2)
    No special protection factor
    required by the Commission, and some provision for NRC site team closer to site
    Strongly recommended location be coordinated with offsite authorities

For both Options:
  Located outside security boundary
  Space for about 10 NRC employees
  None designated for severe phenomena, e.g., earthquakes

1. Habitability requirements are only for the part of the EOF in which dose assessments communication and decision making take place.
2. If a utility has begun construction of a new building for an EOF that is located within 6 miles, that new facility is acceptable (with less than protection factor of 5 and ventilation and HEPA) provided a backup EOF similar to the one described in Option 1 is provided.

S.8.2 Technical Support Center (TSC)

S.8.2.1 Requirements

a. The TSC is the onsite technical support center for emergency response. When activated, the TSC is staffed by predesignated technical, engineering, senior management, and other licensee personnel, and five pre-designated NRC personnel. During periods of activation, the TSC will operate uninterrupted to provide plant management and technical support to plant operations personnel, and to relieve the reactor operators of peripheral duties and communications not directly related to reactor system manipulations. The TSC will perform EOF functions for the Alert Emergency class and for the Site Area Emergency class and General Emergency class until the EOF is functional.

The TSC will be

b. Located within the site protected area so as to facilitate necessary interaction with control room, OSC, EOF, and other personnel involved with the emergency.
c. Sufficient to accommodate and support NRC and licensee predesignated personnel, equipment, and documentation in the center.
d. Structurally built in accordance with the Uniform Building Code.
e. Environmentally controlled to provide room air temperature, humidity, and cleanliness appropriate for personnel and equipment.
f. Provided with radiological protection and monitoring equipment necessary to assure that radiation exposure to any person working in the TSC would not exceed 5 rem whole body, or its equivalent to any part of the body for the duration of the accident.
g. Provided with reliable voice and data communications with the control room and EOF and reliable voice communications with the OSC, NRC Operations Centers, and State and local operations centers.
h. Capable of reliable data collection, storage, analysis, display, and communication sufficient to determine site and regional status and take appropriate actions. The following variables shall be available in the TSC: (i) the variables in the appropriate Table 1 or 2 of RG 1.97, Rev. 2 that are essential for performance of TSC functions; and (ii) the meteorological variables in RG 1.97, Rev. 2 for site vicinity and National Weather Service data available by voice communication for the region in which the plant is located.

Principally, those data must be available that would enable evaluating incident sequence, determining mitigating actions, evaluating damages, and determining plant status during recovery operations.

i. Provided with accurate, complete, and current plant records (drawings, schematic diagrams, etc.) essential for evaluations of the plant under accident conditions.
j. Staffed by sufficient technical, engineering, and senior designated licensee officials to provide needed support, and be fully operational within approximately 1 hour after activation.
k. Designed taking into account good human factors engineering principles.

TABLE S.8-2
MINIMUM STAFFING REQUIREMENTS FOR NRC LICENSEES FOR NUCLEAR POWER PLANT EMERGENCIES

Columns: Major Functional Area; Major Tasks; Position Title or Expertise; On Shift(1); Capability for Additions (30 min., 60 min.)

Plant Operations and Assessment of Operational Aspects
  Shift Manager (SRO) 1 - - - -
  Shift foreman (SRO) 1 - - - -
  Control-room operators 2 - - - -
  Auxiliary operators 2 - - - -

Emergency Direction and Control (Emergency Coordinator)(3)
  Shift technical advisor, shift supervisor, or designated facility manager 1(2) - - - -

Notification/Communication(4)
  Notify licensee, state, local, and federal personnel & maintain communication 1 1 2

Radiological Accident Assessment and Support of Operational Accident Assessment
  Emergency operations facility (EOF) director: Senior manager - - - - 1
  Offsite dose assessment: Senior health physics (HP) expertise - -

1. For each unaffected nuclear unit in operation, maintain at least one shift foreman, one control-room operator, and one auxiliary operator, except that units sharing a control room may share a shift foreman if all functions are covered.

2. May be provided by shift personnel assigned other functions.
3. Overall direction of facility response to be assumed by EOF director when all centers are fully manned. Direction of minute-to-minute facility operations remains with senior manager in the Technical Support Center or the control room.

4. May be performed by engineering aide to shift supervisor.

TABLE S.8-2 (Continued)

  Offsite surveys - - 2 2
  Onsite (out-of-plant) - - 1 1
  Inplant surveys: HP technicians 1 1 1
  Chemistry/radio-chemistry: Rad/chem technicians 1 - - 1

Plant System Engineering, Repair, and Corrective Actions
  Technical support: Shift technical advisor 1 - - - -
  Core/thermal Hydraulics - -
  Electrical - - - - 1
  Mechanical - - - - 1
  Repair and corrective actions: Mechanical maintenance/Radwaste operator 1(2) - - 1 1
  Electrical maintenance/instrument and control 1(2) 1 1 (I & C) technician - - - -

Protective Actions (In-Plant)
  Radiation protection: HP technician 2(2) 2 2
  a. Access control
  b. HP Coverage for repair, corrective actions, search and rescue first-aid, & firefighting
  c. Personnel monitoring
  d. Dosimetry

TABLE S.8-2 (Continued)

Firefighting - - - - Fire brigade Local technical support specification
Rescue Operations and First-Aid - - - - 2(2) Local Support
Site Access Control and Personnel Accountability: Security, firefighting, communications, personnel accountability; Security personnel; All per Security Plan
Total 10 11 15

S.8.3 Operational Support Center (OSC)

S.8.3.1 Requirements

a. When activated, the OSC will be the onsite area separate from the control room where predesignated operations support personnel will assemble. A predesignated licensee official shall be responsible for coordinating and assigning the personnel to tasks designated by control room, TSC, and EOF personnel.

The OSC will be:

b. Located onsite to serve as an assembly point for support personnel and to facilitate performance of support functions and tasks.
c. Capable of reliable voice communications with the control room, TSC, and EOF.

S.8.4 Emergency Operations Facility (EOF)

S.8.4.1 Requirements

a. The EOF is a licensee-controlled and operated facility. The EOF provides for management of overall licensee emergency response, coordination of radiological and environmental assessment, development of recommendations for public protective actions, and coordination of emergency response activities with Federal, State, and local agencies.

When the EOF is activated, it will be staffed by predesignated emergency personnel identified in the emergency plan. A designated senior licensee official will manage licensee activities in the EOF.

Facilities shall be provided in the EOF for the acquisition, display, and evaluation of radiological and meteorological data and Containment conditions necessary to determine protective measures. These facilities will be used to evaluate the magnitude and effects of actual or potential radioactive releases from the plant and to determine dose projections.

The EOF will be:

b. Located and provided with radiation protection features as described in Table 1 (previous guidance approved by the Commission) and with appropriate radiological monitoring systems.
c. Sufficient to accommodate and support Federal, State, local, and licensee predesignated personnel, equipment and documentation in the EOF.
d. Structurally built in accordance with the Uniform Building Code.
e. Environmentally controlled to provide room air temperature, humidity, and cleanliness appropriate for personnel and equipment.
f. Provided with reliable voice and data communications facilities to the TSC and control room, and reliable voice communication facilities to OSC and to NRC, State, and local emergency operations centers.

g. Capable of reliable collection, storage, analysis, display, and communication of information on Containment conditions, radiological releases and meteorology sufficient to determine site and regional status, forecast status, and take appropriate actions. Variables from the following categories that are essential to EOF functions shall be available in the EOF:

(i) variables from the appropriate Table 1 or 2 of RG 1.97, Rev. 2, and (ii) the meteorological variables in RG 1.97, Rev. 2 for site vicinity and regional data available via communication from the National Weather Service.

h. Provided with up-to-date plant records (drawings, schematic diagrams, etc.), procedures, emergency plans, and environmental information (such as geophysical data) needed to perform EOF functions.

i. Staffed using Table 2 (previous guidance approved by the Commission) as a goal. Reasonable exceptions to goals for the number of additional staff personnel and response times for their arrival should be justified and will be considered by NRC staff.
j. Provided with industrial security when it is activated to exclude unauthorized personnel and when it is idle to maintain its readiness.
k. Designed taking into account good human factors engineering principles.

S.8.4.2 Documentation and NRC Review

The conceptual designs for emergency response facilities (TSC, OSC, and EOF) have been submitted to NRC for review. In many cases, the lack of detail in these submittals has precluded an NRC decision of acceptability. Some designs have been disapproved because they clearly did not meet the intent of the applicable regulations. NRC does not intend to approve each design prior to implementation, but rather has provided in this document those requirements which should be satisfied. These requirements provide a degree of flexibility within which licensees can exercise management prerogatives in designing and building emergency response facilities (ERF) that satisfy specific needs of each licensee. The foremost consideration regarding ERFs is that they provide adequate capabilities of licensees to respond to emergencies. NUREG guidance on ERFs has been intended to address specific issues which the Commission believes should be considered in achieving improved capabilities.

Licensees should assure that the design of ERFs satisfies these requirements. Exemptions from or alternative methods of implementing these requirements should be discussed with NRC staff and in some cases could require Commission approval. Licensees should continue work on ERFs to complete them according to schedules that will be negotiated on a plant-specific basis. NRC will conduct appraisals of completed facilities to verify that these requirements have been satisfied and that ERFs are capable of performing their intended functions. Licensees need not document their actions on each specific item contained in NUREG-0696 or 0814.

S.8.4.3 Reference Documents (Emergency Response Facilities)

10 CFR 50.47(b) - Requirements for Emergency Facilities and Equipment for OLs.

10 CFR 50.54(q) and Appendix E, Paragraph IV.E - Requirements for Emergency Facilities and Equipment for ORs.

NUREG-0660 - Description of and Implementation Schedule for TSC, OSC, and EOF.

Eisenhut letter to power reactor licensees September 13, 1979 - Request for commitment to meet requirements.

Denton letter to power reactor licensees October 30, 1979 - Clarification of requirements.

NUREG-0654 - Radiological Emergency Response Plans

NUREG-0696 - Functional Criteria for Emergency Response Facilities.

NUREG-0737 - Guidance on Meteorological Monitoring and Dose Assessment.

Eisenhut letter to power reactor licensees February 18, 1981 - Commission approved guidance on location, habitability, and staff for emergency facilities. Request and deadline for submittal of conceptual design of facilities.

NUREG-0814 (Draft Report for Comment) - Methodology for Evaluation of Emergency Response Facilities.

NUREG-0818 (Draft Report for Comment) - Emergency Action Levels

RG 1.97, Rev. 2 - Guidance for Variables to be Used in Selected Emergency Response Facilities.

COMJA-80-37, January 21, 1981 - Commission approval guidance on EOF location and habitability.

Secretary memorandum S81-19, February 19, 1981 - Commission approval of NUREG-0696 as general guidance only.

STPEGS Response

TECHNICAL SUPPORT CENTER (TSC)

The TSC is the onsite technical support facility for emergency response. When activated, the TSC is staffed by predesignated technical, engineering, senior management, and other licensee personnel, and predesignated NRC personnel. During periods of activation, the TSC is staffed continuously to provide plant management and technical support to plant operations personnel, and to relieve the reactor operators of peripheral duties and communications not directly related to reactor system manipulations. The TSC performs the EOF functions for the Alert Emergency class and for the Site Area Emergency class and General Emergency class if activation of the EOF is delayed.

Further discussion of the TSC and the TSC staffing requirements is provided in the STPEGS Emergency Plan.

Safety Design Bases

The equipment and facilities comprising the TSC perform no safety-related functions. The design ensures that any fault or malfunction of the TSC equipment does not compromise any safety-related equipment, components, or structures.

Power Generation Design Bases

1. Location and Structural Integrity
A. The TSC is located in the Electrical Auxiliary Building (EAB), at elevation 72 feet, within a 2-minute walking distance of the Control Room (CR) (see Figures 7A.S.8-1 to 7A.S.8-4).
B. The TSC is structurally designed in accordance with the Uniform Building Code (UBC).
C. Personnel access to the TSC is controlled.

2. Size and Space Allocation
A working space of approximately 75 ft² per person is provided in the TSC. Human factors engineering standards are considered in the TSC design. Areas other than those specifically designated work area may be used to contribute to the working space.

3. Habitability
A. The TSC is provided with sufficient radiological protection and monitoring equipment to assure that radiation exposure to any person working in the TSC will not exceed 5 rem, TEDE for the duration of an accident.

B. The HVAC for the TSC is designed to provide a suitable environment during normal and post-accident operation, including protection from post-accident radiological releases. For further discussion of the TSC HVAC design see Section 9.4.1.

The TSC HVAC system is normally powered from a non-Class 1E MCC which provides power at 480 V +/-10 percent. When normal power is lost, a backup power supply from a non-Class 1E diesel generator is provided.

C. Radiation monitoring and smoke detection capability are provided in the HVAC supply duct to the TSC. Alarm and indication are provided.

D. High airborne radiation level in the intake to the TSC HVAC system switches the system to the filtration/recirculation mode of operation. Detection of high smoke level in the intake to the TSC HVAC system causes automatic isolation of the system.

E. The following emergency items are available:

1. Portable air breathing apparatus: 18 individual units
2. Anticontamination clothing: 18 individual sets

4. Communications
A. The TSC is provided with continuous communication with the following areas:
1. Control Room
2. Operations Support Center
3. Emergency Operations Facility
4. Auxiliary Shutdown Panel area
5. NRC Emergency Notification System
6. NRC Health Physics Network telephone system
7. State and Local Emergency Operations Centers

5. Plant Records Storage
Plant records necessary to perform the TSC functions are available in the TSC. The records available include:

A. Plant design documents such as piping and instrumentation diagrams, control logic diagrams, and electrical elementary diagrams.

B. Radiation Zone drawings
C. UFSAR
D. Emergency Operating Procedures
E. Emergency Plan
F. Maps of the Emergency Planning Zone

6. Data Acquisition and Display
The ERFDADS, which is capable of reliable data collection, storage, analysis, display, and communications sufficient to determine plant status, determine changes in status, forecast status, and take appropriate actions, is provided (Section S.4 of this Appendix). The SPDS, required by NUREG-0737, is implemented by the ERFDADS.

The Dose Assessment System provides reliable data collection, storage, analysis, display, and communications sufficient to determine site and regional status, determine changes in status, forecast status, and take appropriate actions in accordance with the STPEGS Emergency Plan.

The ERFDADS and Dose Assessment System equipment located in the TSC are powered from a non-Class 1E, uninterruptible power supply (UPS) capable of maintaining system operation for 2 hours. Normal AC power to the UPS is supplied from a non-Class 1E diesel generator-backed bus.

7. TSC Operational Requirements
The TSC is designed to be fully functional within one hour of activation. The TSC is designed with an availability goal of 99 percent during all plant pressure and temperature conditions exceeding cold shutdown conditions. Activation of the TSC is required as shown below:

Plant Status            Activation
Unusual Event           Optional
Alert                   Required
Site Area Emergency     Required
General Emergency       Required
Other                   As directed by plant management

OPERATIONS SUPPORT CENTER (OSC)

When activated, the OSC is the onsite area separate from the control room where predesignated operations support personnel assemble.

The OSC is located in the MEAB (see Figures 7A.S.8-1 and 7A.S.8-5) to facilitate support functions and tasks.

The OSC is provided with continuous voice communications with the control room, TSC, and EOF. Adequate staffing is provided by STPEGS and is identified in the Emergency Plan.

EMERGENCY OPERATIONS FACILITY

The EOF is a licensee-controlled and operated facility. The EOF provides for management of overall licensee emergency response, coordination of radiological and environmental assessment, determination of recommended public protective actions, and coordination of emergency response activities with federal, State, and local agencies.

When the EOF is activated, it will be staffed by predesignated personnel. A designated senior licensee official will manage licensee activities in the EOF.

Facilities are provided in the EOF for the acquisition, display, and evaluation of radiological and meteorological data and Containment conditions necessary to determine protective measures. These facilities can be used to evaluate the magnitude and effects of actual or potential radioactive releases from the plant and to determine dose projections.

Safety Design Bases

The EOF performs no safety-related function. The design ensures that any fault or malfunction of the EOF equipment does not compromise any safety-related equipment, components, or structures.

Power Generation Design Bases

1. Location and Structural Integrity
A. The EOF is a separate facility located in Bay City, Texas approximately 12.5 air miles north north-east of the Station, in the South Texas Project Center for Energy Development building. (Figures 7A.S.8-5).
B. The EOF is structurally designed in accordance with the UBC and is designed to withstand the most adverse conditions reasonably expected during the design life of the plant, including high winds or floods of a 100 year recurrence frequency.

2. Size and Space Allocation

A working space of approximately 75 ft² per person is provided in the EOF. Areas other than those specifically designated as work areas may be used to contribute to the working space. The EOF provides for an occupancy of 9 NRC, 1 FEMA, 10 State, 2 County, 1 American Nuclear Insurers, and 25 licensee and owner personnel.

3. Habitability

A. Deleted
B. Deleted
C. Deleted
D. The EOF ventilation system is designed to maintain area temperature at 75 +/-5 F in occupied areas, storage, and equipment rooms.

The EOF HVAC system is powered from non-Class 1E building distribution panels. When normal power is lost, backup power is supplied from the EOF natural gas generators.

E. Protective clothing and respiratory equipment are readily available to all required EOF personnel.

4. Communications

The EOF is provided with continuous voice communications with the following:

A. Control room
B. OSC
C. TSC
D. NRC Emergency Notification System
E. NRC Health Physics Network
F. State and Local Emergency Operations Centers
G. Media Information Center

Radio and telephone equipment used in the EOF is powered from non-Class 1E building distribution panels, and backed up by a natural gas generator with an automatic transfer switch.

5. Plant Records Storage

Plant records available in the EOF include:

A. Plant design documents such as piping and instrumentation diagrams, control logic diagrams, and electrical diagrams
B. Radiation Zone drawings
C. Emergency Operating Procedures
D. Emergency Plan and Procedures
E. Demographic information
F. Maps of the Emergency Planning Zone

6. Data Acquisition and Display

The ERFDADS (see Section S.4 of this Appendix) is capable of reliable data collection, storage, analysis, display, and communications sufficient to determine plant status, determine changes in status, and forecast status, and provides ERF data acquisition and display in the EOF. The Dose Assessment system provides reliable data collection, storage, analysis, display, and communications sufficient to determine site and regional radiological status, determine changes in status, forecast status, and determine appropriate actions in accordance with the STPEGS Emergency Plan.

The ERFDADS and Dose Assessment System equipment located in the EOF is powered from non-Class 1E building distribution panels, and backed up by a natural gas generator with an automatic transfer system.

7. Natural Gas Generator

A non-Class 1E natural gas generator, located adjacent to the building, provides backup power to the EOF. Natural gas is piped directly to the generator for continuous operation.

The generator is inside a chain linked fence for security and safety of the public.

8. EOF Operational Requirements

The EOF is designed to be fully functional within one hour of activation. The EOF is designed with an availability goal of 99 percent during plant pressure and temperature conditions exceeding cold shutdown conditions. Activation of the EOF is required as shown below:

Plant Status            Activation
Unusual Event           Optional
Alert                   Optional
Site Area Emergency     Required
General Emergency       Required
Other                   As directed by plant management

STPEGS UFSAR 7B-1 Revision 16

Appendix 7B

South Texas Project Compliance With Regulatory Guide 1.97, Revision 2

Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident

7B.1 DISCUSSION

An analysis was conducted to develop a response to Regulatory Guide (RG) 1.97, Rev. 2. This analysis identified the appropriate variables and established appropriate design bases and qualification criteria for instrumentation employed by the control room operator during and following an accident.

This design basis establishes the key and preferred backup variables to be monitored by the control room operating staff of the South Texas Project Electric Generating Station (STPEGS) following the initiation of an accident. The design basis recognizes the variables essential to the control room staff up to the time other emergency response facilities are manned, as well as the information essential to the control room staff in subsequently controlling the plant and proceeding to safe shutdown conditions. Also included, to aid the system designer, are criteria for determining the requirements for the instruments used to monitor these variables.

The selection of variables was integrated with the Westinghouse Owners Group (WOG) Emergency Response Guidelines (ERGs) in accordance with the guidance on integration of emergency response capability elements outlined in NUREG-0737, Supplement 1 (Appendix 7A, Item S.3).

This was accomplished by performing a task analysis based upon the WOG ERGs to identify those variables necessary for implementation of the guidelines. The Optimal Recovery Guidelines (ORGs) were reviewed to determine those Type A variables necessary to (a) perform diagnosis, (b) take preplanned manually controlled actions, and (c) take actions necessary to reach and maintain a controlled condition. The Critical Safety Function (CSF) Status Trees were reviewed to determine those Type B variables necessary for the operator to determine if a Functional Restoration Guideline (FRG) should be implemented. Furthermore, the FRGs were reviewed to determine those Type B variables necessary to assess the process of accomplishing or maintaining CSFs, i.e., subcriticality, reactor core cooling, heat sink maintenance, RCS integrity, Containment environment and Reactor Coolant System (RCS) inventory. The ERGs were also reviewed to determine those Type D variables necessary for (a) monitoring those plant safety systems employed for mitigating the consequences of an accident and subsequent plant recovery and (b) other systems normally employed for attaining a cold shutdown condition. Finally, the ERGs were reviewed to determine those Type E variables necessary to (a) determine the accessibility of areas at the plant following an accident and (b) continually assess the release of radioactive materials due to the accident.

Utilization of this task analysis process ensures that the plant information utilized by the plant operators following an accident to implement the STPEGS Emergency Operating Procedures (EOPs) is obtained from specially designed and qualified instrumentation as defined in this design basis.

The WOG ERGs, the results of the Control Room Design Review (CRDR) (Appendix 7A, Item I.D.1), and the interpretation of RG 1.97, Rev. 2, as described in this Appendix, are used to develop STPEGS EOPs that are human-factored, function-oriented, and integrated with the plant design.

The detailed methodology for the handling of displays was addressed in the design of the Qualified Display Processing System (QDPS) and in conjunction with the CRDR programs to address NUREG-0696 and NUREG-0700 (See Appendix 7A, Item S.5). Section 7B.3 describes interface criteria which must be satisfied for the display methodology to meet the intent of RG 1.97, Rev. 2 and this design basis.

7B.1.1 Planned Versus Unplanned Operator Actions

The plant safety analyses and evaluations define the design basis accident (DBA) event scenarios for which preplanned operator actions are required. Accident monitoring instrumentation is necessary to permit the operator to take required actions to address these analyzed situations. However, instrumentation is also necessary for unplanned situations; i.e., to ensure that, should plant conditions evolve differently than predicted by the safety analyses, the operator has sufficient information to monitor the course of the event. Additional instrumentation is also needed to indicate to the operator whether the integrity of the fuel clad, the RCS pressure boundary, or the reactor Containment has degraded beyond the prescribed limits defined as a result of the plant safety analyses and other evaluations. Such additional requirements are considered by this design basis.

7B.1.2 Variable Types

Five classifications of variables have been identified. Operator manual actions identified in the operating procedures, associated with DBA events, are preplanned.

Those variables that provide information needed by the operator to perform these manual actions are designated Type A. The basis for selecting Type A variables is given in Section 7B.2.2.1.

Those variables needed to assess that the plant critical safety functions are being accomplished or maintained, as identified in the plant safety analysis and other evaluations, are designated Type B.

Variables used to monitor for the significant breach or the potential significant breach of fuel clad, the RCS pressure boundary, or the reactor Containment, are designated Type C. Type C variables used to monitor the potential breach of Containment have an arbitrarily-determined, extended range. The extended range is chosen to minimize the probability of instrument saturation even if conditions exceed those predicted by the safety analysis. The response characteristics of Type C information display channels allow the control room operator to detect conditions indicative of significant failure of any of the three fission product barriers or the potential for significant failure of these barriers.

Although variables selected to fulfill Type C functions may rapidly approach the values that indicate an actual significant failure, it is the final steady-state value reached that is important. Therefore, a high degree of accuracy and a rapid response time are not necessary for Type C information display channels.

Those variables needed to assess the operation of individual safety systems and systems normally used to attain cold shutdown are designated Type D.

The variables that are required for use in determining the magnitude of release and continually assessing any releases of radioactive materials are designated Type E.

The five classifications are not mutually exclusive in that a given variable (or instrument) may be included in one or more types.

The cross-referencing of variable to type is given in Table 7.5-1.

Table 7B.1-1 identifies the instruments utilized at STPEGS which address the recommendations of both NUREG-0737 and RG 1.97, Rev. 2. The instruments identified meet the intent of the guidance provided in NUREG-0737.

7B.1.3 Design and Qualification Criteria

Three categories of design and qualification criteria have been identified. The differentiation is made in order that an importance of information hierarchy can be recognized in specifying post-accident monitoring instrumentation. Category 1 instrumentation has the highest pedigree and should be utilized for primary information which the operator should use for preplanned manual actions and determining the state of the plant. Category 2 and 3 instruments are of lesser importance in determining the status of the plant and do not require the same level of operational assurance.

The primary differences between category requirements are in qualification, application of the single failure criterion, power supply, and display requirements. Category 1 requires seismic and environmental qualification, the application of a single failure criterion, utilization of emergency standby power, and an immediately accessible display. Category 2 requires qualification commensurate with the required function but does not require the single failure criterion, emergency standby power, or an immediately accessible display. Category 2 requires, in effect, a rigorous performance verification for a single instrument channel. Category 3 does not require qualification, single failure criterion, emergency standby power, or an immediately accessible display.

7B.2 DEFINITION OF VARIABLE TYPES

7B.2.1 Definitions

7B.2.1.1 Design Basis Accident Events. DBA events are those events, any one of which may occur during the lifetime of a particular plant, and those events not expected to occur but postulated because their consequences would include the potential for release of significant amounts of radioactive gaseous, liquid, or particulate material to the environment. Excluded are those events (defined as "normal" and "anticipated operational occurrences" in 10CFR50) expected to occur more frequently than once during the lifetime of a particular plant. The limiting accidents that were used to determine instrument functions are: 1) Loss-of-Coolant Accident (LOCA), 2) Steamline Break, 3) Feedwater (FW) Line Break, and 4) Steam Generator (SG) Tube Rupture.

7B.2.1.2 Safe Shutdown (Hot Standby). The state of the plant in which the reactor is subcritical such that Keff is less than or equal to 0.99 and the RCS temperature is greater than or equal to 350 F.

7B.2.1.3 Cold Shutdown. The state of the plant in which the reactor is subcritical such that Keff is less than or equal to 0.99, the RCS temperature is less than 200 F, and the RCS pressure is less than or equal to 10CFR50 Appendix G limits.

7B.2.1.4 Controlled Condition. The condition that is achieved when the plant has been stabilized using the ORGs, the recovery procedures are being implemented, and the critical safety functions are being accomplished or maintained by the control room operator.

7B.2.1.5 Critical Safety Functions. Those safety functions that are essential to prevent a direct and immediate threat to the health and safety of the public. These are the accomplishing or maintaining of:

1. Subcriticality
2. Reactor core cooling
3. Heat sink maintenance
4. RCS integrity
5. Containment environment
6. RCS inventory

7B.2.1.6 Immediately Accessible Information. Information that is visually available to the control room operator, or is accessible through the execution of the EOPs.

7B.2.1.7 Primary Information. Information that is essential for the direct accomplishment of the preplanned manual actions specified in the ERGs; it does not include those variables that are associated with contingency actions.

7B.2.1.8 Key Variables. Those variables which provide the most direct measure of the information required.

7B.2.1.9 Backup Information. Backup information is that information, made up of additional variables beyond those classified as key, that provides supplemental and/or confirmatory information to the operator. Backup variables do not provide an indication which is as reliable or complete as that provided by primary variables, and they should not be relied upon as the sole source of information. Those backup variables which should be first consulted by the operator are designated as preferred backup variables.

7B.2.2 Variable Functions

The accident monitoring variables and information display channels are those that are required to enable the control room operating staff to perform the functions defined by Types A, B, C, D, and E below.

7B.2.2.1 Type A. Type A variables are those that provide the primary information required to permit the control room operating staff to:

1. Perform the diagnosis specified in WOG ERGs
2. Take the specified preplanned, manually controlled actions for which no automatic control is provided that are required for safety systems to accomplish their safety function in order to recover from the DBA event, and
3. Reach and maintain a safe shutdown condition.

The verification of the actuation of safety systems has been excluded from the definition of Type A.

The variables which provide this verification are included in the definition of Type D.

Variables in Type A are restricted to preplanned actions for DBA events.

7B.2.2.2 Type B. Type B variables are those variables that provide to the control room operating staff information to assess the process of accomplishing or maintaining critical safety functions; i.e., subcriticality, reactor core cooling, heat sink maintenance, RCS integrity, Containment environment, and RCS inventory. The WOG contingency guidelines which go beyond the design basis were reviewed for additional variables which may be utilized as variable types B, C, D, and E.

7B.2.2.3 Type C. Type C variables are those variables that provide the control room operating staff information (1) to monitor the extent to which variables which indicate the potential for causing a significant breach of a fission product barrier have exceeded the design basis values and (2) that the fuel clad, the reactor coolant system pressure boundary (RCPB), or the reactor Containment may have been subject to significant breach. Excluded are those associated with monitoring of radiological release from the plant which are included in Type E.

Type C variables used to monitor the potential for breach of a fission product barrier have an arbitrarily-determined, extended range. The extended range is chosen to minimize the probability of instrument saturation even if conditions exceed those predicted by the safety analyses.

7B.2.2.4 Type D. Type D variables are those variables that provide to the control room operating staff sufficient information to monitor the performance of:

1. Plant safety systems employed for mitigating the consequences of an accident and subsequent plant recovery to attain a safe shutdown condition. (These include verification of the automatic actuation of safety systems).
2. Systems normally employed for attaining a cold shutdown condition.

7B.2.2.5 Type E. Type E variables are those variables that provide to the control room operating staff information to:

1. Monitor the habitability of the control room,
2. Monitor plant areas where access may be required to service equipment necessary to monitor the progress of, or mitigate the consequences of, an accident,
3. Estimate the magnitude of release of radioactive materials through identified pathways, and continually assess such releases, and
4. Monitor radiation levels and radioactivity in the environment surrounding the plant (via portable monitors).

7B.3 CRITERIA

7B.3.1 General Requirements

The following design and qualification criteria are applied to instrumentation for Type A, B, C, D, and E variables. These are summarized in Tables 7B.3-1 and 7B.3-2.

7B.3.2 Equipment Design and Qualification Criteria. The qualification requirements of the Type A, B, C, D, and E accident monitoring instrumentation are subdivided into three categories (1, 2, 3). Descriptions of the three categories are given below. Table 7B.3-2 briefly summarizes the design and qualification requirements of the three designated categories.

7B.3.2.1 Design and Qualification Criteria - Category 1.

7B.3.2.1.1 Selection Criteria - Category 1: The selection criteria for Category 1 variables have been subdivided according to the variable type. For Type A, those key variables used for diagnosis or providing information for necessary operator action have been designated Category 1. For Type B, those key variables which are used for monitoring the process of accomplishing or maintaining critical safety functions have been designated Category 1. For Type C, those key variables which are used for monitoring the potential for breach of a fission product barrier have been designated Category 1.

7B.3.2.1.2 Qualification Criteria - Category 1: The instrumentation is seismically and environmentally qualified as discussed in Sections 3.10 and 3.11, respectively. Instrumentation continues to read within the required accuracy following but not necessarily during a seismic event. At least one instrumentation channel is qualified from sensor to display. For the balance of instrumentation channels, qualification applies up to and including the channel isolation device. (Refer to Section 7B.3.3 in regard to extended range instrumentation qualification).

7B.3.2.1.3 Design Criteria - Category 1

1. No single failure within either the accident monitoring instrumentation, its auxiliary supporting features, or its power sources, concurrent with the failures that are a condition of or result from a specific accident, prevents the operator from being presented the required information. Where failure of one accident monitoring channel results in information ambiguity (e.g., the redundant displays disagree), additional information is provided to allow the operator to analyze the actual conditions in the plant. This is accomplished by providing additional independent channels of information of the same variable (addition of an identical channel), or by providing independent channels which monitor different variables which bear known relationships to the multiple channels (addition of a diverse channel(s)). Redundant or diverse channels are electrically independent and physically separated from each other, to the extent practicable with train separation, and from equipment not classified as safety-related in accordance with RG 1.75.

For situations such as isolation valves in series, the intent is generally to verify the isolation function. In such a situation a single indication on each valve is sufficient to satisfy the single failure criterion if those indications are from different trains (i.e., unambiguous indication of isolation).

If ambiguity does not result from failure of the channel, then a third redundant or diverse channel is not required.

2. The instrumentation is energized from station emergency standby power sources, battery backed where momentary interruption is not tolerable, as required by RG 1.32.
3. The out-of-service interval is based on normal Technical Specification requirements on out-of-service for the system it serves, where applicable or where specified by other requirements.
4. Servicing, testing, and calibration programs are specified to maintain the capability of the monitoring instrumentation. For those instruments where the required interval between testing is less than the normal time interval between generating station shutdowns, a capability for testing during power operation is provided.
5. Whenever means for removing channels from service are included in the design, the design facilitates administrative control of the access to such removal means.
6. The design facilitates administrative control of the access to setpoint adjustments, module calibration adjustments, and test points.
7. The monitoring instrumentation design utilizes human-factored displays to minimize indications potentially confusing to the operator.
8. The instrumentation is designed to facilitate the recognition, location, replacement, repair, or adjustment of malfunctioning components or modules.
9. To the extent practicable, monitoring instrumentation inputs are from sensors that directly measure the desired variables. An indirect measurement is made only when it can be shown by analysis to provide unambiguous information.
10. Periodic checking, testing, calibration, and calibration verification are in accordance with the applicable portions of RG 1.118.
11. The range selected for the instrumentation encompasses the expected operating range of the variable being monitored to the extent that saturation does not negate the required action of the instrument in accordance with the applicable portions of RG 1.105.

7B.3.2.1.4 Information Processing and Display Interface Criteria - Category 1

The interface criteria specified here provide requirements implemented in the establishment of the design basis for processing and displaying of the information.
1. The operator has immediate access to the information from redundant or diverse channels in the units familiar to the operator (e.g., for a temperature reading, degrees, not volts). Where two or more instruments are needed to cover a particular range, overlapping of instrument spans is provided.

2. The QDPS provides control room indication via plasma display units which meet the Category 1 qualification requirements. Displays of Category 1 variables are immediately accessible to the operator via a single pushbutton action on the QDPS plasma display units.

These variables will be displayed when needed by the operator through execution of the EOPs. The information displayed on the plasma display units is the single "most probable value" based on automated signal limit checks and redundant sensor algorithms, which relieve the operator of the burden of valid data selection. Individual sensor values are available on lower level displays.

3. In addition to the QDPS plasma display units, seismically qualified recorders provide continuous indication and an historical record for at least one channel of each Category 1 variable. These recorders are located in the control room. A recorded pre-event history for these channels is required for a minimum of one hour and continuous recording of these channels is required following an accident until such time as continuous recording of such information is no longer deemed necessary. This recording is available when required, but need not be immediately accessible. One hour was selected based on a representative slow transient which is bounded by this time requirement. A one-half inch equivalent break area LOCA was selected since trip occurs at approximately 50 minutes after break initiation. Where direct and immediate trend or transient information is essential for operator information or action, the recording is immediately accessible.

7B.3.2.2 Design and Qualification Criteria - Category 2.

7B.3.2.2.1 Selection Criteria - Category 2: The selection criteria for Category 2 variables are subdivided according to the variable type. For Types A, B, and C, those variables which provide preferred backup information are designated Category 2. For Type D, those key variables that are used for monitoring the performance of safety systems are designated Category 2. For Type E, those key variables to be monitored for use in determining the magnitude of the release of radioactive materials and for continuously assessing such releases are designated Category 2.

7B.3.2.2.2 Qualification Criteria - Category 2: Category 2 instrumentation is qualified from the sensor up to and including the channel isolation device for at least the environment (seismic and/or environmental) in which it must operate to serve its intended function. The instrumentation is seismically and environmentally qualified as discussed in Section 3.10 and 3.11 respectively. Instrumentation associated with those safety-related systems that are required to operate following a Safe Shutdown Earthquake (SSE) to mitigate a consequential plant incident are seismically qualified in accordance with Institute of Electrical and Electronics Engineers (IEEE) 344-1975.

7B.3.2.2.3 Design Criteria - Category 2

1. Category 2 instrumentation associated with those safety-related systems that are required to operate following an SSE to mitigate a consequential plant incident are energized from a highly reliable power source, not necessarily the emergency standby power, which is battery-backed where momentary interruption is not tolerable.
2. The out-of-service interval is based on normal Technical Specification requirements on out-of-service for the system it serves, where applicable or where specified by other requirements.
3. Servicing, testing, and calibration programs are specified to maintain the capability of the monitoring instrumentation. For those instruments where the required interval between testing is less than the normal time interval between generating station shutdowns, a capability for testing during power operation is provided.
4. Whenever means for removing channels from service are included in the design, the design facilitates administrative control of the access to such removal means.
5. The design facilitates administrative control of the access to setpoint adjustments, module calibration adjustments, and test points.
6. The monitoring instrumentation design utilizes human-factored displays to minimize indications potentially confusing to the operator.
7. The instrumentation is designed to facilitate the recognition, location, replacement, repair, or adjustment of malfunctioning components or modules.
8. To the extent practicable, monitoring instrumentation inputs are from sensors that directly measure the desired variables. An indirect measurement is made only when it can be shown by analysis to provide unambiguous information.
9. Periodic checking, testing, calibration, and calibration verification are in accordance with applicable portions of RG 1.118.
10. The range selected for the instrumentation encompasses the expected operating range of the variable being monitored to the extent that saturation does not negate the required action of the instrument in accordance with the applicable portions of RG 1.105.

7B.3.2.2.4 Information Processing and Display, Interface Criteria - Category 2

The interface criteria specified here provide requirements considered in the establishment of the design basis for processing and displaying of the information.

The instrumentation signal is, as a minimum, processed for display on demand. Recording requirements are variable specific and are determined on a case-by-case basis.

7B.3.2.3 Design and Qualification Criteria - Category 3.

7B.3.2.3.1 Selection Criteria - Category 3: The selection criteria for Category 3 variables have been subdivided according to the variable type. For Types B and C, those variables which provide backup information are designated Category 3. For Types D and E, those variables which provide preferred backup information have been designated Category 3.

7B.3.2.3.2 Qualification Criteria - Category 3: The instrumentation is high quality commercial grade which is not required to provide information when exposed to a post-accident adverse environment. Only normal and abnormal environments, as defined in Section 3.11, are applicable.

7B.3.2.3.3 Design Criteria - Category 3

1. Servicing, testing, and calibration programs are specified to maintain the capability of the monitoring instrumentation. For those instruments where the required interval between testing is less than the normal time interval between generating station shutdowns, a capability for testing during power operation is provided.
2. Whenever means for removing channels from service are included in the design, the design facilitates administrative control of the access to such removal means.
3. The design facilitates administrative control of the access to setpoint adjustments, module calibration adjustments, and test points.
4. The monitoring instrumentation utilizes human-factored displays to minimize indications potentially confusing to the operator.
5. The instrumentation is designed to facilitate the recognition, location, replacement, repair, or adjustment of malfunctioning components or modules.
6. To the extent practicable, monitoring instrumentation inputs are from sensors that directly measure the desired variables. An indirect measurement is made only when it can be shown by analysis to provide unambiguous information.

7B.3.2.3.4 Information Processing Display, Interface Criteria - Category 3

The interface criteria specified here provide requirements considered in the establishment of the design basis for processing and displaying of the information.

The instrumentation signal is, as a minimum, processed for display on demand. Recording requirements are variable specific and are determined on a case-by-case basis.
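The selection criteria of 7B.3.2.1.1, 7B.3.2.2.1 and 7B.3.2.3.1 and the per-category requirements of 7B.1.3 and 7B.3.2.1.4 can be applied mechanically to an instrument list. The Python below is an added example, not part of the UFSAR. The record fields, the constructed sample inventory, the reading of the single failure criterion as "channels on at least two trains", and the rule that the most stringent category governs a variable belonging to several types are assumptions made for illustration.

```python
from dataclasses import dataclass

# (variable type, role) -> category, from the selection criteria in
# 7B.3.2.1.1, 7B.3.2.2.1 and 7B.3.2.3.1. Combinations the criteria do not
# name (for example a Type A non-preferred backup) are deliberately absent.
SELECTION = {
    ("A", "key"): 1, ("B", "key"): 1, ("C", "key"): 1,
    ("A", "preferred_backup"): 2, ("B", "preferred_backup"): 2,
    ("C", "preferred_backup"): 2, ("D", "key"): 2, ("E", "key"): 2,
    ("B", "backup"): 3, ("C", "backup"): 3,
    ("D", "preferred_backup"): 3, ("E", "preferred_backup"): 3,
}


@dataclass
class Instrument:
    """One monitored variable; field names are assumptions of this example."""
    name: str
    roles: dict                      # variable type -> role, e.g. {"B": "key"}
    channel_trains: tuple            # train label of each channel
    seismic_qualified: bool = False
    environmentally_qualified: bool = False
    qualified_for_function: bool = False
    emergency_standby_power: bool = False
    immediately_accessible: bool = False
    recorder_pre_event_minutes: int = 0


def governing_category(roles):
    """Return the category for a variable that may belong to several types.

    Assumption: the most stringent (lowest-numbered) category governs.
    """
    if not roles:
        raise ValueError("variable has no type assigned")
    categories = []
    for vtype, role in roles.items():
        if (vtype, role) not in SELECTION:
            raise ValueError(f"no selection criterion for Type {vtype} {role}")
        categories.append(SELECTION[(vtype, role)])
    return min(categories)


def audit(inst):
    """Return (category, list of unmet requirements) for one instrument."""
    category = governing_category(inst.roles)
    gaps = []
    if category == 1:
        if not inst.seismic_qualified:
            gaps.append("seismic qualification")
        if not inst.environmentally_qualified:
            gaps.append("environmental qualification")
        # Modelled as: redundant channels must sit on at least two trains.
        if len(set(inst.channel_trains)) < 2:
            gaps.append("single failure criterion: channels share one train")
        if not inst.emergency_standby_power:
            gaps.append("emergency standby power")
        if not inst.immediately_accessible:
            gaps.append("immediately accessible display")
        # 7B.3.2.1.4 item 3: pre-event history of at least one hour.
        if inst.recorder_pre_event_minutes < 60:
            gaps.append("recorder pre-event history under one hour")
    elif category == 2:
        if not inst.qualified_for_function:
            gaps.append("qualification commensurate with function")
    # Category 3 carries none of the requirements checked here.
    return category, gaps


def audit_all(inventory):
    """Map instrument name -> (category, gaps) for a whole inventory."""
    return {inst.name: audit(inst) for inst in inventory}


# Constructed sample inventory; names and attributes are not plant data.
INVENTORY = [
    Instrument("sample-var-1", {"A": "key", "B": "key"}, ("A", "C"),
               seismic_qualified=True, environmentally_qualified=True,
               qualified_for_function=True, emergency_standby_power=True,
               immediately_accessible=True, recorder_pre_event_minutes=60),
    Instrument("sample-var-2", {"C": "key"}, ("A", "A"),
               seismic_qualified=True, environmentally_qualified=False,
               qualified_for_function=True, emergency_standby_power=True,
               immediately_accessible=True, recorder_pre_event_minutes=30),
    Instrument("sample-var-3", {"D": "key"}, ("B",)),
    Instrument("sample-var-4", {"E": "preferred_backup"}, ("A",)),
]

if __name__ == "__main__":
    for name, (category, gaps) in audit_all(INVENTORY).items():
        print(f"{name}: Category {category}, gaps: {gaps or 'none'}")
```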

7B.3.3 Extended Range Instrumentation Qualification Criteria

The qualification environment for extended range information display channel components is based on the DBA events, except the assumed maximum of the value of the monitored variable is the value equal to the specified maximum range for the variable. The monitored variable is assumed to approach this peak by extrapolating the most severe initial ramp associated with the DBA events. The decay for this variable is considered proportional to the decay for this variable associated with the DBA events. No additional qualification margin needs to be added to the extended range variable. The environmental envelopes, except those pertaining to the variable measured by the information display channel, are those associated with the DBA events. The environmental qualification requirement for extended range equipment does not account for steady-state elevated levels that may occur in other environmental parameters associated with the extended range variable. For example, a sensor measuring Containment pressure must be qualified for the measured process variable range (i.e., 3 times design pressure for concrete Containments), but the corresponding ambient temperature is not mechanistically linked to that pressure. Rather, the ambient temperature value is the bounding value for DBA events analyzed in Chapter 15. The extended range requirement is to ensure that the equipment will continue to provide information if conditions degrade beyond those postulated in the safety analysis. Since extended variable ranges are nonmechanistically determined, extension of associated parameter levels is not justifiable and is therefore not required.

7B.4 TYPE A VARIABLES

7B.4.1 Introduction

Type A variables are defined in Section 7B.2.2.1. They are the variables which provide primary information required to permit the control room operating staff to:

1. Perform the diagnosis specified in the WOG ERGs
2. Take specified preplanned manually controlled actions for which no automatic control is provided, that are required for safety systems to accomplish their safety function to recover from the DBA event (Verification of actuation of safety systems is excluded from Type A and is included as Type D)
3. Reach and maintain a safe shutdown condition

Key Type A variables have been designated Category 1. These are the variables which provide the most direct measure of the information required.

No Type A variables have been designated Category 2 or 3.

The Type A variables are listed in Table 7B.4-1.

7B.5 TYPE B VARIABLES

7B.5.1 Introduction

Type B variables are defined in Section 7B.2.2.2. They are the variables that provide to the control room operating staff information to assess the process of accomplishing or maintaining critical safety functions, i.e.,

1. Subcriticality
2. Reactor Core Cooling
3. Heat Sink Maintenance
4. Reactor Coolant System Integrity
5. Containment Environment
6. Reactor Coolant System Inventory

Variables which provide the most direct indication (i.e., key variables) to assess each of the 6 critical safety functions have been designated Category 1. Preferred backup variables have been designated Category 2. These are listed in Table 7B.5-1.

All other backup variables have been designated Category 3.

7B.6 TYPE C VARIABLES

7B.6.1 Introduction

Type C variables are defined in Section 7B.2.2.3. Basically, they are the variables that provide to the control room operating staff information to monitor the potential for breach or actual significant breach of:

1. Fuel Clad
2. Reactor Coolant System Boundary
3. Containment Boundary

(Variables associated with monitoring of radiological release from the plant are included in Type E.)

Those Type C key variables which provide the most direct measure of the potential for breach of one of the 3 fission product boundaries have been designated Category 1. Backup information indicating potential for breach is designated Category 2. Variables which indicate actual breach have been designated as preferred backup information and have been designated Category 2. All other backup variables have been designated Category 3.

Table 7B.6-1 summarizes the selection of Type C variables.

7B.7 TYPE D VARIABLES

7B.7.1 Introduction

Type D variables are defined in Section 7B.2.2.4. Basically, they are those variables that provide sufficient information to the control room operating staff to monitor the performance of:

1. Plant safety systems employed for mitigating the consequences of an accident and subsequent plant recovery to attain a safe shutdown condition, including verification of the automatic actuation of safety systems
2. Other systems normally employed for attaining a cold shutdown condition

Type D key variables are designated Category 2. Preferred backup information is designated Type D Category 3.

The following systems have been identified as requiring Type D information to be monitored:

1. Pressurizer Level and Pressure Control (assess status of RCS following return to normal pressure and level control under certain post-accident conditions)
2. Chemical and Volume Control System (CVCS) (normally employed for attaining a safe shutdown under certain post-accident conditions)
3. Secondary Pressure and Level Control (employed for restoring/maintaining a secondary heat sink under post-accident conditions)
4. Emergency Core Cooling System (ECCS)
5. Auxiliary Feedwater System (AFWS)
6. Containment Systems
7. Component Cooling Water System (CCWS)
8. Essential Cooling Water System (ECWS)
9. Residual Heat Removal System (RHR) (normally employed for attaining a cold shutdown condition)
10. Heating, ventilation, and air conditioning (HVAC) if required for Engineered Safety Features (ESF) operation
11. Electric power to vital safety systems
12. Verification of automatic actuation of safety systems

Table 7B.7-1 lists the key variables identified for each system listed above. Table 7.5-1 specifies the seismic and environmental qualification for each variable.

For purposes of specifying seismic qualification for Type D Category 2 variables, it is assumed that a seismic event and a break in Category I piping will not occur concurrently. As a result, the limiting event is an unisolated break in non-Category I main steam piping (single failure of main steam isolation valve (MSIV)). Instrumentation associated with the safety systems which are required to mitigate and monitor this event should be seismically qualified instrumentation. Similarly, the environmental qualification for Type D Category 2 variables depends on whether the instrumentation is subject to a high energy line break (HELB) when required to provide information.

7B.8 TYPE E VARIABLES

7B.8.1 Introduction

Type E variables are defined in Section 7B.2.2.5. They are those variables that provide the control room operating staff with information to:

1. Monitor the habitability of control room
2. Monitor plant areas where access may be required to service equipment necessary to monitor or mitigate the consequences of an accident
3. Estimate the magnitude of release of radioactive materials through identified pathways and continually assess such releases
4. Monitor radiation levels and radioactivity in the environment surrounding the plant (via portable monitors)

Key Type E variables are qualified to Category 2 requirements. Preferred backup Type E variables are qualified to Category 3 requirements.

Table 7B.8-1 lists the Type E variables.

TABLE 7B.1-1

NUREG-0737 CONFORMANCE

| Applicable Section of NUREG-0737 | Variable |
|---|---|
| I.D.2 | Emergency Response Facilities Data Acquisition and Display System (ERFDADS) |
| II.D.3 | Pressurizer Power-Operated Relief Valves and Safety Valve Status |
| I.E.1.2 | Auxiliary Feedwater Flow |
| II.F.1 Attachment 1 | Unit Vent Steamline Radiation |
| II.F.1 Attachment 2 | Unit Vent Sample |
| II.F.1 Attachment 3 | Containment Radiation |
| II.F.1 Attachment 4 | Containment Pressure (Extended Range) |
| II.F.1 Attachment 5 | Containment Water Level (Wide Range and Narrow Range) |
| II.F.1 Attachment 6 | Containment H2 Concentration |
| II.F.2 | Core Exit Temperature; Reactor Vessel Water Level; RCS Subcooling |
| II.K.1.5 | Emergency Core Cooling System and Other Systems Valve Status |

TABLE 7B.3-1

SUMMARY OF SELECTION CRITERIA

| Type | Category 1 | Category 2 | Category 3 |
|---|---|---|---|
| A | KEY variables that are used for diagnosis or providing information for necessary operator action. | Variables which provide PREFERRED BACKUP information. | None |
| B | KEY variables that are used for monitoring the process of accomplishing or maintaining critical safety functions. | Variables which provide PREFERRED BACKUP information. | Variables which provide BACKUP information. |
| C | Key variables that are used for monitoring the potential breach of a fission product barrier. | Variables which provide PREFERRED BACKUP information. | Variables which provide BACKUP information. |
| D | None | KEY variables which are used for monitoring the performance of plant systems used to attain a controlled plant condition or a safe shutdown condition. | Variables which provide PREFERRED BACKUP information for use in monitoring the performance of plant systems used to attain a controlled plant condition or a safe shutdown condition. |
| E | None | KEY variables to be monitored for use in determining the magnitude of the release of radioactive materials and for continuously assessing such releases. | Variables to be monitored which provide PREFERRED BACKUP information for use in determining the magnitude of the release of radioactive materials and for continuously assessing such releases. |

TABLE 7B.3-2

SUMMARY OF DESIGN, QUALIFICATION, AND INTERFACE REQUIREMENTS

| Requirement | Category 1 | Category 2 | Category 3 |
|---|---|---|---|
| Qualification: Environmental | Yes | As appropriate(1) | No |
| Qualification: Seismic | Yes | As appropriate(1) | No |
| Design: Single Failure | Yes | No | No |
| Design: Power Supply | Emergency Standby | Reliable | As Required |
| Design: Channel out of Service | Technical Specifications | Technical Specifications | No |
| Design: Testability | Yes | Yes | As Required |
| Interface: Minimum Indication | Immediately Accessible | Demand | Demand |
| Interface: Recording | Yes | As Required | As Required |
| Quality Assurance Program Requirements | 10CFR50 Appendix B | Note 2 | Not Applicable |

1. Category 2 instrumentation shall be qualified from the sensor up to and including the channel isolation device for at least the environment (seismic and/or environmental) in which it must operate to serve its intended function. (See Seismic and environmental qualification discussed in Section 3.10 and 3.11 respectively).
2. The quality assurance requirements that are implemented should provide control over activities affecting quality to an extent consistent with the importance to safety of the instrumentation.

TABLE 7B.4-1

SUMMARY OF TYPE A VARIABLES

| No. | Variable | Category |
|---|---|---|
| 1 | RCS Pressure (Wide Range) | A1 |
| 2 | Hot Leg Reactor Coolant Temperature (Wide Range T hot) | A1 |
| 3 | Cold Leg Reactor Coolant Temperature (Wide Range T cold) | A1 |
| 4 | Wide Range Steam Generator Water Level | A1 |
| 5 | Narrow Range Steam Generator Water Level | A1 |
| 6 | Pressurizer Water Level | A1 |
| 7 | Containment Pressure | A1 |
| 8 | Steamline Pressure | A1 |
| 9 | Refueling Water Storage Tank Water Level | A1 |
| 10 | Containment Water Level (Wide Range) | A1 |
| 11 | Containment Water Level (Narrow Range) | A1 |
| 12 | Auxiliary Feedwater Storage Tank Water Level | A1 |
| 13 | Auxiliary Feedwater Flow | A1 |
| 14 | High Range Containment Radiation Level | A1 |
| 15 | Reactor Coolant System Pressure (Extended Range) | A1 |
| 16 | Steam Generator Blowdown Radiation Level | A1 |
| 17 | Steamline Radiation Level | A1 |
| 18 | Core Exit Temperature | A1 |
| 19 | Reactor Coolant System Subcooling | A1 |

TABLE 7B.5-1

SUMMARY OF TYPE B VARIABLES

| Critical Safety Function | Designation | Variable | Category |
|---|---|---|---|
| Subcriticality | Key | a. Neutron Flux (Extended Range) | B1 |
| | | b. Neutron Flux Startup Rate | B1 |
| | Preferred Backup | a. Wide Range T hot | B2 |
| | | b. Wide Range T cold | B2 |
| | | c. RCS Soluble Boron Concentration | B3 |
| Reactor Core Cooling | Key | a. Core Exit Temperature | B1 |
| | | b. Reactor Vessel Water Level | B1 |
| | | c. RCS Subcooling | B1 |
| | | d. AFST Water Level | B1 |
| | | e. RWST Water Level | B1 |
| | Preferred Backup | a. Wide Range T hot | B2 |
| | | b. Wide Range T cold | B2 |
| | | c. RCS Pressure (Wide Range) | B2 |
| Heat Sink Maintenance | Key | a. Narrow Range SG Water Level | B1 |
| | | b. Wide Range SG Water Level | B1 |
| | | c. Auxiliary Feedwater Flow | B1 |
| | | d. AFST Water Level | B1 |
| | | e. Steamline Pressure | B1 |
| | | f. Core Exit Temperature | B1 |
| | | g. Wide Range T hot | B1 |
| | | h. Wide Range T cold | B1 |
| | Preferred Backup | a. Main Steamline Isolation Valve Status | B2 |
| | | b. Main Steamline Bypass Valve Status | B2 |
| Reactor Coolant System Integrity | Key | a. RCS Pressure (Wide Range) | B1 |
| | | b. RCS Pressure (Extended Range) | B1 |
| | Preferred Backup | a. Containment Pressure | B2 |
| | | b. High Range Containment Radiation Level | B2 |
| | | c. Narrow Range SG Water Level | B2 |
| | | d. SG Blowdown Radiation Level | B2 |
| | | e. Steamline Radiation Level | B2 |
| | | f. Pressurizer PORV Status | B2 |
| | | g. Pressurizer Safety Valve Status | B2 |
| Containment Environment | Key | a. Containment Pressure | B1 |
| | | b. High Range Containment Radiation Level | B1 |
| | | c. Containment Water Level (Wide Range) | B1 |
| | Preferred Backup | None | |
| | Backup | a. Containment Hydrogen Concentration | B3 |
| Reactor Coolant System Inventory | Key | a. Pressurizer Water Level | B1 |
| | | b. Reactor Vessel Water Level | B1 |
| | Preferred Backup | a. Containment Water Level (Wide Range) | B2 |
| | | b. Containment Water Level (Narrow Range) | B2 |
| | | c. Wide Range Steam Generator Water Level | B2 |

Note:

  • Per Reference 7.5-2, the hydrogen monitors can be classified as Category 3.


TABLE 7B.6-1

SUMMARY OF TYPE C VARIABLES

| Boundary | Potential for Breach | Category | Actual Breach | Category |
|---|---|---|---|---|
| Incore Fuel Clad | Key: Core Exit Temperature | C1 | Backup: RCS Sampling (Primary Coolant Activity) | C3 |
| | Preferred Backup: Reactor Vessel Water Level | C2 | | |
| RCS Boundary | Key: RCS Pressure (Extended Range) | C1 | Preferred Backup: RCS Pressure (Wide Range) | C2 |
| | Key: RCS Pressure (Wide Range) | C1 | Preferred Backup: Containment Pressure | C2 |
| | | | Preferred Backup: Containment Water Level (Wide Range) | C2 |
| | | | Preferred Backup: Containment Water Level (Narrow Range) | C2 |
| | | | Preferred Backup: Steamline Radiation Level | C2 |
| | | | Preferred Backup: SG Blowdown Radiation Level | C2 |
| | | | Preferred Backup: High Range Containment Radiation Level | C2 |
| | | | Backup: Condenser Vacuum Pump Discharge Radiation Level | C3 |
| Containment Boundary | Key: Containment Pressure (Extended Range) | C1 | Preferred Backup: Unit Vent Radiation Level | C2 |
| | Key: Containment Pressure | C1 | Preferred Backup: Fuel Handling Building Exhaust Radiation Level | C2 |
| | Backup: Containment Hydrogen Concentration | C3 | Preferred Backup: Containment Isolation Valve Status | C2 |
| | | | Preferred Backup: Containment Pressure (Extended Range) | C2 |
| | | | Backup: Site Environmental Radiation Level (Portable Monitoring) | C3 |
| | | | Backup: Adjacent Building Area Radiation Level | C3 |

Note:

  • Per letter AE-NOC-04001311, the hydrogen monitors can be classified as Category 3.

TABLE 7B.7-1

SUMMARY OF TYPE D VARIABLES

| System Designation | Variable | Category |
|---|---|---|
| 1. Pressurizer Level and Pressure Control | Pressurizer PORV Status | D2 |
| | Pressurizer PORV Block Valve Status | D2 |
| | Pressurizer Safety Valve Status | D2 |
| | Pressurizer Spray Valve Status | D2 |
| | Pressurizer Heater Breaker Position | D2 |
| | Pressurizer Water Level | D2 |
| | Reactor Vessel Water Level | D2 |
| | RCS Pressure (Wide Range) | D2 |
| | Pressurizer Pressure | D2 |
| | RCP Status | D2 |
| | Quench Tank Level | D3 |
| | Quench Tank Temperature | D3 |
| | Quench Tank Pressure | D3 |
| | RCP Motor Current | D3 |
| 2. Chemical Volume and Control | Charging Flow | D2 |
| | Letdown Flow | D2 |
| | VCT Water Level | D2 |
| | RCP Seal Injection Flow | D2 |
| | Valve Status | D2 |
| | Charging Pump Status | D2 |
| | BAT Pump Status | D2 |
| 3. Secondary Pressure and Level Control | SG PORV Status | D2 |
| | Main Steam line Isolation Valve Status | D2 |
| | Main Steam line Bypass Valve Status | D2 |
| | SG Safety Valve Status | D2 |
| | Steamline Pressure | D2 |
| | MFW Control Valve Status | D2 |
| | MFW Control Bypass Valve Status | D2 |
| | MFW Isolation Status | D2 |
| | MFW Isolation Bypass Status | D2 |
| | MFW Flow | D3 |
| | Auxiliary Feedwater Flow | D2 |
| | SG Water Level (Wide Range and Narrow Range) | D2 |
| | SG Blowdown Isolation Valve Status | D2 |
| | SG Blowdown Sample Isolation Valve Status | D2 |
| 4. Emergency Core Cooling | RWST Water Level | D2 |
| | HHSI Flow | D2 |
| | LHSI Flow | D2 |
| | Containment Water Level (Wide Range and Narrow Range) | D2 |
| | Pump and Valve Status | D2 |
| | Accumulator Pressure | D2 |
| | Accumulator Tank Level | D3 |
| | Accumulator Isolation Valve Position | D2 |
| 5. Auxiliary Feedwater | Auxiliary Feedwater Flow | D2 |
| | Pump and Valve Status | D2 |
| | Auxiliary Feedwater Storage Tank Water Level | D2 |
| 6. Containment Systems | Containment Spray Flow | D2 |
| | Containment Water Level (Wide Range and Narrow Range) | D2 |
| | Spray System Pump and Valve Status | D2 |
| | Reactor Containment Fan Cooler Status: Fan Status | D2 |
| | Reactor Containment Fan Cooler Status: Differential Pressure (Backup) | D3 |
| | Containment Pressure | D2 |
| | Containment Isolation Valve Status | D2 |
| | Containment Ventilation Valve Status | D2 |
| | Containment Atmospheric Temperature | D3 |
| | RHR Heat Exchanger Inlet Temperature | D3 |
| 7. Component Cooling Water | Pump Discharge Pressure | D2 |
| | Header Temperature | D2 |
| | Surge Tank Water Level | D2 |
| | Flow to ESF Components | D2 |
| | Pump and Valve Status | D2 |
| 8. Essential Cooling Water | Flow to ESF Components | D2 |
| | Pump and Valve Status | D2 |
| 9. Residual Heat Removal | Heat Exchanger Discharge Temperature | D2 |
| | Flow | D2 |
| | Pump and Valve Status | D2 |
| | RCS Pressure (Wide Range) | D2 |
| 10. Heating, Ventilation, and Air Conditioning | ESF Environment Temperature | D2 |
| | ESF Cubicle Fan/Cooler Status | D2 |
| | Emergency Ventilation Damper Position | D2 |
| 11. Electric Power | Standby Power and Emergency Source Status | D2 |
| | Other Safety-Related Energy Sources | D2 |
| 12. Verification of Automatic Actuation of Safety Systems | Reactor Trip Breaker Position | D2 |
| | Turbine Governor Valve Position | D2 |
| | Turbine Stop Valve Position | D2 |
| | Auxiliary Feedwater Pump Status (turbine) | D2 |
| | Auxiliary Feedwater Pump Status (motor driven) | D2 |
| | SI Pump and Valve Status | D2 |
| | CCW Pump and Valve Status | D2 |
| | ECW Pump and Valve Status | D2 |
| | Containment Spray Pump and Valve Status | D2 |
| | Neutron Flux (Extended Range) | D2 |
| | Neutron Flux Startup Rate | D2 |
| | Containment Isolation Valve Status | D2 |
| | Containment Ventilation Valve Status | D2 |
| | Reactor Containment Fan Cooler Status: Fan Status | D2 |
| | Reactor Containment Fan Cooler Status: Differential Pressure (Backup) | D3 |
| | SI Actuation Status | D2 |
| | Containment Isolation Actuation Status | D2 |
| | Control Rod Position Indication (Backup) | D3 |
| 13. Liquid Waste | Radioactive Liquid Tank Levels | D3 |

TABLE 7B.8-1

SUMMARY OF TYPE E VARIABLES

| Group | Variable | Category |
|---|---|---|
| 1. Control Room Habitability | Control Room Radiation Level: Intake Air | E2 |
| | Control Room Radiation Level: Area | E3 |
| 2. Post-Accident Access Area Radiation | Post-Accident Sampling Station | E3* |
| | Technical Support Center | E3* |
| | Emergency Operations Center | E3* |
| | Unit Vent Monitoring Station | E3* |
| 3. Release Pathways | High Range Containment Radiation Level | E2 |
| | Steam Line Radiation Level & Relief Valve Status | E2 |
| | Unit Vent Radiation Level and Vent Flow | E2 |
| | FHB Exhaust Radiation Level | E2 |
| | Containment Sump & Atmospheric Sampling | E3 |
| | Liquid Radwaste Radiation Level & Valve Status | E2 |
| | Liquid Radwaste Flow Rate | E3 |
| 4. Site Environmental Radiation Level | Area Monitors (Portable) | E3* |
| | Meteorological Parameters | E3* |