ML15099A065: Difference between revisions

#REDIRECT [[DCL-11-104, Attachment 6: Rev. 4 to Diablo Canyon Power Plant Units 1 & 2, Process Protection System (PPS) Replacement Conceptual Design Document.]]
{{Adams
| number = ML15099A065
| issue date = 10/26/2011
| title = Attachment 6: Rev. 4 to Diablo Canyon Power Plant Units 1 & 2, Process Protection System (PPS) Replacement Conceptual Design Document.
| author name =
| author affiliation = Altran Solutions Corp, Pacific Gas & Electric Co
| addressee name =
| addressee affiliation = NRC/NRR
| docket = 05000275, 05000323
| license number =
| contact person =
| case reference number = DCL-11-104
| package number = ML113070457
| document type = Report, Technical
| page count = 60
}}
 
=Text=
{{#Wiki_filter:Enclosure Attachment 6 PG&E Letter DCL-11-104 Diablo Canyon Power Plant Units 1 & 2 Process Protection System Replacement Conceptual Design Document (CDD), Revision 4 (LAR Reference 27)
 
Pacific Gas & Electric Company Diablo Canyon Power Plant Units 1 & 2 Process Protection System (PPS) Replacement Conceptual Design Document Rev 4
[Signature block: Prepared, Reviewed, Coordination and Approval signatures and dates, mostly illegible in the scan. Legible entries: Prepared, Last Name "Hefl" (remainder illegible), User ID JWH3; Reviewed, Last Name Lint, User ID RAL4. Altran Solutions.]
 
REVISION HISTORY Revision Number        Affected Item          Reason for Revision 1                All            Initial Issue Figure 2-3          Updated 2.3            Updated Replacement Scope description Figure 2-6          Revised per Westinghouse comment 2.2.1          Updated 2.2.2          Deleted - Information not conceptual.
2.2.3          Updated items 1-5; added new item 10 2.2.4          Added discussion of alternative Thot averaging schemes.
Figure 2-8          Added new figure; renumbered remaining figures in section Figure 2-9          Updated 2.2.4.2          Updated Section Title 2.3.1 2.3.2          Updated Rack assignments and physical modifications 2.3.2.2          Added description of Feedwater Flow signals and Steam Flow/Feedwater Flow Mismatch alarm functions and field wiring to be deleted from PPS.
2.3.3          Added new section to describe external interfaces; renumbered remaining sections.
2                2.3.4 through 2.3.11          Deleted non conceptual information; updated sections; ALS data link isolation is performed by fiber optic media converters.
Figure 2-9        Revised per Westinghouse comment Figure 2-14 through Figure 2-20        Added new Figure 2-14 (Diversity Architecture), Figure 2-15 (OOS Switches), updated and renumbered remaining figures
Table 2-1          Added new table 2.4            Revised entire section Added references; updated titles Deleted Westinghouse/CSI Proprietary references 4.1            Added new section for Tricon Configuration Items; renumbered remaining sections 4.2            Added new section for ALS Configuration Items; renumbered remaining sections Entire Document        Clarified safety-related and non-safety-related classifications Entire Document        Changed MVDU to Maintenance Workstation Clarified Electrical Class 1E (IEEE 308) vs. Instrument Class IA, IB, II per DCM T-19 and T-24. Clarified Protection Set numbering 2.2.3.4          Initial values for m, b constants 2.3.3.2          Clarified PS description to conform to FRS and IRS 2.3.3.4, 2.3.3.6      Corrected typo 2.3.3.7, 2.3.3.9      Change Tricon energize to trip outputs to 24 VDC for SDO Clarified Tricon Communication Module (TCM); clarified NRC approval of Net Optics 4-port aggregator tap 2.3.5          Revised testing features description per current concept 2.3.6          Clarified that qualified isolators are provided by PG&E 3            Table 2-1          New table clarifies failed RTD detection concept DCPP D3 Topical Report has received USNRC Safety Evaluation Report; Table clarified per SER Deleted DTTA alarms from ALS; Tricon function only Figure 2-9          Updated ALS communications links per Topical Report Figure 2-10        Added new figure to illustrate trip output loopback Figure 2-13, Figure 2-14, Figure 2-16 through Figure 2-21      Updated Figures per current OOS concept; added new Figure 2-21 3.1.30, 3.1.36        Updated references 3.2.3, 3.2.4 4            Updated scope
 
REVISION HISTORY, continued Revision Number      Affected Item          Reason for Revision 2.1            Misc. editorial changes 2.2            Updated scope description Figure 2-1 Figure 2-2          Updated figures Figure 2-3 Figure 2-4          Added New Figure Table 2-1          Deleted table - more detail than needed in CDD 2.3.2.3          Updated description 2.3.2.4          Added port aggregator communication test 2.3.3.2          Deleted power supply voltage Figure 2-9          Updated figure 2.3.4          Misc editorial changes 4                            Updated per ALS Topical Report 2.3.5          Updated per FRS and Function Block Diagrams 2.3.5.2          Updated per ALS discussions 2.4.1          Deleted non-conceptual information.
Figure 2-11 Figure 2-12      Added figures per ALS discussions Figure 2-12 Figure 2-13        Updated Figure Figure 2-14        Updated figure; added explanation 3.1            IEEE STD 603 is 1991 Added IEEE 7-4.3.2 2003 Global (Not marked)    Changed Maintenance Video Display unit (MVDU) to Maintenance Workstation (MWS)
Global (Not marked)    Deleted proprietary information designations
 
Process Protection System Replacement Conceptual Design Document Rev 4

CONTENTS
1 INTRODUCTION
1.1 BACKGROUND
1.2 DEFINITIONS
2 PROCESS PROTECTION SYSTEM REPLACEMENT CONCEPT
2.1 EXISTING SYSTEM
2.2 REPLACEMENT SCOPE
2.3 REPLACEMENT SYSTEM DESIGN
2.4 DIVERSITY AND DEFENSE-IN-DEPTH (D3)
3 REFERENCES
3.1 INDUSTRY STANDARDS AND REGULATORY GUIDANCE
3.2 PG&E DOCUMENTS
3.3 PRIMARY (DESIGN BASIS) DRAWING REFERENCES
4 PPS RACKS AND CHANNELS
4.1 TRICON HARDWARE CONFIGURATION ITEMS
4.2 ALS CONFIGURATION ITEMS
4.3 PG&E CONFIGURATION ITEMS
4.4 PROTECTION SET I FUNCTIONS AND INSTRUMENT CLASSES
4.5 PROTECTION SET II FUNCTIONS AND INSTRUMENT CLASSES
4.6 PROTECTION SET III FUNCTIONS AND INSTRUMENT CLASSES
4.7 PROTECTION SET IV FUNCTIONS AND INSTRUMENT CLASSES

TABLES
Table 2-1 RTD Input Conditions vs. Current Output Behavior
Table 2-2 Primary Protection System Functions Performed by ALS Sub-System
Table 4-1 Protection Set I Analog Output Functions
Table 4-2 Protection Set I Discrete Output Functions
Table 4-3 Protection Set II Analog Output Functions
Table 4-4 Protection Set II Discrete Output Functions
Table 4-5 Protection Set III Analog Output Functions
Table 4-6 Protection Set III Discrete Output Functions
Table 4-7 Protection Set IV Analog Output Functions
Table 4-8 Protection Set IV Discrete Output Functions
 
FIGURES
Figure 1-1 Westinghouse PWR Protection Scheme
Figure 2-1 Existing DCPP Reactor Protection System Concept with Eagle 21 PPS
Figure 2-2 Simplified Existing PPS Architecture with Eagle 21
Figure 2-3 PPS Replacement Design Concept
Figure 2-4 Simplified PPS Replacement Architecture
Figure 2-5 Tricon Triple Modular Redundant Architecture
Figure 2-6 Generic ALS Architecture
Figure 2-7 Typical PPS Safety Functions
Figure 2-8 PPS Equipment Rack Assignment Concept
Figure 2-9 PPS Replacement Architecture Concept
Figure 2-10 Triconex Trip Loopback Concept (Typical for Deenergize to Trip Outputs)
Figure 2-11 ALS-A and ALS-B Deenergize to Trip OR Configuration Concept
Figure 2-12 ALS-A and ALS-B Energize to Trip OR Configuration Concept
Figure 2-13 Eagle 21 Replacement PPS Class II Communications Architecture
Figure 2-14 ALS Built In Diversity Architecture
Figure 2-15 Out of Service Switches
Figure 2-16 Typical PPS Replacement Loop Pseudo Function Block Diagram - Loop in Service
Figure 2-17 Loop Out of Service - No Request from MWS
Figure 2-18 Analog Output in Test from MWS
Figure 2-19 Discrete Output Test in Trip from MWS
Figure 2-20 Discrete Output Test in Bypass from MWS
Figure 2-21 Parameter Update from MWS
 
1 Introduction
 
==1.1  BACKGROUND==
 
This document describes the concept for replacement of the Eagle 21 Process Protection System (E21 PPS) equipment for Diablo Canyon Power Plant Units 1 and 2. The project will replace the Westinghouse Eagle 21 protection sets currently housed in Protection Racks 1 - 16 in the Cable Spreading Room.
The scope of the replacement concept is illustrated by the shaded area in Figure 1-1:
[Figure 1-1: Westinghouse PWR Protection Scheme]

==1.2 DEFINITIONS==

The following definitions apply for this document:

Channel: An arrangement of components, modules, and software as required to generate a single protective action signal when required by a generating station condition. A channel loses its identity where single action signals are combined.

Module: Any assembly of interconnected components that constitutes an identifiable device, instrument, or piece of equipment. A module can be disconnected, removed as a unit, and replaced with a spare. It has definable performance characteristics that permit it to be tested as a unit. A module can be a card or other subassembly of a larger device, provided it meets the requirements of this definition.

Components: Items from which the system is assembled (such as resistors, capacitors, wires, connectors, transistors, tubes, switches, and springs).

Protection Set: A protection set is a physical grouping of process channels with the same Class I electrical channel designation (I, II, III, or IV). Each of the four redundant protection sets is provided with separate and independent power feeds and process instrumentation transmitters. Thus, each of the four redundant protection sets is physically and electrically independent of the other sets.

Protective Function: A protective function is the sensing of one or more variables associated with a particular generating station condition, signal processing, and the initiation and completion of the protective action at values established in the design bases.

Tests made on one or more units to verify adequacy of design of that type of unit.

Diversity and Defense-In-Depth (D&D-in-D or D3): Requirement imposed on the Protection System design to ensure that required protective actions will occur to protect against Anticipated Operational Occurrences and Design Basis Accidents (as described in the FSARU) concurrent with a common cause failure (usually assumed to be software) that disables one or more echelons of defense.

Electrical Class 1E [3.2.3]: Design Class I electrical systems, components and equipment perform safety-related functions. Instrument Class IA and IB Category 1 devices below are considered to serve Class 1E functions. All other instrument classes are considered to serve non-Class 1E functions.

Instrument Class IA [3.2.4]: Instrument Class IA instruments and controls are those that initiate and maintain safe shutdown of the reactor, mitigate the consequences of an accident, or prevent exceeding 10 CFR 100 off-site dose limits.

Instrument Class IB [3.2.4]: Instrument Class IB instruments and controls are those that are required for post-accident monitoring of Category 1 and 2 variables in accordance with Regulatory Guide 1.97, Revision 3 [3.1.21].

Instrument Class II [3.2.4]: Instrument Class II components are Design Class II devices with non-safety-related functions. However, certain Class II components are subjected to some graded quality assurance requirements.
 
2 Process Protection System Replacement Concept

==2.1 EXISTING SYSTEM==

The Process Protection System (PPS) monitors plant parameters, compares them against setpoints and provides signals to the Solid State Protection System (SSPS) if the setpoints are exceeded.
The SSPS evaluates the signals and performs Reactor Trip System (RTS) and Engineered Safety Feature Actuation (ESFAS) functions to mitigate the event that is in progress.
There are four separate PPS rack sets. Separation of redundant process channels begins at the process sensors and is maintained in the field wiring, containment penetrations, and process protection racks to the two redundant trains in the SSPS logic racks. Redundant process channels are separated by locating the electronics in different PPS rack sets.
A process channel is defined as an arrangement of components, modules and software as required to generate a single protective action signal when required by a generating station condition.
[FSAR Section 7.1]
The original Westinghouse/Hagen 7100 analog protection sets were replaced in 1R6 and 2R6 with the existing Westinghouse Eagle 21 PPS. A conceptual depiction of the Eagle 21 PPS is provided in Figure 2-1.
The functional relationship of Eagle 21 with the other components of the overall Reactor Protection System (RPS) is illustrated in Figure 2-2.
[Figure 2-1: Existing DCPP Reactor Protection System Concept with Eagle 21 PPS]

[Figure 2-2: Simplified Existing PPS Architecture with Eagle 21]
 
==2.2 REPLACEMENT SCOPE==

The proposed replacement PPS concept shown in Figure 2-3 implements the Diversity and Defense-in-Depth strategy described in Section 2.4 and the PPS Replacement Diversity and Defense in Depth Topical Report [3.2.1]. The project will replace the Westinghouse Eagle 21 protection sets currently housed in Protection Racks 1 - 16 shown in the shaded portion of Figure 2-4.
Replacement PPS protective functions will be implemented in four (4) redundant protection sets, each using a software-based Triconex Tricon processor [Figure 2-5] to mitigate events where existing safety analysis [3.1.18] has determined that diverse and independent automatic mitigating functions are available to mitigate the effects of postulated Common Cause Failure (CCF) concurrent with FSAR Chapter 15 events. For the events where existing analyses credit manual mitigative action, automatic protective functions will be performed in a diverse safety-related Westinghouse CS Innovations, LLC Advanced Logic System (ALS) [Figure 2-6].
[Figure 2-3: PPS Replacement Design Concept]

[Figure 2-4: Simplified PPS Replacement Architecture]

[Figure 2-5: Tricon Triple Modular Redundant Architecture]

[Figure 2-6: Generic ALS Architecture]
 
===2.2.1. Replacement PPS Functions===

Typical replacement PPS Functions are illustrated in the following figure. Input and output details are provided in Section 4. The functions performed by the replacement PPS are identical to those of the existing Eagle 21 PPS.

[Figure 2-7: Typical PPS Safety Functions. Labels legible in the figure: Typical Protection Set; Protection System Analog Inputs; Tricon; ALS; Bistable Outputs to Existing SSPS; Bistable Outputs to Auxiliary Safeguards; 4-20 mA Temperature Outputs to Tricon.]

===2.2.2. Deleted===
 
===2.2.3. Enhancements===
: 1. In the existing Eagle 21 PPS, the operator must take manual action to mitigate certain FSARU Chapter 15 events should the event occur with a concurrent Common Cause Failure (CCF). In the replacement PPS, these events will be mitigated automatically.
Refer to Section 2.4 for details.
: 2. The replacement PPS provides a Supervised Digital Output (SDO) that enables the PPS to monitor the external circuit for continuity. If the external circuit is broken, the PPS will generate an alarm.
: 3. The ALS subsystem in the replacement PPS provides built-in diversity by utilizing diverse "A" and "B" logic groups, such that a command output from either logic group will initiate the safety function. Additional details are provided in the ALS Topical Report [3.1.30].
: 4. All PPS analog inputs will be provided with a mx+b function to enable on-line rescaling.
Initial values will be m=1.0, b=0.0, unless specified otherwise.
: 5. Analog outputs from the replacement PPS to critical control systems (Main Turbine Control System, Pressurizer Pressure Control, Pressurizer Level Control, and Digital Feedwater Control System) will be isolated at the front end of the replacement PPS
[Figure 2-3 and Figure 2-9] to improve diversity as discussed in the D3 Topical Report
[3.2.1]. The DFWCS application must be modified to provide the Steam Flow pressure compensation [2.3.3.3].
: 6. Analog outputs from the replacement PPS to Reg. Guide 1.97 Post Accident Monitoring recorders and indicators will be independent from the replacement PPS as determined to be necessary by the D3 evaluation. Independence will be implemented either (1) by dedicated qualified isolation devices; or (2) by obtaining the signal directly off the transmitter loop as discussed in the next item.
: 7. Figure 2-3 and Figure 2-9 illustrate the concept in which certain Post Accident Monitoring (PAM) functions obtain their signals directly from the input loop. No isolation is necessary because the input loop is the correct classification. The signals to which this concept is applicable are listed in Section 4.
: 8. In the existing system, the Thot and Tcold signals are processed in separate racks for the DTTA trip functions and the Steam Generator Low-Low Level Trip Time Delay (TTD) functions. In the replacement system, the calculation will be performed only once to be utilized for both functions.
: 9. The DCPP RCS contains three thermowells in each hot leg that are radially spaced 120° apart. Each thermowell contains two redundant narrow range RTD's. The RTD signals are processed by the PPS to determine a group average hot leg bulk temperature value (Thot) for the loop. In the existing Eagle 21 PPS, one of the elements in each hot leg thermowell is an installed spare. A wiring change is required if the spare RTD is to be used. In the replacement PPS, all six (6) hot leg RTD's in a loop will be permanently wired into the PPS.
The Eagle 21 methodology uses streaming factors to normalize the three loop Thot input values to the loop average Thot. The streaming factors are updated manually on a quarterly basis. Following normalization, the Eagle 21 PPS calculates the Thot group value based on the available number of good input values. Invalid input signals<sup>1</sup> are removed automatically from the group average. If more than one input signal is invalid, the loop average Thot is considered inoperable.
The sensor validation scheme for Thot RTD sensors will be updated to use both RTD's in each thermowell to take advantage of the accuracy improvement obtained from using additional sensors and to make the Thot determination more fault-tolerant. Streaming is a manifestation of physical hot-leg stratification, and not an electrical phenomenon; therefore, the streaming factors will continue to be calculated per thermowell and applied to both "A" and "B" RTD signals in the well. Thus, three streaming factors per RCS loop will be calculated similarly to the Eagle 21 streaming factors.
The "A" and "B" RTD's in each thermowell are processed by the "A" and "B" ALS groups to provide diverse input processing. The ALS transmits processed 4-20 mA "A" and "B" temperature information to the protection set Tricons. The Tricons calculate the average ThotA of the three "A" RTD's in a loop using methodology similar to that used by Eagle 21 that automatically identifies and rejects invalid values or values that deviate excessively from ThotA. The average ThotB of the three "B" RTD's in the loop will be calculated similarly. The loop average Thot is the average of valid ThotA and ThotB.
The streaming factors will be updated semi-automatically, with manual action required to confirm that the constants to be updated are correct. The semi-automatic process reduces maintenance effort and minimizes the potential for human error during update.
This methodology is more accurate than the existing scheme because it uses more RTD's to calculate the average. It is also more fault tolerant than the existing scheme, which allows one failed RTD in a loop. In the proposed scheme, all "B" ("A") RTD's could fail (which would cause the ThotB (ThotA) to be automatically removed from the average) in addition to one failed "A" ("B") RTD. The loop Thot would then be based on two valid "A" ("B") RTD signals, equivalent to the existing Eagle 21 scheme.
: 10. Open RTD Detection
The ALS will provide down-scale open RTD protection. If the ALS detects an open or failed RTD, it will output an analog signal which is less than the Tricon signal failure threshold. If the actual temperature is below the low scale value the ALS shall output the low scale value (4 mA). If the actual temperature is above the high scale value the ALS shall output the high scale value (20 mA).
This allows the Tricon to provide an alarm on RTD failure and ensures that the Tricon does not indicate RTD failure when the temperature is below low scale but the RTD is still functioning correctly, a condition that exists during plant shutdown. In the latter case, the actual temperature will be available from the ALS via the Gateway computer. This feature allows RTD cross-calibration to be performed during startup using data obtained directly from the PPC, without the need to lift leads and connect external instrumentation.
Footnote 1: Invalid signals are those (1) that have been disabled; or (2) for which the signal processing electronics has detected a failure; or (3) that deviate excessively from the average or from each other.
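The validation and averaging scheme of item 9, combined with the open-RTD signalling of item 10, as an added example (not code from PG&E, Invensys/Triconex or Westinghouse/CSI). The scale limits, the failure threshold, the deviation limit and the additive form of the streaming factor are assumptions; the page gives none of them.

```python
from statistics import mean

# Constructed values: the page gives no scaling, threshold or deviation limit.
LOW_F, HIGH_F = 530.0, 650.0   # hypothetical temperatures at 4 mA and 20 mA
FAIL_MA = 3.6                  # hypothetical Tricon signal-failure threshold
OPEN_RTD_MA = 3.0              # hypothetical ALS down-scale output, below FAIL_MA
DEV_LIMIT_F = 3.0              # hypothetical "deviates excessively" limit


def als_output_ma(temp_f, rtd_open=False):
    """ALS side: drive the loop down-scale on an open RTD, else clamp to 4-20 mA."""
    if rtd_open:
        return OPEN_RTD_MA
    ma = 4.0 + (temp_f - LOW_F) * 16.0 / (HIGH_F - LOW_F)
    return min(max(ma, 4.0), 20.0)


def tricon_input_degf(ma):
    """Tricon side: None marks a failed signal; 4 mA is a valid low-scale reading."""
    if ma < FAIL_MA:
        return None
    clamped = min(max(ma, 4.0), 20.0)
    return LOW_F + (clamped - 4.0) * (HIGH_F - LOW_F) / 16.0


def group_average(ma_inputs, streaming_bias):
    """Average the three "A" (or three "B") signals of one loop.

    streaming_bias[i] is the per-thermowell streaming factor, modelled here as
    an additive correction (assumption). Returns None when the group is invalid.
    """
    valid = {}
    for well, ma in enumerate(ma_inputs):
        temp = tricon_input_degf(ma)
        if temp is not None:
            valid[well] = temp - streaming_bias[well]
    if len(valid) == 3:
        avg = mean(valid.values())
        worst = max(valid, key=lambda w: abs(valid[w] - avg))
        if abs(valid[worst] - avg) > DEV_LIMIT_F:
            del valid[worst]           # reject the single deviating input
    if len(valid) < 2:
        return None                    # more than one invalid input
    values = list(valid.values())
    if len(values) == 2 and abs(values[0] - values[1]) > DEV_LIMIT_F:
        return None                    # the two survivors disagree with each other
    return mean(values)


def loop_thot(a_ma, b_ma, streaming_bias):
    """Loop Thot: average of whichever of ThotA and ThotB are valid."""
    groups = [g for g in (group_average(a_ma, streaming_bias),
                          group_average(b_ma, streaming_bias)) if g is not None]
    return mean(groups) if groups else None


# Constructed sample: three wells reading 608/610/612 F with biases -2/0/+2,
# so every normalized value equals the 610 F loop average.
BIAS = (-2.0, 0.0, 2.0)
HEALTHY = [als_output_ma(t) for t in (608.0, 610.0, 612.0)]
OPEN = als_output_ma(0.0, rtd_open=True)
ALL_OPEN = [OPEN, OPEN, OPEN]
ONE_OPEN = [OPEN] + HEALTHY[1:]
DRIFTED = [als_output_ma(617.0)] + HEALTHY[1:]   # well 1 reads 9 F high
```

With all three "B" signals open and one "A" signal open, `loop_thot` still returns the loop value from the two remaining "A" signals, which is the fault-tolerance case described in item 9.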
 
: 11. Feedwater Flow Signals
The Feedwater Flow signals and the Steam Flow/Feedwater Flow Mismatch alarms will be removed from the PPS. The flow signals are non-safety-related and will be input to the Digital Feedwater System (DFWCS), which will then generate the Steam Flow/Feedwater Flow Mismatch alarms.
2.2.4. Discussed but Omitted from PPS Replacement Scope
: 1. Calculate the average of all six (6) (two per well) Thot RTD's as inputs, eliminating the Eagle 21 streaming factors. This option reduces the maintenance effort required to track and maintain the streaming factors and the potential for human error when updating the streaming constants manually. However, this arrangement does not automatically remove a deviating input signal from the group average Thot and is thus less fault-tolerant than the existing system.
: 2. Another averaging arrangement was proposed that would input all six values to a single averaging/validation algorithm using streaming factors to normalize the input values to the average Thot. Invalid or deviating values would be rejected automatically. After discussion, this arrangement was not pursued further because the complexity of the algorithm and the effort required to validate it do not appear to be justified by the additional degree of fault tolerance to be gained over the proposed configuration.
 
2.3 REPLACEMENT SYSTEM DESIGN
2.3.1. PPS Rack assignments and electrical location codes are listed below:
* Protection Set I (Racks 1-5): RNP1A, RNP1B, RNP1C, RNP1D, RNP1E
* Protection Set II (Racks 6-10): RNP2A, RNP2B, RNP2C, RNP2D, RNP2E
* Protection Set III (Racks 11-13): RNP3A, RNP3B, RNP3C
* Protection Set IV (Racks 14-16): RNP4A, RNP4B, RNP4C
Physical equipment will be assigned to specific PPS racks during detailed design.
The existing Eagle 21 HMI units are located in Racks 5 (RNP1E), 9 (RNP2D), 12 (RNP3B) and 14 (RNP4A). These racks are expected to house the replacement PPS Maintenance Workstation and communications equipment:
Figure 2-8 PPS Equipment Rack Assignment Concept (diagram showing Tricon, PRXM, ALS-A, ALS-B, MWS and RRXM chassis and termination areas distributed across the racks of Protection Sets 1 through 4)
Note: Equipment distribution subject to change per detailed design
 
2.3.2. Physical Modifications
: 1. Protection Racks 1-16
* Remove all equipment
* Rework structure of existing cabinets to support new Tricon and ALS chassis and field termination panels and to satisfy the seismic requirements
* Install new protection set electronics and I/O power supplies
* Install isolators for signals that require independence from the replacement PPS (See Section 2.2.3)
* Install network switches, media converters, Net Optics port aggregator network taps, hubs, gateway computers and maintenance terminals/system printers
* Install Maintenance Workstation (MWS) in each Protection Set
* Remove Main Annunciator System ac/dc converters from PPS alarm outputs.
: 2. PPS Field Wiring
* Remove Feedwater Flow signals from PPS. These signals are non-safety-related and will be input to the Digital Feedwater System (DFWCS) to provide the Steam Flow/Feedwater Flow Mismatch alarms.
* Remove Steam Flow/Feedwater Flow Mismatch alarms from PPS. These alarms will be generated in the non-safety-related DFWCS.
* Bistable wiring to SSPS Train A and Train B Input cabinets 1-4 will not be changed.
* 120 Vac power wiring to Racks 1-16 will not be changed
* Install other 120 Vac power wiring as needed
* Install Ethernet Cable from port aggregator media converter to Gateway computer network hub
: 3. Operator Interface
* PPS uses existing hardwired devices located on the Main Control Room Vertical Boards and Control Console.
* The PPS will share a Maintenance Workstation (MWS) on CC4 that will be installed by the Process Control System (PCS) replacement project for system health displays.
: 4. Special Tests
* During SAT, verify that information flowing between NetOptics port aggregator network tap Ports A and B is copied to Port 1 and that no communications are permitted to take place from Port 1 to either Port A or Port B.
* During PMT, measure as-found and as-left Total Harmonic Distortion (THD) on power supply at the PPS 120 Vac power supply input terminals before and after installation of equipment powered from the vital busses. Refer to USNRC Reg. Guide 1.180 for guidance [3.1.26].
 
2.3.3. External System Interfaces
: 1. Power Supply
* Each PPS Protection Set will be powered from a separate 120 VAC vital bus via a Class 1E uninterruptible power supply.
* Each PPS Protection Set will be provided with a 120 VAC control grade (non-vital) utility power source.
: 2. I/O Power Supplies
* Each PPS Protection Set will be provided with adjustable redundant loop power supplies capable of powering all 4-20 mA instrument input loops associated with that Protection Set. Operating voltage will be selected to power instrument loops without exceeding voltage limitations of instrument loop sensors (transmitters) being utilized for the higher loop resistances resulting from addition of isolators and input signal taps.
* Analog 4-20 mA output loops will be powered by redundant 24 Vdc power supplies.
* All Discrete inputs and outputs will be powered by redundant 24 Vdc power supplies separate from those used for analog output loops.
* Failure of any power supply will be alarmed
: 3. Digital Feedwater Control System (DFWCS)
* The existing PPS provides a pressure-compensated Steam Flow signal to the DFWCS. The replacement PPS will provide an isolated, uncompensated steam flow signal to the DFWCS directly from the PPS transmitter input loop. The DFWCS application must be modified to provide Steam Flow pressure compensation.
: 4. Main Annunciator System Interface
* The Main Annunciator provides non-vital 125 VDC for interrogation of alarm output contacts.
* Existing PPS outputs to the MAS will be modified to dry contacts. The existing ac/dc converters on the PPS outputs to the MAS will be deleted.
* Additional outputs to the MAS will be provided as described in the FRS and IRS
: 5. Operator Interface
* The existing operator interface using control panel mounted switches and indicators will be maintained.
: 6. Maintenance Interface
Each safety division is provided with a dedicated non-safety-related Maintenance Workstation (MWS) for this purpose. Details regarding safety-related/non-safety-related communications are provided in Section 2.3.4.
: 7. Solid State Protection System Interface
As determined by the detailed design change process, certain 120 Vac SSPS input relays (including, but not limited to Turbine Impulse Pressure Interlock P13 and input relays fed from the ALS) may be replaced with 24 VDC devices.
: 8. Nuclear Instrumentation System Interface
Existing interfaces with the Nuclear Instrumentation System are unaffected by this change.
: 9. Auxiliary Safeguards Cabinets (RNASA/RNASB) Interface
Existing interfaces with the Auxiliary Safeguards Cabinets are unaffected by this change except that it may be necessary to replace 120 VAC energize to trip relays with 24 VDC devices for Triconex outputs because Triconex does not provide a 120 VAC supervised digital output (SDO) module.
: 10. Auxiliary Relay Cabinets (RNARA/RNARB) Interface
Existing interfaces with the Auxiliary Relay Cabinets are unaffected by this change.
 
Figure 2-9 PPS Replacement Architecture Concept (diagram not reproduced)
Note 1: SSPS is existing equipment.
Note 2: Qualified isolation device [illegible] as shown on Instrument Schematic.
Note 3: Several [illegible] PAM functions obtain their signals directly from the Class I input loop. No isolation [illegible]. Details are provided in the IRS.
Note 4: The hardwired TAB Enable switch prevents the ALS Service Unit (ASU) function (performed in the PPS replacement MWS) from communicating with the ALS except when the switch is activated.
 
2.3.4. PPS Data Communications
USNRC DI&C ISG 4 [3.1.16] defines interdivisional communications as communications among different safety divisions or between a safety division and a non-safety entity such as the MWS. Bidirectional communications among safety divisions and between safety and non-safety equipment is acceptable provided certain restrictions are enforced to ensure that there will be no adverse impact on safety systems.
Figure 2-13 illustrates a communications architecture that meets the intent of USNRC DI&C ISG 4 Staff Position 1, Interdivisional Communications. When used with the typical function block logic in Figure 2-16, the proposed architecture ensures that communications between a safety division and non-safety equipment that resides within the division adhere to the guidance described in the ISG 4 Staff Position. No data is communicated between redundant safety divisions. The non-safety-related Maintenance Workstation (MWS) within a redundant safety division communicates only with the safety-related controllers within that division.
The Tricon is isolated from the Gateway computer by the qualified safety-related Triconex Communications Module (TCM). Fiber optic cable electrically isolates the Tricons from external non-safety-related devices. An additional data isolation device such as a NetOptics network port aggregator tap permits two-way communications between the Maintenance Workstation belonging to a specific protection set and the Tricon in that protection set, and ensures only one-way communication to the Gateway computer. Additional details are provided in the Triconex Topical Report [3.1.33].
The NetOptics port aggregator device shown in Figure 2-13 isolates the Gateway computer from the Tricon controllers. The NRC approved the device previously for a similar application in the Oconee RPS [3.1.34]. The device acts as a "data diode" or one-way tap that copies all traffic between its bidirectional ports to the read-only output port and prevents the flow of information from the output port back to either input port. The Gateway computer is a server that reads the information so copied, reformats it, and makes it available to the PPC.
The TxB1 ALS communication channel to the Gateway computer is serial, one-way and isolated by the CLB. It broadcasts data to the non-safety-related Gateway computer, which is common to all four protection sets, and does not receive any data, handshaking, or instructions from the Gateway computer. The TxB2 communication channel that transmits data to the non-safety-related Maintenance Workstation is also serial, one-way with no handshaking, and isolated at the CLB. A third serial communications channel enables Test ALS Bus (TAB) functions between Auxiliary Service Unit (ASU) maintenance software in the Maintenance Workstation and the ALS controller. This communication path is normally one-way, with two-way communications permitted only when a hardwired switch is activated to complete the communications circuit between the Maintenance Workstation and the ALS-A or ALS-B chassis. Additional details are provided in the ALS Topical Report [3.1.30].
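The communication paths of Section 2.3.4 written as an allow-list and checked against observed transfers, as an added example (not part of the design document or of any vendor software). The channel labels, the record format and the sample flows are constructed, and the ALS-to-MWS direction of the normal one-way TAB path is an assumption.

```python
from collections import namedtuple

# One observed transfer. Protection set is "I".."IV"; the Gateway computer is
# common to all four sets, so its set is None. Channel labels are constructed.
Flow = namedtuple("Flow", "src_set src dst_set dst channel")

ALWAYS_ALLOWED = {
    ("TRICON", "MWS", "TCM"),            # two-way Tricon <-> MWS through the tap
    ("MWS", "TRICON", "TCM"),
    ("TRICON", "GATEWAY", "TAP_PORT1"),  # tap copies traffic to its read-only port
    ("ALS", "GATEWAY", "TXB1"),          # serial broadcast, no handshaking
    ("ALS", "MWS", "TXB2"),              # serial broadcast, no handshaking
    ("ALS", "MWS", "TAB"),               # assumed direction of the one-way TAB path
}
SWITCH_GATED = {("MWS", "ALS", "TAB")}   # needs the hardwired TAB Enable switch


def violation(flow, tab_enabled_sets=frozenset()):
    """Return None for a permitted flow, else a short reason string."""
    if flow.src == "GATEWAY":
        return "Gateway computer is receive-only"
    if flow.dst != "GATEWAY" and flow.src_set != flow.dst_set:
        return "data crossing between protection sets"
    key = (flow.src, flow.dst, flow.channel)
    if key in ALWAYS_ALLOWED:
        return None
    if key in SWITCH_GATED:
        if flow.src_set in tab_enabled_sets:
            return None
        return "TAB Enable switch not activated"
    return "path not part of the described architecture"


def audit(flows, tab_enabled_sets=frozenset()):
    """Return (flow, reason) for every flow that breaks the policy."""
    findings = []
    for flow in flows:
        reason = violation(flow, tab_enabled_sets)
        if reason:
            findings.append((flow, reason))
    return findings


# Constructed observations for the demonstration.
SAMPLE = [
    Flow("I", "TRICON", "I", "MWS", "TCM"),
    Flow("I", "MWS", "I", "TRICON", "TCM"),
    Flow("II", "ALS", None, "GATEWAY", "TXB1"),
    Flow("III", "TRICON", None, "GATEWAY", "TAP_PORT1"),
    Flow(None, "GATEWAY", "III", "TRICON", "TAP_PORT1"),   # back through the tap
    Flow("I", "MWS", "II", "TRICON", "TCM"),               # MWS reaching another set
    Flow("II", "MWS", "II", "ALS", "TAB"),                 # TAB write, switch state decides
    Flow("IV", "MWS", "IV", "ALS", "TXB2"),                # reverse use of a broadcast line
]
```

Running `audit(SAMPLE)` flags the last four flows; passing `{"II"}` as `tab_enabled_sets` clears the TAB finding for Protection Set II only.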
2.3.5. Bypass and Test Features
The Process Protection System will permit any channel to be maintained in a bypassed condition, and when required, tested during power operation without initiating a protective action at the system level. This is accomplished without lifting electrical leads or installing temporary jumpers. The PPS will permit periodic testing during reactor power operation without initiating a protective action from the channel under test.
 
External trip switches are provided on PPS trip and actuation outputs per the detailed design. The switches may be used for SSPS input relay testing or to trip or actuate the channel manually if needed. Activation of the external trip switches is indicated in the control room through the SSPS partial trip indicators.
: 1. Tricon Features
On-line testing is controlled by safety processor logic enabled via an external safety-related hardwired Out of Service (OOS) switch. When the switch is activated, the safety-related function processor allows the associated instrument channel to be taken out of service while maintaining the remainder of the safety division operable. Features to limit inadvertent modification include, but are not limited to:
* Approved procedures are required to perform testing operations.
* Operation of the hardware switch alone will not place the channel out of service. At least two specific actions are also required at the Maintenance Workstation to perform the maintenance functions. In order to perform any test operation from the maintenance workstation, the user must:
            - Activate the OOS switch for the specific loop to be tested
            - Log in as a maintenance user on the maintenance workstation
            - Open the maintenance screen for the specific loop being tested
            - On the maintenance screen, request the action to be taken
            - On the maintenance screen, confirm the requested action (Loop is placed OOS only after the requested action is confirmed)
* Feedback is provided to the user on the maintenance workstation that the hardware OOS switch for the loop to be tested has been activated.
* Continuous indication is provided in the control room that a loop is OOS.
* If the safety-related hardware out of service switch is not activated, non-safety-related actions or failures cannot adversely affect the safety-related function.
* An instrument loop is not permitted to be bypassed if the external trip switch is in the trip position. The user may test in trip in this condition following request and confirmation as described above.
The block diagrams in Figure 2-15 through Figure 2-20 illustrate implementation of the Triconex test and bypass features described above.
The above methodology may be used to update parameters such as tuning constants that require periodic adjustment. Refer to Figure 2-21 for an example of the proposed parameter update logic.
* The parameter values to be updated are limited by the software application to pre-determined ranges.
* The Maintenance Workstation software application will request operator confirmation that the parameter update process is complete prior to saving the new tuning constant.
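The out-of-service sequence and the range-limited parameter update described above, modelled as a small state machine for one instrument loop. This is an added example, not the Triconex application logic; the class, the state names, the parameter name used in testing and the behaviour on returning the switch to normal are assumptions.

```python
class LoopMaintenanceGate:
    """One instrument loop's out-of-service (OOS) sequence as a state machine."""

    def __init__(self, limits):
        self.limits = limits              # {parameter: (low, high)} allowed ranges
        self.params = {}                  # parameter values accepted so far
        self.oos_switch = False           # hardwired safety-related OOS switch
        self.trip_switch_tripped = False  # external trip switch position
        self.state = "IN_SERVICE"
        self._stage, self._pending = 0, None

    def set_oos_switch(self, active):
        self.oos_switch = active
        if not active:
            # Assumption: returning the switch to normal restores the loop
            # and discards any half-finished workstation sequence.
            self.state, self._stage, self._pending = "IN_SERVICE", 0, None

    def _allowed(self, request):
        kind = request[0]
        if kind == "bypass":
            return not self.trip_switch_tripped   # no bypass with trip switch in trip
        if kind == "test_in_trip":
            return True
        if kind == "set_param":
            _, name, value = request
            if name not in self.limits:
                return False
            low, high = self.limits[name]
            return low <= value <= high           # pre-determined range only
        return False

    def mws(self, action, request=None):
        """Handle one Maintenance Workstation action; return True if accepted."""
        if not self.oos_switch:
            return False                  # workstation cannot touch the loop
        if action == "login" and self._stage == 0:
            self._stage = 1
        elif action == "open_screen" and self._stage == 1:
            self._stage = 2
        elif (action == "request" and self._stage == 2
              and request and self._allowed(request)):
            self._stage, self._pending = 3, request
        elif action == "confirm" and self._stage == 3:
            pending, self._pending, self._stage = self._pending, None, 2
            if not self._allowed(pending):
                return False              # conditions changed since the request
            if pending[0] == "set_param":
                self.params[pending[1]] = pending[2]
            else:
                self.state = "BYPASSED" if pending[0] == "bypass" else "TEST_IN_TRIP"
        else:
            return False                  # out of order or not permitted
        return True
```

Nothing changes on the loop until `confirm` is accepted, and every workstation action is refused while the hardwired switch is in its normal position.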
Tricon trip setpoints may be changed following this procedure but with a different login priority.
Figure 2-10 illustrates a DO loopback feature implemented in the Triconex portion of the PPS replacement, which enables the PPS to determine if the external trip switch is open, or if the DO channel is producing an erroneous output.
 
* A PPS trouble alarm is generated if the comparator output is true (commanding an energized output) and the de-energize to trip DO loopback is sensed as de-energized unless the instrument loop is OOS.
* A PPS failure alarm is generated if the de-energize to trip DO loopback is sensed as energized and the comparator output is false (commanding a de-energized output), whether or not the instrument loop is OOS.
Figure 2-10 Triconex Trip Loopback Concept (Typical for Deenergize to Trip Outputs)
Figure labels: Alarm Signals to MAS: 1. Trip Switch Open (Output deenergized with energize command); 2. Bistable Fault (Output energized with deenergize command). PPS Set Trip Output Loopback (Tricon Only); SSPS Input Relay (1 - RESET, 0 - TRIP); Manual TRIP Switch.
: 2. ALS Features
ALS bypass and test functions are accomplished through ALS Service Unit (ASU) software implemented in the MWS. The Test ALS Bus (TAB) Enable switch shown in Figure 2-13 must be activated to allow two-way communications on the TAB between the ALS chassis and the MWS.
External bypass switches are provided for the ALS-A and ALS-B partial trip outputs to enable one ALS diversity group to be bypassed for maintenance or testing without initiating a false trip or actuation, yet allowing the other ALS diversity group to initiate the trip or actuation if it is required while the other diversity group is bypassed.
The partial trip outputs from the ALS-A and ALS-B chassis are logically OR'd to drive the SSPS input relays. An external Line Sense Module (LSM) is used by the ALS logic to perform continuous error checks that detect the following conditions:
* Failure to Trip on Demand
* Trip without Demand
* Failure to Bypass
* Illegal Bypass
Configuration of the LSM for use in an Energize to Trip (ETT) or Deenergize to Trip (DTT) circuit is done through field wiring terminations on the LSM and does not require any modification of any electrical properties of the LSM itself. Thus, a single LSM can be used in an ETT or DTT circuit without the need to electrically configure the module for the trip circuit type before use. This allows a single part number to be used to provide spares for both ETT and DTT circuit configurations.
Figure 2-11 illustrates a DTT Configuration concept using LSM, and Figure 2-12 provides an overview of how the LSM is used in an ETT circuit configuration.
The manual bypass switches allow one ALS diversity Group (ALS-A or ALS-B) to be bypassed and removed from service without tripping the channel. The manual trip switch is used to trip the channel in the unlikely event that both ALS diversity groups are inoperable.
Figure 2-11 ALS-A and ALS-B Deenergize to Trip OR Configuration Concept (De-energize-To-Trip Configuration; diagram not reproduced)

Figure 2-12 ALS-A and ALS-B Energize to Trip OR Configuration Concept (diagram not reproduced; label: SSPS RELAYS)
NOTES:
: 1. Normally Open, Open to Alarm
: 2. Normally Open, Close to Actuate
Note: Manual Trip switch as required by detailed design
2.3.6. System Classification
The Plant Protection System is classified as safety-related Instrument Class IA, PG&E Design Class I, Diablo Canyon Quality Class Q per DCM S-38A [3.2.2] and DCM T-24 [3.2.4].
The PPS provides outputs to non-safety-related control systems and indication instruments through qualified isolators to be provided by PG&E. Class IA instruments are analogous to electrical devices designated as Electrical Class 1E per IEEE-308-1971.
2.3.7. Software Integrity Level (SIL)
The replacement PPS application software is assigned Software Integrity Level (SIL) 4 [IEEE 1012-1998 Reference 3.1.4] because it is directly associated with nuclear-safety-related Reactor Trip and Engineered Safety Features functions.
2.3.8. Application Software Development and Configuration Management
PPS application software will be developed by the subsystem suppliers, Invensys/Triconex and Westinghouse/CSI under their approved QA programs. Software configuration management during development will be performed according to their approved procedures. Details are provided in the respective Topical Reports [3.1.30] and [3.1.31].
2.3.9. Seismic and Environmental Qualification
The Triconex Tricon Programmable Logic Controller (PLC) will be qualified per the Topical Report [3.1.31] issued in September 2009 that was updated for the Version 10 Tricon as well as addressing current regulatory issues. The Topical Report is currently under NRC review.
The Westinghouse/CSI Advanced Logic System (ALS) will be qualified per the Topical Report [3.1.30], which describes generic qualification of the ALS for safety-related applications in nuclear power plants. The ALS Topical Report is currently under NRC review.
PG&E will design the installation to ensure that the response spectra to which the equipment is subjected do not exceed seismic qualification levels.
2.3.10. Electromagnetic Compatibility
The Tricon and Westinghouse/CSI portions of the replacement PPS will be qualified for the electromagnetic environment (Emissions and susceptibility, including grounding methods) as described in the respective Topical Reports.
2.3.11. Secure Development Environment
PPS application software will be developed by the subsystem suppliers, Invensys/Triconex and Westinghouse/CSI under their approved QA programs. Maintenance of a secure development environment is described in the respective Topical Reports.
Safety division software is protected from alteration while the safety division is in operation as discussed in the Triconex and ALS Topical Reports.
 
Figure 2-13 Eagle 21 Replacement PPS Class II Communications Architecture (diagram not reproduced)
Figure labels: To Control Room HMI (CC4); To PDN/PPC; RS-422 Cu from ALS (Prot Sets I through IV, ALS "A" and ALS "B"); From Prot Set IV Port Aggregator Tap 100BaseT; Prot Set Class II RS-422 Cu to Gateway Computer (Typ for ALS "A" and ALS "B"); Triplicated RS-485 Class I I/O Bus (Copper); Remote RXM Triplicated Optical Fiber.
Legend: Class I Multi-Mode Optical Fiber; RS-422/RS-485 Serial or 100BaseT Copper; 4-20 mA Analog Copper.
 
2.4 DIVERSITY AND DEFENSE-IN-DEPTH (D3)
2.4.1. Diversity & Defense-in-Depth Strategy
The PPS Replacement Diversity and Defense in Depth Topical Report (TR) [3.2.1] reevaluated DCPP FSAR Chapter 15 events where the Eagle 21 SER took credit for the Eagle 21 PPS for both primary and backup protection. The D3 Topical Report identified sufficient available automatic means to prevent software CCF from adversely affecting the mitigation of all concurrent FSAR Chapter 15 accidents or events, with three exceptions. These events required manual action by the operator to mitigate the event [3.1.18]. The exceptions are:
: 1. Loss of forced reactor coolant flow in a single loop above P-8 as indicated by two out of three (2oo3) reactor coolant flow channels indicating low;
: 2. RCS depressurization, including Steam Generator Tube Rupture (SGTR), Steam Line Break (SLB) and Loss of Coolant Accident (LOCA) indicated by low Pressurizer pressure; and
: 3. Large Break LOCA and SLB indicated by high containment pressure.
The USNRC position regarding D3 is documented in BTP HICB-19 [3.1.12]. Digital I&C (DI&C) Interim Staff Guidance (ISG) document DI&C-ISG-02 [3.1.15] discusses acceptable methods for implementing diversity and defense-in-depth in digital I&C system designs involving the reactor protection system. Staff Position 1 in ISG-02 states that the use of automation for protective actions is considered to provide a high-level of licensing certainty, compared to reliance on manual operator actions.
For each event that the Eagle 21 SER credited manual operator actions for accident mitigation in the presence of a concurrent CCF, Table 2-1 identifies the PPS functions that will be performed automatically by the ALS subsystem. The built-in diversity of the ALS subsystem ensures that the replacement PPS will perform these functions automatically in the presence of a postulated CCF without an adverse impact on the operator's ability to diagnose the event or perform previously credited manual actuation activities.
Each protection set in the proposed PPS provides two complete and diverse execution paths "A" and "B" comprised of the Core Logic Boards (CLB), input boards and output boards shown in Figure 2-14. The paths are developed by independent design teams and verified and validated by independent V&V teams.
The "A" and "B" execution path outputs are combined in hardwired logic as shown in Figure 2-14 to ensure that the protective action is taken if directed by either path. A single failed path cannot prevent a protective action. Either CLB will identify itself as failed and set its outputs to a fail-safe state before halting operation if it detects a mismatch between the outputs of its diverse logic cores. Refer to the ALS Topical Report [3.1.30] for additional information.
NRC approved the above approach in the SER for the Diablo Canyon D3 Topical report, [3.1.36]. The SER identifies some additional areas that PG&E should address in its related license amendment request to support the digital upgrade of the DCPP PPS.
 
Figure 2-14 ALS Built In Diversity Architecture (diagram not reproduced)
Figure labels: De-energize to Trip Configuration; ALS Chassis "A"; Energize to Trip Configuration; Bypass Switch.
Note: Manual Trip switch as required by detailed design
The figures above illustrate how the partial trip outputs from the ALS-A and ALS-B chassis are logically OR'd to drive the SSPS input relays. Section 2.3.5 provides information regarding the external Line Sense Module (LSM) used in the ALS subsystem to simplify field wiring, perform continuous error checks, and to facilitate maintenance and testing functions.
 
Table 2-1 Primary Protection System Functions Performed by ALS Sub-System
Columns: DCPP FSARU Section; Event; Low PZR Pressure SI; High PZR Pressure RT; SI/RT (Note 1); High Cont. Pressure SI; Cont. Isolation A; Cont. Isolation B; Cont. Spray; RCS Low Flow RT
15.2.5      Loss of Forced RCS Flow                                                                                        X
15.2.13      RCS Depressurization                              X
15.3.1      SBLOCA/
15.4.1      LBLOCA                X                                                              X
15.4.2.1    Steam Line Break                  X                                            X        X        X
15.4.2.2    Main Feed Pipe Rupture                                  _                    ___
15.4.3      SG Tube Rupture                X                      X
Note 1: Automatic Reactor Trip occurs on safety injection due to low pressurizer pressure or high containment pressure

2.4.2. Elimination of Potential Protection/Control Interaction
The proposed replacement PPS utilizes separate qualified isolation devices that are independent from the PPS for post-accident monitoring and inputs to the non-safety-related control systems to prevent a common cause failure in the software-based replacement PPS from causing a control system excursion that requires mitigation from the failed protection system. Refer to Figure 2-3 and Figure 2-9. These measures improve defense-in-depth and minimize the likelihood that a failure in one system could affect other systems.
The four loop Tavg signals are exceptions to the prohibition against digital processing of signals in the replacement PPS prior to their being used in a control system. The Thot and Tcold RTD signals are processed by the ALS because Triconex does not supply a qualified RTD input board. The ALS provides self-diagnostic functions as well as more stable and accurate signal processing than is available with stand-alone signal converter modules.
Isolated analog Thot and Tcold signals are transmitted from the ALS to the Tricon by 4-20 mAdc analog signals. The Tricon uses these signals internally for the DTTA trip functions and also distributes them through qualified isolation devices to the reactor control system.
In accordance with 10 CFR 50.62 [3.1.19], inputs to the AMSAC are independent of any digital signal processing prior to their being used by the AMSAC. When the AMSAC is replaced, the replacement system will be diverse from the proposed replacement PPS in accordance with the requirements of 10 CFR 50.62 [3.1.19].
 
Figure 2-15 Out of Service Switches
Note: The switches shown are for the prototype Process Control System. The switches in the production systems will be provided with protective covers to prevent inadvertent operation.
 
Figure 2-16 Typical PPS Replacement Loop Pseudo Function Block Diagram - Loop in Service (Not applicable to ALS subsystem)
Legend: OOS - Out Of Service; OOR - Out Of Range
Note 1: Input 1 tracks Output when Input 0 is selected (bumpless transfer to test mode).
 
Figure 2-17 Loop Out of Service - No Request from MWS (Not applicable to ALS subsystem)
Legend: OOS - Out Of Service; OOR - Out Of Range
Note 1: Input 1 tracks Output when Input 0 is selected (bumpless transfer to test mode).
 
Figure 2-18 Analog Output in Test from MWS (Not applicable to ALS subsystem)
Legend: OOS - Out Of Service; OOR - Out Of Range
Note 1: Input 1 tracks Output when Input 0 is selected (bumpless transfer to test mode).
 
Figure 2-19 Discrete Output Test in Trip from MWS (Not applicable to ALS subsystem)
Legend: OOS - Out Of Service
Note 1: Input 1 tracks Output when Input 0 is selected (bumpless transfer to test mode).
 
Figure 2-20 Discrete Output Test in Bypass from MWS (Not applicable to ALS subsystem)
Legend: OOS - Out Of Service; OOR - Out Of Range
Note 1: Input 1 tracks Output when Input 0 is selected (bumpless transfer to test mode).
 
Figure 2-21 Parameter Update from MWS (Not applicable to ALS subsystem)
Legend: OOS - Out Of Service; OOR - Out Of Range
Note 1: Input 1 tracks Output when Input 0 is selected (bumpless transfer to test mode).
 
3 References
3.1  INDUSTRY STANDARDS AND REGULATORY GUIDANCE
3.1.1. 10 CFR 50 Appendix B    Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants
3.1.2. IEEE STD 279-1971    Criteria for Protection Systems for Nuclear Power Generating Stations
3.1.3. IEEE STD 603-1991    IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations
3.1.4. IEEE STD 1012-1998    Standard for Software Verification and Validation
3.1.5. IEEE STD 1050-1996    Guide for Instrumentation and Control Equipment Grounding in Generating Stations
3.1.6. IEEE STD 7-4.3.2-2003    Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations
3.1.7. NUREG 0800    Appendix 7.1-C, "Guidance for Evaluation of Conformance to IEEE Std. 603"
3.1.8. NUREG 0800, HICB-11    Isolation Devices
3.1.9. NUREG 0800, HICB-14    Software Reviews
3.1.10. NUREG 0800, HICB-17    Self-Test and Surveillance Test Provisions
3.1.11. NUREG 0800, HICB-18    Programmable Logic Controllers
3.1.12. NUREG 0800, HICB-19    "Guidance for Evaluation of Defense-in-Depth and Diversity in Digital Computer-Based Instrumentation and Control Systems"
3.1.13. NUREG 0800, HICB-21    Real-Time Performance
3.1.14. NUREG/CR-6303    Method for Performing Diversity and Defense-in-Depth Analyses of Reactor Protection Systems
3.1.15. NRC DI&C ISG-02    United States Nuclear Regulatory Commission (USNRC) Digital Instrumentation and Controls Task Working Group #2, "Diversity and Defense-in-Depth Issues Interim Staff Guidance," (2008).
3.1.16. NRC DI&C ISG-04    United States Nuclear Regulatory Commission (USNRC) Digital Instrumentation and Controls Task Working Group #4, "Highly Integrated Control Rooms Digital Communications Systems (HICRc)," Rev 1, March 2009
3.1.17. WCAP 7306    Westinghouse Electric Corporation, "Reactor Protection System Diversity in Westinghouse Pressurized Reactors," (1969) Non-Proprietary Class 3
3.1.18. USNRC    Safety Evaluation Report Eagle 21 Reactor Protection System Modification With Bypass Manifold Elimination, PG&E, Diablo Canyon Power Plant, (October 7, 1993)
 
3.1.19. 10 CFR 50.62    Requirements for Reduction of Risk from Anticipated Transients without Scram (ATWS) Events for Light-Water-Cooled Nuclear Power Plants
3.1.20. USNRC    Safety Evaluation Report for Wolf Creek Nuclear Operating Company (WCNOC) Main Steam and Feedwater Isolation System (MSFIS), Accession Number ML090610317
3.1.21. USNRC, Regulatory Guide 1.97, Rev. 3    Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident
3.1.22. EPRI, TR-107330    Generic Requirements Specification for Qualifying a Commercially Available PLC for Safety-Related Applications in Nuclear Power Plants, February 1998
3.1.23. EPRI, TR-1000799    Generic Qualification of the Triconex Corporation Tricon Triple Modular Redundant Programmable Logic Control System for Safety-Related Applications in Nuclear Power Plants, November 2000
3.1.24. EPRI, TR-1003114    Safety Evaluation Report, issued by Nuclear Regulatory Commission to Triconex on the Triconex Platform, December 12, 2001
3.1.25. USNRC, RG 1.152    Criteria for Digital Computers in Safety Systems of Nuclear Power Plants
3.1.26. USNRC, RG 1.180, Rev 1    Guidelines for Evaluating Electromagnetic and Radio-Frequency Interference in Safety-Related Instrumentation and Control Systems
3.1.27. USNRC, RG 1.168    Verification, Validation, Reviews and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants
3.1.28. USNRC, RG 1.169    Configuration Management Plans for Digital Computer Software Used in Safety Systems of Nuclear Power Plants
3.1.29. USNRC, RG 1.171    Software Unit Testing for Digital Computer Software Used in Safety Systems of Nuclear Power Plants
3.1.30. CS Innovations    6002-00301, CS Innovations ALS Topical Report and Supporting Documents Submittal, July 29, 2010 (ADAMS Accession No. ML102160471)
3.1.31. Triconex Corporation    Topical Reports 7286-545, "Qualification Summary Report" and 7286-546, "Amendment 1 to Qualification Summary Report," Revision 1 published as EPRI TR-1000799, "Generic Qualification of the Triconex Corporation TRICON Triple Modular Redundant Programmable Logic Controller System for Safety-Related Applications in Nuclear Power Plants," November 2000
 
3.1.32. USNRC    Letter from Stuart A. Richards (NRC) to Troy Martel (Triconex Corporation), "Review of Triconex Corporation Topical Reports 7286-545, "Qualification Summary Report" and 7286-546, "Amendment 1 to Qualification Summary Report," Revision 1" December 11, 2001 published as EPRI TR-1003114 ADAMS Accession Number ML013470433
3.1.33. Invensys/Triconex    "Nuclear Safety-Related Qualification of the Tricon TMR Programmable Logic Controller (PLC) - Update to Qualification Summary Report Submittal" and "Application for withholding Proprietary Information from Public Disclosure," September, 2009
3.1.34. USNRC    Oconee, Units 1, 2 & 3, Issuance of Amendment Nos. 366, 368, and 367, Reactor Protective System and Engineered Safeguard Protection System Digital Upgrade.
3.1.35. 10 CFR 100    Reactor Site Criteria
3.1.36. USNRC    Diablo Canyon Power Plant, Unit Nos. 1 and 2 - Safety Evaluation for Topical Report, "Process Protection System Replacement Diversity & Defense-In-Depth Assessment" (TAC Nos. ME4094 And ME4095), dated April 19, 2011 (ADAMS Accession No. ML110480845)

3.2  PG&E DOCUMENTS
3.2.1. PG&E Topical Report    Process Protection System Replacement Diversity & Defense-in-Depth Assessment, Rev 1, August, 2010
3.2.2. PG&E DCM S-38A    Plant Protection System
3.2.3. PG&E DCM T-19    Design Criteria for Electrical Separation and Isolation
3.2.4. PG&E DCM T-24    Design Criteria for DCPP Instrumentation and Controls

3.3  PRIMARY (DESIGN BASIS) DRAWING REFERENCES
Protection Set I
Instr. No.   Description                        Existing Unit 1     Existing Unit 2
                                                Instr. Schematic    Instr. Schematic
FT-414       Reactor Coolant Flow Loop 1        102032-17A          108032-17A
FT-424       Reactor Coolant Flow Loop 2        102032-17D          108032-17D
FT-434       Reactor Coolant Flow Loop 3        102032-17G          108032-17G
FT-444       Reactor Coolant Flow Loop 4        102032-17J          108032-17J
FT-510       Loop 1 Feedflow                    102036-3D           108036-3D
FT-512       Loop 1 Steamflow                   102036-3S           108036-3S
 
FT-520       Loop 2 Feedflow                    102036-3E           108036-3E
FT-522       Loop 2 Steamflow                   102036-3T           108036-3T
FT-530       Loop 3 Feedflow                    102036-3F           108036-3F
FT-532       Loop 3 Steamflow                   102036-3U           108036-3U
FT-540       Loop 4 Feedflow                    102036-3G           108036-3G
FT-542       Loop 4 Steamflow                   102036-3V           108036-3V
LT-459       PZR Level                          102036-7C           108036-7C
LT-529       S/G 2 Level                        102036-4P           108036-4P
LT-539       S/G 3 Level                        102036-4Q           108036-4Q
NE-41A       DTTA Loop 1 Upper (Neutron) Flux   102036-29G          108036-29G
NE-41B       DTTA Loop 1 Lower (Neutron) Flux   102036-29G          108036-29G
PT-455       Loop 1 PZR Pressure                102036-7            108036-7
PT-505       Turbine Impulse Pressure           102036-4U           108036-4U
PT-514       Loop 1 Steamline Pressure          102036-3S           108036-3S
PT-524       Loop 2 Steamline Pressure          102036-3T           108036-3T
PT-534       Loop 3 Steamline Pressure          102036-3U           108036-3U
PT-544       Loop 4 Steamline Pressure          102036-3V           108036-3V
PT-937       Containment Pressure               102034-12B          108034-12B
TE-410A      DTTA Loop 1 Thot-1A                102036-7L           108036-7L
TE-410B      DTTA Loop 1 Tcold-1                102036-7L           108036-7L
TE-410C      DTTA Loop 1 Thot-1B                102036-7L           108036-7L
TE-411A      DTTA Loop 1 Thot-2A                102036-7L           108036-7L
TE-411B      DTTA Loop 1 Tcold-2                102036-7L           108036-7L
TE-411C      DTTA Loop 1 Thot-2B                102036-7L           108036-7L
TE-412A      DTTA Loop 1 Thot-3A                102036-7L           108036-7L
TE-412C      DTTA Loop 1 Thot-3B                102036-7L           108036-7L
TE-413A      WR Temperature Loop 1 Hot Leg      102035-6D           108035-6D
TE-413B      WR Temperature Loop 1 Cold Leg     102035-6D (1)       108035-6D
TE-423A      WR Temperature Loop 2 Hot Leg      102035-6E           108035-6E
TE-423B      WR Temperature Loop 2 Cold Leg     102035-6E           108035-6E
Notes:
(1) per T-MOD 50229619

Protection Set II
Instr. No.   Description                        Existing Unit 1     Existing Unit 2
                                                Instr. Schematic    Instr. Schematic
FT-415       Reactor Coolant Flow Loop 1        102032-17B          108032-17B
FT-425       Reactor Coolant Flow Loop 2        102032-17E          108032-17E
FT-435       Reactor Coolant Flow Loop 3        102032-17H          108032-17H
FT-445       Reactor Coolant Flow Loop 4        102032-17K          108032-17K
FT-511       Loop 1 Feedflow                    102036-3H           108036-31H
FT-513       Loop 1 Steamflow                   102036-3W           108036-3W
 
FT-521       Loop 2 Feedflow                    102036-31           108036-31
FT-523       Loop 2 Steamflow                   102036-3X           108036-3X
FT-531       Loop 3 Feedflow                    102036-3J           108036-3J
FT-533       Loop 3 Steamflow                   102036-3Y           108036-3Y
FT-541       Loop 4 Feedflow                    102036-3K           108036-3K
FT-543       Loop 4 Steamflow                   102036-3Z           108036-3Z
LT-460       PZR Level                          102036-7G           108036-7G
LT-519       S/G 1 Level                        102036-40           108036-40
LT-549       S/G 4 Level                        102036-4R           108036-4R
NE-42A       DTTA Loop 2 Upper (Neutron) Flux   102036-291          108036-291
NE-42B       DTTA Loop 2 Lower (Neutron) Flux   102036-291          108036-291
PT-456       Loop 2 PZR Pressure                102036-7H           108036-7H
PT-506       Turbine Impulse Pressure           102036-4V           108036-4V
PT-515       Loop 1 Steamline Pressure          102036-3W           108036-3W
PT-525       Loop 2 Steamline Pressure          102036-3X           108036-3X
PT-535       Loop 3 Steamline Pressure          102036-3Y           108036-3Y
PT-545       Loop 4 Steamline Pressure          102036-3Z           108036-3Z
PT-936       Containment Pressure               102034-12C          108034-12C
TE-420A      DTTA Loop 2 Thot-1A                102036-7P           108036-7P
TE-420B      DTTA Loop 2 Tcold-1                102036-7P           108036-7P
TE-420C      DTTA Loop 2 Thot-1B                102036-7P           108036-7P
TE-421A      DTTA Loop 2 Thot-2A                102036-7P           108036-7P
TE-421B      DTTA Loop 2 Tcold-2                102036-7P           108036-7P
TE-421C      DTTA Loop 2 Thot-2B                102036-7P           108036-7P
TE-422A      DTTA Loop 2 Thot-3A                102036-7P           108036-7P
TE-422C      DTTA Loop 2 Thot-3B                102036-7P           108036-7P
TE-433A      WR Temperature Loop 3 Hot Leg      102035-6F           108035-6F
TE-433B      WR Temperature Loop 3 Cold Leg     102035-6F           108035-6F
TE-443A      WR Temperature Loop 4 Hot Leg      102035-6G           108035-6G
TE-443B      WR Temperature Loop 4 Cold Leg     102035-6G           108035-6G

Protection Set III
Instr. No.   Description                        Existing Unit 1     Existing Unit 2
                                                Instr. Schematic    Instr. Schematic
FT-416       Reactor Coolant Flow Loop 1        102032-17C          108032-17C
FT-426       Reactor Coolant Flow Loop 2        102032-17F          108032-17F
FT-436       Reactor Coolant Flow Loop 3        102032-171          108032-171
FT-446       Reactor Coolant Flow Loop 4        102032-17L          108032-17L
LT-461       PZR Level                          102036-7J           108036-7J
LT-518       S/G 1 Level                        102036-4            108036-4
LT-528       S/G 2 Level                        102036-4A           108036-4A
LT-538       S/G 3 Level                        102036-4B           108036-4B
LT-548       S/G 4 Level                        102036-4C           108036-4C
NE-43A       DTTA Loop 3 Upper (Neutron) Flux   102036-29K          108036-29K
NE-43B       DTTA Loop 3 Lower (Neutron) Flux   102036-29K          108036-29K
 
PT-403       Wide Range Pressure Loop 4         102034-7A           108034-7A
PT-403A      Wide Range Pressure Loop 4         102034-7C           108034-7C
PT-457       Loop 3 PZR Pressure                102036-71           108036-71
PT-526       Loop 2 Steamline Pressure          102036-5F           108036-5F
PT-536       Loop 3 Steamline Pressure          102036-5G           108036-5G
PT-935       Containment Pressure               102034-12D          108034-12D
TE-430A      DTTA Loop 3 Thot-1A                102036-7T           108036-7T
TE-430B      DTTA Loop 3 Tcold-1                102036-7T           108036-7T
TE-430C      DTTA Loop 3 Thot-1B                102036-7T           108036-7T
TE-431A      DTTA Loop 3 Thot-2A                102036-7T           108036-7T
TE-431B      DTTA Loop 3 Tcold-2                102036-7T           108036-7T
TE-431C      DTTA Loop 3 Thot-2B                102036-7T           108036-7T
TE-432A      DTTA Loop 3 Thot-3A                102036-7T           108036-7T
TE-432C      DTTA Loop 3 Thot-3B                102036-7T           108036-7T

Protection Set IV
Instr. No.   Description                        Existing Unit 1     Existing Unit 2
                                                Instr. Schematic    Instr. Schematic
LT-517       S/G 1 Level                        102036-41           108036-41
LT-527       S/G 2 Level                        102036-4J           108036-4J
LT-537       S/G 3 Level                        102036-4K           108036-4K
LT-547       S/G 4 Level                        102036-4L           108036-4L
NE-44A       DTTA Loop 4 Upper (Neutron) Flux   102036-29M          108036-29M
NE-44B       DTTA Loop 4 Lower (Neutron) Flux   102036-29M          108036-29M
PT-405       Wide Range Pressure Loop 3         102034-7B           108034-7B
PT-405A      Wide Range Pressure Loop 4         102034-7D           108034-7D
PT-474       Loop 4 PZR Pressure                102036-7B           108036-7B
PT-516       Loop 1 Steamline Pressure          102036-5E           108036-5E
PT-546       Loop 4 Steamline Pressure          102036-5H           108036-5H
PT-934       Containment Pressure               102034-12E          108034-12E
TE-440A      DTTA Loop 4 Thot-1A                102036-7X           108036-7X
TE-440B      DTTA Loop 4 Tcold-1                102036-7X           108036-7X
TE-440C      DTTA Loop 4 Thot-1B                102036-7X           108036-7X
TE-441A      DTTA Loop 4 Thot-2A                102036-7X           108036-7X
TE-441B      DTTA Loop 4 Tcold-2                102036-7X           108036-7X
TE-441C      DTTA Loop 4 Thot-2B                102036-7X           108036-7X
TE-442A      DTTA Loop 4 Thot-3A                102036-7X           108036-7X
TE-442C      DTTA Loop 4 Thot-3B                102036-7X           108036-7X
TE-454       Pressurizer Vapor Temperature      102035-7B           108035-7B
 
4 PPS Racks and Channels
4.1    TRICON HARDWARE CONFIGURATION ITEMS
4.1.1. Safety-Related Triconex Configuration Items
: 1. Main Chassis
: 2. Deleted
: 3. RXM Chassis
: 4. MRXM, Primary Module
: 5. Main Processor Module
: 6. Power Supply Module (120 VDC/115 VAC)
: 7. Communications Module (TCM-FO)
: 8. Discrete Input Module 115VAC/DC
: 9. Discrete Input Module 24 VAC/DC
: 10. Discrete Output Module 115 VAC, Unsupervised
: 11. Deleted
: 12. Analog Input Module, Isolated
: 13. Analog Input Module, Differential
: 14. Analog Output Module
: 15. Deleted
: 16. Supervised Discrete Output Module, 24 VDC (Energize to trip outputs only)
: 17. External Termination Panels (ETP) and interconnection cables for above I/O Modules
: 18. AC power line filters
4.1.2. Non-Safety-Related Triconex Configuration Items
: 1. RXM Chassis
: 2. MRXM Remote Module
: 3. Power Supply Module (120 VDC/115 VAC)
: 4. Deleted
: 5. Discrete Output Module 115 VAC, Unsupervised
: 6. Deleted
: 7. Analog Output Module
: 8. Relay Output Module
: 9. Discrete Input Module 115VAC/DC
: 10. Discrete Input Module 24 VAC/DC
: 11. External Termination Panels (ETP) for above I/O Modules
: 12. Media converter (TCM output to port aggregator tap)
: 13. AC power line filters
 
4.2    ALS CONFIGURATION ITEMS
4.2.1. Safety-Related ALS Configuration Items (Typical for Logic Path A & B)
: 1. ALS CLB - Core Logic Board
: 2. ALS IPB - Input Board
: 3. ALS OPB - Output Board
: 4. ALS Rack and Cables
4.2.2. Non-Safety-Related ALS Configuration Items
: 1. ASU Software
4.3    PG&E CONFIGURATION ITEMS
: 1. Maintenance Video Display Unit and Software (Except ASU software provided by ALS)
: 2. Net Optics Port Aggregator Network Taps
: 3. OOS Toggle Switches
: 4. Manual Trip Toggle Switches
: 5. Bypass Toggle Switches
: 6. Media Converters (except Tricon TCM output to port aggregator tap by IOM)
: 7. Nominal 24 Vdc adjustable power supply for Tricon DI and DO loops
: 8. Nominal 24 Vdc adjustable power supply for Tricon AO loops
: 9. Nominal 40 Vdc adjustable power supply for Tricon AI loops
: 10. Nominal 24 Vdc adjustable 24-45 Vdc I/O power supply for ALS AI loops (except Pressurizer pressure, which is shared with the Tricon and powered by the Tricon loop PS). The ALS loops may use a combination of power supplies such as Items 8 and/or 9 as determined by the detailed design.
: 11. 48 Vdc ALS logic power supplies
 
4.4    PROTECTION SET I FUNCTIONS AND INSTRUMENT CLASSES
Table 4-1        Protection Set I Analog Output Functions
PROTECTION SET I ANALOG OUTPUT FUNCTIONS
INST. NO.      INST. CLASS  PROCESSOR      DESCRIPTION
LT-459 Input  IB,A,1      Note (1)        PZR Level to LI-459A (VB2), LI-459B (HSP)
PT-514 Input  IB,A,1      Note (1)        LP 1 Steamline Press to PI-514A (VB3), PI-514B (HSP), ERFDS (VB4)
PT-524 Input  IB,A,1      Note (1)        LP 2 Steamline Press to PI-524A (VB3), PI-524B (HSP), ERFDS (VB4)
PT-534 Input  IB,A,1      Note (1)        LP 3 Steamline Press to PI-534A (VB3), PI-534B (HSP), ERFDS (VB4)
PT-544 Input  IB,A,1      Note (1)        LP 4 Steamline Press to PI-544A (VB3), PI-544B (HSP), ERFDS (VB4)
PT-937 Input  IB,A,1      Note (1)        Containment Pressure to PI-937 (VB1)
TE-410A        IA          ALS-A          DTTA Loop 1 Thot-1A (to PS I Tricon)
TE-410B        IA          ALS-A          DTTA Loop 1 Tcold-1 (to PS I Tricon)
TE-411A        IA          ALS-A          DTTA Loop 1 Thot-2A (to PS I Tricon)
TE-412A        IA          ALS-A          DTTA Loop 1 Thot-3A (to PS I Tricon)
TE-413A        IB,A,1      ALS-A          Loop 1 Hot Leg Temp (to PS I Tricon)
TE-413B        IB,A,1      ALS-A          Loop 1 Cold Leg Temp (to PS I Tricon)
FM-414B        II          ALS-A          Reactor Coolant Flow Loop 1 to FI-414 (VB2)
FM-424B        II          ALS-A          Reactor Coolant Flow Loop 2 to FI-424 (VB2)
TE-410C        IA          ALS-B          DTTA Loop 1 Thot-1B (to PS I Tricon)
TE-411B        IA          ALS-B          DTTA Loop 1 Tcold-2 (to PS I Tricon)
TE-411C        IA          ALS-B          DTTA Loop 1 Thot-2B (to PS I Tricon)
TE-412C        IA          ALS-B          DTTA Loop 1 Thot-3B (to PS I Tricon)
TE-423A        IB,A,1      ALS-B          Loop 2 Hot Leg Temp (to PS I Tricon)
TE-423B        IA          ALS-B          Loop 2 Cold Leg Temp (to PS I Tricon)
FM-434B        II          ALS-B          Reactor Coolant Flow Loop 3 to FI-434 (VB2)
FM-444B        II          ALS-B          Reactor Coolant Flow Loop 4 to FI-444 (VB2)
FM-512 1      II          Isolator Out    Loop 1 Steamflow to DFWCS
FM-512 2      IB, D, 2    Isolator Out    Loop 1 Steamflow to FI-512 (VB3) & ERFDS (VB1)
FM-522 1      II          Isolator Out    Loop 2 Steamflow to DFWCS
FM-522 2      IB, D, 2    Isolator Out    Loop 2 Steamflow to FI-522 (VB3) & ERFDS (VB1)
FM-532 1      II          Isolator Out    Loop 3 Steamflow to DFWCS
FM-532 2      IB, D, 2    Isolator Out    Loop 3 Steamflow to FI-532 (VB3) & ERFDS (VB4)
FM-542 1      II          Isolator Out    Loop 4 Steamflow to DFWCS
FM-542 2      IB, D, 2    Isolator Out    Loop 4 Steamflow to FI-542 (VB3) & ERFDS (VB4)
LM-459 1      II          Isolator Out    PZR Level to PZR Level Control (Control Set 1, Control Set 2)
LM-529 1      II          Isolator Out    S/G 2 Level to LI-529 (VB3), DFWCS, AFW
LM-539 1      II          Isolator Out    S/G 3 Level to LI-539 (VB3), DFWCS, AFW
LM-539 2      II          Isolator Out    S/G 3 Level to AMSAC
PM-455 1      II          Isolator Out    PZR Pressure to PZR Pressure Control Set 1, PI-455A (VB2), PI-455B (HSP)
PM-505 1      II          Isolator Out    Turbine Impulse Pressure to AMSAC
PM-514 1      II          Isolator Out    Loop 1 Steamline Pressure to DFWCS
 
PM-524 1          II              Isolator Out      Loop 2 Steamline Pressure to DFWCS
PM-534 1          II              Isolator Out      Loop 3 Steamline Pressure to DFWCS
PM-544 1          II              Isolator Out      Loop 4 Steamline Pressure to DFWCS
TM-413A            IB,A,1          Tricon            Loop 1 Hot Leg Temp to TR-413 (VB2) & RVLIS (PAM4)
TM-413B            IB,A,1          Tricon              Loop 1 Cold Leg Temp to TR-413 (VB2)
TM-423A            IB,A,1          Tricon            Loop 2 Hot Leg Temp to TR-423 (VB2) & RVLIS (PAM4)
TM-423B            IB,A,1          Tricon            Loop 2 Cold Leg Temp to TR-423 (VB2)
FM-512D            IA              Tricon            Loop 1 Steamflow to FM-512 2 (Isolator)
FM-522D            IA              Tricon            Loop 2 Steamflow to FM-522 2 (Isolator)
FM-532D            IA              Tricon            Loop 3 Steamflow to FM-532 2 (Isolator)
FM-542D            IA              Tricon            Loop 4 Steamflow to FM-542 2 (Isolator)
PM-505A            I                Tricon            Turbine Impulse Pressure to PI-505 (VB3)
TM-411E            II              Tricon            Delta-T to TI-411A (VB2) & TM-411Q/R (R31)
TM-411F            II              Tricon            Overpower Setpoint to T/411A (CC1) & TI-411B (VB2)
TM-411G            II              Tricon            Overtemperature Setpoint to T/411A (CC1) & TI-411C (VB2)
TM-412F            II              Tricon            Tavg to TI-412 (VB2) & TM-412G/R, TC-412A-H/R (R31)
Deleted
Deleted
Deleted
Deleted
Note:
(1) From analog sensor input loop, isolation not required [Section 2.3.3]
Table 4-2        Protection Set I Discrete Output Functions
PROTECTION SET I DISCRETE OUTPUT FUNCTIONS
INST. NO.            INST. CLASS      PROCESSOR        DESCRIPTION
FC-414 A              IA                ALS-A            Loop 1 Low Flow Rx Trip (SSPS)
FC-424 A              IA                ALS-A            Loop 2 Low Flow Rx Trip (SSPS)
FC-434 A              IA                ALS-A            Loop 3 Low Flow Rx Trip (SSPS)
FC-444 A              IA                ALS-A            Loop 4 Low Flow Rx Trip (SSPS)
PC-455A A            IA                ALS-A            PZR Pressure High Rx Trip (SSPS)
PC-455B A            IA                ALS-A            Unblock SI, P11 (SSPS)
PC-455C A            IA                ALS-A            PZR Pressure Low Rx Trip (SSPS)
PC-455D A            IA                ALS-A              PZR Pressure Low-Low SI (SSPS)
PC-455E A            IA                ALS-A              PZR Pressure High - PORV (RNASA)
PC-937B A            IA                ALS-A            Containment Press High-High Containment Spray, Ph B Isolation (SSPS)
Deleted
UY-PS1A DIV-A        II                ALS-A            PS I Trouble Alarm (MAS)
UY-PS1B DIV-A        II                ALS-A            PS I Channel in Bypass Alarm (MAS)
UY-PS1C DIV-A        II                ALS-A            PS I Failure Alarm (MAS)
YC-937 A             II                ALS-A            Containment Press High-High Channel in Test Alarm (MAS)
FC-414 B          IA          ALS-B        Loop 1 Low Flow Rx Trip (SSPS)
FC-424 B          IA          ALS-B        Loop 2 Low Flow Rx Trip (SSPS)
FC-434 B          IA          ALS-B        Loop 3 Low Flow Rx Trip (SSPS)
FC-444 B          IA          ALS-B        Loop 4 Low Flow Rx Trip (SSPS)
PC-455A B        IA          ALS-B        PZR Pressure High Rx Trip (SSPS)
PC-455B B        IA          ALS-B        Unblock SI, P11 (SSPS)
PC-455C B        IA          ALS-B        PZR Pressure Low Rx Trip (SSPS)
PC-455D B        IA          ALS-B        PZR Pressure Low-Low SI (SSPS)
PC-455E B        IA          ALS-B        PZR Pressure High - PORV (RNASA)
PC-937B B        IA          ALS-B        Containment Press High-High Containment Spray, Ph B Isolation (SSPS)
Deleted
UY-PS1A DIV-B    II          ALS-B        PS I Trouble Alarm (MAS)
UY-PS1B DIV-B    II          ALS-B        PS I Channel in Bypass Alarm (MAS)
UY-PS1C DIV-B    II          ALS-B        PS I Failure Alarm (MAS)
YC-937 B          II          ALS-B        Containment Press High-High Channel in Test Alarm (MAS)
LC-459A          IA          Tricon      PZR Level High Rx Trip (SSPS)
LC-529A          IA          Tricon      S/G 2 High-High Level Turbine Trip, FW Isolation P14 (SSPS)
LC-529B          IA          Tricon      S/G 2 Low-Low Level Rx Trip & AFW Pump Start (SSPS)
LC-539A          IA          Tricon      S/G 3 High-High Level Turbine Trip, FW Isolation P14 (SSPS)
LC-539B          IA          Tricon      S/G 3 Low-Low Level Rx Trip & AFW Pump Start (SSPS)
PC-505A          IA          Tricon      Turbine Impulse Pressure High to P13 (SSPS)
PC-514A          IA          Tricon      Loop 1 Low Steamline Press SI & Steamline Isolation (SSPS)
PC-514C          IA          Tricon      Loop 1 Steamline Press High Negative Rate Steamline Isolation (SSPS)
PC-524A          IA          Tricon      Loop 2 Low Steamline Press SI & Steamline Isolation (SSPS)
PC-524C          IA          Tricon      Loop 2 Steamline Press High Negative Rate Steamline Isolation (SSPS)
PC-534A          IA          Tricon      Loop 3 Low Steamline Press SI & Steamline Isolation (SSPS)
PC-534C          IA          Tricon      Loop 3 Steamline Press High Negative Rate Steamline Isolation (SSPS)
PC-544A          IA          Tricon      Loop 4 Low Steamline Press SI & Steamline Isolation (SSPS)
PC-544C          IA          Tricon      Loop 4 Steamline Press High Negative Rate Steamline Isolation (SSPS)
TC-411C          IA          Tricon      OTDT Rx Trip (SSPS)
TC-411G          IA          Tricon      OPDT Rx Trip (SSPS)
TC-412D          IA          Tricon      Tavg Low-Low P12 (SSPS)
TC-412G          IA          Tricon      Tavg Low Feedwater Isolation (SSPS)
TC-423A          IA          Tricon      Loop 2 Cold Leg Temp. Low - LTOPS (RNASA)
Deleted
Deleted
Deleted
Deleted
LY-529H          II          Tricon      PS I S/G Low-Low Level TTD Timer Actuated Alarm (MAS)
Deleted
PC-505C          II          Tricon      Turbine Low Power Interlock C5 (RNARA)
TC-411D          II          Tricon      OTDT Interlock C3 (RNARA)
TC-411H          II          Tricon      OPDT Interlock C4 (RNARA)
TY-411 TRICON    II          Tricon      PS I DTTA RTD Failure Alarm (MAS)
UY-PS1A TRICON   II          Tricon      PS I Trouble Alarm (MAS)
UY-PS1B TRICON   II          Tricon      PS I Channel in Bypass Alarm (MAS)
UY-PS1C TRICON   II          Tricon      PS I Failure Alarm (MAS)

4.5    PROTECTION SET II FUNCTIONS AND INSTRUMENT CLASSES
Table 4-3    Protection Set II Analog Output Functions
PROTECTION SET II ANALOG OUTPUT FUNCTIONS
INST. NO.          INST. CLASS      PROCESSOR      DESCRIPTION
LT-460 Input        IB,A,1          Note (1)    PZR Level to LI-460A (VB2), LI-460B (HSP)
PT-515 Input        IB,A,1          Note (1)    Loop 1 Steamline Pressure to PI-515 (VB3), ERFDS (VB4)
PT-525 Input        IB,A,1          Note (1)    Loop 2 Steamline Pressure to PI-525 (VB3), ERFDS (VB1)
PT-535 Input        IB,A,1          Note (1)    Loop 3 Steamline Pressure to PI-535 (VB3), ERFDS (VB1)
PT-545 Input        IB,A,1          Note (1)    Loop 4 Steamline Pressure to PI-545 (VB3), ERFDS (VB1)
PT-936 Input        IB,A,1          Note (1)    Containment Pressure to PI-936 (VB1), ERFDS (VB1)
TE-420A            IA            ALS-A        DTTA Loop 2 Thot-1A (to PS II Tricon)
TE-420B            IA            ALS-A        DTTA Loop 2 Tcold-1 (to PS II Tricon)
TE-421A            IA            ALS-A      DTTA Loop 2 Thot-2A (to PS II Tricon)
TE-422A            IA            ALS-A      DTTA Loop 2 Thot-3A (to PS II Tricon)
TE-433A          IB,A,1          ALS-A      Loop 3 Hot Leg Temp (to PS II Tricon)
TE-433B            IA            ALS-A      Loop 3 Cold Leg Temp (to PS II Tricon)
FM-415B              II            ALS-A        Reactor Coolant Flow Loop 1 to FI-415 (VB2)
FM-425B              II            ALS-A        Reactor Coolant Flow Loop 2 to FI-425 (VB2)
TE-420C              IA            ALS-B      DTTA Loop 2 Thot-1B (to PS II Tricon)
TE-421B              IA            ALS-B        DTTA Loop 2 Tcold-2 (to PS II Tricon)
TE-421C              IA            ALS-B        DTTA Loop 2 Thot-2B (to PS II Tricon)
TE-422C              IA            ALS-B        DTTA Loop 2 Thot-3B (to PS II Tricon)
TE-443A          IB,A,1          ALS-B        Loop 4 Hot Leg Temp (to PS II Tricon)
TE-443B          IB,A,1          ALS-B        Loop 4 Cold Leg Temp (to PS II Tricon)
FM-435B              II            ALS-B        Reactor Coolant Flow Loop 3 to FI-435 (VB2)
FM-445B              II            ALS-B        Reactor Coolant Flow Loop 4 to FI-445 (VB2)
FM-513 1            II            Isolator Out    Loop 1 Steamflow to DFWCS
FM-513 2            IB, D, 2      Isolator Out    Loop 1 Steamflow to FI-513 (VB3) & ERFDS (VB1)
FM-523 1            II            Isolator Out    Loop 2 Steamflow to DFWCS
FM-523 2            IB, D, 2      Isolator Out    Loop 2 Steamflow to FI-523 (VB3) & ERFDS (VB1)
FM-533 1            II            Isolator Out    Loop 3 Steamflow to DFWCS
FM-533 2            IB, D, 2      Isolator Out    Loop 3 Steamflow to FI-533 (VB3) & ERFDS (VB4)
FM-543 1            II            Isolator Out    Loop 4 Steamflow to DFWCS
FM-543 2            IB, D, 2      Isolator Out    Loop 4 Steamflow to FI-543 (VB3) & ERFDS (VB4)
LM-460 1            II            Isolator Out    PZR Level to PZR Level Control (Control Set 1, Control Set 2)
LM-519 1            II            Isolator Out    S/G 1 Level to LI-519 (VB3), DFWCS, AFW
LM-549 1            II            Isolator Out    S/G 4 Level to LI-549 (VB3), DFWCS, AFW
LM-549 2            II            Isolator Out    S/G 4 Level to AMSAC
PM-456 1            II            Isolator Out    PZR Pressure to PI-456 (VB2), PZR Pressure Control (Control Set 1)
PM-506 1            II            Isolator Out    Turbine Impulse Pressure to AMSAC
PM-515 1            II            Isolator Out    Loop 1 Steamline Pressure to DFWCS
PM-525 1            II            Isolator Out    Loop 2 Steamline Pressure to DFWCS
PM-535 1            II            Isolator Out    Loop 3 Steamline Pressure to DFWCS
PM-545 1            II            Isolator Out    Loop 4 Steamline Pressure to DFWCS
TM-433A             IB,A,1        Tricon          Loop 3 Hot Leg Temp to TR-433 (VB2) & RVLIS (PAM3)
TM-433B          IB,A,1          Tricon      Loop 3 Cold Leg Temp to TR-433 (VB2)
TM-443A          IB,A,1          Tricon      Loop 4 Hot Leg Temp to TR-443 (VB2) & RVLIS (PAM3)
TM-443B          IB,A,1          Tricon      Loop 4 Cold Leg Temp to TR-443 (VB2)
FM-513D            IA            Tricon      Loop 1 Steamflow to FI-513 2 (Isolator)
FM-523D            IA            Tricon      Loop 2 Steamflow to FI-523 2 (Isolator)
FM-533D            IA            Tricon      Loop 3 Steamflow to FI-533 2 (Isolator)
FM-543D            IA            Tricon      Loop 4 Steamflow to FI-543_2 (Isolator)
PM-506A            II            Tricon      Turbine Impulse Pressure to PI-506 (VB3)
TM-421E            II            Tricon      Delta-T to TI-421A (VB2) & TM-411Q2/R (R31)
TM-421F            II            Tricon      Overpower Setpoint to T/411A (CC1) & TI-421B (VB2)
TM-421G            II            Tricon      Overtemperature Setpoint to T/411A (CC1) & TI-421C (VB2)
TM-422F            II            Tricon      Tavg to TI-422 (VB2) & TM-422G/R, TC-422A-H/R (R31)
Deleted
Deleted
Deleted
Deleted
Note:
(1) From analog sensor input loop, isolation not required [Section 2.3.3]
Table 4-4      Protection Set II Discrete Output Functions
PROTECTION SET II DISCRETE OUTPUT FUNCTIONS
INST. NO.          INST. CLASS    PROCESSOR        DESCRIPTION
FC-415 A            IA            ALS-A        Loop 1 Low Flow Rx Trip (SSPS)
FC-425 A            IA            ALS-A        Loop 2 Low Flow Rx Trip (SSPS)
FC-435 A            IA            ALS-A        Loop 3 Low Flow Rx Trip (SSPS)
FC-445 A            IA            ALS-A        Loop 4 Low Flow Rx Trip (SSPS)
PC-456A A            IA            ALS-A        PZR Pressure High Rx Trip (SSPS)
PC-456B A            IA            ALS-A        Unblock SI, P11 (SSPS)
PC-456C A          IA        ALS-A      PZR Pressure Low Rx Trip (SSPS)
PC-456D A            IA      ALS-A      PZR Pressure Low-Low SI (SSPS)
PC-456E A          IA        ALS-A      PZR Pressure High - PORV (RNASA)
PC-936A A            IA      ALS-A      Containment Press High SI, Ph A Isolation (SSPS)
PC-936B A            IA      ALS-A      Containment Press High-High Containment Spray, Ph B Isolation (SSPS)
Deleted
UY-PS2A DIV-A          II      ALS-A      PS II Trouble Alarm (MAS)
UY-PS2B DIV-A          II      ALS-A      PS II Channel in Bypass Alarm (MAS)
UY-PS2C DIV-A          II      ALS-A      PS II Failure Alarm (MAS)
YC-936 A            II      ALS-A      Containment Press High-High Channel in Test Alarm (MAS)
FC-415 B            IA      ALS-B      Loop 1 Low Flow Rx Trip (SSPS)
FC-425 B            IA      ALS-B      Loop 2 Low Flow Rx Trip (SSPS)
FC-435 B            IA      ALS-B      Loop 3 Low Flow Rx Trip (SSPS)
FC-445 B            IA      ALS-B      Loop 4 Low Flow Rx Trip (SSPS)
PC-456A B            IA      ALS-B      PZR Pressure High Rx Trip (SSPS)
PC-456B B            IA      ALS-B      Unblock SI, P11 (SSPS)
PC-456C B            IA      ALS-B      PZR Pressure Low Rx Trip (SSPS)
PC-456D B            IA      ALS-B      PZR Pressure Low-Low SI (SSPS)
PC-456E B            IA      ALS-B      PZR Pressure High - PORV (RNASA)
PC-936A B            IA      ALS-B      Containment Press High SI, Ph A Isolation (SSPS)
PC-936B B            IA      ALS-B      Containment Press High-High Containment Spray, Ph B Isolation (SSPS)
Deleted
UY-PS2A DIV-B          II      ALS-B      PS II Trouble Alarm (MAS)
UY-PS2B DIV-B          II      ALS-B      PS II Channel in Bypass Alarm (MAS)
UY-PS2C DIV-B          II      ALS-B      PS II Failure Alarm (MAS)
YC-936 B            II      ALS-B      Containment Press High-High Channel in Test Alarm (MAS)
LC-460A            IA      Tricon    PZR Level High Rx Trip (SSPS)
LC-519A            IA      Tricon    S/G 1 High-High Level Turbine Trip, FW Isolation P14 (SSPS)
LC-519B            IA      Tricon    S/G 1 Low-Low Level Rx Trip & AFW Pump Start (SSPS)
LC-549A            IA      Tricon    S/G 4 High-High Level Turbine Trip, FW Isolation P14 (SSPS)
LC-549B            IA      Tricon    S/G 4 Low-Low Level Rx Trip & AFW Pump Start (SSPS)
PC-506A            IA      Tricon    Turbine Impulse Pressure High to P13 (SSPS)
PC-515A            IA      Tricon    Loop 1 Low Steamline Press SI & Steamline Isolation (SSPS)
PC-515C            IA      Tricon    Loop 1 Steamline Press High Negative Rate Steamline Isolation (SSPS)
PC-525A            IA        Tricon    Loop 2 Low Steamline Press SI & Steamline Isolation (SSPS)
PC-525C            IA        Tricon    Loop 2 Steamline Press High Negative Rate Steamline Isolation (SSPS)
PC-535A            IA        Tricon    Loop 3 Low Steamline Press SI & Steamline Isolation (SSPS)
PC-535C            IA        Tricon    Loop 3 Steamline Press High Negative Rate Steamline Isolation (SSPS)
PC-545A            IA        Tricon    Loop 4 Low Steamline Press SI & Steamline Isolation (SSPS)
PC-545C            IA        Tricon    Loop 4 Steamline Press High Negative Rate Steamline Isolation (SSPS)
TC-421C            IA        Tricon    OTDT Rx Trip (SSPS)
TC-421G            IA        Tricon    OPDT Rx Trip (SSPS)
TC-422D            IA            Tricon      Tavg Low-Low P12 (SSPS)
TC-422G            IA            Tricon      Tavg Low Feedwater Isolation (SSPS)
TC-433A            IA            Tricon      Loop 3 Cold Leg Temp. Low - LTOPS (RNASA)
Deleted
Deleted
Deleted
Deleted
LY-519H              II            Tricon      PS II S/G Low-Low Level TTD Timer Actuated Alarm (MAS)
Deleted
TC-421D              II            Tricon      OTDT Interlock C3 (RNARA)
TC-421H              II            Tricon      OPDT Interlock C4 (RNARA)
TY-421 TRICON            II            Tricon      PS2 DTTA RTD Failure Alarm (MAS)
UY-PS2A TRICON            II            Tricon      PS2 Trouble Alarm (MAS)
UY-PS2B TRICON            II          Tricon      PS2 Channel in Bypass Alarm (MAS)
UY-PS2C TRICON            II          Tricon      PS2 Failure Alarm (MAS)

4.6    PROTECTION SET III FUNCTIONS AND INSTRUMENT CLASSES
Table 4-5    Protection Set III Analog Output Functions
PROTECTION SET III ANALOG OUTPUT FUNCTIONS
INST. NO.          INST. CLASS      PROCESSOR        DESCRIPTION
LT-461 Input        IB,A,1          Note (1)      PZR Level to LI-461 (VB2)
LT-518 Input        IB,A,1          Note (1)      S/G 1 Level to LI-518 (VB3) & ERFDS (VB1)
LT-528 Input        IB,A,1          Note (1)      S/G 2 Level to LI-528 (VB3) & ERFDS (VB1)
LT-538 Input        IB,A,1          Note (1)      S/G 3 Level to LI-538 (VB3) & ERFDS (VB1)
LT-548 Input        IB,A,1          Note (1)      S/G 4 Level to LI-548 (VB3) & ERFDS (VB1)
PT-403 Input        IB,A,1          Note (1)      Loop 4 WR Press to PR-403 (VB2), RVLIS (PAM 4)
PT-526 Input        IB,A,1          Note (1)      Loop 2 Steamline Pressure to PI-526 (VB3)
PT-536 Input        IB,A,1          Note (1)      Loop 3 Steamline Pressure to PI-536 (VB3)
PT-935 Input        IB,A,1          Note (1)      Containment Pressure to PI-935 (VB1) & ERFDS (VB1)
TE-430A            IA            ALS-A        DTTA Loop 3 Thot-1A (to PS III Tricon)
TE-430B            IA            ALS-A        DTTA Loop 3 Tcold-1 (to PS III Tricon)
TE-431A            IA            ALS-A        DTTA Loop 3 Thot-2A (to PS III Tricon)
TE-432A            IA            ALS-A        DTTA Loop 3 Thot-3A (to PS III Tricon)
FM-416B              II          ALS-A        Reactor Coolant Flow Loop 1 to FI-416 (VB2)
FM-426B              II          ALS-A        Reactor Coolant Flow Loop 2 to FI-426 (VB2)
TE-430C            IA            ALS-B        DTTA Loop 3 Thot-1B (to PS III Tricon)
TE-431B            IA            ALS-B        DTTA Loop 3 Tcold-2 (to PS III Tricon)
TE-431C            IA            ALS-B        DTTA Loop 3 Thot-2B (to PS III Tricon)
TE-432C            IA            ALS-B        DTTA Loop 3 Thot-3B (to PS III Tricon)
FM-436B            II            ALS-B        Reactor Coolant Flow Loop 3 to FI-436 (VB2)
FM-446B            II            ALS-B        Reactor Coolant Flow Loop 4 to FI-446 (VB2)
LM-461 1            II          Isolator Out    PZR Level to PZR Level Control (Control Set 1, Control Set 2)
LM-518 1            II          Isolator Out    S/G 1 Level to DFWCS, AFW
LM-528 1            II          Isolator Out    S/G 2 Level to DFWCS, AFW
LM-528 2            II          Isolator Out    S/G 2 Level to AMSAC
LM-538 1            II          Isolator Out    S/G 3 Level to DFWCS, AFW
LM-548 1            II          Isolator Out    S/G 4 Level to DFWCS, AFW
PM-403A 1           II          Isolator Out    Loop 4 WR Press to PI-403A (VB2), ERFDS (VB4)
PM-457 1            II          Isolator Out    PZR Pressure to PZR Pressure Control (Control Set 1), PI-457 (VB2)
PM-526 1            II          Isolator Out    Loop 2 Steamline Pressure to DFWCS
PM-536 1            II          Isolator Out    Loop 3 Steamline Pressure to DFWCS
TM-431E             II          Tricon          Delta-T to TI-431A (VB2) & TM-411Q3/R (R31)
TM-431F            II            Tricon      Overpower Setpoint to T/411A (CC1) & TI-431B (VB2)
TM-431G              II            Tricon      Overtemperature Setpoint to T/411A (CC1) & TI-431C (VB2)
TM-432F            II            Tricon      Tavg to TI-432 (VB2) & TM-432G/R, TC-432A-H/R (R31)
Note:
(1) From analog sensor input loop, isolation not required [Section 2.3.3]
Table 4-6          Protection Set III Discrete Output Functions
PROTECTION SET III DISCRETE OUTPUT FUNCTIONS
INST. NO.          INST. CLASS PROCESSOR            DESCRIPTION
FC-416 A            IA          ALS-A        Loop 1 Low Flow Rx Trip (SSPS)
FC-426 A            IA          ALS-A        Loop 2 Low Flow Rx Trip (SSPS)
FC-436 A            IA          ALS-A        Loop 3 Low Flow Rx Trip (SSPS)
FC-446 A            IA          ALS-A        Loop 4 Low Flow Rx Trip (SSPS)
PC-457A A            IA          ALS-A        PZR Pressure High Rx Trip (SSPS)
PC-457B A            IA          ALS-A        Unblock SI, P11 (SSPS)
PC-457C A            IA          ALS-A        PZR Pressure Low Rx Trip (SSPS)
PC-457D A            IA          ALS-A        PZR Pressure Low-Low SI (SSPS)
PC-457E A            IA          ALS-A        PZR Pressure High - PORV (RNASA)
PC-935A A            IA          ALS-A        Containment Press High SI, Ph A Isolation (SSPS)
PC-935B A            IA          ALS-A        Containment Press High-High Containment Spray, Ph B Isolation (SSPS)
Deleted
UY-PS3A DIV-A            II          ALS-A        PS III Trouble Alarm (MAS)
UY-PS3B DIV-A            II          ALS-A        PS III Channel in Bypass Alarm (MAS)
UY-PS3C DIV-A            II          ALS-A        PS III Failure Alarm (MAS)
YC-935 A              II          ALS-A        Containment Press High-High Channel in Test Alarm (MAS)
FC-416-B              IA            ALS-B      Loop 1 Low Flow Rx Trip (SSPS)
FC-426 B              IA            ALS-B      Loop 2 Low Flow Rx Trip (SSPS)
FC-436 B              IA            ALS-B      Loop 3 Low Flow Rx Trip (SSPS)
FC-446 B              IA            ALS-B      Loop 4 Low Flow Rx Trip (SSPS)
PC-457A B              IA            ALS-B      PZR Pressure High Rx Trip (SSPS)
PC-457B B              IA            ALS-B      Unblock SI, P11 (SSPS)
PC-457C B              IA            ALS-B      PZR Pressure Low Rx Trip (SSPS)
PC-457D B              IA            ALS-B      PZR Pressure Low-Low SI (SSPS)
PC-457E B              IA            ALS-B      PZR Pressure High - PORV (RNASA)
PC-935A B              IA            ALS-B      Containment Press High SI, Ph A Isolation (SSPS)
PC-935B B              IA            ALS-B      Containment Press High-High Containment Spray, Ph B Isolation (SSPS)
Deleted
UY-PS3A DIV-B            II            ALS-B      PS III Trouble Alarm (MAS)
UY-PS3B DIV-B            II            ALS-B      PS III Channel in Bypass Alarm (MAS)
UY-PS3C DIV-B            II            ALS-B      PS III Failure Alarm (MAS)
YC-935 B              II            ALS-B      Containment Press High-High Channel in Test Alarm (MAS)
LC-461A              IA            Tricon      PZR Level High Rx Trip (SSPS)
LC-518A              IA            Tricon      S/G 1 High-High Level Turbine Trip, FW Isolation P14 (SSPS)
LC-518B              IA            Tricon      S/G 1 Low-Low Level Rx Trip & AFW Pump Start (SSPS)
LC-528A              IA            Tricon      S/G 2 High-High Level Turbine Trip, FW Isolation P14 (SSPS)
LC-528B              IA            Tricon      S/G 2 Low-Low Level Rx Trip & AFW Pump Start (SSPS)
LC-538A              IA            Tricon      S/G 3 High-High Level Turbine Trip, FW Isolation P14 (SSPS)
LC-538B              IA            Tricon      S/G 3 Low-Low Level Rx Trip & AFW Pump Start (SSPS)
LC-548A              IA            Tricon      S/G 4 High-High Level Turbine Trip, FW Isolation P14 (SSPS)
LC-548B              IA            Tricon      S/G 4 Low-Low Level Rx Trip & AFW Pump Start (SSPS)
PC-403A              IA            Tricon      Loop 4 WR Pressure Low to RHR V-8702 Open Ckt (RNSIA)
PC-403B              IA            Tricon      Loop 4 WR Pressure High to RHR Not Isolated Alarm Ckt (RNSIA)
PC-403D              IA            Tricon      Loop 4 WR Pressure High to LTOPS (RNASA)
PC-526A              IA            Tricon      Loop 2 Low Steamline Press SI & Steamline Isolation (SSPS)
PC-526C              IA            Tricon      Loop 2 Steamline Press High Negative Rate Steamline Isolation (SSPS)
PC-536A              IA            Tricon      Loop 3 Low Steamline Press SI & Steamline Isolation (SSPS)
PC-536C              IA            Tricon      Loop 3 Steamline Press High Negative Rate Steamline Isolation (SSPS)
TC-431C              IA            Tricon      OTDT Rx Trip (SSPS)
TC-431G              IA            Tricon      OPDT Rx Trip (SSPS)
TC-432D              IA            Tricon      Tavg Low-Low P12 (SSPS)
TC-432G              IA            Tricon      Tavg Low Feedwater Isolation (SSPS)
LY-518H                II          Tricon      PS III S/G Low-Low Level TTD Timer Actuated Alarm (MAS)
Deleted
Deleted
Deleted
PC-526B                II          Tricon      Loop 2 Steamline Pressure Low Alarm (MAS)
PC-536B                II          Tricon      Loop 3 Steamline Pressure Low Alarm (MAS)
TC-431D                II          Tricon      OTDT Interlock C3 (RNARA)
TC-431H                II          Tricon      OPDT Interlock C4 (RNARA)
TY-431 TRICON          II          Tricon      PS III DTTA RTD Failure Alarm (MAS)
UY-PS3A TRICON         II          Tricon      PS III Trouble Alarm (MAS)
UY-PS3B TRICON         II          Tricon      PS III Channel in Bypass Alarm (MAS)
UY-PS3C TRICON         II          Tricon      PS III Failure Alarm (MAS)

4.7    PROTECTION SET IV FUNCTIONS AND INSTRUMENT CLASSES
Table 4-7          Protection Set IV Analog Output Functions
PROTECTION SET IV ANALOG OUTPUT FUNCTIONS
INST. NO.        INST. CLASS    PROCESSOR      DESCRIPTION
LT-517 Input      IB,A,1        Note (1)    S/G 1 Level to LI-517 (VB3), ERFDS (VB4)
LT-527 Input      IB,A,1        Note (1)    S/G 2 Level to LI-527 (VB3), ERFDS (VB4)
LT-537 Input      IB,A,1        Note (1)    S/G 3 Level to LI-537 (VB3), ERFDS (VB4)
LT-547 Input      IB,A,1        Note (1)    S/G 4 Level to LI-547 (VB3), ERFDS (VB4)
PT-405 Input      IB,A,1        Note (1)      Loop 3 WR Press to PI-405 (VB2), ERFDS (VB4), RVLIS (PAM 3)
PT-516 Input      IB,A,1        Note (1)      Loop 1 Steamline Pressure to PI-516 (VB3)
PT-546 Input      IB,A,1        Note (1)      Loop 4 Steamline Pressure to PI-546 (VB3)
PT-934 Input      IB,A,1        Note (1)      Containment Pressure to PI-934 (VB1)
TE-440A            IA          ALS-A        DTTA Loop 4 Thot-1A (PS IV Tricon)
TE-440B            IA          ALS-A        DTTA Loop 4 Tcold-1 (PS IV Tricon)
TE-441A            IA          ALS-A        DTTA Loop 4 Thot-2A (PS IV Tricon)
TE-442A            IA          ALS-A        DTTA Loop 4 Thot-3A (PS IV Tricon)
TE-454            IA          ALS-A        PZR Vapor Temperature (PS IV Tricon)
TE-440C            IA          ALS-B        DTTA Loop 4 Thot-1B (PS IV Tricon)
TE-441B            IA          ALS-B        DTTA Loop 4 Tcold-2 (PS IV Tricon)
TE-441C            IA          ALS-B        DTTA Loop 4 Thot-2B (PS IV Tricon)
TE-442C            IA          ALS-B        DTTA Loop 4 Thot-3B (PS IV Tricon)
LM-517 1            II        Isolator Out    S/G 1 Level to DFWCS, AFW
LM-517 2            II        Isolator Out    S/G 1 Level to AMSAC
LM-527 1            II        Isolator Out    S/G 2 Level to DFWCS, AFW
LM-537 1            II        Isolator Out    S/G 3 Level to DFWCS, AFW
LM-547 1            II        Isolator Out    S/G 4 Level to DFWCS, AFW
PM-405A 1           II        Isolator Out    Loop 4 WR Press to PI-405A (VB2), ERFDS (VB4)
PM-474 1            II        Isolator Out    PZR Pressure to PI-474 (VB2), PZR Pressure Control (Control Set 1)
PM-516 1            II        Isolator Out    Loop 1 Steamline Pressure to DFWCS
PM-546 1            II        Isolator Out    Loop 4 Steamline Pressure to DFWCS
TM-441E             II        Tricon          Delta-T to TI-441A (VB2) & TM-411Q4/R (R31)
TM-441F             II        Tricon          Overpower Setpoint to T/411A (CC1) & TI-441B (VB2)
TM-441G             II        Tricon          Overtemperature Setpoint to T/411A (CC1) & TI-441C (VB2)
TM-442F             II        Tricon          Tavg to TI-442 (VB2) & TM-442G/R, TC-442A-H/R (R31)
TM-454A             II,D,3    Tricon          PZR Vapor Temp to TI-454 (VB2) & TC-454/R (Control Set 2)
Note:
(1) From analog sensor input loop, isolation not required [Section 2.3.3]
Table 4-8          Protection Set IV Discrete Output Functions
PROTECTION SET IV DISCRETE OUTPUT FUNCTIONS
INST. NO.          INST. CLASS    PROCESSOR        DESCRIPTION
PC-474A A            IA            ALS-A        PZR Pressure Low Rx Trip (SSPS)
PC-474B A            IA            ALS-A        PZR Pressure High - PORV (RNASA)
PC-474C A            IA            ALS-A        PZR Pressure High Rx Trip (SSPS)
PC-474D A            IA            ALS-A        PZR Pressure Low-Low SI (SSPS)
PC-934A A            IA            ALS-A        Containment Press High SI, Ph A Isolation (SSPS)
PC-934B A            IA            ALS-A        Containment Press High-High Containment Spray, Ph B Isolation (SSPS)
Deleted
UY-PS4A DIV-A          II          ALS-A        PS IV Trouble Alarm (MAS)
UY-PS4B DIV-A          II          ALS-A        PS IV Channel in Bypass Alarm (MAS)
UY-PS4C DIV-A          II          ALS-A        PS IV Failure Alarm (MAS)
YC-934 A            II          ALS-A        Containment Press High-High Channel in Test Alarm (MAS)
PC-474A B            IA            ALS-B        PZR Pressure Low Rx Trip (SSPS)
PC-474B B            IA            ALS-B        PZR Pressure High - PORV (RNASA)
PC-474C B            IA            ALS-B        PZR Pressure High Rx Trip (SSPS)
PC-474D B            IA            ALS-B        PZR Pressure Low-Low SI (SSPS)
PC-934A B            IA            ALS-B        Containment Press High SI, Ph A Isolation (SSPS)
PC-934B B            IA            ALS-B        Containment Press High-High Containment Spray, Ph B Isolation (SSPS)
Deleted
UY-PS4A DIV-B          II          ALS-B        PS IV Trouble Alarm (MAS)
UY-PS4B DIV-B          II          ALS-B        PS IV Channel in Bypass Alarm (MAS)
UY-PS4C DIV-B          II          ALS-B        PS IV Failure Alarm (MAS)
YC-934 B            II          ALS-B        Containment Press High-High Channel in Test Alarm (MAS)
LC-517A            IA            Tricon      S/G 1 High-High Level Turbine Trip, FW Isolation P14 (SSPS)
LC-517B            IA            Tricon      S/G 1 Low-Low Level Rx Trip & AFW Pump Start (SSPS)
LC-527A            IA            Tricon      S/G 2 High-High Level Turbine Trip, FW Isolation P14 (SSPS)
LC-527B            IA            Tricon      S/G 2 Low-Low Level Rx Trip & AFW Pump Start (SSPS)
LC-537A            IA            Tricon      S/G 3 High-High Level Turbine Trip, FW Isolation P14 (SSPS)
LC-537B            IA            Tricon      S/G 3 Low-Low Level Rx Trip & AFW Pump Start (SSPS)
LC-547A            IA            Tricon      S/G 4 High-High Level Turbine Trip, FW Isolation P14 (SSPS)
LC-547B            IA            Tricon      S/G 4 Low-Low Level Rx Trip & AFW Pump Start (SSPS)
PC-405A            IA            Tricon      Loop 4 WR Pressure Low to RHR V-8701 Open Ckt (SSPS)
PC-405B            IA            Tricon      Loop 4 WR Pressure High to RHR Not Isolated Alarm Ckt (RNSIB)
PC-405D            IA            Tricon      Loop 4 WR Pressure High to LTOPS (RNASA)
PC-516A            IA            Tricon      Loop 1 Low Steamline Press SI & Steamline Isolation (SSPS)
 
PC-516C          IA        Tricon    Loop 1 Steamline Press High Negative Rate Steamline Isolation (SSPS)
PC-546A          IA        Tricon    Loop 4 Low Steamline Press SI & Steamline Isolation (SSPS)
PC-546C          IA        Tricon    Loop 4 Steamline Press High Negative Rate Steamline Isolation (SSPS)
TC-441C          IA        Tricon    OTDT Rx Trip (SSPS)
TC-441G          IA        Tricon    OPDT Rx Trip (SSPS)
TC-442D          IA        Tricon    Tavg Low-Low P12 (SSPS)
TC-442G          IA        Tricon    Tavg Low Feedwater Isolation (SSPS)
Deleted
LY-517H                    Tricon    PS4 S/G Low-Low Level TTD Timer Actuated Alarm (MAS)
Deleted
Deleted
Deleted
PC-516B          II        Tricon    Loop 1 Steamline Pressure Low Alarm (MAS)
PC-546B          II        Tricon    Loop 4 Steamline Pressure Low Alarm (MAS)
TC-441D          II        Tricon    OTDT Interlock C3 (RNARA)
TC-441H          II        Tricon    OPDT Interlock C4 (RNARA)
TY-441 TRICON        II        Tricon    PS4 DTTA RTD Failure Alarm (MAS)
UY-PS4A TRICON        II        Tricon    PS IV Trouble Alarm (MAS)
UY-PS4B TRICON        II        Tricon    PS IV Channel in Bypass Alarm (MAS)
UY-PS4C TRICON        II        Tricon    PS IV Failure Alarm (MAS)
 
}}

Latest revision as of 13:53, 5 February 2020

Attachment 6: Rev. 4 to Diablo Canyon Power Plant Units 1 & 2, Process Protection System (PPS) Replacement Conceptual Design Document.
ML15099A065
Person / Time
Site: Diablo Canyon, Pacific Gas & Electric
Issue date: 10/26/2011
From:
Altran Solutions Corp, Pacific Gas & Electric Co
To:
Office of Nuclear Reactor Regulation
Shared Package
ML113070457 List:
References
DCL-11-104
Download: ML15099A065 (60)


Text

Enclosure Attachment 6 PG&E Letter DCL-11-104 Diablo Canyon Power Plant Units 1 & 2 Process Protection System Replacement Conceptual Design Document (CDD), Revision 4 (LAR Reference 27)

Pacific Gas & Electric Company
Diablo Canyon Power Plant Units 1 & 2
Process Protection System (PPS) Replacement Conceptual Design Document Rev 4

[Signature page: Prepared (User ID JWH3), Reviewed (Last Name Lint, User ID RAL4), three Coordination sign-offs and Approval. Signatures, dates and the remaining names and user IDs are illegible in the scan.]

Altran Solutions

REVISION HISTORY Revision Affected Reason for Revision Number Item 1 All Initial Issue Figure 2-3 Updated 2.3 Updated Replacement Scope description Figure 2-6 Revised per Westinghouse comment 2.2.1 Updated 2.2.2 Deleted - Information not conceptual.

2.2.3 Updated items 1-5; added new item 10 2.2.4 Added discussion of alternative Thot averaging schemes.

Figure 2-8 Added new figure; renumbered remaining figures in section Figure 2-9 Updated 2.2.4.2 Updated Section Title 2.3.1 2.3.2 Updated Rack assignments and physical modifications 2.3.2.2 Added description of Feedwater Flow signals and Steam Flow/Feedwater Flow Mismatch alarm functions and field wiring to be deleted from PPS.

2.3.3 Added new section to describe external interfaces; renumbered remaining sections.

2 2.3.4 Deleted non conceptual information; updated sections; ALS data link isolation is through performed by fiber optic media converters.

2.3.11 Figure 2-9 Revised per Westinghouse comment Figure 2-14 Added new Figure 2-14 (Diversity Architecture), Figure 2-15 (OOS Switches),

through updated and renumbered remaining figures Figure 2-20 Table 2-1 Added new table 2.4 Revised entire section Added references; updated titles Deleted Westinghouse/CSI Proprietary references 4.1 Added new section for Tricon Configuration Items; renumbered remaining sections 4.2 Added new section for ALS Configuration Items; renumbered remaining sections Entire Document Clarified safety-related and non-safety-related classifications Entire Document Changed MVDU to Maintenance Workstation Clarified Electrical Class 1E (IEEE 308) vs. Instrument Class IA, IB, II per DCM T-19 and T-24. Clarified Protection Set numbering 2.2.3.4 Initial values for m, b constants 2.3.3.2 Clarified PS description to conform to FRS and IRS 2.3.3.4, 2.3.3.6 Corrected typo 2.3.3.7, 2.3.3.9 Change Tricon energize to trip outputs to 24 VDC for SDO Clarified Tricon Communication Module (TCM); clarified NRC approval of Net Optics 4-port aggregator tap 2.3.5 Revised testing features description per current concept 2.3.6 Clarified that qualified isolators are provided by PG&E 3 Table 2-1 New table clarifies failed RTD detection concept DCPP D3 Topical Report has received USNRC Safety Evaluation Report; Table clarified per SER Deleted DTTA alarms from ALS; Tricon function only Figure 2-9 Updated ALS communications links per Topical Report Figure 2-10 Added new figure to illustrate trip output loopback Figure 2-13, Figure 2-14, Figure 2-16 through Updated Figures per current OOS concept; added new Figure 2-21 Figure 2-21 3.1.30, 3.1.36 Updated references 3.2.3, 3.2.4 4 Updated scope

REVISION HISTORY, continued Revision Affected Reason for Revision Number Item I 2.1 Misc. editorial changes 2.2 Updated scope description Figure 2-1 Figure 2-2 Updated figures Figure 2-3 Figure 2-4 Added New Figure Table 2-1 Deleted table - more detail than needed in CDD 2.3.2.3 Updated description 2.3.2.4 Added port aggregator communication test 2.3.3.2 Deleted power supply voltage Figure 2-9 Updated figure 2.3.4 0 Misc editorial changes 4 0 Updated per ALS Topical Report 2.3.5 Updated per FRS and Function Block Diagrams 2.3.5.2 Updated per ALS discussions 2.4.1 Deleted non-conceptual information.

Figure Figure 2-11 2-12 Added figures per ALS discussions Figure 2-12 Figure 2-13 Updated Figure Figure 2-14 Updated figure; added explanation 3.1 IEEE STD 603 is 1991 Added IEEE 7-4.3.2 2003 Global (Not marked) Changed Maintenance Video Display unit (MVDU) to Maintenance Workstation (MWS)

Global (Not marked) Deleted proprietary information designations

CONTENTS

1 INTRODUCTION
1.1 BACKGROUND
1.2 DEFINITIONS
2 PROCESS PROTECTION SYSTEM REPLACEMENT CONCEPT
2.1 EXISTING SYSTEM
2.2 REPLACEMENT SCOPE
2.3 REPLACEMENT SYSTEM DESIGN
2.4 DIVERSITY AND DEFENSE-IN-DEPTH (D3)
3 REFERENCES
3.1 INDUSTRY STANDARDS AND REGULATORY GUIDANCE
3.2 PG&E DOCUMENTS
3.3 PRIMARY (DESIGN BASIS) DRAWING REFERENCES
4 PPS RACKS AND CHANNELS
4.1 TRICON HARDWARE CONFIGURATION ITEMS
4.2 ALS CONFIGURATION ITEMS
4.3 PG&E CONFIGURATION ITEMS
4.4 PROTECTION SET I FUNCTIONS AND INSTRUMENT CLASSES
4.5 PROTECTION SET II FUNCTIONS AND INSTRUMENT CLASSES
4.6 PROTECTION SET III FUNCTIONS AND INSTRUMENT CLASSES
4.7 PROTECTION SET IV FUNCTIONS AND INSTRUMENT CLASSES

TABLES

Table 2-1 RTD Input Conditions vs. Current Output Behavior
Table 2-2 Primary Protection System Functions Performed by ALS Sub-System
Table 4-1 Protection Set I Analog Output Functions
Table 4-2 Protection Set I Discrete Output Functions
Table 4-3 Protection Set II Analog Output Functions
Table 4-4 Protection Set II Discrete Output Functions
Table 4-5 Protection Set III Analog Output Functions
Table 4-6 Protection Set III Discrete Output Functions
Table 4-7 Protection Set IV Analog Output Functions
Table 4-8 Protection Set IV Discrete Output Functions

FIGURES

Figure 1-1 Westinghouse PWR Protection Scheme
Figure 2-1 Existing DCPP Reactor Protection System Concept with Eagle 21 PPS
Figure 2-2 Simplified Existing PPS Architecture with Eagle 21
Figure 2-3 PPS Replacement Design Concept
Figure 2-4 Simplified PPS Replacement Architecture
Figure 2-5 Tricon Triple Modular Redundant Architecture
Figure 2-6 Generic ALS Architecture
Figure 2-7 Typical PPS Safety Functions
Figure 2-8 PPS Equipment Rack Assignment Concept
Figure 2-9 PPS Replacement Architecture Concept
Figure 2-10 Triconex Trip Loopback Concept (Typical for Deenergize to Trip Outputs)
Figure 2-11 ALS-A and ALS-B Deenergize to Trip OR Configuration Concept
Figure 2-12 ALS-A and ALS-B Energize to Trip OR Configuration Concept
Figure 2-13 Eagle 21 Replacement PPS Class II Communications Architecture
Figure 2-14 ALS Built In Diversity Architecture
Figure 2-15 Out of Service Switches
Figure 2-16 Typical PPS Replacement Loop Pseudo Function Block Diagram - Loop in Service
Figure 2-17 Loop Out of Service - No Request from MWS
Figure 2-18 Analog Output in Test from MWS
Figure 2-19 Discrete Output Test in Trip from MWS
Figure 2-20 Discrete Output Test in Bypass from MWS
Figure 2-21 Parameter Update from MWS

1 Introduction

1.1 BACKGROUND

This document describes the concept for replacement of the Eagle 21 Process Protection System (E21 PPS) equipment for Diablo Canyon Power Plant Units 1 and 2. The project will replace the Westinghouse Eagle 21 protection sets currently housed in Protection Racks 1 - 16 in the Cable Spreading Room.

The scope of the replacement concept is illustrated by the shaded area in Figure 1-1:

Figure 1-1 Westinghouse PWR Protection Scheme

1.2 DEFINITIONS

The following definitions apply for this document:

TERM: DEFINITION

Channel: An arrangement of components, modules, and software as required to generate a single protective action signal when required by a generating station condition. A channel loses its identity where single action signals are combined.

Module: Any assembly of interconnected components that constitutes an identifiable device, instrument, or piece of equipment. A module can be disconnected, removed as a unit, and replaced with a spare. It has definable performance characteristics that permit it to be tested as a unit. A module can be a card or other subassembly of a larger device, provided it meets the requirements of this definition.

Components: Items from which the system is assembled (such as resistors, capacitors, wires, connectors, transistors, tubes, switches, and springs).

Protection Set: A protection set is a physical grouping of process channels with the same Class I electrical channel designation (I, II, III, or IV). Each of the four redundant protection sets is provided with separate and independent power feeds and process instrumentation transmitters. Thus, each of the four redundant protection sets is physically and electrically independent of the other sets.

Protective Function: A protective function is the sensing of one or more variables associated with a particular generating station condition, signal processing, and the initiation and completion of the protective action at values established in the design bases.

Tests made on one or more units to verify adequacy of design of that type of unit.

Diversity and Defense-In-Depth (D&D-in-D or D3): Requirement imposed on the Protection System design to ensure that required protective actions will occur to protect against Anticipated Operational Occurrences and Design Basis Accidents (as described in the FSARU) concurrent with a common cause failure (usually assumed to be software) that disables one or more echelons of defense.

Electrical Class 1E [3.2.3]: Design Class I electrical systems, components and equipment perform safety-related functions. Instrument Class IA and IB Category 1 devices below are considered to serve Class 1E functions. All other instrument classes are considered to serve non-Class 1E functions.

Instrument Class IA [3.2.4]: Instrument Class IA instruments and controls are those that initiate and maintain safe shutdown of the reactor, mitigate the consequences of an accident, or prevent exceeding 10 CFR 100 off-site dose limits.

Instrument Class IB [3.2.4]: Instrument Class IB instruments and controls are those that are required for post-accident monitoring of Category 1 and 2 variables in accordance with Regulatory Guide 1.97, Revision 3 [3.1.21].

Instrument Class II [3.2.4]: Instrument Class II components are Design Class II devices with non-safety-related functions. However, certain Class II components are subjected to some graded quality assurance requirements.

2 Process Protection System Replacement Concept

2.1 EXISTING SYSTEM

The Process Protection System (PPS) monitors plant parameters, compares them against setpoints and provides signals to the Solid State Protection System (SSPS) if the setpoints are exceeded.

The SSPS evaluates the signals and performs Reactor Trip System (RTS) and Engineered Safety Feature Actuation (ESFAS) functions to mitigate the event that is in progress.

There are four separate PPS rack sets. Separation of redundant process channels begins at the process sensors and is maintained in the field wiring, containment penetrations, and process protection racks to the two redundant trains in the SSPS logic racks. Redundant process channels are separated by locating the electronics in different PPS rack sets.

A process channel is defined as an arrangement of components, modules and software as required to generate a single protective action signal when required by a generating station condition.

[FSAR Section 7.1]

The original Westinghouse/Hagan 7100 analog protection sets were replaced in 1R6 and 2R6 with the existing Westinghouse Eagle 21 PPS. A conceptual depiction of the Eagle 21 PPS is provided in Figure 2-1.

The functional relationship of Eagle 21 with the other components of the overall Reactor Protection System (RPS) is illustrated in Figure 2-2.

Figure 2-1 Existing DCPP Reactor Protection System Concept with Eagle 21 PPS

[Figure: Solid State Protection System (SSPS), typical of 2 trains; NIS; Eagle 21 Process Protection System (PPS), typical of 4; outputs to control systems; outputs to AMSAC]

Figure 2-2 Simplified Existing PPS Architecture with Eagle 21

2.2 REPLACEMENT SCOPE

The proposed replacement PPS concept shown in Figure 2-3 implements the Diversity and Defense-in-Depth strategy described in Section 2.4 and the PPS Replacement Diversity and Defense in Depth Topical Report [3.2.1]. The project will replace the Westinghouse Eagle 21 protection sets currently housed in Protection Racks 1 - 16 shown in the shaded portion of Figure 2-4.

Replacement PPS protective functions will be implemented in four (4) redundant protection sets, each using a software-based Triconex Tricon processor [Figure 2-5] to mitigate events where existing safety analysis [3.1.18] has determined that diverse and independent automatic mitigating functions are available to mitigate the effects of postulated Common Cause Failure (CCF) concurrent with FSAR Chapter 15 events. For the events where existing analyses credit manual mitigative action, automatic protective functions will be performed in a diverse safety-related Westinghouse CS Innovations, LLC Advanced Logic System (ALS) [Figure 2-6].

Figure 2-3 PPS Replacement Design Concept

[Figure note: NIS, SSPS and AMSAC are not affected by the Replacement PPS project.]

Figure 2-4 Simplified PPS Replacement Architecture

Figure 2-5 Tricon Triple Modular Redundant Architecture

Figure 2-6 Generic ALS Architecture

2.2.1. Replacement PPS Functions

Typical replacement PPS Functions are illustrated in the following figure. Input and output details are provided in Section 4. The functions performed by the replacement PPS are identical to those of the existing Eagle 21 PPS.

Figure 2-7 Typical PPS Safety Functions

[Figure: protection system analog inputs to a typical protection set (Tricon and ALS) and the resulting outputs.

Inputs shown: Turbine Impulse Pressure; Pressurizer Level; Pressurizer Vapor Space Temp (from ALS); NI Flux; RCS Narrow Range Temperatures (from ALS); RCS Wide Range Temperatures (from ALS); RCS Wide Range Pressure; NR Steam Generator Level; Steamline Pressure; Pressurizer Pressure; RCS Flow; Containment Pressure; Pressurizer Vapor Space Temp; RCS Narrow Range Temperatures; RCS Wide Range Temperatures.

Outputs shown: Overpower Delta T RT; Overtemperature Delta T RT; Steam Generator Level High-High P14 ESF; Steamline Pressure-Low ESF; Steamline Pressure Rate-High ESF; PZR Level-High RT; Steam Generator Level Low-Low RT; Low Turbine Power P13; Cold Leg Temp-Low (LTOPS); WR RCS Pressure-High (LTOPS); WR RCS Pressure-Low (RHR Interlock); PZR Pressure-High (PORV); PZR Pressure-High RT; PZR Pressure-Low RT; PZR Pressure Low-Low ESF; PZR Pressure-Low P11 ESF Block; RCS Flow-Low RT; Containment Pressure-High ESF; Containment Pressure High-High ESF; bistable outputs to existing SSPS and to Auxiliary Safeguards; 4-20 mA temperature outputs to Tricon.]

2.2.2. Deleted

2.2.3. Enhancements

1. In the existing Eagle 21 PPS, the operator must take manual action to mitigate certain FSARU Chapter 15 events should the event occur with a concurrent Common Cause Failure (CCF). In the replacement PPS, these events will be mitigated automatically.

Refer to Section 2.4 for details.

2. The replacement PPS provides a Supervised Digital Output (SDO) that enables the PPS to monitor the external circuit for continuity. If the external circuit is broken, the PPS will generate an alarm.
3. The ALS subsystem in the replacement PPS provides built-in diversity by utilizing diverse "A" and "B" logic groups, such that a command output from either logic group will initiate the safety function. Additional details are provided in the ALS Topical Report [3.1.30].
4. All PPS analog inputs will be provided with a mx+b function to enable on-line rescaling.

Initial values will be m=1.0, b=0.0, unless specified otherwise.

5. Analog outputs from the replacement PPS to critical control systems (Main Turbine Control System, Pressurizer Pressure Control, Pressurizer Level Control, and Digital Feedwater Control System) will be isolated at the front end of the replacement PPS [Figure 2-3 and Figure 2-9] to improve diversity as discussed in the D3 Topical Report [3.2.1]. The DFWCS application must be modified to provide the Steam Flow pressure compensation [2.3.3.3].

6. Analog outputs from the replacement PPS to Reg. Guide 1.97 Post Accident Monitoring recorders and indicators will be independent from the replacement PPS as determined to be necessary by the D3 evaluation. Independence will be implemented either (1) by dedicated qualified isolation devices; or (2) by obtaining the signal directly off the transmitter loop as discussed in the next item.
7. Figure 2-3 and Figure 2-9 illustrate the concept in which certain Post Accident Monitoring (PAM) functions obtain their signals directly from the input loop. No isolation is necessary because the input loop is the correct classification. The signals to which this concept is applicable are listed in Section 4.
8. In the existing system, the Thot and Tcold signals are processed in separate racks for the DTTA trip functions and the Steam Generator Low-Low Level Trip Time Delay (TTD) functions. In the replacement system, the calculation will be performed only once to be utilized for both functions.
9. The DCPP RCS contains three thermowells in each hot leg that are radially spaced 120° apart. Each thermowell contains two redundant narrow range RTD's. The RTD signals are processed by the PPS to determine a group average hot leg bulk temperature value (Thot) for the loop. In the existing Eagle 21 PPS, one of the elements in each hot leg thermowell is an installed spare. A wiring change is required if the spare RTD is to be used. In the replacement PPS, all six (6) hot leg RTD's in a loop will be permanently wired into the PPS.

The Eagle 21 methodology uses streaming factors to normalize the three loop Thot input values to the loop average Thot. The streaming factors are updated manually on a quarterly basis. Following normalization, the Eagle 21 PPS calculates the Thot group value based on the available number of good input values. Invalid input signals¹ are removed automatically from the group average. If more than one input signal is invalid, the loop average Thot is considered inoperable.

The sensor validation scheme for Thot RTD sensors will be updated to use both RTD's in each thermowell to take advantage of the accuracy improvement obtained from using additional sensors and to make the Thot determination more fault-tolerant. Streaming is a manifestation of physical hot-leg stratification, and not an electrical phenomenon; therefore, the streaming factors will continue to be calculated per thermowell and applied to both "A" and "B" RTD signals in the well. Thus, three streaming factors per RCS loop will be calculated similarly to the Eagle 21 streaming factors.

The "A" and "B" RTD's in each thermowell are processed by the "A" and "B" ALS groups to provide diverse input processing. The ALS transmits processed 4-20 mA "A" and "B" temperature information to the protection set Tricons. The Tricons calculate the average ThotA of the three "A" RTD's in a loop using methodology similar to that used by Eagle 21 that automatically identifies and rejects invalid values or values that deviate excessively from ThotA. The average ThotB of the three "B" RTD's in the loop will be calculated similarly. The loop average Thot is the average of valid ThotA and ThotB.

The streaming factors will be updated semi-automatically, with manual action required to confirm that the constants to be updated are correct. The semi-automatic process reduces the maintenance effort and the potential for human error during the update.

This methodology is more accurate than the existing scheme because it uses more RTD's to calculate the average. It is also more fault tolerant than the existing scheme, which allows one failed RTD in a loop. In the proposed scheme, all "B" ("A") RTD's could fail (which would cause the ThotB (ThotA) to be automatically removed from the average) in addition to one failed "A" ("B") RTD. The loop Thot would then be based on two valid "A" ("B") RTD signals, equivalent to the existing Eagle 21 scheme.

10. Open RTD Detection The ALS will provide down-scale open RTD protection. If the ALS detects an open or failed RTD, it will output an analog signal which is less than the Tricon signal failure threshold. If the actual temperature is below the low scale value the ALS shall output the low scale value (4 mA). If the actual temperature is above the high scale value the ALS shall output the high scale value (20 mA).

This allows the Tricon to provide an alarm on RTD failure and ensures that the Tricon does not indicate RTD failure when the temperature is below low scale but still functioning correctly, a condition that exists during plant shutdown. In the latter case, the actual temperature will be available from the ALS via the Gateway computer. This feature allows RTD cross-calibration to be performed during startup using data obtained directly from the PPC, without the need to lift leads and connect external instrumentation.

¹ Invalid signals are those (1) that have been disabled; or (2) for which the signal processing electronics has detected a failure; or (3) deviate excessively from the average or from each other.


11. Feedwater Flow Signals The Feedwater Flow signals and the Steam Flow/Feedwater Flow Mismatch alarms will be removed from the PPS. The flow signals are non-safety-related and will be input to the Digital Feedwater System (DFWCS), which will then generate the Steam Flow/Feedwater Flow Mismatch alarms.
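The signal chain described in items 9 and 10 above (ALS 4-20 mA output with down-scale open-RTD protection, then Tricon validation and ThotA/ThotB averaging), as an added example that is not code from the design document or from the Tricon or ALS platforms. The scale limits, the open-RTD current, the failure threshold, the deviation limit, the additive form of the streaming correction and the median-based deviation test are all assumptions, since the document specifies none of them; the sample temperatures are constructed.

```python
"""Thot signal chain sketch: RTD -> ALS 4-20 mA output -> Tricon validation and averaging.

Follows items 9 and 10 of section 2.2.3. Every numeric constant, the additive
streaming correction and the median-based deviation test are assumptions made
for this example; the design document does not specify them.
"""
from statistics import mean, median

LOW_SCALE_F, HIGH_SCALE_F = 530.0, 650.0  # assumed narrow-range span, deg F
OPEN_RTD_MA = 3.0         # assumed ALS output for an open or failed RTD
FAIL_THRESHOLD_MA = 3.5   # assumed Tricon signal-failure threshold (> OPEN_RTD_MA)
DEVIATION_LIMIT_F = 3.0   # assumed limit for "deviates excessively"


def als_output_ma(temp_f, rtd_ok=True):
    """ALS side: convert an RTD temperature to loop current (item 10)."""
    if not rtd_ok:
        return OPEN_RTD_MA  # down-scale: below the Tricon failure threshold
    # Off-scale temperatures pin at 4 mA or 20 mA; they are not failures.
    clamped = min(max(temp_f, LOW_SCALE_F), HIGH_SCALE_F)
    return 4.0 + 16.0 * (clamped - LOW_SCALE_F) / (HIGH_SCALE_F - LOW_SCALE_F)


def tricon_temp_f(current_ma):
    """Tricon side: return deg F, or None when the signal indicates RTD failure."""
    if current_ma < FAIL_THRESHOLD_MA:
        return None
    return LOW_SCALE_F + (current_ma - 4.0) * (HIGH_SCALE_F - LOW_SCALE_F) / 16.0


def group_average(currents_ma, streaming_f):
    """Average the three same-letter RTDs of one loop (one per thermowell).

    streaming_f holds one correction per thermowell, shared by the "A" and "B"
    RTD in that well. Returns None when fewer than two valid inputs remain.
    """
    corrected = []
    for well, current in enumerate(currents_ma):
        temp = tricon_temp_f(current)
        if temp is not None:
            corrected.append(temp + streaming_f[well])
    if len(corrected) == 3:
        ref = median(corrected)
        corrected = [t for t in corrected if abs(t - ref) <= DEVIATION_LIMIT_F]
    elif len(corrected) == 2 and abs(corrected[0] - corrected[1]) > DEVIATION_LIMIT_F:
        corrected = []  # two inputs disagree and nothing identifies the bad one
    return mean(corrected) if len(corrected) >= 2 else None


def loop_thot(a_currents_ma, b_currents_ma, streaming_f):
    """Loop Thot = average of the valid ThotA and ThotB; None if neither is valid."""
    groups = [group_average(a_currents_ma, streaming_f),
              group_average(b_currents_ma, streaming_f)]
    valid = [g for g in groups if g is not None]
    return mean(valid) if valid else None


# Constructed sample data: three thermowells reading 608/610/612 deg F with
# streaming corrections that normalize each well to the 610 deg F loop average.
WELL_TEMPS_F = [608.0, 610.0, 612.0]
STREAMING_F = [2.0, 0.0, -2.0]


def demo():
    """Run the fault cases discussed in items 9 and 10 and return the results."""
    healthy = [als_output_ma(t) for t in WELL_TEMPS_F]
    all_open = [als_output_ma(t, rtd_ok=False) for t in WELL_TEMPS_F]
    one_open = [als_output_ma(WELL_TEMPS_F[0], rtd_ok=False)] + healthy[1:]
    one_drifted = [als_output_ma(WELL_TEMPS_F[0] + 12.0)] + healthy[1:]
    return {
        "all healthy": loop_thot(healthy, healthy, STREAMING_F),
        "all B open, one A open": loop_thot(one_open, all_open, STREAMING_F),
        "one A drifted high": loop_thot(one_drifted, healthy, STREAMING_F),
        "two A open, all B open": loop_thot([OPEN_RTD_MA, OPEN_RTD_MA, healthy[2]],
                                            all_open, STREAMING_F),
        "shutdown at 200 F reads": tricon_temp_f(als_output_ma(200.0)),
    }


if __name__ == "__main__":
    for case, value in demo().items():
        print(f"{case}: {value}")
```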

2.2.4. Discussed but Omitted from PPS Replacement Scope

1. Calculate the average of all six (6) (two per well) Thot RTD's as inputs, eliminating the Eagle 21 streaming factors. This option reduces the maintenance effort required to track and maintain the streaming factors and the potential for human error when updating the streaming constants manually. However, this arrangement does not automatically remove a deviating input signal from the group average Thot and is thus less fault-tolerant than the existing system.
2. Another averaging arrangement was proposed that would input all six values to a single averaging/validation algorithm using streaming factors to normalize the input values to the average Thot. Invalid or deviating values would be rejected automatically. After discussion, this arrangement was not pursued further because the complexity of the algorithm and the effort required to validate it do not appear to be justified by the additional degree of fault tolerance to be gained over the proposed configuration.

2.3 REPLACEMENT SYSTEM DESIGN

2.3.1. PPS Rack assignments and electrical location codes are listed below:

Protection Set I (Racks 1-5): RNP1A, RNP1B, RNP1C, RNP1D, RNP1E

Protection Set II (Racks 6-10): RNP2A, RNP2B, RNP2C, RNP2D, RNP2E

Protection Set III (Racks 11-13): RNP3A, RNP3B, RNP3C

Protection Set IV (Racks 14-16): RNP4A, RNP4B, RNP4C

Physical equipment will be assigned to specific PPS racks during detailed design.

The existing Eagle 21 HMI units are located in Racks 5 (RNP1E), 9 (RNP2D), 12 (RNP3B) and 14 (RNP4A). These racks are expected to house the replacement PPS Maintenance Workstation and communications equipment:

Figure 2-8 PPS Equipment Rack Assignment Concept (Protection Sets 1 through 4, Racks 1-16; rack contents shown include Tricon, ALS-A, ALS-B, MWS, PRXM, RRXM and termination areas, each marked Class I or Class II)

Note: Equipment distribution subject to change per detailed design

2.3.2. Physical Modifications

1. Protection Racks 1-16
  • Remove all equipment
  • Rework structure of existing cabinets to support new Tricon and ALS chassis and field termination panels and to satisfy the seismic requirements
  • Install new protection set electronics and I/O power supplies
  • Install isolators for signals that require independence from the replacement PPS (See Section 2.2.3)
  • Install network switches, media converters, Net Optics port aggregator network taps, hubs, gateway computers and maintenance terminals/system printers
  • Install Maintenance Workstation (MWS) in each Protection Set
  • Remove Main Annunciator System ac/dc converters from PPS alarm outputs.
2. PPS Field Wiring
  • Remove Feedwater Flow signals from PPS. These signals are non-safety-related and will be input to the Digital Feedwater System (DFWCS) to provide the Steam Flow/Feedwater Flow Mismatch alarms.
  • Remove Steam Flow/Feedwater Flow Mismatch alarms from PPS. These alarms will be generated in the non-safety-related DFWCS.
  • Bistable wiring to SSPS Train A and Train B Input cabinets 1-4 will not be changed.
  • 120 Vac power wiring to Racks 1-16 will not be changed
  • Install other 120 Vac power wiring as needed
  • Install Ethernet Cable from port aggregator media converter to Gateway computer network hub
3. Operator Interface
  • PPS uses existing hardwired devices located on the Main Control Room Vertical Boards and Control Console.
  • The PPS will share a Maintenance Workstation (MWS) on CC4 that will be installed by the Process Control System (PCS) replacement project for system health displays.
4. Special Tests
  • During SAT, verify that information flowing between NetOptics port aggregator network tap Ports A and B is copied to Port 1 and that no communications are permitted to take place from Port 1 to either Port A or Port B.
  • During PMT, measure as-found and as-left Total Harmonic Distortion (THD) on power supply at the PPS 120 Vac power supply input terminals before and after installation of equipment powered from the vital busses. Refer to USNRC Reg. Guide 1.180 for guidance [3.1.26].

2.3.3. External System Interfaces

1. Power Supply
  • Each PPS Protection Set will be powered from a separate 120 VAC vital bus via a Class 1E uninterruptible power supply.
  • Each PPS Protection Set will be provided with a 120 VAC control grade (non-vital) utility power source.
2. I/O Power Supplies
  • Each PPS Protection Set will be provided with adjustable redundant loop power supplies capable of powering all 4-20 mA instrument input loops associated with that Protection Set. Operating voltage will be selected to power instrument loops without exceeding voltage limitations of instrument loop sensors (transmitters) being utilized for the higher loop resistances resulting from addition of isolators and input signal taps.
  • Analog 4-20 mA output loops will be powered by redundant 24 Vdc power supplies.
  • All Discrete inputs and outputs will be powered by redundant 24 Vdc power supplies separate from those used for analog output loops.
  • Failure of any power supply will be alarmed
3. Digital Feedwater Control System (DFWCS)
  • The existing PPS provides a pressure-compensated Steam Flow signal to the DFWCS. The replacement PPS will provide an isolated, uncompensated steam flow signal to the DFWCS directly from the PPS transmitter input loop. The DFWCS application must be modified to provide Steam Flow pressure compensation.
4. Main Annunciator System Interface
  • The Main Annunciator provides non-vital 125 VDC for interrogation of alarm output contacts.
  • Existing PPS outputs to the MAS will be modified to dry contacts. The existing ac/dc converters on the PPS outputs to the MAS will be deleted.
  • Additional outputs to the MAS will be provided as described in the FRS and IRS
5. Operator Interface
  • The existing operator interface using control panel mounted switches and indicators will be maintained.
6. Maintenance Interface
  Each safety division is provided with a dedicated non-safety-related Maintenance Workstation (MWS) for this purpose. Details regarding safety-related/non-safety-related communications are provided in Section 2.3.4.
7. Solid State Protection System Interface
  As determined by the detailed design change process, certain 120 Vac SSPS input relays (including, but not limited to Turbine Impulse Pressure Interlock P13 and input relays fed from the ALS) may be replaced with 24 VDC devices.


8. Nuclear Instrumentation System Interface
  Existing interfaces with the Nuclear Instrumentation System are unaffected by this change.
9. Auxiliary Safeguards Cabinets (RNASA/RNASB) Interface
  Existing interfaces with the Auxiliary Safeguards Cabinets are unaffected by this change except that it may be necessary to replace 120 VAC energize to trip relays with 24 VDC devices for Triconex outputs because Triconex does not provide a 120 VAC supervised digital output (SDO) module.
10. Auxiliary Relay Cabinets (RNARA/RNARB) Interface
  Existing interfaces with the Auxiliary Relay Cabinets are unaffected by this change.

Figure 2-9 PPS Replacement Architecture Concept

Nola t: SOPS is w"ira *quipmwnt No* 2- OlaifqM.isoiatiosi dioc. Is b toed~ Intunnmnt clu m. as shown on lineumst Sch am~

NorSewal. Clame 10PAM ftmonsf obtain thak signals **oty from the Ciess t iVu loop. No isolabon tonoose* because 11hvyst lowp Vis ftc~ cleawksibtaon DOWISM marPrgikda in the IRS.

Note 4: The hardwired TAB Enable switch prevents the ALS Service Unit (ASU) function (performed in the PPS replacement MWS) from communicating with the ALS except when the switch is activated.

2.3.4. PPS Data Communications

USNRC DI&C ISG 4 [3.1.16] defines interdivisional communications as communications among different safety divisions or between a safety division and a non-safety entity such as the MWS. Bidirectional communications among safety divisions and between safety and non-safety equipment are acceptable provided certain restrictions are enforced to ensure that there will be no adverse impact on safety systems.

Figure 2-13 illustrates a communications architecture that meets the intent of USNRC DI&C ISG 4 Staff Position 1, Interdivisional Communications. When used with the typical function block logic in Figure 2-16, the proposed architecture ensures that communications between a safety division and non-safety equipment that resides within the division adhere to the guidance described in the ISG 4 Staff Position. No data is communicated between redundant safety divisions. The non-safety-related Maintenance Workstation (MWS) within a redundant safety division communicates only with the safety-related controllers within that division.

The Tricon is isolated from the Gateway computer by the qualified safety-related Triconex Communications Module (TCM). Fiber optic cable electrically isolates the Tricons from external non-safety-related devices. An additional data isolation device such as a NetOptics network port aggregator tap permits two-way communications between the Maintenance Workstation belonging to a specific protection set and the Tricon in that protection set, and ensures only one-way communication to the Gateway computer. Additional details are provided in the Triconex Topical Report [3.1.33].

The NetOptics port aggregator device shown in Figure 2-13 isolates the Gateway computer from the Tricon controllers. The NRC approved the device previously for a similar application in the Oconee RPS [3.1.34]. The device acts as a "data diode" or one-way tap that copies all traffic between its bidirectional ports to the read-only output port and prevents the flow of information from the output port back to either input port. The Gateway computer is a server that reads the information so copied, reformats it, and makes it available to the PPC.
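The one-way property described above, which Section 2.3.2 requires to be verified during SAT, can be checked offline from per-port captures. The sketch below is an added example, not part of the CDD or of any vendor tooling; the capture record format, the assignment of the MWS to Port A and the Tricon to Port B, and all payloads are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Frame:
    port: str        # "A" or "B" (bidirectional ports), "1" (read-only output port)
    direction: str   # "rx": entered the tap on this port; "tx": left the tap on it
    payload: bytes


def digest(payload: bytes) -> str:
    """Short content hash used to match the same frame across ports."""
    return hashlib.sha256(payload).hexdigest()[:12]


def check_tap(capture):
    """Return sorted (finding, digest, count) tuples; an empty list is a pass."""
    seen = {(p, d): Counter() for p in "AB1" for d in ("rx", "tx")}
    for frame in capture:
        key = (frame.port, frame.direction)
        if key not in seen:
            raise ValueError(f"unknown port/direction {key}")
        seen[key][digest(frame.payload)] += 1

    findings = []
    # Property 1: everything that entered on Port A or B is copied out of Port 1.
    expected = seen[("A", "rx")] + seen[("B", "rx")]
    for dg, n in (expected - seen[("1", "tx")]).items():
        findings.append(("not_copied_to_port_1", dg, n))
    # Property 2: Port A may only emit what entered on Port B, and vice versa.
    # Anything else leaving A or B came from Port 1 or from the tap itself.
    for out_port, in_port in (("A", "B"), ("B", "A")):
        extra = seen[(out_port, "tx")] - seen[(in_port, "rx")]
        for dg, n in extra.items():
            source = "port_1" if dg in seen[("1", "rx")] else "unknown_source"
            findings.append((f"{source}_to_port_{out_port}", dg, n))
    return sorted(findings)


# Constructed sample traffic (assumed roles: MWS on Port A, Tricon on Port B).
REQUEST = b"MWS to Tricon read request (constructed)"
RESPONSE = b"Tricon to MWS read response (constructed)"
INJECTED = b"frame offered to Port 1 by the Gateway side (constructed)"


def constructed_capture(leak=False):
    capture = [
        Frame("A", "rx", REQUEST), Frame("B", "tx", REQUEST), Frame("1", "tx", REQUEST),
        Frame("B", "rx", RESPONSE), Frame("A", "tx", RESPONSE), Frame("1", "tx", RESPONSE),
        Frame("1", "rx", INJECTED),          # test stimulus: must go nowhere
    ]
    if leak:
        capture.append(Frame("B", "tx", INJECTED))  # what a failed tap would show
    return capture


if __name__ == "__main__":
    print("healthy tap:", check_tap(constructed_capture()))
    print("leaking tap:", check_tap(constructed_capture(leak=True)))
```

Matching by multiset rather than by set keeps repeated identical polls from masking a dropped copy.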

The TxB1 ALS communication channel to the Gateway computer is serial, one-way and isolated by the CLB. It broadcasts data to the non-safety-related Gateway computer, which is common to all four protection sets, and does not receive any data, handshaking, or instructions from the Gateway computer. The TxB2 communication channel that transmits data to the non-safety-related Maintenance Workstation is also serial, one-way with no handshaking, and isolated at the CLB. A third serial communications channel enables Test ALS Bus (TAB) functions between Auxiliary Service Unit (ASU) maintenance software in the Maintenance Workstation and the ALS controller. This communication path is normally one-way, with two-way communications permitted only when a hardwired switch is activated to complete the communications circuit between the Maintenance Workstation and the ALS-A or ALS-B chassis. Additional details are provided in the ALS Topical Report [3.1.30].

2.3.5. Bypass and Test Features

The Process Protection System will permit any channel to be maintained in a bypassed condition, and when required, tested during power operation without initiating a protective action at the system level. This is accomplished without lifting electrical leads or installing temporary jumpers. The PPS will permit periodic testing during reactor power operation without initiating a protective action from the channel under test.

External trip switches are provided on PPS trip and actuation outputs per the detailed design. The switches may be used for SSPS input relay testing or to trip or actuate the channel manually if needed. Activation of the external trip switches is indicated in the control room through the SSPS partial trip indicators.

1. Tricon Features

On-line testing is controlled by safety processor logic enabled via an external safety-related hardwired Out of Service (OOS) switch. When the switch is activated, the safety-related function processor allows the associated instrument channel to be taken out of service while maintaining the remainder of the safety division operable. Features to limit inadvertent modification include, but are not limited to:

  • Approved procedures are required to perform testing operations.
  • Operation of the hardware switch alone will not place the channel out of service. At least two specific actions are also required at the Maintenance Workstation to perform the maintenance functions. In order to perform any test operation from the maintenance workstation, the user must:
    - Activate the OOS switch for the specific loop to be tested
    - Log in as a maintenance user on the maintenance workstation
    - Open the maintenance screen for the specific loop being tested
    - On the maintenance screen, request the action to be taken
    - On the maintenance screen, confirm the requested action (Loop is placed OOS only after the requested action is confirmed)
  • Feedback is provided to the user on the maintenance workstation that the hardware OOS switch for the loop to be tested has been activated.
  • Continuous indication is provided in the control room that a loop is OOS.
  • If the safety-related hardware out of service switch is not activated, non-safety-related actions or failures cannot adversely affect the safety-related function.
  • An instrument loop is not permitted to be bypassed if the external trip switch is in the trip position. The user may test in trip in this condition following request and confirmation as described above.

The block diagrams in Figure 2-15 through Figure 2-20 illustrate implementation of the Triconex test and bypass features described above.

The above methodology may be used to update parameters such as tuning constants that require periodic adjustment. Refer to Figure 2-21 for an example of the proposed parameter update logic.

  • The parameter values to be updated are limited by the software application to pre-determined ranges.
  • The Maintenance Workstation software application will request operator confirmation that the parameter update process is complete prior to saving the new tuning constant.
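The interlock sequence and the parameter limits described above can be modelled as a small state machine. This is an added sketch, not Triconex application logic or MWS software; the class and method names, the role string "maintenance", the loop tags and the limits are hypothetical, and re-reading the interlocks at confirmation time is an assumption of the sketch.

```python
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    IN_SERVICE = "in service"
    BYPASS = "bypass"
    TEST_IN_TRIP = "test in trip"


class Rejected(Exception):
    """A workstation request failed an interlock check."""


@dataclass
class Loop:
    tag: str
    limits: dict                       # parameter -> (low, high), fixed in the application
    tuning: dict = field(default_factory=dict)
    oos_switch: bool = False           # hardwired OOS switch for this loop
    trip_switch_in_trip: bool = False  # external trip switch position
    mode: Mode = Mode.IN_SERVICE


class MaintenanceSession:
    """Workstation side: it can only ask; the checks below decide."""

    ACTIONS = ("bypass", "test_in_trip", "set_param")

    def __init__(self, loop):
        self.loop, self.role, self.screen, self.pending = loop, None, None, None

    def login(self, role):
        self.role = role

    def open_screen(self, tag):
        self.screen = tag

    def _check(self, action, args):
        loop = self.loop
        if not loop.oos_switch:                      # hardware switch comes first
            raise Rejected("OOS switch not activated")
        if self.role != "maintenance":
            raise Rejected("not logged in as maintenance user")
        if self.screen != loop.tag:
            raise Rejected("maintenance screen for this loop is not open")
        if action not in self.ACTIONS:
            raise Rejected("unknown action")
        if action == "bypass" and loop.trip_switch_in_trip:
            raise Rejected("bypass not permitted with trip switch in trip")
        if action == "set_param":
            name, value = args.get("name"), args.get("value")
            if name not in loop.limits:
                raise Rejected("unknown parameter")
            low, high = loop.limits[name]
            if not isinstance(value, (int, float)) or not low <= value <= high:
                raise Rejected("value outside pre-determined range")

    def request(self, action, **args):
        self._check(action, args)
        self.pending = (action, args)    # nothing changes on the loop yet

    def confirm(self):
        if self.pending is None:
            raise Rejected("nothing requested")
        (action, args), self.pending = self.pending, None
        self._check(action, args)        # assumption: interlocks re-read at confirm
        if action == "bypass":
            self.loop.mode = Mode.BYPASS
        elif action == "test_in_trip":
            self.loop.mode = Mode.TEST_IN_TRIP
        else:
            self.loop.tuning[args["name"]] = args["value"]


def rejected(call, *a, **kw):
    """Run call; return the rejection reason, or None if it was accepted."""
    try:
        call(*a, **kw)
    except Rejected as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    loop = Loop("LOOP-X", limits={"gain": (0.5, 2.0)})   # constructed loop and limits
    mws = MaintenanceSession(loop)
    mws.login("maintenance")
    mws.open_screen("LOOP-X")
    print("switch off :", rejected(mws.request, "bypass"))
    loop.oos_switch = True
    print("request    :", rejected(mws.request, "bypass"), loop.mode.value)
    print("confirm    :", rejected(mws.confirm), loop.mode.value)
    print("bad value  :", rejected(mws.request, "set_param", name="gain", value=5.0))
```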

Tricon trip setpoints may be changed following this procedure but with a different login priority.

Figure 2-10 illustrates a DO loopback feature implemented in the Triconex portion of the PPS replacement, which enables the PPS to determine if the external trip switch is open, or if the DO channel is producing an erroneous output.


  • A PPS trouble alarm is generated if the comparator output is true (commanding an energized output) and the de-energize to trip DO loopback is sensed as de-energized unless the instrument loop is OOS.
  • A PPS failure alarm is generated if the de-energize to trip DO loopback is sensed as energized and the comparator output is false (commanding a de-energized output), whether or not the instrument loop is OOS.

Figure 2-10 Triconex Trip Loopback Concept (Typical for Deenergize to Trip Outputs)

Alarm Signals to MAS:
1. Trip Switch Open (Output deenergized with energize command)
2. Bistable Fault (Output energized with deenergize command)

Figure labels: PPS Set Trip Output, Loopback (Tricon Only), SSPS Input Relay, Manual TRIP Switch (1 - RESET, 0 - TRIP)

2. ALS Features

ALS bypass and test functions are accomplished through ALS Service Unit (ASU) software implemented in the MWS. The Test ALS Bus (TAB) Enable switch shown in Figure 2-13 must be activated to allow two-way communications on the TAB between the ALS chassis and the MWS.

External bypass switches are provided for the ALS-A and ALS-B partial trip outputs to enable one ALS diversity group to be bypassed for maintenance or testing without initiating a false trip or actuation, yet allowing the other ALS diversity group to initiate the trip or actuation if it is required while the other diversity group is bypassed.

The partial trip outputs from the ALS-A and ALS-B chassis are logically OR'd to drive the SSPS input relays. An external Line Sense Module (LSM) is used by the ALS logic to perform continuous error check for detecting the following conditions:

  • Failure to Trip on Demand
  • Trip without Demand
  • Failure to Bypass
  • Illegal Bypass

Configuration of the LSM for use in an Energize to Trip (ETT) or Deenergize to Trip (DTT) circuit is done through field wiring terminations on the LSM and does not require any modification of any electrical properties of the LSM itself. Thus, a single LSM can be used in an ETT or DTT circuit without the need to electrically configure the module for the trip circuit type before use. This allows a single part number to be used to provide spares for both ETT and DTT circuit configurations.

Figure 2-11 illustrates a DTT Configuration concept using LSM, and Figure 2-12 provides an overview of how the LSM is used in an ETT circuit configuration.

The manual bypass switches allow one ALS diversity Group (ALS-A or ALS-B) to be bypassed and removed from service without tripping the channel. The manual trip switch is used to trip the channel in the unlikely event that both ALS diversity groups are inoperable.

Figure 2-11 ALS-A and ALS-B Deenergize to Trip OR Configuration Concept (De-energize-To-Trip Configuration)

Figure 2-12 ALS-A and ALS-B Energize to Trip OR Configuration Concept

NOTES:
1. Normally Open, Open to Alarm
2. Normally Open, Close to Actuate

Note: Manual Trip switch as required by detailed design

2.3.6. System Classification

The Plant Protection System is classified as safety-related Instrument Class IA, PG&E Design Class I, Diablo Canyon Quality Class Q per DCM S-38A [3.2.2] and DCM T-24 [3.2.4].

The PPS provides outputs to non-safety-related control systems and indication instruments through qualified isolators to be provided by PG&E. Class IA instruments are analogous to electrical devices designated as Electrical Class 1E per IEEE-308-1971.

2.3.7. Software Integrity Level (SIL)

The replacement PPS application software is assigned Software Integrity Level (SIL) 4 [IEEE 1012-1998 Reference 3.1.4] because it is directly associated with nuclear-safety-related Reactor Trip and Engineered Safety Features functions.

2.3.8. Application Software Development and Configuration Management

PPS application software will be developed by the subsystem suppliers, Invensys/Triconex and Westinghouse/CSI under their approved QA programs. Software configuration management during development will be performed according to their approved procedures. Details are provided in the respective Topical Reports [3.1.30] and [3.1.31].

2.3.9. Seismic and Environmental Qualification

The Triconex Tricon Programmable Logic Controller (PLC) will be qualified per the Topical Report [3.1.31] issued in September 2009 that was updated for the Version 10 Tricon as well as addressing current regulatory issues. The Topical Report is currently under NRC review.

The Westinghouse/CSI Advanced Logic System (ALS) will be qualified per the Topical Report [3.1.30], which describes generic qualification of the ALS for safety-related applications in nuclear power plants. The ALS Topical Report is currently under NRC review.

PG&E will design the installation to ensure that the response spectra to which the equipment is subjected do not exceed seismic qualification levels.

2.3.10. Electromagnetic Compatibility

The Tricon and Westinghouse/CSI portions of the replacement PPS will be qualified for the electromagnetic environment (Emissions and susceptibility, including grounding methods) as described in the respective Topical Reports.

2.3.11. Secure Development Environment

PPS application software will be developed by the subsystem suppliers, Invensys/Triconex and Westinghouse/CSI under their approved QA programs. Maintenance of a secure development environment is described in the respective Topical Reports.

Safety division software is protected from alteration while the safety division is in operation as discussed in the Triconex and ALS Topical Reports.

Figure 2-13 Eagle 21 Replacement PPS Class II Communications Architecture

Figure labels: To Control Room HMI (CC4); To PDN/PPC; RS-422 Cu from ALS (Prot Sets I through IV, ALS "A" and ALS "B"); From Prot Set IV Port Aggregator Tap 100BaseT; Class II RS-422 Cu to Gateway Computer (Typ for ALS "A" and ALS "B"); Triplicated RS-485 Class I I/O Bus (Copper)

Legend: Class I Multi-Mode Optical Fiber; RS-422/RS-485 Serial or 100BaseT Copper; 4-20 mA Analog Copper

2.4 DIVERSITY AND DEFENSE-IN-DEPTH (D3)

2.4.1. Diversity & Defense-in-Depth Strategy

The PPS Replacement Diversity and Defense in Depth Topical Report (TR) [3.2.1] reevaluated DCPP FSAR Chapter 15 events where the Eagle 21 SER took credit for the Eagle 21 PPS for both primary and backup protection. The D3 Topical Report identified sufficient available automatic means to prevent software CCF from adversely affecting the mitigation of all concurrent FSAR Chapter 15 accidents or events, with three exceptions. These events required manual action by the operator to mitigate the event [3.1.18]. The exceptions are:

1. Loss of forced reactor coolant flow in a single loop above P-8 as indicated by two out of three (2oo3) reactor coolant flow channels indicating low;
2. RCS depressurization, including Steam Generator Tube Rupture (SGTR), Steam Line Break (SLB) and Loss of Coolant Accident (LOCA) indicated by low Pressurizer pressure; and
3. Large Break LOCA and SLB indicated by high containment pressure.

The USNRC position regarding D3 is documented in BTP HICB-19 [3.1.12]. Digital I&C (DI&C) Interim Staff Guidance (ISG) document DI&C-ISG-02 [3.1.15] discusses acceptable methods for implementing diversity and defense-in-depth in digital I&C system designs involving the reactor protection system. Staff Position 1 in ISG-02 states that the use of automation for protective actions is considered to provide a high level of licensing certainty, compared to reliance on manual operator actions.

For each event that the Eagle 21 SER credited manual operator actions for accident mitigation in the presence of a concurrent CCF, Table 2-1 identifies the PPS functions that will be performed automatically by the ALS subsystem. The built-in diversity of the ALS subsystem ensures that the replacement PPS will perform these functions automatically in the presence of a postulated CCF without an adverse impact on the operator's ability to diagnose the event or perform previously credited manual actuation activities.

Each protection set in the proposed PPS provides two complete and diverse execution paths "A" and "B" comprised of the Core Logic Boards (CLB), input boards and output boards shown in Figure 2-14. The paths are developed by independent design teams and verified and validated by independent V&V teams.

The "A" and "B" execution path outputs are combined in hardwired logic as shown in Figure 2-14 to ensure that the protective action is taken if directed by either path. A single failed path cannot prevent a protective action. Either CLB will identify itself as failed and set its outputs to a fail-safe state before halting operation if it detects a mismatch between the outputs of its diverse logic cores. Refer to the ALS Topical Report [3.1.30] for additional information.

NRC approved the above approach in the SER for the Diablo Canyon D3 Topical report [3.1.36]. The SER identifies some additional areas that PG&E should address in its related license amendment request to support the digital upgrade of the DCPP PPS.

Figure 2-14 ALS Built In Diversity Architecture (panels: De-energize to Trip Configuration; Energize to Trip Configuration)

Note: Manual Trip switch as required by detailed design

The figures above illustrate how the partial trip outputs from the ALS-A and ALS-B chassis are logically OR'd to drive the SSPS input relays. Section 2.3.5 provides information regarding the external Line Sense Module (LSM) used in the ALS subsystem to simplify field wiring, perform continuous error checks, and to facilitate maintenance and testing functions.

Table 2-1 Primary Protection System Functions Performed by ALS Sub-System

DCPP Event Low PZR High PZR SI/RT High Cont. Cont. Cont. Cont. RCS FSARU Pressure Pressure Pressure SI Isolation Isolation Spray Low Section SI RT (Note 1) A B Flow RT

15.2.5 Loss of Forced RCS Flow X
15.2.13 RCS Depressurization X
15.3.1 SBLOCA/ 15.4.1 LBLOCA X X
15.4.2.1 Steam Line Break X X X X
15.4.2.2 Main Feed Pipe Rupture
15.4.3 SG Tube Rupture X X

Note 1: Automatic Reactor Trip occurs on safety injection due to low pressurizer pressure or high containment pressure

2.4.2. Elimination of Potential Protection/Control Interaction

The proposed replacement PPS utilizes separate qualified isolation devices that are independent from the PPS for post-accident monitoring and inputs to the non-safety-related control systems to prevent a common cause failure in the software-based replacement PPS from causing a control system excursion that requires mitigation from the failed protection system. Refer to Figure 2-3 and Figure 2-9. These measures improve defense-in-depth and minimize the likelihood that failure in one system could affect other systems.

The four loop Tavg signals are exceptions to the prohibition against digital processing of signals in the replacement PPS prior to their being used in a control system. The Thot and Tcold RTD signals are processed by the ALS because Triconex does not supply a qualified RTD input board. The ALS provides self-diagnostic functions as well as more stable and accurate signal processing than is available with stand-alone signal converter modules.

Isolated analog Thot and Tcold signals are transmitted from the ALS to the Tricon by 4-20 mAdc analog signals. The Tricon uses these signals internally for the DTTA trip functions and also distributes them through qualified isolation devices to the reactor control system.

In accordance with 10 CFR 50.62 [3.1.19], inputs to the AMSAC are independent of any digital signal processing prior to their being used by the AMSAC. When the AMSAC is replaced, the replacement system will be diverse from the proposed replacement PPS in accordance with the requirements of 10 CFR 50.62 [3.1.19].

Figure 2-15 Out of Service Switches

Note: The switches shown are for the prototype Process Control System. The switches in the production systems will be provided with protective covers to prevent inadvertent operation.

Figure 2-16 Typical PPS Replacement Loop Pseudo Function Block Diagram - Loop in Service (Not applicable to ALS subsystem)

Figure 2-17 Loop Out of Service - No Request from MWS (Not applicable to ALS subsystem)

Figure 2-18 Analog Output in Test from MWS (Not applicable to ALS subsystem)

Figure 2-19 Discrete Output Test in Trip from MWS (Not applicable to ALS subsystem)

Figure 2-20 Discrete Output Test in Bypass from MWS (Not applicable to ALS subsystem)

Figure 2-21 Parameter Update from MWS (Not applicable to ALS subsystem)

Legend (Figures 2-16 through 2-21): OOS - Out Of Service; OOR - Out Of Range

Note 1: Input 1 tracks Output when Input 0 is selected (bumpless transfer to test mode).

Process Protection System Replacement Rev 4 Conceptual Design Document Page 34 of 54 3 References 3.1 INDUSTRY STANDARDS AND REGULATORY GUIDANCE 3.1.1. 10 CFR 50 Appendix B Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants 3.1.2. IEEE STD 279-1971 Criteria for Protection Systems for Nuclear Power Generating Stations 3.1.3. IEEE STD 603-1991 IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations 3.1.4. IEEE STD 1012-1998 Standard for Software Verification and Validation 3.1.5. IEEE STD 1050-1996 Guide for Instrumentation and Control Equipment Grounding in Generating Stations 3.1.6. IEEE STD 7-4.3.2-2003 Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations 3.1.7. NUREG 0800 Appendix 7.1-C, "Guidance for Evaluation of Conformance to IEEE Std. 603" 3.1.8. NUREG 0800, HICB-1 1 Isolation Devices 3.1.9. NUREG 0800, HICB-14 Software Reviews 3.1.10. NUREG 0800, HICB-17, Self-Test and Surveillance Test Provisions 3.1.11. NUREG 0800, HICB-18, Programmable Logic Controllers 3.1.12. NUREG 0800, HICB-19, "Guidance for Evaluation of Defense-in-Depth and Diversity in Digital Computer-Based Instrumentation and Control Systems" 3.1.13. NUREG 0800, HICB-21, Real-Time Performance 3.1.14. NUREG/CR-6303 Method for Performing Diversity and Defense-in-Depth Analyses of Reactor Protection Systems 3.1.15. NRC DI&C ISG-02 United States Nuclear Regulatory Commission (USNRC) Digital Instrumentation and Controls Task Working Group #2, "Diversity and Defense-in-Depth Issues Interim Staff Guidance," (2008).

3.1.16. NRC DI&C ISG-04 United States Nuclear Regulatory Commission (USNRC) Digital Instrumentation and Controls Task Working Group #4, "Highly Integrated Control Rooms Digital Communications Systems (HICRc), Rev 1, March 2009 3.1.17. WCAP 7306 Westinghouse Electric Corporation, "Reactor Protection System Diversity in Westinghouse Pressurized Reactors," (1969) Non-Proprietary Class 3

3.1.18. USNRC Safety Evaluation Report Eagle 21 Reactor Protection System Modification With Bypass Manifold Elimination, PG&E, Diablo Canyon Power Plant, (October 7, 1993)

3.1.19. 10 CFR 50.62 Requirements for Reduction of Risk from Anticipated Transients without Scram (ATWS) Events for Light-Water-Cooled Nuclear Power Plants

3.1.20. USNRC Safety Evaluation Report for Wolf Creek Nuclear Operating Company (WCNOC) Main Steam and Feedwater Isolation System (MSFIS), Accession Number ML090610317

3.1.21. USNRC, Regulatory Guide 1.97, Rev. 3 Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident

3.1.22. EPRI, TR-107330 Generic Requirements Specification for Qualifying a Commercially Available PLC for Safety-Related Applications in Nuclear Power Plants, February 1998

3.1.23. EPRI, TR-1000799 Generic Qualification of the Triconex Corporation Tricon Triple Modular Redundant Programmable Logic Control System for Safety-Related Applications in Nuclear Power Plants, November 2000

3.1.24. EPRI, TR-1003114 Safety Evaluation Report, issued by Nuclear Regulatory Commission to Triconex on the Triconex Platform, December 12, 2001

3.1.25. USNRC, RG 1.152 Criteria for Digital Computers in Safety Systems of Nuclear Power Plants

3.1.26. USNRC, RG 1.180, Rev 1 Guidelines for Evaluating Electromagnetic and Radio-Frequency Interference in Safety-Related Instrumentation and Control Systems

3.1.27. USNRC, RG 1.168 Verification, Validation, Reviews and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants

3.1.28. USNRC, RG 1.169 Configuration Management Plans for Digital Computer Software Used in Safety Systems of Nuclear Power Plants

3.1.29. USNRC, RG 1.171 Software Unit Testing for Digital Computer Software Used in Safety Systems of Nuclear Power Plants

3.1.30. CS Innovations 6002-00301, CS Innovations ALS Topical Report and Supporting Documents Submittal, July 29, 2010 (ADAMS Accession No. ML102160471)

3.1.31. Triconex Corporation Topical Reports 7286-545, "Qualification Summary Report" and 7286-546, "Amendment 1 to Qualification Summary Report," Revision 1 published as EPRI TR-1000799, "Generic Qualification of the Triconex Corporation TRICON Triple Modular Redundant Programmable Logic Controller System for Safety-Related Applications in Nuclear Power Plants," November 2000

3.1.32. USNRC Letter from Stuart A. Richards (NRC) to Troy Martel (Triconex Corporation), "Review of Triconex Corporation Topical Reports 7286-545, "Qualification Summary Report" and 7286-546, "Amendment 1 to Qualification Summary Report," Revision 1" December 11, 2001 published as EPRI TR-1003114 ADAMS Accession Number ML013470433

3.1.33. Invensys/Triconex "Nuclear Safety-Related Qualification of the Tricon TMR Programmable Logic Controller (PLC) - Update to Qualification Summary Report Submittal and "Application for withholding Proprietary Information from Public Disclosure," September, 2009

3.1.34. USNRC Oconee, Units 1, 2 & 3, Issuance of Amendment Nos. 366, 368, and 367, Reactor Protective System and Engineered Safeguard Protection System Digital Upgrade.

3.1.35. 10 CFR 100 Reactor Site Criteria

3.1.36. USNRC Diablo Canyon Power Plant, Unit Nos. 1 and 2 - Safety Evaluation for Topical Report, "Process Protection System Replacement Diversity & Defense-In-Depth Assessment" (TAC Nos. ME4094 And ME4095), dated April 19, 2011 (ADAMS Accession No. ML110480845)

3.2 PG&E DOCUMENTS

3.2.1. PG&E Topical Report Process Protection System Replacement Diversity & Defense-in-Depth Assessment, Rev 1, August, 2010

3.2.2. PG&E DCM S-38A Plant Protection System

3.2.3. PG&E DCM T-19 Design Criteria for Electrical Separation and Isolation

3.2.4. PG&E DCM T-24 Design Criteria for DCPP Instrumentation and Controls

3.3 PRIMARY (DESIGN BASIS) DRAWING REFERENCES

Protection Set I

Instr. No. Description Existing Unit 1 Instr. Schematic Existing Unit 2 Instr. Schematic
FT-414 Reactor Coolant Flow Loop 1 102032-17A 108032-17A
FT-424 Reactor Coolant Flow Loop 2 102032-17D 108032-17D
FT-434 Reactor Coolant Flow Loop 3 102032-17G 108032-17G
FT-444 Reactor Coolant Flow Loop 4 102032-17J 108032-17J
FT-510 Loop 1 Feedflow 102036-3D 108036-3D
FT-512 Loop 1 Steamflow 102036-3S 108036-3S

FT-520 Loop 2 Feedflow 102036-3E 108036-3E
FT-522 Loop 2 Steamflow 102036-3T 108036-3T
FT-530 Loop 3 Feedflow 102036-3F 108036-3F
FT-532 Loop 3 Steamflow 102036-3U 108036-3U
FT-540 Loop 4 Feedflow 102036-3G 108036-3G
FT-542 Loop 4 Steamflow 102036-3V 108036-3V
LT-459 PZR Level 102036-7C 108036-7C
LT-529 S/G 2 Level 102036-4P 108036-4P
LT-539 S/G 3 Level 102036-4Q 108036-4Q
NE-41A DTTA Loop 1 Upper (Neutron) Flux 102036-29G 108036-29G
NE-41B DTTA Loop 1 Lower (Neutron) Flux 102036-29G 108036-29G
PT-455 Loop 1 PZR Pressure 102036-7 108036-7
PT-505 Turbine Impulse Pressure 102036-4U 108036-4U
PT-514 Loop 1 Steamline Pressure 102036-3S 108036-3S
PT-524 Loop 2 Steamline Pressure 102036-3T 108036-3T
PT-534 Loop 3 Steamline Pressure 102036-3U 108036-3U
PT-544 Loop 4 Steamline Pressure 102036-3V 108036-3V
PT-937 Containment Pressure 102034-12B 108034-12B
TE-410A DTTA Loop 1 Thot-1A 102036-7L 108036-7L
TE-410B DTTA Loop 1 Tcold-1 102036-7L 108036-7L
TE-410C DTTA Loop 1 Thot-1B 102036-7L 108036-7L
TE-411A DTTA Loop 1 Thot-2A 102036-7L 108036-7L
TE-411B DTTA Loop 1 Tcold-2 102036-7L 108036-7L
TE-411C DTTA Loop 1 Thot-2B 102036-7L 108036-7L
TE-412A DTTA Loop 1 Thot-3A 102036-7L 108036-7L
TE-412C DTTA Loop 1 Thot-3B 102036-7L 108036-7L
TE-413A WR Temperature Loop 1 Hot Leg 102035-6D 108035-6D
TE-413B WR Temperature Loop 1 Cold Leg 102035-6D (1) 108035-6D
TE-423A WR Temperature Loop 2 Hot Leg 102035-6E 108035-6E
TE-423B WR Temperature Loop 2 Cold Leg 102035-6E 108035-6E

Notes:
(1) per T-MOD 50229619

Protection Set II

Instr. No. Description Existing Unit 1 Instr. Schematic Existing Unit 2 Instr. Schematic
FT-415 Reactor Coolant Flow Loop 1 102032-17B 108032-17B
FT-425 Reactor Coolant Flow Loop 2 102032-17E 108032-17E
FT-435 Reactor Coolant Flow Loop 3 102032-17H 108032-17H
FT-445 Reactor Coolant Flow Loop 4 102032-17K 108032-17K
FT-511 Loop 1 Feedflow 102036-3H 108036-31H
FT-513 Loop 1 Steamflow 102036-3W 108036-3W

FT-521 Loop 2 Feedflow 102036-31 108036-31
FT-523 Loop 2 Steamflow 102036-3X 108036-3X
FT-531 Loop 3 Feedflow 102036-3J 108036-3J
FT-533 Loop 3 Steamflow 102036-3Y 108036-3Y
FT-541 Loop 4 Feedflow 102036-3K 108036-3K
FT-543 Loop 4 Steamflow 102036-3Z 108036-3Z
LT-460 PZR Level 102036-7G 108036-7G
LT-519 S/G 1 Level 102036-40 108036-40
LT-549 S/G 4 Level 102036-4R 108036-4R
NE-42A DTTA Loop 2 Upper (Neutron) Flux 102036-291 108036-291
NE-42B DTTA Loop 2 Lower (Neutron) Flux 102036-291 108036-291
PT-456 Loop 2 PZR Pressure 102036-7H 108036-7H
PT-506 Turbine Impulse Pressure 102036-4V 108036-4V
PT-515 Loop 1 Steamline Pressure 102036-3W 108036-3W
PT-525 Loop 2 Steamline Pressure 102036-3X 108036-3X
PT-535 Loop 3 Steamline Pressure 102036-3Y 108036-3Y
PT-545 Loop 4 Steamline Pressure 102036-3Z 108036-3Z
PT-936 Containment Pressure 102034-12C 108034-12C
TE-420A DTTA Loop 2 Thot-1A 102036-7P 108036-7P
TE-420B DTTA Loop 2 Tcold-1 102036-7P 108036-7P
TE-420C DTTA Loop 2 Thot-1B 102036-7P 108036-7P
TE-421A DTTA Loop 2 Thot-2A 102036-7P 108036-7P
TE-421B DTTA Loop 2 Tcold-2 102036-7P 108036-7P
TE-421C DTTA Loop 2 Thot-2B 102036-7P 108036-7P
TE-422A DTTA Loop 2 Thot-3A 102036-7P 108036-7P
TE-422C DTTA Loop 2 Thot-3B 102036-7P 108036-7P
TE-433A WR Temperature Loop 3 Hot Leg 102035-6F 108035-6F
TE-433B WR Temperature Loop 3 Cold Leg 102035-6F 108035-6F
TE-443A WR Temperature Loop 4 Hot Leg 102035-6G 108035-6G
TE-443B WR Temperature Loop 4 Cold Leg 102035-6G 108035-6G

Protection Set III

Instr. No. Description Existing Unit 1 Instr. Schematic Existing Unit 2 Instr. Schematic
FT-416 Reactor Coolant Flow Loop 1 102032-17C 108032-17C
FT-426 Reactor Coolant Flow Loop 2 102032-17F 108032-17F
FT-436 Reactor Coolant Flow Loop 3 102032-171 108032-171
FT-446 Reactor Coolant Flow Loop 4 102032-17L 108032-17L
LT-461 PZR Level 102036-7J 108036-7J
LT-518 S/G 1 Level 102036-4 108036-4
LT-528 S/G 2 Level 102036-4A 108036-4A
LT-538 S/G 3 Level 102036-4B 108036-4B
LT-548 S/G 4 Level 102036-4C 108036-4C
NE-43A DTTA Loop 3 Upper (Neutron) Flux 102036-29K 108036-29K
NE-43B DTTA Loop 3 Lower (Neutron) Flux 102036-29K 108036-29K
PT-403 Wide Range Pressure Loop 4 102034-7A 108034-7A
PT-403A Wide Range Pressure Loop 4 102034-7C 108034-7C
PT-457 Loop 3 PZR Pressure 102036-71 108036-71
PT-526 Loop 2 Steamline Pressure 102036-5F 108036-5F
PT-536 Loop 3 Steamline Pressure 102036-5G 108036-5G
PT-935 Containment Pressure 102034-12D 108034-12D
TE-430A DTTA Loop 3 Thot-1A 102036-7T 108036-7T
TE-430B DTTA Loop 3 Tcold-1 102036-7T 108036-7T
TE-430C DTTA Loop 3 Thot-1B 102036-7T 108036-7T
TE-431A DTTA Loop 3 Thot-2A 102036-7T 108036-7T
TE-431B DTTA Loop 3 Tcold-2 102036-7T 108036-7T
TE-431C DTTA Loop 3 Thot-2B 102036-7T 108036-7T
TE-432A DTTA Loop 3 Thot-3A 102036-7T 108036-7T
TE-432C DTTA Loop 3 Thot-3B 102036-7T 108036-7T

Protection Set IV

Instr. No. Description Existing Unit 1 Instr. Schematic Existing Unit 2 Instr. Schematic
LT-517 S/G 1 Level 102036-41 108036-41
LT-527 S/G 2 Level 102036-4J 108036-4J
LT-537 S/G 3 Level 102036-4K 108036-4K
LT-547 S/G 4 Level 102036-4L 108036-4L
NE-44A DTTA Loop 4 Upper (Neutron) Flux 102036-29M 108036-29M
NE-44B DTTA Loop 4 Lower (Neutron) Flux 102036-29M 108036-29M
PT-405 Wide Range Pressure Loop 3 102034-7B 108034-7B
PT-405A Wide Range Pressure Loop 4 102034-7D 108034-7D
PT-474 Loop 4 PZR Pressure 102036-7B 108036-7B
PT-516 Loop 1 Steamline Pressure 102036-5E 108036-5E
PT-546 Loop 4 Steamline Pressure 102036-5H 108036-5H
PT-934 Containment Pressure 102034-12E 108034-12E
TE-440A DTTA Loop 4 Thot-1A 102036-7X 108036-7X
TE-440B DTTA Loop 4 Tcold-1 102036-7X 108036-7X
TE-440C DTTA Loop 4 Thot-1B 102036-7X 108036-7X
TE-441A DTTA Loop 4 Thot-2A 102036-7X 108036-7X
TE-441B DTTA Loop 4 Tcold-2 102036-7X 108036-7X
TE-441C DTTA Loop 4 Thot-2B 102036-7X 108036-7X
TE-442A DTTA Loop 4 Thot-3A 102036-7X 108036-7X
TE-442C DTTA Loop 4 Thot-3B 102036-7X 108036-7X
TE-454 Pressurizer Vapor Temperature 102035-7B 108035-7B

4 PPS Racks and Channels

4.1 TRICON HARDWARE CONFIGURATION ITEMS

4.1.1. Safety-Related Triconex Configuration Items

1. Main Chassis
2. Deleted
3. RXM Chassis
4. MRXM, Primary Module
5. Main Processor Module
6. Power Supply Module (120 VDC/115 VAC)
7. Communications Module (TCM-FO)
8. Discrete Input Module 115VAC/DC
9. Discrete Input Module 24 VAC/DC
10. Discrete Output Module 115 VAC, Unsupervised
11. Deleted
12. Analog Input Module, Isolated
13. Analog Input Module, Differential
14. Analog Output Module
15. Deleted
16. Supervised Discrete Output Module, 24 VDC (Energize to trip outputs only)
17. External Termination Panels (ETP) and interconnection cables for above I/O Modules
18. AC power line filters

4.1.2. Non-Safety-Related Triconex Configuration Items

1. RXM Chassis
2. MRXM Remote Module
3. Power Supply Module (120 VDC/115 VAC)
4. Deleted
5. Discrete Output Module 115 VAC, Unsupervised
6. Deleted
7. Analog Output Module
8. Relay Output Module
9. Discrete Input Module 115VAC/DC
10. Discrete Input Module 24 VAC/DC
11. External Termination Panels (ETP) for above I/O Modules
12. Media converter (TCM output to port aggregator tap)
13. AC power line filters

4.2 ALS CONFIGURATION ITEMS

4.2.1. Safety-Related ALS Configuration Items (Typical for Logic Path A & B)

1. ALS CLB - Core Logic Board
2. ALS IPB - Input Board
3. ALS OPB - Output Board
4. ALS Rack and Cables

4.2.2. Non-Safety-Related ALS Configuration Items

1. ASU Software

4.3 PG&E CONFIGURATION ITEMS

1. Maintenance Video Display Unit and Software (Except ASU software provided by ALS)
2. Net Optics Port Aggregator Network Taps
3. OOS Toggle Switches
4. Manual Trip Toggle Switches
5. Bypass Toggle Switches
6. Media Converters (except Tricon TCM output to port aggregator tap by IOM)
7. Nominal 24 Vdc adjustable power supply for Tricon DI and DO loops
8. Nominal 24 Vdc adjustable power supply for Tricon AO loops
9. Nominal 40 Vdc adjustable power supply for Tricon AI loops
10. Nominal 24 Vdc adjustable 24-45 Vdc I/O power supply for ALS AI loops (except Pressurizer pressure, which is shared with the Tricon and powered by the Tricon loop PS). The ALS loops may use a combination of power supplies such as Items 8 and/or 9 as determined by the detailed design.
11. 48 Vdc ALS logic power supplies

4.4 PROTECTION SET I FUNCTIONS AND INSTRUMENT CLASSES

Table 4-1 Protection Set I Analog Output Functions

PROTECTION SET I ANALOG OUTPUT FUNCTIONS

INST. NO. INST. CLASS PROCESSOR DESCRIPTION

LT-459 Input IB,A,1 Note (1) PZR Level to LI-459A (VB2), LI-459B (HSP)

PT-514 Input IB,A,1 Note (1) LP 1 Steamline Press to PI-514A (VB3), PI-514B (HSP), ERFDS (VB4)

PT-524 Input IB,A,1 Note (1) LP 2 Steamline Press to PI-524A (VB3), PI-524B (HSP), ERFDS (VB4)

PT-534 Input IB,A,1 Note (1) LP 3 Steamline Press to PI-534A (VB3), PI-534B (HSP), ERFDS (VB4)

PT-544 Input IB,A,1 Note (1) LP 4 Steamline Press to PI-544A (VB3), PI-544B (HSP), ERFDS (VB4)

PT-937 Input IB,A,1 Note (1) Containment Pressure to PI-937 (VB1)

TE-410A IA ALS-A DTTA Loop 1 Thot-1A (to PS I Tricon)

TE-410B IA ALS-A DTTA Loop 1 Tcold-1 (to PS I Tricon)

TE-411A IA ALS-A DTTA Loop 1 Thot-2A (to PS I Tricon)

TE-412A IA ALS-A DTTA Loop 1 Thot-3A (to PS I Tricon)

TE-413A IB,A,1 ALS-A Loop 1 Hot Leg Temp (to PS I Tricon)

TE-413B IB,A,1 ALS-A Loop 1 Cold Leg Temp (to PS I Tricon)

FM-414B II ALS-A Reactor Coolant Flow Loop 1 to FI-414 (VB2)

FM-424B II ALS-A Reactor Coolant Flow Loop 2 to FI-424 (VB2)

TE-410C IA ALS-B DTTA Loop 1 Thot-1B (to PS I Tricon)

TE-411B IA ALS-B DTTA Loop 1 Tcold-2 (to PS I Tricon)

TE-411C IA ALS-B DTTA Loop 1 Thot-2B (to PS I Tricon)

TE-412C IA ALS-B DTTA Loop 1 Thot-3B (to PS I Tricon)

TE-423A IB,A,1 ALS-B Loop 2 Hot Leg Temp (to PS I Tricon)

TE-423B IA ALS-B Loop 2 Cold Leg Temp (to PS I Tricon)

FM-434B II ALS-B Reactor Coolant Flow Loop 3 to FI-434 (VB2)

FM-444B II ALS-B Reactor Coolant Flow Loop 4 to FI-444 (VB2)

FM-512 1 II Isolator Out Loop 1 Steamflow to DFWCS

FM-512 2 IB, D, 2 Isolator Out Loop 1 Steamflow to FI-512 (VB3) & ERFDS (VB1)

FM-522 1 II Isolator Out Loop 2 Steamflow to DFWCS

FM-522 2 IB, D, 2 Isolator Out Loop 2 Steamflow to FI-522 (VB3) & ERFDS (VB1)

FM-532 1 II Isolator Out Loop 3 Steamflow to DFWCS

FM-532 2 IB, D, 2 Isolator Out Loop 3 Steamflow to FI-532 (VB3) & ERFDS (VB4)

FM-542 1 II Isolator Out Loop 4 Steamflow to DFWCS

FM-542 2 IB, D, 2 Isolator Out Loop 4 Steamflow to FI-542 (VB3) & ERFDS (VB4)

LM-459 1 II Isolator Out PZR Level to PZR Level Control (Control Set 1, Control Set 2)

LM-529 1 II Isolator Out S/G 2 Level to LI-529 (VB3), DFWCS, AFW

LM-539 1 II Isolator Out S/G 3 Level to LI-539 (VB3), DFWCS, AFW

LM-539 2 II Isolator Out S/G 3 Level to AMSAC

PM-455 1 II Isolator Out PZR Pressure to PZR Pressure Control Set 1, PI-455A (VB2), PI-455B (HSP)

PM-505 1 II Isolator Out Turbine Impulse Pressure to AMSAC

PM-514 1 II Isolator Out Loop 1 Steamline Pressure to DFWCS

PM-524 1 II Isolator Out Loop 2 Steamline Pressure to DFWCS

PM-534 1 II Isolator Out Loop 3 Steamline Pressure to DFWCS

PM-544 1 II Isolator Out Loop 4 Steamline Pressure to DFWCS

TM-413A IB,A,1 Tricon Loop 1 Hot Leg Temp to TR-413 (VB2) & RVLIS (PAM4)

TM-413B IB,A,1 Tricon Loop 1 Cold Leg Temp to TR-413 (VB2)

TM-423A IB,A,1 Tricon Loop 2 Hot Leg Temp to TR-423 (VB2) & RVLIS (PAM4)

TM-423B IB,A,1 Tricon Loop 2 Cold Leg Temp to TR-423 (VB2)

FM-512D IA Tricon Loop 1 Steamflow to FM-512 2 (Isolator)

FM-522D IA Tricon Loop 2 Steamflow to FM-522 2 (Isolator)

FM-532D IA Tricon Loop 3 Steamflow to FM-532 2 (Isolator)

FM-542D IA Tricon Loop 4 Steamflow to FM-542 2 (Isolator)

PM-505A I Tricon Turbine Impulse Pressure to PI-505 (VB3)

TM-411E II Tricon Delta-T to TI-411A (VB2) & TM-411Q/R (R31)

TM-411F II Tricon Overpower Setpoint to T/411A (CC1) & TI-411B (VB2)

TM-411G II Tricon Overtemperature Setpoint to T/411A (CC1) & TI-411C (VB2)

TM-412F II Tricon Tavg to TI-412 (VB2) & TM-412G/R, TC-412A-H/R (R31)

Deleted Deleted Deleted Deleted

Note:

(1) From analog sensor input loop, isolation not required [Section 2.3.3]

Table 4-2 Protection Set I Discrete Output Functions

PROTECTION SET I DISCRETE OUTPUT FUNCTIONS

INST. NO. INST. CLASS PROCESSOR DESCRIPTION

FC-414 A IA ALS-A Loop 1 Low Flow Rx Trip (SSPS)

FC-424 A IA ALS-A Loop 2 Low Flow Rx Trip (SSPS)

FC-434 A IA ALS-A Loop 3 Low Flow Rx Trip (SSPS)

FC-444 A IA ALS-A Loop 4 Low Flow Rx Trip (SSPS)

PC-455A A IA ALS-A PZR Pressure High Rx Trip (SSPS)

PC-455B A IA ALS-A Unblock SI, P11 (SSPS)

PC-455C A IA ALS-A PZR Pressure Low Rx Trip (SSPS)

PC-455D A IA ALS-A PZR Pressure Low-Low SI (SSPS)

PC-455E A IA ALS-A PZR Pressure High - PORV (RNASA)

PC-937B A IA ALS-A Containment Press High-High Containment Spray, Ph B Isolation (SSPS)

Deleted

UY-PS1A DIV-A II ALS-A PS I Trouble Alarm (MAS)

UY-PS1B DIV-A II ALS-A PS I Channel in Bypass Alarm (MAS)

UY-PS1C DIV-A II ALS-A PS I Failure Alarm (MAS)

YC-937 A II ALS-A Containment Press High-High Channel in Test Alarm (MAS)

FC-414 B IA ALS-B Loop 1 Low Flow Rx Trip (SSPS)

FC-424 B IA ALS-B Loop 2 Low Flow Rx Trip (SSPS)

FC-434 B IA ALS-B Loop 3 Low Flow Rx Trip (SSPS)

FC-444 B IA ALS-B Loop 4 Low Flow Rx Trip (SSPS)

PC-455A B IA ALS-B PZR Pressure High Rx Trip (SSPS)

PC-455B B IA ALS-B Unblock SI, P11 (SSPS)

PC-455C B IA ALS-B PZR Pressure Low Rx Trip (SSPS)

PC-455D B IA ALS-B PZR Pressure Low-Low SI (SSPS)

PC-455E B IA ALS-B PZR Pressure High - PORV (RNASA)

PC-937B B IA ALS-B Containment Press High-High Containment Spray, Ph B Isolation (SSPS)

Deleted

UY-PS1A DIV-B II ALS-B PS I Trouble Alarm (MAS)

UY-PS1B DIV-B II ALS-B PS I Channel in Bypass Alarm (MAS)

UY-PS1C DIV-B II ALS-B PS I Failure Alarm (MAS)

YC-937 B II ALS-B Containment Press High-High Channel in Test Alarm (MAS)

LC-459A IA Tricon PZR Level High Rx Trip (SSPS)

LC-529A IA Tricon S/G 2 High-High Level Turbine Trip, FW Isolation P14 (SSPS)

LC-529B IA Tricon S/G 2 Low-Low Level Rx Trip & AFW Pump Start (SSPS)

LC-539A IA Tricon S/G 3 High-High Level Turbine Trip, FW Isolation P14 (SSPS)

LC-539B IA Tricon S/G 3 Low-Low Level Rx Trip & AFW Pump Start (SSPS)

PC-505A IA Tricon Turbine Impulse Pressure High to P13 (SSPS)

PC-514A IA Tricon Loop 1 Low Steamline Press SI & Steamline Isolation (SSPS)

PC-514C IA Tricon Loop 1 Steamline Press High Negative Rate Steamline Isolation (SSPS)

PC-524A IA Tricon Loop 2 Low Steamline Press SI & Steamline Isolation (SSPS)

PC-524C IA Tricon Loop 2 Steamline Press High Negative Rate Steamline Isolation (SSPS)

PC-534A IA Tricon Loop 3 Low Steamline Press SI & Steamline Isolation (SSPS)

PC-534C IA Tricon Loop 3 Steamline Press High Negative Rate Steamline Isolation (SSPS)

PC-544A IA Tricon Loop 4 Low Steamline Press SI & Steamline Isolation (SSPS)

PC-544C IA Tricon Loop 4 Steamline Press High Negative Rate Steamline Isolation (SSPS)

TC-411C IA Tricon OTDT Rx Trip (SSPS)

TC-411G IA Tricon OPDT Rx Trip (SSPS)

TC-412D IA Tricon Tavg Low-Low P12 (SSPS)

TC-412G IA Tricon Tavg Low Feedwater Isolation (SSPS)

TC-423A IA Tricon Loop 2 Cold Leg Temp. Low - LTOPS (RNASA)

Deleted Deleted Deleted Deleted

LY-529H II Tricon PS I S/G Low-Low Level TTD Timer Actuated Alarm (MAS)

Deleted

PC-505C II Tricon Turbine Low Power Interlock C5 (RNARA)

TC-411D II Tricon OTDT Interlock C3 (RNARA)

TC-411H II Tricon OPDT Interlock C4 (RNARA)

TY-411 TRICON II Tricon PS I DTTA RTD Failure Alarm (MAS)

UY-PS1A TRICON II Tricon PS I Trouble Alarm (MAS)

UY-PS1B TRICON II Tricon PS I Channel in Bypass Alarm (MAS)

UY-PS1C TRICON II Tricon PS I Failure Alarm (MAS)

4.5 PROTECTION SET II FUNCTIONS AND INSTRUMENT CLASSES

Table 4-3 Protection Set II Analog Output Functions

PROTECTION SET II ANALOG OUTPUT FUNCTIONS

INST. NO. INST. CLASS PROCESSOR DESCRIPTION

LT-460 Input IB,A,1 Note (1) PZR Level to LI-460A (VB2), LI-460B (HSP)

PT-515 Input IB,A,1 Note (1) Loop 1 Steamline Pressure to PI-515 (VB3), ERFDS (VB4)

PT-525 Input IB,A,1 Note (1) Loop 2 Steamline Pressure to PI-525 (VB3), ERFDS (VB1)

PT-535 Input IB,A,1 Note (1) Loop 3 Steamline Pressure to PI-535 (VB3), ERFDS (VB1)

PT-545 Input IB,A,1 Note (1) Loop 4 Steamline Pressure to PI-545 (VB3), ERFDS (VB1)

PT-936 Input IB,A,1 Note (1) Containment Pressure to PI-936 (VB1), ERFDS (VB1)

TE-420A IA ALS-A DTTA Loop 2 Thot-1A (to PS II Tricon)

TE-420B IA ALS-A DTTA Loop 2 Tcold-1 (to PS II Tricon)

TE-421A IA ALS-A DTTA Loop 2 Thot-2A (to PS II Tricon)

TE-422A IA ALS-A DTTA Loop 2 Thot-3A (to PS II Tricon)

TE-433A IB,A,1 ALS-A Loop 3 Hot Leg Temp (to PS II Tricon)

TE-433B IA ALS-A Loop 3 Cold Leg Temp (to PS II Tricon)

FM-415B II ALS-A Reactor Coolant Flow Loop 1 to FI-415 (VB2)

FM-425B II ALS-A Reactor Coolant Flow Loop 2 to FI-425 (VB2)

TE-420C IA ALS-B DTTA Loop 2 Thot-1B (to PS II Tricon)

TE-421B IA ALS-B DTTA Loop 2 Tcold-2 (to PS II Tricon)

TE-421C IA ALS-B DTTA Loop 2 Thot-2B (to PS II Tricon)

TE-422C IA ALS-B DTTA Loop 2 Thot-3B (to PS II Tricon)

TE-443A IB,A,1 ALS-B Loop 4 Hot Leg Temp (to PS II Tricon)

TE-443B IB,A,1 ALS-B Loop 4 Cold Leg Temp (to PS II Tricon)

FM-435B II ALS-B Reactor Coolant Flow Loop 3 to FI-435 (VB2)

FM-445B II ALS-B Reactor Coolant Flow Loop 4 to FI-445 (VB2)

FM-513 1 II Isolator Out Loop 1 Steamflow to DFWCS

FM-513 2 IB, D, 2 Isolator Out Loop 1 Steamflow to FI-513 (VB3) & ERFDS (VB1)

FM-523 1 II Isolator Out Loop 2 Steamflow to DFWCS

FM-523 2 IB, D, 2 Isolator Out Loop 2 Steamflow to FI-523 (VB3) & ERFDS (VB1)

FM-533 1 II Isolator Out Loop 3 Steamflow to DFWCS

FM-533 2 IB, D, 2 Isolator Out Loop 3 Steamflow to FI-533 (VB3) & ERFDS (VB4)

FM-543 1 II Isolator Out Loop 4 Steamflow to DFWCS

FM-543 2 IB, D, 2 Isolator Out Loop 4 Steamflow to FI-543 (VB3) & ERFDS (VB4)

LM-460 1 II Isolator Out PZR Level to PZR Level Control (Control Set 1, Control Set 2)

LM-519 1 II Isolator Out S/G 1 Level to LI-519 (VB3), DFWCS, AFW

LM-549 1 II Isolator Out S/G 4 Level to LI-549 (VB3), DFWCS, AFW

LM-549 2 II Isolator Out S/G 4 Level to AMSAC

PM-456 1 II Isolator Out PZR Pressure to PI-456 (VB2), PZR Pressure Control (Control Set 1)

PM-506 1 II Isolator Out Turbine Impulse Pressure to AMSAC

PM-515 1 II Isolator Out Loop 1 Steamline Pressure to DFWCS

PM-525 1 II Isolator Out Loop 2 Steamline Pressure to DFWCS

PM-535 1 II Isolator Out Loop 3 Steamline Pressure to DFWCS

PM-545 1 II Isolator Out Loop 4 Steamline Pressure to DFWCS

TM-433A IB,A,1 Tricon Loop 3 Hot Leg Temp to TR-433 (VB2) & RVLIS (PAM3)

TM-433B IB,A,1 Tricon Loop 3 Cold Leg Temp to TR-433 (VB2)

TM-443A IB,A,1 Tricon Loop 4 Hot Leg Temp to TR-443 (VB2) & RVLIS (PAM3)

TM-443B IB,A,1 Tricon Loop 4 Cold Leg Temp to TR-443 (VB2)

FM-513D IA Tricon Loop 1 Steamflow to FI-513 2 (Isolator)

FM-523D IA Tricon Loop 2 Steamflow to FI-523 2 (Isolator)

FM-533D IA Tricon Loop 3 Steamflow to FI-533 2 (Isolator)

FM-543D IA Tricon Loop 4 Steamflow to FI-543_2 (Isolator)

PM-506A II Tricon Turbine Impulse Pressure to PI-506 (VB3)

TM-421E II Tricon Delta-T to TI-421A (VB2) & TM-411Q2/R (R31)

TM-421F II Tricon Overpower Setpoint to T/411A (CC1) & TI-421B (VB2)

TM-421G II Tricon Overtemperature Setpoint to T/411A (CC1) & TI-421C (VB2)

TM-422F II Tricon Tavg to TI-422 (VB2) & TM-422G/R, TC-422A-H/R (R31)

Deleted Deleted Deleted Deleted

Note:

(1) From analog sensor input loop, isolation not required [Section 2.3.3]

Table 4-4 Protection Set II Discrete Output Functions

PROTECTION SET II DISCRETE OUTPUT FUNCTIONS

INST. NO. INST. CLASS PROCESSOR DESCRIPTION

FC-415 A IA ALS-A Loop 1 Low Flow Rx Trip (SSPS)

FC-425 A IA ALS-A Loop 2 Low Flow Rx Trip (SSPS)

FC-435 A IA ALS-A Loop 3 Low Flow Rx Trip (SSPS)

FC-445 A IA ALS-A Loop 4 Low Flow Rx Trip (SSPS)

PC-456A A IA ALS-A PZR Pressure High Rx Trip (SSPS)

PC-456B A IA ALS-A Unblock SI, P11 (SSPS)

PC-456C A IA ALS-A PZR Pressure Low Rx Trip (SSPS)

PC-456D A IA ALS-A PZR Pressure Low-Low SI (SSPS)

PC-456E A IA ALS-A PZR Pressure High - PORV (RNASA)

PC-936A A IA ALS-A Containment Press High SI, Ph A Isolation (SSPS)

PC-936B A IA ALS-A Containment Press High-High Containment Spray, Ph B Isolation (SSPS)

Deleted

UY-PS2A DIV-A II ALS-A PS II Trouble Alarm (MAS)

UY-PS2B DIV-A II ALS-A PS II Channel in Bypass Alarm (MAS)

UY-PS2C DIV-A II ALS-A PS II Failure Alarm (MAS)

YC-936 A II ALS-A Containment Press High-High Channel in Test Alarm (MAS)

FC-415 B IA ALS-B Loop 1 Low Flow Rx Trip (SSPS)

FC-425 B IA ALS-B Loop 2 Low Flow Rx Trip (SSPS)

FC-435 B IA ALS-B Loop 3 Low Flow Rx Trip (SSPS)

FC-445 B IA ALS-B Loop 4 Low Flow Rx Trip (SSPS)

PC-456A B IA ALS-B PZR Pressure High Rx Trip (SSPS)

PC-456B B IA ALS-B Unblock SI, P11 (SSPS)

PC-456C B IA ALS-B PZR Pressure Low Rx Trip (SSPS)

PC-456D B IA ALS-B PZR Pressure Low-Low SI (SSPS)

PC-456E B IA ALS-B PZR Pressure High - PORV (RNASA)

PC-936A B IA ALS-B Containment Press High SI, Ph A Isolation (SSPS)

PC-936B B IA ALS-B Containment Press High-High Containment Spray, Ph B Isolation (SSPS)

Deleted

UY-PS2A DIV-B II ALS-B PS II Trouble Alarm (MAS)

UY-PS2B DIV-B II ALS-B PS II Channel in Bypass Alarm (MAS)

UY-PS2C DIV-B II ALS-B PS II Failure Alarm (MAS)

YC-936 B II ALS-B Containment Press High-High Channel in Test Alarm (MAS)

LC-460A IA Tricon PZR Level High Rx Trip (SSPS)

LC-519A IA Tricon S/G 1 High-High Level Turbine Trip, FW Isolation P14 (SSPS)

LC-519B IA Tricon S/G 1 Low-Low Level Rx Trip & AFW Pump Start (SSPS)

LC-549A IA Tricon S/G 4 High-High Level Turbine Trip, FW Isolation P14 (SSPS)

LC-549B IA Tricon S/G 4 Low-Low Level Rx Trip & AFW Pump Start (SSPS)

PC-506A IA Tricon Turbine Impulse Pressure High to P13 (SSPS)

PC-515A IA Tricon Loop 1 Low Steamline Press SI & Steamline Isolation (SSPS)

PC-515C IA Tricon Loop 1 Steamline Press High Negative Rate Steamline Isolation (SSPS)

PC-525A IA Tricon Loop 2 Low Steamline Press SI & Steamline Isolation (SSPS)

PC-525C IA Tricon Loop 2 Steamline Press High Negative Rate Steamline Isolation (SSPS)

PC-535A IA Tricon Loop 3 Low Steamline Press SI & Steamline Isolation (SSPS)

PC-535C IA Tricon Loop 3 Steamline Press High Negative Rate Steamline Isolation (SSPS)

PC-545A IA Tricon Loop 4 Low Steamline Press SI & Steamline Isolation (SSPS)

PC-545C IA Tricon Loop 4 Steamline Press High Negative Rate Steamline Isolation (SSPS)

TC-421C IA Tricon OTDT Rx Trip (SSPS)

TC-421G IA Tricon OPDT Rx Trip (SSPS)

TC-422D IA Tricon Tavg Low-Low P12 (SSPS)

TC-422G IA Tricon Tavg Low Feedwater Isolation (SSPS)

TC-433A IA Tricon Loop 3 Cold Leg Temp. Low - LTOPS (RNASA)

Deleted Deleted Deleted Deleted

LY-519H II Tricon PS II S/G Low-Low Level TTD Timer Actuated Alarm (MAS)

Deleted

TC-421D II Tricon OTDT Interlock C3 (RNARA)

TC-421H II Tricon OPDT Interlock C4 (RNARA)

TY-421 TRICON II Tricon PS2 DTTA RTD Failure Alarm (MAS)

UY-PS2A TRICON II Tricon PS2 Trouble Alarm (MAS)

UY-PS2B TRICON II Tricon PS2 Channel in Bypass Alarm (MAS)

UY-PS2C TRICON II Tricon PS2 Failure Alarm (MAS)

4.6 PROTECTION SET III FUNCTIONS AND INSTRUMENT CLASSES

Table 4-5 Protection Set III Analog Output Functions

PROTECTION SET III ANALOG OUTPUT FUNCTIONS

INST. NO. INST. CLASS PROCESSOR DESCRIPTION

LT-461 Input IB,A,1 Note (1) PZR Level to LI-461 (VB2)

LT-518 Input IB,A,1 Note (1) S/G 1 Level to LI-518 (VB3) & ERFDS (VB1)

LT-528 Input IB,A,1 Note (1) S/G 2 Level to LI-528 (VB3) & ERFDS (VB1)

LT-538 Input IB,A,1 Note (1) S/G 3 Level to LI-538 (VB3) & ERFDS (VB1)

LT-548 Input IB,A,1 Note (1) S/G 4 Level to LI-548 (VB3) & ERFDS (VB1)

PT-403 Input IB,A,1 Note (1) Loop 4 WR Press to PR-403 (VB2), RVLIS (PAM 4)

PT-526 Input IB,A,1 Note (1) Loop 2 Steamline Pressure to PI-526 (VB3)

PT-536 Input IB,A,1 Note (1) Loop 3 Steamline Pressure to PI-536 (VB3)

PT-935 Input IB,A,1 Note (1) Containment Pressure to PI-935 (VB1) & ERFDS (VB1)

TE-430A IA ALS-A DTTA Loop 3 Thot-1A (to PS III Tricon)

TE-430B IA ALS-A DTTA Loop 3 Tcold-1 (to PS III Tricon)

TE-431A IA ALS-A DTTA Loop 3 Thot-2A (to PS III Tricon)

TE-432A IA ALS-A DTTA Loop 3 Thot-3A (to PS III Tricon)

FM-416B II ALS-A Reactor Coolant Flow Loop 1 to FI-416 (VB2)

FM-426B II ALS-A Reactor Coolant Flow Loop 2 to FI-426 (VB2)

TE-430C IA ALS-B DTTA Loop 3 Thot-1B (to PS III Tricon)

TE-431B IA ALS-B DTTA Loop 3 Tcold-2 (to PS III Tricon)

TE-431C IA ALS-B DTTA Loop 3 Thot-2B (to PS III Tricon)

TE-432C IA ALS-B DTTA Loop 3 Thot-3B (to PS III Tricon)

FM-436B II ALS-B Reactor Coolant Flow Loop 3 to FI-436 (VB2)

FM-446B II ALS-B Reactor Coolant Flow Loop 4 to FI-446 (VB2)

LM-461 1 II Isolator Out PZR Level to PZR Level Control (Control Set 1, Control Set 2)

LM-518 1 II Isolator Out S/G 1 Level to DFWCS, AFW

LM-528 1 II Isolator Out S/G 2 Level to DFWCS, AFW

LM-528 2 II Isolator Out S/G 2 Level to AMSAC

LM-538 1 II Isolator Out S/G 3 Level to DFWCS, AFW

LM-548 1 II Isolator Out S/G 4 Level to DFWCS, AFW

PM-403A 1 II Isolator Out Loop 4 WR Press to PI-403A (VB2), ERFDS (VB4)

PM-457 1 II Isolator Out PZR Pressure to PZR Pressure Control (Control Set 1), PI-457 (VB2)

PM-526 1 II Isolator Out Loop 2 Steamline Pressure to DFWCS

PM-536 1 II Isolator Out Loop 3 Steamline Pressure to DFWCS

TM-431E II Tricon Delta-T to TI-431A (VB2) & TM-411Q3/R (R31)

TM-431F II Tricon Overpower Setpoint to T/411A (CC1) & TI-431B (VB2)

TM-431G II Tricon Overtemperature Setpoint to T/411A (CC1) & TI-431C (VB2)

TM-432F II Tricon Tavg to TI-432 (VB2) & TM-432G/R, TC-432A-H/R (R31)

Note:

(1) From analog sensor input loop, isolation not required [Section 2.3.3]

Table 4-6 Protection Set III Discrete Output Functions

PROTECTION SET III DISCRETE OUTPUT FUNCTIONS

INST. NO. INST. CLASS PROCESSOR DESCRIPTION

FC-416 A IA ALS-A Loop 1 Low Flow Rx Trip (SSPS)

FC-426 A IA ALS-A Loop 2 Low Flow Rx Trip (SSPS)

FC-436 A IA ALS-A Loop 3 Low Flow Rx Trip (SSPS)

FC-446 A IA ALS-A Loop 4 Low Flow Rx Trip (SSPS)

PC-457A A IA ALS-A PZR Pressure High Rx Trip (SSPS)

PC-457B A IA ALS-A Unblock SI, P11 (SSPS)

PC-457C A IA ALS-A PZR Pressure Low Rx Trip (SSPS)

PC-457D A IA ALS-A PZR Pressure Low-Low SI (SSPS)

PC-457E A IA ALS-A PZR Pressure High - PORV (RNASA)

PC-935A A IA ALS-A Containment Press High SI, Ph A Isolation (SSPS)

PC-935B A IA ALS-A Containment Press High-High Containment Spray, Ph B Isolation (SSPS)

Deleted

UY-PS3A DIV-A II ALS-A PS III Trouble Alarm (MAS)

UY-PS3B DIV-A II ALS-A PS III Channel in Bypass Alarm (MAS)

UY-PS3C DIV-A II ALS-A PS III Failure Alarm (MAS)

YC-935 A II ALS-A Containment Press High-High Channel in Test Alarm (MAS)

FC-416-B IA ALS-B Loop 1 Low Flow Rx Trip (SSPS)

FC-426 B IA ALS-B Loop 2 Low Flow Rx Trip (SSPS)

FC-436 B IA ALS-B Loop 3 Low Flow Rx Trip (SSPS)

FC-446 B IA ALS-B Loop 4 Low Flow Rx Trip (SSPS)

PC-457A B IA ALS-B PZR Pressure High Rx Trip (SSPS)

PC-457B B IA ALS-B Unblock SI, P11 (SSPS)

PC-457C B IA ALS-B PZR Pressure Low Rx Trip (SSPS)

PC-457D B IA ALS-B PZR Pressure Low-Low SI (SSPS)

PC-457E B IA ALS-B PZR Pressure High - PORV (RNASA)

PC-935A B IA ALS-B Containment Press High SI, Ph A Isolation (SSPS)

PC-935B B IA ALS-B Containment Press High-High Containment Spray, Ph B Isolation (SSPS)

Deleted

UY-PS3A DIV-B II ALS-B PS III Trouble Alarm (MAS)

UY-PS3B DIV-B II ALS-B PS III Channel in Bypass Alarm (MAS)

UY-PS3C DIV-B II ALS-B PS III Failure Alarm (MAS)

YC-935 B II ALS-B Containment Press High-High Channel in Test Alarm (MAS)

LC-461A IA Tricon PZR Level High Rx Trip (SSPS)

LC-518A IA Tricon S/G 1 High-High Level Turbine Trip, FW Isolation P14 (SSPS)

LC-518B IA Tricon S/G 1 Low-Low Level Rx Trip & AFW Pump Start (SSPS)

LC-528A IA Tricon S/G 2 High-High Level Turbine Trip, FW Isolation P14 (SSPS)

LC-528B IA Tricon S/G 2 Low-Low Level Rx Trip & AFW Pump Start (SSPS)

LC-538A IA Tricon S/G 3 High-High Level Turbine Trip, FW Isolation P14 (SSPS)

LC-538B IA Tricon S/G 3 Low-Low Level Rx Trip & AFW Pump Start (SSPS)

LC-548A IA Tricon S/G 4 High-High Level Turbine Trip, FW Isolation P14 (SSPS)

LC-548B IA Tricon S/G 4 Low-Low Level Rx Trip & AFW Pump Start (SSPS)

PC-403A IA Tricon Loop 4 WR Pressure Low to RHR V-8702 Open Ckt (RNSIA)

PC-403B IA Tricon Loop 4 WR Pressure High to RHR Not Isolated Alarm Ckt (RNSIA)

PC-403D IA Tricon Loop 4 WR Pressure High to LTOPS (RNASA)

PC-526A IA Tricon Loop 2 Low Steamline Press SI & Steamline Isolation (SSPS)

PC-526C IA Tricon Loop 2 Steamline Press High Negative Rate Steamline Isolation (SSPS)

PC-536A IA Tricon Loop 3 Low Steamline Press SI & Steamline Isolation (SSPS)

PC-536C IA Tricon Loop 3 Steamline Press High Negative Rate Steamline Isolation (SSPS)

TC-431C IA Tricon OTDT Rx Trip (SSPS)

TC-431G IA Tricon OPDT Rx Trip (SSPS)

TC-432D IA Tricon Tavg Low-Low P12 (SSPS)

TC-432G IA Tricon Tavg Low Feedwater Isolation (SSPS)

LY-518H II Tricon PS III S/G Low-Low Level TTD Timer Actuated Alarm (MAS)

Deleted Deleted Deleted

PC-526B II Tricon Loop 2 Steamline Pressure Low Alarm (MAS)

PC-536B II Tricon Loop 3 Steamline Pressure Low Alarm (MAS)

TC-431D II Tricon OTDT Interlock C3 (RNARA)

TC-431H II Tricon OPDT Interlock C4 (RNARA)

TY-431 TRICON II Tricon PS III DTTA RTD Failure Alarm (MAS)

UY-PS3A TRICON II Tricon PS III Trouble Alarm (MAS)

UY-PS3B TRICON II Tricon PS III Channel in Bypass Alarm (MAS)

UY-PS3C TRICON II Tricon PS III Failure Alarm (MAS)

4.7 PROTECTION SET IV FUNCTIONS AND INSTRUMENT CLASSES

Table 4-7 Protection Set IV Analog Output Functions

INST. NO. INST. CLASS PROCESSOR DESCRIPTION

LT-517 Input IB,A,1 Note (1) S/G 1 Level to LI-517 (VB3), ERFDS (VB4)

LT-527 Input IB,A,1 Note (1) S/G 2 Level to LI-527 (VB3), ERFDS (VB4)

LT-537 Input IB,A,1 Note (1) S/G 3 Level to LI-537 (VB3), ERFDS (VB4)

LT-547 Input IB,A,1 Note (1) S/G 4 Level to LI-547 (VB3), ERFDS (VB4)

PT-405 Input IB,A,1 Note (1) Loop 3 WR Press to PI-405 (VB2), ERFDS (VB4), RVLIS (PAM 3)

PT-516 Input IB,A,1 Note (1) Loop 1 Steamline Pressure to PI-516 (VB3)

PT-546 Input IB,A,1 Note (1) Loop 4 Steamline Pressure to PI-546 (VB3)

PT-934 Input IB,A,1 Note (1) Containment Pressure to PI-934 (VB1)

TE-440A IA ALS-A DTTA Loop 4 Thot-1A (PS IV Tricon)

TE-440B IA ALS-A DTTA Loop 4 Tcold-1 (PS IV Tricon)

TE-441A IA ALS-A DTTA Loop 4 Thot-2A (PS IV Tricon)

TE-442A IA ALS-A DTTA Loop 4 Thot-3A (PS IV Tricon)

TE-454 IA ALS-A PZR Vapor Temperature (PS IV Tricon)

TE-440C IA ALS-B DTTA Loop 4 Thot-1B (PS IV Tricon)

TE-441B IA ALS-B DTTA Loop 4 Tcold-2 (PS IV Tricon)

TE-441C IA ALS-B DTTA Loop 4 Thot-2B (PS IV Tricon)

TE-442C IA ALS-B DTTA Loop 4 Thot-3B (PS IV Tricon)

LM-517 1 II Isolator Out S/G 1 Level to DFWCS, AFW

LM-517 2 II Isolator Out S/G 1 Level to AMSAC

LM-527 1 II Isolator Out S/G 2 Level to DFWCS, AFW

LM-537 1 II Isolator Out S/G 3 Level to DFWCS, AFW

LM-547 1 II Isolator Out S/G 4 Level to DFWCS, AFW

PM-405A 1 II Isolator Out Loop 4 WR Press to PI-405A (VB2), ERFDS (VB4)

PM-474 1 II Isolator Out PZR Pressure to PI-474 (VB2), PZR Pressure Control (Control Set 1)

PM-516 1 II Isolator Out Loop 1 Steamline Pressure to DFWCS

PM-546 1 II Isolator Out Loop 4 Steamline Pressure to DFWCS

TM-441E II Tricon Delta-T to TI-441A (VB2) & TM-41 1Q4/R (R31)

TM-441F II Tricon Overpower Setpoint to T/41 1A (CC1) & TI-441B (VB2)

TM-441G II Tricon Overtemperature Setpoint to T/41 1A (CC1) & TI-441C (VB2)

TM-442F II Tricon Tavg to TI-442 (VB2) & TM-442G/R, TC-442A-H/R (R31)

TM-454A II,D,3 Tricon PZR Vapor Temp to TI-454 (VB2) & TC-454/R (Control Set 2)

Note:

(1) From analog sensor input loop, isolation not required [Section 2.3.3]

Table 4-8 Protection Set IV Discrete Output Functions

INST. NO. INST. CLASS PROCESSOR DESCRIPTION

PC-474A A IA ALS-A PZR Pressure Low Rx Trip (SSPS)

PC-474B A IA ALS-A PZR Pressure High - PORV (RNASA)

PC-474C A IA ALS-A PZR Pressure High Rx Trip (SSPS)

PC-474D A IA ALS-A PZR Pressure Low-Low SI (SSPS)

PC-934A A IA ALS-A Containment Press High SI, Ph A Isolation (SSPS)

PC-934B A IA ALS-A Containment Press High-High Containment Spray, Ph B Isolation (SSPS)

Deleted

UY-PS4A DIV-A II ALS-A PS IV Trouble Alarm (MAS)

UY-PS4B DIV-A II ALS-A PS IV Channel in Bypass Alarm (MAS)

UY-PS4C DIV-A II ALS-A PS IV Failure Alarm (MAS)

YC-934 A II ALS-A Containment Press High-High Channel in Test Alarm (MAS)

PC-474A B IA ALS-B PZR Pressure Low Rx Trip (SSPS)

PC-474B B IA ALS-B PZR Pressure High - PORV (RNASA)

PC-474C B IA ALS-B PZR Pressure High Rx Trip (SSPS)

PC-474D B IA ALS-B PZR Pressure Low-Low SI (SSPS)

PC-934A B IA ALS-B Containment Press High SI, Ph A Isolation (SSPS)

PC-934B B IA ALS-B Containment Press High-High Containment Spray, Ph B Isolation (SSPS)

Deleted

UY-PS4A DIV-B II ALS-B PS IV Trouble Alarm (MAS)

UY-PS4B DIV-B II ALS-B PS IV Channel in Bypass Alarm (MAS)

UY-PS4C DIV-B II ALS-B PS IV Failure Alarm (MAS)

YC-934 B II ALS-B Containment Press High-High Channel in Test Alarm (MAS)

LC-517A IA Tricon S/G 1 High-High Level Turbine Trip, FW Isolation P14 (SSPS)

LC-517B IA Tricon S/G 1 Low-Low Level Rx Trip & AFW Pump Start (SSPS)

LC-527A IA Tricon S/G 2 High-High Level Turbine Trip, FW Isolation P14 (SSPS)

LC-527B IA Tricon S/G 2 Low-Low Level Rx Trip & AFW Pump Start (SSPS)

LC-537A IA Tricon S/G 3 High-High Level Turbine Trip, FW Isolation P14 (SSPS)

LC-537B IA Tricon S/G 3 Low-Low Level Rx Trip & AFW Pump Start (SSPS)

LC-547A IA Tricon S/G 4 High-High Level Turbine Trip, FW Isolation P14 (SSPS)

LC-547B IA Tricon S/G 4 Low-Low Level Rx Trip & AFW Pump Start (SSPS)

PC-405A IA Tricon Loop 4 WR Pressure Low to RHR V-8701 Open Ckt (SSPS)

PC-405B IA Tricon Loop 4 WR Pressure High to RHR Not Isolated Alarm Ckt (RNSIB)

PC-405D IA Tricon Loop 4 WR Pressure High to LTOPS (RNASA)

PC-516A IA Tricon Loop 1 Low Steamline Press SI & Steamline Isolation (SSPS)

PC-516C IA Tricon Loop 1 Steamline Press High Negative Rate Steamline Isolation (SSPS)

PC-546A IA Tricon Loop 4 Low Steamline Press SI & Steamline Isolation (SSPS)

PC-546C IA Tricon Loop 4 Steamline Press High Negative Rate Steamline Isolation (SSPS)

TC-441C IA Tricon OTDT Rx Trip (SSPS)

TC-441G IA Tricon OPDT Rx Trip (SSPS)

TC-442D IA Tricon Tavg Low-Low P12 (SSPS)

TC-442G IA Tricon Tavg Low Feedwater Isolation (SSPS)

Deleted LY-517H Tricon PS4 S/G Low-Low Level TTD Timer Actuated Alarm (MAS)

Deleted Deleted Deleted

PC-516B II Tricon Loop 1 Steamline Pressure Low Alarm (MAS)

PC-546B II Tricon Loop 4 Steamline Pressure Low Alarm (MAS)

TC-441D II Tricon OTDT Interlock C3 (RNARA)

TC-441H II Tricon OPDT Interlock C4 (RNARA)

TY-441 TRICON II Tricon PS4 DTTA RTD Failure Alarm (MAS)

UY-PS4A TRICON II Tricon PS IV Trouble Alarm (MAS)

UY-PS4B TRICON II Tricon PS IV Channel in Bypass Alarm (MAS)

UY-PS4C TRICON II Tricon PS IV Failure Alarm (MAS)
