: 1. CR-3 to NRC letter dated June 15, 2011, "Crystal River Unit 3 - License Amendment Request #309, Revision 0, Extended Power Uprate" (Accession No. ML112070659)

: 2. NRC to CR-3 letter dated February 8, 2012, "Crystal River Unit 3 Nuclear Generating Plant - Request for Additional Information for Extended Power Uprate License Amendment Request (TAC No. ME6527)" (Accession No. ML12003A217)

: 3. CR-3 to NRC letter dated January 5, 2012, "Crystal River Unit 3 - Response to Request for Additional Information to Support NRC Instrumentation and Controls Branch Technical Review of the CR-3 Extended Power Uprate LAR (TAC No. ME6527)" (Accession No. ML12030A209)

 

By letter dated June 15, 2011, Florida Power Corporation, doing business as Progress Energy Florida, Inc., requested a license amendment to increase the rated thermal power level of Crystal River Unit 3 (CR-3) from 2609 megawatts (MWt) to 3014 MWt (Reference 1). On February 8, 2012, the NRC provided a second request for additional information (RAI) required to support the EICB technical review of the CR-3 Extended Power Uprate (EPU) License Amendment Request (LAR) (Reference 2).

an Inadequate Core Cooling Mitigation System failure mode and effects analysis, summary of the test results associated with electromagnetic and radio frequency interference emissions and Progress Energy Florida, Inc.                                                                   Z     0o (

U.S. Nuclear Regulatory Commission                                                   Page 2 of 3 3F0312-02 susceptibility, and a reliability report by November 9, 2012; and an Inadequate Core Cooling Mitigation System testing summary report by February 28, 2013. , "Updated FCS and ICCMS Annunciator Drawing," to Attachment A provides a revised drawing that supersedes the annunciator drawing provided in a letter from CR-3 to the NRC dated January 5, 2012 (Reference 3). Enclosure 2, "Fast Cooldown System Failure Mode and Effects Analysis," to Attachment A is provided in support of the EICB technical review RAI response.

A.     Response to Second Request for Additional Information to Support NRC Instrumentation and Controls Branch (EICB) Technical Review of the CR-3 EPU LAR B.     List of Regulatory Commitments

: 1. Updated FCS and ICCMS Annunciator Drawing

: 2.     Fast Cooldown System Failure Mode and Effects Analysis xc:   NRR Project Manager Regional Administrator, Region II Senior Resident Inspector State Contact

U.S. Nuclear Regulatory Commission                                                           Page 3 of 3 3F0312-02 STATE OF FLORIDA COUNTY OF CITRUS Jon A. Franke states that he is the Vice President, Crystal River Nuclear Plant for Florida Power Corporation, doing business as Progress Energy Florida, Inc.; that he is authorized on the part of said company to sign and file with the Nuclear Regulatory Commission the information attached hereto; and that all such statements made and matters set forth therein are true and correct to the best of his knowledge, information, and belief.

J   A. Franke ice President Crystal River Nuclear Plant The   foregoing   document was     acknowledged       before     me this             day of

                    .,_2012, by Jon A. Franke.

Signature of Notary Public State of Florida f--."  N...CAROLYN E.PORTMANN

* Commission # DD 937553 SExpires         March 1,2014 (Print, type, or stamp Commissioned Name of Notary Public)

Personally       7             Produced Known                   -OR-   Identification

U. S. Nuclear Regulatory Commission                                                 Attachment A 3F0312-02                                                                             Page 1 of 8 RESPONSE TO SECOND REQUEST FOR ADDITIONAL INFORMATION TO SUPPORT NRC INSTRUMENTATION AND CONTROLS BRANCH (EICB) TECHNICAL REVIEW OF THE CR-3 EPU LAR By letter (Reference 1) dated June 15, 2011, Florida Power Corporation (FPC), doing business as Progress Energy Florida, Inc., requested a license amendment to increase the rated thermal power level of Crystal River Unit 3 (CR-3) from 2609 megawatts (MWt) to 3014 MWt. On February 8, 2012, the NRC provided a second request for additional information (RAI) required to support the EICB technical review of the CR-3 Extended Power Uprate (EPU) License Amendment Request (LAR).

U. S. Nuclear Regulatory Commission                                                   Attachment A 3F0312-02                                                                                 Page 2 of 8 ADV/FCS The fundamental function of the ADV/FCS modification is to enhance thermal-hydraulic capabilities during plant transients and accidents at EPU conditions. Thus, much of the ADV/FCS EC package is related to the replacement of the ADVs (e.g., larger ADVs and associated piping and supports) and therefore, is mechanical in nature. However, the ADV/FCS EC modification does include associated controls and support system enhancements. The FCS portion of the modification provides an alternate safety-related controller that rapidly depressurizes the secondary system by opening the ADVs until the specified lower pressure is reached and subsequently controlling at the specified lower pressure. The ADV/FCS EC package is nearly complete; however, many of the instrumentation and controls (I&C) components associated with this EC package have not been procured. A FAT report is not being generated in support of this EC package. Also, in lieu of a reliability report, an FMEA has been performed to qualitatively assess reliability and is provided in Enclosure 2 to this attachment.

(Reference 1, Attachments 5 and7), the FCS control switches will be placed in the "BYP" position during a station blackout (SBO) event with a loss of subcooling margin allowing the operators to perform the required cooldown in accordance with existing procedure guidance with the normal ADV controls. Consistent with Section 7.1, "Protection Systems," of the Final Safety Analysis Report (FSAR), the FCS bypass function is operated during abnormal or emergency operating conditions (e.g., a SBO event) and is not considered an "operating bypass" within the context of Section 4.12 of IEEE 279-1971. Once the FCS is manually bypassed, it remains bypassed until manually restored. Enclosure 1, "Updated FCS and ICCMS Annunciator Drawing," shows the proposed FCS annunciator which alerts the operator when an FCS control switch is in the "BYP" position consistent with the guidance of Regulatory Guide 1.47, Revision 1, "Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems." This updated drawing also shows the current proposed location of other new FCS and ICCMS annunciators and supersedes the annunciator drawing provided in the letter from CR-3 to the NRC dated January 5, 2012 (Reference 2). Note that the precise annunciator locations and labeling may change as the ICCMS and FCS modifications are finalized.

U. S. Nuclear Regulatory Commission                                                   Attachment A 3F0312-02                                                                               Page 3 of 8 operated isolation valves in each safety-related EFW pump recirculation line. The EFW pump recirculation flow control modification does not interface with the existing EFIC System. The components for this modification will be procured as safety-related and qualified as appropriate.

: 21.     (EICB 2-1)

In response to EICB acceptance review RAI question 3, the licensee submitted Enclosure 3 "IEEE [Institute of Electrical and Electronics Engineers] 603-1991 and IEEE 279-1971 Compliance Matrix" on August 18, 2011 (ADAMS Accession No. ML11234A427), which provides a summary of how the inadequate core cooling monitoring system (ICCMS), FCS, ADVs and the affected portions of emergency feedwater initiation and control (EFIC) system will meet applicable clauses of IEEE 603-1991 and IEEE 279-1971. The licensee lists the system specification statements for each requirement criterion of IEEE 603-1991 and IEEE 279-1971, but does not demonstrate (e.g., through the analysis or test) how the equipment meets the requirements in IEEE 603-1991 and IEEE 279-1971.

U. S. Nuclear Regulatory Commission                                                 Attachment A 3F0312-02                                                                               Page 4 of 8

ICCMS The I&C portion of ICCMS is predominantly contained in a set of stand-alone instrument cabinets which will be subjected to a FAT prior to shipment from the vendor. The ICCMS FAT is scheduled for late 2012 and the FAT summary report will be available the first quarter of 2013. As indicated in Attachment B, "List of Regulatory Commitments," FPC will provide an ICCMS testing summary report, which includes a summary of the FAT results, to the NRC staff by February 28, 2013. In addition, FPC will provide an FMEA and a reliability report, which includes overall availability results, for the ICCMS by November 9, 2012 as indicated in Attachment B. Further, post-modification and in-situ integrated testing for this modification is described in Section 2.12, "Power Ascension and Testing Plan," of the EPU TR (Reference 1, Attachments 5 and 7).

ADV/FCS There is no integrated FAT planned for the ADV/FCS plant modification. Similarly, an overall availability report and reliability report are not discrete parts of the ADV/FCS EC package; but, are integral to the package. However, the ADV/FCS components are conservatively designed to operate over the operating range of service conditions. Post-modification and integrated in-situ testing will be performed as described in Section 2.12 of the EPU TR (Reference 1, Attachments 5 and 7) to test the ADV/FCS and associated components prior to operation at EPU conditions.

Enclosure 2, "Fast Cooldown System Failure Mode and Effects Analysis," provides the current FMEA for the ADV/FCS modification. However, the FMEA may change further as the design is finalized and issued. The FMEA was prepared in accordance with the general guidelines of IEEE 352-1987, "IEEE Guide for General Principles of Reliability Analysis of Nuclear Power Generating Station Safety Systems." The FCS FMEA concludes that there is no credible single failure of any FCS component that will result in: the failure of a channel of FCS pressure control or an ADV; concurrent with a degradation of high pressure injection (HPI) line flow. Thus, the capability to mitigate a small break loss-of-coolant accident (SBLOCA) remains available in the event of a single failure of either the FCS or an HPI train. This FMEA also concludes that there is no failure of an FCS component that will migrate into the EFIC cabinets or impact the capability of EFW System initiation, EFW System vector valve control, main steam line isolation, and main feedwater isolation functions.

U. S. Nuclear Regulatory Commission                                               Attachment A 3F0312-02                                                                             Page 5 of 8 therefore are not qualified in accordance with Regulatory Guide 1.89, "Environmental Qualification of Certain Electric Equipment Important to Safety for Nuclear Power Plants,"

or 10CFR50.49(f) as allowed by 10CFR50.49(c)(3).                   The new ICCMS input instrumentation, located in a harsh environment (i.e., RCS pressure transmitters, incore thermocouple assembly connectors, and HPI flow differential pressure transmitters), are the same as the instruments currently used to sense these parameters and will be added to the revised vendor qualification packages as applicable.         No additional environmental qualification (EQ) testing is required for the ICCMS.

ICCMS testing will be conducted to confirm the ICCMS meets the requirements related to equipment seismic qualification per Regulatory Guide 1.100, "Seismic Qualification of Electrical and Active Mechanical Equipment and Functional Qualification of Active Mechanical Equipment for Nuclear Power Plants," electromagnetic and radio frequency interference (EMI/RFI) emissions and susceptibility per Regulatory Guide 1.180, "Guidelines for Evaluating Electromagnetic and Radio-Frequency Interference in Safety-Related Instrumentation and Control Systems," and qualified isolation between nonsafety-related circuits per Regulatory Guide 1.75, "Criteria for Independence of Electrical Safety Systems." As indicated in Attachment B, "List of Regulatory Commitments," FPC will provide a summary of the testing results related to seismic qualification, EMI/RFI emissions and susceptibility, and isolation between nonsafety-related RCP trip circuits and ICCMS.

: 22.     (EICB 2-2)

As noted in the EICB RAI Background Section above, the ADVs are addressed in the same EC package as the FCS. The EFW pump recirculation flow control modification is addressed in a separate EC package. Additionally, the I&C portions of the FCS/ADVs and EFW pump recirculation flow control modifications meet the CLB requirements of IEEE 279-1971 instead of IEEE 603-1991. The ADV/FCS and EFW pump recirculation flow control modifications and associated components are designed, procured, purchased, inspected, and tested in accordance with the CR-3 Quality Program as described in Section 1.7, "Quality Program (Operational)," of the FSAR. The Progress Energy Quality Assurance Program Manual and associated procedures promulgates compliance with 10CFR50, Appendix B and ensures maintenance and modifications affecting safety-related structures, systems, and components (SSCs) are performed

U. S. Nuclear Regulatory Commission                                                     Attachment A 3F0312-02                                                                                 Page 6 of 8 in a manner to assure quality requirements, material specifications, and inspection requirements are met and conform to applicable codes, standards, specifications, and criteria.

Single Failure - the FCS is designed such that any single failure in the FCS electrical power supply, pressure control circuitry, or transfer relay will affect only the FCS control of a single ADV or the EFIC control of a single ADV. An FMEA was performed to determine component failure effect and potential failures including those due to interfacing or support systems such as control complex Heating, Ventilation, and Air Conditioning (HVAC). Refer to Enclosure 2 of this attachment for the FCS FMEA.

Equipment Qualification - the FCS equipment enclosures and subcomponents, battery banks, FCS pressure control transmitters and ADVs are seismically qualified per IEEE 344-1975, "IEEE Recommended Practice for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations." ADV/FCS equipment important to safety that is located in harsh EQ zones will be qualified in accordance with 10 CFR 50.49(f) and Regulatory Guide 1.89. However, electrical equipment important to safety located in a mild environment are not qualified in accordance with 10 CFR 50.49(f) or Regulatory Guide 1.89 as allowed by 10 CFR 50.49(c)(3).

Capability is provided for testing and calibrating channels and the devices used to derive the final FCS output signal from the various channel signals. Periodic testing duplicates, as closely as practical, the overall performance required of the FCS and confirms Operability of both the automatic and manual circuitry. The FCS design does include test circuitry and switches which could be used for troubleshooting/functional testing of the transfer relays and of the pressure controllers with the reactor at power. Manual isolation valves and test connections are included in the design to allow testing of the ADVs and accessories with the reactor at power.

U. S. Nuclear Regulatory Commission                                                 Attachment A 3F0312-02                                                                               Page 7 of 8 EFW Pump Recirculation Flow Control The EFW Pump Recirculation Flow Control modification and associated components are designed, procured, purchased, inspected, and tested in accordance with the CR-3 Quality Program as described in Section 1.7 of the FSAR.

Equipment Qualification - the recirculation control valves, differential pressure switches, terminal blocks, and cables associated with the turbine driven EFW pump (EFP-2) are located in a harsh environment. Therefore, these components will be qualified in accordance with 10 CFR 50.49(f) and Regulatory Guide 1.89. The diesel driven EFW pump (EPF-3) components and all other EFW Pump Recirculation Flow Control components are located in a mild environment. Therefore, these components are not qualified in accordance with 10 CFR 50.49(f) or Regulatory Guide 1.89 as allowed by 10 CFR 50.49(c)(3).

Reliability - the EFW Pump Recirculation Flow Control modification does not adversely affect existing redundancy, diversity, or separation of the EFW System. For each EFW train, there will be three differential pressure switches arranged in a two-out-of-three logic and one main control room switch. There are no separation criteria issues as each component is installed in its respective EFW train duty area and fed from its respective train power supply. The three pressure switches, installed in a two-out-of-three logic for each train of EFW, is not required but desired for system reliability and to allow testing and maintenance of an individual switch.

: 23.     (EICB 2-3)

U. S. Nuclear Regulatory Commission                                                   Attachment A 3F0312-02                                                                                 Page 8 of 8

: 24.     (EICB 2-4)

ICCMS Initiation Channel 1 and Actuation Train A are powered from the Train A 120VAC vital bus (VBDP-3). ICCMS Initiation Channel 2 and Actuation Train B are powered from the Train B 120VAC vital bus (VBDP-4). These vital buses are powered by the associated station battery or emergency diesel generator. ICCMS Initiation Channel 3 is powered from new dedicated uninterruptible power supply (UPS) units. Each UPS unit is powered from a 480VAC motor control center (3AB) which can be powered from either emergency diesel generator. Each initiation channel and actuation train has dual auctioneered power supplies that are powered via separate breakers from the associated vital bus/UPS.

: 1. CR-3 to NRC letter dated June 15, 2011, "Crystal River Unit 3 - License Amendment Request #309, Revision 0, Extended Power Uprate." (Accession No. ML112070659)

: 2. CR-3 to NRC letter dated January 5, 2012, "Crystal River Unit 3 - Response to Request for Additional Information to Support NRC Instrumentation and Controls Branch Technical Review of the CR-3 Extended Power Uprate LAR (TAC No. ME6527)." (Accession No. ML12030A209)

: 3. CR-3 to NRC letter dated August 11, 2011, "Crystal River Unit 3 - Response to Request for Additional Information to Support NRC Balance of Plant Branch Acceptance Review of the CR-3 Extended Power Uprate LAR (TAC No. ME6527)."                     (Accession No. ML11228A032)

EC 71855       X64R0 FMEA for EC71855 Fast Cooldown Systems Components Scope This FMEA is developed using the guidelines of EGR-NGGC-0154, Single Failure Analysis and IEEE 352-1987, IEEE guide for General Principles of Reliability Analysis of Nuclear Power Generating Station Safety systems.

: a. two HPI pumps and their associated valves and piping are adequate to mitigate SBLOCAs during a LSCM condition or

: a. Control Complex HVAC for maintaining temperatures within various control complex rooms within the component rated temperatures.

: b. Control Complex HVAC for circulating air flow through the battery rooms for hydrogen removal.

: c. EFIC auxiliary equipment cabinets for interface with transfer relays that can transfer ADV control from EFIC to the fast cooldown pressure controllers

: d. Instrument air system for normal air supply to ADV control air components and actuators Page 1 of 70

EC 71855       X64R0

: e. Main steam system piping for new ADV valve bodies and new (manual) isolation valves and interface with EFIC pressure transmitter tubing for MS-106, l08, 111, 113-PT due to sharing common pressure sensor tubing

: g. Interface with Remote Shutdown Relays

: h. Interface with HPI low range flow indication loops of MU-23-dpt5, dpt6. Dpt7, dpt8

: i. Interface with RECALL/EM systems for new RECALL points EC 71855 does provide additional RECALL point input and provides algorithm for SPDS curve of RCS pressure versus HPI total low range flow (from four injection lines). However, SPDS internal programming changes are not part of EC 71855 but are installed and tested with EC 75574.

e.2 . Evaluation of root valve for potential impact of new fast cooldown pressure transmitters with creating failure of EFIC pressure transmitters MS-106, 108, 111, 113-PY due to sharing common pressure sensor tubing

EC 71855     X64R0 h.Failure impact of MU-23-FY5-3 and MU-23-FY7-4 on MU-23-dpt5, dpt6, dpt7, dpt8 indication in control room

EC 71855     X64R0 HPI low range differential pressure transmitters (MU-23-dpt5, dpt6, dpt7, dpt8, dpt9, dptl0, dptl, and dpt12) that provide ICCM input (EC 76340) for auto actuation of FCS and input to SPDS for determining adequate HPI flow per the HPI required flow curve.

Instrument air system- This system normally supply control air for the ADVs. Failure evaluation is based on total loss of all air compressors in a LOOP or SBO event The interface with EFIC Aux. Equipment cabinets are evaluated only from the impact that a transfer relay contact failure will have on the EFIC signal demand to the ADVs and for the isolation function of the Aux. Equipment Cabinet V/I and I/V modules to protect any relay failure from migrating into the EFIC cabinets or into the VBDP power supply to the EFIC Aux. Equipment Cabinets. This evaluation is documented under the transfer relay failure modes.

: 1. Fast Cooldown System Automatic Actuation

: 2. Fast Cooldown System Manual Actuation

: 3. EFIC Auto Pressure Control of ADV

: 4. Main Control Board (MCB) Manual Control of ADV position (through MCB Hand/Auto station control which goes through EFIC Control Module

: 5. Remote Shutdown Panel (RSP) Manual control of ADV position (through RSP Hand/Auto Station control which goes through EFIC Control Module

: 6. Manual local handwheel positioning of ADV The impact of component failures whether fast cooldown system has been actuated automatically through the ICCM cabinets or manually with selector switch is identical since both modes must utilize the DC bus voltage supply and utilize the fast cooldown transfer relay and the fast cooldown pressure control circuitry. The only difference is whether one actuation is provided by the ICCM and one is provided by operator manual action using the control board selector switch. Failure of the control board selector switch contacts is included in the FMEA worksheets. Failure of an ICCM cabinet to actuate fast cooldown would be bounded by the impact of a failed transfer relay that would not energize and which is included in the FMEA worksheets.

EC 71855       X64R0 The impact of component failures in the fast cooldown system is identical for the three various sources of ADV demand signal when not selected for fast cooldown control (i.e. whether EFIC is providing auto pressure control, or whether MCB Hand/Auto station is in manual control for generating ADV demand signal, or whether the Remote Shutdown Panel is providing the ADV demand signal). These three methods of producing an ADV demand signal all are routed to the ADV through the existing EFIC control module, through the existing Foxboro isolation modules and through the same set of contacts of the new fast cooldown transfer relay. Any failure of the fast cooldown transfer relay will affect all three sources of demand signal identically.

EC 71855       X64R0 Ground Rules and Assumptions

: 1. Loss of offsite power will have no impact on operability or failure modes of components being installed by the fast cooldown system since they are powered from separate independent DC buses backed by fast cooldown system battery banks with the exception of the two relays being installed in the Remote Shutdown Aux. Equipment Cabinets. In the case of these two relays being installed in the Remote Shutdown Aux. Equipment Cabinets, these are powered by VBDP sources that are diesel and station battery backed and will not lose power in a LOOP.

: 2. The fire dampers supplying and exhausting control complex HVAC ventilation air to the battery rooms and battery charger rooms are fusible link dampers. The fusible links design function is to hold the dampers open during non-fire conditions and to melt/fail only with high temperatures that would occur in a fire event. For these dampers to fail closed and block hydrogen purging from battery rooms and block HVAC cooling from battery rooms and battery charger rooms, the fusible links would have structurally break/fail in a non-fire condition. DBD92 definition of a passive failure is as follows: "A passive failure is a failure of an electrical or mechanical component to maintain its structural integrity or stability or the blockage of a process flow path such that it cannot provide its intended safety function upon demand ..... Single passive failures of mechanical components (e.g. pipe breaks, separation of a valve disc from its stem, etc.) are not part of CR-3 design basis and are not assumed in the design of fluid mechanical systems at CR-3." The fusible link fire dampers meet several criteria of this definition. Failure of fusible link fire dampers are evaluated as passive failures in this FMEA.

: 3. The control complex HVAC provides cooling and ventilation purging of hydrogen from the battery rooms. The control complex HVAC is being evaluated since the station batteries that provide DC power for diesel flashing and switchgear closure for diesel and HPI pumps are in the same control complex rooms as the fast cooldown batteries. The HVAC failures are evaluated to insure that a single failure will not create one inoperable HPI train simultaneous with one FCS channel.

: a. Fire dampers in battery room supply and return/exhaust duct These are fusible link dampers. The failure that could (if credible) affect both DC power for HPI and DC power for fast cooldown would be a failure such that the damper would fail closed and block HVAC flow for battery room cooling and hydrogen purging. As noted above, this would be a passive mechanical failure. This failure is not applicable or credible for evaluation per CR3 design basis. Even though the failure of the fusible link dampers is evaluated as not a credible failure as per CR3 design basis, such a failure would be detectable. Each battery room has a low flow switch on its exhaust damper that will provide control room annunciator alarms if exhaust flow from the room has failed. Evaluation of calculation M92-0008 with FCS and station batteries installed and during maximum charging current conditions are such that without HVAC ventilation, the battery rooms would reach 1% hydrogen concentration (25% of the 4% explosive limit) in 15.56 hours. Evaluation in calculation H97-0004 for several case events denotes that with loss of HVAC supply to the battery rooms due to specific fire locations, it would take a time period of a little less than Page 6 of 70

EC 71855       X64R0 72 hours (without any doors opened for cooling) for either of the battery room temperatures to reach 97F° on loss of HVAC to the battery rooms during certain fire events.

: b. Control Complex HVAC fans and chillers in normal plant conditions as well as LOOP or LOCA The existing control complex HVAC fans and chillers have redundant components that are diesel backed. Failure of one fan or chiller will not inhibit control complex cooling and ventilation. The normal duty supply fans, return fans, and chillers will have to be restarted on a LOOP. In the case of a single diesel failure or DC train failure that will not allow diesel to flash field or close breaker, there will be a redundant set of fans and chillers available for cooling the control complex rooms and for purging hydrogen from the battery rooms.

: c. Control Complex HVAC during SBO CR3 design basis does not postulate an accident concurrent with an SBO event and thus fast cooldown is not required in an SBO event. However, if fast cooldown batteries were required during SBO, which they are not, the following evaluation shows the fast cooldown batteries would be operable in a SBO.

There would be no control complex HVAC during SBO to cool the battery rooms or purge hydrogen. However, the CR3 design basis for an SBO is 4 hours. There would be no battery charging occurring (which is when hydrogen would be released from batteries) during the SBO so any hydrogen buildup would be significantly more than the above mentioned 15.56 hours for loss of ventilation flow to the battery rooms. Revised calculations E89-0084 and E89-0085 with FCS batteries and station batteries installed in the battery rooms denote       TDAC temperatures of 106.45F0 and 106.65F0 for battery rooms A and B respectively for SBO conditions with no control complex HVAC.

: 4. The intermediate building supply and exhaust fans are powered from diesel backed ES MCC 3A1 and ES MCC3B2 are would be operable during a LOOP. Their associated pneumatic dampers AHD-67, 68, 69, 70 have accumulators that provide air in the event of loss of instrument air to ensure operability of intermediate building dampers in a LOOP. (Reference DBD 627, Appendix B) In the event of a SBO, the ADV components are rated for temperatures higher than the calculated TDAC temperature of the intermediate building.

EC 71855       X64R0

: 5. The instrument analog isolators installed by the fast cooldown system that provide new RECALL points for the MU-23-dpt5, dpt6, dpt7, and dpt8 instrument loops will retain power during a LOOP since they are powered by the fast cooldown DC bus. The instrument loop power will be retained since the instrument loop power is supplied by the Remote Shutdown Aux. Equipment Cabinets which are powered by VBDP sources that are diesel and station battery backed and will not lose power in a LOOP.

: 6. This FMEA assumes no failures due to operator error or mispositioning of selector or test switches. However, the impact of the selector switch or test switch contacts mechanically failing open or closed (the same as if mispositioned by operator error) is included in the FMEA worksheets.

: 7. This FMEA assumes no failures due to maintenance error in calibration or setup of instrumentation since calibration data sheets are provided.

: 8. This FMEA assumes no failures due to maintenance error in surveillance testing and mispositioning of test switches during testing since surveillance procedures are being developed.

: 9. This FMEA assumes no failures due to maintenance error in equipment component maintenance since procedures are being developed.

EC 71855       X64R0 these components have also been selected for temperature ratings in excess of the     TOAC temperatures during an SBO.

: 16. As noted above for the main steam piping, failure due to pipe breaks is not evaluated in this FMEA. As per DBD Section 1.2 Definitions- Passive Failure- ..."Single passive failure of mechanical components (e.g. pipe breaks, separation of valve disc from its stem, etc) are not part of CR-3 design basis and are not assumed in the design of fluid mechanical systems at CR-3."

EC 71855       X64R0 EC 71855 FMEA Worksheet Notes:

Number           Name                 Failure Mode             Cause                 Symptoms and Local Effects             Method of Detection           Inherent Compensating         Effect on ECCS                     Remarks and Other Provision                                                         Effects 1.0             MSV-25               Valve fails to stroke   Mechanical failure of MSV-25 will not be operable for plant   24 month surveillance test     Other ADV still functional     One ADV is inoperable for Fast   Very low probability valve internal       trip or accident includingnot operable   Valve stroke test using AOV                                   Cooldown.

components           usinghandwheel.                         diagnostics                                                   Both HPI pumps will remain operable and HPI system is capable of mitigating SB LOCA and LSCM T. . I         MSV-25 actuator     Actuator fails with valve Mechanical failure     MSV-25 will remain closed and will     24 month surveillance test     Other ADV still functional     One ADV is inoperable for Fast   Very low probability in closed position                             not be operable for plant trip or       Valve stroke test using AOV   Depending on failure of       Cooldoswn.

accident                                 diagnostics                   actuator, valve may be capable Both HPI pumps will remain ofbeing stroked open with     operable and HPI system is handwwheel.                   capable of mitigating SBLOCA and LSCM 1.1.2           MSV-25 actuator     Actuator fails with valve Mechanical failure   MSV-25 will spuriously open and             I. ROTSG pressure       Other ADV still functional. Both HPI pumps will remain       For failure duringa in open position                               OTSG "A" will blow down to zero                   indication on control EFIC will respond with EF     operable and HPI system is       SBLOCA. this is very low psig pressure. MSV-25 will not be                 board and RECALL     actuation. MSLI, MFWl and     capable ofmitigating SBLOCA       probability ofa specific operable for plant trip or accident,             points               FOGG logic to isolate main     and LSCM                         component failure

: 2. ADV valve not           feedwaterand emergency         EFIC will actuate on lowOTSG     happeningduring a closed annunciator   feedwateron "faulted"         pressure for EF actuation, MSLI, specific unrelated accident alarm                 ROTSG                         MFWI, and FOGG logic,             event in which the

: 3. Rooftop camera         Depending on failure of       Transientwill be boundedby       accident would not create indication           actuator, valve may be capable main steam line break analysis if the component failure.

: 4. EFICactuationsof       of being stroked closed with   failure does not occur duringa   This is not a new failure EF. MSLI, MFWI       handwheel.                     SBLOCA or LSCM event,             mode as this could occur Evaluation of valve failing open with existing l/P, during a SBLOCAor LSCM           positioner, actuator, EFIC event has not been specifically   control module or EFIC modeled for all EPU changes.     pressure transmitter.

EC 71855     X64R0 including ADV failing open during SB LOCA with uncontrolled blowdown is such that fuel cladding temperature will remain acceptable and that resulting tube to shell delta temperatures will not create tube failure or create loss of tube integrity.

1.2 MSV-25A-FL Fusible ball valve fails   Mechanical failure MSV-25 will become inoperable after       I. 24 month                 Other ADV still functional     One ADV is inoperable for Fast   Very low probability MSV-25B-FL closed to isolate air from                   air downstream of valve bleeds off         surveillance test of       Valve will be capable of being Cooldown.                         With fusible link, this is a valve air supply                             due to control air I/P and positioner     valve stroke using EFIC   stroked open with handwheel. Both HPI pumps will remain       mechanical component normal air usage and then remain           or Fast Cooldown                                         operable and HPI system is       and a passive component closed and will not be operable for       demand signal                                             capable of mitigating SBLOCA     and failure is not within plant trip or accident except with         2. Supply air pressure                                 and LSCM                         CR3 design basis manual handwheel                             gauge on Positioner would read zero psig 1.3 MSV-25C-FL Fusible ball valve fails   Mechanical Failure MSV-25 will remain closed and will         1. 24 month               Other ADV still functional     One ADV is inoperable for Fast   Very low probability MSV-25D-FL and ports air off valve                       not be operable for plant trip or               surveillance test ofl Valve will be capable of being Cooldown.                         With fusible link, this is a air supply                                   accident except with manual                     valve stroke using   stroked open with handwheel   Both HPI pumps will remain       mechanical component handwheel                                       EFIC or Fast                                         operable and HPI system is       and a passive component Cooldown demand                                     capable of mitigating SBLOCA     and failure is not within signal                                               and LSCM                         CR3 design basis

: 2. Positioner supply air pressure gauge would read low abnormal psig

: 3. Normal operator building walkdown may detect air blowdown Page 11 of 70

EC 71855         X64R0 MSV-25 will spuriously open and            I  I. ROTSG pressure        Other ADV still functional. I Both HPI pumps will remain        For failure duringa 1.4.1 MSV-25-1/P I/P tails high       Mechanical tailure OTSG "A7 will blow down to zero                   indication on control  EFIC will respond with EF        operable and HPI system is        SBLOCA, this is very low psig pressure. MSV-25 will not be                 board and RECALL      actuation, MSLI, MFWI and        capable of mitigating SBLOCA      probability of a specific operable for plant trip or accident.             points               FOGG logic to isolate main        and LSCM.                        component failure

: 2. ADV valve not         feed water and emergency           EFIC will actuate on lowOTSG     happening during a closed annunciator    feedwateron "faulted" OTSG        pressure   for EF actuation, MSLI, specific unrelated accident alarm                  Valve will be capable of being    MFWI, and FOGG logic.             event in which the

: 3. Rooftop camera        stroked closed with manual        Transient will be bounded by       accident would not create indication            handwheel after control air is    main steam line break analysis if the component failure.

: 4. EFIC actuations of    isolated.                        failure does not occur during a   This is not a new failure EF, MSLI, MFWI                                          SBLOCA or LSCM event.             mode asthis could occur Evaluation of valve failing open with existing VP.

during a SBLOCA or LSCM           positioner actuator, or event has not been specifically   EFIC control module or modeled for all EPU changes.      EFIC pressure transmitter.

1.4.2 MSV-25-I/P I/P fails low       Mechanical failure or MSV-25 will fail closed and cannot             I. 24 month             Other ADV still functional       One ADV is inoperable for Fast     Lowprobability Electrical failure   open other than manual handwheel.                 surveillance test of Valve will be capable of being   Cooldown.                         This is not a new failure MSV-25 will not be operable for plant             valve stroke using   stroked open with manual         Both HPI pumps will remain         mode as this could occur trip or accident                                 EFIC or Fast         handwheel                         operable and HPI system is         with existing UP.

Cooldown demand                                         capable of mitigating SB LOCA signal                                                 and LSCM

: 2. Periodic calibration of /P 1.5.1 MSV-25-FRI Regulator fails high Mechanical failure   If instrument air is over 85 psig, relief     I. 24 month             Other ADV still functional       One ADV is inoperable for Fast     Very low probability valve MSV-189/190 will lift and                   surveillance test of Valve will be capable of being   Cooldown if instrument air blowdown air. MSV-25 will not be                 valve stroke using   stroked with manual               supply is over 100 psig operable for plant trip or accident               EFIC or Fast         handwheel after control air is   Both HPI pumps will remain Cooldown demand       isolated.                         operable and HPI system is signal                                                 capable of mitigating SB LOCA

: 2. With relief valves                                       and LSCM Page 12 of 70

EC 71855       X64R0 MSV-1 89/190 open, the positioner supply air pressure gauge would read abnormally low.

: 3. Periodic calibration of filter regulator 1.5.2 MSV-25-FRI   Regulatorfails low     Mechanical failure MSV-25 will fail closed and cannot           I. 24 month               Other ADV still functional     One ADV is inoperable for Fast Very low probability open other than manual handwheel                   surveillance test of Valve will be capable of being Cooldosn.                     This is not a new failure MSV-25 will not be operable for plant             valve stroke using   stroked open with manual       Both HPI pumps will remain     mode asthis could occur trip or accident                                   EFIC or Fast         handwheel.                     operable and HPI system is     with existing pressure Cooldown demand                                       capable of mitigating SBLOCA   regulator.

signal                                               and LSCM

: 2. Positioner supply air pressure gauge wouldread abnormally low

: 3. Periodic calibration of filter regulator 1.6.1 MSV-25       Limit switch contacts   Mechanical failure ADV open annunciator alarm will         ADV open annunciator alarm       Both ADV still functional     No impact on Fast Cooldown     Low probability Limit switch A-B fails in closed                         alarm when valve is closed,             for valve NOT CLOSED will                                       capability or ADV operability position                                   Annunciator alarm will not alarm       annunciate with valve closed                                   Both HPI pumps will remain when valve opens. TBV bias may be                                                                       operable and HPI system is applied when ADV is not closed,                                                                         capable of mitigating SBLOCA May add bias to TBV control setpoint                                                                   and LSCM with ADV partially open.

1.6.2 MSV-25       Limit switch contacts   Mechanical failure Annunciator alarm will not alarm             I. 24 month               Both ADV still functional     No impact on Fast Cooldown     Lowprobability Limit switch A-B fails in open                           when valve opens.                                 surveillance test of                                 capability or ADV operability position                                                                                     valve stroke                                         Both HPI pumps will remain

: 2. Intermediate Building                                 operable and HPI system is Rooftop camera will                                   capable of mitigating SBLOCA indicate valve not                                   and LSCM closed with steam flow indication

.7.1I MSV-25       Limit switch contacts   Mechanical failure TBV bias will be applied when ADV       Turbine bypass valve control     Both ADV still functional     No impact on Fast Cooldown     Lowprobability Limit switch C-D fails in closed                         is not closed. Will add bias to TBV     setpoint for steam pressure                                     capability or ADV operability position                                   control setpoint with ADV partially     will be incorrect                                               Both HPI pumps will remain open.                                                                                                   operable and HPI system is capable of mitigating SBLOCA and LSCM 1.7.2 MSV-25       Limit contacts C-D fail Mechanical failure TBV bias will not be applied when                                       Both ADV still functional     No impact on Fast Cooldown     Lowprobability Limit switch in open position                           ADV is closed. Will not add bias to     Turbine bypass valve control                                   capability or ADV operability TBV setpoint when TBVs and ADVs         setpoint for steam pressure                                     Both HPI pumps will remain are closed                             will be incorrect                                               operable and HPI system is capable of mitigating SBLOCA and LSCM 1.8.1 MSV-25-POS   Positioner fails to low Mechanical Failure MSV-25 will fail closed and cannot     24 month surveillance test of   Other ADV still functional     One ADV is inoperable for Fast Low probability pressure output                             open other than manual handwheel.       valve stroke using EFIC or       Valve will be capable of being Cooldowa.                     This is not a new failure MSV-25 will not be operable for plant   Fast Cooldown demand signal     stroked open with manual       Both HPI pumps will remain     mode as this could occur trip or accident                                                         handwheel.                     operable and HPI system is     with existing positione2.

capable of mitigating SBLOCA and LSCM 1.8.2 MSV-25-POS   Positioner fails to high Mechanical Failure MSV-25 will fail open and blow               1. ROTSG pressure           Other ADV still functional. Both HPI pumps will remain     For failure during a pressure output                             down associated ROTSG to zero psig.               indication on control EFIC will respond with EF     operable and HPI system is     SBLOCA, this is very low Page 13 of 70

EC 71855       X64R0 board and RECALL   actuation, MSLI, MFWI and       capable of mitigating SBLOCA    probability of a specific points              FOGG logic to isolate main     and LSCM.                       component failure

: 2. ADV valve not        feedwater and emergency          EFIC will actuate on lowOTSG   happening during a closed annunciator  feedwater on "faulted" OTSG    pressure for EF actuation. MSLI, specific unrelated accident alarm                Valve will be capable of being  MFWI, and FOGG logic.           event in which the

: 3. Rooftop camera      stroked with manual            Transientwill be bounded by       accident would not create indication          handwheel afier control air is  main steam line break analysis if the component failure.

: 4. EFICactuationsof    isolated.                        failure does not occur duringa   This is not a new failure EF, MSLI, MFWI                                      SBLOCA or LSCM event.             mode as this could occur Evaluntion of valve failing open with existing lIP, during a SBLOCA or LSCM           positioner actuator, or event has not been specifically   EFIC control module or modeled for all EPU changes.      EFIC pressure transmitter.

1.9   MSS62         Short circuit or open Electrical Failure MSV-25 or MSV-26 ADV control             24 month surveillance test of One ADV is available for       One ADV is inoperable for Fast MSS66 circuits circuit                                 signal fails to zero                     valve stroke using EFIC or   redundant functions of plant   Cooldown control.

Fast Cooldown                 trip or shutdown from EFIC. Wiring does not affect HPI power or controls.

Both HPI pumps will remain operable and HPI system is capable of mitigating SBLOCA and LSCM 1.10.1 MSV-25-FR2     Regulatorfails high   Mechanical Failure Supply pressure to I/P fails much                   I. ROTSG pressure Other ADV still functional.     Both HPI pumps will remain       For failure duringa higher than design supply air pressure                 indication on EFIC will respond with EF       operable and HPI system is       SBLOCA, this is very low for L/Pcontrol. MSV-25-1/P is                           control board actuation, MSLI. MFWland       capable of mitigating SBLOCA     probability ofa specific inoperable,                                             and RECALL     FOGG logic to isolate main     and LSCM.                         component failure MSV-25-1/P cannot maintain 3 psig                       points         feedwater and emergency           EFIC will actuate on low OTSG   happening during a closed signal. ADV will open.                     2. ADV valve not   feedwater on "faulted" OTSG     pressure for EF actuation, MSLI, specific unrelated accident Conservative assumption is that ADV                     closed         Valve will be capable of being MFWI, and FOGG logic,             event in which the will fully open.                                       annunciator   stroked with manual             Transient will be bounded by     accident ,ould not create alarm         handwheel after control air is main steam line break analysis if the component failure.

EC 71855       X64R0

: 3. Rooftop camera isolated.                       failure does not occur during a   This is not a new failure indication                                    SBLOCA or LSCM event.             mode as this could occur

: 4. EFIC actuations                                Evaluation of valve failing open with existing UP, ofEF, MSLI,                                    during a SBLOCA or LSCM           positioner actuator, or MFWI                                          event has not been specifically   EFIC control module or modeled for all EPU changes.      EFIC pressure transmitter.

1.10.2 MSV-25-FR2       Regulator fails low     Mechanical Failure   Supply pressure to I/P fails low. I/P         I. 24 month               One ADV is available for       One ADV is inoperable for Fast output to positioned will fail low.               surveillance test of redundant finctions of plant   Cooldown control.

MSV-25 will fail closed,                         valve stroke using   trip or shutdown from EFIC. Both HPI pumps will remain EFIC or Fast                                       operable and HPI system is Cooldown                                             capable of mitigating SBLOCA

: 2. Periodic calibration                                   and LSCM of filter regulator 2.0   MSV-26           Valve fails to stroke   Mechanical failure of MSV-25 will not be operable for plant     24 month surveillance test     Other ADV still functional                                       Very lowprobability valve internal       trip or accident including not operable   Valve stroke test using AOV components           using handwheel.                         diagnostics 2.1.1 MSV-26 actuator Actuator fails with valve Mechanical failure   MSV-26 will remain closed and will       24month surveillance test     Other ADV still functional     One ADV is inoperable for Fast   Very low probability in closed position                             not be operable for plant trip or         Valve stroke test using AOV   Depending on failure of       Cooldown.

accident                                 diagnostics                   actuator, valve may be capable Both HPI pumps will remain ofbeing stroked open with     operable and HPI system is handwheel.                     capable of mitigating SBLOCA and LSCM 2.1.2 MSV-26 actuator Actuator fails with valve Mechanical failure   MSV-26 will spuriously open and               I. ROTSG pressure         Other ADV still functional. Both HPI pumps will remain       For failure during a in open position                               OTSG "B" will blow down to zero                   indication on control EFIC will respond with EF     operable and I-WIsystem is       SBLOCA, this is very low psig pressure. MSV-26 will not be                 board and RECALL     actuationMSLI. MFWland         capable ofmitigating SBLOCA       probability ofa specific operable for plant trip or accident,               points               FOGG logic to isolate main     and LSCM                         component failure

: 2. ADV valve not           feedwaterand emergency         EFIC will actuate on low OTSG     happening during a closed annunciator   feedwater on "faulted" OTSG   pressure for EF actuation. MSLI, specific unrelated accident alarm                 Depending on failure of       MFWI, and FOGG logic,             event in which the

: 3. Rooftop camera         actuator, valve may be capable Transient will be bounded by     accident would not create indication           ofbeing stroked closed with   main steam line break analysis if the component failure.

EC 71855       X64R0 handwheel.                     failure does not occur during a This is not a new failure SBLOCA or LSCM event.           mode as this could occur Evaluation of valve failing open with existing l/P, during a SBLOCA or LSCM           positioner actuator, or event has not been specifically   EFIC control module or modeled for all EPU changes.      EFIC pressure transmitter.

2.2 MSV-26A-FL Fusible ball valve fails   Mechanical failure MSV-26 will become inoperable after         I. 24 month             Other ADV still functional     One ADV is inoperable for Fast   Very lowprobability MSV-26B-FL closed to isolate air from                   air downstream of valve bleeds offdue         surveillance test of Valve will be capable of being Cooldown                         With fusible link, this is a valve air supply                             to control air UIPand positioner normal       valve stroke suing   stroked open with handwheel. Both HPI pumps will remain       mechanical component air usage MSV-26 will then remain             EFIC or Fast                                         operable and HPI system is       and a passive component closed and will not be operable for           Cooldown demand                                     capable of mitigating SBLOCA     and failure is not within plant trip or accident except with             signal                                               and LSCM                         CR3 design basis manual handwheel                           2. Positionersupplyair pressure gauge would show zero psig 2.3 MSV-26C-FL Fusible ball valve fails   Mechanical failure MSV-26 will remainclosed and will           I. 24 month             Other ADV still functional     One ADV is inoperable for Fast   Very low probability MSV-26D-FL open and ports air off                       not be operable for plant trip or             surveillance test of                                 Cooldown                         With fusible link, this is a valve air supply                             accident except with manual                   valve stroke using                                   Both HPI pumps will remain       mechanical component handwheel                                     EFIC or Fast                                         operable and HPI system is       and a passive component Cooldown demand                                     capable of mitigating SB LOCA     and failure is not within signal                                               and LSCM                         CR3 design basis

: 2. Positioner supply air pressure gauge would showlow abnormal psig

: 3. Normal operator building walkdown may detect air blowdown Page 16 of 7O

EC 71855         X64R0 2.4.1 MSV-26-1/P I/P fails high       Mechanical failure MSV-26 will spuriously open and               I. ROTSG pressure        Other ADV still functional      Both HPI pumps will remain      For failure during a blow down OTSG "B" to low                        indication on control EFIC will respond on MFWI      operable and HPI system is        SBLOCA, this is very low pressure. MSV-26 will not be operable             board and RECALL     and FOGG logic to isolate     capable of mitigating SBLOCA      probability ofa specific for plant trip or accident.                      points                main feedwater and emergency   and LSCM.                        component failure

: 2. ADVvalvenot            feedwater on "faulted" OTSG     EFIC will actuate on low OTSG   happening during a closed annunciator    After control air is isolated, pressure for EF actuation, MSLI, specific unrelated accident alarm                valve will be capable ofbeing  MFWI, and FOGG logic.             event in which the

: 3. Rooftop  camera      stroked closed with manual    Transient will be bounded by     accident would not create indication            handwheel                      main steam line break analysis if the component failure.

: 4. EFIC actuations of                                    failure does not occur during a   This is not a new failure EF, MSLI, MFWI                                      SBLOCA or LSCM event.             mode as this could occur Evaluation of valve failing open with existing lI/P, during a SBLOCA or LSCM           positioner actuator, or event has not been specifically   EFIC control module or modeled for all EPU changes.      EFIC pressure transmitter.

2.4.2 MSV-26-I/P /P fails low       Mechanical failure MSV-26 will fail close and will not           I. 24 month             Other ADV still functional     One ADV is inoperable for Fast   Very low probability open without manual bandwheel.                   surveillance test of valve will be capable of being Cooldown                         This is not a new failure valve stroke using   stroked open with manual       Both HPI pumps will remain       mode as this could occur EFIC or Fast         handwheel                     operable                         with existing ADV UP, Cooldown demand                                                                       ADV positioner, EFIC signal                                                                                 control module or EFIC

: 2. Periodic calibration                                                                   pressure controller.

of L/P 2.5.1 MSV-26-FRI Regulator fails high Mechanical failure If instrument air is over 85 psig. relief     I. 24 month             Other ADV still functional     One ADV is inoperable for Fast   Very low probability valve MSV-189/190 will lift and                   surveillance test of Valve will be capable of being Cooldown if instrument air blowdown air. MSV-25 will not be                 valve stroke using   stroked with manual           supply is over 100 psig operable for plant trip or accident               EFIC or               handwheel after control air is Both HPI pumps will remain Fast Cooldown         isolated,                     operable and HPI system is demand signal                                       capable of mitigating SB LOCA

: 2. With relief valves                                   and LSCM Page 17 of 70

EC 71855       X64R0 MSV-1 89/190 open, the positioner supply air pressure gauge would read abnormally low.

: 3. Periodic calibration offilter regulator 2.5.2 MSV-26-FRI   Regulator fails low   Mechanical failure   MSV-26 will fail closed and cannot           I. 24 month               Other ADV still finctional     One ADV is inoperable for Fast Very low probability open without manual handwheel.                     surveillance test of Valve will be capable of being Cooldown MSV-26 will not be operable for plant             valve stroke using   stroked open with manual       Both HPI pumps must remain trip or accident                                   EFIC or Fast         handwheel.                     operational Cooldown demand signal

: 3. Periodic calibration offilter regulator 2.6.1 MSV-26       Limit switch contacts Mechanical failure ADV open annunciator alarm will         ADV open annunciator alarm       Both ADV still functional     No impact on Fast Cooldown     Low probability Limit switch A-B fails in closed                       alarm when valve is closed,             for valve NOT CLOSED will                                       capability or ADV operability position                                   Annunciator alarm will not alarm         annunciate with valve closed                                   Both HPI pumps will remain when valve opens. TBV bias maybe                                                                         operable and HPI system is applied when ADV is not closed,                                                                         capable of mitigating SBLOCA May add bias to TBV control setpoint                                                                     and LSCM with ADV partiallyopen.

2.6.2 MSV-26       Limit switch contacts   Mechanical failure Annunciator alarm will not alarm               I. 24 month               Both ADV still functional     No impact on Fast Cooldown     Lowprobability Limit switch A-B fails in open                           when valve opens.                                 surveillance test of                                 capability or ADV operability position                                                                                       valve stroke                                         Both HPI pumps will remain

: 2. Intermediate Building                                   operable and HPI system is rooftop camera will                                   capable of mitigating SB LOCA indicate valve not                                   and LSCM closed with steam indication 2.7.1 MSV-26       Limit switch contacts   Mechanical failure TBV bias will be applied when ADV       Turbine bypass valve control     Both ADV still functional     No inpact on Fast Cooldown     Lowprobability Limit switch C-D fails in closed                         is not closed. Will add bias to TBV     setpoint for steam pressure                                     capability or ADV operability position                                   control setpoint with ADV partially     will be incorrect                                               Both HPI pumps will remain open.                                                                                                   operable and HPI system is capable of mitigating SB LOCA and LSCM 2.7.2 MSV-26       Limit contacts C-D fail Mechanical failure . TBV bias will not be applied when                                       Both ADV still functional     No impact on Fast Cooldown     Low probability Limit switch in open position                           ADV is closed. Will not add bias to     Turbine bypass valve control                                   capability or ADV operability TBV setpoint when TBVs and ADVs         setpoint for steam pressure                                     Both HPI pumps will remain are closed                               will be incorrect                                               operable and HPI system is capable of mitigating SBLOCA and LSCM 2.8.1 MSV-26-POS   Positioner fails low   Mechanical Failure MSV-26 will fail closed and cannot       24 month surveillance test of   Other ADV still functional     One ADV is inoperable for Fast Very low probability pressure output                             open other than manual handwheel.       valve stroke using EFIC or       Valve will be capable of being Cooldown                       This is not a new failure MSV-26 will not be operable for plant   Fast Cooldown Pressure           stroked open with manual       Both HPI pumps will remain     mode as this could occur trip or accident                         Control demand signal           handwheel                     operable and HPI system is     with existing positioned.

capable of mitigating SBLOCA and LSCM 2.8.2 MSV-26-POS   Positioner fails high   Mechanical Failure MSV-26 will fail open and blow               1. ROTSG pressure           Other ADV still functional. Both HPI pumps will remain     For failure during a pressure output                             down associated ROTSG to zero psig.               indication on control EFIC will respond with EF     operable and HPI system is     SBLOCA, this is very low Sboard                                                     and RECALL     actuation MSLI, MFWI and       capable of mitigating SBLOCA   probability ofa specific Page 18 of 70

EC 71855       X64R0 points             FOGG logic to isolate main      and LSCM.                        I component failure

: 2. ADV valve not       feedwater and emergency         EFIC will actuate on lowOTSG happening during a closed annunciator  feedwateron "faulted" OTSG      pressure for EF actuation, MSLI. specific unrelated accident alarm              Valve will be capable of being  MFWI, and FOGG logic.               event in which the accident

: 3. Rooftop camera      stroked closed with manual      Transient will be bounded by       would not create the indication          handwheel after air is isolated main steam line break analysis if component failure. This is

: 4. EFIC actuations of                                  failure does not occur during a     not a new failure mode as EF, MSLI. MFWl                                      SBLOCA or LSCM event.               this could occur with Evaluation of valve failing open   existing UIP,positioner during a SBLOCA or LSCM             actuator, or EFIC control event has not been specifically     module or EFIC pressure modeled for all EPU changes.        transmitter.

2.9. I MSV-26-FR2 Regulator tails high Mechanical Failure Supply pressure to I/P fails much       I .ROTSG pressure indication Other ADV still functional. Both HPI pumps will remain          For failure duringa higher than design supply air pressure           on control board and EFIC will respond with EF      operable and HPI system is        SBLOCA, this is very low for I/P control. MSV-26-1/P is                   RECALL points        actuationMSLI, MFWI and        capable of mitigating SBLOCA      probability of a specific inoperable.                             valve not closed annunciator FOGG logic to isolate main      and LSCM.                          component failure MSV-26-1/P cannot maintain 3 psig               alarm                feedwaterand emergency          EFIC will actuate on low OTSG    happening during a closed signal. ADV will open.                 3. Rooftop camera       feedwateron "faulted" OTSG     pressure for EF actuation, MSLI,   specific unrelated accident Conservative assumption is that ADV              indication          Valve will be capable of being  MFWI, and FOGG logic.             event in which the will fully open.                              4. EFIC actuations of  stroked with manual            Transient will be bounded by       accident would not create EF, MSLI. MFWI      handwheel after control air is  main steam line break analysis if the component failure.

isolated.                      failure does not occur during a   This is not a new failure SBLOCA or LSCM event.             mode as this could occur Evaluation of valve failing open   with existing I/P, during a SBLOCA or LSCM           positioner actuator, or event has not been specifically     EFIC control module or modeled for all EPU changes.        EFIC pressure transmitter.

However, evaluation of AREVA SBLOCA analysis performed including ADV failingopen during SBLOCA with uncontrolled blowdown is such Page 19 of 70

EC 71855       X64R0 that fuel cladding temperature will remain acceptable and that resulting tube to shell delta temperatures will not create tube failure or create loss of tube integrity.

2.9.2 MSV-26-FR2 Regulator fails low Mechanical Failure Supply pressure to I/P fails low. I/P         I. 24 month             One ADV is available for     One ADV is inoperable for Fast output to positioned will fail low,               surveillance test of redundant functions of plant Cooldown control.

MSV-25 will fail closed,                         valve stroke using   trip or shutdown from EFIC. Both HPI pumps will remain EFIC or Fast                                     operable and HPI system is Cooldowvn                                         capable of mitigating SBLOCA

: 2. Periodic calibration                               and LSCM of filter regulator 3.0   IAV-663   Regulator fails high Mechanical failure Reliefvalves IAV-1084 and IAV-                 1. SP-300 surveillance Redundant MSV-26 will be     One ADV not operable in SBO       Lowprobability 1085 will open to protect system                 Operator logs       available in SBO or LOOP     or LOOP.

components. MSV-25 will lose its                   back-up air system                               Both HPI pumps will remain backup air supply and not be operable             pressure low on IA-                             operable and HPI system is in a SBO or LOOP                                   195-PI                                           capable of mitigating SBLOCA

: 2. Normal operator                                     and LSCM.

walkdown may                                     For SBO or other design detect air blowdown                               function, redundant MSV-26 will be operable.

MSV-25 will be operable with handwheel in an Appendix R fire 3.1   IAV-663   Regulator fails low Mechanical failure MSV-25 will lose its backup air         SP-300 surveillance           Redundant MSV-26 will be   One ADV not operable in SBO       Lowprobability supplyand not be operable in a SBO       Operator logs backup air     available in SBO or LOOP     or LOOP or LOOP                                 system pressure low on IA-                                 Both HPI pumps will remain 196-PI                                                     operable and HPI system is capable of mitigating SBLOCA and LSCM.

MSV-25 will be operable with handwheel in an Appendix R fire 3.2   IAV-672   Regulator fails high Mechanical failure Reliefvalves IAV-1088 and IAV-               I. SP-300 surveillance   Redundant MSV-25 will be   One ADV not operable in SBO       Lowprobability 1089 will open to protect system       Operator logs back-up air     available in SBO or LOOP     or LOOP components. MSV-26 will lose its         system pressure lowon IA-                                 Both HPI pumps will remain back-up air supply and not be operable   197-PI                                                     operable and HPI system is in a SBO or LOOP                             2. Normal operator                                     capable of mitigating SBLOCA walkdown may                                     and LSCM.

detect air blowdown.                               For SBO or other design function, redundant MSV-25 Page 20 of 70

EC 71855       X64R0 will be operable.

MSV-26 will be operable with handwheel in an Appendix R fire 3.3 IAV-672   Regulator fails low     Mechanical failure MSV-26 will lose its backup air         SP-300 surveillance             Redundant MSV-25 will be     One ADV not operable in SBO           Lowprobability supply and not be operable in a SBO     Operator logs backup air       available in SBO or LOOP     or LOOP or LOOP                                 system pressure low on IA-                                   Both HPI pumps will remain 198-PI                                                     operable and HPI system is capable of mitigating SBLOCA and LSCM.

MSV-26 will be operable with handwheel in an Appendix R fire 3.4 IAV-662   Relief Valves fail open Mechanical failure Per DBD 92 criteria, this is a passive   Although not a credible       This would impact onlyone of Both HPI pumps will remain IAV-671                                               failure and outside CR3 design basis,   failure per CR3 design basis, two ADV backup air supplies   operable and HPI system is If credible it would bleed and deplete   this failure would be detected and not impactany HPI         capable ofmitigating SBLOCA back-up air bottle bank                 by [A-I97-PI or IA-195-PI     operability,                 and LSCM.

with SP-300                                                 For SBO or other design Normal operator walkdown                                     function, redundantADV will be may detect air blowdown                                     operable.

Both ADVs will be operable with handwheel in an Appendix R fire 3.5 IAV-1084   ReliefValves fail open Mechanical failure Per DBD92 criteria, this is a passive   Although not a credible       This would impact only one of Both HPI pumps will remain IAV-1085                                             failure and outside CR3 design basis. failure per CR3 design basis, two ADV backup air supplies   operable and HPI system is IAV-1088                                             If credible it would bleed and deplete   this failure would be detected and not impact any HPI       capable of mitigating SBLOCA IAV-1089                                             backup air bottle bank                   by IA-196-PI or IA-198-PI     operability,                 and LSCM.

with SP-300                                                   For SBO or other design Normal operator walkdown                                     function, redundant ADV will be may detect air blowdown                                     operable.

Both ADVs will be operable with handwheel in an Appendix R fire 3.6 MSV-189   ReliefValves fail open Mechanical failure Per DBD92 criteria, this is a passive   Although not a credible       This would impact operability Both HPI pumps will remain MSV-190                                               failure and outside CR3 design basis,   failure per CR3 design basis, ofone oftwo ADV backup air   operable and HPI system is If credible it would bleed and deplete   this failure could be detected supplies and not impact any   capable of mitigating SBLOCA backup air bottle bank in the event of   by any one of several periodic HPI operability,             and LSCM.

a LOOP or SBO                           air line leak test methods.                                 For SBO or other design Normal operator walkdown                                     function, redundant ADV will be may detect air blowdown                                     operable.

Both ADVs will be operable with handwheel in an Appendix R fire 4.1 MSV-25-TRI Contact set 6-5 fails   Mechanical failure EFIC demand for one ADV will be               I. Two year interval     Redundant ADV will be         One ADV is inoperable for EFIC       This is low probability MSV-26-TRI open for normal EFIC                       isolated from associated ADV. ADV                   periodic test using available and is sized       control of ADV.                       created by mechanical demand to ADV I/P                         will remain closed in normal operation             EFIC demand to     adequately for all events in Redundant ADV design (for             damage to relay. This with no impact on normal plant                     stroke ADV         which EFIC valve demand is   events that do Cooldown)      not requireto Fast is degraded      single  would not be new failure operation. One ADV will not be                 2. Valve does not open   used for ADVs.               ADV. CR3 could cooldown with         mode as an existing operable for plant trip or accident                 on plant abnormal                                 one ADV with 1025 psig               electronic component mitigation that uses EFIC control of               response to control ADV is operable with         setpoint or with manual control.     (low) failure would have ADV                                                 steam pressure at   handwheel for Appendix R     No effect on HPI system. Both       identical effect and event                         HPI pump/trains will remain operable for mitigation of Page 21 of 70

EC 71855       X64R0 1025 psig                                             SBLOCA and LSCM.                 method of detection Fast Cooldown system for both ADVs is operable if only contacts 6-5 are defective and no other contract sets of relay.

4.2 MSV-25-TRI Relay contacts 6-7 fail Mechanical failure EFIC demand for one ADV will be               I. Two year interval         Redundant ADV will be         One ADV is inoperable for       This is low probability MSV-26-TRI closed during EFIC                           isolated from ADV. ADV will remain                 periodic test using     available and is sized       EFIC control of ADV.             created by mechanical control of ADV                             closed in normal operation with no                   EFIC demand to           adequately for all events in Redundant ADV design (for         damage to relay. This impact on normal plant operation. One               stroke ADV               which EFIC control valve     events that do not require Fast   would not be new failure ADV will not be operable for plant                                           demand is used.               Cooldown) is degraded to one     mode as an existing trip or accident mitigation                     2. Valve does not open     ADV is operable with         ADV.                             electronic component There will be no current from Foxbor                 on plant abnormal       handwheel for Appendix R     Redundant ADV design (for         (low) failure would have V/I module since contacts 9-10 will                 response to control     event                         events that do not require Fast   identical effect and open.                                               steam pressure at                                     Cooldown) is degraded to single   method of detection 1025 psig                                             ADV.

4.3 MSV-25-TRI Relay contacts 6-7 fail Mechanical failure EFIC demand will produce no current       If only this contact fails in this Fast Cooldown system is       Fast Cooldown system control is   This is low probability MSV-26-TR I open during Fast                           for "feedback" circuit since circuit is   mode, no impact on EFIC or         operable. Both HPI pumps will operable for both ADVs           created by mechanical Cooldown energization                       open. Fast Cooldown operability is not   Fast Cooldown demand signal         remain operable for Fast     assuming no other relay contact   damage to relay.

of relay                                   affected.                                 to ADV operability.                 Cooldown                     failures.

Two year periodic testing of                                     HPI pump/trains are not affected valve stroke using both EFIC                                     by this transfer relay. Both HPI and Fast Cooldown detmand                                         pump/trains are operable for signals sequentially will                                         mitigation of SBLOCA and detect any operability issues.                                   LSCM.

4.4 MSV-25-TRI Contact set 8-9 fails   Mechanical failure EFIC signal return will be interpreted         1. Two year interval         Redundant ADV will be         One ADV is inoperable from       This is low probability MSV-26-TRI open for normal EFIC                       and current loop will be open with no               periodic test using     available and is sized       EFIC Control. Redundant ADV       created by mechanical current loop return from                   current to ADV 1/P.One ADV will                     EFIC demand to           adequately for all events in design (for events that do not   damage to relay. This ADV I/P                                     remain closed in normal operation                   stroke ADV               which EFIC control valve     require Fast Cooldown) is         would not be new failure with no impact on normal plant                                               demand is used               degraded to one ADV.             mode as an existing operation. One ADV will not be                 2. Valve does not open                                     CR3 could cooldown with one       electronic component Page 22 of 70

EC 71855       X64R0 operable for plant trip or accident               on plant abnormal                                   ADV with 1025 psig setpoint or   (low) failure would have mitigation                                         response to control                                 with manual control,             identical effect and There will be no current from Foxboro             steam pressure at                                   Relay failure does not affect HPI method of detection V/I module since contacts 8-9 will be             1025 psig                                         system. Both HPI pump/trains open.                                                                                                 will remain operable for mitigation of SBLOCA and LSCM.

4.5 MSV-25-TR I Relay contacts 9-10 fail   Mechanical failure     EFIC demand for ADV will be open             I. Two year interval     Redundant ADV will be         Fast Cooldown system is           This is low probability MSV-26-TRI   closed during EFIC                               circuit with no current to ADV. One               periodic test using available and is sized         operable for both ADVs           created by mechanical control of ADV                                   ADV will remain closed in normal                   EFIC demand to       adequately for events in which assuming no other relay contact   damage to relay. This operation with no impact on normal                 stroke ADV           EFIC control valve demand is   failures. Redundant ADV design   would not be new failure plant operation. One ADV will not be           1 Valve does not open   used                           (for events that do not require   mode as an existing operable for plant trip or accident               o"                                                 Fast Cooldown) is degraded to     electronic component mitigation from EFIC                               on plant abnormal                                   one ADV.                         (low) failure would have There will be no current from Foxhoro             response to control                                 CR3 could cooldown with one       identical effect and V/I module since contacts 8-9 will be             steam pressure at                                   ADV with 1025 psig setpoint or   method of detection open while contacts 6-5 are closed.                 1025 psig                                         with manual control.

Relay failure does not affect HPI system. Both HPI pump/trains will remain operable for mitigation of SBLOCA and LSCM 4.6 MSV-25-TRI Relay contacts 9-10 fail   Mechanical failure     EFIC demand will produce no current       If onlythis contact fails in No impact on Fast Cooldown     Fast Cooldown system is           This is low probability MSV-26-TRI open during Fast                                   for "feedback" circuit since circuit is this mode, no impact on EFIC system operability.             operable for both ADVs           created by mechanical Cooldown energization                             open. Fast Cooldown operability is not   or Fast Cooldowo demand       Fast Cooldown system is         assuming no other contact         damage to relay.

of relay                                           affected,                               signal to ADV operability,   operable for both ADVs         failures on relay. Relay failure Two year periodic testing of assuming no other contact       has no effect on HPI system valve stroke using both EFIC failures on relay. Both HPI     Both HPI pump/trains will and Fast Cooldowndemand       pumps will remain operable     remain operable for mitigation signals sequentially will     for Fast Cooldown               ofSBLOCA and LSCM.

detect any operability issues 4.7 MSV-25-TRI Contact set 12-13 does       Mechanical failure   FCS controller signal demand will be     Periodic testing of Fast     This single failure would not   Fast Cooldown function for one   This is low probability MSV-26-TR I not close (fails open) in                         interrupted and current loop will be     Cooldowo system on refuel     affect the HPI pump motor       ADV is not operable,             created by mechanical Fast Cooldown demand                               open.                                   interval using Fast Cooldown poswer or switchgear control   This single failure is limited to damage to relay.

to ADV upon relay                                 This single failure would result in     demand signal to stroke valve power sources. It would not     relay and ADV. It does not affect energization                                       either MSV-25 or 26 Fast Cooldown                                     affect HPI pump flow           HPI pump or HPI motor voltage capability being inoperable,                                           injection trains or any         or HPI or diesel switchgear DC One ADV will remain closed with                                         125VDC plant station control   voltage control. Both HPI EFIC current loop transferred (from                                   power buses for HPI pump       pump/trains are operable for relay energization) and FCS                                           switchgear or associated train mitigation of SBLOCA and controller current loop open and not                                   diesel..                       LSCM.

4.8 MSV-25-TRI Contact set 12-I1 does     Mechanical failure     FCS controller signal demand will be     Periodic testing of Fast       This single failure would not Fast Cooldown function for one   This is low probability MSV-26-TRI   not open (fails closed) in                       interrupted and current loop will be     Cooldowo system on refuel     affect the HPI pump motor     ADV is not operable.             created by mechanical Fast Cooldown demand                             open.                                   interval using Fast Cooldown   power or switchgear control   This single failure is limited to damage to relay.

to ADV upon relay                               I This single failure would result in     demand signal to stroke valve power sources. It would not   relay and ADV. It does not affect Page 23 of 70

EC 71855       X64R0 energization                                   either MSV-25 or 26 Fast Cooldown                                       affect HPI pump flow           HPI pump or HPI motor voltage capability being inoperable,                                             injection trains or any         or HPI or diesel switchgear DC One ADV will remain closed with                                           125VDC plant station control   voltage control. Both HPI EFIC current loop transferred (from                                     power buses for HPI pump       pump/trains are operable for relay energization) and FCS                                             switchgear or associated train mitigation of SB LOCA and controller current loop open and not                                     diesel..                       LSCM.

4.9 MSV-25-TRI   Contactset 12-1l fails     Mechanicalfailure   FCScontrollerfeedbackloopwillnot         Ifonlythiscontactfailsinthis   Thissingle failurewouldaffect   Thissinglefailurewouldnot         Thisis lowprobability MSV-26-TRI   open with relay de-                           produce current loop since loop is       mode, no impact on EFIC or     only the Fast Cooldown         affect the HPI pump motor         created by mechanical energized                                     open circuit.                             Fast Cooldown demand signal   "feedback" loop This single     power or switchgear control       damage to relay.

Normal EFIC control is not affected,     to ADV operability,             failure does not affect the     power sources. Two HPI Two year periodic testing of   EFIC signal to ADV.             pump/trains are operable for valve stroke using both EFIC                                   SBLOCA and LSCM and Fast Cooldown demand                                       mitigation.

signals sequentially will detect any operability issues 4.10 MSV-25-TR I Contact set 15-16 does     Mechanical failure FCS controller current loop signal       Periodic testing of Fast       This single failure would not   Fast Cooldown function for one   This is low probability MSV-26-TRI   not close (fails open) in                     return is open and current loop will be Cooldown system on refuel       affect the HPI pump motor       ADV is not operable.             created by mechanical Fast Cooldown demand                           open.                                   interval using Fast Cooldown   power or switchgear control     This single failure is limited to damage to relay.

to ADV upon relay                             This single failure would result in     demand signal to stroke valve   power sources. It would not     relay and ADV. It does not affect energization                                   either MSV-25 or 26 Fast Cooldown                                       affect HPI pump flow           HPI pump or HPI motor voltage capability being inoperable,                                             injection trains or any         or HPI or diesel switchgear DC One ADV will remain closed with                                           125VDC plant station control   voltage control. Two HPI EFIC current loop transferred                                           power buses for HPI pump       pump/trains are operable for (from relay energization) and FCS                                       switchgearor associated train   mitigation of SBLOCA and controller current loop open and not                                     diesel..                       LSCM.

4.11 MSV-25-TRI Contact set 15-14 does     Mechanical failure   FCS controller current loop signal       Periodic testing of Fast     This single failure would not   Fast Cooldown function for one   This is low probability MSV-26-TRI not open (fails closed) in                     return is open and current loop will be Cooldown system on refuel     affect the HPI pump motor       ADVis not operable.               created by mechanical Fast Cooldown demand                           open.                                     interval using Fast Cooldown power or switchgear control     This single failure is limited to damage to relay.

to ADV upon relay                               This single failure would result in     demand signal to stroke valve power sources. It would not     relay and ADV. It does not affect energization                                   either MSV-25 or 26 Fast Cooldown                                       affect HPI pump flow             HPI pump or HPI motor voltage capability being inoperable,                                           injection trains or any         or HPI or diesel switchgear DC One ADV will remain closed with                                         125VDC plant station control   voltage control. Two HPI EFIC current loop transferred                                           power buses for HPI pump         pump/trains are operable for (from relay energization) and FCS                                       switchgear or associated train   mitigation of SBLOCA and controller current loop open and not                                   diesel..                         LSCM.

4.12 MSV-25-TR I Contact set 15-14 fails   Mechanical failure   FCS controller feedback loop will not     If only this contact fails in This single failure would affect This single failure would not     This is lowprobability MSV-26-TRI open with relay de-                             produce current loop since loop is       this mode, no impact on EFIC   only the Fast Cooldown           affect the HPI pump motor         created by mechanical energized                                       open circuit on return loop to           or Fast Cooldown demand       "feedback" loop This single     power or switchgear control       damage to relay.

controller,                             signal to ADV operability,     failure does not affect the     power sources. Two HPI Normal EFIC control is not affected. Two year periodic testing of   EFIC signal to ADV.             pump/trains are operable to valve stroke using both EFIC                                   mitigate SBLOCA and LSCM.

and Fast Cooldown demand signals sequentially will detect any operability issues 4.13 MSV-25-TRI   Contact 12-13 fails       Mechanical failure   Fast Cooldown system demand and         Periodic testing of Fast       .                                                                This is low probability MSV-26-TR I closed during EFIC                             EFIC demand from Foxboro V/I             Cooldown system using EFIC     Redundant opposite train ADV   Redundant ADV for non Fast       created by mechanical control of ADV                                 isolator will be connected,             demand signal and               will be available and is sized Cooldown functions is operable,   damage to relay.

Fast Cooldown controller current loop   sequentially Fast Cooldown     adequately for all events in   This single failure is limited to is powered by 36 VDC and Foxboro         demand signal to stroke ADV     which EFIC control valve       relay and failure of Fast V/I isolation module current loops are                                   demand is used                 Cooldown/EFIC interface. It Page 24 of 70

EC 71855       X64R0 controlled at nominal 24 VDC. These                                                                   does not affect HPI pump or HPI loops are semi-connected.                                              With design of Foxboro V/l,    motor voltage or control circuit.

With contact 12-13 (only) closed, there                                 Fast Cooldown signal cannot    Two HPI punrp/trains are is no return current loop path for Fast                                 propagate back into EFIC      operable for SBLOCA and Cooldown pressure controller demand                                     control module. Field bus fuse  LSCM mitigation.

signal back to controller since contacts                               is 1/4 amp for Foxboro 15-16 are open. There is no current                                   controller so impact on VBDP produced by FCS controller since                                       power for Foxboro controller Foxboro module and FCS controller                                       is negligible.

return circuitry are not grounded and are not connected. Impact on EFIC demand signal from Foxboro isolation module is indeterminate but current from Foxboro module is limited to 59.7 ma by 402 ohm resistors and Foxboro module has 1/4 amp fuse so VBDP power source for module is protected from adverse effect. (see 2AO-VAI document in VTMA 01283-000) 4.14 MSV-25-TRI Contact 15-16 fails     Mechanical ailaure Fast Cooldown system signal return       Periodic testing of Fast      Redundant opposite train ADV  One ADV is not operable for      This is low probability MSV-26-TRI closed during EFIC                          and EFIC signal return to Foxboro V/I     Cooldown system using EFIC  will be available and is sized  EFIC control. Redundant ADV      created by mechanical control ofADV                                isolator will be connected. Fast         demand signal and            adequately for all events in    for all events in which EFIC      damage to relay.

Cooldown controller current loop is      sequentially Fast Cooldown  which EFIC control valve        control valve demand is used is powered by 36 VDC and Foxboro V/1         demand signal to stroke ADV  demand is used                  operable. This single failure is isolation module current loops are                                     With design of Foxboro V/I,    limited to relay and failure of controlled at nominal 24 VDC. These                                     Fast Cooldown signal cannot    Fast Cooldown/EFIC interface.

loops are semi-connected. With                                         propagate back into EFIC        It does not affect HPI pump or contact 15-16 (only) closed, there is                                 control module. Field bus fuse  HPI motor voltage or control no current loop path for controller                                     is 1/4amp for Foxboro            circuit.

demand signal since contacts 12-13 are                                controller so impact on VBDP    Two HPI pump/trains are open and since Foxboro module and                                      power for Foxboro controller    operable for SBLOCA and FCS controller return circuitry are                                   is negligible.                  LSCM mitigation.

grounded and are not connected, Impact on EFIC demand signal from Foxboro isolation module is indeterminate but current from Foxboro module is limited to 59.7 ma by 402 ohm resistors and Foxboro module has A amp fuse so VBDP power source for module is protected from adverse effect (see 2AO-VAI document in VTMA 01283-000) 4.15 MSV-25-TRI Contact 6-5 fails closed Mechanical failure Fast Cooldown system demand and           Two year interval periodic   With design of Foxboro V/I,     Relay degradation may affect     This is low probability MSV-26-TR1 (does not open) during                     EFIC demand from Foxboro V/I               test using EFIC demand       Fast Cooldown signal cannot     one channel of Fast Cooldown     created by mechanical relay energization and                     isolator will be connected. Fast           signal and sequentially Fast propagate back into EFIC       pressure control for one ADV. damage to relay.

Fast Cooldown control                       Cooldown controllercurrent loop is         Cooldown demand signal to   control module. Field bus fuse Redundant ADV is not affected.

of ADV                                     powered by 36 VDC and Foxboro V/I         stroke ADV                   is 1/4 amp for Foxboro           This single failure of transfer Page 25 of 70

EC 71855       X64R0 isolation module current loops are                                     controller so impact on VBDP     relay contacts does not affect controlled at nominal 24 VDC. These                                     for Foxboro controller is       HPI system. With single failure loops are semi-connected. With                                         negligible,                     criteria, two HPI pumps/trains contact 5-6 (only) closed, there is no                                 This single failure would not   are operable to mitigate return current loop path for EFIC                                       affect the functionally         SBLOCA and LSCM.

demand to Foxboro V/I since contacts                                   redundant two HPI pump 9-8 will be open. There is no current                                   motor power sources or HPI produced by Foxboro module since                                       pump flow injection trains or Foxboro module and FCS controller                                     any 125VDC plant station return circuitry are not grounded and                                   control power buses for HPI are not connected. Impact on FCS                                       pump switchgear or associated pressure controller is indeterminate but                               train diesel..

EFIC demand for ADV is inoperable 4.16 MSV-25-TRI Contact 9-8 fails closed Mechanical failure Fast Cooldown system signal return       Two year interval periodic                                   Potential relay degradation Relay This is low probability MSV-26-TR I (does not open)during                       and EFIC signal return from Foxboro       test using EFIC demand       With design of Foxboro V/I,     degradation may affect one       created by mechanical relay energization and                       V/I isolator will be connected. Fast     signal and sequentially Fast Fast Cooldownsignal cannot       channel of Fast Cooldown         damage to relay.

Fast Cooldown control                       Cooldown controller current loop is       Cooldown demand signal to   propagate back into EFIC         pressure control for one ADV.

of ADV                                     powered by 36 VDC and Foxboro V/I         stroke ADV                   control module. Field bus fuse   Redundant ADV is not affected.

isolation module current loops are                                     is 1/4 amp for Foxboro             This single failure of transfer controlled at nominal 24 VDC. These                                     controller so impact on VBDP     relay contacts does not affect loops are semi-connected. With                                         for Foxboro controller is       HPI system. With single failure contact 9-8 (only) closed, there is no                                 negligible,                     criteria, two HPI pumps/trains completed current loop path for EFIC                                                                     are operable to mitigate demand to Foxboro V/1 since contacts                                   This single failure would not   SBLOCA and LSCM 6-5 will be open. No current will be                                   affect the functionally produced by Foxboro module since                                       redundant two HPI pump Foxboro module and FCS controller                                       motorpowersourcesor HPI return circuitry are not grounded and                                   pump flow injection trains or are not connected. EFIC demand for                                     any 125VDC plant station ADV is inoperable                                                       control power buses for HPI Impact on FCS pressure controller is                                   pump switchgear or associated indeterminate but current draw is                                       train diesel.

limited to I amp from controller fusing (VTMA 02681-000, Attachment X76 of EC 71855) 4.17 MSV-25-TRI Contacts arc between     Mechanical Defect   IFthis occurred, potentially EFIC         Two year interval periodic   Two Foxboro modules provide     Single channel ofFast Cooldown   This is not considereda MSV-26-TRI separated contact blocks                   and/or Fast Cooldown pressure control     testing using EFIC demand   isolation ofrelay from EFIC     system and EFIC control ofone     credible event since the or between contact                         and/or Fast Cooldown actuation of         signal and sequentially Fast control module which in turn     ADV is inoperable.               Tyco dielectric strength is blocks and coil                             ADVs would become inoperable               Cooldown demand signal to   has a D/A converter at its ADV   With single failure criteria, two listed at 500 Vrms dependingon location of arcing inside     stroke ADV                   signal output so design protects HPI trains are functionally       (equivalent to 500VDC) relay,                                                                 against nigrationof failure into redundant to one HPI and both     with Fast Cooldown Current from Foxboro module is                                         EFIC Cabinet and protects       FCS channels,                     system voltage at limited to 59.7 ma by 402 ohm                                           against adverse impact on EFIC   Two punup/trains of HPI system   controller is resistors and Foxboro module has %.                                     Cabinet functions. This single   are operable for SBLOCA and       approximately 36VDC, amp fuse so VBDP power source for                                       failure would not affect the     LSCM mitigation.                 Fast Cooldown actuation module is protected from adverse                                       functionally redundant two HPI                                     voltage at nominal 25 effect,                                                                 pump                                                               VDC. And Foxboro motor power sources or HPI                                         regulated power set at pump flow injection trains or                                     24VDC., Circuitry is used any 125VDC plant station                                           in a low energy 4-20 ma control power buses for HPI                                       circuit and a 25VDC pump switchgear or associated                                     circuit for coil actuation.

EC 71855     X64R0 train diesel..                                                     Note that Foxboro module has a current limiting resistor of402 ohm which will limit output current to 24/403 = 59.6 m. The Fast Cooldown pressure controller has I amp fusing.

4.18 MSV-25-TRI Relay fails to energized Mechanical Failure     Initial Demand to one ADV would be           I. ROTSG pressure        EFIC capability to actuate        No impact on HPI system. Two    The open contact sets 5-6 MSV-25-TRI  state. Contact sets 12-13                      20 rna and ADV valve initially would               indication on control  MSLI, MFWI, or FOGG logic        pump/trains of HPI are available  and 8-9 willisolatethe and 15-16 go closed                            spuriously open to full open.                     board and RECALL      is operable.                      for mitigation of SBLOCA.        Fast Cooldown pressure during plant normal                            Associated ROTSG would blow down                   points                Two Foxboro isolation modules    One ADV will be controlled by    controller signal from operation or during                            to 325 psig and Fast Cooldown would         2. ADV valve not           (I/V and V/I) with design of       Fast Cooldown pressure control  EFIC demand signal.

EFIC control of ADVs                            control affected OTSG to 325 psig.                closed annunciator    transformers, rectifiers, and    circuit and open one ADV to full Additionally, The Foxboro EFIC would actuate EF. MSLI,                      alarm                buffer amplifiers will isolate    open until ROTSG pressure is     module isolation design MFWI, and FOGG.                              3. Rooftop camera          transfer relay signals from      decreased to 325 psig and then   with the transfer relay indication            EFIC modules. Failure cannot      control main steam pressure at   and Fast Cooldo wn

: 4. EFIC actuations of      propagate to affect EFIC.        affected ROTSG to 325 psig.       interface downstream of EF. MSLI, MFWI                                          Would create EFIC actuation of   the Foxboro modules low OTSG pressure, MS LI,         would prevent any IEEE MFWI. and FOGG logic. Both       279, Section 4.7.3 single EFIC A and B would be capable     random failure of relay or of mitigation as per design for   Fast Cooldown controller main steam line break event.     from affecting EFIC If this occurred during normal   design/capability to plant operation, this would be   mitigate main steam line bounded in accident analysis by   break.

Turbine Bypass Valve full open failure and by Main Steam Line Break.

4.19 MSV-25-TR I Relay fails to energize   Electrical Failure   ADV control remains from EFIC           I.Periodic testing of relay     Failure is limited to relay only. Single channel of Fast Cooldown MSV-26-TRI                           Coil leads shorted or control at 1025 psig.                 transfer and using Fast           This single failure of relay to   system is inoperable.

open fuse blown       Fast Cooldown system for affected     Cooldown demand signal to         energize would not affect the     With single failure criteria, two ADV is inoperable.                     stroke ADV                       functionally redundant two       HPI train flow is operable for 2, actuation annunciator alarm   HPI pump motor power             SBLOCA mitigation.

is not activated. 3. OTSG       sources or HPI pump flow main steam pressure             injection trains or any indication reveals that OTSG     125VDC plant station control is not being depressurized.     power buses for HPI pump switchgear or associated train diesel.

EC 71855     X64R0 4.20 MSV-25-TR I Relay fails to energize DC power fuse to relay ADV control remains from EFIC           I.Periodic testing of relay     Failure is limited to relay only. Single channel of Fast Cooldown MSV-26-TRI                           failed open/blown       control at 1025 psig.                   transfer and using Fast         This single failure of relay to     system is inoperable.

Fast Cooldown system for affected       Cooldown demand signal to       energize would not affect the       With single failure criteria, two ADV is inoperable,                     stroke ADV                       functionally redundant two         HPI train flow is operable for 2, actuation annunciator alarm   HPI pump motor power               SBLOCA mitigation.

is not activated. 3. OTSG       sources or HPI pump flow main steam pressure             injection trains or any indication reveals that OTSG     125VDC plant station control is not being depressurized.. power buses for HPI pump switchgear or associated train diesel.

4.21 MSV-25-TRI   Relay fails to energize Electrical Failure     MSV-25-TRI                                   I. FCS (common)           With Fast Cooldown DC               Single channel of Fast Cooldown MSV-26-TRI                           DC Bus supply voltage   MSV-26-TRI                                       Trouble alarms         power being totally separate       system is inoperable fails low                                                                 actuate due to         from station DC power and           With single failure criteria, two undervoltage alarms   VBDP power. this single             HPI train flow is operable for at DPCP-IE or         failure would not affect the       SBLOCA mitigation.

DPCP-IF or low         functionally redundant two process signal at     HPI pump motor power MSV-25-PC2 (or         sourcesor HP[ pump flow MSV-26-PC2)           injection trains or any

: 2. Periodic testing of       125VDC plant station control relay transfer and     power buses for HPI pump using Fast Cooldown   switchgear or associated train demand signal to       diesel.

stroke ADV 3.OTSG main steam pressure indication reveals that OTSG is not being depressurized 4.22 MSV-25-TR I Relay chatters upon     Electrical or         ADV control could cycle between               I. Periodic testing of     Impact is limited to Fast           Fast Cooldown for affected MSV-26-TR I relay energization with Mechanical             EFIC control at 1025 psig to fast cool             relay actuation and   Cooldown DC power minor             ADV is inoperable and normal contacts not completing Failure               down control at 325 psig. ADV could               using Fast Cooldown   surges and to cyclingof             EFIC control ofone ADV is transfer                                       oscillate in position. Fast Cooldown               demand signal to     control signal to ADV between       inoperable.

for affected ADV is inoperable,                   stroke ADV,           EFIC and Fast Cooldown             ROTSG pressure will oscillate as Current from Foxboro module is                 2. ROTSG pressure         pressure controller. With Fast     ADV cycles.

limited to 59.7 ma by 402 ohm                     indication on control Cooldown DC power totally           With relay chatter, pressure may resistors and Foxboro module has 1/4                 board and RECALL     separate from station DC           not degrade to 600 psig for amp fuse so VBDP power source for                 points may be         power and VBDP power, this         affected ROTSG.

Foxboro module is protected from                   oscillating           single failure would not affect     If pressure degrades to below adverse effect,                                   significantly         the functionally redundant two     600 psig, EFIC will actuate EF, HPI pump motor power               MSLI, MFWI, and FOGG.

sources or HPI pump flow injection trains or any 125VDC     This single failure would be plant station control power         bounded in safety analysis by buses for HPI pump                 failure of turbine bypass valve switchgear or associated train     and by main steam line break as diesel,                             to steam release mass flow.

EC 71855     X64R0 HPI train flow is operable for SBLOCA mitigation.

4           I-                           4                                                         4       -    ----              4.                     -        4..   .                        -  4....

4.23   MSV-25-TRI   Relay chatters upon         Electrical Failure ADV control could cycle between              I. Periodic testing of  Impact is limited to Fast        No impact on HPI systemnTwo          This is not considered a MSV-26-TRI    relay energizalion due to   Long term Relay   EFIC control at 1025 psig to Fast                 relay actuation and  Cooldown DC power minor          pump/trains of HPI are available    credible failure due to EMF or RFI                  degradation        Cooldown control at 325 psig. ADV                 using Fast Cooldown  surges and to cycling of        for mitigation of SBLOCA.            relay being qualified to could oscillate in position. Fast                demand signal to      control signal to ADV between    Fast Cooldown for affected           IEEE 323 EMF standards Cooldown for affected ADV is                      stroke ADV,          EFIC and Fast Cooldown          ADV is inoperable and normal         and due to relay mounted inoperable and normal EFIC control of  2. ROTSG pressure              pressure controller. With Fast  EFIC control of one ADV is           in steel enclosure with one ADV is inoperable                  indication on control board    Cooldown DC power totally        inoperable.                          wiring installed in conduit.

Current from Foxboro module is         and RECALL points may be        separate from station DC        ROTSG pressure will oscillate as limited to 59.7 ma by 402 ohm           oscillating significantly       power and VBDP power,           ADV cycles.

resistors and Foxboro module has V.                                    this single failure would not   With relay chatter, pressure may amp fuse so VBDP power source for                                      affect the functionally          not degrade to 600 psig for Foxboro module is protected from                                        redundant two HPI pump          affected ROTSG.

adverse effect                                                          motor power sources or HPI      If pressure degrades to below pump flow injection trains or    600 psig, EFIC will actuate EF, any 125VDC plant station        MSLI. MFWI, and FOGG.

control power buses for HPI pump switchgear or associated  This single failure would be train diesel.                    bounded in safety analysis by failure of turbine bypass valve and by main steam line break as to steam release mass flow.

4.24   MSV-25-TRI   Contacts 18-17 fail         Mechanical Failure Main Control Board FCS Actuation       Periodic Testing               For failure ofthese contacts     This affects only one main MSV-26-TRI   closed                                         Status Light would not indicate on an   Annunciator alarm would         only, the annunciator and SER   control board FCS actuation FCS actuation                           actuate if actuation occurred   alarms for FCS actuation are     status light. It does not affect operable from MSV-25-ARI         Fast Cooldown actuation or Fast or MSV-26-AR I relay             Cooldown pressure control..

4.25   MSV-25-TRI   Contacts 18-17 fail open   Mechanical Failure No impact on alarms or actuations       N/A                             No impact on alarms or           This does not affect Fast MSV-26-TRI                                                                                                                           actuations                       Cooldown actuation or Fast Cooldown pressure control..

EC 71855       X64R0 trains of HPI are operable to mitigate SBLOCA.

4.26 MSV-25-TRI Contacts 18-19 fail open MechanicalFailure   MainControlBoardFCSActuation                   I. Periodic Testing         For failure of these contacts   Thisaffectsonlyonemain MSV-26-TRI   upon relay energization                     Status Light would not indicate on an               including status light only, the annunciator and SER   control board FCS actuation FCS actuation                                       indication             alarms for FCS actuation are     status light. It does not affect

: 2. Annunciatoralarm         operable from MSV-25-ARI         Fast Cooldowsactuation or Fast would actuate if       or MSV-26-AR I relay             Cooldown pressure control..

actuation occurred                                     Both trains/channels of Fast Cooldown pressure control are operable to mitigate SBLOCA and LSCM. Failure does not affect any operability of HPI pumps, power, or controls.. Two trains of HPI are operable to mitigate SBLOCA 4.27 MSV-25-TR I Contacts 18-19 fail     Mechanical Failure Main Control Board FCS Actuation         Status Light will illuminate       For failure ofthese contacts   This affects only one main MSV-26-TRI closed                                     Status Light will spuriously illuminate                                     only, the annunciator and SER   control board FCS actuation to give false indication of                                                 alarms will not be in alarm     status light. It does not affect FCS train/channel actuation                                                 state. This would give           Fast Cooldown actuation or Fast indication of failure/abnormal   Cooldown pressure control..

circuit condition.               Both trains/channels of Fast Cooldown pressure control are operable to mitigate SBLOCA and LSCM. Failure does not affect any operability of HPI pumps, power, or controls.. Two trains of HPI are operable to mitigate SB LOCA 4.28 MSV-25-TRI Contacts 21-20 fail     Mechanical Failure This is seal-incontactset for FCS         PeriodicTestingof relay           ICCM has a three channel, two   Thisfailuredoesnotaffectany MSV-26-TRI closed on relay                             auto actuation. If auto actuation         transfer with fast cooldown       train actuation design. Both   operability of HPI pumps, energization                               occurred from the ICCM cabinettrain       selector switch in "auto" and a   ICCM train actuations would     power. or control to mitigate a actuation relay contacts and then auto   momentary closure or             have to fail for auto actuation SBLOCA and LSCM.

actuation relay cleared/de-energized,   jumpering of contacts across       of FCS to fail when needed. Two trains of HPI are operable FCS actuation would drop out if this     TB5-11 and TB5-12                                                 to mitigate SB LOCA contact set failed closed.

4.29 MSV-25-TRI Contacts 21-20 fail open Mechanical Failure No impact ifcontacts2l-22 will close     N/A                               No impact ifcontacts 21-22       Failure does not affect any MSV-26-TR I                                             (see below)                                                                 will close                     operability of HPI pumps, (see below)                     power, or controls to mitigate a SBLOCA and LSCM..

4.30 MSV-25-TRI Contacts21-22 failopen   MechanicalFailure This is seal-in contact set for FCS auto PeriodicTestingofrelay             ICCM has a three channel, two Thisfailuredoesnotaffectany MSV-26-TRI (will not close on relay                   actuation. If auto actuation occurred     transfer with fast cooldown       train actuation design. Both   operability of HPI pumps, energization)                               from the ICCM cabinet train actuation selector switch in "auto" and a       ICCM train actuations would power. or control to mitigate a relay contacts and then auto actuation momentary closure or                 have to fail for auto actuation SBLOCA and LSCM.. Two relay cleared/de-energized, FCS         j umpering of contacts across     ofFCS to fail when needed       trains of HPI are operable to actuation would drop out if this         TB5-1 I and TB5-12                                               mitigate SBLOCA contact set did not close 4.31 MSV-25-TRI Contacts 21-22 fail     Mechanical Failure This would create a spurious FCS               I. ROTSG pressure           Redundant ADV is operable.     No impact on HPI system. Two MSV-26-TRI closed                                     actuation on one oftwo FCS                         indication on control   EFIC is operable and would     pump/trains ofHPI are available trains/channelsandblowdownthe                       board and RECALL       actuateEF, MSLI, MFWI,         for mitigationof SBLOCA.

affected ROTSG to 325 psig.                         points                 FOGG.                           One ADV will be controlled by

: 2. ADV valve not                                             Fast Cooldown pressure control closed annunciator                                     circuit and open one ADV to full alarm                                                   open until ROTSG pressure is

: 3. Rooftop camera                                           decreased to 325 psig and then indication                                             control main steam pressure at

: 4. EFIC actuations of                                     affected ROTSG to 325 psig.

EC 71855     X64R0 EF, MSLI, MFWI                                   Would create EFIC actuation of low OTSG pressure, MSLI, MFWI, and FOGG logic. Both EFIC A and B would be capable of mitigation as per design for main steam line break event.

Per discussion with AREVA safety analysis personnel, evaluation of calculation 32-9129593-000 reveals that if this failure occurred during SBLOCA and LSCM, failure would be beneficial to mitigation and cooldown on primary RC S system.

5.1 MSV-25-ARI Relay fails to energize Electrical or Spurious"FCS Trouble" annunciator       "FCS Trouble" Annunciator   RECL-127/128 would not       None, this relay provides alarm MSV-26-ARI                         Mechanical   alarm will actuate                     window and associated SER   show low pressure indication only. No safety function Failure                                             point will alarm             and controller alarm lights would not be illuminated 5.2 MSV-25-ARI Relay contacts 6-7 fail Mechanical   Spurious"FCS Trouble" annunciator       "FCS Trouble" Annunciator   REC L-127/128 would not       None, this relay provides alarm MSV-26-ARI open/do not close       Failure       alarm will actuate                     window and associated SER   show low pressure indication only. No safety function point will alarm             and controller alarm lights would not be illuminated 5.3 MSV-25-ARI Relay fails to the     Mechanical   No common trouble alarm ifpressure     Periodic testing of Fast     lfprocess signal were lost,   None, this provides alarm only.

MSV-26-AR I energized state         Failure       controller loses process signal       Cooldown circuitry to verify RECALL point                 No safety function relay operability           RECL-l 27/128 would show low pressure indication and controller alarm lights illuminate 5.4 MSV-25-AR 1 Relay contacts 6-7 fail Mechanical   No "FCS Trouble" alarm if pressure     Periodic testing of Fast     If process signal were lost, None, this provides alarm only.

MSV-26-ARI closed                 Failure       controller loses process signal       Cooldowo circuitry to verify RECALL point                 No safety function relay operability           RECL-t 27/128 would show low pressure indication and controller alarm lights illuminate 6.1 MSV-25-AR2 Relay fails to energize Electrical or No 'FCS actuation" annunciator when   Periodic testing of Fast     Status light above selector   None, this provides alarm only.

MSV-26-AR2                         Mechanical   FCS is actuated                       Cooldosvn circuitry         switch would light upon FCS   No safety function Failure                                                                           actuation. Also OTSG pressure signal would display decreasing OTSG pressure 6.2 MSV-25-AR2 Relay contacts 6-7 fail Mechanical   No "FCSactuation" annunciator when     Periodic testing of Fast     Status light above selector   None, this provides alarm only.

MSV-26-AR2 open/do not close       Failure       FCS is actuated                       Cooldown circuitry           switch would light upon FCS   No safety function actuation. Also OTSG pressure Page 31 of 70

EC 71855     X64R0 signal would display decreasina OTSG uressure 6.3 MSV-25-AR2     Relay fails to the       Mechanical Failure Spurious "FCS actuation" alarm when     "FCS actuation" window and   Status light above selector   None, this provides alarm only.

MSV-26-AR2     energized state                             no actuation has occurred               associated SER point alarms   switch will not be lighted. No safety function OTSG pressure indications will not decrease 6.4 MSV-25-AR2     Relay contacts6-7 fail   Mechanical Failure Spurious "FCS actuation" alarm when     "FCS actuation" window and     Status light above selector   None, this provides alarm only.

MSV-26-AR2-   closed                                       no actuation has occurred               associated SER point alarms   switch will not be lighted. No safety function OTSG pressure indications will not decrease 7.1 MSV-25-PC2     Pressure controllerfails Electrical Failure Pressure controller is inoperable and   "FCS Trouble" alarmand         Failure of Fast Cooldown       One channel of Fast Cooldown MSV-26-PC2     low                                         FCS system is inoperable due to a       SER point will alarm due to   pressure controller does not   for one ADV is inoperable.

failed pressure control train,           loss of process signal       affect any of the power or     This failure does not affect any controls of the HPI pumps,     HPI system components, valves, or switchgear. HPI     With this single failure, two HPI pump flow capability is not   pumps and their flowcapability affected,                     will be operable for SBLOCA Failure does not affect the   and LSCM mitigation.

normal EFIC control of ADV 7.2 MSV-25-PC2     Pressure controllerfails Electrical Failure Pressure controlleris inoperable and     Periodictesting including     Failure ofFast Cooldown       With this single failure, two HPI MSV-26-PC2     high                                         FCS system is inoperable due to a       proper response of pressure   pressure controller does not   pumps and their flowcapability failed pressure control train           controller to input signal     affect any of the power or     will be operable for SBLOCA controls of the HPI pumps,     and LSCM mitigation valves, or switchgear. HPI pump flow capability is not affected.

Failure does not affect the normal EFIC control of ADV 8.1 MSV-025-FU-O1 Fuse fails open         Electrical Failure Pressure controller and pressure       "FCS Trouble" alarmon Loss     No effect on HPI pump motor   One channel of Fast Cooldownis MSV-26-FLU-O1                                             transmitter have no power. One train     of process signal             power or control power         inoperable. SBLOCA and of Fast Cooldowvn is inoperable.         RECL-127 and RECL-128 do                                     LSCM can be mitigated with not channel check,                                           two pump HPI flow 8.2 MSV-025-FU-O I Fuse fails to blow at 3 Electrical failure Degraded short circuit protection for   FCS operability would be     No impact on HPI system.       May adversely affect operability This is not a credible MSV-26-FU-01   amps                                         wiring/circuit that supplies power to   determined with periodic                                     of one channel of FCS ifcircuit   failure for evaluation since pressure controller. However, short     testing of fast cooldown                                     is shorted and does not blow     this fuse failure would be a circuit would have to be localized in   actuation and pressure control                               fuse.                             second failure. It would minimal length of wiringsince           circuitry                                                     Degraded short circuit protection take a short circuit (first pressure controller has its own I amp                                                                 may affect current supply         failure) to drawcurrent fuse. No impact on wiring since                                                                       loading capability from the two   above 3 amps.

wiring is minimum of 16AWG and                                                                         redundant DC to DC converters rated for 12.8 amps at 140F wire                                                                       and two redundant DC buses.

temperature.                                                                                           that supply power to the pressure controller if there is a "hard short" Each DC to DC converter is rated at 3 amps at 25VDC with normal DC to DC converter loading at 2.218 amps..

9.1 MSV-025-FU-02 Fuse fails open         Electrical Failure MSV-AR I coil will de-energize. FCS     "FCS Trouble" alarm will       Alarm circuitry only. Does not Both Channelsof Fast Cooldown Page 32 of 70

EC 71855         X64R0 MSV-26-FU-02                                             Trouble Alarm circuit is opened and         actuate with SER point and     affect Fast Cooldown           are operable.

FCS troublealarm is actuated               annunciator                     operability.                   SBLOCA can be mitigated with No impact on HPI system.       two pump HPI flow or two trains of Fast Cooldown.

9.21. MSV-025-FU-02 Fuse fails to blowat 3 Electrical failure Fuse provides power to MSV-ARI                   I. Abnormal               No impact on HPI system       May adversely affect operability   This is not a credible MSV-26-FU-02 amps                                       relay coil through MSV-25-PC2 or                     indications on DC                                   ofone channel of FCS if circuit   failure for evaluation since MSV-26-PC2 process controller low                     bus ammeters DP-                                     is shorted and does not blow     this fuse failure would be a process signal alarm contact.                         45-11 and DP-47-11                                   fuse.                             second failure. It would Degraded short circuit protection.             2. FCS operability                                       Degraded short circuit protection take a short circuit (first However, short circuit would have to                 would be determined                                 may affect current supply         failure) to draw current be localized in minimal length of                     with periodic testing                               loading capability from the two   above 3 amps.

wiring since alarm contact is in series               of pressure control                                 redundant DC to DC converters with 430 ohm relay coil so current is                 circuitry and alarm                                 and two redundant DC buses.

still limited to 58 ma unless short is               functions                                           that supply power to the upstream of relay coil. No impact on                                                                       pressure controller if there is a wiring since wiring is minimum of                                                                         "hard short" 16AWG and rated for 12.8 amps at                                                                         Each DC to DC converter is 140F wire temperature                                                                                     rated at 3 amps at 25VDC with normal DC to DC converter loading at 2.218 amps..

10.! MSV-025-FU-03 Fuse fails open         Electrical Failure Status Light above Fast Cooldown           Periodic testing of fast       FCS actuation alarm and       No impact on safety function of MSV-26-FU-03                                             selector switches is inoperable and         cooldown system actuation,     associated SER point will     FCS.FCS is operable to actuate will not light on FCS actuation             alarrm ,andindication          alarm with power from a       and cooldown RCS and mitigate different fuse.               SBLOCA and LSCM.

No impact on HPI system       Two trainsof HPI are operable to mitigate SBLOCA.

10.2 MSV-025-FU-03 Fuse fails to blow at 3 Electrical failure Fuse provides power for Fast                     I. Abnormal               Does not impact any power or   May adversely affect operability This is not a credible MSV-26-FU-03 amps                                       Cooldown actmutioindicator lamp                       indications on DC     controls of HP! system.       ofone channel of FCS if circuit   failure for evaluation since rated for 28 ma on control board,                   bus ammeters DP-                                     is shorted and does not blow     this fuse failure would be a Degraded short                                       45-I and DP-47-Il                                     fuse.                             second failure. It would circuit protection for status light short       2. FCS operability                                       Degraded short circuit protection take a short circuit (first circuit. No impact on wiring since                   would be determined                                   may affect current supply         failure) to draw current wiring is minimum of 14AWG and                       with periodic testing                                 loading capability from the two   above 3 amps.

rated for 17.8 amps at 140F wire                     ofpressure control                                   redundant DC to DC converters temperature.                                         circuitry and alarm                                   and two redundant DC buses.

functions                                             that supply power to the pressure controller if there is a "hard short" Each DC to DC converter is rated at 3 amps at 25VDC with normal DC to DC converter loading at 2.218 amps..

It1. MSV-025-FU-04 Fuse fails open         Electrical Failure Transfer relay (TR 1)and actuation         Power Available lamp at         EFIC control of two ADVs is   One channel of FCS is MSV-26-FU-04                                             alarm relay(AR2)are inoperable             main control board goes         not affected. HPI pump motor   inoperable.

One train of Fast Cooldown is               out.                           power and control power is not Two pump/trainsof HPI are inoperable                                                                 affected.                     operable to mitigate SBLOCA, Page 33 of 70

EC 71855       X64R0 Fuse provides powerto coils of MSV-    I I. Abnormal                I Does not impact any power or  May adversely affect operability I This is not a credible 11.2   MSV-025-FU-04 Fuse fails to blow at 3 Electrical failure MSV-26-FU-04  amps                                        25-TRI and MSV-25-AR2. Coil                       indications on DC      controls ofHPl system        of one channel of FCS if circuit    failure for evaluation since ratings are for 68 ma each with coil               bus anmmeters DP-                                    is shorted and does not blow      this fuse failure would be a resistance of minimum of 90% of`430               45-11 and DP-47-11                                   fuse.                               second failure. It would ohms (387 ohms)                              2. FCS operability                                        Degraded short circuit protection take a short circuit (first Degraded short circuit protection for              would be determined                                  may affect current supply         failure) to draw current shorted circuit wiring but minimal                with periodic testing                                loading capability from the two   above 3 amps.

impact of wiring since minimum                    of Fast Cooldoswn                                    redundant DC to DC converters wiring size of 16 AWG is rated for                Actuation. alarms.                                  and two redundant DC buses.

12.8 amps at 140F wviretemperature.              and indication                                      that supply power to the pressure controller if there is a "hard short" Each DC to DC converter is rated at 3 amps at 25VDC with normal DC to DC converter loading at 2.218 amps..

12.0.1 MSV-025-FU-05 Fuse fails open         Electrical Failure   Analog Isolator MSV-25-PY3 or           Channel check ofRECL-127         EFIC main steam control     Both channels of FCS are MSV-26-FU-05                                               MSV-26-PY3 will de-energize.             and RECL-128                     board indicationis available operable.

MSV-025-FU-06                                             RECALL point 127 or 128 will fail to                                       for ROTSG pressure           Two trainsof HPI are operable MSV-26-FU-06                                               zero.                                                                                                   to mitigate SBLOCA.

12.0.2 MSV-025-FU-05 Fuse fails to blow at 3 Electrical failure   Degraded short circuit protection for         I. Abnormal                 Does not impact any power or May adversely affect operability   This is not a credible MSV-26-FU-05 amps                                         shorted circuit wiring but minimal                 indications on DC       controls of HPI system       ofone channel of FCS ifcircuit     failure for evaluation since MSV-025-FU-06                                             impact of wiring since minimum                     bus ammeters DP-                                     is shorted and does not blow       this fuse failure would be a MSV-26-FU-06                                               wiring size of 16 AWG is rated for                 45-Il and DP-47-11                                   fuse.                               second failure. It would 12.8 amps at 140F. Analog isolators           2. FCS operability                                       Degraded short circuit protection   take a shortcircuit (first have fusing for 0.75 amps so internal             would be determined                                 may affect current supply           failure) to draw current fault would be limited to 0.75 amps               with periodic testing                               loading capability from the two     above 3 amps.

and fault would have to occur                     of Fast Cooldown                                     redundant DC to DC converters "upstream" of supply to analog                     Actuation, alarms,                                   and two redundant DC buses.

isolators..                                       and indication                                       that supply power to the

: 3.                                                       pressure controller if there is a "hard short" Each DC to DC converter is rated at 3 amps at 25VDC with normal DC to DC converter loading at 2.218 amps..

12.1   MSV-25;SEL   Contacts               Mechanical Failure   Failure of Auto actuation of Fast       Periodic Fast Cooldown           Actuate (manual) position of Single train of Fast Cooldown       Low probability of MSV-25ýSEL   WH--B I and WH-B2                           Cooldown for one ADV                     actuation, alarm, and             switch may be operable,     system will be inoperable.         mechanical failure.

Fail open                                                                             indication testing with switch   Failure does not affect     Mitigation of SBLOCA and           Contacts are rated for as in auto position                 operability oftwo HPI       LSCM cam occur with two           low as I ma current with injection trains             operable HPI trains,               evaluated 136 ma as switch load at actuation 12.2   MSV-25;SEL   Contacts               Mechanical Failure   Spurious Actuation of one train of               1. "FCS actuation"       EFIC will actuate MSLI,     No impact on HPI system. Two       Very lowprobability MSV-25:SEL   BL-B I and BL-B2                           I FCS                                                 windowand             MFWI, and FOGG logic as     pump/trains ofHPI are available Page 34 of 70

EC 71855     X64R0 Fail closed                                   One ADV will spuriously open and                 associated SER    compensating actions.          for mitigation of SB LOCA_

blowdown one OTSG and actuate                     point alarms       Switch may be positioned to     One ADV will be controlled by EFIC functions                                                      "BYPASS"                        Fast Cooldown pressure control

: 2. ROTSG pressure      Failure does not affect HPI    circuit and open one ADV to full indication on      system.                        open until ROTSG pressure is control board and                                  decreased to 325 psig and then RECALL points                                      control main steam pressure at

: 3. ADV valve not                                        affected ROTSG to 325 psig.

closed annunciator                                Would create EFIC actuation of alarm                                              low OTSG pressure, MSLI,

: 4. Rooftop camera                                      MFWI, and FOGG logic. Both indication                                        EFIC A and B would be capable

: 5. EFICactuationsof                                    of mitigation as per design for EF, MSLI, MFWI                                    main steam line break event.

12.3 MSV-25;SEL Contacts B L-B I and       Mechanical         No manual capability for Fast         Periodic testing ofFast       Auto actuation may be         Mitigation of SB LOCA and         Lowprobability MSV-26;SEL BL-B2 fail open (do not   Failure             Cooldown actuation                   Cooldown actuation, alarm,     operable through different set LSCM cam occur with two close on switch                                                                     and indication testing with   of contacts.                   operable HPI trains.

positioning)                                                                         switch in actuate position     Failure does not affect HPI pump operability 12.4 MSV-25;SEL Contacts                   Mechanical Failure "FCS BYPASS" alarm in spuriously     "FCS BYPASS" alarm             These contacts provide alarm   Both channels of Fast Cooldown   Lowprobability MSV-25;SEL WH-AI and WH-A2                               actuated,                             actuates                       function only.                 are operable. Mitigation of Fail closed                                                                                                                                       SBLOCA and LSCM cam occur with two operable HPI trains..

12.5 MSV-25;SEL ContactsWH-AI and         Mechanical Failure FCS BYPASS" alarm will not           Periodic testingofFast         None, this set ofcontacts     Both channelsofFast Cooldown     Lowprobability MSV-26:SEL WH-A2 fail open (do                           actuate.                               Cooldown actuation, alarm. provide alarm function only   are operable. Mitigation of not close on switch                                                                 and indication testing with                                   SBLOCA and LSCM cam positioning)                                                                         switch in actuate                                             occur with two operable HPI trains..

13.1 MSV-25:TSS Normally closed           Mechanical Failure Fast Cooldown Pressure controller     "FCS Trouble" alarm on loss   One oftwo ADVs is operable. One channel ofFCS is MSV-26jTSS contacts at signal to                         inoperable                             of process signal will provide Does not affect EFIC control   inoperable.

controller input fail open                                                           annunciator alarm.             ofADV.                         .SBLOCA and LSCM Failure does not affect HPI   mitigation is available from two motor power or controls       HPI pump trains.

power.                         Does not affect EFIC control of either ADV 13.2 MSV-25:TSS Normally open contacts     Mechanical Failure Fast Cooldown Pressure controller     "FCS Trouble" alarm on loss   One of two ADVs is operable. One channel of FCS is MSV-26:TSS to test resistor R2 fail                     input signal is degraded/incorrect     of process signal. RECALL     Does not affect EFIC control   inoperable.

closed                                                                               point RECL-127 and RECL-       of ADV.                       SBLOCAand LSCM mitigation 128 do not correctly channel   Failure does not affect HPI   is available from two HPI pump check                         motor power or controls       trains.

EC 71855     X64R0 power..                       Does not affect EFIC control of either ADV 13.3 MSV-25:TSS Normally open contacts   Mechanical Failure   Fast Cooldown Pressure controller       "FCS Trouble" alarm on loss   One of two ADVs is operable. One channel of FCS is MSV-26;TSS to test resistor R I fail                     input signal is degraded/incorrect     of process signal.             Does not affect EFIC control inoperable.

closed                                         Fast Cooldown system is inoperable     RECALL point RECL- 127         of ADV.                       \SBLOCA and LSCM and RECL-128 do not           Failure does not affect HPI   mitigation is available from two correctly channel check       motor power or controls       HPI pump trains.

power.                       Does not affect EFIC control of either ADV 13.4 MSV-25:TSS Normally open contacts   Mechanical Failure   Pressure controller test circuitry is   Periodic testing of pressure   No impact on Fast Cooldown   Both channels of Fast Cooldown MSV-26;TSS to test resistor R2 fail                       inoperable but Fast Cooldown           control circuitry including   capability. Failure does not are operable..

open on test switch                           capability is not affected             simulating input to pressure   affect HPI motor power or     SBLOCA and LSCM mitigation selection                                                                             controller                     controls power.               is available from two HPI pump trains Does not affect EFIC control of either ADV 13,5 MSV-25:TSS Normally open contacts   Mechanical Failure   Pressure controller test circuitry is   Periodic testing ofpressure   No impact on Fast Cooldown   Both channels of Fast Cooldown MSV-26;TSS to test resistor R I fail                     inoperable but Fast Cooldown             control circuitry including   capability. Failure does not are operable..

open on test switch                           capability is not affected               simulating input to pressure   affect HPI motor power or     SBLOCA and LSCM mitigation selection                                                                             controller                     controls power.               is available from two HPI pump trains Does not affect EFIC control of either ADV 14.1 DPI3A-IE I Battery cell fails open   Electrical Failure/ Low Battery Bank Voltage               Surveillance Procedure for     Each battery bank has a       DC supply for Fast Cooldown DPI3A-IE2                             Manufacture Defect                                           batuery voltage using DPCP-   redundant bank capable of     control remains operable.

DPBA-IFI                                                                                           ]E test switchesTS3 and TS6   equal voltage and amperage   Both channels of Fast Cooldown DP13A-IF2                                                                                         and DP-46-EI and DP-48-EI     supply. The associated DC     for SBLOCA mitigationremain bus has auctioneering design operable.

14.2 DPI3A-IEI   Battery cell shorts       Electrical Failure/ Low BatteryBank Voltage                 Surveillance Procedure for     Each battery bank has a       DC supply for Fast Cooldown DPI3A-IE2                             Manufacture Defect                                           battery voltage using DPCP-   redundant bank capable of     control remains operable.

DPI3A-IFI                                                                                         IE test switches TS3 and TS6   equal voltage and amperage   Both channels of Fast Cooldown DPI3A-I F2                                                                                         and DP-46-El and DP.48-EI     supplyThe associatedtDCbus   for SBLOCA mitigation remain has auctioneering design     operable.

14.3 DPl3A-I El Battery casing has       Mechanical Failure Low electrolyte level and degraded       Visual Surveillance inspection Each battery hank has a       DC supply for Fast Cooldown DPI3A- IE2 leakage                                       battery                                 of battery condition           redundant bank capable of   control remains operable.

DPBA-IFl                                                                                                                         equal voltage and amperage   Both channels of Fast Cooldown DPBA-lF2                                                                                                                         supplyThe associated DC bus   for SBLOCA mitigation remain has auctioneering design     operable.

14.4 DPI3A-IE I Output voltage fails low   Electrical Failure Low BatteryBank Voltage                 Surveillance Procedure for     Each battery bank has a       DC supply for Fast Cooldown DPB3A-IE2                                                                                         Battery voltage using DPCP-   redundant bank capable of   control remains operable.

DPBA-IFI                                                                                           IE test switchesTS3 andTS6     equal voltage and amperage   Both channels of Fast Cooldown DPBA-IF2                                                                                           and DP-46-EI and DP-48-EI     supply. The associated DC     for SBLOCA mitigationremain bus has auctioneering design operable.

14.5 DPI3A-IEI Output voltage fails high Electrical Failure Battery Bank Voltage High               Surveillance Procedure for     Each battery bank has a     DC supply for Fast Cooldown       This failure is not DPI3A-I E2                                                                                         Battery voltage using DPCP-   redundant bank capable of   control remains operable.         considered a credible DPitA-1FI                                                                                         IE test switches TS3 and TS6   equal voltage and amperage   Both channels ofFast Cooldown     failure DPBA-IF2                                                                                           and DP-46-EI and DP-48-EI     supply. The DC to DC         for SBLOCA mitigation remain Page 36 of 70