ML18247A269

Revision 36 to Final Safety Analysis Report, Chapter 7, Instruments and Controls
Person / Time
Site: Millstone
Issue date: 06/18/2018
From: Dominion Energy Nuclear Connecticut
To: Office of Nuclear Reactor Regulation
Shared Package: ML18199A125
References: 18-225
Download: ML18247A269 (347)


Text

Millstone Power Station Unit 3 Safety Analysis Report Chapter 7: Instruments and Controls

Table of Contents

Section  Title  Page
7.1  INTRODUCTION  7.1-1
7.1.1  Identification of Safety Related Systems  7.1-3
7.1.1.1  Safety Related Systems  7.1-3
7.1.1.1.1  Reactor Trip System  7.1-4
7.1.1.1.2  Engineered Safety Features Actuation System  7.1-4
7.1.1.1.3  Instrumentation and Control Power Supply System  7.1-4
7.1.1.2  Safety Related Display Instrumentation  7.1-4
7.1.1.3  Instrumentation and Control System Designers  7.1-4
7.1.1.4  Plant Comparison  7.1-4
7.1.1.5  Alarms  7.1-4
7.1.1.6  Communication Systems  7.1-5
7.1.2  Identification of Safety Criteria  7.1-5
7.1.2.1  Design Bases  7.1-5
7.1.2.1.1  Reactor Trip System  7.1-5
7.1.2.1.2  Engineered Safety Features Actuation System  7.1-6
7.1.2.1.3  Instrumentation and Control Power Supply System  7.1-7
7.1.2.1.4  Emergency Power  7.1-7
7.1.2.1.5  Interlocks  7.1-7
7.1.2.1.6  Bypasses  7.1-7
7.1.2.1.7  Equipment Protection  7.1-8
7.1.2.1.8  Diversity  7.1-8
7.1.2.1.9  Bistable Trip Set Points  7.1-8
7.1.2.1.10  Engineered Safety Features Motor Specifications  7.1-10
7.1.2.2  Independence of Redundant Safety Related Systems  7.1-10
7.1.2.2.1  General (Include Regulatory Guide 1.75 and IEEE Standard 384-1974)  7.1-10
7.1.2.2.2  Specific Systems  7.1-11
7.1.2.2.3  Fire Protection  7.1-13
7.1.2.3  Physical Identification of Safety Related Equipment  7.1-13
7.1.2.4  Conformance to Criteria  7.1-14
7.1.2.5  Conformance to Regulatory Guide 1.22  7.1-14
7.1.2.6  Conformance to Regulatory Guide 1.47  7.1-19
7.1.2.7  Conformance to Regulatory Guide 1.53 and IEEE Standard 379-1972  7.1-19
7.1.2.8  Conformance to Regulatory Guide 1.63  7.1-19
7.1.2.9  Conformance to IEEE Standard 317-1972  7.1-19
7.1.2.10  Conformance to IEEE Standard 336-1971  7.1-19
7.1.2.11  Conformance to IEEE Standard 338-1971  7.1-20
7.1.3  Reference for Section 7.1  7.1-21
7.2  REACTOR TRIP SYSTEM  7.2-1
7.2.1  Description  7.2-1
7.2.1.1  System Description  7.2-1
7.2.1.1.1  Functional Performance Requirements  7.2-2
7.2.1.1.2  Reactor Trips  7.2-2
7.2.1.1.3  Reactor Trip System Interlocks  7.2-10
7.2.1.1.4  Coolant Temperature Sensor Arrangement  7.2-12
7.2.1.1.5  Pressurizer Water Level Reference Leg Arrangement  7.2-12
7.2.1.1.6  Analog System  7.2-12
7.2.1.1.7  Solid State Logic Protection System  7.2-13
7.2.1.1.8  Isolators  7.2-14
7.2.1.1.9  Energy Supply and Environmental Variations  7.2-14
7.2.1.1.10  Setpoints  7.2-14
7.2.1.1.11  Seismic Design  7.2-15
7.2.1.2  Design Bases Information  7.2-15
7.2.1.2.1  Generating Station Conditions  7.2-15
7.2.1.2.2  Generating Station Variables  7.2-15
7.2.1.2.3  Spatially Dependent Variables  7.2-16
7.2.1.2.4  Limits, Margins, and Setpoints  7.2-16
7.2.1.2.5  Abnormal Events  7.2-17
7.2.1.2.6  Minimum Performance Requirements  7.2-17
7.2.1.3  Final Systems Drawings  7.2-18
7.2.2  Analyses  7.2-18
7.2.2.1  Failure Mode and Effects Analyses  7.2-18
7.2.2.2  Evaluation of Design Limits  7.2-18
7.2.2.2.1  Trip Setpoint Discussion  7.2-18
7.2.2.2.2  Reactor Coolant Flow Measurement  7.2-20
7.2.2.2.3  Evaluation of Compliance to Applicable Codes and Standards  7.2-20
7.2.2.3  Specific Control and Protection Interactions  7.2-29
7.2.2.3.1  Neutron Flux  7.2-29
7.2.2.3.2  Reactor Coolant Temperature  7.2-30
7.2.2.3.3  Pressurizer Pressure  7.2-30
7.2.2.3.4  Pressurizer Water Level  7.2-31
7.2.2.3.5  Steam Generator Water Level  7.2-31
7.2.2.4  Additional Postulated Accidents  7.2-32
7.2.3  Tests and Inspections  7.2-33
7.2.4  References for Section 7.2  7.2-33
7.3  ENGINEERED SAFETY FEATURES SYSTEM  7.3-1
7.3.1  Description  7.3-1
7.3.1.1  System Description  7.3-1
7.3.1.1.1  Function Initiation  7.3-2
7.3.1.1.2  Analog Circuitry  7.3-4
7.3.1.1.3  Digital Circuitry  7.3-4
7.3.1.1.4  Final Actuation Circuitry  7.3-5
7.3.1.1.5  ESF and Essential Auxiliary Support Systems  7.3-5
7.3.1.2  Design Bases Information  7.3-58
7.3.1.2.1  Generating Station Conditions  7.3-58
7.3.1.2.2  Generating Station Variables  7.3-58
7.3.1.2.3  Spatially Dependent Variables  7.3-59
7.3.1.2.4  Limits, Margins, and Set points  7.3-59
7.3.1.2.5  Abnormal Events  7.3-59
7.3.1.2.6  Minimum Performance Requirements  7.3-60
7.3.1.3  Final System Drawings  7.3-60
7.3.2  Analysis  7.3-60
7.3.2.1  Failure Modes and Effects Analysis  7.3-61
7.3.2.2  Compliance with Standards and Design Criteria  7.3-62
7.3.2.2.1  Single Failure Criteria  7.3-62
7.3.2.2.2  Equipment Qualification  7.3-62
7.3.2.2.3  Channel Independence  7.3-62
7.3.2.2.4  Control and Protection System Interaction  7.3-62
7.3.2.2.5  Capability for Sensor Checks and Equipment Test Calibration  7.3-63
7.3.2.2.6  Manual Resets and Blocking Features  7.3-70
7.3.2.2.7  Manual Initiation of Protective Actions (Regulatory Guide 1.62)  7.3-71
7.3.2.3  Further Considerations  7.3-71
7.3.2.3.1  Instrument Air and Component Cooling  7.3-71
7.3.2.4  Summary  7.3-72
7.3.2.4.1  Loss-of-Coolant Protection  7.3-72
7.3.2.4.2  Steam Line Break Protection  7.3-73
7.3.3  References for Section 7.3  7.3-74
7.4  SYSTEMS REQUIRED FOR SAFE SHUTDOWN  7.4-1
7.4.1  Description  7.4-2
7.4.1.1  Monitoring Indicators  7.4-2
7.4.1.2  Controls  7.4-3
7.4.1.2.1  General Considerations  7.4-3
7.4.1.2.2  Pumps and Fans  7.4-3
7.4.1.2.3  Emergency Generators  7.4-4
7.4.1.2.4  Valves and Heaters  7.4-4
7.4.1.3  Control Room Evacuation  7.4-5
7.4.1.4  Equipment and Systems Necessary for Cold Shutdown  7.4-5
7.4.1.5  Other Considerations  7.4-6
7.4.2  Analysis  7.4-7
7.5  SAFETY RELATED DISPLAY INSTRUMENTATION  7.5-1
7.5.1  Description  7.5-1
7.5.1.1  Safety Parameter Display System  7.5-2
7.5.1.2  Emergency Response Facilities  7.5-2
7.5.2  Analysis  7.5-2
7.5.3  Compliance with other Regulatory Requirements  7.5-2
APPENDIX 7.5A  MILLSTONE UNIT 3 DEVIATIONS TO REGULATORY GUIDE 1.97 REVISION 2
Table of Contents  ii
7.6  ALL OTHER SYSTEMS REQUIRED FOR SAFETY  7.6-1
7.6.1  Instrumentation and Control Power Supply System  7.6-1
7.6.2  Residual Heat Removal Isolation Valves  7.6-1
7.6.2.1  Description  7.6-1
7.6.2.2  Analysis  7.6-2
7.6.3  Refueling Interlocks  7.6-2
7.6.4  Accumulator Motor-Operated Valves  7.6-2
7.6.5  Reactor Coolant System Loop Isolation Valve Interlocks  7.6-3
7.6.6  Fuel Pool Cooling and Purification System  7.6-4
7.6.6.1  Description  7.6-4
7.6.6.2  Analysis of Fuel Pool Cooling and Purification System  7.6-5
7.6.7  Containment Leakage Monitoring System (Containment Atmosphere Pressure and Temperature Monitoring Instrumentation)  7.6-6
7.6.7.1  Description  7.6-6
7.6.7.2  Analysis  7.6-7
7.6.8  Interlocks for RCS Pressure Control during Low-Temperature Operation  7.6-8
7.6.8.1  Description  7.6-8
7.6.8.2  Analysis of Interlock  7.6-8
7.6.8.3  Pressurizer Pressure Relief System  7.6-9
7.6.9  Heat Tracing of Safety-Related Systems  7.6-10
7.6.10  Shutdown Margin Monitor  7.6-11
7.6.10.1  Description  7.6-11
7.6.10.2  Function  7.6-11
7.6.11  References for Section 7.6  7.6-12
7.7  CONTROL SYSTEMS NOT REQUIRED FOR SAFETY  7.7-1
7.7.1  Description  7.7-1
7.7.1.1  Reactor Control System  7.7-3
7.7.1.2  Rod Control System  7.7-4
7.7.1.2.1  Full Length Rod Control System  7.7-4
7.7.1.3  Plant Control Signals for Monitoring and Indicating  7.7-5
7.7.1.3.1  Monitoring Functions Provided by the Nuclear Instrumentation System  7.7-5
7.7.1.3.2  Rod Position Monitoring of Full Length Rods  7.7-6
7.7.1.3.3  Control Bank Rod Insertion Monitoring  7.7-7
7.7.1.3.4  Rod Deviation Alarm  7.7-9
7.7.1.3.5  Rod Bottom Alarm  7.7-9
7.7.1.4  Plant Control System Interlocks  7.7-9
7.7.1.4.1  Rod Stops  7.7-9
7.7.1.4.2  Automatic Turbine Load Runback  7.7-10
7.7.1.4.3  Turbine Loading Stop  7.7-10
7.7.1.5  Pressurizer Pressure Control  7.7-10
7.7.1.6  Pressurizer Water Level Control  7.7-11
7.7.1.7  Steam Generator Water Level Control  7.7-12
7.7.1.8  Steam Dump Control  7.7-12
7.7.1.8.1  Load Rejection Steam Dump Controller  7.7-13
7.7.1.8.2  Plant Trip Steam Dump Controller  7.7-13
7.7.1.8.3  Steam Header Pressure Controller  7.7-13
7.7.1.9  Incore Instrumentation  7.7-13
7.7.1.9.1  Thermocouples  7.7-14
7.7.1.9.2  Movable Neutron Flux Detector Drive System  7.7-14
7.7.1.9.3  Control and Readout Description  7.7-14
7.7.2  Analysis  7.7-15
7.7.2.1  Separation of Protection and Control System  7.7-16
7.7.2.2  Response Considerations of Reactivity  7.7-17
7.7.2.3  Step Load Changes without Steam Dump  7.7-19
7.7.2.4  Loading and Unloading  7.7-19
7.7.2.5  Load Rejection Furnished by Steam Dump System  7.7-20
7.7.2.6  Turbine-Generator Trip With Reactor Trip  7.7-21
7.7.2.7  Operational Transient Analysis  7.7-22
7.7.3  Reference for Section 7.7  7.7-23
7.8  ANTICIPATED TRANSIENTS WITHOUT SCRAM MITIGATION SYSTEM ACTUATION CIRCUITRY  7.8-1
7.8.1  Description  7.8-1
7.8.1.1  System Description  7.8-1
7.8.1.2  Equipment Description  7.8-1
7.8.1.3  Functional Performance Requirements  7.8-3
7.8.1.4  AMSAC Interlocks  7.8-3
7.8.1.5  Trip System  7.8-3
7.8.1.6  Isolation Devices  7.8-3
7.8.1.7  AMSAC Diversity From the Reactor Protection Systems  7.8-4
7.8.1.8  Power Supply  7.8-4
7.8.1.9  Environmental Variations  7.8-4
7.8.1.10  Set Points  7.8-4
7.8.2  Analysis  7.8-5
7.8.2.1  Safety Classification/Safety Related Interface  7.8-5
7.8.2.2  Redundancy  7.8-5
7.8.2.3  Diversity From the Existing Trip System  7.8-5
7.8.2.4  Electrical Independence  7.8-5
7.8.2.5  Physical Separation From the RTS and ESFAS  7.8-6
7.8.2.6  Environmental Qualification  7.8-6
7.8.2.7  Seismic Qualification  7.8-6
7.8.2.8  Test, Maintenance, and Surveillance Quality Assurance  7.8-6
7.8.2.9  Power Supply  7.8-7
7.8.2.10  Testability at Power  7.8-7
7.8.2.11  Inadvertent Actuation  7.8-7
7.8.2.12  Bypass  7.8-7
7.8.2.12.1  Maintenance Bypasses  7.8-7
7.8.2.12.2  Operating Bypasses  7.8-7
7.8.2.12.3  Indication of Bypasses  7.8-8
7.8.2.12.4  Means for Bypassing  7.8-8
7.8.2.13  Completion of Mitigative Actions Once Initiated  7.8-8
7.8.2.14  Manual Initiation  7.8-8
7.8.2.15  Information Readout  7.8-8
7.8.2.16  Compliance With Standards and Design Criteria  7.8-8

28/18 7-i Rev. 31

List of Tables

Number  Title
7.1-1  Listing of Applicable Criteria
7.2-1  List of Reactor Trips
7.2-2  Protection System Interlocks
7.2-3  Reactor Trip System Instrumentation
7.2-4  Reactor Trip Correlation
7.3-1  Interlocks for Engineered Safety Features Actuation System
7.3-2  Engineered Safety Features Actuation System Instrumentation
7.3-3  Safety Injection Signal
7.3-4  Containment Isolation Phase A
7.3-5  Steam Line Isolation
7.3-6  Feedwater Isolation
7.3-7  Control Building Isolation
7.3-8  Containment Depressurization Actuation
7.3-9  Containment Isolation Phase B
7.3-10  Instrumentation and Control Systems for Engineered Safety Features and Essential Auxiliary Supporting Systems
7.4-1  Instruments and Controls Outside Control Room for Cold Shutdown
7.5-1  Accident Monitoring Instrumentation List
7.7-1  Plant Control System Interlocks

List of Figures

Number  Title
7.1-1  Solid State Protection System Block Diagram
7.1-2  Reactor Trip/ESF Actuation Mechanical Linkage for Dual Train Switches
7.2-1  (Sheets 1-19) P&IDs Functional Diagram, Reactor Trip System/Loop Stop Valve Interlocks/Pressurizer Pressure Relief System
7.2-2  Setpoint Reduction Function for Overpower and Overtemperature ΔT Trips
7.3-1  Failure Modes and Effects Analysis Quench Spray System
7.3-2  Fault Tree Diagram Quench Spray System
7.3-3  Typical ESF Test Circuits
7.3-4  Engineered Safeguards Test Cabinet
7.6-1  Logic Diagram for RHS Isolation Valves
7.6-2  Functional Block Diagram of Accumulator Isolation Valves
7.6-3  Automatic RHS and QSS Pump Shutoff (Sheet 1)
7.6-4  Reactor Coolant System Loop with Loop Stop Valves
7.7-1  Simplified Block Diagram of Reactor Control System
7.7-2  Control Bank Rod Insertion Monitor
7.7-3  Rod Deviation Comparator
7.7-4  Block Diagram of Pressurizer Pressure Control System
7.7-5  Block Diagram of Pressurizer Level Control System
7.7-6  Block Diagram of Steam Generator Water Level Control System
7.7-7  Block Diagram of Main Feedwater Pump Speed Control System
7.7-8  Block Diagram of Steam Dump Control System
7.7-9  Basic Flux-Mapping System
7.7-10  Not Used
7.7-11  Not Used
7.7-12  Not Used
7.7-13  Not Used
7.7-14  Simplified Block Diagram of Rod Control System
7.7-15  Control Bank B Partial Simplified Schematic Diagram of Power Cabinets 1 BD and 2 BD
7.8-1  Actuation Logic System Architecture

7.1 INTRODUCTION

This chapter presents the various plant instrumentation and control systems by relating the functional performance requirements, design bases, system descriptions, design evaluations, and tests and inspections for each. The information provided in this chapter emphasizes those instruments and associated equipment which constitute the protection system as defined in IEEE Standard 279-1971, IEEE Standard: Criteria for Protection Systems for Nuclear Power Generating Stations.

The primary purpose of the instrumentation and control systems is to provide automatic protection and exercise proper control against unsafe and improper reactor operation during steady state and transient power operations (ANS Conditions I, II, III) and to provide initiating signals to mitigate the consequences of faulted conditions (ANS Condition IV). ANS conditions are discussed in Chapter 15. Consequently, the information presented in this chapter emphasizes those instrumentation and control systems which are central to assuring that the reactor can be operated to produce power in a manner that ensures no undue risk to the health and safety of the public.

It is shown that the applicable criteria and codes, such as General Design Criteria and IEEE Standards, concerned with the safe generation of nuclear power are met by these systems. See Table 7.1-1 for a listing of applicable criteria.

Definitions

Terminology used in this chapter is based on the definitions given in IEEE Standard 279-1971, which is listed in Section 7.1.2. In addition, the following definitions apply:

1. Degree of Redundancy - The difference between the number of channels monitoring a variable and the number of channels which when tripped, would cause an automatic system trip.
2. Minimum Degree of Redundancy - The degree of redundancy below which operation is prohibited, or otherwise restricted by the Technical Specifications.
3. Cold Shutdown Condition - A Technical Specifications operational mode where Keff < 0.99 and Tavg ≤ 200°F.
4. Hot Shutdown Condition - A Technical Specifications operational mode where Keff < 0.99 and 350°F > Tavg > 200°F.
5. Phase A Containment Isolation - Closure of all non-essential process lines which penetrate containment initiated manually or by the safety injection signal.


engineered safety features lines).

7. System Response Times:
a. Reactor Trip System Response Time The time interval from when the monitored parameter exceeds its trip set point at the channel sensor until loss of stationary gripper coil voltage.
b. Engineered Safety Features System Response Time The time interval from when the monitored parameter exceeds its ESF actuation set point at the channel sensor until the ESF equipment is capable of performing its safety function (i.e., the valves travel to their required positions, pump discharge pressures reach their required values, etc.).

Times shall include diesel generator starting and sequence loading delays where applicable.

8. Reproducibility - This definition is taken from Scientific Apparatus Manufacturers Association (SAMA) Standard PMC-20.1-1973, Process Measurement and Control Terminology: the closeness of agreement among repeated measurements of the output for the same value of input made under the same operating conditions over a period of time, approaching from both directions. It includes drift due to environmental effects, hysteresis, long-term drift, and repeatability. Long-term drift (aging of components, etc.) is not an important factor in accuracy requirements since, in general, the drift is not significant with respect to the time elapsed between testing. Therefore, long-term drift may be eliminated from this definition. Reproducibility, in most cases, is a part of the definition of accuracy (see below).
9. Accuracy - This definition is derived from Scientific Apparatus Manufacturers Association (SAMA) Standard PMC-20.1-1973, Process Measurement and Control Terminology. An accuracy statement for a device falls under Note 2 of the SAMA definition of accuracy, which means reference accuracy or the accuracy of that device at reference operating conditions: reference accuracy includes the combined conformity, hysteresis, and repeatability errors. To adequately define the accuracy of a system, the term reproducibility is useful as it covers normal operating conditions. The following terms, trip accuracy and indicated accuracy etc., would include conformity and reproducibility under normal operating conditions. Where the final result does not have to conform to an actual process variable but is related to another value established by testing, conformity may be eliminated, and the term reproducibility may be substituted for accuracy.


around the transmitter and racks. Not included are accuracies under post-accident conditions.

11. Readout Devices - For consistency, the final device of a complete channel is considered a readout device. This includes indicators, recorders, isolators (nonadjustable), and controllers.
12. Channel Accuracy - This definition includes accuracy of primary element, transmitter and rack modules. It does not include readout devices or rack environmental effects, but does include process and environmental effects on field-mounted hardware. Rack environmental effects are included in the next two definitions to avoid duplication due to dual inputs.
13. Indicated and/or Recorded Accuracy - This definition includes channel accuracy, accuracy of readout devices and rack environmental effects.
14. Trip Accuracy - This definition includes comparator accuracy, channel accuracy for each input, and rack environmental effects. This is the tolerance, expressed in process terms (or percent of span), within which the complete channel must perform its intended trip function. It includes all instrument errors but no process effects such as streaming. The term actuation accuracy may be used where the word trip might cause confusion (for example, when starting pumps and other equipment).
15. Control Accuracy - This definition includes channel accuracy, accuracy of readout devices (isolator, controller), and rack environmental effects. Where an isolator separates control and protection signals, the isolator accuracy is added to the channel accuracy to determine control accuracy, but credit is taken for tuning beyond this point; i.e., the accuracy of these modules (excluding controllers) is included in the original channel accuracy. Control accuracy is defined simply as the accuracy of the control signal in percent of the span of that signal. This includes gain changes where the control span is different from the span of the measured variable.

Where controllers are involved, the control span is the input span of the controller.

No error is included for the time in which the system is in a nonsteady state condition.

1 IDENTIFICATION OF SAFETY RELATED SYSTEMS

1.1 Safety Related Systems

The instrumentation discussed in Chapter 7 that is required to function to achieve the system responses assumed in the safety evaluations, and the instrumentation needed to shut down the plant safely, are given in this section.

1.1.1 Reactor Trip System

The reactor trip system (RTS) is a functionally defined system described in Section 7.2. The equipment which provides the trip functions is identified and discussed in Section 7.2. Design bases for the RTS are given in Section 7.1.2.1. Figure 7.1-1 includes a single line diagram of this system.

1.1.2 Engineered Safety Features Actuation System

The engineered safety features actuation system (ESFAS) is a functionally defined system described in Section 7.3. The equipment which provides the actuation functions is identified and discussed in Section 7.3. Design bases for the ESFAS are given in Section 7.1.2.1.

1.1.3 Instrumentation and Control Power Supply System

Design bases for the instrumentation and control power supply system are given in Section 7.1.2.1. Further description of this system is provided in Section 7.6.1.

1.2 Safety Related Display Instrumentation

Display instrumentation provides the operator with information to enable him to monitor the results of engineered safety features actions following a Condition II, III, or IV event. Section 7.5, Table 7.5-1, provides information required to maintain the plant in a hot shutdown condition or to proceed to cold shutdown.

1.3 Instrumentation and Control System Designers

The systems discussed in Chapter 7 have definitive functional requirements developed on the basis of the Westinghouse NSSS design. Figure 7.2-1, Sheet 8, defines the Westinghouse NSSS scope; the remaining support systems are balance-of-plant (BOP) scope. Regardless of the supplier, the functional requirements necessary to assure plant safety and proper control are clearly delineated.

1.4 Plant Comparison

System functions for all systems discussed in Chapter 7 that are similar to those of the North Anna 1 and 2 applications are provided in the comparison table in Section 1.3.

1.5 Alarms

Annunciators are provided on the main control board and on local panels. Each local panel has a common trouble annunciator on the main control board that is alarmed when any annunciator is alarmed on the local panel. The annunciators are nonsafety grade except for the emergency diesel generator and hydrogen recombiner local alarms, which are safety grade. The safety grade systems monitored are not degraded by the annunciators, since isolators are used to isolate safety grade circuits from nonsafety grade circuits. The instrumentation section for each system lists the annunciators and the parameters monitored. Isolators are discussed in Section 7.2.

See Section 8.3.1.1.3 for details.

Each hydrogen recombiner local annunciator system has isolators to prevent these safety grade annunciators from being degraded by their connection to a nonsafety grade annunciator in the main control room.

1.6 Communication Systems

Communication systems are discussed in Section 9.5.2.

2 IDENTIFICATION OF SAFETY CRITERIA

Section 7.1.2.1 gives design bases for the systems given in Section 7.1.1.1. Design bases for safety related systems are provided in the sections which describe the systems. Conservative considerations for instrument errors are included in the accident analyses presented in Chapter 15.

Functional requirements, developed on the basis of the results of the accident analyses (which have utilized conservative assumptions and parameters), are used in designing these systems, and a preoperational testing program verifies the adequacy of the design. Accuracies are given in Sections 7.2 and 7.3.

The documents listed in Table 7.1-1 were considered in the design of the systems given in Section 7.1.1. In general, the scope of these documents is given in the document itself. This determines the systems or parts of systems to which the document is applicable. A discussion of compliance with each document for systems in its scope is provided in the referenced sections given in Table 7.1-1 for each criterion. Because some documents were issued after design and testing had been completed, the equipment documentation may not meet the format requirements of some standards. Justification for any exceptions taken to each document for systems in its scope is provided in the referenced sections.

2.1 Design Bases

2.1.1 Reactor Trip System

The reactor trip system acts to limit the consequences of Condition II events (incidents of moderate frequency, such as loss of normal feedwater flow) by, at most, a shutdown of the reactor and turbine, with the plant capable of returning to operation after corrective action. The reactor trip system features impose a limiting boundary region on plant operation which ensures that the reactor safety limits are not exceeded during Condition II events and that these events can be accommodated without developing into more severe conditions. Reactor trip set points are given in the Technical Specifications.

The design requirements for the reactor trip system are derived by analyses of plant operating and fault conditions where automatic rapid control rod insertion is necessary in order to prevent or limit core or reactor coolant boundary damage. The design bases addressed in IEEE Standard

1. As a result of any anticipated transient or malfunction (Condition II faults), the departure from nucleate boiling ratio (DNBR) shall not be less than the safety analysis limits (see Section 4.4).
2. Power density shall not exceed the rated linear power density for Condition II faults. See Chapter 4 for fuel design limits.
3. The stress limit of the reactor coolant system for the various conditions shall be as specified in Chapter 5.
4. Release of radioactive material shall not be sufficient to interrupt or restrict public use of those areas beyond the exclusion radius as a result of any Condition III fault.
5. For any Condition IV fault, release of radioactive material shall not result in an undue risk to public health and safety.

2.1.2 Engineered Safety Features Actuation System

The engineered safety features actuation system acts to limit the consequences of Condition III events (infrequent faults, such as primary coolant spillage from a small rupture which exceeds normal charging system makeup and requires actuation of the safety injection system). The engineered safety features actuation system also acts to mitigate Condition IV events (limiting faults, which include the potential for significant release of radioactive material).

The design bases for the engineered safety features actuation system are derived from the design bases given in Chapter 6 for the engineered safety features. Design bases requirements of IEEE Standard 279-1971 are addressed in Section 7.3.1.2. General design requirements are given below.

1. Automatic Actuation Requirements - The primary requirement of the engineered safety features actuation system is to receive input signals (information) from the various on-going processes within the reactor plant and containment and automatically provide, as output, timely and effective signals to actuate the various components and subsystems comprising the engineered safety features system.
2. Manual Actuation Requirements - The engineered safety features actuation system must have provisions in the control room for manual initiation.

2.1.3 Instrumentation and Control Power Supply System

The instrumentation and control power supply system provides continuous, reliable, regulated single phase AC power to all instrumentation and control equipment required for plant safety.

Details of this system are provided in Section 7.6. The design bases are given below:

1. Each inverter has the capacity and regulation required for the AC output for proper operation of the equipment supplied.
2. Redundant loads are assigned to different distribution panels which are supplied from different inverters.
3. Auxiliary devices that are required to operate dependent equipment are supplied from the same distribution panel to prevent the loss of electric power in one protection set from causing the loss of equipment in another protection set. No single failure shall cause a loss of power supply to more than one distribution panel.
4. Each of the distribution panels has access only to its respective inverter supply and a standby power supply.
5. The system complies with IEEE Standard 308-1971, Paragraph 5.4.
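The design bases above are checkable properties of a supply topology. The following is an added example (not from the FSAR and not a description of the Millstone distribution system): it builds a constructed inverter/standby/panel graph, fails each component in turn to confirm that no single failure de-energizes more than one distribution panel (basis 3), confirms that loads in one redundancy group sit on different panels (basis 2), and confirms that each panel is fed only by its own inverter and one standby supply (basis 4). All component names, the load list and the redundancy groups are constructed for illustration, and a deliberately flawed variant is included so the checks have something to flag.

```python
"""Design-basis checks for an I&C power supply topology (added example)."""

# Constructed supply graph: bus -> alternative sources that can feed it.
# A bus is energized while at least one listed source is energized; a name
# with no entry is a root supply that is available unless it is the failed
# component. Each panel has exactly its own inverter plus a standby feed.
GOOD_SUPPLY = {
    "PANEL-I":   ["INV-1", "STBY-A"],
    "PANEL-II":  ["INV-2", "STBY-A"],
    "PANEL-III": ["INV-3", "STBY-B"],
    "PANEL-IV":  ["INV-4", "STBY-B"],
    "INV-1": ["DC-BUS-1"], "INV-2": ["DC-BUS-2"],
    "INV-3": ["DC-BUS-3"], "INV-4": ["DC-BUS-4"],
    "STBY-A": ["AC-BUS-A"], "STBY-B": ["AC-BUS-B"],
}

# Constructed flawed variant: panels III and IV hang off one inverter with
# no standby, so a single inverter (or its DC bus) takes out two panels.
BAD_SUPPLY = dict(GOOD_SUPPLY, **{"PANEL-III": ["INV-3"], "PANEL-IV": ["INV-3"]})

PANELS = ["PANEL-I", "PANEL-II", "PANEL-III", "PANEL-IV"]

# Constructed load list: load -> (panel, redundancy group). Loads in one
# group are redundant channels that must sit on different panels (basis 2).
LOADS = {
    "PZR-PRESS-CH-I":   ("PANEL-I",   "pzr-press"),
    "PZR-PRESS-CH-II":  ("PANEL-II",  "pzr-press"),
    "PZR-PRESS-CH-III": ("PANEL-III", "pzr-press"),
    "PZR-PRESS-CH-IV":  ("PANEL-III", "pzr-press"),   # deliberate violation
    "CTMT-PRESS-CH-I":  ("PANEL-I",   "ctmt-press"),
    "CTMT-PRESS-CH-II": ("PANEL-II",  "ctmt-press"),
}


def is_energized(node, failed, supply):
    """True if `node` still has a live feed with the components in `failed` out."""
    if node in failed:
        return False
    sources = supply.get(node, [])
    if not sources:
        return True  # root supply
    return any(is_energized(s, failed, supply) for s in sources)


def components(supply):
    """Every component that could be the single failure."""
    return set(supply) | {s for srcs in supply.values() for s in srcs}


def panels_lost(failed_component, supply, panels=PANELS):
    """Panels de-energized by the failure of exactly one component."""
    return [p for p in panels if not is_energized(p, {failed_component}, supply)]


def single_failure_violations(supply, panels=PANELS):
    """Basis 3: map each component whose single failure drops more than one
    panel to the panels it drops. An empty dict means the basis is met."""
    out = {}
    for c in sorted(components(supply)):
        lost = panels_lost(c, supply, panels)
        if len(lost) > 1:
            out[c] = lost
    return out


def redundancy_violations(loads):
    """Basis 2: redundant loads (same group) must be on different panels.
    Returns (group, panel, [loads]) for every panel carrying two of a group."""
    seen = {}
    for load, (panel, group) in loads.items():
        seen.setdefault((group, panel), []).append(load)
    return sorted((g, p, sorted(ls)) for (g, p), ls in seen.items() if len(ls) > 1)


def panel_feed_violations(supply, panels=PANELS):
    """Basis 4: a panel may be fed only by its own inverter and one standby."""
    bad = []
    for p in panels:
        srcs = supply.get(p, [])
        invs = [s for s in srcs if s.startswith("INV-")]
        stbys = [s for s in srcs if s.startswith("STBY-")]
        if len(srcs) != 2 or len(invs) != 1 or len(stbys) != 1:
            bad.append(p)
    return bad


if __name__ == "__main__":
    print("good topology:", single_failure_violations(GOOD_SUPPLY))
    print("bad topology: ", single_failure_violations(BAD_SUPPLY))
    print("redundant loads sharing a panel:", redundancy_violations(LOADS))
    print("panels with wrong feeds:", panel_feed_violations(BAD_SUPPLY))
```

The single-failure check is exhaustive rather than sampled: every node in the graph, including the DC and AC buses behind the inverters and standby supplies, is failed once, so a shared upstream bus that would quietly defeat the one-inverter-per-panel arrangement is caught as well.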

2.1.4 Emergency Power

Design bases and system description for the emergency power supply are provided in Chapter 8.

2.1.5 Interlocks

Interlocks are discussed in Sections 7.2, 7.3, 7.6, and 7.7. The protection (P) interlocks are given in Tables 7.2-2 and 7.3-3. The safety analyses demonstrate that, even under conservative critical conditions for either postulated or hypothetical accidents, the protective systems ensure that the NSSS will be put into and maintained in a safe state following an ANS Condition II, III or IV incident, commensurate with applicable Technical Specifications and pertinent ANS criteria.

Therefore the protective systems have been designed to meet IEEE Standard 279-1971 and are entirely redundant and separate, including all permissives and blocks. All blocks of a protective function are automatically cleared whenever the protective function is required, in accordance with General Design Criteria 20, 21, and 22 and Paragraphs 4.11, 4.12, and 4.13 of IEEE Standard 279-1971. Control interlocks (C) are identified in Table 7.7-1. Because control interlocks are not safety related, they have not been specifically designed to meet the requirements of IEEE protection system standards.

2.1.6 Bypasses

Bypasses are designed to meet the requirements of IEEE Standard 279-1971, Paragraphs 4.11, 4.12, 4.13, and 4.14. A discussion of the bypasses provided is given in Sections 7.2 and 7.3.

2.1.7 Equipment Protection

The criteria for equipment protection are given in Chapter 3. Equipment related to safe operation of the plant is designed, constructed and installed to protect the plant from damage. This is accomplished by working to accepted standards and criteria aimed at providing reliable instrumentation which is available under varying conditions. As an example, certain equipment is seismically qualified in accordance with IEEE Standard 344-1975. Independence and separation are achieved, as required by IEEE Standard 279-1971, IEEE Standard 384-1974 and Regulatory Guide 1.75, either by barriers, physical separation or demonstration test. This serves to protect against complete destruction of a system by fires, missiles or other natural hazards.

2.1.8 Diversity

Functional diversity has been designed into the system. Functional diversity is discussed in WCAP-7706-L and WCAP-7706. The extent of diverse system variables has been evaluated for a wide variety of postulated accidents.

Regarding the engineered safety features actuation system for a loss-of-coolant accident, a safety injection signal can be obtained manually or by automatic initiation from two diverse parameter measurements:

1. Low pressurizer pressure
2. High containment pressure (Hi-1)

For a steam break accident, safety injection signal actuation is provided by:

1. Low steamline pressure
2. For a steam break inside containment, high containment pressure (Hi-1) provides an additional parameter for generation of the signal
3. Low pressurizer pressure

All of the above sets of signals are redundant and physically separated and meet the requirements of IEEE Standard 279-1971.

2.1.9 Bistable Trip Set Points

The following parameters are applicable to reactor trip and engineered safety features actuation:

1. Safety limit
2. Allowable value
3. Trip set point

Safety limits such as those for reactor coolant system pressure are found in Section 2.0 of the Technical Specifications.

To accommodate instrument drift which can occur between operational tests, and the accuracy to which set points can be measured and calibrated, allowable values for the reactor trip set points have been specified in the Technical Specifications. Operation with the set points less conservative than the reactor trip or engineered safety features trip set point but within the allowable value is acceptable, since an allowance has been made in the safety analysis to accommodate these uncertainties.

The set point limits specified in the Technical Specifications are the nominal values at which the reactor trips and/or engineered safety features trips are set for each functional unit. The trip set points have been selected to ensure that the core and reactor coolant system are prevented from exceeding their safety limits during normal operation and design basis operational occurrences, and to support the mitigation of limiting accidents.

The methodology used to derive the trip set points is based upon combining all of the uncertainties in the channels. Inherent to the determination of the trip set points are the magnitudes of these channel uncertainties. Sensors and other instrumentation utilized in these channels are expected to be capable of operating within the allowances of these uncertainty magnitudes.

Further discussion on set points is found in Sections 7.1.2.2.1 and 7.3.1.2.6.

The only requirement on the uncertainty of an instrumentation channel is that, over the instrument span, the uncertainty must always be less than or equal to the value allowed in the accident analysis. The instrument does not need to be the most accurate at the set point value as long as it meets the minimum accuracy requirement. The accident analysis accounts for the expected uncertainties at the actual set point.

Range selection for the instrumentation covers the expected range of the process variable being monitored, consistent with its application. The design of the reactor trip and engineered safety features systems is such that the bistable trip set points are not set within 5 percent of the high and low ends of their calibrated span or range. Functional requirements established for every channel of the reactor trip and engineered safety features systems stipulate the maximum allowable errors in accuracy, linearity, and reproducibility. The protection channels have the capability for, and are tested to ascertain that, the characteristics throughout the entire span in all aspects are acceptable and meet functional requirement specifications.
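The accuracy definitions in Section 7.1 (channel accuracy, trip accuracy, and the between-test drift and calibration terms) and the set point discussion above combine into one calculation: total channel uncertainty sets the distance between the analytical limit and the nominal trip set point, the between-test terms set the distance between the set point and the allowable value, and two acceptance checks follow (uncertainty no greater than the accident analysis allowance over the span, and the set point at least 5 percent of span from either end). The following is an added example, not the FSAR's or the vendor's set point methodology. The span, analytical limit and every uncertainty term are constructed, and the combination rule (square-root-sum-of-squares of independent random terms plus algebraic addition of bias terms, with all terms assumed on a common statistical basis) is an assumption about "combining all of the uncertainties in the channels", which the page does not spell out.

```python
"""Trip set point derivation from channel uncertainty terms (added example)."""
from math import sqrt

# (name, category, value in percent of calibrated span, random?) -- constructed.
# "channel" terms make up channel accuracy (primary element, transmitter,
# rack modules, field effects); "comparator" and "rack_env" are added for
# trip accuracy; "drift" and "cal" are the between-test allowances that
# separate the allowable value from the nominal trip set point.
TERMS = [
    ("sensor reference accuracy",      "channel",    1.0, True),
    ("sensor process/field effect",    "channel",    0.5, False),  # bias term
    ("rack module accuracy",           "channel",    0.5, True),
    ("comparator (bistable) accuracy", "comparator", 0.5, True),
    ("rack temperature effect",        "rack_env",   1.0, True),
    ("sensor drift between tests",     "drift",      1.0, True),
    ("rack drift between tests",       "drift",      0.5, True),
    ("calibration accuracy",           "cal",        0.5, True),
]
TRIP_CATEGORIES = {"channel", "comparator", "rack_env"}
BETWEEN_TEST_CATEGORIES = {"drift", "cal"}


def combine(terms):
    """Assumed rule: SRSS of random terms plus algebraic sum of bias terms (% span)."""
    random_terms = [v for _, _, v, r in terms if r]
    bias_terms = [v for _, _, v, r in terms if not r]
    return sqrt(sum(v * v for v in random_terms)) + sum(bias_terms)


def accuracy_pct(categories, terms=TERMS):
    return combine([t for t in terms if t[1] in categories])


def channel_accuracy_pct(terms=TERMS):
    return accuracy_pct({"channel"}, terms)


def trip_accuracy_pct(terms=TERMS):
    return accuracy_pct(TRIP_CATEGORIES, terms)


def total_loop_uncertainty_pct(terms=TERMS):
    return accuracy_pct({c for _, c, _, _ in terms}, terms)


def derive_setpoints(span_lo, span_hi, analytical_limit, increasing=True, terms=TERMS):
    """Nominal trip set point and allowable value in process units.

    For a trip on an increasing parameter the set point sits below the
    analytical limit by the total loop uncertainty; the allowable value sits
    between the two, separated from the set point only by the between-test
    drift and calibration terms. A decreasing-parameter trip mirrors the signs.
    """
    span = span_hi - span_lo
    sign = -1.0 if increasing else 1.0
    total = total_loop_uncertainty_pct(terms) / 100.0 * span
    between = accuracy_pct(BETWEEN_TEST_CATEGORIES, terms) / 100.0 * span
    ntsp = analytical_limit + sign * total
    return {
        "analytical_limit": analytical_limit,
        "nominal_trip_setpoint": ntsp,
        "allowable_value": ntsp - sign * between,
        "total_uncertainty_units": total,
    }


def span_margin_pct(span_lo, span_hi, setpoint):
    """Distance from the set point to the nearer end of the calibrated span, in % span."""
    frac = (setpoint - span_lo) / (span_hi - span_lo) * 100.0
    return min(frac, 100.0 - frac)


def check_setpoint(span_lo, span_hi, analytical_limit, analysis_allowance_pct,
                   increasing=True, terms=TERMS, min_span_margin_pct=5.0):
    """Apply the two acceptance checks stated in the text."""
    sp = derive_setpoints(span_lo, span_hi, analytical_limit, increasing, terms)
    sp["uncertainty_ok"] = total_loop_uncertainty_pct(terms) <= analysis_allowance_pct
    sp["span_margin_pct"] = span_margin_pct(span_lo, span_hi, sp["nominal_trip_setpoint"])
    sp["span_margin_ok"] = sp["span_margin_pct"] >= min_span_margin_pct
    return sp


if __name__ == "__main__":
    # Constructed high-pressure trip: 1700-2500 psig span, analytical limit
    # 2425 psig, accident analysis allowance of 3.0 percent of span.
    for k, v in check_setpoint(1700.0, 2500.0, 2425.0, 3.0).items():
        print(f"{k:24s} {v}")
```

With the constructed terms the random contributions sum in quadrature to exactly 2.0 percent of span, so the worked numbers can be followed by hand: total uncertainty 2.5 percent (20 psi on an 800 psi span), set point 2405 psig, allowable value about 2414.8 psig, and an 11.9 percent margin to the top of the span.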

The specific functional requirements for response time, set point, and operating span are based on the results and evaluation of safety studies carried out using data pertinent to the plant. Emphasis is placed on establishing adequate performance requirements under both normal and faulted conditions. This includes consideration of process transmitter margins such that, even under a highly improbable situation of full power operation at the limits of the operating map (as defined

response is available to ensure plant safety.

2.1.10 Engineered Safety Features Motor Specifications

Motors are discussed in Section 8.3.1.

2.2 Independence of Redundant Safety Related Systems

The safety related systems in Section 7.1.1.1 are designed to meet the independence and separation requirements of Criterion 22 of the 1971 General Design Criteria and Paragraph 4.6 of IEEE Standard 279-1971. The electrical power supplies, instrumentation, and control conductors for redundant circuits have physical separation to preserve the redundancy and to ensure that no single credible event will prevent operation of the associated function due to electrical conductor damage. Critical circuits and functions include power, control and analog instrumentation associated with the operation of the reactor trip system or engineered safety features actuation system. Credible events shall include, but not be limited to, the effects of short circuits, pipe rupture, missiles, fire, etc., and are considered in the basic plant design. In the control board, separation of redundant circuits is maintained as described in Section 8.3.1.4.

2.2.1 General (Include Regulatory Guide 1.75 and IEEE Standard 384-1974)

A description of separation is provided in Section 8.3, and compliance with Regulatory Guide 1.75 is described in Section 1.8 for BOP scope.

The physical separation criteria for redundant safety related system sensors, sensing lines, raceways, cables, and components on racks for the NSSS scope meet recommendations contained in Regulatory Guide 1.75, with the following comments.

1. The design of the protection system relies on the provisions of IEEE-384-74 relative to isolation devices to prevent malfunctions in one circuit from causing unacceptable influences on the functioning of the protection system. The protection system uses redundant instrumentation channels and actuation trains and incorporates physical and electrical separation to prevent faults in one channel from degrading any other protection channel.
2. Separation recommendations for redundant instrumentation racks are not the same as those given in Paragraph C16 of Regulatory Guide 1.75, Revision 1, for the control boards because of different functional requirements. Main control boards contain redundant circuits which are required to be physically separated from each other. However, since there are no redundant circuits which share a single compartment of an NSSS protection instrumentation rack, and since these redundant protection instrumentation racks are physically separated from each other, the physical separation requirements specified for the main control board do not apply.

It could be postulated that electrical faults, or interference, at these locations might be propagated into all redundant racks and degrade protection circuits because of the close proximity of protection and control wiring within each rack. Regulatory Guide 1.75, Paragraph C-4, and IEEE-384-1974, Paragraph 4.5(3), provide the option to demonstrate by tests that the absence of physical separation could not significantly reduce the availability of Class 1E circuits.

Westinghouse test programs have demonstrated that Class 1E protection systems, Nuclear Instrumentation System (NIS); Solid State Protection System (SSPS); and 7300 Process Control System (7300 PCS), are not degraded by non-Class 1E circuits sharing the same enclosure. Conformance to the requirements of IEEE-279 and Regulatory Guide 1.75 has been established and accepted by the NRC based on the following which is applicable to these systems at Millstone.

Tests conducted on the as-built designs of the NIS and SSPS were reported and accepted by the NRC in support of the Diablo Canyon application (Docket Numbers 50-275 and 50-323). Westinghouse considers these programs as applicable to all plants, including Millstone. Westinghouse tests on the 7300 PCS were covered in a report entitled 7300 Series Process Control System Noise Tests, subsequently reissued as WCAP-8892-A. In a letter dated April 20, 1977, R. Tedesco to C. Eicheldinger, the NRC accepted the report, in which the applicability to the Millstone plant is established.

3. The physical separation criteria for instrument cabinets within the NSSS scope meet the recommendations contained in Paragraph 5.7 of IEEE-384-1974.
4. The core thermocouple system satisfies Regulatory Guide 1.75 separation requirement except for the two channels/trains inside the refueling cavity. The method of installation of the core thermocouples within the reactor cavity was completed prior to upgrading of the system to satisfy Regulatory Guide 1.97 requirements. The design within the refueling cavity is acceptable because:
  • only a small, self generated signal exists in the cabling from the thermocouples to the reference junction boxes and therefore no chance exists for a postulated propagating fault, and
  • due to the interference provided by the rod control mechanisms and rod position indicator stack, no likelihood exists for rendering all thermocouples inoperable.

2.2.2 Specific Systems

Independence is maintained throughout the system, extending from the sensor through the devices actuating the protective function. Physical separation is used to achieve separation of redundant

equipment is separated by locating modules in different protection rack sets. Each redundant channel set is energized from a separate AC power feed.

There are four separate process analog sets. Separation of redundant analog channels begins at the process sensors and is maintained in the field wiring, containment penetrations and analog protection cabinets to the redundant trains in the logic racks. Redundant analog channels are separated by locating modules in different cabinets or compartments of a cabinet. Since all equipment within any cabinet is associated with a single protection set, there is no requirement for channel separation of wiring and components within the cabinets.

In the nuclear instrumentation system, process instrumentation systems, and the solid state protection system input cabinets, where redundant channel instrumentation is physically adjacent, there are no wireways or cable penetrations which would permit, for example, a fire resulting from electrical failure in one channel to propagate into redundant channels in the logic racks. Redundant analog channels are separated by locating modules in different cabinets or compartments of a cabinet.

Two reactor trip breakers are actuated by two separate logic matrices which interrupt power to the control rod drive mechanisms. The breaker main contacts are connected in series with the power supply so that opening either breaker interrupts power to all full length control rod drive mechanisms, permitting the rods to free fall into the core.

1. Reactor Trip System
a. Separate routing is maintained for the four basic reactor trip system channel sets analog sensing signals, bistable output signals and power supplies for such systems. The separation of these four channel sets shall be maintained from sensors to instrument cabinets to logic system input cabinets.
b. Separate routing of the redundant reactor trip signals from the redundant logic system cabinets is maintained, and in addition, they shall be separated (by spatial separation or by provision of barriers or by separate cable trays or wireways) from the four analog channel sets.
2. Engineered Safety Features Actuation System
a. Separate routing is maintained for the four basic sets of engineered safety features actuation system analog sensing signals, bistable output signals and power supplies for such systems. The separation of these four channel sets is maintained from sensors to instrument cabinets to logic system input cabinets.


be separated by spatial separation or by provisions of barriers or by separate cable trays or wireways from the four analog channel sets.

c. Separate routing of control and power circuits associated with the operation of engineered safety features equipment is required to retain redundancies provided in the system design and power supplies.
3. Instrumentation and Control Power Supply System For separation criteria presented applicable for the load centers and buses distributing power to redundant components and to the control of these power supplies, see Section 8.3.1.4.

Reactor trip system and engineered safety features actuation system analog circuits may be routed in the same wireways provided circuits have the same power supply and channel set identified (I, II, III or IV).
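The routing statements in this section reduce to pairwise rules on what may share a raceway, which makes them mechanically checkable against a cable schedule. The following is an added example, not from the FSAR: it encodes the rules above (the four analog channel sets kept apart from sensor to logic input cabinet; logic-train outputs kept apart from every analog channel set and from each other; RTS and ESFAS analog circuits allowed to share a wireway only with the same channel set identification and the same power supply) and runs them over a constructed cable schedule. All circuit and raceway identifiers are constructed, and the rule that flags a non-Class 1E circuit in a protection raceway is an added assumption drawn from the isolation discussion in Section 7.1.2.2.1, not a rule the page states in those terms.

```python
"""Raceway separation check for protection circuits (added example)."""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Circuit:
    cid: str
    system: str       # "RTS", "ESFAS" or "NONSAFETY"
    kind: str         # "analog" (channel-set signal) or "train" (logic output)
    division: str     # channel set "I".."IV" for analog, train "A"/"B" for train
    power_supply: str

    @property
    def protection(self):
        return self.system in ("RTS", "ESFAS")


# Constructed circuits (not plant cable numbers).
CIRCUITS = {c.cid: c for c in [
    Circuit("PT-1-I",  "RTS",       "analog", "I",  "PANEL-I"),
    Circuit("PT-2-I",  "ESFAS",     "analog", "I",  "PANEL-I"),
    Circuit("PT-3-II", "RTS",       "analog", "II", "PANEL-II"),
    Circuit("PT-4-I",  "ESFAS",     "analog", "I",  "PANEL-II"),   # set I, wrong supply
    Circuit("RT-A",    "RTS",       "train",  "A",  "TRAIN-A"),
    Circuit("RT-B",    "RTS",       "train",  "B",  "TRAIN-B"),
    Circuit("SI-A",    "ESFAS",     "train",  "A",  "TRAIN-A"),
    Circuit("ANN-7",   "NONSAFETY", "analog", "N",  "NONSAFE-PANEL"),
]}

# Constructed raceway contents, with the expected outcome noted.
RACEWAYS = {
    "TRAY-101": ["PT-1-I", "PT-2-I"],    # same set, same supply: allowed
    "TRAY-102": ["PT-1-I", "PT-3-II"],   # two channel sets: violation
    "TRAY-103": ["PT-2-I", "PT-4-I"],    # same set, different supply: violation
    "TRAY-201": ["RT-A", "SI-A"],        # same train: allowed
    "TRAY-202": ["RT-A", "RT-B"],        # both trains: violation
    "TRAY-203": ["RT-A", "PT-1-I"],      # train output with analog set: violation
    "TRAY-301": ["PT-3-II", "ANN-7"],    # nonsafety sharing: violation (assumed rule)
}


def pair_violation(a, b):
    """Reason string if circuits a and b may not share a raceway, else None."""
    if a.protection != b.protection:
        return "protection circuit shares raceway with non-Class 1E circuit"
    if not a.protection:
        return None
    if a.kind != b.kind:
        return "logic train output routed with an analog channel set"
    if a.division != b.division:
        return f"redundant {a.kind} divisions {a.division} and {b.division} share a raceway"
    if a.kind == "analog" and a.power_supply != b.power_supply:
        return "same channel set but different power supplies"
    return None


def check_raceways(raceways, circuits):
    """Sorted (raceway, circuit, circuit, reason) tuples for every violating pair."""
    findings = []
    for rw, cids in raceways.items():
        for x, y in combinations(sorted(cids), 2):
            reason = pair_violation(circuits[x], circuits[y])
            if reason:
                findings.append((rw, x, y, reason))
    return sorted(findings)


if __name__ == "__main__":
    for f in check_raceways(RACEWAYS, CIRCUITS):
        print(*f, sep=" | ")
```

The check is pairwise on purpose: a raceway with three circuits is acceptable only if every pair is, so a single nonconforming cable added to a correctly populated tray is reported against each circuit it compromises.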

2.2.3 Fire Protection

For electrical equipment within the NSSS scope of supply, the NSSS supplier specifies noncombustible or fire retardant material and conducts vendor-supplied specification reviews of this equipment which include assurance that materials will not be used which may ignite or explode from an electrical spark, flame, or from heating, or will independently support combustion. These reviews include assurance of conservative current carrying capacities of all instrument cabinet wiring, which precludes electrical fires resulting from excessive overcurrent (I²R) losses. For example, wiring used for instrument cabinet construction has Teflon or Tefzel insulation and is adequately sized based on current carrying capacities set forth by the National Electric Code. In addition, fire retardant paint is used on protection rack or cabinet construction to retard fire or heat propagation from rack to rack. Braided sheathed material is noncombustible.

Details of the plant's fire protection system, including consideration within BOP scope, are provided in Section 9.5.1.

2.3 Physical Identification of Safety Related Equipment

There are four separate protection sets identifiable with process equipment associated with the reactor trip and engineered safeguards actuation systems. A protection set may be comprised of more than a single process equipment cabinet. The color coding of each process equipment rack nameplate coincides with the color code established for the protection set of which it is a part.

Redundant channels are separated by locating them in different equipment cabinets. Separation of redundant channels begins at the process sensors and is maintained in the field wiring, containment penetrations and equipment cabinets to the redundant trains in the logic racks. The solid state protection system input cabinets are divided into four isolated compartments, each housing one of the four redundant input channels. Horizontal 1/8-inch thick solid steel barriers,

The wireway for a particular compartment is open only into that compartment, so that flame cannot propagate to affect other channels. A diagram of the input cabinet is given on Figure 7.1-2. At the logic racks the protection set color coding for redundant channels is clearly maintained until the channel loses its identity in the redundant logic trains. The color coded nameplates described below provide identification of equipment associated with protective functions and their channel set association:

Protection Set   Color Coding
I                RED with WHITE lettering
II               WHITE with BLACK lettering
III              BLUE with WHITE lettering
IV               YELLOW with BLACK lettering

All noncabinet mounted protective equipment and components are provided with an identification or nameplate. Small electrical components such as relays have nameplates on the enclosure which houses them. All cables are numbered with identification tags. For identification of cables, cable trays and conduits, see Section 8.3.1.2.4.

2.4 Conformance to Criteria

A listing of applicable criteria and the SAR sections where conformance is discussed is given in Table 7.1-1.

2.5 Conformance to Regulatory Guide 1.22

Periodic testing of the reactor trip and engineered safety features actuation systems, as described in Sections 7.2.2 and 7.3.2, complies with Regulatory Guide 1.22, Periodic Testing of Protection System Actuation Functions.

Where the ability of a system to respond to a bona fide accident signal is intentionally bypassed for the purpose of performing a test during reactor operation, each bypass condition is automatically indicated to the reactor operator in the main control room by a separate annunciator for the train in test. In accordance with Regulatory Guide 1.47, for an event that renders a safety system inoperable but does not automatically operate the system bypass indicator, capability to operate each bypass indicator manually has been provided to the reactor operator. Solid state protection system test circuitry does not allow two trains to be tested at the same time, so that extension of the bypass condition to the redundant system is prevented. Administrative controls prevent both trains of the emergency generator load sequencer from being bypassed at the same time.
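The test-bypass interlock above, the series trip breaker arrangement in Section 7.1.2.2.2, and the diverse safety injection parameters in Section 7.1.2.1.8 can be shown together in a small two-train model. The following is an added example, not the SSPS design or any vendor code: the 2-out-of-4 coincidence per parameter per train, the assumption that a train in test contributes no output, the reactor trip parameter list, and the assumption that loss of power to a train trips its breaker (de-energize to actuate) are all illustrative assumptions. What the page itself states is reproduced as behaviour: a separate bypass annunciator per train in test, refusal to put a second train in test while one is in test, manual safety injection from the control room, and either train alone tripping the reactor because the breakers are in series. Channel states are constructed.

```python
"""Two-train protection logic with a test-bypass interlock (added example)."""

CHANNEL_SETS = ("I", "II", "III", "IV")

# Parameters feeding each protective function. The SI list is the diverse set
# named in Section 7.1.2.1.8; the reactor trip list is an assumed illustrative
# subset, not the plant's trip list.
FUNCTIONS = {
    "reactor_trip": ("low_pzr_pressure",),
    "safety_injection": ("low_pzr_pressure", "hi1_containment_pressure",
                         "low_steamline_pressure"),
}


def voted(channels, needed=2):
    """Assumed 2-out-of-4 coincidence; `channels` maps channel set -> bistable tripped."""
    return sum(1 for s in CHANNEL_SETS if channels.get(s, False)) >= needed


class Train:
    """One logic train: votes every function and drives its own outputs."""

    def __init__(self, name):
        self.name = name
        self.in_test = False    # output bypassed for test; bypass annunciator lit
        self.energized = True   # assumed: trip breaker drops out on loss of train power

    def evaluate(self, bistables, manual_si=False):
        if self.in_test:
            return {"reactor_trip": False, "safety_injection": False}
        if not self.energized:
            return {"reactor_trip": True, "safety_injection": False}
        out = {f: any(voted(bistables.get(p, {})) for p in params)
               for f, params in FUNCTIONS.items()}
        out["safety_injection"] = out["safety_injection"] or manual_si  # control room manual initiation
        return out


class ProtectionSystem:
    def __init__(self):
        self.trains = {"A": Train("A"), "B": Train("B")}

    def enter_test(self, name):
        """Interlock: a second train cannot be placed in test while one is in test."""
        if any(t.in_test for n, t in self.trains.items() if n != name):
            return False
        self.trains[name].in_test = True
        return True

    def exit_test(self, name):
        self.trains[name].in_test = False

    def bypass_annunciators(self):
        """Separate bypass indication per train in test."""
        return {n: t.in_test for n, t in self.trains.items()}

    def evaluate(self, bistables, manual_si=False):
        """Series trip breakers: either train's demand trips the reactor; either
        train's ESF demand actuates safety injection."""
        demands = [t.evaluate(bistables, manual_si) for t in self.trains.values()]
        return {f: any(d[f] for d in demands) for f in FUNCTIONS}


def demo():
    """Constructed scenarios; returns a dict of results for inspection."""
    ps = ProtectionSystem()
    loca = {"low_pzr_pressure": {"I": True, "III": True}}
    steam_break = {"low_steamline_pressure": {"II": True, "IV": True}}
    r = {}
    r["single_channel"] = ps.evaluate({"low_pzr_pressure": {"II": True}})
    r["two_channels"] = ps.evaluate(loca)
    r["steam_break"] = ps.evaluate(steam_break)
    r["enter_A"] = ps.enter_test("A")
    r["enter_B_while_A"] = ps.enter_test("B")
    r["annunciators"] = ps.bypass_annunciators()
    r["two_channels_A_in_test"] = ps.evaluate(loca)     # train B still actuates
    ps.exit_test("A")
    ps.trains["B"].energized = False
    r["loss_of_train_B_power"] = ps.evaluate({})
    r["manual_si"] = ProtectionSystem().evaluate({}, manual_si=True)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:24s} {v}")
```

The interesting case is `two_channels_A_in_test`: with train A bypassed for test the bona fide signal still reaches the rods through train B's breaker, which is exactly why the interlock that refuses to put train B into test at the same time matters.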

Where equipment is not tested during reactor operation, it has been determined that:

1. There is no practicable system design that would permit operation of the equipment without adversely affecting the safety or operability of the plant.
2. The probability that the protection system will fail to initiate the operation of the equipment is, and can be maintained, acceptably low without testing the equipment during reactor operation.
3. The equipment can routinely be tested when the reactor is shutdown.

A list of equipment that cannot be tested at full power, so as not to damage equipment or upset plant operation, is:

1. Manual actuation switches
2. Turbine
3. Main steam line isolation valves (close)
4. Main feedwater isolation valves (close)
5. Feedwater control valves (close)
6. Main feedwater pump trip solenoids
7. Reactor coolant pump seal water return valves (close)
8. Charging header to cold leg isolation valves
9. Charging and letdown isolation valves (close)
10. Deleted by PKG FSC 07-MP3-024
11. CVCS suction valves - Normal (close)
12. Instrument air to containment isolation valves (close)
13. Chillwater supply and return containment isolation valves (close)

The justification for not testing the above 13 items at full power is discussed below.
1. Manual Actuation Switches - These would cause initiation of their protection system function at power, causing plant upset and/or reactor trip. It should be noted

The analog signals from which the automatic safety injection signal is derived are tested at power in the same manner as the other analog signals and as described in Section (10). The processing of these signals in the solid state protection system (SSPS), wherein their channel orientation converts to a logic train orientation, is tested at power by the built-in semi-automatic test provisions of the SSPS. The reactor trip breakers are tested at power as discussed in Section (10).

2. Turbine - Mechanical and backup overspeed trip tests are performed periodically while carrying load, without tripping the unit, by using special test provisions.
3. Closing the Main Steam Isolation Valves - Main steam isolation valves are routinely tested during refueling outages. Testing of the main steam isolation valves to closure at power is not practical. As the plant power is increased, the coolant average temperature is programmed to increase. If the valves are closed under these elevated temperature conditions, the steam pressure transient would unnecessarily operate the steam generator relief valves and possibly the steam generator safety valves. The steam pressure transient produced would cause shrinkage in the steam generator level, which would cause the reactor to trip on low-low steam generator water level. Testing during operation would also decrease the operating life of the valve.

Based on the problems identified above with periodic testing of the main steam isolation valves at power, and since (1) no practical system design will permit operation of the valves without adversely affecting the safety or operability of the plant, and (2) the probability that the protection system will fail to initiate the actuated equipment is acceptably low, the valves are not closed during testing at power. Although the actual closing of these valves is blocked when the slave relay is tested, all functions are tested to assure that no electrical malfunctions have occurred which could defeat the protective function.

It is noted that the solenoids work on the de-energize-to-actuate principle, so that the main steam isolation valves will fail closed upon loss of electrical power to the solenoids.

Based on the above, the testing of the isolating function of main steam isolation valves meets the guidelines of Section D.4 of Regulatory Guide 1.22.

4. Closing the Feedwater Isolation Valves

The feedwater isolation valves are routinely tested during refueling outages.

Periodic testing of these feedwater isolation valves, closing them completely at power, would induce steam generator water level transients and oscillations which

variable-speed feedwater pump control system and the steam generator water level control system. Any operation which induces perturbations in the main feedwater flow, whether deliberate or otherwise, generally leads to a reactor trip and should be avoided.

Based on these identified problems incurred with periodic testing of the feedwater isolation valves, and since:

a. No practical system design will permit operation of these valves without adversely affecting the safety or operability of the plant,
b. The probability that the protection system will fail to initiate the actuated equipment is acceptably low due to testing up to final actuation, and
c. These valves are tested during refueling outages,

the guidelines of Section D.4 of Regulatory Guide 1.22 are met.
5. Closing the Feedwater Control Valves

These valves are routinely tested during refueling outages. To close them at power would adversely affect the operability of the plant. The verification of operability of feedwater control valves at power is assured by confirmation of proper operation of the steam generator water level system. The actual actuation function of the solenoids, which provides the closing function, is periodically tested at power as discussed in Section 7.3.2.2.5. The operability of the slave relay which actuates the solenoid, which is the actuating device, is verified during this test.

Although the actual closing of these control valves is blocked when the slave relay is tested, all functions are tested to assure that no electrical malfunctions have occurred which could defeat the protective function. It is noted that the solenoids work on the de-energize-to-actuate principle, so that the feedwater control valves will fail closed upon either the loss of electrical power to the solenoids or loss of air pressure.

Based on the above, the testing of the isolating function of feedwater control valves meets the guidelines of Section D.4 of Regulatory Guide 1.22.

6. Main Feedwater Pump Trip Solenoids

Main Feedwater Pump - No credit is taken in the analysis for tripping the main feedwater pumps, and therefore this function does not require periodic testing.

These functions are routinely tested during refueling outages.

7. Seal Water Return Valves (Close)

the possibility of valve chatter. Valve chatter would damage this relief valve.

Testing of these valves at power would cause equipment damage. Therefore, these valves will be tested during scheduled refueling outages. As above, additional containment penetrations and containment isolation valves introduce additional unnecessary potential pathways for radioactive release following a postulated accident. Thus, the guidelines of Section D.4 of Regulatory Guide 1.22 are met.

8. Charging Header to Cold Leg Isolation Valves (Open)

The opening of these valves during the test of the actuating protection channel would adversely affect the operability of the plant. The probability that the protection system will fail to open these valves is acceptably low due to testing up to final actuation and the valves are routinely tested during refueling outages.

9. Charging and Letdown Isolation Valves (Close)

The plant is designed for a limited number of letdown isolation thermal cycles, and exercising these valves during power operations can result in a thermal cycle to the charging path to the RCS. These valves are routinely tested during cold shutdowns and refueling outages.

10. Deleted by PKG FSC 07-MP3-024
11. CVCS Suction Valves - Normal (Close)

Actuating these valves in conjunction with RWST suction isolation injects a small amount of borated water from the RWST into the RCS, causing an increase in pressurizer level and possible outward rod motion. These valves are routinely tested during refueling outages. The probability that the protection system will fail to actuate these valves is acceptably low due to testing up to final actuation.

12. Instrument Air to Containment Isolation Valves (Close)

Allowing the valves to close puts the plant at risk of a loss of instrument air inside containment in the event that the valves do not reopen following testing. A loss of containment instrument air would disrupt RCS volume and pressure control systems and result in a letdown isolation. These valves are routinely tested during refueling outages. The probability that the protection system will fail to actuate these valves is acceptably low due to testing up to final actuation.

13. Chillwater Supply and Return Containment Isolation Valves (Close)

Two valves are closed during each slave relay test, one supply and one return in opposite headers. Although the two headers are cross connected during testing,

Specification Limit within a short period of time. Exceeding the Technical Specification Limit places the plant outside safety analysis assumptions for containment pressure, and requires operators to commence plant shutdown if pressure is not restored to within the limit within one hour. These valves are routinely tested during refueling outages. The probability that the protection system will fail to actuate these valves is acceptably low due to testing up to final actuation.

2.6 Conformance to Regulatory Guide 1.47

Refer to Sections 1.8 and 7.5.3.

2.7 Conformance to Regulatory Guide 1.53 and IEEE Standard 379-1972

The principles described in IEEE Standard 379-1972 were used in the design of the protection system. The system complies with the intent of this standard and the additional guidance of Regulatory Guide 1.53, although the formal analyses have not been documented exactly as outlined. Westinghouse has gone beyond the required analyses and has performed a fault tree analysis (WCAP-7706-L and WCAP-7706).

The referenced topical report provides details of the analyses of the protection systems previously made to show conformance with the single failure criterion set forth in Paragraph 4.2 of IEEE Standard 279-1971. The interpretation of the single failure criterion provided by IEEE Standard 379-1972 does not indicate substantial differences with the Westinghouse interpretation of the criterion except in the methods used to confirm design reliability. Established design criteria in conjunction with sound engineering practices form the bases for the Westinghouse protection systems. The reactor trip and engineered safeguards actuation systems are each redundant safety systems. The required periodic testing of these systems will disclose any failures or loss of redundancy which could have occurred in the interval between tests, thus ensuring the availability of these systems.

2.8 Conformance to Regulatory Guide 1.63

Compliance to Regulatory Guide 1.63 is described in Section 1.8.

2.9 Conformance to IEEE Standard 317-1972

Regulatory Guide 1.63 addresses IEEE Standard 317.

2.10 Conformance to IEEE Standard 336-1971

The quality assurance requirements for installing, inspecting, and testing of instrumentation and electric equipment conform to IEEE Standard 336-1971.

2.11 Conformance to IEEE Standard 338-1971

The periodic testing of the reactor trip system and engineered safety features actuation system conforms to the requirements of IEEE Standard 338-1971 with the following comments:

1. The surveillance requirements of the Technical Specifications for the protection system ensure that the system functional operability is maintained comparable to the original design standards. Periodic tests demonstrate this capability for the system.

Overall protection system response times are demonstrated by test. Sensors within the Westinghouse scope will be demonstrated adequate for this design by vendor testing, in-situ tests in operating plants with appropriately similar design, or by suitable type testing. The nuclear instrumentation system detectors are excluded from time response testing since they exhibit response time characteristics such that delays attributable to them are negligible in the overall channel response time required for safety. The reactor coolant pump speed sensors are exempt from time response testing since they will either operate with a short and predictable time response or fail in a safe direction, indicating lower than actual pump speed.

A periodic testing program exists to determine the time response of sensors which cause a reactor trip or the actuation of engineered safety features consistent with requirements given in the Technical Specifications and the Technical Requirements Manual. Time response testing of sensors (with the exception of neutron detectors and reactor coolant pump speed sensors) is performed per Technical Specifications section 4.3.1.2.

Each Reactor Trip System and Engineered Safety Features Actuation System response time test shall include at least one logic train such that both logic trains are tested at least once per 36 months and one channel per function such that all channels are tested at least once every (N times 18 months), where N is the total number of redundant channels in a specific protective function.

The measurement of response time at the specified time intervals provides assurance that the protective and engineered safety features action function associated with each channel is completed within the time limit assumed in the accident analyses.

2. The reliability goals specified in Paragraph 4.2 of IEEE Standard 338-1971 have been developed and serve as a basis for adequate time intervals for testing of the protection system.
3. The periodic test interval discussed in Paragraph 5.2, which is based on items outlined in Paragraph 4.3 of IEEE Standard 338-1971, is specified in the plant Technical Specifications. The initial test interval is conservatively selected to
4. The test interval discussed in Paragraph 5.2 of IEEE Standard 338-1971, is verified and/or corrected based on past operating experience and surveillance test results.

Test interval may be modified, if necessary, to assure that system and subsystem protection is reliably provided. If any protection channel fails to meet its acceptance criteria during periodic testing, actions are taken as required by the Technical Specifications. Analytic methods for determining reliability have been used to determine test interval.
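The staggered-test rule in comment 1 above (one logic train and one channel per function per test, both trains within 36 months, every channel within N times 18 months) is easy to state and easy to violate in a long schedule. The following checker is an added example, not a procedure from this report or from the plant: it builds a rotating plan and verifies both coverage constraints over the plan horizon. The function names, channel counts and the 18-month spacing between successive tests are constructed assumptions.

```python
"""Staggered response-time surveillance plan checker.

Added example (not from the FSAR or the plant's procedures). It models the
rule quoted above: each response-time test covers one logic train and one
channel per function, so that both trains are tested at least once per 36
months and every channel at least once per (N x 18) months, N being the number
of redundant channels in that function. The function list, channel counts and
the 18-month test spacing below are constructed assumptions.
"""

TEST_SPACING_MONTHS = 18      # assumed spacing between successive surveillance tests
TRAIN_LIMIT_MONTHS = 36       # from the text: each train at least once per 36 months
CHANNEL_INTERVAL_MONTHS = 18  # from the text: N x 18 months per channel


def build_plan(functions, n_tests, spacing=TEST_SPACING_MONTHS):
    """Rotate trains A/B and channel index (k mod N) at each test.

    functions: {function name: number of redundant channels N}
    Returns a list of tests, each {"month", "train", "channels": {function: channel}}.
    """
    plan = []
    for k in range(n_tests):
        plan.append({
            "month": k * spacing,
            "train": "A" if k % 2 == 0 else "B",
            "channels": {f: k % n for f, n in functions.items()},
        })
    return plan


def _max_gap(months, horizon):
    """Largest stretch without a test, counting from month 0 to the horizon end."""
    points = [0] + sorted(months) + [horizon]
    return max(b - a for a, b in zip(points, points[1:]))


def check_plan(plan, functions, spacing=TEST_SPACING_MONTHS):
    """Return a list of coverage violations (an empty list means the plan complies)."""
    if not plan:
        return ["empty plan"]
    horizon = max(t["month"] for t in plan) + spacing
    violations = []
    for train in ("A", "B"):
        gap = _max_gap([t["month"] for t in plan if t["train"] == train], horizon)
        if gap > TRAIN_LIMIT_MONTHS:
            violations.append(
                f"train {train}: {gap} months between tests exceeds {TRAIN_LIMIT_MONTHS}")
    for f, n in functions.items():
        limit = n * CHANNEL_INTERVAL_MONTHS
        for ch in range(n):
            gap = _max_gap([t["month"] for t in plan if t["channels"][f] == ch], horizon)
            if gap > limit:
                violations.append(
                    f"{f} channel {ch}: {gap} months between tests exceeds {limit}")
    return violations


# Constructed example: three protective functions with 4, 3 and 2 redundant channels.
EXAMPLE_FUNCTIONS = {
    "Pressurizer pressure - low": 4,
    "Steam generator water level - low-low": 3,
    "Intermediate range neutron flux": 2,
}

if __name__ == "__main__":
    plan = build_plan(EXAMPLE_FUNCTIONS, n_tests=8)
    for t in plan:
        print(t["month"], t["train"], t["channels"])
    print("violations:", check_plan(plan, EXAMPLE_FUNCTIONS))
```

The gap calculation counts from month 0 and up to one spacing past the last test, so a channel that is tested only at the start of the horizon and never again is flagged rather than hidden by the plan's end.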

Based on the scope definition given in IEEE Standard 338-1971, no other systems described in Chapter 7 are required to comply with this standard. Regulatory Guide 1.97 is discussed in the post-accident monitoring report.

3 REFERENCES FOR SECTION 7.1

1. WCAP-7706-L (Proprietary) and WCAP-7706, 1973, Gangloff, W.C. and Loftus, W.D., An Evaluation of Solid State Logic Reactor Protection in Anticipated Transients.

2. WCAP-8892-A (Non-Proprietary), June 1977, Siroky, R.M. and Marasco, F.W., Westinghouse 7300 Series Process Control System Noise Tests.

3. Letter from R. Tedesco, Nuclear Regulatory Commission, to C. Eicheldinger, Westinghouse, dated April 20, 1977.

TABLE 7.1-1 LISTING OF APPLICABLE CRITERIA

1. GENERAL DESIGN CRITERIA (GDC), APPENDIX A TO 10 CFR PART 50

Criteria | Title | Conformance Discussed in
GDC 1 | Quality Standards and Records | 3.1.2, 7
GDC 2 | Design Bases for Protection Against Natural Phenomena | 3.1.2, 3.10, 7.2.1.1.11
GDC 3 | Fire Protection | 3.1.2, 7.1.2.2.3
GDC 4 | Environmental and Missile Design Bases | 3.1.2, 7.2.2.2
GDC 5 | Sharing of Structures, Systems, and Components | 3.1.2
GDC 10 | Reactor Design | 3.1.2, 7.2.2.2
GDC 12 | Suppression of Reactor Power Oscillations | 3.1.2
GDC 13 | Instrumentation and Control | 3.1.2, 7.3.1, 7.3.2
GDC 15 | Reactor Coolant System Design | 3.1.2, 7.2.2.2
GDC 17 | Electric Power Systems | 3.1.2, 8.2.1
GDC 19 | Control Room | 3.1.2
GDC 20 | Protection System Functions | 3.1.2, 7.2.2.2, 7.3.1, 7.3.2
GDC 21 | Protection System Reliability and Testability | 3.1.2, 7.2.2.2, 7.3.1, 7.3.2
GDC 22 | Protection System Independence | 3.1.2, 7.1.2.2, 7.2.2.2, 7.3.1, 7.3.2
GDC 23 | Protection System Failure Modes | 3.1.2, 7.2.2.2, 7.3.1, 7.3.2
GDC 24 | Separation of Protection and Control Systems | 3.1.2, 7.2.2.2, 7.3.1, 7.3.2
GDC 25 | Protection System Requirements for Reactivity Control Malfunctions | 3.1.2, 7.3.2
GDC 26 | Reactivity Control System Redundancy and Capability | 3.1.2
GDC 27 | Combined Reactivity Control Systems Capability | 3.1.2, 7.3.1, 7.3.2
GDC 28 | Reactivity Limits | 3.1.2, 7.3.1, 7.3.2
GDC 29 | Protection Against Anticipated Operational Occurrences | 3.1.2, 7.2.2.2
GDC 33 | Reactor Coolant Makeup | 3.1.2
GDC 34 | Residual Heat Removal | 3.1.2
GDC 35 | Emergency Core Cooling | 3.1.2, 7.3.2
GDC 37 | Testing of Emergency Core Cooling System | 3.1.2, 7.3.2
GDC 38 | Containment Heat Removal | 3.1.2, 7.3.1, 7.3.2
GDC 40 | Testing of Containment Heat Removal System | 3.1.2, 7.3.2
GDC 41 | Containment Atmosphere Cleanup | 3.1.2, 8.3.1.1
GDC 43 | Testing of Containment Atmosphere Cleanup Systems | 3.1.2, 7.3.2
GDC 44 | Cooling Water | 3.1.2
GDC 46 | Testing of Cooling Water System | 3.1.2, 7.3.2
GDC 50 | Containment Design Basis | 3.1.2
GDC 54 | Piping Systems Penetrating Containment | 3.1.2
GDC 55 | Reactor Coolant Pressure Boundary Penetrating Containment | 3.1.2
GDC 56 | Primary Containment Isolation | 3.1.2
GDC 57 | Closed Systems Isolation Valves | 3.1.2

2. INSTITUTE OF ELECTRICAL AND ELECTRONIC ENGINEERS (IEEE) STANDARDS

Criteria | Title | Conformance Discussed in
IEEE Std 279-1971 (ANSI N42.7-1972) | Criteria for Protection Systems for Nuclear Power Generating Stations | 7.1, 7.2, 7.3, 7.6
IEEE Std 308-1971 | Criteria for Class 1E Electric Systems for Nuclear Power Generating Stations | 7.1.2.1.3
IEEE Std 317-1972 | Electric Penetration Assemblies in Containment Structures for Nuclear Power Generating Stations | 7.1.2.9
IEEE Std 323-1974 | IEEE Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations | 3.11, 1.8 (R.G. 1.89)
IEEE Std 334-1971 | Type Tests of Continuous-Duty Class I Motors Installed Inside the Containment of Nuclear Power Generating Stations | 1.8 (R.G. 1.40), 7.1.2.1.10
IEEE Std 336-1971 (ANSI N45.2.4-1972) | Installation, Inspection, and Testing Requirements for Instrumentation and Electric Equipment During the Construction of Nuclear Power Generating Stations | 7.1.2.10
IEEE Std 338-1971 | Criteria for the Periodic Testing of Nuclear Power Generating Station Protection Systems | 7.1.2.11, 1.8 (R.G. 1.118)
IEEE Std 344-1975 (ANSI N41.7) | Guide for Seismic Qualification of Class I Electrical Equipment for Nuclear Power Generating Stations | 3.10
IEEE Std 379-1972 (ANSI N41.2) | Guide for the Application of the Single Failure Criterion to Nuclear Power Generating Station Protection Systems | 7.1.2.7, 1.8 (R.G. 1.53)
IEEE Std 382-1972 | Type Test of Class I Electric Valve Operators | 1.8 (R.G. 1.73)
IEEE Std 384-1974 | Criteria for Separation of Class 1E Equipment and Circuits | 7.1.2.2.1, 1.8 (R.G. 1.75)

3. REGULATORY GUIDES (RG)

Criteria | Title | Conformance Discussed in
1.6 | Independence Between Redundant Standby (Onsite) Power Sources and Between Their Distribution Systems | Chapter 8
1.11 | Instrument Lines Penetrating Primary Reactor Containment | 1.8, 6.2.4
1.22 | Periodic Testing of Protection System Actuation Functions | 1.8, 7.1.2.5, 7.3.2.2.5, 7.2.2.2.3
1.29 | Seismic Design Classification | 1.8
1.30 | Quality Assurance Requirements for the Installation, Inspection, and Testing of Instrumentation and Electric Equipment | 1.8
1.32 | Use of IEEE Std 308-1971 Criteria for Class 1E Electric Systems for Nuclear Power Generating Stations | 1.8, 8.1.7, 8.3.2
1.47 | Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems | 1.8, 7.1.2.6, 7.5.3
1.53 | Application of the Single-Failure Criterion to Nuclear Power Plant Protection Systems | 7.1.2.7, 1.8
1.62 | Manual Initiation of Protection Actions | 1.8, 7.3.2.2.7
1.63 | Electric Penetration Assemblies in Containment Structures for Water-Cooled Nuclear Power Plants | 1.8
1.68 | Preoperational and Initial Startup Test Programs for Water-Cooled Power Reactors | 1.8, Chapter 14
1.70 Rev. 3 | Standard Format and Content of Safety Analysis Reports for Nuclear Power Plants | 1.8, Chapter 7
1.73 | Qualification Test of Electric Valve Operators Installed Inside the Containment | 1.8
1.75 | Physical Independence of Electric Systems | 1.8, 7.1.2.2.1
1.78 | Assumptions for Evaluating the Habitability of a Nuclear Power Plant Control Room During a Postulated Hazardous Chemical Release | 9.4.1.1, 6.4
1.89 | Qualification of Class 1E Equipment for Nuclear Power Plants | 1.8, 3.11
1.95 | Protection of Nuclear Power Plant Control Room Operators Against an Accidental Chlorine Release | 1.8
1.97 | Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant Conditions During and Following an Accident | 1.8, 7.5
1.100 | Seismic Qualification of Electric Equipment for Nuclear Power Plants | 1.8
1.105 | Instrument Spans and Setpoints | 1.8, 7.5.3
1.118 | Periodic Testing of Electric Power and Protection Systems | 1.8
1.120 | Fire Protection Guidelines for Nuclear Power Plants | 1.8

4. BRANCH TECHNICAL POSITIONS (BTP) EICSB

Criteria | Title | Conformance Discussed in
BTP ICSB 1 | Backfitting of the Protection and Emergency Power Systems of Nuclear Reactors | 7, 8
BTP ICSB 3 | Isolation of Low Pressure Systems from the High Pressure Reactor Coolant System | 7.6.2
BTP ICSB 4 | Requirements on Motor-Operated Valves in the ECCS Accumulator Lines | 7.6.4
BTP ICSB 5 | Scram Breaker Test Requirements - Technical Specifications | 7.2.2.2.3 (Item 10), Technical Specifications (Table 4.3-1, Items 21 and 18)
BTP ICSB 9 | Definition and Use of Channel Calibration - Technical Specifications | Table 4.3-1, Section 1, Definitions, in Technical Specifications
BTP ICSB 10 | Electrical and Mechanical Equipment Seismic Qualification Program | 3.10
BTP ICSB 12 | Protection System Trip Point Changes for Operation with Reactor Coolant Pumps Out of Service | 7.2.2.2.1
BTP ICSB 13 | Design Criteria for Auxiliary Feedwater Systems | 10.4.9
BTP ICSB 14 | Spurious Withdrawals of Single Control Rods in Pressurized Water Reactors | 7.7.2.2, 15.4.1, 15.4.2, 15.4.8
BTP ICSB 15 | Reactor Coolant Pump Breaker Qualification | 7.2.1.1.2 (4)
BTP ICSB 16 | Control Element Assembly (CEA) Interlocks in Combustion Engineering Reactors | Not Applicable
BTP ICSB 18 | Application of the Single-Failure Criteria to Manually Controlled Electrically Operated Valves | Tech. Spec. 16. 3/4.5
BTP ICSB 19 | Acceptability of Design Criteria for Hydrogen Mixing and Drywell Vacuum Relief Systems | Not Applicable
BTP ICSB 20 | Design of Instrumentation and Control Provided to Accomplish Changeover from Injection to Recirculation Mode | 6.3.2.2.2, Table 6.3-7
BTP ICSB 21 | Guidance for Application of Regulatory Guide 1.47 | 7.1.2.6
BTP ICSB 22 | Guidance for Application of Regulatory Guide 1.22 | 7.1.2.5
BTP ICSB 23 | Qualification of Safety Related Display Instrumentation for Post-Accident Conditions Monitoring and Safe Shutdown | 7.5
BTP ICSB 24 | Testing of Reactor Trip System and Engineered Safety Features Actuation System Sensor Response Time | 7.1.2.11
BTP ICSB 25 | Guidance for the Interpretation of General Design Criterion 37 for Testing the Operability of the Emergency Core Cooling System as a Whole | 3.1.2, 7.3.2
BTP ICSB 26 | Requirements for Reactor Protection System Anticipatory Trips | 7.2.1.1.2 (Item 6)
BTP ICSB 27 | Design Criteria for Thermal Overload Protection for Motors of Motor-Operated Valves | 8.3.1.1.4

FIGURE 7.1-1 SOLID STATE PROTECTION SYSTEM BLOCK DIAGRAM

FIGURE 7.1-2 REACTOR TRIP/ESF ACTUATION MECHANICAL LINKAGE FOR DUAL TRAIN SWITCHES

1 DESCRIPTION

1.1 System Description

The reactor trip system automatically keeps the reactor operating within a safe region by shutting down the reactor whenever the limits of the region are approached. The safe operating region is defined by several considerations such as mechanical/hydraulic limitations on equipment and heat transfer phenomena. Therefore, the reactor trip system keeps surveillance on process variables which are directly related to equipment mechanical limitations, such as pressure and pressurizer water level (to prevent water discharge through safety valves, and uncovering heaters), and also on variables which directly affect the heat transfer capability of the reactor (e.g., flow and reactor coolant temperatures). Still other parameters utilized in the reactor trip system are calculated from various process variables. In any event, whenever a direct process or calculated variable exceeds a setpoint, the reactor will be shut down in order to protect against either gross damage to fuel cladding or loss of system integrity which could lead to release of radioactive fission products into the containment.

The following systems and equipment make up the reactor trip system (WCAP-7913; WCAP-8255; WCAP-7488-L and WCAP-7672):

1. Process instrumentation and control system
2. Nuclear instrumentation system
3. Solid state logic protection system
4. Reactor trip switchgear
5. Manual actuation circuit

The reactor trip system consists of sensors which, when connected with analog circuitry consisting of two to four redundant channels, monitor various plant parameters, and digital circuitry, consisting of two redundant logic trains, which receives inputs from the analog protection channels as well as other digital inputs to complete the logic necessary to open the reactor trip breakers.

Each of the two trains, A and B, is capable of opening a separate and independent reactor trip breaker, RTA and RTB, respectively. The two trip breakers in series connect three phase AC power from the rod drive motor generator sets to the rod drive power cabinets, as shown on Figure 7.2-1, Sheet 2. During plant power operation, a DC undervoltage coil on each reactor trip breaker holds a trip plunger out against its spring, allowing the power to be available at the rod control power supply cabinets. For reactor trip, a loss of DC voltage to the undervoltage coil, as well as energization of the shunt trip coil, trips open the breaker. When either of the trip breakers opens, power is interrupted to the rod drive power supply, and the control rods fall, by gravity,

Breakers BYA and BYB are provided to permit testing of the trip breakers, as discussed in Section 7.2.2.2.3.

1.1.1 Functional Performance Requirements

The reactor trip system automatically initiates reactor trip:

1. Whenever necessary to prevent fuel damage for an anticipated operational transient (Condition II)
2. To limit core damage for infrequent faults (Condition III)
3. So that the energy generated in the core is compatible with the design provisions to protect the reactor coolant pressure boundary for limiting fault conditions (Condition IV)

The reactor trip system initiates a turbine trip signal whenever reactor trip is initiated, to prevent the reactivity insertion that would otherwise result from excessive reactor system cooldown and to avoid unnecessary actuation of the engineered safety features actuation system.

The reactor trip system provides for manual initiation of reactor trip by operator action.

1.1.2 Reactor Trips

The various reactor trip circuits automatically open the reactor trip breakers whenever a condition monitored by the reactor trip system reaches a preset level. To ensure a reliable system, high quality design, components, manufacturing quality control and testing are used. In addition to redundant channels and trains, the design approach provides a reactor trip system which monitors numerous system variables, therefore providing protection system functional diversity. The extent of this diversity has been evaluated for a wide variety of postulated accidents.

Table 7.2-1 provides a list of reactor trips, which are described below:

1. Nuclear Overpower Trips

The specific trip functions generated are as follows:

a. Power range high neutron flux trip

The power range high neutron flux trip circuit trips the reactor when two of the four power range channels exceed the trip setpoint.

There are two bistables, each with its own trip setting, used for a high and a low range trip setting. The high trip setting provides protection during

of the four power range channels read above approximately 10 percent power (P-10). Three out of the four channels below 10 percent power automatically reinstates the trip function. Refer to Table 7.2-2 for a listing of all protection system interlocks.

b. Intermediate range high neutron flux trip

The intermediate range high neutron flux trip circuit trips the reactor when one out of the two intermediate range channels exceeds the trip setpoint.

This trip, which provides protection during reactor startup, can be manually blocked if two out of four power range channels are above approximately 10 percent power (P-10). Three out of the four power range channels below this value automatically reinstates the intermediate range high neutron flux trip. The intermediate range channels (including detectors) are separate from the power range channels. The intermediate range channels can be individually bypassed at the nuclear instrumentation racks to permit channel testing during plant shutdown or prior to startup.

This bypass action is annunciated on the control board.

c. Source range high neutron flux trip

The source range high neutron flux trip circuit trips the reactor when one of the two source range channels exceeds the trip setpoint. This trip, which provides protection during reactor startup and plant shutdown, can be manually bypassed when one of the two intermediate range channels reads above the P-6 setpoint value and is automatically reinstated when both intermediate range channels decrease below the P-6 setpoint value. This trip is also automatically bypassed by two out of four logic from the power range protection interlock (P-10). This trip function can also be reinstated below P-10 by an administrative action requiring manual actuation of two control board mounted switches. Each switch will reinstate the trip function in one of the two protection logic trains. The source range trip point is set between the P-6 setpoint (source range cutoff power level) and the maximum source range power level. The channels can be individually bypassed at the nuclear instrumentation racks to permit channel testing during plant shutdown or prior to startup. This bypass action is annunciated on the control board.

d. Power range high positive neutron flux rate trip

This circuit trips the reactor when a sudden abnormal increase in nuclear power occurs in two out of four power range channels. This trip provides RCS overpressure protection for inadvertent RCCA withdrawal events and
e. Power range high negative neutron flux rate trip

This trip provided protection against the effects of two or more dropped control rods. Improved analysis techniques have shown the trip not to be required to provide a reactor trip function, and it is no longer included in the Technical Specifications. Rather than remove the trip, the trip setpoint has been increased sufficiently to prevent the trip from being actuated by most credible combinations of dropped control rods.

Figure 7.2-1, Sheet 3, shows the logic for all of the nuclear overpower and rate trips.
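The nuclear overpower trips above combine coincidence voting (2/4 power range, 1/2 intermediate and source range) with permissives whose blocks can only be set while the permissive exists and which are reinstated automatically when the plant comes back down, and the two-train breaker arrangement in Section 1.1 turns a train trip or a loss of DC into an open breaker. The model below is an added example written for this page; it is not Westinghouse or Millstone design code. The trip setpoints and the P-6 current are placeholder assumptions (the plant values are in the Technical Specifications and COLR); only the P-10 level of approximately 10 percent power, the coincidence logic and the block and reinstatement rules come from the text.

```python
"""Model of the nuclear overpower trip logic, its permissives and the two-train
trip breaker arrangement described above.

Added example, not Westinghouse or Millstone design code. The trip setpoints
and the P-6 current are placeholder assumptions (the plant values are in the
Technical Specifications/COLR); only the P-10 level (~10 percent power), the
coincidence logic and the block/reinstatement rules are taken from the text.
"""
from dataclasses import dataclass

PR_HIGH_SETPOINT_PCT = 109.0   # power range high flux, high setting (assumed)
PR_LOW_SETPOINT_PCT = 25.0     # power range high flux, low setting (assumed)
IR_SETPOINT_A = 1.0e-4         # intermediate range high flux, detector current (assumed)
SR_SETPOINT_CPS = 1.0e5        # source range high flux, counts per second (assumed)
P6_SETPOINT_A = 1.0e-10        # P-6 intermediate range current (assumed)
P10_PCT = 10.0                 # P-10, approximately 10 percent power (from the text)


def vote(flags, m):
    """m-of-n coincidence: True when at least m channel flags are set."""
    return sum(1 for f in flags if f) >= m


@dataclass
class Nis:
    power_range_pct: tuple   # four channels, percent RATED THERMAL POWER
    inter_range_a: tuple     # two channels, detector current (A)
    source_range_cps: tuple  # two channels, counts per second


@dataclass
class Permissives:
    """Manual blocks, honored only while the permissive exists, and
    automatically reinstated as the text describes."""
    pr_low_blocked: bool = False
    ir_blocked: bool = False
    sr_blocked: bool = False

    def p10(self, nis):        # 2/4 power range above ~10%
        return vote([p >= P10_PCT for p in nis.power_range_pct], 2)

    def p10_reset(self, nis):  # 3/4 power range below ~10%
        return vote([p < P10_PCT for p in nis.power_range_pct], 3)

    def p6(self, nis):         # 1/2 intermediate range above P-6
        return any(i >= P6_SETPOINT_A for i in nis.inter_range_a)

    def request_block(self, nis, which):
        """Operator block request; ignored when the permissive is absent."""
        if which in ("pr_low", "ir") and self.p10(nis):
            setattr(self, which + "_blocked", True)
        elif which == "sr" and self.p6(nis):
            self.sr_blocked = True
        return getattr(self, which + "_blocked")

    def reinstate_sr(self, switch_train_a, switch_train_b):
        """Below P-10 the SR trip is reinstated only by both control-board switches."""
        if switch_train_a and switch_train_b:
            self.sr_blocked = False

    def update(self, nis):
        if self.p10_reset(nis):          # 3/4 below P-10 reinstates PR-low and IR trips
            self.pr_low_blocked = False
            self.ir_blocked = False
        if all(i < P6_SETPOINT_A for i in nis.inter_range_a):  # both IR below P-6
            self.sr_blocked = False
        if self.p10(nis):                # 2/4 above P-10 automatically bypasses SR trip
            self.sr_blocked = True


def nuclear_overpower_trip(nis, perm):
    """Return the list of trip functions that are actuated (empty list: no trip)."""
    perm.update(nis)
    tripped = []
    pr = nis.power_range_pct
    if vote([p >= PR_HIGH_SETPOINT_PCT for p in pr], 2):
        tripped.append("PR high flux (high setting)")
    if not perm.pr_low_blocked and vote([p >= PR_LOW_SETPOINT_PCT for p in pr], 2):
        tripped.append("PR high flux (low setting)")
    if not perm.ir_blocked and any(i >= IR_SETPOINT_A for i in nis.inter_range_a):
        tripped.append("IR high flux")
    if not perm.sr_blocked and any(c >= SR_SETPOINT_CPS for c in nis.source_range_cps):
        tripped.append("SR high flux")
    return tripped


def rod_power_available(train_a_trip, train_b_trip, dc_a_ok=True, dc_b_ok=True):
    """Breakers RTA and RTB are in series; each opens when its train trips
    (undervoltage coil de-energized, shunt trip energized) or when DC to the
    undervoltage coil is lost. Rod drive power needs both breakers closed."""
    rta_closed = dc_a_ok and not train_a_trip
    rtb_closed = dc_b_ok and not train_b_trip
    return rta_closed and rtb_closed


if __name__ == "__main__":
    perm = Permissives()
    at_power = Nis((50.0, 50.0, 50.0, 50.0), (1.0e-3, 1.0e-3), (2.0e5, 0.0))
    perm.request_block(at_power, "pr_low")
    perm.request_block(at_power, "ir")
    print("at power:", nuclear_overpower_trip(at_power, perm))
    shutdown = Nis((2.0, 3.0, 2.0, 50.0), (2.0e-4, 1.0e-5), (2.0e5, 0.0))
    print("below P-10:", nuclear_overpower_trip(shutdown, perm))
```

The fail-safe direction is visible in rod_power_available: there is no input combination that keeps rod power available once a train has tripped or its DC supply is gone, which is the de-energize-to-trip property the breaker description relies on.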

2. Core Thermal Overpower Trips

The specific trip functions generated are as follows:
a. Overtemperature ΔT Trip

This trip protects the core against low DNBR and trips the reactor on coincidence as listed in Table 7.2-1, with one set of temperature measurements per loop. The setpoint for this trip is continuously calculated by analog circuitry for each loop by solving the following equation:

Overtemperature ΔT:

$$\Delta T \,\frac{1 + \tau_1 s}{1 + \tau_2 s} \le \Delta T_0 \left[ K_1 - K_2 \,\frac{1 + \tau_4 s}{1 + \tau_5 s}\,(T - T') + K_3 (P - P') - f_1(\Delta I) \right]$$

where:

ΔT is measured Reactor Coolant System ΔT, °F;
ΔT0 is loop specific indicated ΔT at RATED THERMAL POWER, °F;
(1 + τ1 s)/(1 + τ2 s) is the function generated by the lead-lag compensator on measured ΔT;
τ1 and τ2 are the time constants utilized in the lead-lag compensator for ΔT, τ1: [*] sec, τ2: [*] sec;
K1: [*];
K2: [*]/°F;
(1 + τ4 s)/(1 + τ5 s) is the function generated by the lead-lag compensator on measured Tavg;
τ4 and τ5 are the time constants utilized in the lead-lag compensator for Tavg, τ4: [*] sec, τ5: [*] sec;
τ7 is the time constant utilized in the lag compensator for the Thot filter, 4 sec;
T is measured Reactor Coolant System average temperature, °F;
T' is loop specific indicated Tavg at RATED THERMAL POWER, [*] °F;
K3: [*]/psi;
P is measured pressurizer pressure, psia;
P' is nominal pressurizer pressure, [*] psia;
s is the Laplace transform operator, sec^-1; and
f1(ΔI) is a function of the indicated difference between top and bottom detectors of the power range neutron ion chambers, with nominal gains to be selected based on measured instrument response during plant startup test calibrations such that:

1. For qt - qb between -[*]% and +[*]%, f1(ΔI) = 0, where qt and qb are percent RATED THERMAL POWER in the upper and lower halves of the core, respectively, and qt + qb is the total THERMAL POWER in percent RATED THERMAL POWER;
2. For each percent that the magnitude of qt - qb exceeds -[*]%, the ΔT Trip Setpoint shall be automatically reduced by [*]% of its value at RATED THERMAL POWER;
3. For each percent that the magnitude of qt - qb exceeds +[*]%, the ΔT Trip Setpoint shall be automatically reduced by [*]% of its value at RATED THERMAL POWER.

A separate long ion chamber unit supplies the flux signal for each overtemperature ΔT trip channel. Increases in ΔI beyond a pre-defined deadband result in a decrease in trip setpoint. Refer to Figure 7.2-2.

The required one pressurizer pressure parameter per loop is obtained from separate sensors connected to three pressure taps at the top of the pressurizer. Four pressurizer pressure signals are obtained from the three taps by connecting one of the taps to two pressure transmitters. Refer to Section 7.2.2.3.3 for an analysis of this arrangement.

Figure 7.2-1, Sheet 5, shows the logic for the overtemperature ΔT trip function.

(The values denoted with [*] are specified in the COLR.)

This trip protects against excessive power (fuel rod rating protection) and trips the reactor on coincidence as listed in Table 7.2-1, with one set of temperature measurements per loop. The setpoint for each channel is continuously calculated using the following equation:

Overpower ΔT:

$$\Delta T \,\frac{1 + \tau_1 s}{1 + \tau_2 s} \le \Delta T_0 \left[ K_4 - K_6 \,(T - T'') \right]$$

where:

ΔT is measured Reactor Coolant System ΔT, °F;
ΔT0 is loop specific indicated ΔT at RATED THERMAL POWER, °F;
(1 + τ1 s)/(1 + τ2 s) is the function generated by the lead-lag compensator on measured ΔT;
τ1 and τ2 are the time constants utilized in the lead-lag compensator for ΔT, τ1: [*] sec, τ2: [*] sec;
K4: [*];
τ7 is the time constant utilized in the lag compensator for the Thot filter, 4 sec;
T is measured Reactor Coolant System average temperature, °F;
T'' is loop specific indicated Tavg at RATED THERMAL POWER, [*] °F;
K6: [*]/°F when T > T'' and [*]/°F when T ≤ T'';
s is the Laplace transform operator, sec^-1.

(The values denoted with [*] are specified in the COLR.)

The source of temperature information is identical to that of the overtemperature ΔT trip, and the resultant ΔT setpoint is compared to the same ΔT. Figure 7.2-1, Sheet 5, shows the logic for this trip function.
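Both ΔT setpoint equations above are algebra on compensated signals: a lead-lag on measured ΔT, a lead-lag on Tavg, a lag on Thot, and an overpower term K6 that only acts above T''. The block below is an added example for this page, not plant or Westinghouse code, and it serves both the overtemperature and the overpower equations. It discretizes each compensator with the bilinear transform and runs a constructed Thot/Tcold/pressure transient through one channel. Every K, τ, T', T'', P' and f1(ΔI) value is an assumed placeholder for the COLR values the text marks [*]; f1 is modelled with a symmetric deadband and a single gain, and K6 below T'' is assumed to be zero, both of which are assumptions rather than values from the page.

```python
"""Discrete-time evaluation of the overtemperature and overpower ΔT setpoints
in the two equations above.

Added example, not plant or Westinghouse code. Every K, τ, T', T'', P' and
f1(ΔI) value below is an assumed placeholder standing in for the COLR values
the text marks [*]; the compensator forms (lead-lag on ΔT, lead-lag on Tavg,
lag on Thot) and the K6 switch at T'' follow the text. f1 uses a symmetric
deadband and one gain (assumption); K6 below T'' is assumed to be 0.
"""
from dataclasses import dataclass


class LeadLag:
    """(1 + tau_lead s)/(1 + tau_lag s), discretized with the bilinear (Tustin)
    transform; a pure lag is LeadLag(0.0, tau, dt). The filter starts at steady
    state (output equals input) on its first sample."""

    def __init__(self, tau_lead, tau_lag, dt):
        self.tl, self.tg, self.dt = tau_lead, tau_lag, dt
        self.x_prev = self.y_prev = None

    def step(self, x):
        dt, tl, tg = self.dt, self.tl, self.tg
        if self.x_prev is None:
            self.x_prev = self.y_prev = x
        # (dt+2tg) y[n] + (dt-2tg) y[n-1] = (dt+2tl) x[n] + (dt-2tl) x[n-1]
        y = ((dt + 2 * tl) * x + (dt - 2 * tl) * self.x_prev
             - (dt - 2 * tg) * self.y_prev) / (dt + 2 * tg)
        self.x_prev, self.y_prev = x, y
        return y


@dataclass
class Constants:
    """Assumed placeholders, not the COLR values."""
    dT0: float = 60.0      # loop indicated ΔT at RATED THERMAL POWER, °F
    K1: float = 1.10
    K2: float = 0.02       # per °F
    K3: float = 0.001      # per psi
    K4: float = 1.07
    K6: float = 0.002      # per °F, applied only when T > T''
    T1: float = 588.0      # T', indicated Tavg at rated power, °F
    T2: float = 588.0      # T'', °F
    P1: float = 2250.0     # P', nominal pressurizer pressure, psia
    tau1: float = 8.0      # ΔT lead, sec
    tau2: float = 3.0      # ΔT lag, sec
    tau4: float = 28.0     # Tavg lead, sec
    tau5: float = 4.0      # Tavg lag, sec
    tau7: float = 2.0      # Thot filter lag, sec
    deadband: float = 8.0  # f1(ΔI) deadband, percent ΔI (assumed)
    f1_gain: float = 0.02  # fraction of ΔT0 per percent outside the deadband (assumed)


def f1(delta_i, c):
    """Setpoint reduction for axial flux difference outside the deadband."""
    excess = abs(delta_i) - c.deadband
    return c.f1_gain * excess if excess > 0 else 0.0


def ot_setpoint(tavg_c, p, delta_i, c):
    """Overtemperature ΔT setpoint from compensated Tavg, pressure and ΔI."""
    return c.dT0 * (c.K1 - c.K2 * (tavg_c - c.T1) + c.K3 * (p - c.P1) - f1(delta_i, c))


def op_setpoint(tavg_c, c):
    """Overpower ΔT setpoint; the K6 term acts only above T''."""
    k6 = c.K6 if tavg_c > c.T2 else 0.0
    return c.dT0 * (c.K4 - k6 * (tavg_c - c.T2))


class DeltaTChannel:
    """One loop's channel: Thot filter, ΔT and Tavg compensators, both comparisons."""

    def __init__(self, c, dt=0.1):
        self.c = c
        self.thot_lag = LeadLag(0.0, c.tau7, dt)
        self.dT_ll = LeadLag(c.tau1, c.tau2, dt)
        self.tavg_ll = LeadLag(c.tau4, c.tau5, dt)

    def step(self, thot, tcold, p, delta_i):
        thot_f = self.thot_lag.step(thot)
        dT_c = self.dT_ll.step(thot_f - tcold)
        tavg_c = self.tavg_ll.step((thot_f + tcold) / 2.0)
        ot = ot_setpoint(tavg_c, p, delta_i, self.c)
        op = op_setpoint(tavg_c, self.c)
        return {"dT": dT_c, "ot_setpoint": ot, "op_setpoint": op,
                "ot_trip": dT_c > ot, "op_trip": dT_c > op}


def run_transient(c, samples):
    """Feed (thot, tcold, p, ΔI) samples through one channel; return the last result."""
    ch = DeltaTChannel(c)
    out = None
    for thot, tcold, p, di in samples:
        out = ch.step(thot, tcold, p, di)
    return out


if __name__ == "__main__":
    c = Constants()
    # Constructed transient: 1 s at rated conditions, then a 22 °F Thot step for 10 s.
    samples = [(618.0, 558.0, 2250.0, 0.0)] * 10 + [(640.0, 560.0, 2250.0, 0.0)] * 100
    print(run_transient(c, samples))
```

Because the ΔT lead-lag has a lead longer than its lag, a step in loop ΔT is amplified before it settles, which is what makes the trip anticipate the transient; the same pattern on Tavg drives the setpoint down early, so the two compensators work in the same direction during a heat-up.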

4. Reactor Coolant System Pressurizer Pressure and Water Level Trips

The specific trip functions generated are as follows:

a. Pressurizer low pressure trip

measured in the pressurizer. Above P-7 the reactor is tripped when the pressurizer pressure measurement falls below preset limits. This trip is blocked below P-7 to permit startup. The trip logic and interlocks are given in Table 7.2-1.

The trip logic is shown on Figure 7.2-1, Sheet 6.

b. Pressurizer high pressure trip The purpose of this trip is to protect the reactor coolant system against system overpressure.

The same sensors and transmitters used for the pressurizer low pressure trip are used for the high pressure trip except that separate bistables are used for trip. These bistables trip when uncompensated pressurizer pressure signals exceed preset limits on coincidence as listed in Table 7.2-1. There are no interlocks or permissives associated with this trip function.

The logic for this trip is shown on Figure 7.2-1, Sheet 6.

c. Pressurizer high water level trip This trip is provided as a backup to the pressurizer high pressure trip and serves to prevent water relief through the pressurizer safety valves. This trip is blocked below P-7 to permit startup. The coincidence logic and interlocks of pressurizer high water level signals are given in Table 7.2-1.

The trip logic for this function is shown on Figure 7.2-1, Sheet 6.

5. Reactor Coolant System Low Flow Trips These trips protect the core from DNB in the event of a loss of coolant flow situation. Figure 7.2-1, Sheet 5 shows the logic for these trips. The means of sensing the loss of coolant flow are as follows:
a. Low reactor coolant flow The parameter sensed is reactor coolant flow. Four elbow taps in each coolant loop are used as a flow device that indicates the status of reactor coolant flow. The basic function of this device is to provide information as to whether or not a reduction in flow has occurred. An output signal from two out of the three bistables in a loop would indicate a low flow in that loop.


b. Reactor coolant pump underspeed trip This function protects the reactor core from DNB in the event of loss of flow in more than one loop by tripping the reactor when the speeds on two out of the four reactor coolant pumps fall below the setpoints. Loss of flow in more than one loop could be caused by a voltage or frequency transient in the plant power supply such as would occur during a loss of offsite power, or by accidental opening of more than one RCP circuit breaker.

There is one speed detector mounted on each reactor coolant pump. The trip is blocked below P-7 to permit plant startup.

RCP speed is detected by a probe mounted on the reactor coolant pump frame. The speed signal is transmitted to the Process Instrumentation and Control System, which converts the signal to a bistable output to the solid state protection system to provide the trip logic function described above.

The RCP underspeed trip replaces the undervoltage and underfrequency reactor trips used previously. The principal reason for this change is to improve plant availability during voltage dip transients which do not result in violations of plant safety limits. The undervoltage trip setpoint was chosen to trip the reactor if the RCP motor pull out torque dropped below nominal due to low voltage. This event could cause a pump speed decrease and a consequent flow reduction. The basis for the undervoltage trip setpoint and time response was the demonstration of acceptable results for the complete loss of flow accident. Transient voltage reductions below the undervoltage trip setpoint followed by subsequent voltage recovery could result in an undervoltage reactor trip even though pump speed and flow reductions would not violate safety limits.

The RCP underspeed trip provides a more direct measurement of the parameter of interest, and will permit the plant to ride through many postulated voltage dip transients without reactor trip if safety limits are not violated. Selection of the underspeed trip setpoint and time response provide for the timely initiation of reactor trip during the complete loss of flow accident and the limiting frequency decay event, consistent with the analysis results reported in Chapter 15.

The logic for this trip is shown on Figure 7.2-1, Sheet 5. The development of P-7 is shown on Figure 7.2-1, Sheet 4.

The capability for sensor checks and for test and calibration of the RCP underspeed trip is in accordance with Sections 4.9 and 4.10 of IEEE-279-1971.


complete loss of flow accident and the limiting frequency decay event) in an environment (i.e., temperature, humidity, pressure, chemical, and radiation) no more severe than the environment in which they are required to perform their normal function. Therefore, it is not necessary to impose environmental qualification requirements on these detectors that are more restrictive than those imposed for use under rated conditions. The RCP speed detectors will be qualified for use under rated conditions with their performance verified by actual on-line operation in the plant. The RCP speed detectors will also require qualification to the worst vibrations to which they could be subjected and required to operate.

6. Steam Generator Low-Low Level Trip This trip protects the reactor from loss of heat sink. This trip is actuated on two out of four low-low water level signals occurring in any steam generator.

The logic is shown on Figure 7.2-1, Sheet 7.

7. Reactor Trip on a Turbine Trip (anticipatory)

The reactor trip on a turbine trip is actuated by two out of three logic from emergency trip fluid pressure signals or by all closed signals from the turbine steam stop valves. A turbine trip causes a direct reactor trip above P-9. Below P-9 the turbine trip to reactor trip signal is blocked. The reactor trip on turbine trip provides additional protection and conservatism beyond that required for the health and safety of the public. This trip is included as part of good engineering practice and prudent design. No credit is taken in any of the safety analyses (Chapter 15) for this trip.

The turbine provides anticipatory trips to the reactor protection system from contacts which change position when the turbine stop valves close or when the turbine emergency trip fluid pressure goes below its setpoint. Digital isolators (Section 7.2.1.1.8) have been used to isolate these contacts from the reactor protection system cabinets which receive the inputs from these contacts.

One of the design bases considered in the protection system is the possibility of an earthquake. With respect to these contacts, their functioning is unrelated to a seismic event in that they are anticipatory to other diverse parameters which cause reactor trip. The contacts are shut during plant operation and open to cause reactor trip when the turbine is tripped. No power is provided to the protection system from the contacts; they merely serve to interrupt power to cause reactor trip. This design functions in a deenergize-to-trip fashion to cause a plant trip if power is interrupted in the trip circuitry. This ensures that the protection system will in no way be degraded by this anticipatory trip because seismic design considerations do

sensors are, of course, seismically qualified as discussed in Section 3.10.) The anticipatory trips thus meet IEEE-279-1971 and BTP ICSB-26, including redundancy, separation, single failure, etc. Seismic qualification of the contact sensors is not required.

The logic for this trip is shown on Figure 7.2-1, Sheet 16.

8. Safety Injection Signal Actuation Trip A reactor trip occurs when a safety injection signal is initiated. The means of actuating the safety injection system are described in Section 7.3. This trip protects the core against a pipe rupture in the secondary system, an inadvertent secondary system depressurization, an inadvertent operation of the ECCS during power operations, or any other accident which results in a safety injection signal before a reactor trip is generated by the reactor trip system.

Figure 7.2-1, Sheet 8, shows the logic for this trip.

9. Manual Trip The manual trip consists of two switches. Each trip switch actuates the undervoltage and shunt trip attachments of the Train A and Train B reactor trip breakers and, when one of them is racked-in for surveillance testing, the Train A or Train B reactor trip bypass breakers.

There are no interlocks which can block this trip. Figure 7.2-1, Sheet 3, shows the manual trip logic. The design conforms to Regulatory Guide 1.62, as shown on Figure 7.1-1.

7.2.1.1.3 Reactor Trip System Interlocks

1. Power Escalation Permissives The overpower protection provided by the out of core nuclear instrumentation consists of three discrete, but overlapping ranges. Continuation of startup operation or power increase requires a permissive signal from the higher range instrumentation channels before the lower range level trips can be manually blocked by the operator.

One of two intermediate range permissive signals (P-6) is required prior to source range trip blocking and detector high voltage cutoff. Source range trips are automatically reactivated and high voltage restored when both intermediate range channels are below the permissive (P-6) setpoint. There are two manual reset switches for administratively reactivating the source range level trip and detector

above the permissive P-10 setpoint.

The intermediate range level trip and power range (low setpoint) trip can only be blocked after satisfactory operation and permissive information are obtained from two of four power range channels. Four individual blocking switches are provided so that the low range power range trip and intermediate range trip can be independently blocked (one switch for each train). These trips are automatically reactivated when any three of the four power range channels are below the permissive (P-10) setpoint, thus ensuring automatic activation to more restrictive trip protection.

The development of permissives P-6 and P-10 is shown on Figure 7.2-1, Sheet 4.

Both of the permissives are digital; they are derived from analog signals in the nuclear power range and intermediate range channels.

2. Blocks of Reactor Trips at Low Power Interlock P-7 blocks a reactor trip at low power (below approximately 10 percent of full power) on a low reactor coolant flow in more than one loop, reactor coolant pump underspeed, pressurizer low pressure, and pressurizer high water level. See Figure 7.2-1, Sheets 5, 6, and 16, for permissive applications. The low power signal is derived from three out of four power range neutron flux signals below the setpoint in coincidence with two out of two turbine impulse chamber pressure signals below the setpoint (low plant load). See Figure 7.2-1, Sheets 4 and 16, for the derivation of P-7.

The P-8 interlock blocks a reactor trip when the plant is below the P-8 setpoint listed in Technical Specifications Table 2.2-1, on a low reactor coolant flow in any one loop. The block action (absence of the P-8 interlock signal) occurs when three out of four neutron flux power range signals are below the setpoint. Thus, below the P-8 setpoint, the reactor has the capability to operate with one inactive loop and trip will not occur until two loops are indicating low flow. See Figure 7.2-1, Sheet 4, for derivation of P-8, and Sheet 5 for applicable logic.

The P-9 interlock blocks a reactor trip when the plant is below 51 percent of full power, on a turbine trip. The block action (absence of the P-9 interlock signal) occurs when three out of four neutron flux power range signals are below the setpoint. See Figure 7.2-1, Sheet 4, for the derivation of P-9 and Sheet 16 for applicable logic.

See Table 7.2-2 for the list of protection system blocks.
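As an added illustration of the coincidence and interlock logic described above (not part of the FSAR), the following Python model votes bistable outputs m-out-of-n, derives P-7, P-8 and P-9 as described, applies the low-power blocks, and treats a deenergized trip channel as a trip vote (loss of input power calls for a trip). The 2-of-4 coincidence for the pressurizer pressure trips and the placeholder P-7 and P-8 power levels are assumptions; the governing values are in Table 7.2-1 and Technical Specifications Table 2.2-1, which are not on this page.

```python
"""Constructed model of reactor trip coincidence voting and the P-7/P-8/P-9
interlock blocks. Channel counts are taken from the surrounding text where it
gives them (4 power-range channels, 2 impulse pressure channels, 3 flow
bistables per loop, 4 RCPs, 3 trip fluid pressure channels); the 2-of-4
pressurizer pressure coincidence and the P-7/P-8 power levels are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Sequence

# A bistable output: True = abnormal (demanding action), False = normal,
# None = channel deenergized. Loss of input power is the most likely failure,
# so a deenergized trip channel is counted as a vote for trip (fail-safe).
Bistable = Optional[bool]


def coincidence(m: int, channels: Sequence[Bistable]) -> bool:
    """m-out-of-n voting; a deenergized channel counts as a vote."""
    return sum(1 for c in channels if c is None or c) >= m


@dataclass
class Inputs:
    # Permissive-derivation bistables (True = below the named setpoint).
    flux_below_p7: List[bool]       # 4 power-range channels, ~10 percent power
    impulse_below_p7: List[bool]    # 2 turbine impulse chamber pressure channels
    flux_below_p8: List[bool]       # 4 power-range channels
    flux_below_p9: List[bool]       # 4 power-range channels, 51 percent power
    # Trip bistables (True = abnormal), all normal by default.
    loop_low_flow: List[List[Bistable]] = field(
        default_factory=lambda: [[False] * 3 for _ in range(4)])  # 4 loops x 3
    rcp_underspeed: List[Bistable] = field(default_factory=lambda: [False] * 4)
    przr_low_pressure: List[Bistable] = field(default_factory=lambda: [False] * 4)
    przr_high_pressure: List[Bistable] = field(default_factory=lambda: [False] * 4)
    turbine_trip: List[Bistable] = field(default_factory=lambda: [False] * 3)


def at_power(pct: float) -> Inputs:
    """Inputs for a plant at `pct` percent power with every trip channel normal.
    P-7 and P-8 levels (10 and 30 percent) are placeholders; P-9 is 51 percent."""
    low7, low8, low9 = pct < 10.0, pct < 30.0, pct < 51.0
    return Inputs([low7] * 4, [low7] * 2, [low8] * 4, [low9] * 4)


def permissives(x: Inputs) -> dict:
    """Permissive present (True) means the power-dependent trips are enabled;
    the block is the absence of the permissive."""
    low_power = (coincidence(3, x.flux_below_p7)
                 and coincidence(2, x.impulse_below_p7))   # 3/4 flux AND 2/2 impulse
    return {"P-7": not low_power,
            "P-8": not coincidence(3, x.flux_below_p8),     # 3/4 flux below P-8
            "P-9": not coincidence(3, x.flux_below_p9)}     # 3/4 flux below P-9


def trip_demands(x: Inputs) -> dict:
    """Each trip function after its coincidence logic and interlock."""
    p = permissives(x)
    low_loops = sum(coincidence(2, loop) for loop in x.loop_low_flow)  # 2/3 per loop
    return {
        "low flow in one loop": low_loops == 1 and p["P-8"],
        "low flow in two or more loops": low_loops >= 2 and p["P-7"],
        "RCP underspeed": coincidence(2, x.rcp_underspeed) and p["P-7"],   # 2/4 pumps
        "pressurizer low pressure": coincidence(2, x.przr_low_pressure) and p["P-7"],
        "pressurizer high pressure": coincidence(2, x.przr_high_pressure),  # no interlock
        "turbine trip": coincidence(2, x.turbine_trip) and p["P-9"],        # 2/3
    }


def reactor_trip(x: Inputs) -> bool:
    return any(trip_demands(x).values())


if __name__ == "__main__":
    demo = at_power(100.0)
    demo.loop_low_flow[0] = [True, None, False]   # one tripped, one deenergized
    for name, demanded in trip_demands(demo).items():
        print(f"{name:32s} {'TRIP' if demanded else '-'}")
```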


The individual narrow range hot and cold leg temperature signals required for input to the reactor circuits and interlocks are obtained using RTDs installed in each reactor coolant loop.

The hot leg temperature measurement on each loop is accomplished with three fast-response, narrow-range, single-element RTDs mounted in thermowells, spatially located approximately 120° around the hot leg. One wide range RTD is installed in each hot leg. One fast response, narrow range, dual element RTD is located in each cold leg at the discharge of the reactor coolant pump. One wide range RTD is installed in each cold leg. Temperature streaming in the cold leg is minimized due to the mixing action of the RCP; hence, only one narrow range cold leg RTD is required.

The narrow range cold leg temperature measurement, together with the average obtained from the three narrow range hot leg temperatures, is used to calculate reactor coolant loop delta-T and Tavg which are used in the reactor control and protection system.

7.2.1.1.5 Pressurizer Water Level Reference Leg Arrangement

The design of the pressurizer water level instrumentation employs a tank level arrangement using differential pressure between an upper and a lower tap on a column of water. A reference leg connected to the upper tap is kept full of water by condensation of steam at the top of the leg.

7.2.1.1.6 Analog System

The analog system consists of two instrumentation systems; the process instrumentation system and the nuclear instrumentation system.

Process instrumentation includes those devices (and their interconnection into systems) which measure temperature, pressure, fluid flow, fluid level as in tanks or vessels, and occasional physiochemical parameters such as fluid conductivity or chemical concentration. Process instrumentation specifically excludes nuclear and radiation measurements. The process instrumentation includes the process measuring devices, power supplies, indicators, recorders, alarm actuating devices, controllers, signal conditioning devices, etc., which are necessary for day-to-day operation of the nuclear steam supply system (NSSS) as well as for monitoring the plant and providing initiation of protective functions upon approach to unsafe plant conditions.

The primary function of nuclear instrumentation is to protect the reactor by monitoring the neutron flux and generating appropriate trips and alarms for various phases of reactor operating and shutdown conditions. It also provides a secondary control function and indicates reactor status during startup and power operation. The nuclear instrumentation system (NIS) uses information from three separate types of instrumentation channels to provide three discrete protection levels. Each range of instrumentation (source, intermediate, and power) provides the necessary overpower reactor trip protection required during operation in that range. The overlap of instrument ranges provides reliable continuous protection beginning with source level through the intermediate and low power level. As the reactor power increases, the overpower protection

reducing power.

Various types of neutron detectors, with appropriate solid-state electronic circuitry, are used to monitor the leakage neutron flux from a completely shutdown condition to 120 percent of full power. The power range channels are capable of recording overpower excursions up to 200 percent of full power. The neutron flux covers a wide range between these extremes.

The nuclear instrumentation providing reactor trip functions utilizes multiple-range detectors (i.e., detectors to monitor source range, compensated ion chambers for intermediate range, and uncompensated ion chambers for power range). Compliance to requirements of Regulatory Guide 1.97, Revision 2, (post-accident) and Appendix R to 10 CFR 50 (safe shutdown instrumentation) is achieved through the use of dual-redundant channels of extended range fission chambers capable of monitoring twelve decades of reactor power. The extended range fission chambers provide input to shutdown monitors which detect and annunciate a loss of shutdown margin, such as inadvertent boron dilution during shutdown or refueling. The extended range fission chambers do not interface with the solid state protection system described in Section 7.2.1.1.7.

The lowest range (source range) covers six decades of leakage neutron flux. The lowest observed count rate depends on the strength of the neutron sources in the core and the core multiplication associated with the shutdown reactivity. This is generally greater than two counts per second. The next range (intermediate range) covers eight decades. Detectors and instrumentation are chosen to provide overlap between the higher portion of the source range and the lower portion of the intermediate range. The highest range of instrumentation (power range) covers approximately two decades of the total instrumentation range. This is a linear range that overlaps with the higher portion of the intermediate range.

The system described above provides control room indication and recording of signals proportional to reactor neutron flux during core loading, shutdown, startup and power operation, as well as during subsequent refueling. Start-up-rate indication for the source and intermediate range channels is provided at the control board. Reactor trip, rod stop, control and alarm signals are transmitted to the reactor control and protection system for automatic plant control.

Equipment failures and test status information are annunciated in the control room. See WCAP-7913 and WCAP-8255 for additional background information on the process and nuclear instrumentation.

7.2.1.1.7 Solid State Logic Protection System

The solid state logic protection system takes binary inputs (voltage/no voltage) from the process and nuclear instrument channels corresponding to conditions (normal/abnormal) of plant parameters. The system combines these signals in the required logic combination and generates a trip signal by interrupting voltage to the undervoltage trip attachments and by supplying voltage to the shunt trip auxiliary relay coils of the reactor trip breakers when the necessary combination of signals occur. The system also provides annunciator, status light and computer input signals which indicate the condition of bistable input signals, partial trip and full trip functions and the

(WCAP-7672).

7.2.1.1.8 Isolators

Analog Isolators

In certain applications, Westinghouse considers it advantageous to employ control signals derived from individual protection channels through isolation amplifiers contained in the protection channel, as permitted by IEEE Standard 279-1971.

In all of these cases, analog signals derived from protection channels for non-protective functions are obtained through isolation amplifiers located in the analog protection racks. By definition, non-protective functions include those signals used for control, remote process indication, and computer monitoring. Refer to Section 7.1.2.2.1 for discussion of electrical separation of control and protection functions.

Digital Isolators

Digital isolators provide separation between safety and non safety related control circuits. They are located in the process instrumentation and control system, the nuclear instrumentation system, and the solid state protection system. The isolators meet all the requirements of Regulatory Guides 1.75 and 1.89 for Class IE isolation devices.

Isolator cabinets are located in various places throughout the plant and provide an interface between Class IE equipment and Non-Class IE equipment. All the wiring and devices in the isolator cabinets associated with Class IE equipment are separated from those associated with Non-Class IE equipment by a barrier panel so that any credible failure of Non-Class IE equipment will not prevent the proper functioning of the Class IE system. The isolators consist of a coil on one side of the barrier and a magnetically operated reed switch on the other side.

7.2.1.1.9 Energy Supply and Environmental Variations

The energy supply for the reactor trip system, including the voltage and frequency variations, is described in Section 7.6 and Chapter 8. The environmental variations, throughout which the system performs, are given in Section 3.11 and Chapter 8.

7.2.1.1.10 Setpoints

The setpoints that require trip action are given in the Technical Specifications. A detailed discussion on setpoints is found in Section 7.1.2.1.9.


The seismic design considerations for the reactor trip system are given in Section 3.10. This design meets the requirements of Criterion 2 of the 1971 General Design Criteria (GDC).

7.2.1.2 Design Bases Information

The information given below presents the design bases information requested by Section 3 of IEEE Standard 279-1971. Functional logic diagrams are presented on Figure 7.2-1.

7.2.1.2.1 Generating Station Conditions

The reactor trip system limits the generating station conditions to:

1. DNBR not less than the safety analysis limits (see Section 4.4).
2. Power density (kilowatts per foot) not greater than the rated value for Condition II faults (see Section 4.1).
3. Reactor coolant system overpressure creating stresses approaching the limits specified in Chapter 5.

7.2.1.2.2 Generating Station Variables

The following are the variables and conditions required to be monitored in order to provide reactor trips (Table 7.2-1):

1. Neutron flux.
2. Reactor coolant temperature.
3. Reactor coolant system pressure (pressurizer pressure).
4. Pressurizer water level.
5. Reactor coolant flow.
6. Reactor coolant pump operational status (shaft speed).
7. Steam generator water level.
8. Turbine-generator operational status (trip fluid pressure and stop valve position).
9. Automatic safety injection signals.
10. Manual reactor trips.


12. SSPS N-1 misalignment.

N-1 operation is no longer within the Millstone Unit 3 Design Bases. Previously installed SSPS equipment to support N-1 operation still exists within the plant.

Therefore, the misalignment SSPS N-1 reactor trip has been maintained and remains operational should the selector switches be inadvertently actuated.

7.2.1.2.3 Spatially Dependent Variables

1. The measurement of reactor coolant hot leg temperature has significant spatial dependence. The effect on the measurement is limited by taking three temperature measurements spaced approximately 120° apart around the hot leg.
2. Reactor core power exhibits a spatial dependence across the plane of the core (i.e., radial power distribution) as well as along the length of the core (i.e., axial power distribution). The core safety limits, for which the Overpower and Overtemperature ΔT reactor trips provide protection, are developed assuming a reference core power distribution. A compensating term, f1(ΔI), is then added to the Overtemperature ΔT reactor trip to account for axial core power distributions more severe than the reference core power distribution. Upper and lower sections of each power range neutron flux channel provide the measurements required to synthesize the f1(ΔI) function.

7.2.1.2.4 Limits, Margins, and Setpoints

The parameter values that would require reactor trip are given in the Technical Specifications, the Core Operating Limits Report (COLR) and in Chapter 15, Accident Analyses. Chapter 15 proves the setpoints used in the Technical Specifications are conservative.

The setpoints for the various functions in the reactor trip system have been analytically determined such that the operational limits so prescribed will prevent fuel clad damage and loss of integrity of the reactor coolant system as a result of any ANS Condition II incident (anticipated malfunction). As such, during any ANS Condition II incident, the reactor trip system limits the following parameters to:

1. DNBR not less than the safety analysis limits (see Section 4.4)
2. Maximum system pressure not greater than 2750 psia
3. Fuel rod maximum linear power not greater than the design limit (see Section 4.1)

The accident analyses described in Chapter 15 demonstrate that the functional requirements as specified for the reactor trip system are adequate to meet the above considerations, even when assuming, for conservatism, adverse combinations of instrument errors (Table 15.3-1). A

7.2.1.2.5 Abnormal Events

The malfunctions, accidents or other unusual events which could physically damage reactor trip system components or could cause environmental changes are as follows:

1. Earthquakes (Chapters 2 and 3)
2. Fire (Section 9.5)
3. Explosion (hydrogen buildup inside containment) (Section 6.2)
4. Missiles (Section 3.5)
5. Flood (Chapters 2 and 3)
6. Wind and tornadoes (Section 3.3)

The reactor trip system fulfills the requirements of IEEE Standard 279-1971 to provide automatic protection and to provide initiating signals to mitigate the consequences of faulted conditions. The reactor trip system relies upon provisions made by the owner and operator of the plant to provide protection against destruction of the system from fires, explosions, missiles, floods, wind, and tornadoes (see each item above).

7.2.1.2.6 Minimum Performance Requirements

1. Reactor trip system response times Reactor trip system response time is defined in Section 7.1. Maximum allowable time delays in generating the reactor trip signal are tabulated in Table 7.2-3. (See Section 7.1.2.11 for a discussion of periodic response time verification capabilities.)
2. Reactor trip accuracies Accuracy is defined in Section 7.1. Reactor trip accuracies are tabulated in Table 7.2-3. An additional discussion on accuracy is found in Section 7.1.2.1.9.
3. Reactor trip system ranges Reactor trip system ranges are tabulated in Table 7.2-3. Range selection for the instrumentation covers the expected range of the process variable being monitored during power operation. Reactor trip setpoints are at least 5 percent from the end of the instrument span.


Functional block diagrams, electrical elementaries and other drawings required to assure electrical separation and perform a safety review are provided in the safety related drawing package (Section 1.7).

7.2.2 ANALYSES

7.2.2.1 Failure Mode and Effects Analyses

An analysis of the reactor trip system has been performed. Results of this study and a fault tree analysis are presented in WCAP-7706-L and WCAP-7706.

7.2.2.2 Evaluation of Design Limits

While most setpoints used in the reactor protection system are fixed, there are variable setpoints, most notably the overtemperature ΔT and overpower ΔT setpoints. All setpoints in the reactor trip system have been selected on the basis of engineering design or safety studies. The capability of the reactor trip system to prevent loss of integrity of the fuel cladding and/or reactor coolant system pressure boundary during Condition II and III transients is demonstrated in Chapter 15.

These accident analyses are carried out using those setpoints determined from results of the engineering design studies. Setpoint limits are presented in the Technical Specifications and the COLR. A discussion of the intent for each of the various reactor trips and the accident analyses (where appropriate) which utilizes this trip is presented below. It should be noted that the selected trip setpoints all provide for margin before protection action is actually required to allow for instrument and process uncertainties. The design meets the requirements of Criteria 10 and 20 of the 1971 GDC.

7.2.2.2.1 Trip Setpoint Discussion

As discussed in Section 4.4, the departure from nucleate boiling (DNB) design basis is that there will be at least a 95 percent probability (at a 95 percent confidence level) that DNB will not occur due to Condition I and II events. If the DNBR were to decrease below the safety analysis limits during these events, the probability of local fuel cladding failure would be unacceptable. The DNBR existing at any point in the core for a given core design can be determined as a function of the core inlet temperature, power output, operating pressure and flow. Consequently, core safety limits which are based on the DNBR safety limits (see Section 4.4) are developed as a function of ΔT, Tavg and pressure, for a specified flow as illustrated by the solid lines on Figure 15.0-1.

Also shown as a dashed line on Figure 15.0-1 are the loci of conditions equivalent to 121 percent of power as a function of ΔT and Tavg representing the overpower (kW/ft) limit on the fuel (see Chapter 4). The dashed lines indicate the maximum permissible setpoint (ΔT) as a function of Tavg and pressure for the overtemperature and overpower reactor trip. Actual setpoint constants in the equation representing the dashed lines are as given in the COLR. These values are conservative to allow for instrument errors. The design meets the requirements of Criteria 10, 15, and 29, of the 1971 GDC.


individually result in violation of a core safety limit; whereas the combined variations, over sufficient time, may cause the overpower or overtemperature safety limit to be exceeded. The design concept of the reactor trip system takes cognizance of this situation by providing reactor trips associated with individual process variables in addition to the overpower/overtemperature safety limit trips. Process variable trips prevent reactor operation whenever a change in the monitored value is such that a core or system safety limit is in danger of being exceeded should operation continue. Basically, the high pressure, low pressure and overpower/overtemperature ΔT trips provide sufficient protection for slow transients as opposed to such trips as low flow or high flux which will trip the reactor for rapid changes in flow or flux, respectively, that would result in fuel damage before actuation of the slower responding ΔT trips could be effected.

Therefore, the reactor trip system has been designed to provide protection for fuel cladding and reactor coolant system pressure boundary integrity where:

1. A rapid change in a single variable or factor will quickly result in exceeding a core or a system safety limit.
2. A slow change in one or more variables will have an integrated effect which will cause safety limits to be exceeded.

Overall, the reactor trip system offers diverse and comprehensive protection against fuel cladding failure and/or loss of reactor coolant system integrity for Condition II and III accidents. This is demonstrated by Table 7.2-4 which lists the various trips of the reactor trip system, the corresponding technical specification on safety limits and safety system settings and the appropriate accident discussed in the safety analyses in which the trip could be utilized.

The resetting of the reactor trip system instrumentation setpoints as listed in the Technical Specifications will be carried out under prescribed administrative procedures, under the direction of authorized supervision, and with the plant conditions prescribed in Section 3.4.1.1 of the Technical Specifications.

The RTS design meets the requirements of Criterion 21 of the 1971 GDC.

Preoperational testing is performed on reactor trip system components and systems to determine equipment readiness for startup. This testing serves as a further evaluation of the system design.

Analyses of the results of Condition I, II, III, and IV events, including considerations of instrumentation installed to mitigate their consequences, are presented in Chapter 15. The instrumentation installed to mitigate the consequences of load rejection and turbine trip is given in Section 7.4.


The elbow taps used on each loop in the primary coolant system are instrument devices that indicate the status of the reactor coolant flow. The basic function of this device is to provide information as to whether or not a reduction in flow has occurred. The correlation between flow and elbow tap signal is given by the following equation:

$$\frac{\Delta P}{\Delta P_o} = \left( \frac{W}{W_o} \right)^2 \qquad (7.2\text{-}3)$$

where ΔPo is the pressure differential at the reference flow Wo, and ΔP is the pressure differential at the corresponding flow, W. The full flow reference point is established during initial plant startup. The low flow trip point is then established by extrapolating along the correlation curve.

The expected absolute accuracy of the channel is within +/- 10 percent of full flow and field results have shown the repeatability of the trip point to be within +/- 1 percent.

7.2.2.3 Evaluation of Compliance to Applicable Codes and Standards

The reactor trip system meets the criteria of the general design criteria as indicated. The reactor trip system meets the requirements of Section 4 of IEEE Standard 279-1971, as indicated below:

1. General Functional Requirement The protection system automatically initiates appropriate protective action whenever a condition monitored by the system reaches a preset level. Functional performance requirements are given in Section 7.2.1.1.1. Section 7.2.1.2.4 presents a discussion of limits, margins and levels; Section 7.2.1.2.5 discusses abnormal events; and Section 7.2.1.2.6 presents minimum performance requirements.
2. Single Failure Criterion The protection system is designed to provide two, three, or four instrumentation channels for each protective function and two logic train circuits. These redundant channels and trains are electrically isolated and physically separated. Thus, any single failure within a channel or train does not prevent protective action at the system level when required. Loss of input power, the most likely mode of failure, to a channel or logic train, will result in a signal calling for a trip. This design meets the requirements of Criterion 23 of the 1971 GDC.

To prevent the occurrence of common mode failures, such additional measures as functional diversity, physical separation, and testing as well as administrative control during design, production, installation and operation, are employed, as discussed in WCAP-7706-L and WCAP-7706. The design meets the requirements of Criteria 21 and 22 of the 1971 GDC.


For a discussion on the quality of the components and modules used in the reactor trip system, refer to Chapter 17. The quality assurance applied conforms to Criterion 1 of the 1971 GDC.

4. Equipment Qualification For a discussion of the type tests made to verify the performance requirements, refer to Section 3.11. The test results demonstrate that the design meets the requirements of Criterion 4 of the 1971 GDC.
5. Channel Integrity Protection system channels required to operate in accident conditions maintain necessary functional capability under extremes of conditions relating to environment, energy supply, malfunctions, and accidents. The energy supply for the reactor trip system is described in Section 7.6 and Chapter 8. The environmental variations, throughout which the system will perform are given in Section 3.11.
6. Independence Channel independence is carried throughout the system, extending from the sensor through to the devices actuating the protective function. Physical separation is used to achieve separation of redundant transmitters. Separation of wiring is achieved using separate wireways, cable trays, conduit runs and containment penetrations for each redundant channel. Redundant analog equipment is separated by locating modules in different protection cabinets. Each redundant protection channel set is energized from a separate AC power feed. This design meets the requirements of Criterion 21 of the 1971 GDC.

Two reactor trip breakers are actuated by two separate logic matrices which interrupt power to the control rod drive mechanisms. The breaker main contacts are connected in series with the power supply so that opening either breaker interrupts power to all full-length control rod drive mechanisms, permitting the rods to free fall into the core. See Figure 7.1-1.

The design philosophy is to make maximum use of a wide variety of measurements. The protection system continuously monitors numerous diverse system variables. Generally, two or more diverse protection functions would terminate an accident before intolerable consequences could occur (see Table 15.0-6). This design meets the requirements of Criterion 22 of the 1971 GDC.

7. Control and Protection System Interaction

derived from individual protective channels through isolation amplifiers. The isolation amplifiers are classified as part of the protection system and are located in the analog protective racks. Non-protective functions include those signals used for control, remote process indication, and computer monitoring. The isolation amplifiers are designed such that a short circuit, open circuit, or the application of credible fault voltages from within the cabinets on the isolated output portion of the circuit, i.e., the non-protective side of the circuit, does not affect the input (protective) side of the circuit. The signals obtained through the isolation amplifiers are never returned to the protective racks. This design meets the requirements of Criterion 24 of the 1971 GDC and Paragraph 4.7 of IEEE Standard 279-1971.

The results of applying various malfunction conditions on the output portion of the isolation amplifiers show that no significant disturbance to the isolation amplifier input signal occurred.

8. Derivation of System Inputs To the extent feasible and practical, protection system inputs are derived from signals which are direct measures of the desired variables. Variables monitored for the various reactor trips are listed in Section 7.2.1.2.2.
9. Capability for Sensor Checks The operational availability of each system input sensor during reactor operation is accomplished by cross checking between channels that bear a known relationship to each other and that have read-outs available. Channel checks are discussed in Technical Specification 3/4.3 and Table 4.3-1 of the Technical Specifications.
10. Capability for Testing The reactor trip system is capable of being tested during power operation. Where only parts of the system are tested at any one time, the testing sequence provides the necessary overlap between the parts to assure complete system operation. The testing capabilities are in conformance with Regulatory Guide 1.22 as discussed in Section 7.1.2.5.

The protection system is designed to permit periodic testing of the analog channel portion of the reactor trip system during reactor power operation without initiating a protective action unless a trip condition actually exists. This is because of the coincidence logic required for reactor trip. These tests may be performed at any plant power from cold shutdown to full power. Before starting any of these tests with the plant at power, all redundant reactor trip channels associated with the function to be tested must be in the normal (untripped) mode in order to avoid

Analog Channel Tests

Analog channel testing is performed at the analog instrumentation rack set by individually introducing dummy input signals into the instrumentation channels and observing the tripping of the appropriate output bistables. Process analog output to the logic circuitry is interrupted during individual channel test by a test switch which, when thrown, de-energizes the associated logic input and inserts a proving lamp in the bistable output. Interruption of the bistable output to the logic circuitry for any reason (test, maintenance purposes, or removed from service) will cause that portion of the logic to be actuated (partial trip), accompanied by a partial trip alarm and channel status light actuation in the control room. Each channel contains those switches, test points, etc., necessary to test the channel (WCAP-7913; WCAP-8255).

The following periodic tests of the analog channels of the protection circuits are performed:

a. Tavg and ΔT protection channel testing.
b. Pressurizer pressure protection channel testing.
c. Pressurizer water level protection channel testing.
d. Steam generator water level protection channel testing.
e. Reactor coolant low flow and underspeed protection channel testing.
f. Impulse chamber pressure channel testing.

Nuclear Instrumentation Channel Tests

Prior to testing, the power range channels of the Nuclear Instrumentation System (NIS) may be calibrated on a tripped channel with the channel detector disabled to eliminate live channel interference. Because the power range channel reactor trip logic is two out of four, channel trip bypass is not required. The channel is tripped by removing the control power fuses in the channel under test. This results in a one out of three logic to cause a reactor trip.

To test a power range channel, a TEST-OPERATE switch is provided to require deliberate operator action, operation of which initiates the CHANNEL TEST annunciator in the control room. The channel may be tested with the channel tripped or by restoring the channel to operation. It should be noted that if testing is performed after the channel is restored to operation, a valid trip signal would cause

by increasing the test signal to its trip setpoint and verifying bistable relay operation by control board annunciator and trip status lights.

A nuclear instrumentation system channel which can cause a reactor trip through one-out-of-two protection logic (source or intermediate range) is provided with a bypass function which prevents the initiation of a reactor trip from that particular channel during the short period that it is undergoing test. These bypasses are annunciated in the control room.

The nuclear instrumentation system is tested periodically in accordance with Table 4.3-1 of the Technical Specifications.

Any deviations noted during the performance of the tests are investigated and corrected in accordance with the established calibration and troubleshooting procedures for the nuclear instrumentation system. Reactor trip setpoints are indicated in the Technical Specifications.

For additional background information on the nuclear instrumentation system, refer to WCAP-8255.

Solid State Logic Testing

The reactor logic trains of the reactor trip system are designed to be capable of complete testing at power. After the individual channel analog testing is complete, the logic matrices are tested from the Train A and Train B logic rack test panels.

This step provides overlap between the analog and logic portions of the test program. During this test, all of the logic inputs are actuated automatically in all combinations of trip and non-trip logic. The reactor trip undervoltage and shunt trip relay coils are pulsed in order to check logic. During logic testing of one train, the other train can initiate any required protective functions. Door limit switches on each door of each train assembly provide remote indication of open solid state protection system doors. Annunciation is also provided in the control room to indicate when a train is in test (train output bypassed) and when a reactor trip breaker is bypassed. Logic testing can be performed in less than 30 minutes.

Logic testing is one of the SSPS surveillances. Refer to Technical Specifications Section 3/4.3.1 for Reactor Trip System surveillance requirements and limiting conditions for operation.

A reactor trip resulting from underspeed of the reactor coolant pumps is provided as discussed in Section 7.2.1 and shown on Figure 7.2-1. The logic for this trip is capable of being tested during power operation. When parts of the trip are being tested, the sequence is such that an overlap is provided between parts so that a complete logic test is provided.


The permissive and block interlocks associated with the reactor trip system and engineered safety features actuation system are given in Tables 7.2-2 and 7.3-3 and designated protection or p interlocks. As a part of the protection system, these interlocks are designed to meet the testing requirements of IEEE Standard 279-1971 and 338-1971.

Testing of all protection system interlocks is provided by the logic testing and semi-automatic testing capabilities of the solid state protection system. In the solid state protection system, the undervoltage trip attachment and shunt trip auxiliary relay coils (reactor trip) and master relays (engineered safeguards actuation) are pulsed for all combinations of trip or actuation logic with and without the interlock signals. For example, reactor trip on low flow (2 out of 4 loops showing 2 out of 3 low flow) is tested to verify operability of the trip above P-7 and non-trip below P-7 (Figure 7.2-1, Sheet 5). Interlock testing may be performed at power.

Testing of the logic trains of the reactor trip system includes a check of the input relays and a logic matrix check. The following sequence is used to test the system:

a. Check of input relays During testing of the process instrumentation system and nuclear instrumentation system channels, each channel bistable is placed in a trip mode causing one input relay in Train A and one in Train B to de-energize.

A contact of each relay is connected to a universal logic printed circuit card. This card performs both the reactor trip and monitoring functions.

Each reactor trip input relay contact causes a status lamp and an annunciator on the control board to operate. Either the Train A or Train B input relay operation lights the status lamp and annunciator.

Each train contains a multiplexing test switch. At the start of a process or nuclear instrumentation system test, this switch (in either train) is placed in the A + B position. The A + B position alternately allows for information to be transmitted from the two trains to the control board. A steady status lamp and annunciator indicates that input relays in both trains have been de-energized. A flashing lamp means that the input relays in the two trains did not both de-energize. Contact inputs to the logic protection system such as turbine stop valve limit switches operate input relays which are tested by operating the remote contacts as described above and using the same type of indications as those provided for bistable input relays.

Actuation of the input relays provides the overlap between the testing of the logic protection system and the testing of those systems supplying the inputs to the logic protection system. Test indications are status lamps and

example, a function that trips the reactor when two out of four channels trip becomes a one out of three trip when one channel is placed in the trip mode. Both trains of the logic protection system remain in service during this portion of the test.

b. Check of logic matrices Logic matrices are checked one train at a time. Input relays are not operated during this portion of the test. Reactor trips from the train being tested are inhibited with the use of the input error inhibit switch on the semi-automatic test panel in the train. At the completion of the logic matrix tests, the bistable status lights on the main control board section 4 (3IHA-ANNMB4G) will be checked to ensure the closure of the input error inhibit switch contacts. The tripped condition of the bistable status lights for Power Range P-10 Permissives channel 1 through 4 or Turbine Stop Valves 1 through 4 will be checked depending on the plant thermal power level (above 10% or below 10% respectively) during the test. The logic test scheme uses pulse techniques to check the coincidence logic. All possible trip and non-trip combinations are checked. Pulses from the tester are applied to the inputs of the universal logic card at the same terminals that connect to the input relay contacts. Thus there is an overlap between the input relay check and the logic matrix check. Pulses are fed back from the reactor trip breaker undervoltage trip attachment and shunt trip auxiliary relay coils to the tester. The pulses are of such short duration that the reactor trip breaker undervoltage coil armature cannot respond mechanically (Figure 7.1-2).

Test indications that are provided are an annunciator in the control room indicating that reactor trips from the train have been blocked and that the train is being tested, and green and red lamps on the semi-automatic tester indicate a good or bad logic matrix test. Protection capability provided during this portion of the test is from the train not being tested.
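The coincidence behaviour described in the channel and logic matrix tests above (a channel placed in the tripped state for test turning a 2-out-of-4 function into 1-out-of-3, the bypass needed for a 1-out-of-2 function, and the tester pulsing every trip / non-trip input combination with and without the P-7 interlock), written out as an added Python model. This is illustrative code written for this page; it is not code from the FSAR, from Westinghouse, or from the plant's solid state protection system. The gate-level wiring of the 2-out-of-4 matrix, the representation of P-7 as a simple enable, and all function names are assumptions.

```python
"""Added model of reactor trip coincidence (voting) logic under test.

Not plant code. The universal logic card is stood in for by a hypothetical
AND/OR network, and the P-7 interlock by a plain enable input.
"""
from enum import Enum
from itertools import product


class Ch(Enum):
    NORMAL = "normal"        # in service, bistable not tripped
    TRIPPED = "tripped"      # bistable output interrupted: test, maintenance or real trip
    BYPASSED = "bypassed"    # removed from the coincidence during test (1-out-of-2 functions)


def m_of_n(inputs, m):
    """Reference specification: trip when at least m of the inputs are true."""
    return sum(1 for x in inputs if x) >= m


def vote(states, required):
    """Coincidence vote over channel states. A TRIPPED channel is a trip input,
    a BYPASSED channel is ignored, a NORMAL channel is a non-trip input."""
    return m_of_n([s is Ch.TRIPPED for s in states], required)


def residual_logic(states, required):
    """(trips still needed, channels that can supply them) once some channels are
    tripped or bypassed, e.g. 2-out-of-4 with one channel tripped -> (1, 3)."""
    tripped = sum(1 for s in states if s is Ch.TRIPPED)
    in_service = sum(1 for s in states if s is Ch.NORMAL)
    return (max(required - tripped, 0), in_service)


def partial_trip_alarms(states):
    """Every channel whose bistable output is interrupted raises a partial trip
    alarm and channel status light; return the alarming channel indices."""
    return [i for i, s in enumerate(states) if s is not Ch.NORMAL]


def two_of_four_matrix(a, b, c, d):
    """Gate-level 2-out-of-4 matrix (hypothetical wiring standing in for the
    universal logic card): OR of every AND pair."""
    return ((a and b) or (a and c) or (a and d)
            or (b and c) or (b and d) or (c and d))


def low_flow_trip(loops_low, p7):
    """Reactor trip on low flow: 2-out-of-4 loops each showing 2-out-of-3 low flow
    channels, permitted at or above P-7 and blocked below it (assumed enable)."""
    loop_low = [m_of_n(chs, 2) for chs in loops_low]
    return p7 and two_of_four_matrix(*loop_low)


def logic_matrix_test():
    """Pulse every trip / non-trip input combination through the matrix, then
    through the interlocked low flow function with and without P-7, comparing
    each result against the m-of-n specification. Returns (passed, checked)."""
    checked = 0
    for combo in product([False, True], repeat=4):
        if two_of_four_matrix(*combo) != m_of_n(combo, 2):
            return False, checked
        checked += 1
    for combo in product([False, True], repeat=4):
        loops = [[low, low, False] for low in combo]   # two of three channels low per loop
        if low_flow_trip(loops, p7=False):               # must stay blocked below P-7
            return False, checked
        if low_flow_trip(loops, p7=True) != m_of_n(combo, 2):
            return False, checked
        checked += 1
    return True, checked


if __name__ == "__main__":
    one_in_test = [Ch.TRIPPED, Ch.NORMAL, Ch.NORMAL, Ch.NORMAL]
    print("2-out-of-4 with one channel tripped becomes", residual_logic(one_in_test, 2))
    print("partial trip alarms:", partial_trip_alarms(one_in_test))
    print("1-out-of-2 with a channel tripped for test:", vote([Ch.TRIPPED, Ch.NORMAL], 1))
    print("1-out-of-2 with that channel bypassed instead:", vote([Ch.BYPASSED, Ch.NORMAL], 1))
    print("logic matrix test:", logic_matrix_test())
```

The point of the model is the asymmetry the text relies on: tripping a channel for test is conservative for a 2-out-of-4 function (the residual logic is 1-out-of-3, still protective), but not usable for a 1-out-of-2 function, which is why source and intermediate range channels get an annunciated bypass instead.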

The testing capability meets the requirements of Criterion 21 of the 1971 GDC.

Testing of Reactor Trip Breakers

Normally, reactor trip breakers 52/RTA and 52/RTB are in service, and bypass breakers 52/BYA and 52/BYB are withdrawn (out of service). The following procedure describes the method used for testing the trip breakers:

a. With bypass breaker 52/BYA racked out in the Test position, manually close and trip it to verify its operation.


Block pushbutton on the automatic shunt trip panel. This verifies operation of the undervoltage trip attachment (UVTA) when the breaker trips. After reclosing RTA, trip it again by operation of the Auto Shunt Trip Test pushbutton on the automatic shunt trip panel. This is to verify tripping of the breaker through the shunt trip device.

c. Close 52/RTA.
d. Trip and rack out 52/BYA.
e. Repeat above steps a through d to test reactor trip breaker 52/RTB using bypass breaker 52/BYB.

Auxiliary contacts of the bypass breakers are connected into the alarm system of their respective trains such that if either train is placed in test while the bypass breaker of the other train is closed, both reactor trip breakers and both bypass breakers automatically trip.

Auxiliary contacts of the bypass breakers are also connected in such a way that if an attempt is made to close the bypass breaker in one train while the bypass breaker of the other train is already closed, both bypass breakers automatically trip.

The Train A and Train B alarm systems operate separate annunciators in the control room. The two bypass breakers also operate separate annunciators in the control room. Bypassing of a protection train with either the bypass breaker or with the test switches would result in audible and visual indications.
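The bypass breaker interlocks just described, as an added Python model. This is illustrative code written for this page, not the FSAR's or the plant's breaker control circuitry. The arrangement assumed is the one the Figure 7.1-1 description implies: the two trip breakers in series with the rod power supply, each bypass breaker in parallel with its own train's trip breaker. The annunciator wording and method names are invented for the example.

```python
"""Added model of the reactor trip breaker / bypass breaker interlocks.

Not plant code. Breaker arrangement, annunciator text and names are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class BreakerLineup:
    # True = closed, False = open (tripped or withdrawn)
    rta: bool = True    # reactor trip breaker, train A (52/RTA)
    rtb: bool = True    # reactor trip breaker, train B (52/RTB)
    bya: bool = False   # bypass breaker, train A (52/BYA), normally withdrawn
    byb: bool = False   # bypass breaker, train B (52/BYB), normally withdrawn
    train_a_in_test: bool = False
    train_b_in_test: bool = False
    annunciators: list = field(default_factory=list)

    def rod_power_available(self):
        """Trains in series; each bypass breaker parallels its own trip breaker,
        so opening either trip breaker with its bypass withdrawn drops the rods."""
        return (self.rta or self.bya) and (self.rtb or self.byb)

    def close_bypass(self, train):
        """Attempt to close 52/BYA or 52/BYB. If the other train's bypass breaker is
        already closed, both bypass breakers trip instead (second interlock)."""
        other_closed = self.byb if train == "A" else self.bya
        if other_closed:
            self.bya = self.byb = False
            self.annunciators.append("BOTH BYPASS BREAKERS TRIPPED")
            return False
        if train == "A":
            self.bya = True
        else:
            self.byb = True
        self.annunciators.append(f"TRAIN {train} BYPASS BREAKER CLOSED")
        return True

    def place_in_test(self, train):
        """Place a logic train in test (train output bypassed). If the other train's
        bypass breaker is closed, both trip breakers and both bypass breakers trip
        (first interlock), so the plant is never left with both trains bypassed."""
        other_bypass_closed = self.byb if train == "A" else self.bya
        if other_bypass_closed:
            self.rta = self.rtb = self.bya = self.byb = False
            self.annunciators.append("TRAIN IN TEST WITH OTHER BYPASS CLOSED - ALL BREAKERS TRIPPED")
            return False
        if train == "A":
            self.train_a_in_test = True
        else:
            self.train_b_in_test = True
        self.annunciators.append(f"TRAIN {train} IN TEST")
        return True

    def trip_breaker(self, train):
        """Open a reactor trip breaker (undervoltage trip attachment or shunt trip).
        Returns whether rod power is still available afterwards."""
        if train == "A":
            self.rta = False
        else:
            self.rtb = False
        self.annunciators.append(f"REACTOR TRIP BREAKER {train} OPEN")
        return self.rod_power_available()


def breaker_test_sequence():
    """Steps a through d of the text for train A: close 52/BYA, trip 52/RTA while
    rod power is carried by the bypass, reclose 52/RTA, then trip and rack out
    52/BYA. Returns the final lineup, which should be the normal one."""
    lineup = BreakerLineup()
    assert lineup.close_bypass("A")
    assert lineup.trip_breaker("A")       # rods stay powered through 52/BYA
    lineup.rta = True                      # reclose 52/RTA
    lineup.bya = False                     # trip and rack out 52/BYA
    return lineup


if __name__ == "__main__":
    print(breaker_test_sequence())
    wrong = BreakerLineup()
    wrong.close_bypass("B")
    print("train A in test with 52/BYB closed:", wrong.place_in_test("A"), wrong.annunciators[-1])
```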

The complete reactor trip system is normally required to be in service. However, to permit online testing of the various protection channels or to permit continued operation in the event of a subsystem instrumentation channel failure, a technical specification, 3/4.3, defining the minimum number of operable channels has been formulated. This technical specification also defines the required restriction to operation in the event that the channel operability requirements cannot be met.

11. Channel Bypass or Removal from Operation The protection system is designed to permit periodic testing of the analog channel portion of the reactor trip system during reactor power operation without initiating a protective action unless a trip condition actually exists. This is because of the coincidence logic required for reactor trip. Additional information is given in Section 7.2.2.2.
12. Operating Bypass

whenever permissive conditions are not met (see Table 7.2-2). Devices used to achieve automatic removal of the bypass of a protective function are considered part of the protective system and are designed in accordance with the criteria of this section.

13. Indication of Bypasses Bypass indication is further discussed in Section 7.1.2.5.

Indication is provided in the control room if some part of the system has been administratively bypassed or taken out of service.

14. Access to Means for Bypassing The design provides for administrative control of access to the means for manually bypassing channels or protective functions.
15. Multiple Setpoints For monitoring neutron flux, multiple setpoints are used. When a more restrictive trip setting becomes necessary to provide adequate protection for a particular mode of operation or set of operating conditions, the protective system circuits are designed to provide positive means or administrative control to assure that the more restrictive trip setpoint is used. The devices used to prevent improper use of less restrictive trip settings are considered part of the protective system and are designed in accordance with the criteria of this section.
16. Completion of Protective Action The protection system is so designed that, once initiated, a protective action goes to completion. Return to normal operation requires action by the operator.
17. Manual Initiation Switches are provided on the control board for manual initiation of protective action. Failure in the automatic system does not prevent the manual actuation of the protective functions. Manual actuation relies on the operation of a minimum of equipment.
18. Access The design provides for administrative control of access to all setpoint adjustments, module calibration adjustments, and test points.


Protective channel identification is discussed in Section 7.1.2.3. Indication is discussed in Item 20 below.

20. Information Readout The protective system provides the operator with complete information pertinent to system status and safety. All transmitted signals (flow, pressure, temperature, etc.) which can cause a reactor trip will be either indicated or recorded for every channel, including all neutron flux power range currents (top detector, bottom detector, algebraic difference and average of bottom and top detector currents).

The only transmitted signal that is not indicated or recorded is the reactor coolant pump shaft speed. This speed does not need to be indicated or recorded because it is a parameter that the operator cannot control, and it is not credible for the sensor to fail in a way that indicates an erroneously high speed.

Any reactor trip will actuate an alarm and an annunciator. Such protective actions are indicated and identified down to the channel level.

Alarms and annunciators are also used to alert the operator of deviations from normal operating conditions so that he may take appropriate corrective action to avoid a reactor trip. Actuation of any rod stop or trip of any reactor trip channel will actuate an alarm.

21. System Repair The system is designed to facilitate the recognition, location, replacement, and repair of malfunctioning components or modules. Refer to the discussion in Item 10 above.

7.2.2.3 Specific Control and Protection Interactions

7.2.2.3.1 Neutron Flux

Four power range neutron flux channels are provided for overpower protection. An isolated auctioneered high signal is derived by auctioneering of the four channels for automatic rod control. If any channel fails in such a way as to produce a low output, that channel is incapable of proper overpower protection but will not cause control rod movement because of the auctioneer.

Two out of four overpower trip logic will ensure an overpower trip if needed even with an independent failure in another channel.

In addition, channel deviation signals in the control system will give an alarm if any neutron flux channel deviates significantly from the average of the flux signals. Also, the control system will respond only to rapid changes in indicated neutron flux; slow changes or drifts are compensated

7.2.2.3.2 Reactor Coolant Temperature

The accuracy of the narrow range resistance temperature detector loop temperature measurements is demonstrated during plant startup tests by comparing temperature measurements from all loop narrow range resistance temperature detectors with one another as well as with the temperature measurements obtained from the wide-range resistance temperature detectors located in the hot leg and cold leg piping of each loop. The comparisons are done with the reactor coolant system in an isothermal condition. The linearity of the ΔT measurements obtained from the hot leg and cold leg narrow range loop resistance temperature detectors as a function of plant power is also checked during plant startup tests. The absolute value of ΔT versus plant power is not important, per se, as far as reactor protection is concerned. Reactor trip system setpoints are based upon percentages of the indicated ΔT at nominal full power rather than on absolute values of ΔT. This is done to account for loop differences which are inherent. Therefore the percent ΔT scheme is relative, not absolute, and therefore provides better protective action without the expense of accuracy. For this reason, the linearity of the ΔT signals as a function of power is of importance rather than the absolute values of the ΔT. As part of the plant startup tests, the narrow range loop resistance temperature detector signals will be compared with the core exit thermocouple signals.

Reactor control is based upon signals derived from protection system channels after isolation by isolation amplifiers such that no feedback effect can perturb the protection channels.

Since control is based on the average temperature of the loop with the highest temperature, the control rods are always moved based upon the most pessimistic temperature measurement with respect to margins to DNB. A spurious low average temperature measurement from any loop temperature control channel will cause no control action; additionally, rod control cannot automatically withdraw rods. A spurious high average temperature measurement will cause rod insertion (safe direction).

Channel deviation signals in the control system will give an alarm if any temperature channel deviates significantly from the auctioneered (highest) value. Turbine runback (power demand reduction) will also occur if any two of the four overtemperature or overpower ΔT channels indicate an adverse condition.
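The auctioneering and deviation-alarm behaviour described for neutron flux (7.2.2.3.1) and for loop average temperature just above, as an added Python model. This is illustrative code written for this page, not code from the FSAR or from the plant's rod control system. The deadband, deviation band, setpoint, the sample readings and the choice of average (flux) versus auctioneered high (temperature) as the deviation reference are assumptions; the only-insertion rule follows the text's statement that rod control cannot automatically withdraw rods.

```python
"""Added model of control-side auctioneering and channel deviation alarms.

Not plant code. Sample readings and all bands are constructed for illustration.
"""
from statistics import mean


def auctioneer_high(signals):
    """Auctioneered high: rod control sees the largest isolated channel signal,
    so a channel failed low can never drive the controller."""
    return max(signals)


def deviation_alarm(signals, band, reference="average"):
    """Channel deviation alarm: indices of channels more than `band` away from the
    reference, which is the average of the signals (neutron flux) or the
    auctioneered high value (loop temperature)."""
    ref = mean(signals) if reference == "average" else auctioneer_high(signals)
    return [i for i, s in enumerate(signals) if abs(s - ref) > band]


def rod_demand(auctioneered, setpoint, deadband):
    """Rod control demand from the auctioneered signal. Only insertion (the safe
    direction) is automatic; withdrawal is not provided automatically."""
    if auctioneered - setpoint > deadband:
        return "insert"
    return "none"


def failed_channel_effect(signals, failed_index, failed_value,
                          setpoint, deadband, band, reference="average"):
    """Substitute one failed channel reading and report what the control system
    sees: the auctioneered value, the rod demand, and which channels alarm."""
    faulted = list(signals)
    faulted[failed_index] = failed_value
    high = auctioneer_high(faulted)
    return {
        "auctioneered": high,
        "demand": rod_demand(high, setpoint, deadband),
        "alarms": deviation_alarm(faulted, band, reference),
    }


# Constructed sample data, not plant values: four loop Tavg readings (degF)
# and four power range flux readings (percent of full power).
SAMPLE_TAVG = [588.0, 588.5, 587.8, 588.2]
SAMPLE_FLUX = [100.0, 101.0, 99.0, 100.0]

if __name__ == "__main__":
    # Loop 3 Tavg channel failed low: no rod motion, that channel alarms.
    print(failed_channel_effect(SAMPLE_TAVG, 2, 0.0, 588.5, 1.5, 2.0, "high"))
    # Loop 3 Tavg channel failed high: rod insertion, the other channels deviate from it.
    print(failed_channel_effect(SAMPLE_TAVG, 2, 620.0, 588.5, 1.5, 2.0, "high"))
    # Flux channel 2 drifting low: no rod motion, deviation alarm on that channel.
    print(failed_channel_effect(SAMPLE_FLUX, 1, 90.0, 100.0, 2.0, 3.0))
```

One caveat the model makes visible: when the deviation reference is the auctioneered high value, a channel that fails high becomes the reference, so the alarm lands on the three healthy channels rather than the failed one. The operator still gets an alarm, but identifying the failed channel takes the indicated readings, not the alarm alone.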

7.2.2.3.3 Pressurizer Pressure

The pressurizer pressure protection channel signals are used for high and low pressure protection and as inputs to the overtemperature ΔT trip protection function and power-operated relief valves.

Isolated output signals from these channels are used for pressure control. These are used to control pressurizer spray and heaters. Pressurizer pressure is sensed by fast response pressure transmitters.


logic for safety injection to ensure low pressure protection.

Overpressure protection is based upon the positive surge of the reactor coolant produced as a result of turbine trip under full load, assuming the core continues to produce full power. The self-actuated safety valves are sized on the basis of steam flow from the pressurizer to accommodate this surge at a setpoint of 2500 psia and an accumulation of 3 percent. Note that no credit is taken for the relief capability provided by the power-operated relief valves during this surge.

In addition, operation of any one of the power-operated relief valves can maintain pressure below the high pressure trip point for most transients. The rate of pressure rise achievable with heaters is slow, and ample time and pressure alarms are available to alert the operator of the need for appropriate action.

Redundancy is not compromised by having a shared tap for two of the four pressurizer pressure transmitters (Section 7.2.1.1.2) since the logic for this trip is two out of four. If the shared tap is plugged, the affected channels remain static. If the impulse line bursts, the indicated pressure drops to zero. In either case the fault is easily detectable, and the protective function remains operable.

7.2.2.3.4 Pressurizer Water Level

Three pressurizer water level channels are used for reactor trip. Isolated signals from these channels are used for pressurizer water level control. A failure in the level control system could fill or empty the pressurizer at a rate that allows the operator to mitigate the transient.

The high pressurizer water level trip setpoint provides sufficient margin such that the undesirable condition of discharging liquid coolant through the safety valves is avoided. Even at full power conditions, which would produce the worst thermal expansion rates, a failure of the water level control would not lead to any liquid discharge through the safety valves. This is due to the operators taking manual action and the automatic high pressurizer pressure reactor trip, a function diverse to the high pressurizer water level trip, actuating at a pressure sufficiently below the safety valve setpoint to prevent liquid discharge.

For control failures which tend to empty the pressurizer, ample time and alarms exist to alert the operator of the need for appropriate action. If action is not taken, letdown will isolate on low pressurizer level, reducing RCS outflow. Should low pressurizer pressure occur, safety injection will actuate.

7.2.2.3.5 Steam Generator Water Level

The basic function of the reactor protection circuits associated with low-low steam generator water level is to preserve the steam generator heat sink for removal of long-term residual heat.

Should a complete loss of feedwater occur, the reactor would be tripped on low-low steam

steam generators are dry. This reduces the required capacity, increases the time interval before auxiliary feedwater pumps are required, and minimizes the thermal transient on the reactor coolant system and steam generators. Therefore, a low-low steam generator water level reactor trip circuit is provided for each steam generator to ensure that sufficient initial thermal capacity is available in the steam generator at the start of the transient. Two-out-of-four low-low steam generator water level trip logic ensures a reactor trip if needed even if the protection channel used for control fails and a second protection channel experiences a postulated random failure.

A spurious low signal from the feedwater flow channel being used for control would cause an increase in feedwater flow. The mismatch between steam flow and feedwater flow produced by the spurious signal would actuate alarms to alert the operator of the situation in time for manual correction. If the condition continues, a two-out-of-four high-high steam generator water level signal in any loop, independent of the indicated feedwater flow, will cause feedwater isolation and trip the turbine. The turbine trip will result in a subsequent reactor trip if power is above the P-9 setpoint. The high-high steam generator water level trip is an equipment protective trip preventing excessive moisture carryover which could damage the turbine blading.

In addition, a high-high steam generator water level turbine trip and feedwater isolation or a low-low steam generator water level reactor trip may be avoided in the event of a steam or feedwater flow instrument channel failure since the steam generator water level input to the three element steam generator water level controller will attempt to restore water level to its nominal setpoint.

A spurious high steam generator water level signal from the protection channel used for control will tend to close the feedwater valve. A spurious low steam generator water level signal will tend to open the feedwater valve. Before a reactor trip would occur, two-out-of-four channels in a loop would have to indicate a low-low water level. Any slow drift in the water level signal will permit the operator to respond to the level alarms and take corrective action.

Automatic protection is provided in case the spurious high level reduces feedwater flow sufficiently to cause low-low level in the steam generator. Automatic protection is also provided in case the spurious low level signal increases feedwater flow sufficiently to cause high level in the steam generator. A turbine trip and feedwater isolation would occur on two-out-of-four high-high steam generator water level in any loop.

7.2.2.4 Additional Postulated Accidents

Loss of plant instrument air or loss of component cooling water is discussed in Section 7.3.2.

Load rejection and turbine trip are discussed in further detail in Section 7.7.

The control interlocks, called rod stops, that are provided to prevent abnormal power conditions which could result from excessive control rod withdrawal are discussed in Section 7.7.1.4.1 and listed on Table 7.7-1. Excessively high power operation, if allowed to continue, might lead to a safety limit (as given in the Technical Specifications) being reached. Before such a limit is reached, protection will be available from the reactor trip system. Rod block setpoints are reached

7.2.3 TESTS AND INSPECTIONS

The reactor trip system meets the testing requirements of IEEE Standard 338-1971, as discussed in Section 7.1.2.11. The testability of the system is discussed in Section 7.2.2.2.3. The initial test intervals are specified in the Technical Specifications. Written test procedures and documentation, conforming to the requirements of IEEE Standard 338-1971, will be available for audit by responsible personnel. Periodic testing complies with Regulatory Guide 1.22 as discussed in Sections 7.1.2.5 and 7.2.2.2.3.

7.2.4 REFERENCES FOR SECTION 7.2

7.2-1 WCAP-7488-L, 1971 (Proprietary) and WCAP-7672, 1971 (Non-proprietary), (Additional background information only) Katz, D. N., Solid State Logic Protection System Description.

7.2-2 WCAP-7706-L, 1971 (Proprietary) and WCAP-7706, 1971 (Non-proprietary), Gangloff, W. C. and Loftus, W. D., An Evaluation of Solid State Logic Reactor Protection in Anticipated Transients.

7.2-3 WCAP-7913, 1973, (Additional background information only) Reid, J. B., Process Instrumentation for Westinghouse Nuclear Steam Supply Systems.

7.2-4 WCAP-8255, 1974, (Additional background information only) Lipchak, J. B., Nuclear Instrumentation System.

7.2-5 DNC Letter 07-0450I, Dominion Nuclear Connecticut, Inc., Millstone Power Station Unit 3 Stretch Power Uprate License Amendment Request, Additional Information in Connection with the NRC Audit Held on May 13, 2008 in Rockville, Maryland, dated May 21, 2008.

28/18 7.2-33 Rev. 31

Reactor Trip System: coincidence logic and interlocks for each reactor trip (columns of the original table: Reactor Trip / Coincidence Logic / Interlocks / Comments)

1. High neutron flux, power range (high and low settings)
   Coincidence logic: 2-out-of-4
   Interlocks: Manual block of low setting permitted at or above P-10 (high setting has no interlocks)
   Comments: Automatic reset of low setting below P-10

2. Intermediate range neutron flux
   Coincidence logic: 1-out-of-2
   Interlocks: Manual block permitted at or above P-10
   Comments: Automatic reset below P-10

3. Source range neutron flux
   Coincidence logic: 1-out-of-2
   Interlocks: Manual block permitted at or above P-6. Automatic block at or above P-10.
   Comments: Manual reset permitted below P-10. Automatic reset below P-6.

4. Power range high positive neutron flux rate
   Coincidence logic: 2-out-of-4
   Interlocks: No interlocks
   Comments: Manual reset

5. Power range high negative neutron flux rate
   Coincidence logic: 2-out-of-4
   Interlocks: No interlocks
   Comments: Manual reset

6. Overtemperature ΔT
   Coincidence logic: 2-out-of-4
   Interlocks: No interlocks

7. Overpower ΔT
   Coincidence logic: 2-out-of-4
   Interlocks: No interlocks

8. Pressurizer low pressure
   Coincidence logic: 2-out-of-4
   Interlocks: Interlocked with P-7
   Comments: Blocked below P-7

9. Pressurizer high pressure
   Coincidence logic: 2-out-of-4
   Interlocks: No interlocks

10. Pressurizer high water level
   Coincidence logic: 2-out-of-3
   Interlocks: Interlocked with P-7
   Comments: Blocked below P-7

11. Low reactor coolant flow
   Coincidence logic: 2-out-of-3 in 2-out-of-4 loops
   Interlocks: Interlocked with P-7
   Comments: Blocked below P-7. Low flow in two loops will cause a reactor trip when at or above P-7.
   Coincidence logic: 2-out-of-3 in any loop
   Interlocks: Interlocked with P-8
   Comments: Blocked below P-8. Low flow in one loop will cause a reactor trip when at or above P-8.

12. Reactor coolant pump shaft underspeed
   Coincidence logic: 2-out-of-4
   Interlocks: Interlocked with P-7
   Comments: Low speed on all pumps permitted below P-7

13. Low-low steam generator water level
   Coincidence logic: 2-out-of-4 in any loop
   Interlocks: No interlocks

14. Safety injection signal
   Coincidence logic: Coincident with actuation of safety injection
   Interlocks: No interlocks
   Comments: See Section 7.3 for Engineered Safety Features actuation conditions

15. Turbine (anticipatory) trip
   a) Low trip fluid pressure
      Coincidence logic: 2-out-of-3
      Interlocks: Interlocked with P-9
      Comments: Blocked below P-9
   b) Turbine stop valve close
      Coincidence logic: 4-out-of-4
      Interlocks: Interlocked with P-9
      Comments: Blocked below P-9

16. Manual
   Coincidence logic: 1-out-of-2
   Interlocks: No interlocks

17. Reactor Trip or SIS SSPS General Warning Alarm
   Coincidence logic: 2-out-of-2
   Interlocks: No interlocks
   Comments: Both trains simultaneously

18. N-1 Misalignment
   Coincidence logic: N/A
   Interlocks: No interlocks
   Comments: N-1 switches in SSPS misaligned (see Section 7.2.1.2.2, item 12, for details)

Protection system interlocks (columns of the original table: Designation / Derivation / Function)

Power Escalation Permissives:

P-6
   Presence of P-6: 1-out-of-2 neutron flux (intermediate range) above setpoint.
      Allows manual block of source range reactor trip.
   Absence of P-6: 2-out-of-2 neutron flux (intermediate range) below setpoint.
      Defeats the block of source range reactor trip.

P-10
   Presence of P-10: 2-out-of-4 neutron flux (power range) above setpoint.
      Allows manual block of power range (low setpoint) reactor trip.
      Allows manual block of intermediate range reactor trip and intermediate range rod stops (C-1).
      Automatically blocks source range reactor trip (back-up for P-6).
      Input to P-7.
   Absence of P-10: 3-out-of-4 neutron flux (power range) below setpoint.
      Defeats the block of power range (low setpoint) reactor trip.
      Defeats the block of intermediate range reactor trip and intermediate range rod stops (C-1).
      Input to P-7.
      Allows reset of block of source range reactor trip.

Blocks of Reactor Trips:

P-7
   Absence of P-7: 3-out-of-4 neutron flux (power range) below setpoint (from P-10) and 2-out-of-2 turbine impulse chamber pressure below setpoint (from P-13).
      Blocks reactor trip on: low reactor coolant flow in more than one loop, underspeed, pressurizer low pressure, and pressurizer high level.

P-8
   Absence of P-8: 3-out-of-4 neutron flux (power range) below setpoint.
      Blocks reactor trip on low reactor coolant flow in a single loop.

P-9
   Absence of P-9: 3-out-of-4 neutron flux (power range) below setpoint.
      Blocks reactor trip on turbine trip.

P-13
   Absence of P-13: 2-out-of-2 turbine impulse chamber pressure below setpoint.
      Input to P-7.
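The coincidence votes and the permissive derivations in the two tables above are simple enough to check by modeling them directly. The following Python model is an added example written for this page; it is not Millstone or Westinghouse SSPS logic. Each input list is one boolean per channel (True when that channel is tripped or reads above the permissive setpoint), the channel readings are constructed, and the trip labels returned are names chosen here. It encodes the points the tables make that are easy to get wrong: presence of P-10 is 2-out-of-4 above the setpoint while absence is 3-out-of-4 below, so an exactly-split 2/2 reading counts as present; P-7 is absent only when P-10 and P-13 are both absent; single-loop low flow is gated by P-8 while two-loop low flow is gated by P-7; and the stop valve input to the turbine trip needs 4-out-of-4.

```python
from dataclasses import dataclass


def vote(channels, required):
    """k-out-of-N coincidence: true when at least `required` channels are tripped."""
    return sum(1 for c in channels if c) >= required


@dataclass(frozen=True)
class Permissives:
    p7: bool
    p8: bool
    p9: bool
    p10: bool
    p13: bool


def derive_permissives(power_above_p10, power_above_p8, power_above_p9, impulse_above_p13):
    """Derive P-7, P-8, P-9, P-10 and P-13 from the four power range channels and the
    two turbine impulse chamber pressure channels.  Presence is voted on channels
    above the setpoint; absence is the complementary vote below (3-out-of-4 or
    2-out-of-2), so each permissive reduces to a single boolean."""
    p10 = vote(power_above_p10, 2)      # present on 2-out-of-4 above setpoint
    p8 = vote(power_above_p8, 2)
    p9 = vote(power_above_p9, 2)
    p13 = vote(impulse_above_p13, 1)    # absent only on 2-out-of-2 below setpoint
    p7 = p10 or p13                     # absent only when P-10 and P-13 are both absent
    return Permissives(p7=p7, p8=p8, p9=p9, p10=p10, p13=p13)


def reactor_trips(perm, loop_low_flow, rcp_underspeed, pzr_low_pressure,
                  pzr_high_level, turbine_low_fluid_pressure, turbine_stop_valves_closed):
    """Return the set of permissive-blocked trip functions whose coincidence logic is
    satisfied.  loop_low_flow is four lists of three channel trips (one list per
    loop); the remaining arguments are per-channel trip lists."""
    trips = set()
    loops_tripped = [vote(ch, 2) for ch in loop_low_flow]   # 2-out-of-3 in a loop
    if perm.p7 and vote(loops_tripped, 2):                   # 2-out-of-4 loops, above P-7
        trips.add("low reactor coolant flow, two loops")
    if perm.p8 and vote(loops_tripped, 1):                   # any single loop, above P-8
        trips.add("low reactor coolant flow, single loop")
    if perm.p7 and vote(rcp_underspeed, 2):                  # 2-out-of-4, above P-7
        trips.add("RCP shaft underspeed")
    if perm.p7 and vote(pzr_low_pressure, 2):                # 2-out-of-4, above P-7
        trips.add("pressurizer low pressure")
    if perm.p7 and vote(pzr_high_level, 2):                  # 2-out-of-3, above P-7
        trips.add("pressurizer high water level")
    if perm.p9 and (vote(turbine_low_fluid_pressure, 2)      # 2-out-of-3, above P-9
                    or vote(turbine_stop_valves_closed, 4)): # 4-out-of-4, above P-9
        trips.add("turbine trip")
    return trips


def at_power_single_loop_low_flow():
    """Constructed scenario: all permissives present, one loop with 2-out-of-3 low
    flow channels tripped.  Only the single-loop trip (P-8) should fire."""
    perm = derive_permissives([True] * 4, [True] * 4, [True] * 4, [True, True])
    loops = [[True, True, False], [False] * 3, [False] * 3, [False] * 3]
    return reactor_trips(perm, loops, [False] * 4, [False] * 4, [False] * 3,
                         [False] * 3, [False] * 4)


if __name__ == "__main__":
    print(sorted(at_power_single_loop_low_flow()))
```

The model treats each permissive as one boolean because, with four channels, "2-out-of-4 above" and "3-out-of-4 below" cannot both be true at once; a real SSPS derives presence and absence as separate relay outputs, which is what the table's two rows per permissive describe.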

Reactor Trip System Instrumentation (columns of the original table: Reactor Trip Signal / Process Measurement Range / Total Allowance (1) / Response Time (2))

1. Power range high neutron flux (high and low settings)
   Range: 0 to 120 percent of full power
   Total allowance: Hi - 6.3% of span; Lo - 8.3% of span
   Response time: 0.5 second (3)

2. Intermediate range high neutron flux
   Range: 8 decades of neutron flux overlapping both source and power ranges (10^-11 to 10^-3 amperes)
   Total allowance: (4)
   Response time: (4)

3. Source range high neutron flux
   Range: 6 decades of neutron flux (1 to 10^6 counts/sec)
   Total allowance: (4)
   Response time: (4)

4. Power range high positive neutron flux rate
   Range: 0 to +120 percent of full power
   Total allowance: 1.08% of span (5)
   Response time: 0.5 seconds (5)

5. Power range high negative neutron flux rate
   Range: 0 to 120 percent of full power
   Total allowance: (4)
   Response time: (4)

6. Overtemperature ΔT
   Range: THOT 530 to 650°F; TCOLD 510 to 630°F; TAVG 530 to 630°F; PPZR 1700 to 2500 psia; f(ΔI) -60 to +60% (4); ΔT setpoint 0 to 150% of full power ΔT
   Total allowance: 11.3 percent of ΔT span
   Response time: 11.0 seconds

7. Overpower ΔT
   Range: THOT 530 to 650°F; TCOLD 510 to 630°F; TAVG 530 to 630°F; ΔT setpoint 0 to 150% of full power ΔT
   Total allowance: 4.9 percent of ΔT span
   Response time: 11.0 seconds

8. Pressurizer low pressure
   Range: 1700 to 2500 psia
   Total allowance: 5.0 percent of span
   Response time: 2.0 seconds

9. Pressurizer high pressure
   Range: 1700 to 2500 psia
   Total allowance: 5.0 percent of span
   Response time: 2.0 seconds

10. Pressurizer high water level
   Range: Span between level taps (approximately 520 inches)
   Total allowance: 11.0 percent of span
   Response time: 2.0 seconds

11. Low reactor coolant flow
   Range: 0 to 120 percent of thermal design flow
   Total allowance: 4.2 percent of span
   Response time: 1.0 seconds

12. Reactor coolant pump shaft underspeed
   Range: 960 to 1260 RPM
   Total allowance: 1.6 percent of span
   Response time: 0.6 seconds (6)

13. Low-low steam generator water level
   Range: Span between narrow range level taps (approximately 128 inches)
   Total allowance: 18.1 percent of span
   Response time: 2.0 seconds

14. Turbine trip
   Range: N/A
   Total allowance: N/A
   Response time: (7)

NOTES:

(1) Refer to Technical Specifications Section B 3/4.3.1 for a discussion of Total Allowance.

(2) Reactor Trip System Response Time is defined by Technical Specification 1.28 as: "...the time interval from when the monitored parameter exceeds its trip setpoint at the channel sensor until loss of stationary gripper coil voltage."

(3) Neutron detectors are exempt from time response testing.

(4) Information not applicable since the trip(s) are not required by the safety analysis per FSAR Table 15.0-4.

(5) Credited in the generic Westinghouse analysis applicable to MPS-3 (Reference 7.2-5).

(6) RCP speed sensors are exempt from time response testing.

(7) The FSAR Chapter 15 safety analysis does not credit reactor trip due to turbine trip in demonstrating that the acceptance criteria are met. Therefore, time response testing for this function is not required.

Reactor trip correlation (columns of the original table: Trip (a) / Accident (b) / Tech Spec (c))

1. Power range high neutron flux trip (low setpoint)
   Tech Spec: 2.2.1, Table 2.2-1 #2; see Note (d)
   Accidents:
   1. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal from a Subcritical or Low Power Startup Condition (15.4.1)
   2. Spectrum of Rod Cluster Control Assembly Ejection Accidents (15.4.8)
   3. Chemical and Volume Control System Malfunction that Results in a Decrease in the Boron Concentration in the Reactor Coolant (15.4.6)
   4. Excessive Heat Removal Due to Feedwater System Malfunctions (15.1.1 and 15.1.2)

2. Power range high neutron flux trip (high setpoint)
   Tech Spec: 2.2.1, Table 2.2-1 #2; see Note (d)
   Accidents:
   1. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal from a Subcritical or Low Power Startup Condition (15.4.1)
   2. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal at Power (15.4.2)
   3. Excessive Heat Removal Due to Feedwater System Malfunctions (15.1.1 and 15.1.2)
   4. Excessive Increase in Secondary Steam Flow (15.1.3)
   5. Inadvertent Opening of a Steam Generator Relief or Safety Valve Causing a Depressurization of the Main Steam System (15.1.4)
   6. Steam System Piping Failure (15.1.5)
   7. Spectrum of Rod Cluster Control Assembly Ejection Accidents (15.4.8)
   8. Chemical and Volume Control System Malfunction that Results in a Decrease in the Boron Concentration in the Reactor Coolant (15.4.6)

3. Intermediate range high neutron flux trip
   Tech Spec: 2.2.1, Table 2.2-1 #5
   Accidents:
   1. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal from a Subcritical or Low Power Startup Condition (15.4.1)

4. Source range high neutron flux trip
   Tech Spec: 2.2.1, Table 2.2-1 #6
   Accidents:
   1. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal from a Subcritical or Low Power Startup Condition (15.4.1)
   2. Chemical and Volume Control System Malfunction that Results in a Decrease in the Boron Concentration in the Reactor Coolant (15.4.6)

5. Power range high positive neutron flux rate trip
   Tech Spec: 2.2.1, Table 2.2-1 #3
   Accidents:
   1. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal at Power and Spectrum of Rod Cluster Control Assembly Ejection Accidents (15.4.2 and 15.4.8)
   2. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal from a Subcritical or Low Power Startup Condition (15.4.1)

6. Power range high negative flux rate trip
   See Note (e)

7. Overtemperature ΔT trip
   Tech Spec: 2.2.1, Table 2.2-1 #7
   Accidents:
   1. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal at Power (15.4.2)
   2. Chemical and Volume Control System Malfunction that Results in a Decrease in the Boron Concentration in the Reactor Coolant (15.4.6)
   3. Loss of External Electrical Load and/or Turbine Trip (15.2.2 and 15.2.3)
   4. Excessive Heat Removal Due to Feedwater System Malfunctions (15.1.1 and 15.1.2)
   5. Excessive Increase in Secondary Steam Flow (15.1.3)
   6. Inadvertent Opening of a Pressurizer Safety or Relief Valve (15.6.1)
   7. Rod Cluster Control Assembly Misalignment (15.4.3)
   8. Loss of Normal Feedwater Flow (15.2.7)
   9. Steam Generator Tube Failure (15.6.3)
   10. Feedwater System Pipe Break (15.2.8)

8. Overpower ΔT trip
   Tech Spec: 2.2.1, Table 2.2-1 #8
   Accidents:
   1. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal at Power (15.4.2)
   2. Excessive Heat Removal Due to Feedwater System Malfunctions (15.1.1 and 15.1.2)
   3. Excessive Increase in Secondary Steam Flow (15.1.3)
   4. Inadvertent Opening of a Steam Generator Relief or Safety Valve Causing a Depressurization of the Main Steam System (15.1.4)
   5. Steam System Piping Failure (15.1.5)
   6. Rod Cluster Control Assembly Misalignment (15.4.3)
   7. Loss of External Electrical Load and/or Turbine Trip (15.2.2 and 15.2.3)

9. Pressurizer low pressure trip
   Tech Spec: 2.2.1, Table 2.2-1 #9
   Accidents:
   1. Inadvertent Opening of a Pressurizer Safety or Relief Valve (15.6.1)
   2. Loss-of-Coolant Accidents Resulting from a Spectrum of Postulated Piping Breaks within the Reactor Coolant Pressure Boundary (15.6.5)
   3. Excessive Increase in Secondary Steam Flow (15.1.3)
   4. Steam Generator Tube Failure (15.6.3)
   5. Inadvertent Opening of a Steam Generator Relief or Safety Valve Causing a Depressurization of the Main Steam System (15.1.4)
   6. Steam System Piping Failure (15.1.5)
   7. Rod Cluster Control Assembly Misalignment (15.4.3)
   8. Inadvertent Operation of the Emergency Core Cooling System During Power Operation (15.5.1)

10. Pressurizer high pressure trip
   Tech Spec: 2.2.1, Table 2.2-1 #10
   Accidents:
   1. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal at Power (15.4.2)
   2. Loss of External Electrical Load and/or Turbine Trip (15.2.2 and 15.2.3)
   3. Loss of Normal Feedwater Flow (15.2.7)
   4. Feedwater System Pipe Break (15.2.8)

11. Pressurizer high water level trip
   Tech Spec: 2.2.1, Table 2.2-1 #11
   Accidents:
   1. Uncontrolled Rod Cluster Control Assembly Bank Withdrawal at Power (15.4.2)

12. Low reactor coolant flow trip
   Tech Spec: 2.2.1, Table 2.2-1 #12
   Accidents:
   1. Partial Loss of Forced Reactor Coolant Flow (15.3.1)
   2. Loss of Nonemergency AC Power to the Station Auxiliaries (15.2.6)
   3. Complete Loss of Forced Reactor Coolant Flow (15.3.2)
   4. Reactor Coolant Pump Shaft Seizure (Locked Rotor) (15.3.3)

13. Reactor coolant pump underspeed trip
   Tech Spec: 2.2.1, Table 2.2-1 #15
   Accidents:
   1. Complete Loss of Forced Reactor Coolant Flow (15.3.2)

14. Low-low steam generator water level trip
   Tech Spec: 2.2.1, Table 2.2-1 #13
   Accidents:
   1. Loss of Normal Feedwater Flow (15.2.7)
   2. Loss of Nonemergency AC Power to the Station Auxiliaries (15.2.6)
   3. Loss of External Electrical Load and/or Turbine Trip (15.2.2 and 15.2.3)
   4. Feedwater System Pipe Break (15.2.8)
   5. Steam System Piping Failure (15.1.5)

15. Reactor trip on turbine trip
   Tech Spec: 2.2.1, Table 2.2-1 #16
   Accidents:
   1. Excessive Heat Removal Due to Feedwater System Malfunctions (15.1.1 and 15.1.2)
   2. Loss of Nonemergency AC Power to the Station Auxiliaries (15.2.6)

16. Safety injection signal actuation trip
   Tech Spec: 2.2.1, Table 2.2-1 #17
   Accidents:
   1. Inadvertent Opening of a Steam Generator Relief or Safety Valve Causing a Depressurization of the Main Steam System (15.1.4)
   2. Steam System Piping Failure (15.1.5)
   3. Inadvertent Operation of the Emergency Core Cooling System During Power Operation (15.5.1)
   4. Feedwater System Pipe Break (15.2.8)

17. Manual trip
   Tech Spec: 2.2.1, Table 2.2-1 #1
   Accidents:
   1. Available for all accidents (Chapter 15)

NOTES:

(a) Trips are listed in order of discussion in Section 7.2.

(b) References refer to the accident analyses presented in Chapter 15.

(c) References refer to the Technical Specifications presented in Chapter 16.

(d) The power range high neutron flux trip is not required to be OPERABLE in MODES 3, 4 or 5. Administrative controls have been implemented to preclude uncontrolled rod/bank withdrawal from occurring in these MODES when plant conditions are not bounded by the accident assumptions.

(e) A Technical Specification reference is not required because this trip is not assumed to function in the accident analysis.

FIGURE 7.2-1 (SHEETS 1-19) P&IDS FUNCTIONAL DIAGRAM, REACTOR TRIP SYSTEM/LOOP STOP VALVE INTERLOCKS/PRESSURIZER PRESSURE RELIEF SYSTEM

The figure indicated above represents an engineering controlled drawing that is Incorporated by Reference in the MPS-3 FSAR. Refer to the List of Effective Figures for the related drawing number and the controlled plant drawing for the latest revision.

FIGURE 7.2-2 SETPOINT REDUCTION FUNCTION FOR OVERPOWER AND OVERTEMPERATURE ΔT TRIP

In addition to the requirements for a reactor trip for anticipated abnormal transients, the facility is provided with adequate instrumentation and controls to sense accident situations and initiate the operation of necessary engineered safety features. The occurrence of a limiting fault, such as a loss-of-coolant accident or a steam line break, requires a reactor trip plus actuation of one or more of the engineered safety features in order to prevent or mitigate damage to the core and reactor coolant system components and ensure containment integrity.

In order to accomplish these design objectives, the engineered safety features system has proper and timely initiating signals which are to be supplied by the sensors, transmitters, and logic components making up the various instrumentation channels of the engineered safety features actuation system. The engineered safety features actuation system as discussed in Section 7.3 is consistent with Technical Specification Table 3.3-3.

7.3.1 DESCRIPTION

The engineered safety features actuation system (ESFAS) uses selected plant parameters, determines whether or not predetermined safety limits are being exceeded and, if they are, combines the signals into logic matrices sensitive to combinations indicative of Condition III or IV faults. In addition, some engineered safety features such as auxiliary feedwater may be actuated for Condition II faults such as loss of normal feedwater flow. Once the required logic combination is completed, the system sends actuation signals to the appropriate engineered safety features components. The ESFAS meets the requirements of Criteria 13, 20, 27, 28, and 38 of the 1971 General Design Criteria (GDC).

7.3.1.1 System Description

The ESFAS is a functionally defined system described in this section. The equipment which provides the actuation functions identified in Section 7.3.1.1.1 is listed and discussed in this section (WCAP-7913, 1973; WCAP-7488-L, 1971; WCAP-7705, 1976):

1. Process Instrumentation and Control System (WCAP-7913, 1973).
2. Solid State Logic Protection System (WCAP-7488-L, 1971).
3. Engineered Safety Features Test Cabinet (WCAP-7705, 1976).
4. Manual Actuation Circuits.
5. Emergency Generator Load Sequencer, Table 7.1-1, Logic Diagram Package.
6. Control building inlet and containment purge air radiation monitoring channels.

The ESFAS consists of two discrete portions of circuitry: (1) an analog portion consisting of two to four redundant channels per parameter or variable to monitor various plant parameters such as

from the analog protection channels and perform the logic needed to actuate the engineered safety features. Each digital train is capable of actuating the engineered safety features (ESF) equipment required. Two channels of pressure switches are provided on the refueling water storage tank (RWST) to perform ESF functions. The intent is that any single failure within the ESFAS does not prevent system action when required.

A description of the emergency generator load sequencer is found in Section 7.3.1.1.5. A description of the applicable channels of the radiation monitoring system is in Section 11.5.2.2.

The redundant concept is applied to both the analog and logic portions of the system. Separation of redundant analog channels begins at the process sensors and is maintained in the field wiring, containment vessel penetrations and analog protection racks, terminating at the redundant safeguards logic racks. The design meets the requirements of Criteria 20, 21, 22, 23, and 24 of the 1971 GDC.

The variables are sensed by the analog circuitry as discussed in WCAP-7913 (1973) and in Section 7.2. The outputs from the analog channels are combined into actuation logic as shown on Figure 7.2-1, Sheets 5, 6, 7, and 8. Refer to Technical Specification Table 3.3-3 for ESFAS instrumentation channel requirements.

The interlocks associated with the ESFAS are outlined in Table 7.3-1. These interlocks satisfy the functional requirements discussed in Section 7.1.2.

Manual actuation from the control board of containment isolation Phase A is provided by operation of either one of the redundant momentary containment isolation Phase A controls. The separate trains are thereby linked by mechanical means in a fashion similar to that shown on Figure 7.1-2. Also on the control board is a manual actuation of safety injection by one of the redundant controls and a manual actuation of containment isolation Phase B by either of the two sets of controls.

Manual controls are also provided to switch from the injection to the recirculation phase after a loss-of-coolant accident.

7.3.1.1.1 Function Initiation

The specific functions which rely on the ESFAS for initiation are listed below. In addition, see Table 15.0-6 for the engineered safety features required for specific design basis plant conditions.

For further information about the design of the functions discussed below, see the appropriate Logic Diagrams referenced in Table 1.7-1.

1. A reactor trip, provided one has not already been generated by the reactor trip system.


of the reactor coolant system (Table 7.3-3).

3. Those pumps and associated valves which provide core, containment, and other safety-related cooling functions (e.g., service water and component cooling water pumps).
4. Motor-driven and steam-driven auxiliary feedwater pumps and associated valves to provide a heat sink for the removal of decay heat from the reactor.
5. Phase A containment isolation, whose function is to prevent fission product release. (Isolation of all lines not essential to reactor protection.) (Table 7.3-4).
6. Steam line isolation to prevent the continuous, uncontrolled blowdown of more than one steam generator and thereby uncontrolled reactor coolant system cooldown (Table 7.3-5).
7. Main feedwater line isolation, as required, to prevent or mitigate the effect of excessive cooldown (Table 7.3-6).
8. Start the emergency generators to assure backup supply of power to ESF and essential auxiliary supporting systems components.
9. Initiate pressurized filtration for the control room to meet control room occupancy requirements. (Table 7.3-7).
10. Containment depressurization actuation (CDA) which performs the following functions:
a. Initiates containment spray to reduce containment pressure and temperature following a loss-of-coolant accident or a main steam or feedwater line break accident inside of containment (Table 7.3-8).
b. Initiates Phase B containment isolation which isolates the containment following a loss of reactor coolant accident, or a main steam or feedwater line break within containment to limit radioactive releases. (Phase B isolation, together with Phase A isolation, results in isolation of all but emergency core cooling system and containment spray lines penetrating the containment.) (Table 7.3-9).
11. Stripping of electrical loads, blocking of manual starting and time delayed starting, when required, of safety related electrical loads by the Emergency Generator Load Sequencer.


accident per Section 15.7.4.

13. Ventilation and filtration fans and associated dampers and valves which provide ventilation for vital building areas and filtration of air discharged from building.

7.3.1.1.2 Analog Circuitry

The process analog sensors and racks for the ESFAS are generically discussed in WCAP-7913 (1973). Discussed in this report are typical parameters to be measured, including pressures, flows, tank and vessel water levels, and temperatures, as well as the measurement and signal transmission considerations. These latter considerations include the transmitters, orifices and flow elements, and resistance temperature detectors, as well as automatic calculations, signal conditioning, and location and mounting of the devices.

The sensors monitoring the primary system are located as shown on the piping and instrumentation diagrams in Chapter 5, reactor coolant system. The secondary system sensor locations are shown on the steam and feedwater system piping and instrumentation diagrams given in Chapter 10.

7.3.1.1.3 Digital Circuitry

The ESF logic racks are discussed in detail in WCAP-7488-L (1971). The description includes the considerations and provisions for physical and electrical separation, as well as details of the circuitry. WCAP-7488-L (1971) also covers certain aspects of online test provisions, provisions for test points, considerations for the instrument power source, and considerations for accomplishing physical separation. The outputs from the analog channels are combined into actuation logic as shown on Sheets 5, 6, 7, 8, 13, 14, 15 and 16 of Figure 7.2-1.

To facilitate engineered safety features actuation testing, four cabinets (two per train) are provided which enable operation, to the maximum practical extent, of safety features loads on a group-by-group basis until actuation of all devices has been checked. Final actuation testing is discussed in detail in Section 7.3.2.

The Emergency Generator Load Sequencer uses digital logic which is described in Section 7.3.1.1.5 and shown on the Logic Diagrams referenced in Table 1.7-1. Each channel (one per train) of the radiation monitoring instrumentation associated with the Containment Purge Isolation function provides outputs directly to actuate equipment.

The outputs of the solid state logic protection system (the slave relays) are energized to actuate, as are most final actuators and actuated devices. These devices are listed as follows:

1. Emergency core cooling system pump and valve actuators. See Chapter 6 for flow diagrams and additional information.
2. Containment isolation (Phase A - T signal isolates all nonessential process lines on receipt of safety injection signal; Phase B - P signal isolates remaining process lines (which do not include safety injection lines) on receipt of 2-out-of-4 hi-3 containment pressure signal). For further information, see Section 6.2.4.
3. Service water pump and valve actuations (Chapter 9).
4. Auxiliary feed pumps start and valve actuators (Chapter 10).
5. Diesel start (Chapter 8).
6. Feedwater isolation valve actuators (Chapter 10).
7. Ventilation isolation valve and damper actuators (Chapter 6).
8. Steam line isolation valve actuators (Chapter 10).
9. Quench spray and recirculation containment pumps and valve actuators (Chapter 6).

7.3.1.1.5 ESF and Essential Auxiliary Support Systems

Engineered Safety Features System

The systems that comprise the ESF and essential auxiliary supporting systems for Millstone 3 are listed in Table 7.3-10. Their function and operation following ESFAS initiation are summarized in this section. Additional information on these systems can be found in the referenced sections.

Emergency Core Cooling System

The emergency core cooling system (ECCS) is described in Section 6.3 and is shown on Figure 6.3-1. Development of the SIS and CDA is shown on Figure 7.2-1 (Sheet 8 of 19).

The low pressure safety injection system, high pressure safety injection system, charging pumps of the chemical and volume control system, containment recirculation system, and residual heat removal system perform the function of core cooling for both normal plant cooldown and emergency core cooling.

RCS pressure condition exist (P-19), will discharge to the reactor coolant cold leg.

The component interlocks used in different modes of system operation are described in Section 6.3.2.1.

RHS Pump Interlock from Injection to Recirculation

The details of achieving cold leg recirculation following safety injection are given in Section 6.3.2 and in Table 6.3-7. Figure 7.6-3 shows the logic which is used to automatically control the RHS pumps.

Sequenced Safeguard Signals

A sequenced safeguard signal is generated by the emergency generator load sequencer for the safety injection pump, RHS pump, or charging pump whenever the signals listed with the associated pumps exist.

1. Safety Injection Pump
  • SIS recirculation mode then LOP
  • CDA recirculation mode then LOP
2. Residual Heat Removal Pumps
3. Charging Pumps
  • SIS recirculation mode and then LOP
  • CDA recirculation mode and then LOP
1. Residual Heat Removal System Pumps The RHS pumps have manual controls on the main control board and at the switchgear. An annunciator is alarmed in the control room when LOCAL control is selected. A low-low RWST level is directly annunciated in the control room and interlocks with the SI signal to trip the RHR pumps. The pumps are started automatically on receipt of a sequenced safeguard signal. When a safety injection signal exists, the pumps are stopped automatically on low-low RWST level.

Ammeters and indicator lights are located on the main control board and at the switchgear for the RHS pumps. ESF status lights on the main control board indicate when the RHS pumps are running. RHS pump AUTO trip and overcurrent is alarmed in the control room. Bypass and inoperable alarms are provided in accordance with Regulatory Guide 1.47.

Analysis

a. IEEE Standard 279-1971, Paragraph 4.2:

There are two residual heat removal pumps powered from separate emergency buses. No single failure at the system level will prevent operation of at least one residual heat removal system train.

b. IEEE Standard 279-1971, Paragraph 4.4:

Equipment qualifications are discussed in Sections 3.10 and 3.11.

c. IEEE Standard 279-1971, Paragraphs 4.9 and 4.10:

One train of the residual heat removal system at a time is taken out of service and periodically tested in accordance with the Technical Specifications.

This testing will consist of manually starting the pump during normal surveillance of the system or the breaker for the pump will be in the test position. Once the pump is running or the breaker is in the test position, the AUTO start and tripping is verified using the emergency generator load sequencer with safety signals generated internally or externally to the sequencer.


An RHR pump low pressure safety injection system Train A or Train B bypass annunciator is alarmed in the control room when any of the following conditions exist for Train A or B:

  • Loss of control power to RHS pump.
  • RHS pump circuit breaker racked out.
  • RWST to RHR pump valve not full open.
  • RHR pump to charging pump valve not full closed.
  • ESF ACU breaker open or control power not available.
  • RHR to hot leg isolation valve not full closed.
  • RHR heat exchanger flow control valve not full open.
  • Reactor plant CCW system bypass.
  • RHR to cold leg isolation valve not full open.
e. IEEE Standard 279-1971, Paragraph 4.16:

Once a safety signal is received, the residual heat removal system will go to completion. Deliberate operator action is required to stop the RHR pumps.

The safety signal must be reset and manual controls used.

f. IEEE Standard 279-1971, Paragraph 4.17:

The residual heat removal pumps have manual controls on the main control board and at the switchgear. A REMOTE/LOCAL control transfer switch at the switchgear is alarmed in the control room when LOCAL is selected.
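The RHS pump control described above (automatic start on a sequenced safeguard signal, automatic trip on low-low RWST level while a safety injection signal exists, and a protective action that runs to completion until the safety signal is reset and manual controls are used) is a small state machine, and the property a reviewer wants to confirm is that a control board STOP cannot defeat the sealed-in start. The following Python model is an added example written for this page, not plant or vendor logic: the signal names are the page's, the scan-by-scan event sequence is constructed, and the assumption that the safety-signal reset always succeeds is made here because the page does not say whether reset is permitted while the initiating condition persists.

```python
from dataclasses import dataclass, field


@dataclass
class RhsPumpControl:
    """One-train model of the RHS pump automatic and manual control logic."""
    running: bool = False
    sealed_in: bool = False     # protective action in progress (IEEE 279-1971, para. 4.16)
    si_signal: bool = False
    alarms: list = field(default_factory=list)

    def scan(self, sequenced_safeguard: bool, si_signal: bool, rwst_low_low: bool) -> bool:
        """Evaluate one scan of the automatic logic and return the pump run state."""
        self.si_signal = si_signal
        if sequenced_safeguard:
            # The sequenced safeguard signal starts the pump and seals in the
            # protective action; the start does not depend on the signal persisting.
            self.running = True
            self.sealed_in = True
        if self.running and si_signal and rwst_low_low:
            # With a safety injection signal present, low-low RWST level trips the
            # pump automatically (suction protection ahead of the recirculation switchover).
            self.running = False
            self.alarms.append("RHS pump AUTO trip")
        return self.running

    def reset_safety_signal(self) -> None:
        """Operator reset of the safety signal; releases the seal-in.  Assumption made
        for this example: the reset is always honoured."""
        self.sealed_in = False

    def manual_stop(self) -> bool:
        """Control board STOP.  Honoured only when no protective action is sealed in,
        so deliberate operator action (reset, then STOP) is needed to stop the pump."""
        if self.sealed_in:
            self.alarms.append("manual STOP rejected: safety signal not reset")
            return False
        self.running = False
        return True

    def manual_start(self) -> bool:
        """Control board START; returns the resulting run state."""
        self.running = True
        return self.running


def stop_attempt_during_safeguard() -> bool:
    """Constructed sequence: safeguard start, then an operator STOP without reset.
    Returns the pump run state after the STOP, which must still be True."""
    ctl = RhsPumpControl()
    ctl.scan(sequenced_safeguard=True, si_signal=True, rwst_low_low=False)
    ctl.manual_stop()
    return ctl.running


if __name__ == "__main__":
    print("pump still running after rejected STOP:", stop_attempt_during_safeguard())
```

The model separates the automatic trip (an interlock that acts regardless of the seal-in) from the manual stop (which the seal-in blocks); that distinction is what the bypass and AUTO-trip annunciators listed above are there to make visible to the operator.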

2. Safety Injection Pumps The safety injection pumps have manual controls on the main control board and at the switchgear. An annunciator is alarmed in the control room when LOCAL control is selected. The pumps are started automatically on receipt of a sequenced safeguard signal. Ammeters and indicator lights are located on the main control board and at the switchgear for the safety injection pumps. ESF status lights on the main control board indicate when a safety injection pump is running. Safety injection pump AUTO Trip or overcurrent is alarmed in the control room. Bypass

Analysis

a. IEEE Standard 279-1971, Paragraph 4.2:

There are two safety injection pumps powered from separate emergency buses. No single failure at the system level will prevent safety injection.

b. IEEE Standard 279-1971, Paragraph 4.4:

Equipment qualifications are discussed in Sections 3.10 and 3.11.

c. IEEE Standard 279-1971, Paragraph 4.13:

A bypass and inoperable annunciator in the control room is alarmed when any of the following conditions exists for Train A or B:

  • Safety injection pump control switch in pull to lock.
  • SI pump loss of control power or breaker racked out.
  • Bypass push button depressed.
  • RWST to safety injection pump valve not full open and valve circuit breaker open or control power not available.
  • ESF ACU breaker open or control power not available.
  • Safety injection cross connect valve not full open and valve circuit breaker open.
  • Safety injection pump to hot leg valve not full closed and valve circuit breaker open or control power not available.
  • Safety injection pump to cold leg valve not full open and valve circuit breaker open or control power not available.
  • Safety injection pump suction valve not full open and valve circuit breaker open or control power not available.
  • Containment recirculation injection system bypassed.
  • Safety Injection Pump Cooling Pump Circuit Breaker Open or Control Power Not Available or Motor Thermal Overload.


The safety injection pumps have manual controls on the main control board and at the switchgear. A REMOTE/LOCAL control transfer switch at the switchgear is alarmed in the control room when LOCAL is selected.

e. IEEE Standard 279-1971, Paragraphs 4.9 and 4.10:

One train at a time is taken out of service and periodically tested in accordance with the Technical Specifications.

This testing will consist of manually starting the pump during normal surveillance of the system or the breaker for the pump will be in the test position. Once the pump is running or the breaker is in the test position, the AUTO start and tripping is verified using the emergency generator load sequencer with safety signals generated internally or externally to the sequencer.

3. Charging Pumps

Normally, one charging pump is running. During a loss-of-coolant accident (LOCA), two charging pumps operate as part of the safety injection system. The third pump is a swing pump with a breaker cubicle on each emergency bus that is normally empty. The swing pump uses the breaker of the pump which is not in service. Mechanical and keylock switches prevent the pump from being placed on Train A and Train B emergency buses at the same time.

On a loss-of-power (LOP) signal the charging pump that is running is not stripped from the emergency bus; therefore, the pump starts immediately when power is restored. The pumps are started automatically on receipt of a sequenced safeguard signal.

Manual controls are provided on the main control board and at the switchgear for the charging pumps. An annunciator is alarmed on the main control board when local control is selected. ESF status lights indicate when a charging pump is running.

Ammeter and indicator lights are located at the switchgear and on the main control board.

Bypass and inoperable alarms are provided in accordance with Regulatory Guide 1.47.

Each charging pump has an auxiliary lube oil pump with a local STOP-AUTO control switch. The auxiliary lube oil pumps start automatically when AUTO is selected on low lube oil pressure, or when the associated charging pump is stopped. The auxiliary lube-oil pump stops automatically when AUTO is selected

Analysis

a. IEEE Standard 279-1971, Paragraph 4.2:

There are three charging pumps, 3CHS*P3A, B, and C. The C pump is a swing pump. Normally, two charging pumps (3CHS*P3A and B) have their breakers racked in and one of the two is running. In the event that the A or B pump fails, its breaker is racked out and racked into the C pump cubicle (Train A or B). Mechanical and electrical interlocks prevent the C pump from being connected to two buses at the same time.

Power is supplied to the charging pumps from two separate emergency buses. No single failure at the system level will prevent charging pump safety injection.
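The swing pump arrangement above (one breaker per train, a normally empty C cubicle on each bus, and mechanical/keylock interlocks so the C pump is never fed from both buses) can be modelled as a small state machine. The following is an added example written for this section, not code from the FSAR or the plant; the pump names come from the text, while the single transferable key, its initial location and the state layout are assumptions.

```python
"""Model of the swing charging pump breaker and keylock interlock.

Added example written for this section; it is not code from the FSAR or
from the plant. The pump names 3CHS*P3A, B and C and the rule that the C
pump may never be connected to both emergency buses at once come from the
text; the single transferable key, its initial location and the state
layout are assumptions made to keep the model concrete.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional

PUMPS = {"A": "3CHS*P3A", "B": "3CHS*P3B", "C": "3CHS*P3C"}
SWING = "C"


class InterlockViolation(Exception):
    """Raised when an operation would defeat the one-bus-at-a-time rule."""


@dataclass
class Train:
    name: str                   # emergency bus / train: "A" or "B"
    own_pump: str               # non-swing pump normally fed from this bus
    breaker_in: Optional[str]   # cubicle holding the train's breaker, or None


class ChargingPumpSwitchgear:
    """Two trains, each with one breaker and two cubicles (own pump, C)."""

    def __init__(self, key_at: str = "A") -> None:
        # Normal lineup: A and B breakers racked in, both C cubicles empty.
        self.trains: Dict[str, Train] = {
            "A": Train("A", "A", "A"),
            "B": Train("B", "B", "B"),
        }
        self.key_at = key_at  # assumption: one keylock key, held at this train

    def _other(self, train: str) -> Train:
        return self.trains["B" if train == "A" else "A"]

    def rack_out(self, train: str) -> None:
        self.trains[train].breaker_in = None

    def rack_in(self, train: str, cubicle: str) -> None:
        t = self.trains[train]
        if t.breaker_in is not None:
            raise InterlockViolation(
                f"Train {train} breaker is already racked in at cubicle {t.breaker_in}")
        if cubicle not in (t.own_pump, SWING):
            raise InterlockViolation(f"Train {train} has no cubicle for pump {cubicle}")
        if cubicle == SWING:
            # Mechanical interlock: pump C may not be fed from both buses.
            other = self._other(train)
            if other.breaker_in == SWING:
                raise InterlockViolation(
                    f"pump {PUMPS[SWING]} is already connected to Train {other.name}")
            # Keylock: the single key must be at this train's C cubicle.
            if self.key_at != train:
                raise InterlockViolation(f"keylock: key is held at Train {self.key_at}")
        t.breaker_in = cubicle

    def transfer_key(self, to_train: str) -> None:
        """The key stays captive while any breaker sits in a C cubicle."""
        for t in self.trains.values():
            if t.breaker_in == SWING:
                raise InterlockViolation(
                    f"key captive: pump {PUMPS[SWING]} is connected to Train {t.name}")
        self.key_at = to_train

    def lineup(self) -> Dict[str, Optional[str]]:
        """Pump connected to each emergency bus (None = breaker racked out)."""
        return {name: t.breaker_in for name, t in self.trains.items()}

    def bypass_annunciator(self, train: str) -> bool:
        """RG 1.47 bypass/inoperable input listed above: breaker racked out."""
        return self.trains[train].breaker_in is None


def is_blocked(action: Callable[[], None]) -> bool:
    """Run an operator action; True if the interlock refused it."""
    try:
        action()
    except InterlockViolation:
        return True
    return False


if __name__ == "__main__":
    sg = ChargingPumpSwitchgear(key_at="A")
    sg.rack_out("A")                      # pump 3CHS*P3A failed
    sg.rack_in("A", SWING)                # its breaker goes into the C cubicle
    sg.rack_out("B")
    print("C on both buses blocked:", is_blocked(lambda: sg.rack_in("B", SWING)))
    print("lineup:", sg.lineup(), "Train B alarmed:", sg.bypass_annunciator("B"))
```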

b. IEEE Standard 279-1971, Paragraph 4.4:

Equipment qualifications are discussed in Sections 3.10 and 3.11.

c. IEEE Standard 279-1971, Paragraph 4.13:

A bypass and inoperable annunciator in the control room is alarmed when any of the following conditions exists for Train A or B:

  • Charging pump A, B, or C control switch in pull to lock or loss of control power or breaker racked out.
  • Charging pump cubicle ventilation system bypassed.

(Auxiliary circuits associated with the inlet and outlet ventilation dampers for the charging pump cubicles do not provide input to bypass annunciator.)

  • Bypass push button depressed for charging pumps safety injection.
  • Charging pump header isolation valve not full open.
  • RWST to charging pump valve circuit breaker open.
  • VCT to charging pump valve circuit breaker open.
  • Charging pumps to reactor cold legs isolation valve circuit breaker open.

  • Charging pump cooling pump control switch in PULL TO LOCK or circuit breaker open.
  • Containment recirculation injection system bypassed.

d. IEEE Standard 279-1971, Paragraph 4.16:

Once a safety signal is initiated, the charging pumps go to completion.

Deliberate operator action is required to stop a charging pump. The safety signal must be reset and the pump stopped by manual controls.

e. IEEE Standard 279-1971, Paragraph 4.17:

The charging pumps have manual controls on the main control board and at the switchgear. A REMOTE/LOCAL control transfer switch at the switchgear is alarmed in the control room when LOCAL is selected.

f. IEEE Standard 279-1971, Paragraph 4.10:

One charging pump at a time can be taken out of service and periodically tested in accordance with the Technical Specifications.

g. This testing consists of either manually starting the pump during normal surveillance of the system or placing the breaker for the pump in the test position. Once the pump is running or the breaker is in the test position, the AUTO start and tripping are verified using the emergency generator load sequencer with safety signals generated internally or externally to the sequencer.
4. Refueling Water Storage Tank to Charging Pump Valve

Redundant RWST to charging pump valves have manual controls and indicator lights on the main control board and at the auxiliary shutdown panel. REMOTE/LOCAL transfer switches are on the transfer switch panels. An annunciator is alarmed in the control room when LOCAL control is selected. ESF status lights indicate when the valves are open. Open and closed valve positions are monitored by the plant computer. The valves open automatically on receipt of an SIS or when the volume control tank level is low-low.

Analysis

a. IEEE Standard 279-1971, Paragraph 4.2:

The RWST to charging pump valves are redundant and powered from separate emergency buses. No single failure at the system level will prevent charging pump safety injection.

b. IEEE Standard 279-1971, Paragraph 4.4:

Equipment qualifications are discussed in Sections 3.10 and 3.11.

c. IEEE Standard 279-1971, Paragraph 4.13:

The charging pump high pressure safety injection bypass annunciator is alarmed in the control room whenever any of the following conditions exist (Train A or B):

  • Circuit breaker for valve open.
  • Loss of control power to valve.
  • Valve motor thermal overload.

d. IEEE Standard 279-1971, Paragraph 4.16:

Once an SIS is initiated, the RWST to charging pump valves go to the fully open position. Deliberate operator action is required to close the valves.

The SIS must be reset and the valves closed by manual controls.

e. IEEE Standard 279-1971, Paragraph 4.17:

The RWST to charging pump valves have manual controls on the main control board and at the auxiliary shutdown panel. The REMOTE/LOCAL control transfer switches on the transfer switch panels are alarmed in the control room whenever LOCAL is selected.

f. IEEE Standard 279-1971, Paragraph 4.10:

The RWST valves are periodically tested in accordance with the Technical Specifications. Refer to Sections 7.3.1.2 and 7.3.2 for testing of engineered safety actuation system.

5. Volume Control Tank Outlet Isolation Valves

Redundant volume control tank (VCT) outlet isolation valves have manual controls and indicator lights on the main control board and on the auxiliary shutdown panel. REMOTE/LOCAL transfer switches are on the transfer switch

alarmed in the control room when a VCT outlet isolation valve is closed. Open and closed valve positions are monitored by the plant computer. The valves close automatically on receipt of an SIS or VCT low-low level signal, provided the associated RWST to the charging pump valve is open.

Analysis

a. IEEE Standard 279-1971, Paragraph 4.2:

The VCT outlet isolation valves are redundant and powered from separate emergency buses. No single failure at the system level will prevent VCT outlet isolation.

b. IEEE Standard 279-1971, Paragraph 4.4:

Equipment qualifications are discussed in Sections 3.10 and 3.11.

c. IEEE Standard 279-1971, Paragraph 4.13:

A charging pump high pressure safety injection bypass annunciator is alarmed in the control room whenever any of the following conditions exist (Train A or B):

  • Circuit breaker for valve open.
  • Loss of control power to valve.
  • Valve motor thermal overload.

d. IEEE Standard 279-1971, Paragraph 4.16:

Once an SIS or VCT low-low level signal is received, the VCT outlet isolation valves go fully closed. The SIS must be reset and the VCT low-low level signal cleared and the valves opened by manual controls.
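The suction swap logic of items 4 and 5 (RWST valve opens on SIS or VCT low-low level; VCT outlet valve closes on the same signals only once the associated RWST valve is open; the signal seals in until reset) can be simulated to show what the permissive buys. The following is an added example written for this section, not code from the FSAR or the plant; valve stroke times, the scan step and all names are assumptions.

```python
"""Simulation of the charging pump suction swap from the VCT to the RWST.

Added example for this section; it is not code from the FSAR or the plant.
The logic follows the text: the RWST valve opens on SIS or VCT low-low level,
the VCT outlet valve closes on the same signals only once the associated RWST
valve is open, the signal seals in, and a reset is needed before manual
repositioning. Stroke times, step size and all names are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

OPEN, CLOSE = "open", "close"


@dataclass
class MOV:
    """Motor-operated valve with a finite stroke; 0.0 = closed, 1.0 = open."""
    name: str
    position: float
    stroke_per_step: float = 0.25   # assumption: four scans for a full stroke
    demand: Optional[str] = None

    @property
    def full_open(self) -> bool:
        return self.position >= 1.0

    @property
    def full_closed(self) -> bool:
        return self.position <= 0.0

    def step(self) -> None:
        if self.demand == OPEN:
            self.position = min(1.0, self.position + self.stroke_per_step)
        elif self.demand == CLOSE:
            self.position = max(0.0, self.position - self.stroke_per_step)


@dataclass
class SuctionTrain:
    """One train: RWST-to-charging-pump valve and VCT outlet isolation valve."""
    rwst_valve: MOV = field(default_factory=lambda: MOV("RWST-to-CHG", 0.0))
    vct_valve: MOV = field(default_factory=lambda: MOV("VCT-outlet", 1.0))
    permissive: bool = True     # require RWST valve open before closing VCT
    sis_latched: bool = False   # SIS seals in until deliberately reset

    def update(self, sis: bool, vct_low_low: bool) -> None:
        """One logic scan followed by one increment of valve travel."""
        if sis:
            self.sis_latched = True
        swap = self.sis_latched or vct_low_low
        if swap:
            self.rwst_valve.demand = OPEN
            # The interlock: VCT outlet closes only once the RWST path is open,
            # so the pumps never lose both suction sources at once.
            if self.rwst_valve.full_open or not self.permissive:
                self.vct_valve.demand = CLOSE
        self.rwst_valve.step()
        self.vct_valve.step()

    def suction_source_open(self) -> bool:
        return self.rwst_valve.full_open or self.vct_valve.full_open

    def reset_sis(self) -> None:
        self.sis_latched = False
        self.rwst_valve.demand = None
        self.vct_valve.demand = None

    def manual_demand(self, valve: MOV, demand: str) -> bool:
        """Operator action; refused while the automatic signal is sealed in."""
        if self.sis_latched:
            return False
        valve.demand = demand
        return True


def run_swap(permissive: bool, scans: int = 10) -> Tuple[List[bool], SuctionTrain]:
    """Apply an SIS on the first scan, then let the valves stroke; return the
    per-scan suction_source_open() history and the final train state."""
    train = SuctionTrain(permissive=permissive)
    history = []
    for i in range(scans):
        train.update(sis=(i == 0), vct_low_low=False)
        history.append(train.suction_source_open())
    return history, train


if __name__ == "__main__":
    with_interlock, _ = run_swap(permissive=True)
    without_interlock, _ = run_swap(permissive=False)
    print("suction source open each scan, with permissive:   ", with_interlock)
    print("suction source open each scan, without permissive:", without_interlock)
```

Without the permissive the history shows three scans in which neither valve is fully open; with it, a fully open suction path exists on every scan.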

e. IEEE Standard 279-1971, Paragraph 4.17:

The VCT outlet isolation valves have manual controls on the main control board and at the auxiliary shutdown panel. The REMOTE/LOCAL control transfer switches on the transfer switch panels are alarmed in the control room whenever LOCAL is selected.

f. IEEE Standard 279-1971, Paragraph 4.10:

engineered safety actuation system.

6. Charging Pump to Reactor Cold Leg Isolation Valves

Redundant charging pump to reactor cold leg isolation valves have manual controls and indicator lights on the main control board. Open and closed valve positions are monitored by the plant computer. ESF status lights indicate when the valves are open. An annunciator is alarmed in the control room when an isolation valve is open. The valves open automatically on receipt of an SIS in conjunction with the cold leg injection permissive (P-19).

Analysis

a. IEEE Standard 279-1971, Paragraph 4.2:

The charging pump to reactor cold leg isolation valves are redundant and powered from separate emergency buses. No single failure at the system level will prevent charging pump safety injection.

b. IEEE Standard 279-1971, Paragraph 4.4:

Equipment qualifications are discussed in Sections 3.10 and 3.11.

c. IEEE Standard 279-1971, Paragraph 4.13:

The charging pump high pressure safety injection bypass annunciator is alarmed in the control room whenever any of the following conditions exist (Train A or B):

  • Circuit breaker for valve open.
  • Loss of control power to valve.
  • Valve motor thermal overload.

d. IEEE Standard 279-1971, Paragraph 4.16:

Once an SIS is initiated and the cold leg injection permissive (P-19) is enabled, the charging pump to cold leg isolation valves go to fully open.

Deliberate operator action is required to close the valves. The SIS must be reset and the valves closed by manual controls.

e. IEEE Standard 279-1971, Paragraph 4.17:

f. IEEE Standard 279-1971, Paragraph 4.10:

The charging pump to reactor cold leg isolation valves are periodically tested in accordance with the Technical Specifications. Refer to Sections 7.3.1.2 and 7.3.2 for testing of engineered safety actuation system.

7. Charging Pump to Reactor Coolant System Isolation Valves

Redundant charging pump to reactor coolant system isolation valves (normal charging flow path) have manual controls and indicator lights on the main control board. Open and closed valve positions are monitored by the plant computer. ESF status lights indicate when the valves are closed. The valves close automatically on receipt of an SIS.

Analysis

a. IEEE Standard 279-1971, Paragraph 4.2:

The charging pump to reactor coolant system isolation valves are redundant and powered from separate emergency buses. No single failure at the system level will prevent isolation of normal charging to reactor coolant system.

b. IEEE Standard 279-1971, Paragraph 4.4:

Equipment qualifications are discussed in Sections 3.10 and 3.11.

c. IEEE Standard 279-1971, Paragraph 4.13:

The charging pump high pressure safety injection bypass annunciator is alarmed in the control room whenever any of the following conditions exist (Train A or B):

  • Circuit breaker for valve open.
  • Loss of control power to valve.
  • Valve motor thermal overload.

d. IEEE Standard 279-1971, Paragraph 4.16:

Once an SIS is initiated, the charging pump to reactor coolant isolation valves go to the fully closed position. Deliberate operator action is required

e. IEEE Standard 279-1971, Paragraph 4.17:

The charging pump to reactor coolant isolation valves have manual controls on the main control board and at the auxiliary shutdown panel.

The REMOTE/LOCAL control transfer switches on the transfer switch panels are alarmed in the control room whenever LOCAL is selected.

f. IEEE Standard 279-1971, Paragraph 4.10:

The charging pump to reactor coolant system isolation valves are periodically tested in accordance with the Technical Specifications. Refer to Sections 7.3.1.2 and 7.3.2 for testing of engineered safety actuation system.

8. Charging Pump Miniflow Isolation Valves (Train B)

The miniflow isolation valve for each charging pump has manual controls and indicator lights on the main control board and at the auxiliary shutdown panel.

REMOTE/LOCAL control transfer switches are on a transfer switch panel. An annunciator is alarmed in the control room when LOCAL control is selected. An annunciator is alarmed in the control room when a valve is closed. ESF status lights indicate when a valve is closed. Open and closed positions are monitored by the plant computer. The valves close automatically on receipt of an SIS.

9. Charging Pump Miniflow Isolation Valve (Train A)

The charging pump combined miniflow isolation valve has manual control and indicator lights on the main control board. An annunciator alarms in the control room when the valve is closed. An ESF status light indicates when the valve is closed. The valve is closed automatically on receipt of an SIS.

Analysis

a. IEEE Standard 279-1971, Paragraph 4.2:

There are three Train B miniflow isolation valves and one combined Train A miniflow isolation valve. The Train A and Train B valves are powered from separate emergency buses. No single failure at the system level will prevent charging pump miniflow isolation.

b. IEEE Standard 279-1971, Paragraph 4.4:

Equipment qualifications are discussed in Sections 3.10 and 3.11.

c. IEEE Standard 279-1971, Paragraph 4.13:

The charging pump high pressure safety injection bypass annunciator is alarmed in the control room whenever any of the following conditions exist (Train A or B):

  • Circuit breaker for valve open.
  • Loss of control power to valve.
  • Valve motor thermal overload.

d. IEEE Standard 279-1971, Paragraph 4.16:

Once an SIS is initiated, the charging pump miniflow isolation valves go to the fully closed position. Deliberate operator action is required to open the valves. The SIS must be reset and the valves opened by manual controls.

e. IEEE Standard 279-1971, Paragraph 4.17:

The Train B charging pump miniflow isolation valves have manual controls on the main control board and at the auxiliary shutdown panel.

The REMOTE/LOCAL control transfer switches on the transfer switch panels are alarmed in the control room whenever LOCAL is selected.

f. IEEE Standard 279-1971, Paragraph 4.10:

The charging pump miniflow isolation valves are periodically tested in accordance with the Technical Specifications. Refer to Sections 7.3.1.2 and 7.3.2 for testing of engineered safety actuation system.

10. Accumulator Isolation Valves

Two accumulator isolation valves are powered from the Train A emergency bus; the other two are powered from the Train B emergency bus. Each valve has manual controls and indicator lights on the main control board and at the auxiliary shutdown panel. An annunciator is alarmed in the control room when LOCAL control is selected. ESF status lights indicate when a valve is closed. An annunciator is alarmed in the control room when a valve is closed. Open and closed positions are monitored by the plant computer. Signals from the ESFAS are provided to the valve(s) upon initiation of SIS or high pressurizer pressure (pressure above the P-11 setpoint). These signals would open the valves if they were closed and energized, but since the valves are locked open during normal operation with their power removed, the signals perform no actual function.

(See Section 6.3.2.2.6).

Analysis

a. IEEE Standard 279-1971, Paragraph 4.2:

The Train A and B accumulator isolation valves are powered from separate emergency buses.

b. IEEE Standard 279-1971, Paragraph 4.4:

Equipment qualifications are discussed in Sections 3.10 and 3.11.

c. IEEE Standard 279-1971, Paragraph 4.13:

The accumulator tank low pressure safety injection bypass annunciator is alarmed in the control room whenever an accumulator isolation valve is not fully open.

d. IEEE Standard 279-1971, Paragraph 4.16:

Once an SIS is initiated, the accumulator isolation valves would go to the fully open position if power were available and if the valves were closed.

Since these valves are locked open during normal operation with their power removed, the signal performs no actual function. (See Section 6.3.2.2.6). Deliberate operator action is required to close a valve.

The SIS must be reset, power must be restored and the valves closed by manual controls.

e. IEEE Standard 279-1971, Paragraph 4.17:

The accumulator isolation valves have manual controls on the main control board and at the auxiliary shutdown panel. The REMOTE/LOCAL control transfer switches on the transfer switch panels are alarmed in the control room whenever LOCAL is selected.

f. IEEE Standard 279-1971, Paragraph 4.10:

The accumulator isolation valves are periodically tested in accordance with the Technical Specifications. Refer to Sections 7.3.1.2 and 7.3.2 for testing of the engineered safety features actuation system.

Containment Depressurization System

The containment depressurization systems design is described in Section 6.2.2, and the flow diagrams are shown on Figures 6.2-37 and 6.2-38. The containment depressurization systems consist of the quench spray system and the containment recirculation spray system.

pump suction lines and discharge headers are open. To ensure proper position of these valves, the CDA signal actuates the valves to open and to override a possible close-test position. The motor-operated isolation valves in the quench spray system are closed during normal unit operation. The isolation valves in the quench spray discharge headers open upon receipt of a CDA signal. The solenoid pilot air-operated valves in the suction line from the RWST to the refueling water recirculation pumps close on a safety injection signal (SIS), thus isolating the nonsafety related portion of the suction piping downstream of the second isolation valve.

The quench spray pumps are started automatically on receipt of a CDA signal. On receipt of a CDA signal combined with a LOP signal, the quench spray pumps are sequenced on by the emergency generator load sequencer. The quench spray pumps are stopped automatically on receipt of a RWST empty signal.

The containment recirculation pumps are sequenced on automatically on receipt of a RWST Low-Level signal coincident with a CDA signal.

Containment Recirculation System Instrumentation

The following instrumentation is provided in the control room to monitor the system performance.

1. Redundant level indicators for the containment sump. One level channel is recorded.
2. Containment recirculation pump discharge pressure indicators.
3. Containment recirculation pump seal head tank low level alarm which detects seal water leakage or seal failure.
4. Containment recirculation cooler recirculation water outlet temperature.
5. Redundant containment sump temperature indicators.
6. Containment recirculation cooler service water outlet flow indicators.
7. Containment recirculation pump flow indicators.
8. Containment recirculation pump low discharge pressure annunciators interlocked with pump running signal.

A pressure transmitter in the common test line from the RWST and a pressure transmitter in the discharge line of each containment recirculation pump are utilized by the plant computer to verify performance of the containment recirculation pumps.

Analysis

a. IEEE Standard 279-1971, Paragraph 4.2:

The containment recirculation system is divided into two separate, redundant mechanical and electrical trains. This provides redundancy to prevent a failure of an active or passive component from impairing the system capability to supply water for the containment depressurization system.

b. IEEE Standard 279-1971, Paragraph 4.4:

Equipment qualifications are discussed in Sections 3.10 and 3.11.

c. IEEE Standard 279-1971, Paragraph 4.13:

The containment recirculation system bypass annunciator is alarmed in the control room whenever any of the following conditions exist (Train A and B):

  • Containment recirculation pump loss of control power or breaker racked out.
  • Containment recirculation pump control switch in pull to lock.
  • Containment recirculation pump area air conditioning unit - loss of control power or circuit breaker open.
  • Service water valve to reactor plant component cooling water heat exchanger not fully closed and circuit breaker open or loss of control power.
  • Service water valve to containment recirculation coolers not fully open and loss of control power or circuit breaker open.
  • Service water outlet valve for containment recirculation coolers not fully open.
  • Service water valve to turbine plant component cooling heat exchangers not fully closed and loss of power or circuit breaker open.
  • Service water valves to reactor plant component cooling heat exchangers safeguards test cabinet switch in PUSH TO TEST (Block Test Equip.).
  • Service water inlet valves for containment recirculation coolers safeguards test cabinet switch in PUSH TO TEST (Block Test Equip.).

Equip.).

  • Recirculation spray header isolation valve not fully open and loss of power or circuit breaker open.
  • Cross-connect valve to low pressure safety injection system not fully closed.
  • Recirculation spray pump suction valve not fully open and loss of power or circuit breaker open.
  • Manual bypass push button depressed.

d. IEEE Standard 279-1971, Paragraph 4.16:

Once a CDA signal coincident with an RWST Low-Low signal is received, the containment recirculation pumps are started automatically. Deliberate operator action is required to stop the pumps.

e. IEEE Standard 279-1971, Paragraph 4.10:

The containment recirculation system is periodically tested in accordance with the Technical Specifications.

f. IEEE Standard 279-1971, Paragraph 4.17:

Controls and indicators are provided in the control room for manual operation of the containment recirculation system. REMOTE/LOCAL control selector switches are provided for the containment recirculation pumps outside the control room at the switchgear. An annunciator is alarmed in the control room when LOCAL control is selected.

Switchover from the injection to recirculation phase for the recirculation system is described in Section 6.3. Logic for the RWST signals is found in Section 6.3.5.4.

Quench Spray System Instrumentation

The following instrumentation is provided in the control room to monitor the quench spray system.

1. Quench spray pump discharge flow indicators and low flow annunciators.
2. RWST (level indication and level alarms).

High and low RWST temperature is alarmed on the main control board.

4. The refueling water recirculation pumps and the associated coolers operate only during normal unit operation. One refueling water recirculation pump is normally in AUTO and starts on a predetermined RWST high temperature signal. The second pump can be placed in service manually. Both pumps are stopped by a low temperature signal - RWST temperature or refueling water recirculation pump suction line temperature. The objective of the instrumentation associated with the refueling water recirculation pumps is to maintain the temperature of the refueling water within design limits.

Analysis

a. IEEE Standard 279-1971, Paragraph 4.2:

The quench spray system is divided into two separate, redundant mechanical and electrical trains. This dual concept provides redundancy so that a failure of an active or passive component at the system level does not prevent the supply of water for the containment depressurization system.

b. IEEE Standard 279-1971, Paragraph 4.4:

Equipment qualifications are discussed in Sections 3.10 and 3.11.

c. IEEE Standard 279-1971, Paragraph 4.13:

The quench spray pump bypass annunciator is alarmed in the control room whenever any of the following conditions exist (Train A and B):

  • Quench spray pump in pull to lock.
  • Quench spray header isolation valve loss of control power or circuit breaker open.
  • Quench spray pump loss of control power or breaker racked out.
  • Quench spray pump area air conditioning unit loss of control power or circuit breaker open.
  • Manual bypass push button depressed.

d. IEEE Standard 279-1971, Paragraph 4.16:

Quench spray pump operation is automatically initiated on receipt of a Sequenced Safeguard Signal which is initiated by a CDA signal. The pumps stop automatically on receipt of an 'RWST Empty' signal. Deliberate operator action is required to stop the pumps prior to receipt of this signal.

e. IEEE Standard 279-1971, Paragraph 4.17:

Controls and indicators are provided in the control room for manual operation of the quench spray system. REMOTE/LOCAL control selector switches are provided for the quench spray pumps outside the control room at the switchgear.

An annunciator is alarmed in the control room when LOCAL control is selected.

f. IEEE Standard 279-1971, Paragraph 4.10:

The quench spray pumps are periodically tested in accordance with the Technical Specifications.

The testing and calibration of the level switches used for the detection of the RWST level is accomplished by taking one logic Train (A or B) out of service for a short duration.

The testing of the RWST level switches used for tripping the quench spray pumps will be used as an example. The switches may be tested in either of two ways:

  • In the first method, the circuit breakers in the train under test are racked to the TEST position and left in TRIP. The level switches for the train are then isolated from the RWST at the isolation valve in the safeguard building. A pressure test signal is injected to simulate level in the RWST above the reset point of the switch. The breaker is then closed and the test pressure is slowly decreased until the trip point is reached. Breaker indicating lights, annunciators, and computer points in the control room are verified to indicate the breaker tripped/empty condition and that the quench spray pump discharge valve goes shut.
  • In the second method, the quench spray pump for the train in test is manually started. Test pressure is then varied and indications are verified as stated above.

Verification that the test pressure connections have been removed and manifold valves have been reopened is accomplished by the use of alarms, valve position lights, and administrative procedures.
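The first test method above (breaker racked to TEST and left tripped, level switches isolated, test pressure injected above the reset point, breaker closed, pressure lowered until the trip point, indications verified, and restoration checked afterwards) can be simulated end to end. The following is an added example written for this section, not code from the FSAR or the plant; the setpoints, pressure units and all names are constructed assumptions.

```python
"""Simulation of the RWST level switch surveillance (the first method above).

Added example for this section; it is not code from the FSAR or the plant.
Setpoints, the pressure units and every name are constructed assumptions; the
sequence follows the text: breaker to TEST and left tripped, switches
isolated, test pressure injected above the reset point, breaker closed,
pressure lowered until the trip point, indications verified, and the
restoration check afterwards.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class LevelSwitch:
    """Pressure-sensed level switch with hysteresis: trips at or below
    trip_point and resets only when pressure returns to reset_point."""
    trip_point: float
    reset_point: float
    tripped: bool = False

    def update(self, pressure: float) -> bool:
        if pressure <= self.trip_point:
            self.tripped = True
        elif pressure >= self.reset_point:
            self.tripped = False
        return self.tripped


@dataclass
class QuenchSprayTrain:
    level_switch: LevelSwitch
    breaker_position: str = "CONNECTED"   # "CONNECTED" or "TEST"
    breaker_closed: bool = False
    discharge_valve_open: bool = True
    switch_isolated: bool = False         # isolation valve in the safeguard building
    test_connection_installed: bool = False
    manifold_open: bool = True

    def rwst_empty_alarm(self) -> bool:
        return self.level_switch.tripped

    def pump_running(self) -> bool:
        # In TEST the control circuit works but the pump is not connected to the bus.
        return self.breaker_closed and self.breaker_position == "CONNECTED"

    def scan(self, pressure: float) -> None:
        """One logic scan: an 'RWST empty' signal trips the pump breaker and
        shuts the discharge valve; both stay that way until restored by hand."""
        if self.level_switch.update(pressure):
            self.breaker_closed = False
            self.discharge_valve_open = False

    def restoration_discrepancies(self) -> List[str]:
        """Items the post-test alarms, position lights and procedures must clear."""
        found = []
        if self.test_connection_installed:
            found.append("test pressure connection still installed")
        if not self.manifold_open:
            found.append("manifold valve still closed")
        if self.switch_isolated:
            found.append("level switch still isolated from RWST")
        if self.breaker_position != "CONNECTED":
            found.append("breaker still in TEST position")
        return found


def run_method_one(train: QuenchSprayTrain, start_pressure: float,
                   step: float, max_steps: int = 100) -> Dict[str, object]:
    """Carry out the first test method and return the indications to verify."""
    train.breaker_position = "TEST"
    train.breaker_closed = False          # left in TRIP
    train.switch_isolated = True
    train.test_connection_installed = True
    train.manifold_open = False
    if start_pressure < train.level_switch.reset_point:
        raise ValueError("test signal must simulate level above the reset point")
    pressure = start_pressure
    train.scan(pressure)                  # switch resets on the simulated level
    train.breaker_closed = True
    pump_started = train.pump_running()   # must stay False in the TEST position
    trip_pressure: Optional[float] = None
    for _ in range(max_steps):            # slowly decrease the test pressure
        pressure -= step
        train.scan(pressure)
        if train.level_switch.tripped:
            trip_pressure = pressure
            break
    return {
        "trip_pressure": trip_pressure,
        "breaker_tripped": not train.breaker_closed,
        "discharge_valve_shut": not train.discharge_valve_open,
        "empty_alarm": train.rwst_empty_alarm(),
        "pump_started": pump_started,
    }


def restore_after_test(train: QuenchSprayTrain) -> None:
    """Remove test connections, reopen manifold valves, return breaker to service."""
    train.test_connection_installed = False
    train.manifold_open = True
    train.switch_isolated = False
    train.breaker_position = "CONNECTED"


if __name__ == "__main__":
    tr = QuenchSprayTrain(LevelSwitch(trip_point=10.0, reset_point=14.0))
    print(run_method_one(tr, start_pressure=20.0, step=1.0))
    print("before restoration:", tr.restoration_discrepancies())
    restore_after_test(tr)
    print("after restoration:", tr.restoration_discrepancies())
```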

Testing and inspections of the containment heat removal and depressurization systems are described in Section 6.2.2.4.

The initiation signals for the containment isolation system are a part of the engineered safety features actuation system. Penetration types and containment isolation valve arrangements are described in detail in Section 6.2.4.

The safety function of the containment isolation system is to isolate automatically appropriate lines penetrating the containment structure in order to limit the uncontrolled release of radioactive materials to the environment, following an accident.

Analysis

a. IEEE Standard 279-1971, Paragraph 4.2:

Containment isolation valves are located inside and outside of the containment structure, ensuring containment integrity. The containment isolation system provides two barriers between the atmosphere outside the containment structure and 1) the atmosphere inside the containment structure, 2) the reactor coolant system, and 3) the systems connected to Items 1 or 2 as a result of or subsequent to a DBA signal provided by safety injection, containment isolation Phase A (CIA), containment isolation Phase B (CIB), feedwater isolation (FWI), or steam line isolation (SLI).

These signals open or close containment structure penetrations for ESF systems which function to mitigate the consequences of an accident.

Containment isolation valves are actuated by electrically powered solenoid valves, by solenoid-operated air pilot valves or by motor operators. Valves controlled by electrically powered solenoid valves or solenoid-operated air pilot valves are designed to fail in the closed position upon loss of power or instrument air.

Operators for motor-operated valves are designed for fast closure so as to ensure containment isolation in the shortest possible time. Motor-operated valves fail in the as is position. Torque and limit switches ensure proper valve setting.

b. IEEE Standard 279-1971, Paragraph 4.4:

Equipment qualifications are discussed in Sections 3.10 and 3.11.

c. IEEE Standard 279-1971, Paragraph 4.13:

A containment isolation Phase A bypass annunciator is alarmed in the control room whenever any of the following conditions exist (Train A or B):

  • Reactor coolant pump seal water return valve - loss of power or circuit breaker open or motor thermal overload.

  • Loss of AC power to auxiliary relay control circuit.
  • Manual bypass push button depressed.
  • Containment atmosphere monitoring discharge isolation valve - loss of power or circuit breaker open, or thermal overload (Train B only).

A containment isolation Phase B bypass annunciator is alarmed in the control room whenever any of the following conditions exist (Train A or B):

  • Reactor plant component cooling isolation valves - loss of power or circuit breaker open or motor thermal overload.
  • Manual bypass push button depressed.

d. IEEE Standard 279-1971, Paragraph 4.16:

Any automatic containment isolation action, once initiated, will go to completion.

The return to normal operating conditions requires deliberate operator action.

Consistent with IE Bulletin 80-06 which allows actions other than modification or design change to ensure safety related equipment remains in its emergency mode upon reset of an ESF signal, procedural steps are prescribed to ensure the main steam pressure relieving valves remain closed upon SLI reset.

e. IEEE Standard 279-1971, Paragraph 4.17:

The operator has the means for manual initiation of the containment isolation system independent of automatic actuation. Manual controls and visual indication for the containment isolation valves are described in Sections 7.5 and 6.2.4.

f. IEEE Standard 279-1971, Paragraph 4.10:

Containment isolation valves are tested to ensure they are capable of closing by operating manual switches in the control room and by observing the position lights. Periodic testing during normal operation is performed on all containment isolation valves except those where the test would interrupt or upset normal operation. Testing of these valves is performed during refueling shutdowns.

Refer to Section 6.2.4.4 for testing and inspection procedures of containment isolation valves in various systems. Table 6.2-65 lists design, operating, and functional parameters of all containment isolation valves.

The design bases for the controls of the containment isolation system are:

of the containment isolation valve controls from affecting the controls of the redundant valve.

2. The controls of the containment isolation system are designed to withstand seismic loads and to operate in adverse environmental conditions in accordance with requirements described in Sections 3.10 and 3.11, respectively.

Status lights monitoring the status of containment isolation valves enable the operator, during emergency conditions, to make sure all isolation valves are in the required position, or to take corrective action if necessary.

Combustible Gas Control System in Containment (HCS)

The combustible gas control system is described in Section 6.2.5 and its piping and instrumentation diagram is shown on Figure 6.2-36.

The hydrogen recombiner system, though currently installed, is not used to provide any mitigating function. The hydrogen recombiner system, associated controls, alarms (including Regulatory Guide 1.47 bypass alarms) and ventilation dampers have been isolated awaiting abandonment. The system discussion describes the system as originally installed and operated.

Each of the redundant trains in the hydrogen recombiner system is completely instrumented to ensure the system performs its function following any single failure. Because the hydrogen recombiner is connected to safety related electrical busses, the hydrogen recombiners are safety-related.

A hydrogen analyzer is permanently installed in each train to provide the capability of analyzing the hydrogen content in the gas being drawn from the containment atmosphere.

Once the hydrogen burn-off process has started, a temperature controller maintains the recombiner chamber temperature at approximately 1,300°F. Flow, temperature, and pressure indication is provided at each hydrogen recombiner blower discharge. Temperature indication is provided at the discharge of each electric preheater and a pressure indicator is provided at the discharge of each hydrogen recombiner.

Each set of instrumentation and controls requiring electric power is supplied from an independent source. 120 VAC power is supplied from the 120 VAC vital buses and 125 VDC power from the 125 VDC buses.

Analysis

a. Deleted:


Equipment qualifications are discussed in Sections 3.10 and 3.11.

c. IEEE Standard 279-1971, Paragraph 4.13:

A DBA hydrogen recombiner system bypassed annunciator is alarmed in the control room whenever any of the following conditions exists (Train A or B):

  • Recombiner building inlet and outlet ventilation damper loss of control power.

(Auxiliary power circuits associated with the inlet and outlet ventilation dampers do not provide input to bypass annunciator.)

  • Manual bypass push button depressed.

d. IEEE Standard 279-1971, Paragraph 4.16:

The DBA hydrogen recombiner system is manually initiated and monitored locally in the hydrogen recombiner building. After the initial heatup of the system, the system operates automatically with common alarms located in the control room to alert the operator of a malfunction.

e. IEEE Standard 279-1971, Paragraph 4.17:

The DBA hydrogen recombiner system operating parameters are monitored, indicated, and controlled locally. In addition, recombiner bypassed and common trouble alarms are annunciated in the control room. Indicators and a recorder (Channel A only) for hydrogen gas concentration are located on the main control boards. The system bypass push button and loss of control power to the system cubicle ventilation dampers are monitored by the plant computer.

f. IEEE Standard 279-1971, Paragraphs 4.9 and 4.10:

The hydrogen analyzer is tested, by injecting sample gases, to verify zero and span calibration.

Supplementary Leak Collection and Release System

The supplementary leak collection and release system (SLCRS) is described in Section 6.2.3; its diagram is shown on Figure 9.4-2.

The SLCRS consists of two exhaust fans, each supplied from a separate emergency bus, two filter banks, and the associated ductwork and dampers.


ation within 120 seconds upon receipt of an SIS or when manually started.

Following a LOCA, the SIS signal 1) opens the SLCRS Train A and B filter bank inlet and 2) starts the SLCRS Train A and B exhaust fans.

High differential pressure across the roughing filter, high efficiency particulate air (HEPA) filter, carbon absorber, and HEPA filter of each filter bank is alarmed in the control room.

The filtered exhaust is monitored for radiation (Section 11.5) prior to discharge to atmosphere via the Millstone 1 stack.

Analysis

a. IEEE Standard 279-1971, Paragraph 4.2:

The supplementary leak collection and release system is divided into two separate, redundant mechanical and electrical trains. This dual train concept provides sufficient redundancy to prevent a single failure from impairing the system capability to maintain a negative pressure of greater than or equal to 0.4 inch water gauge at the 24 foot 6 inch elevation within 120 seconds.

b. IEEE Standard 279-1971, Paragraph 4.4:

Equipment qualifications are discussed in Sections 3.10 and 3.11.

c. IEEE Standard 279-1971, Paragraph 4.13:

The SLCRS bypassed annunciator is alarmed in the control room whenever any of the following conditions exists (Train A or B):

  • SLCRS fan control switch in pull to lock position.
  • SLCRS fan loss of power or circuit breaker open.
  • Manual bypass push button depressed.
  • Reactor plant component cooling pump cubicle ventilation system bypass.
  • Auxiliary Building filter system exhaust fan control switch in pull to lock, or circuit breakers open, or loss of control power.
  • Auxiliary Building filter system exhaust fan damper circuit breaker open, or loss of control power.


Once an SIS is received, the SLCRS exhausts, creates, and maintains a partial vacuum of greater than or equal to 0.4 inch water gauge at the 24 foot 6 inch elevation within 120 seconds. Deliberate operator action is required to release the SLCRS from maintaining this vacuum.

e. IEEE Standard 279-1971, Paragraph 4.10:

The SLCRS is periodically tested in accordance with the Technical Specifications.

Fans, air operated dampers, and controls for the supplementary leak collection system are tested by automatically starting on a simulated SIS signal and allowing them to reach operating speed with all dampers in the operating position before being shut down.

Auxiliary Feedwater System

The auxiliary feedwater system, except for ESFAS initiation signals, is described in Section 10.4.9. The safety related portions of the auxiliary feedwater system are shown on Figure 10.4-6.

One turbine-driven auxiliary feedwater pump and two motor-driven pumps are provided. Each motor-driven pump has half the capacity of the turbine-driven pump. Power is supplied to the motor-driven pumps from separate emergency buses. Steam supply to the turbine-driven pump is shown on Figure 10.3-1. A branch line from three main steam lines (A, B, D) is connected into a common header to supply steam to the turbine. A normally closed air-operated valve is installed in each branch line (A, B, D). Each air-operated valve is controlled by two solenoid-operated valves connected in series in the air supply line. The solenoid-operated valves are supplied power from separate emergency 125 VDC buses. Loss of DC power to either solenoid-operated valve vents air to open the associated air-operated valve. A motor-operated stop check valve is installed in each line. These valves are normally in the open position. Power for each of the motor-operated stop check valves is supplied from an emergency bus.

During normal operation, the operability of all valves in the auxiliary feedwater system is verified by remote manual action. The three air-operated valves are exercised similarly by isolating the steam supply to the turbine-driven auxiliary feedwater pump by closing the motor-operated stop check valves in the steam lines.

In the auxiliary feedwater system, the motor-driven pumps are started automatically by the following signals: (These signals also close the blowdown isolation and sample line valves for all steam generators.)

  • Safety injection or containment depressurization (from the Emergency Generator Load sequencer).
  • AMSAC actuation signal (from AMSAC system).
  • Emergency bus loss of power (LOP signal).

The motor-driven pumps are also started manually.

Starting the turbine-driven pump is initiated automatically by:

  • Two out of four (2/4) low-low level in two or more steam generators (from solid state protection system).
  • Emergency DC bus loss of power (not actually an initiation signal but, rather, a failure mode of the solenoid valves for the turbine-driven auxiliary feedwater pump steam supply valves).
  • AMSAC actuation signal (from AMSAC system).

The turbine-driven pump is also started manually.

Indication and controls required for the auxiliary feedwater system in the event of inaccessibility of the control room are provided on the auxiliary shutdown panel described in Section 7.4.

Instrumentation required for post-accident monitoring is described in Section 7.5. The solenoid-operated modulating valves in the auxiliary feedwater supply line to each steam generator are manually operated from the main control board or from the auxiliary shutdown panel.

The motor-operated valves in the auxiliary feedwater lines from the motor-driven auxiliary feedwater pumps discharge are manually operated from the main control board or from the auxiliary shutdown panel. The valves associated with any one auxiliary feedwater line are powered from different emergency buses. The valves are normally open so that loss of power to an emergency bus does not prevent the isolation or control of auxiliary feedwater to a steam generator. An air-operated valve is provided for each motor-driven steam generator auxiliary feedwater pump, and a hand control valve is provided for the turbine-driven auxiliary feedwater pump between the pump suction and the condensate storage tank to allow pump suction to be taken from the tank. The condensate storage tank suction valves for the motor-driven pumps can be operated from the main control board or from the auxiliary shutdown panel, or close automatically on receipt of an SIS, CDA, auxiliary feedwater pump AUTO start (any steam generator 2/4 low-low level), AMSAC, or LOP signal. The condensate storage tank suction valve for the turbine-driven auxiliary feedwater pump is administratively locked closed. These valves are normally closed, and the air-operated valves fail closed on loss of control air or electric power.

Steam generator auxiliary feedwater pump suction and discharge pressure is indicated in the control room and monitored by the plant computer. Flow in each steam generator auxiliary feedwater supply line is indicated by flow indicators in the control room and on the auxiliary

facilitate safe shutdown from shutdown locations following a fire as described in Section 6.2.11 of the Fire Protection Evaluation Report.)

The correct operation of the auxiliary feedwater system is verified in conjunction with the steam generator auxiliary feedwater pump test described in Section 10.4.9.4. The steam generator auxiliary feedwater pumps are operated during this test. Testing of actuated devices and associated control is performed periodically to ensure reliability and performance.

Redundant demineralized water storage tank (DWST) level transmitters with redundant level indicators are provided on the main control board and on the auxiliary shutdown panel. Level is recorded for one channel and the other channel provides high, low, and low-low level annunciation on the main control board.

The DWST temperature is maintained above a minimum temperature automatically by a demineralized water storage tank electric heater and circulating pump. Low temperature is alarmed on the main control board.

Bypass indication is provided in the control room and is isolated such that it does not degrade the protection function of the auxiliary feedwater system.

Analysis

a. IEEE Standard 279-1971, Paragraph 4.2:

There are two motor-driven auxiliary feedwater pumps with power supplied from separate emergency buses. The motor-driven pumps each supply auxiliary feedwater to two steam generators.

A turbine-driven auxiliary feedwater pump supplies auxiliary feedwater to all four steam generators. The turbine is supplied steam from three separate steam generators (3RCS*SG1A, B, or D). Each steam supply line to the auxiliary feed pump turbine has an air-operated valve normally closed and a motor-operated valve normally open. Each air-operated valve has two solenoid valves, each supplied power from separate emergency DC buses. Loss of power to either solenoid valve vents air from the associated air-operated valve and causes it to open. Two of the normally open motor-operated valves are powered from the Train A emergency bus and the other is powered from the Train B emergency bus. No single failure at the system level will prevent the auxiliary feedwater pumps from supplying auxiliary feedwater to the steam generators.

Each auxiliary feedwater line from a motor-driven pump has a normally open solenoid valve that fails open and a motor-operated valve normally open that fails as is on loss of power. The valves are powered from separate emergency buses; the motor-operated valve is powered from the opposite electrical train as the motor-

Each auxiliary feedwater line from the turbine-driven pump has two normally open solenoid valves that fail open. The valves are powered from separate emergency buses. No single failure will prevent the control of auxiliary feedwater flow to a steam generator.

Each auxiliary feedwater line to a steam generator has a Train A and a Train B feedwater flow transmitter that is powered from separate power supplies. One auxiliary feedwater flow transmitter has an associated main control room indicator and the other displays on plant computer. Two Train A and two Train B auxiliary feedwater flow indicators, one for each steam generator, are on the main control board and on the auxiliary shutdown panel. No single failure will prevent at least two auxiliary feedwater flow indicators from indicating at the main control board and at the auxiliary shutdown panels. There is a Train A and Train B steam generator level indicator for each steam generator on the main control board and at the auxiliary shutdown panel that can be used as backup indication for the flow indicators.

There are two trains of DWST level indicators on the main control board and at the auxiliary shutdown panel. The Train A level is recorded on the main control board.

The trains are powered from separate buses. No single failure will prevent DWST level indication on the main control board or at the auxiliary shutdown panel.

No single failure at the system level will prevent auxiliary feedwater from being supplied to the steam generators.

b. IEEE Standard 279-1971, Paragraph 4.4:

Equipment qualifications are discussed in Sections 3.10 and 3.11.

c. IEEE Standard 279-1971, Paragraph 4.13:

The motor-driven auxiliary feedwater system bypass (Train A) annunciator is alarmed in the control room whenever any of the following conditions exist:

  • Either feed pump motor loss of control power or breaker racked out.
  • Either pump motor control switch in pull to lock position.


The auxiliary turbine-driven feed pump bypass (Train B) annunciator is alarmed in the control room whenever any of the following conditions exist:

  • 3MSS*MOV17A, B, or D not fully open.
  • Manual bypass push button depressed.

d. IEEE Standard 279-1971, Paragraph 4.16:

Once an auxiliary feedwater pump start signal is received, the auxiliary feedwater pumps go to completion and run. Deliberate operator action must be taken to stop an auxiliary feedwater pump. The AUTO start signal must be cleared and the pumps stopped by manual controls. An exception is that the motor-driven pumps are stopped automatically by low lube oil pressure, and electrical protection trips; the Train A motor-driven pump is isolated from AUTO start and sequencer signals when in LOCAL control to facilitate safe shutdown from a remote shutdown location following a fire as described in Section 6.2.11 of the Fire Protection Evaluation Report. The turbine-driven auxiliary feedwater pump is stopped automatically by overspeed protection.

e. IEEE Standard 279-1971, Paragraph 4.17:

The motor-driven auxiliary feedwater pumps have manual controls on the main control board and at the switchgear. REMOTE/LOCAL control transfer switches at the switchgear are alarmed in the control room when LOCAL is selected.

The turbine-driven auxiliary feedwater pump steam supply valves have manual controls on the main control board and at the auxiliary shutdown panel. REMOTE/

LOCAL control transfer switches on the transfer switch panels are alarmed in the control room when LOCAL is selected.

The turbine-driven auxiliary feedwater pump speed changer has manual controls on the main control board and local to the pump. REMOTE/LOCAL control transfer switch on the local control panel is alarmed in the control room when remote is selected.


transfer switches on the transfer switch panels are alarmed in the control room when LOCAL is selected.

f. IEEE Standard 279-1971, Paragraph 4.10:

One motor-driven auxiliary feedwater pump at a time is taken out of service and periodically tested in accordance with the Technical Specifications.

This testing will consist of manually starting the pump during normal surveillance of the system or the breaker for the pump will be in the test position. Once the pump is running or the breaker is in the test position, the AUTO start and tripping is verified using the emergency generator load sequencer with safety signals generated internally or externally to the sequencer.

Refer to Section 10.4.9.4 for testing of turbine-driven auxiliary feedwater pump.

The auxiliary feedwater control and isolation valves are periodically tested in accordance with the Technical Specifications. The valves are operated manually with controls on the main control board and at the auxiliary shutdown panel.

The steam supply valves for the turbine-driven pump are periodically tested in accordance with the Technical Specifications.

g. IEEE Standard 279-1971, Paragraphs 4.9 and 4.10:

The DWST level transmitters and auxiliary feedwater flow transmitters are periodically tested in accordance with the Technical Specifications.

Filtration System

The ESF filtration system consists of the auxiliary building filter system (ABFS) which is described in Section 9.4.2 and its flow diagram is shown on Figure 9.4-2.

The ABFS consists of two ABFS exhaust fans, each supplied from a separate emergency bus, two filter banks, and the associated ductwork and dampers.

The following areas are exhausted by the ABFS:

  • Waste disposal building
  • Auxiliary building
  • Containment purge air system

Exhaust from the areas can be directed through the auxiliary building filters or bypassed to atmosphere. Both paths of exhaust are provided with redundant air-operated dampers with solenoid pilot valves, with the exception of the filter inlet from the charging pump and component cooling water pump area. The redundant dampers are in series and fail closed on loss of power or air. The filter inlet dampers from the charging pump and component cooling water area are in parallel; one is fixed full open, the other fixed closed. Normally, the exhaust from the areas is bypassed to the atmosphere. However, the exhaust from any or all of the areas can be manually directed through the filters. On receipt of a SIS, LOP, or CDA signal, the normal exhaust dampers from the charging pump and component cooling water pump area close automatically. All other inlet dampers and filter bypass to atmosphere dampers are closed on receipt of a SIS, LOP, or CDA, or by manual operation; the Train A filter inlet and exhaust fan discharge dampers open and start the Train A filter exhaust fan. Train B is then on standby. The safeguard signal is initiated by a SIS or CDA signal. During LOP, the exhaust fans are sequenced in accordance with the emergency generator load sequence. The standby filter train is started automatically on a high plenum pressure signal from the operating train.

During refueling and in the event of high radiation from one of the areas exhausted by the ABFS, the exhaust flows are manually diverted to the auxiliary building filter bank.

The fuel building filter banks are normally bypassed by the unfiltered exhaust fan. During refueling and in the event of high radiation, the fuel building exhaust is manually diverted to the fuel building filter bank. Either Train A or Train B is operated with the other train in standby.

The auxiliary building and fuel building filter banks have manual controls located on the main heating and ventilation panel in the control room and at the switchgear. REMOTE/LOCAL control selector switches are provided at the switchgear. An annunciator is alarmed in the control room when LOCAL control is selected.

High differential pressure across the prefilter, carbon absorber, and/or HEPA filter of each filter bank is alarmed in the control room.

Analysis

a. IEEE Standard 279-1971, Paragraph 4.2:

There are two redundant ESF filtration Trains (A and B). The equipment in Train A is supplied from one emergency bus and Train B equipment is supplied from a separate emergency bus. No single failure at the system level will prevent the ESF filtration system from filtering the air system during an accident.


Equipment qualifications are discussed in Sections 3.10 and 3.11.

c. IEEE Standard 279-1971, Paragraph 4.13:

A charging pump high pressure safety injection system bypass annunciator is alarmed in the control room whenever any of the following conditions exist (Train A or B):

  • Auxiliary building filter system fan in pull to lock position.
  • Auxiliary building filter system fan loss of control power or breaker racked out.
  • Auxiliary building filter system fan outlet damper loss of power or circuit breaker open.

d. IEEE Standard 279-1971, Paragraph 4.16:

Once initiated by a safety signal, the ESF filtration system will go to completion.

Return to normal operation requires deliberate operator action by resetting safety signals and using manual controls.

e. IEEE Standard 279-1971, Paragraph 4.17:

The auxiliary building and fuel building filter banks have manual controls located on the main heating and ventilation panel in the control room and at the switchgear. REMOTE/LOCAL control selector switches are provided at the switchgear. An annunciator is alarmed in the control room when LOCAL control is selected.

f. IEEE Standard 279-1971, Paragraph 4.10:

The ESF filtration system is periodically tested in accordance with the Technical Specifications.

Essential Auxiliary Support Systems

Auxiliary support systems that are required to function upon initiation of ESFAS are listed in Table 7.3-10. A summary description of these systems is provided in this section. Additional details can be found in the referenced sections.


The service water system is described in Section 9.2.1 and its flow diagram is shown on Figure 9.2-1. For the purpose of instrumentation and control application, a recapitulation of the system design follows.

Two service water headers, each supplied by two service water pumps, are provided. The power for the two-train design is supplied from two separate emergency buses as shown on Figure 8.1-1.

Either of the two redundant service water system trains has the capability to supply sufficient quantities of cooling water to the required equipment for safe shutdown. For the emergency mode of operation, the supply lines to the nonsafety related equipment are isolated by automatic closure of isolation valves. A LOP, CDA, or service water low header pressure signal automatically closes isolation valves in the supply line to the turbine plant component cooling heat exchangers. A LOP or CDA signal automatically closes isolation valves in the supply lines to the circulating water pumps lube water. In addition to those closed on a LOP or CDA signal, the CDA signal automatically closes the isolation valves in the supply lines to the reactor plant component cooling heat exchangers and automatically opens supply valves to the containment recirculation coolers. A LOP, SIS, or CDA signal causes automatic opening of the air-operated valves in the outlet lines from the diesel engine coolers. A LOP signal starts service water booster pumps that supply the MCC and rod control area air-conditioning units.

Continuous radiation monitoring is provided in the service water discharge headers (Section 11.5). Following a DBA, continuous radiation monitoring (Section 11.5) is provided in the discharge of each train of containment recirculation coolers. Each containment recirculation cooler has a remotely operated valve in its supply and discharge line. On a high radiation alarm, the operator can isolate the affected containment recirculation cooler train.

Control switches and indicating lights for the service water pump motors are provided on the main control board and at the switchgear. REMOTE/LOCAL control selector switches and LEAD/FOLLOW pump selector switches are located at the switchgear. An annunciator is alarmed in the control room when LOCAL control is selected. One service water pump in each train is started manually. The standby pump is started automatically by a pressure switch detecting low discharge pressure in the associated header. The action of these pressure switches is blocked by a LOP signal.

The service water pumps are operated in the following manner under the indicated accident conditions:

1. LOCA with off site power available. All pumps that are operating prior to the accident continue to operate.
2. LOCA coincident with loss of off site power. Two pumps, one on each emergency bus, start automatically in accordance with the emergency generator loading sequence. Should one of the two service water pumps fail to start, the redundant pump on the same emergency bus starts automatically after a time delay.


The service water system is also a cooling source for the control building chilled water system.

Master and slave valves in the chiller condenser outlet line and a temperature element/controller in the booster pump discharge line provide temperature control for the chilled water system condenser by means of a controlled bypass from the slave valve to the booster pump suction.

The control building chilled water system service water booster pumps are interlocked to start and stop with the associated control building chilled water pump. Pressure in the service water headers is indicated in the control room. For reliability purposes, correct operation of the pressure measuring loop in the service water header is verified by valving the pressure transmitter out of service and applying a simulated signal. Similarly, the header low pressure annunciation is also verified during normal operation. These tests verify correct operation of the loops and of the indications provided in the control room.

Service water discharge flow indicators and high/low flow annunciators are provided on the main control board for the containment recirculation coolers and reactor plant component cooling heat exchangers. High/low service water outlet flow annunciators are provided on the main control board for the diesel engine jacket water coolers. Correct operation of flow measuring loops is verified by valving the flow transmitter or switch out of service and applying a simulated signal.

The operability of the service water system controls and indications common for both normal and emergency mode of operation is verified by their normal use. Instrumentation provided for the containment recirculation coolers is tested in conjunction with the containment recirculation system test.

Bypass indication is provided in the control room for the service water system.

Analysis

a. IEEE Standard 279-1971, Paragraph 4.2:

There are two redundant service water trains (A and B) and there are two service water pumps in each train. Normally one pump in each train is running with the other in standby. The pumps in Train A are supplied from one emergency bus and Train B pumps are supplied from a separate emergency bus. No single failure at the system level will prevent the service water pumps from supplying service water.

b. IEEE Standard 279-1971, Paragraph 4.4:

Equipment qualifications are discussed in Sections 3.10 and 3.11.


A bypass annunciator is alarmed in the control room whenever any of the following conditions exist (Train A or B):

  • Service water pump loss of control power or breaker racked out or control switch in pull to lock and the other pump in the same train with loss of control power or breaker racked out or control switch in pull to lock.
  • Service water pump area air conditioning unit circuit breaker open or loss of control power.
  • Service water pump area air conditioning unit control switch in pull to lock.
  • Manual bypass push button depressed.

d. IEEE Standard 279-1971, Paragraph 4.16:

Once a safety signal is initiated, the lead service water pump in each Train (A and B) will start. In the event that the lead pump does not start, the follow pump will start one-half second later. To stop a running service water pump requires deliberate operator action; the safety signals must be reset and manual controls used to stop the pump.
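As an added example (not text or code from the FSAR), the following Python model walks through the service water pump start and stop logic described above: the lead/follow start with the one-half second delay, the pressure-switch standby start that a LOP signal blocks, and the reset-then-manual stop. The class and function names and the scenario values are this example's own assumptions.

```python
"""Constructed model of one service water train's pump auto-start logic.
Times are in seconds; pump names and scenarios are this example's own."""
from dataclasses import dataclass, field

FOLLOW_DELAY_S = 0.5  # follow pump starts one-half second after a failed lead start


@dataclass
class Pump:
    name: str
    can_start: bool = True   # False models a pump that fails to start on demand
    running: bool = False


@dataclass
class Train:
    """A lead and a follow pump on one emergency bus, plus the latched signals."""
    lead: Pump
    follow: Pump
    safety_signal: bool = False      # SIS/CDA/LOP, latched until reset
    lop: bool = False                # loss of off-site power on this bus
    log: list = field(default_factory=list)  # (time, pump, event, reason)

    def _start(self, pump: Pump, t: float, reason: str) -> bool:
        if pump.can_start and not pump.running:
            pump.running = True
            self.log.append((t, pump.name, "START", reason))
            return True
        self.log.append((t, pump.name, "FAIL", reason))
        return False

    def safety_signal_received(self, t: float, lop: bool = False) -> None:
        """Lead pump starts; if it does not, the follow pump starts 0.5 s later."""
        self.safety_signal = True
        self.lop = self.lop or lop
        if not self._start(self.lead, t, "safety signal, lead pump"):
            self._start(self.follow, t + FOLLOW_DELAY_S, "follow after lead failed")

    def low_header_pressure(self, t: float) -> bool:
        """Pressure switch starts the standby pump unless a LOP signal blocks it."""
        if self.lop:
            self.log.append((t, "pressure switch", "BLOCKED", "LOP present"))
            return False
        standby = self.follow if self.lead.running else self.lead
        return self._start(standby, t, "low header pressure")

    def operator_stop(self, pump: Pump, t: float) -> bool:
        """Stopping needs the safety signal reset first, then manual action."""
        if self.safety_signal:
            self.log.append((t, pump.name, "STOP REFUSED", "safety signal not reset"))
            return False
        pump.running = False
        self.log.append((t, pump.name, "STOP", "manual"))
        return True

    def reset_safety_signal(self) -> None:
        self.safety_signal = False
        self.lop = False

    def running_pumps(self) -> list:
        return [p.name for p in (self.lead, self.follow) if p.running]


def scenario_lead_fails_to_start() -> Train:
    """Constructed case: lead pump A1 fails on the safety signal, follow A2 picks up."""
    tr = Train(Pump("A1", can_start=False), Pump("A2"))
    tr.safety_signal_received(t=0.0)
    return tr


def scenario_lop_blocks_pressure_switch() -> dict:
    """Constructed case: with LOP present the pressure switch may not start the standby."""
    tr = Train(Pump("B1"), Pump("B2"))
    tr.safety_signal_received(t=0.0, lop=True)
    switch_acted = tr.low_header_pressure(t=10.0)
    stop_before_reset = tr.operator_stop(tr.lead, t=20.0)
    tr.reset_safety_signal()
    stop_after_reset = tr.operator_stop(tr.lead, t=21.0)
    return {"switch_acted": switch_acted, "stop_before_reset": stop_before_reset,
            "stop_after_reset": stop_after_reset, "running": tr.running_pumps()}


if __name__ == "__main__":
    for entry in scenario_lead_fails_to_start().log:
        print(entry)
    print(scenario_lop_blocks_pressure_switch())
```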

e. IEEE Standard 279-1971, Paragraph 4.17:

The service water pumps have manual controls located on the main control board and at the switchgear. REMOTE/LOCAL control selector switches at the switchgear are alarmed in the control room when LOCAL control is selected.

f. IEEE Standard 279-1971, Paragraph 4.10:

The service water system is periodically tested in accordance with the Technical Specifications.

This testing will consist of manually starting the pump during normal surveillance of the system or the breaker for the pump will be in the test position. Once the pump is running or the breaker is in the test position, the AUTO start and tripping is verified using the emergency generator load sequencer with safety signals generated internally or externally to the sequencer.

Reactor Plant Component Cooling Water System

The reactor plant component cooling water system design is described in Section 9.2.2.1 and the diagram is shown on Figure 9.2-2.


provided at the switchgear; an annunciator is alarmed in the control room when LOCAL control is selected. Normally, two pumps are operating with the third pump on stand-by in Train B. Three pump motor breakers are supplied for four breaker cubicles, two for each train. The pumps for Trains A and B are normally racked into their respective cubicles, with the third pump breaker racked into its Train B cubicle. The third pump may be operated on Train A by first racking its breaker out of Train B and then racking it into the Train A cubicle. An electrical interlock prevents simultaneous operation of two pumps on the same train. A keylock switch is provided which allows the third pump to operate on one train or the other, but not on both at once.

Motor overcurrent and auto trip are alarmed in the control room. Status lights and bypass indication are provided in the control room. Power to Trains A and B reactor plant component cooling water pump motors is supplied from separate emergency buses.

The reactor plant component cooling pumps are started automatically by an SIS or LOP signal.

The pumps are sequenced on by the emergency generator load sequencer when an LOP signal exists.

Redundant level switches located on the surge tank for the reactor plant component cooling water system are set to detect a sudden drop in reactor plant component cooling water system surge tank level, which would result from a rupture of nonsafety-related system piping. These level switches automatically close isolation valves, thus isolating the system's safety-related portions from the nonsafety-related.

The supply lines to reactor plant component cooling water users, both safety related and nonsafety related, are provided with flow indicators and high flow alarms in the control room. Flow is logged by the plant computer. Remote temperature indicators are provided in the suction lines of each reactor plant component cooling pump. Each compartment of the reactor plant component cooling water surge tank is provided with a level sensing instrument. The makeup to the surge tank is automatically controlled by level in the compartment. The level in each compartment is indicated, and low and high level extremes are alarmed in the control room.

A radiation monitor is utilized to monitor Train A or Train B outlet from the reactor plant component cooling water heat exchangers. Indication and alarm are provided locally; and indication, recording, and alarm are provided in the control room (Section 11.5).

The containment isolation valves in the reactor plant component cooling water lines serving the equipment inside the containment structure are closed automatically on receipt of a CIB signal.

Trains A and B cross-connect valves inside the containment are closed automatically on receipt of an SIS or surge tank low level signal.

Following a LOP or CIA signal, the cooling water source for the nonsafety-related components inside the containment structure is automatically transferred from the chilled water system to the reactor plant component cooling water system.


ms are provided on the main control board.

Analysis of Reactor Plant Component Cooling Water System

a. IEEE Standard 279-1971, Paragraph 4.2:

The reactor plant component cooling water system is divided into two separate, redundant mechanical and electrical trains. The system can be cross-connected; the cross-connect valves are closed automatically by an SIS supplied or surge tank low-level signal. The cross-connect valves are air-operated and fail closed on loss of air or loss of power to the associated solenoid valve. No single failure at the system level will prevent the system from supplying reactor plant component cooling water for at least one train.

b. IEEE Standard 279-1971, Paragraph 4.4:

Equipment qualifications are discussed in Sections 3.10 and 3.11.

c. IEEE Standard 279-1971, Paragraph 4.13:

A reactor plant component cooling system bypass annunciator is alarmed in the control room whenever any of the following conditions exist (Train A or B):

  • Reactor plant component cooling pump (A or B) control switch in pull to lock or circuit breaker racked out or loss of control power and reactor plant component cooling pump (C) control switch in pull to lock or circuit breaker racked out or loss of control power.
  • Containment isolation valve not fully open.
  • Reactor plant component cooling heat exchanger service water supply valve not fully open.
  • Manual bypass push button depressed.
  • Reactor plant component cooling pump area vent system bypass.

d. IEEE Standard 279-1971, Paragraph 4.16:

Once an SIS is received, the reactor plant component cooling pumps are started automatically. When a LOP exists, the pumps are automatically started by the emergency generator load sequencer. Deliberate operator action must be taken to stop a pump. The SIS and LOP must be reset and manual control used to stop a pump.

The containment air recirculation cooling coil supply and return valves are opened automatically by a LOP or CIA signal. The LOP and CIA must be reset to close the valves manually. The valves close automatically on reactor plant component cooling water surge tank low-level. The surge tank low-level signal must be cleared and the CLOSE/AUTO push button depressed before the valves can be opened automatically or manually.

The nonsafety header supply and return isolation valves close automatically on receipt of a CIA or reactor plant component cooling surge tank low-level signal.

The CIA must be reset and the surge tank low-level signal cleared and manual controls used to open the valves.

The reactor plant component cooling cross-connect valves close automatically on receipt of a SIS or reactor plant component cooling surge tank low-level signal.

The SIS must be reset and the surge tank low-level signal cleared and manual controls used to open the valves.

The containment isolation valves close automatically on receipt of a CIB signal.

The CIB signal must be reset and manual controls used to open the valves.

The reactor plant component cooling heat exchanger service water supply valves close automatically on receipt of a CDA signal. The CDA signal must be reset and manual controls used to open the valves.

e. IEEE Standard 279-1971, Paragraph 4.10:

The reactor plant component cooling system is periodically tested in accordance with the Technical Specifications.

f. IEEE Standard 279-1971, Paragraph 4.17:

Controls and indicators are provided in the control room for manual operation of the reactor plant component cooling water system. REMOTE/LOCAL control selector switches are provided for the reactor plant component cooling water pumps outside the control room at the switchgear. An annunciator is alarmed in the control room when LOCAL control is selected.


A description of instrumentation and controls is provided in Section 9.4.1.5.

Electrical

A description of the onsite electrical system is found in FSAR Sections 8.1.4, 8.1.5 and 8.3.

Emergency Generator Load Sequencer

The emergency generator loading sequencer (EGLS) is a solid-state digital system which provides relay contact outputs to shed loads, block manual starts, and sequentially load the plant emergency AC buses during emergency conditions. The system is composed of two cabinets, one each for Train A and Train B. The primary purpose of the EGLS is to automatically control the loading of the emergency AC buses when a loss of offsite power has occurred and the buses are being re-energized by the emergency diesel generator.

The EGLS accepts bus undervoltage (BUV), safety injection (SIS), containment depressurization actuation (CDA), recirculation (RECIRC), auxiliary reserve breaker (AR BKR) status, and diesel generator breaker (DG BKR) status input signals in the form of contact closures and will provide a predetermined sequence of outputs.

The EGLS has seven operating modes. Five of these modes are for plant emergency conditions which involve a loss of offsite power. The other two are for plant emergency conditions which do not involve a loss of offsite power. The modes, in terms of which EGLS inputs are activated, are as follows.

1. SIS only
2. CDA only or SIS and CDA
3. LOP only
4. SIS and LOP
5. CDA and LOP or SIS and CDA and LOP
6. SIS, RECIRC, and LOP
7. CDA or SIS and CDA, RECIRC, and LOP

The modes are prioritized such that a CDA mode will always take precedence over a SIS mode when both inputs are present and such that a LOP mode will always take precedence over a non-LOP mode.


ty equipment. These signals effectively strip the bus, block closing of the DG BKR for a time period sufficient to strip the bus, and temporarily inhibit the operator from restarting any loads.

This allows the diesel generator time to start, achieve proper voltage and frequency and, via the DG BKR, be connected to the plant safety bus without incurring adverse loading conditions.

Upon receiving a signal confirming that the DG BKR has closed, the EGLS will begin generating the sequenced safeguard signals (SSS) and manual trip block (MTB) signals to plant equipment.

The SSS and MTB signals, once initiated, are maintained until the EGLS is reset or a change in operating mode occurs. The EGLS automatically terminates individual LOP signals associated with the loads being started and terminates the remaining LOP signals and MSB signals automatically, 40 seconds after the DG BKR has closed. Should a SIS or CDA input occur without a LOP, the appropriate SSS and MTB signals are generated immediately without time sequencing, and the LOP and MSB outputs remain reset. Start signals to the containment recirculation pumps are delayed during a CDA only sequence, even if there is no LOP signal.

The MTB signal inhibits the operator from retripping loads once they have been automatically started.

LOP outputs also are generated for plant equipment which does not have an associated EGLS SSS output signal. In some cases, the LOP outputs are terminated at the end of the 40-second period.

In other cases, the LOP outputs are not terminated until the EGLS is manually reset. In some of these cases, the LOP outputs are also generated by a SIS only or CDA only input.

Initiation of the RECIRC and LOP operating modes differs from the other LOP operating modes in as much as that during recirculation, the SIS or CDA input must have occurred and been reset prior to the loss of power. Otherwise, even though the RECIRC input is present, the EGLS will respond in a SIS and LOP or CDA and LOP operating mode. Internal memories, which must be manually reset, retain the information necessary to allow the EGLS to differentiate between RECIRC and non-RECIRC operating modes.

Station LOP and sequencer LOP memories, which also must be manually reset, are used to retain information concerning the initial loss of power and re-energization of the bus by the diesel generator. Two memories are employed to prevent the EGLS from responding to transient voltage appearing on the bus during loading. Normally, the EGLS would not respond to a second loss of power if both memories had not been reset, but circuitry in the EGLS provides a subsequent LOP detection window between the sequencer LOP reset and station LOP reset during which the EGLS will respond to a second or subsequent LOP occurring during reset procedures.
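As an added example, not the plant's or the sequencer vendor's own logic, the following Python model implements the mode selection for the seven EGLS modes listed above together with the RECIRC memory and the station/sequencer LOP memory rules just described; the function and class names, and the representation of the memories as a frozenset and two flags, are assumptions made here for illustration.

```python
# Added illustration of the EGLS mode and memory rules described in the text.
# Mode numbers and precedence rules come from the FSAR description; the names
# below and the memory representation are assumptions, not the vendor's design.
from typing import FrozenSet, Optional

MODES = {
    1: "SIS only",
    2: "CDA only or SIS and CDA",
    3: "LOP only",
    4: "SIS and LOP",
    5: "CDA and LOP or SIS and CDA and LOP",
    6: "SIS, RECIRC, and LOP",
    7: "CDA or SIS and CDA, RECIRC, and LOP",
}

NO_MEMORY: FrozenSet[str] = frozenset()


def remember_actuation_reset(memory: FrozenSet[str], sis: bool, cda: bool) -> FrozenSet[str]:
    """Record that a SIS and/or CDA actuation occurred and was then reset.

    Models the manually reset internal memory that lets the EGLS tell a
    RECIRC-and-LOP mode from an ordinary SIS/CDA-and-LOP mode.  Because the
    memory is only cleared by a manual reset, this function only adds to it;
    pass NO_MEMORY to model the operator clearing it.
    """
    remembered = {name for name, present in (("SIS", sis), ("CDA", cda)) if present}
    return memory | frozenset(remembered)


def select_mode(sis: bool, cda: bool, lop: bool, recirc: bool,
                memory: FrozenSet[str] = NO_MEMORY) -> Optional[int]:
    """Return the EGLS operating mode (1-7) for the present contact inputs.

    Rules taken from the text:
    - a LOP mode always takes precedence over a non-LOP mode;
    - a CDA mode always takes precedence over a SIS mode when both are present;
    - RECIRC selects mode 6 or 7 only if the memory shows that a SIS or CDA
      occurred and was reset before the loss of power, otherwise the EGLS
      responds in the SIS-and-LOP or CDA-and-LOP mode.
    Returns None when no emergency input is present.
    """
    if lop:
        if recirc and memory:
            return 7 if "CDA" in memory else 6
        if cda:
            return 5
        if sis:
            return 4
        return 3
    if cda:
        return 2
    if sis:
        return 1
    return None


class LopMemories:
    """The station LOP and sequencer LOP memories (both manually reset).

    While both are set the EGLS ignores transient undervoltage seen on the bus
    during loading.  The reset order follows the text: sequencer LOP reset
    first, then station LOP reset; between the two resets the EGLS still
    responds to a subsequent LOP (the detection window).  Any other
    partially reset state is treated conservatively as "no response".
    """

    def __init__(self) -> None:
        self.station_set = False
        self.sequencer_set = False

    def record_lop(self) -> None:
        """Initial loss of power: both memories latch."""
        self.station_set = True
        self.sequencer_set = True

    def reset_sequencer(self) -> None:
        self.sequencer_set = False

    def reset_station(self) -> None:
        self.station_set = False

    def responds_to_new_lop(self) -> bool:
        """True in normal standby and inside the subsequent-LOP detection window."""
        in_window = self.station_set and not self.sequencer_set
        both_reset = not self.station_set and not self.sequencer_set
        return both_reset or in_window
```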

Analysis

a. IEEE Standard 279-1971, Paragraph 4.2:

The emergency generator load sequencers are divided into two separate, redundant mechanical and electrical trains. No single failure at the system level will prevent the system from sequentially loading the plant safety buses during emergency conditions.

b. IEEE Standard 279-1971, Paragraph 4.4:

Equipment qualifications are discussed in Sections 3.10 and 3.11.

c. IEEE Standard 279-1971, Paragraph 4.13:

An emergency generator load sequencer bypass annunciator will alarm in the control room whenever any of the following conditions exist (Train A or B):

  • System is in manual Test 2.
  • Control power not available.
  • Manual bypass push button depressed.
d. IEEE Standard 279-1971, Paragraph 4.10:

The emergency generator load sequencer is tested periodically in accordance with the Technical Specifications.

The following is a description of the various test modes that will be used to verify the operability of the EGLS.

Auto Test

The auto test circuit (ATC) is an EGLS subsystem that is contained within the sequencer panel.

The ATC is designed to run continuously, having approximately 50 separate test states. Each test state is 10 msec in duration, with actual testing being performed during the last 1 msec of each state. An exception to this is three test states where the test state timer is interrupted long enough to verify the operability of the normal frequency clocks.

The ATC verifies two basic types of EGLS responses. First, that no outputs occur when no Auto Test Inputs (ATIs) are applied. Second, that the proper outputs occur when ATIs are applied.

Each odd numbered test state is used to verify that the proper output patterns occur when various combinations of ATIs are injected into the front end (input buffers) of the sequencer logic.

Conversely, each even numbered test state verifies that no outputs occur when no ATIs are applied. The even test states also verify that the EGLS was reset following the last odd numbered test.

For each test, the ATC makes the assumption that the sequencer will fail. At the start of each test, a delayed EGLS fault signal is generated. This, in effect, leaves the sequencer with approximately 1 millisecond in which to properly respond in order to reset the fault delay timer. A successful fault delay reset will allow the ATC to begin the next test state. If a fault is detected, the ATC stops testing the EGLS and provides main board annunciation. The ATC display on the EGLS front panel indicates the specific test state where the fault occurred.


s. These tests will be performed during refueling outages as specified in the Surveillance Frequency Control Program. The loads which are actuated by output relays will be tested during EGLS integrated tests. In addition, if a real plant input is received by the EGLS requiring action, the ATC is automatically faulted to prevent it from interfering with EGLS operation.

In summation, the ATC verifies, on a continuing basis, all critical logic paths in which a failure would prevent the EGLS from performing its complete safety function. The ATC may be used to extend the technical specifications actuation logic test requirements per Technical Specifications, Table 4.3-2.

Auto Test Test

The auto test test panel is supplied with the EGLS system as test equipment that will be used on a quarterly basis to verify the operability of the ATC.

The auto test test panel has the ability to simulate an EGLS failure for ATC operational verification (the ability of the ATC to identify a failure). This is accomplished by creating auto test outputs (ATOs) when they should not occur or by inhibiting ATOs when they should occur.

Every auto test fault circuit can be verified using the auto test test panel.

Manual Test Features

Mode 1 manual test features provide a means to simulate EGLS inputs and verify response to those inputs. When initiated, Manual Test 1 inhibits all sequencer outputs except MSBs. Each individual load, however, may be selectively unblocked using its associated TEST/INHIBIT switch; i.e., placing the switch into the TEST position. This allows the option of testing the EGLS logic including sequence times or additionally testing selected output relay(s) by actually starting the loads. The latter provides the means to satisfy the requirement of periodically testing safety-related loads.

The inputs to the EGLS are provided by front panel push buttons for LOP, SIS, CDA, and RECIRC. These inputs can be applied at any time and in any order during a test to obtain any mode of operation desired. A DG breaker push button is not provided; rather, a simulated DG breaker closure is automatically generated approximately 10 seconds after the LOP push button is pressed.

Testing the EGLS using Manual Test 1 does not remove the sequencer from service. If at any time during testing a real input is received, the EGLS resets itself to normal operation, responding to the input signal regardless of the TEST/INHIBIT switch positions.


Manual Test 2 is identical to Manual Test 1 except that the EGLS is not reset when a real input signal is received. Rather, the EGLS responds to the input condition taking into account the individual load TEST/INHIBIT switches. Manual Test 2 provides the ability to perform integrated systems testing, inhibiting loads that are not desirable to operate.

EGLS Actuation Timer Test

This test will be performed each refueling to verify system operation by actuating the input relays and monitoring the output logic indicating lights for proper response. A calibrated timer and a video camera will be used to record the proper response of all inputs and outputs and the response time for each output logic signal actuated relative to the beginning of the test. The tests that will be included within the EGLS actuation timer test are listed below.

  • LOP
  • CDA RECIRC only
  • SIS and LOP
  • SIS followed by CDA
  • CDA and LOP
  • LOP followed by CDA
  • SIS RECIRC and LOP
  • LOP followed by SIS
  • CDA RECIRC and LOP
  • LOP followed by SIS RECIRC
  • SIS only
  • LOP followed by CDA RECIRC
  • CDA only
  • SIS and DG breaker without LOP
  • SIS RECIRC only
  • SIS followed by LOP
  • SIS and Reserve Breaker
  • CDA followed by LOP
  • CDA and Reserve Breaker
  • MSB Verification in Manual Test Mode 1, LOP only
  • CDA followed by LOP prior to RSS Pumps Start Test
  • LOP followed by subsequent LOP during Reset Test

Emergency Generator Fuel Oil System

The emergency generator fuel oil system design and operation are described in Section 9.5.4 and its piping and instrumentation diagram is shown on Figure 9.5-2.

el controls and indicators are tested in conjunction with the diesel engine test described in Section 8.3. The frequency of this test is given in the Technical Specifications.

Emergency Diesel Engine Cooling Water System

The emergency diesel engine cooling water system is described in Section 9.5.5 and its piping and instrumentation flow diagram is shown on Figure 9.5-3.

The instrumentation requirements for the emergency diesel engine cooling water system are described in Section 9.5.5.5.

Emergency Generator Starting Air System

The emergency generator starting air system is described in Section 9.5.6 and its piping and instrumentation diagram is shown on Figure 9.5-3.

The instrumentation requirements for the emergency generator starting air system are described in Section 9.5.6.5.

Emergency Diesel Engine Lubrication System

The emergency diesel engine lubrication system is described in Section 9.5.7 and its piping and instrumentation diagram is shown on Figure 9.5-3.

The instrumentation requirements for the emergency diesel engine lubrication system are described in Section 9.5.7.5.

Emergency Generator Combustion Air Intake and Exhaust System

The emergency generator combustion air intake and exhaust system is described in Section 9.5.8 and its piping and instrumentation diagram is shown on Figure 9.5-3.

The instrumentation requirements for the emergency diesel engine combustion air intake and exhaust system are described in Section 9.5.8.5.

Analysis

Note: Analysis addresses all preceding emergency generator auxiliary systems.

a. IEEE Standard 279-1971, Paragraph 4.2:

The emergency generator fuel oil system is divided into two separate, redundant mechanical and electrical trains. This dual train concept provides sufficient redundancy to prevent a single failure from impairing the system's capability to supply fuel oil to at least one of the diesel engines.

Each emergency generator has the following associated systems: emergency diesel generator engine cooling water system, starting air system, engine lubrication system, and combustion air intake and exhaust system. The electrical equipment for these associated systems is supplied from separate emergency buses. Nonsafety related electrical equipment associated with the above systems is either disconnected from the emergency buses automatically by a SIS, CDA, or LOP signal or connected to the emergency buses by two Class 1E circuit breakers in series to prevent degrading the emergency buses. The equipment is not required for emergency generator operation. Each emergency generator and its associated systems are completely independent and separate from each other with the exception of the fuel oil system. The ability to cross-connect the A and B train fuel

emergency bus.

b. IEEE Standard 279-1971, Paragraph 4.4:

Equipment qualifications are discussed in Sections 3.10 and 3.11. The following electrical equipment does not perform an active safety function. The equipment is only required to maintain mechanical integrity:

  • Emergency generator standby jacket coolant pump and heater.
  • Prelube oil filter pump and heater.
  • Rocker arm prelube oil pump.
c. IEEE Standard 279-1971, Paragraph 4.13:

An emergency diesel generator system bypass annunciator is alarmed in the control room whenever any of the following conditions exist:

  • Emergency generator breaker racked out or loss of control power.
  • Emergency generator air compressor loss of control power or motor thermal overload.
  • Emergency generator crankcase vacuum pump loss of control power or motor thermal overload.
  • Emergency generator auxiliary fuel oil pump loss of control power or motor thermal overload.
  • Remote voltage switch in MANUAL.
  • Local voltage mode switch in MANUAL.
  • Manual bypass push button depressed.
d. IEEE Standard 279-1971, Paragraph 4.16:

Once a LOP, SIS, or CDA signal is received, the emergency generator will attempt to start. If engine speed does not reach a specified RPM within 7 seconds, the start signal is blocked and a diesel not ready for AUTO start annunciator will alarm in the control room and at the emergency generator local panel. An emergency diesel reset push button in the control room or at the emergency generator panel must be

e. IEEE Standard 279-1971, Paragraph 4.10:

SIS, CDA, or LOP signals cause the emergency generator load sequencer to strip certain non-essential emergency generator auxiliary equipment and actuate the starting air system. These functions are periodically verified consistent with Technical Specification requirements.

f. IEEE Standard 279-1971, Paragraph 4.17:

Manual controls and indication are on the main control board and at the emergency generator panels for manual operation of the emergency generators.

Air Conditioning, Heating, Cooling, and Ventilation Systems

The safety-related (QA Category I) air-conditioning, heating, cooling, and ventilation systems are listed in Table 3.2-1.

The system designs, flow diagrams, and instrumentation applications are given in Section 9.4.

The design bases for the control and instrumentation of the safety-related air-conditioning, heating, cooling, and ventilation systems adhere to the following:

1. Automatic operation during normal and accident conditions.
2. Manual controls and indication of the status of all components in the control room.
3. Automatic controls as well as manual controls of redundant components are independent and electrically and physically separated.
4. Failure of an operating component and/or start of the redundant component is annunciated in the control room.
5. Redundant motors and motor-operated dampers have power supplied from separate emergency buses. Each redundant air-operated damper, with solenoid pilot valve, has power supplied from the separate DC bus. The dampers are designed to fail in the position of greater safety on loss of air and/or power supply.

The safety objective of the instrumentation and control for safety-related air conditioning, heating, cooling, and ventilation systems is to maintain the temperatures within the specific areas they serve, within the design limits required, during normal and accident conditions. The control room and instrument rack and computer rooms are automatically supplied air in the pressurized filtration mode of operation upon receiving a control building isolation (CBI) signal. A CBI signal is generated whenever any one of the following conditions exist:

  • Containment pressure hi-1, 2 out of 3 (2/3) hi.
  • Manual SIS.
  • Manual CBI.

A differential pressure indicator with a scale range from zero to 0.50 in WC is provided in the control room to enable the operator to determine that the pressure in the control room is being maintained slightly above the atmospheric pressure following an accident.

Where high efficiency particulate air (HEPA) filters or carbon absorbers are provided in the system, differential pressure alarms are provided to alert the operator to excessive differential pressure across the filter or absorber and to indicate that changeover to the standby train should be made.

Control Building Isolation

The control building isolation (CBI) logic receives automatic signals from one radiation monitor train located in the intake ventilation to the control building. A containment hi-1 pressure signal (2/3 logic) is also utilized as an input to the CBI logic.

A CBI signal (Train A or B) can be manually initiated from CBI push buttons on the main control board or from the main heating and ventilation panel in the control room. A CBI is also initiated by manual SIS initiation.

The CBI logic relays are located in auxiliary relay panels AR4 (Train A) and AR5 (Train B). The panels are in the instrument rack room. The output relays have test push buttons in the auxiliary relay panels. The CBI K1 relays are interlocked with the controls for the Control Building Emergency Ventilating Fan 1A inlet damper and the chilled water pump. The CBI K2 relays are interlocked with the Control Building Emergency Ventilating Fan 1B inlet damper. This arrangement allows for testing the emergency ventilation system and chilled water pumps for each Train (A or B). The logic relays are energized to initiate the pressurized filtration mode of operation of the Control Building Emergency Ventilation System. CBI RESET push buttons (Train A and B) are on the main control board.

Analysis

a. IEEE Standard 279-1971, Paragraph 4.1:

A CBI signal is automatically initiated on receipt of a high radiation or containment hi-1 pressure high.

b. IEEE Standard 279-1971, Paragraph 4.2:

The CBI has redundant and separate trains supplied from separate safety-related 120 V AC and separate 125 V DC buses. No single failure will prevent a CBI at the system level.

c. IEEE Standard 279-1971, Paragraph 4.4:

Equipment qualifications are discussed in Sections 3.10 and 3.11.

d. IEEE Standard 279-1971, Paragraph 4.8:

The radiation monitors and containment pressure transmitters all derive signals that are direct measures of the variable being monitored.

e. IEEE Standard 279-1971, Paragraphs 4.9 and 4.10:

Testing of the automatic CBI signals from the radiation monitor and containment hi-1 pressure signal (2/3 logic) will be performed by testing each signal for each train.

The inlet ventilation radiation monitors will be calibrated on a refueling basis using solid point calibration sources and a fixed geometry.

On a quarterly basis, an analog channel operational test which verifies the alarm set point will be performed.

The individual signals shall automatically initiate the pressurized filtration mode of operation of the Control Building Emergency Ventilation System.

Testing the containment hi-1 pressure (2/3 logic) will be accomplished in accordance with Section 7.3.2.2.5.

f. IEEE Standard 279-1971, Paragraph 4.13:

Bypass and inoperative alarms on the main control board for CBI Train A and B are in accordance with Regulatory Guide 1.47. A CBI bypass annunciator is alarmed on the main control board whenever any of the following conditions exist:

  • CBI bypass push button depressed.
  • Loss of control power to CBI logic relays.

g. IEEE Standard 279-1971, Paragraph 4.16:

A CBI initiated on the system level will go to completion. The CBI signal can be reset manually on the main control board.

After a CBI has gone to completion, deliberate operator action is required to return to normal operation. The CBI signal must be manually reset. The emergency ventilation system must be manually stopped, and the control building ventilation realigned for normal operation.

h. IEEE Standard 279-1971, Paragraph 4.17:

A CBI signal can be initiated manually with push buttons on the main heating and ventilation panel and on the main control board. A manual SIS signal also initiates a CBI signal. No single failure within the manual, automatic, or common portions of the CBI system will prevent a CBI initiation.

i. IEEE Standard 279-1971, Paragraph 4.18:

The CBI radiation monitor set points are administratively controlled. The set point cannot be changed at the monitor until a permissive has been granted by a key at the radiation monitoring panel in the control room. The permissive key is administratively controlled.

j. IEEE Standard 279-1971, Paragraph 4.19:

High radiation is alarmed on the main control board and on the radiation monitoring system workstations in the control room. An ESF status light indicates on the main control board when a CBI signal exists. Hi-1 containment pressure high is alarmed on the main control board by any channel. Indicator lights on the main control board indicate each channel that is alarmed and each is monitored for high pressure by the plant computer.
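The CBI initiation, seal-in and bypass annunciation described in the preceding description and analysis, as an added Python model that is not the plant's own logic: the 2/3 containment hi-1 vote, the manual initiations, the go-to-completion latch released only by the manual reset, and the two bypass annunciator conditions follow the text; class and method names are assumptions, and treating loss of control power as preventing actuation of the energize-to-actuate relays is an inference made here.

```python
# Added illustration of one CBI train (A or B) as described in the text.
# Names and the control-power inference are assumptions, not the plant design.
from dataclasses import dataclass
from typing import Sequence


def containment_hi1_2oo3(channels: Sequence[bool]) -> bool:
    """Containment pressure hi-1 with two-out-of-three (2/3) coincidence."""
    if len(channels) != 3:
        raise ValueError("hi-1 coincidence uses exactly three channels")
    return sum(1 for tripped in channels if tripped) >= 2


@dataclass
class CBITrain:
    """One redundant CBI train with energize-to-actuate logic relays."""
    name: str
    actuated: bool = False          # logic relays energized: pressurized filtration mode
    bypass_pb_depressed: bool = False
    control_power: bool = True      # control power to the CBI logic relays

    def evaluate(self, rad_high: bool, pressure_channels: Sequence[bool],
                 manual_sis: bool, manual_cbi: bool) -> bool:
        """Apply one scan of inputs and return the resulting actuated state.

        Automatic initiation: high intake radiation or containment hi-1 (2/3).
        Manual initiation: CBI push button or manual SIS.  Once initiated the
        CBI goes to completion and stays sealed in until reset() is called.
        """
        demand = (rad_high
                  or containment_hi1_2oo3(pressure_channels)
                  or manual_sis
                  or manual_cbi)
        # Assumption: relays that must be energized cannot pick up without control power.
        if demand and self.control_power:
            self.actuated = True
        return self.actuated

    def reset(self) -> bool:
        """Manual CBI RESET push button on the main control board."""
        self.actuated = False
        return self.actuated

    def bypass_annunciator(self) -> bool:
        """CBI bypass annunciator: bypass push button or loss of control power."""
        return self.bypass_pb_depressed or not self.control_power
```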

Charging Pumps Cooling System

The charging pumps cooling system is a supporting system for the charging pumps and is required to operate during normal unit operation and following a LOCA and/or loss-of-power. The system design and description are given in Section 9.2.2.4 and its flow diagram is shown on Figure 9.2-5.

Control switches and indicator lights for the charging pump cooling pumps are provided on the main control board and on the auxiliary shutdown panel. REMOTE/LOCAL control selector switches are located on the transfer switch panels in the vicinity of the auxiliary shutdown panel.

An annunciator is alarmed in the control room when local control is selected. For normal unit operation, one of the two pumps is required to operate. This pump is started manually and the other pump is placed on standby. The pump in standby is automatically started on low pressure by a pressure switch in the pumps' discharge header.


et crossover automatically close, thus providing the two independent flow paths required during these modes of operation. Each charging pumps cooling pump motor's power supply is from a separate emergency bus, and the motors start automatically on loss of power and/or on an SIS. The air-solenoid, pilot-operated isolation valves are supplied from separate DC buses and on loss of air and/or loss of power fail closed.

The charging pumps cooling surge tank is divided into two compartments with each compartment serving one charging pumps cooling pump, thus providing redundancy in the fluid system design.

Instrumentation is provided to monitor and control water level in each compartment of the surge tank at all times. The reactor plant component cooling water system automatically provides normal makeup to each surge tank compartment.

Status lights are provided on the main control board to indicate charging pumps cooling pump and crossover valve status.

Analysis

a. IEEE Standard 279-1971, Paragraph 4.2:

The charging pumps cooling system is normally cross-connected at the discharge and suction of the cooling pumps. On receipt of a SIS or LOP signal, the cross-connect valves are closed automatically to separate Train A from Train B. There are four normally open, air-operated, cross-connected valves that fail closed on loss of air or loss of power to the solenoid valves. Solenoid valves control air to the cross-connect valves; two are powered from the Train A emergency DC bus and two are powered from the Train B emergency DC bus.

A temperature control valve for each charging pump cooler is controlled by a temperature indicating controller and a safety-related solenoid valve powered from an emergency DC bus. The temperature control valve opens to the heat exchanger on loss of air, loss of power to the solenoid valve, or when the charging pump cooler outlet temperature is greater than a predetermined set point. The solenoid valves are powered from separate buses.

The charging pumps cooling pumps are powered from separate emergency buses.

Normally, one pump is running and the other on standby. On receipt of an SIS or LOP signal, both pumps are started automatically.

No single failure at the system level can prevent cooling water from being supplied to at least one charging pump.

b. IEEE Standard 279-1971, Paragraph 4.4:

Equipment qualifications are discussed in Sections 3.10 and 3.11.

c. IEEE Standard 279-1971, Paragraph 4.13:

A charging pump high pressure safety injection bypass annunciator is alarmed in the control room whenever any of the following conditions exist (Train A or B):

  • Charging pumps cooling control switch in pull to lock position.
  • Charging pumps cooling pump loss of control power.
  • Charging pumps cooling pump motor thermal overload.
d. IEEE Standard 279-1971, Paragraph 4.16:

Once an SIS or LOP signal is received, the charging pumps cooling pumps are started and the cross-connect valves are closed. Deliberate operator action must be taken to open the valves or stop a pump. The SIS and LOP signals must be reset and manual control used by the operator.

e. IEEE Standard 279-1971, Paragraphs 4.9 and 4.10:

The charging pumps cooling system is periodically tested in accordance with the Technical Specifications.

f. IEEE Standard 279-1971, Paragraph 4.17:

Controls and indicators are provided in the control room for manual operation of the charging pumps cooling system. REMOTE/LOCAL control selector switches are provided at the transfer switch panels outside the control room, and manual controls and indication are on the auxiliary shutdown panels. An annunciator is alarmed in the control room when local control is selected.

Safety Injection Pumps Cooling System

The safety injection pumps cooling system is a supporting system for the safety injection pumps and is required to operate only following a LOCA.

The system design and description are given in Section 9.2.2.5, and the flow diagram is shown on Figure 9.2-4. The power supply for each train of the two-train system is from a separate emergency bus.

The starting of the safety injection pumps cooling pumps is interlocked with the starting of the safety injection pumps; i.e., when a safety injection pump is started for testing purposes or due to a SIS, its associated cooling pump is started automatically. The safety injection cooling pumps surge tank is divided into two compartments, with each compartment serving a separate pump, thus providing redundancy in the fluid system design. Instrumentation is provided to monitor and

Status lights are provided on the main control board to indicate the status of the safety injection pumps cooling pumps.

Analysis

a. IEEE Standard 279-1971, Paragraph 4.2:

The safety injection pumps cooling system is divided into two mechanical and electrical trains. The safety injection pumps cooling pumps are powered from separate emergency buses. No single failure at the system level can prevent the safety injection pumps cooling system from supplying cooling water to at least one safety injection pump.

b. IEEE Standard 279-1971, Paragraph 4.4:

Equipment qualifications are discussed in Sections 3.10 and 3.11.

c. IEEE Standard 279-1971, Paragraph 4.13:

A safety injection pump high pressure safety injection bypass annunciator is alarmed in the control room whenever any of the following conditions exist (Train A or B):

  • Safety injection pump cooling pump circuit breaker open.
  • Safety injection pump cooling pump loss of control power.
  • Safety injection pump cooling pump motor thermal overload.

d. IEEE Standard 279-1971, Paragraph 4.16:

Once a safety injection pump is started, the cooling pump starts automatically.

Deliberate operator action must be taken to stop a cooling pump. The associated safety injection pumps must be stopped and manual controls used to stop the cooling pump.

e. IEEE Standard 279-1971, Paragraphs 4.9 and 4.10:

The safety injection pumps cooling system is periodically tested in accordance with the Technical Specifications.


Controls and indicators are provided in the control room for manual operation of the safety injection pumps cooling system.

7.3.1.2 Design Bases Information

The functional diagrams presented on Figure 7.2-1, Sheets 5, 6, 7, 8, 13, 14, 15 and 16 provide a graphic outline of the functional logic associated with requirements for the ESFAS. Requirements for the ESF system are given in Chapters 6, 10, 11 and 15. Given below is the design bases information required in IEEE Standard 279-1971.

7.3.1.2.1 Generating Station Conditions

The following is a summary of those generating station conditions requiring protective action by the ESFAS.

1. Primary System:
a. Loss-of-coolant accident (LOCA).
b. Steam generator tube failure.
c. Dropped fuel assembly.
2. Secondary System:
a. Inadvertent opening of a steam generator relief or safety valve.
b. Steam system piping failure.
c. Loss of feedwater events including feedwater system pipe break.
3. Conditions Requiring Control Building Isolation:
a. High control building inlet ventilation radiation.
b. High containment pressure.

7.3.1.2.2 Generating Station Variables

The following list summarizes the generating station variables required to be monitored for the automatic initiation of engineered safety features during each condition identified in the preceding section. Post-accident monitoring requirements are given in Table 7.5.1.

1. Primary System Accidents:


b. Containment pressure (not required for steam generator tube failure).
c. Containment purge air radiation.
2. Secondary System Accidents:
a. Pressurizer pressure.
b. Steam line pressures and pressure rate.
c. Containment pressure.
d. Steam generator water level.
e. Reactor coolant temperature.
f. Loss of Emergency Bus Power (LOP).
3. Control Building Isolation:
a. Control building inlet radiation high.
b. Containment pressure hi-1.

7.3.1.2.3 Spatially Dependent Variables

The only variable sensed by the ESFAS which has significant spatial dependence is reactor coolant hot leg temperature. Its spatial dependence is discussed in Section 7.2.1.2.3.

7.3.1.2.4 Limits, Margins, and Set Points

Prudent operational limits, available margins, and set points before onset of unsafe conditions requiring protective action are discussed in Chapter 15 and the Technical Specifications.

7.3.1.2.5 Abnormal Events

The malfunctions, accidents, or other unusual events which could physically damage protection system components or could cause environmental changes are as follows.

1. Loss-of-coolant accident (Chapter 15)
2. Secondary system accidents (Chapter 15)
3. Earthquakes (Chapters 2 and 3)
5. Explosion (hydrogen buildup inside containment) (Section 15.4)
6. Missiles (Section 3.5)
7. Flood (Chapters 2 and 3)
8. LOP (Chapter 8)
9. Wind and tornadoes (Section 3.3)

7.3.1.2.6 Minimum Performance Requirements

Minimum performance requirements are as follows.

1. Response times

Required engineered safety features response time is defined in Section 7.1.2.1.9.

Maximum allowable ESFAS time delays are tabulated in Technical Requirements Manual Table 3.3.2-1. See Section 7.1.2.11 for a discussion of periodic response time verification capabilities.

2. ESFAS channel uncertainties and trip setpoints

The method for determining ESFAS setpoints is discussed in Section 7.1.2.1.9.

The ESFAS setpoints, allowable values for use in surveillance testing and instrumentation channel uncertainty components are tabulated in Technical Specifications Table 3.3-4.

3. Instrumentation ranges

ESFAS instrumentation ranges are tabulated in Table 7.3-2. Range selection for ESFAS instrumentation encompasses the expected range of the process variable being monitored, for normal power operation and accident conditions, for which generating an ESFAS actuation signal is required.

7.3.1.3 Final System Drawings

The schematic diagrams for the systems discussed in this section are listed in Section 1.7 and are submitted in support of this application.

7.3.2 ANALYSIS

Failure mode and effects analyses have been performed on ESF systems equipment within the Westinghouse scope of supply (WCAP-8584, Rev. 1). The Millstone ESF systems, although not

analyses of the instrumentation and control systems used to initiate the operation of the ESF systems and their essential auxiliary supporting systems have been made. For balance-of-plant safety systems, the assurance that safety-related instrumentation and control fulfill their functions (assuming a single failure) is achieved by the use of redundant channels, trains, components, and power supplies with the appropriate separation provided between them. Detailed documentation in the form of the failure modes and effects analysis or fault tree analyses (based on actual wiring diagrams and components of the plant) are presented in a separate report described in Section 7.3.1.2. The analyses were made to assure that each system satisfies the applicable design criteria and performs as intended during all plant operations and accident conditions for which its function is required.

The ESF and essential supporting systems are designed so that a loss of plant instrument air, the loss of cooling water to vital equipment, a plant load rejection, or a turbine trip does not prevent the completion of the safety function under postulated accidents and failures. Evaluation of the individual and combined capabilities of the ESF and supporting systems can be found in Chapters 6, 8, 9, 10 and 15.

7.3.2.1 Failure Modes and Effects Analysis

A systematic, organized, analytical procedure for identifying the possible modes of failure and evaluating their consequences is called a failure modes and effects analysis (FMEA). Its purpose is to demonstrate and verify how the General Design Criteria (GDC) and IEEE Standard

279-1971 requirements are satisfied. FMEAs that are performed on the Class 1E electric power and instrumentation and control portions of the safety-related auxiliary supporting systems also determine if they meet the single failure criteria.

The FMEA is produced in the form of a computerized tabulation that identifies the component, its failure mode, the method of failure detection, and its effect on the safety-related system. This tabulation is derived from the fault tree analysis (FTA). Figure 7.3-1 shows a typical page from an FMEA.

The FTA is a technique by which failures that can contribute to an undesired event are systematically and deductively organized from a top event down to subordinate events. It is pictorially represented by rectangular blocks connected via flow lines to logic gates, all placed together in a tree-shaped configuration.

The FTA identifies all failure modes that are significant to the failure of the safety-related system, the failure paths from the failed items up through the fault tree to a single top failure event, and the single failures that may result in the failure of the system to perform its intended safety function. It also provides a visual display of how the system can malfunction. See Figure 7.3-2 for an example of a computer-plotted fault tree diagram.
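The single-failure check that the FTA supports can be made mechanical: compute the minimal cut sets of the tree and look for any cut set of size one. The following is an added example, not part of the FSAR or of the WCAP analyses; the tree is constructed to resemble the two-train safety injection pumps cooling system described earlier, and the basic-event names are illustrative rather than plant identifiers.

```python
"""Fault tree evaluation: minimal cut sets and single-failure detection.

Added example, not from the FSAR. A gate is ("AND"|"OR", [children]) and a
leaf is a basic-event name. The sample trees are constructed: two trains on
separate emergency buses, and the same system with a shared bus, which is
the kind of dependency the FTA is meant to expose.
"""
from itertools import product


def minimize(sets):
    """Keep only minimal cut sets (drop any set that contains another)."""
    return {s for s in sets if not any(o < s for o in sets)}


def cut_sets(node):
    """Return the minimal cut sets of a node as a set of frozensets."""
    if isinstance(node, str):
        return {frozenset([node])}
    kind, children = node
    child_sets = [cut_sets(c) for c in children]
    if kind == "OR":
        # Any child's cut set fails the OR gate on its own.
        sets = set().union(*child_sets)
    elif kind == "AND":
        # Every child must fail: combine one cut set from each child.
        sets = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate type {kind!r}")
    return minimize(sets)


def single_failures(node):
    """Basic events that alone cause the top event (one-element cut sets)."""
    return sorted(next(iter(s)) for s in cut_sets(node) if len(s) == 1)


def train(name, bus):
    """Loss of cooling from one train: any one of these failures defeats it."""
    return ("OR", [f"{bus} de-energized",
                   f"{name} cooling pump fails to start",
                   f"{name} cooling pump breaker open",
                   f"{name} tank compartment empty"])


# Top event: neither train delivers cooling water to its safety injection pump.
SI_COOLING_TREE = ("AND", [train("Train A", "Emergency bus A"),
                           train("Train B", "Emergency bus B")])

# Constructed defect: both trains powered from the same bus.
SHARED_BUS_TREE = ("AND", [train("Train A", "Emergency bus A"),
                           train("Train B", "Emergency bus A")])

if __name__ == "__main__":
    for label, tree in [("redundant", SI_COOLING_TREE),
                        ("shared bus", SHARED_BUS_TREE)]:
        print(f"{label}: {len(cut_sets(tree))} minimal cut sets, "
              f"single failures = {single_failures(tree)}")
```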

ed the FMEA. The FMEAs for the systems listed in Table 7.3-10 are in a report titled Failure Modes and Effects Analysis, submitted as part of the documentation provided in Section 1.7.4.

7.3.2.2 Compliance with Standards and Design Criteria

Discussion of the GDC is provided in various sections of Chapter 7 where a particular GDC is applicable. Applicable GDCs include Criteria 13, 20, 21, 22, 23, 24, 25, 27, 28, 35, 37, 38, 40, 43, and 46 of the 1971 GDC. Compliance with certain IEEE Standards is presented in Sections 7.1.2.7, 7.1.2.9, 7.1.2.10, and 7.1.2.11. Compliance with Regulatory Guide 1.22 is discussed in Section 7.1.2.5. The discussion given below shows that the ESFAS complies with IEEE Standard 279-1971 (Institute of Electrical and Electronics Engineers, Inc. 1971).

7.3.2.2.1 Single Failure Criteria

The discussion presented in Section 7.2.2.2.3 is applicable to the ESFAS with the following exception.

In the ESFAS, a loss of instrument power will cause the specific bistable or trip actuating device which lost power to change to its actuated position, with the exception of Hi-3 Containment Pressure which affects containment spray. The power supply for the protection systems is discussed in Section 7.6 and in Chapter 8. For containment spray, the final bistables are energized to trip to avoid spurious actuation. In addition, manual containment spray requires a simultaneous actuation of two manual controls. This is considered acceptable because spray actuation on the hi-3 containment pressure signal provides automatic initiation of the system via protection channels.

Moreover, two sets (two switches per set) of containment spray manual initiation switches are provided to meet the requirements of IEEE Standard 279-1971. Also, it is possible for all ESF equipment (valves, pumps, etc.) to be individually manually actuated from the control board.

Hence, a third mode of containment spray initiation is available. The design meets the requirements of Criteria 21 and 23 of the 1971 GDC.

7.3.2.2.2 Equipment Qualification

Equipment qualifications are discussed in Sections 3.10 and 3.11.

7.3.2.2.3 Channel Independence

The discussion presented in Section 7.2.2.2.3 is applicable. The ESF slave relay outputs from the solid state logic protection cabinets are redundant, and the actuation signals associated with each train are energized up to and including the final actuators by the separate ac power supplies which power the logic trains.

7.3.2.2.4 Control and Protection System Interaction

The discussions presented in Section 7.2.2.2.3 are applicable.

The discussions of system testability in Section 7.2.2.2.3 are applicable to the sensor, analog circuitry, and logic trains of the ESFAS.

The following discussions cover those areas in which the testing provisions differ from those for the reactor trip system.

Testing of Engineered Safety Features Actuation Systems

The ESFASs are tested to provide assurance that the systems operate as designed and are available to function properly in the unlikely event of an accident. The testing program meets the requirements of Criteria 21, 37, 40, 43 and 46 of the 1971 GDC and Regulatory Guide 1.22 as discussed in Section 7.1.2.8. The tests described in Section 7.3.2.2.3 and further discussed in Section 6.3.4 meet the requirements on testing of the ECCS as stated in GDC 37, except for the operation of those components that would cause an actual safety injection. The test, as described, demonstrates the performance of the full operational sequence that brings the system into operation, the transfer between normal and emergency power sources, and the operation of associated cooling water systems. After the safety injection and residual heat removal pumps are started and operated, their performance is verified in a separate test discussed in Section 6.3.4.

When the pump tests are considered in conjunction with the ECCS test, the requirements of GDC 37 on testing of the ECCS are met as closely as possible without causing an actual safety injection.

The system design, as described in Sections 6.3.4, 7.2.2.2.3, and 7.3.2.2.3, provides complete periodic testability during reactor operation of all logic and components associated with the ECCS. This design meets the requirements of Regulatory Guide 1.22 as discussed in the above sections. The program is as follows:

1. Prior to initial plant operations, ESF system tests are conducted.
2. Subsequent to initial startup, ESF system tests are conducted during regularly scheduled refueling outages, as specified in the Surveillance Frequency Control Program.
3. During on-line operation of the reactor, all of the ESF analog and logic circuitry can be fully tested. In addition, essentially all of the ESF final actuators can be fully tested. The remaining few final actuators, whose operation is not compatible with on-line plant operation, can be checked by means of continuity testing or other means.
4. During normal operation, the operability of testable final actuation devices of the ESF systems can be tested by manual initiation from the control room or, as indicated in 3 above, by actuation of the solid state protection system slave relays from the ESF test cabinets.

During reactor operation, the basis for ESFAS acceptability will be the successful completion of the overlapping tests performed on the initiating system and the ESFAS (Figure 7.3-3). Checks of process indications verify operability of the sensors. Analog checks and tests verify the operability of the analog circuitry from the input of these circuits through to and including the logic input relays, except for the input relays associated with the containment spray function, which are tested during the solid state logic testing. Solid state logic testing also checks the digital signal path from and including logic input relay contacts through the logic matrices and master relays and performs continuity tests on the coils of the output slave relays; final actuator testing operates the output slave relays and verifies operability of those devices which require safeguards actuation and which can be tested without causing plant upset. A continuity check and/or other measures are performed on the actuators of the untestable devices. Operation of the final devices is confirmed by control board indication and visual observation that the appropriate pump breakers close and automatic valves shall have completed their travel.

The basis for acceptability for the ESF interlocks will be control board indication of proper receipt of the signal upon introducing the required input at the appropriate set point.

Equipment which makes up the ESFAS is qualified for its required application. Equipment not qualified for the life of the plant is periodically replaced or maintained consistent with equipment qualification program requirements.

Frequency of Performance of Engineered Safety Features Actuation Tests

During reactor operation, complete system testing (excluding sensors or those devices whose operation would cause plant upset) is performed periodically as specified in the Technical Specifications. Testing, including the sensors, is also performed during scheduled plant shutdown for refueling.

Engineered Safety Features Actuation Test Description

The following sections describe the testing circuitry and procedures for the online portion of the testing program. The guidelines used in developing the circuitry and procedures are:

1. The test procedures must not involve the potential for damage to any plant equipment.
2. The test procedures must minimize the potential for accidental tripping.
3. The provisions for online testing must minimize complication of engineered safety features actuation circuits so that their reliability is not degraded.

Several systems, as listed in Section 7.3.1.1.1, comprise the total engineered safety features system, the majority of which may be initiated by different process conditions and be reset independently of each other.

The remaining functions are initiated by a common signal (safety injection) which in turn may be generated by different process conditions.

In addition, operation of all other vital auxiliary support systems, such as auxiliary feedwater, component cooling, and service water, is initiated by the safety injection signal.

The output of each of the initiation circuits consists of a master relay which drives slave relays for contact multiplication as required. The logic, master, and slave relays are mounted in the solid state logic protection cabinets designated Train A and Train B, respectively, for the redundant counterparts. The master and slave relay circuits operate various pump and fan circuit breakers or starters, motor-operated valve contactors, solenoid-operated valves, emergency generator starting, etc.

Analog Testing

Analog testing methods are identical to those used for reactor trip circuitry and are described in Section 7.2.2.2.3.

The exception to this is containment spray, which is energized to actuate 2-out-of-4 and reverts to 2-out-of-3 when one channel is in test.

Periodic tests of the following ESFAS instrumentation channels are performed:
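The containment spray voting rule, with the energize-to-actuate treatment of power loss described under Single Failure Criteria, can be modelled directly. This is an added example, not code from the FSAR or the plant's protection system; the setpoint, channel names and channel states are constructed for illustration.

```python
"""Coincidence voting for an energize-to-actuate ESFAS function.

Added example, not from the FSAR. Models 2-out-of-4 voting that becomes
2-out-of-3 when one channel is bypassed for test, and contrasts how a loss
of instrument power is treated for an energize-to-actuate function
(containment spray Hi-3) versus the de-energize-to-actuate bistables used
for the other ESFAS functions. All values are constructed.
"""
from dataclasses import dataclass


@dataclass
class Channel:
    name: str
    value: float           # measured process variable (constructed units)
    powered: bool = True   # instrument power available to the channel
    in_test: bool = False  # channel bypassed for analog testing


def bistable(ch, setpoint, energize_to_actuate):
    """Actuated state of one channel's bistable.

    Energize-to-actuate: no power means no actuation demand, so a power
    loss cannot cause a spurious actuation of that channel.
    De-energize-to-actuate: a power loss drives the channel to its actuated
    position, the fail-safe direction for those functions.
    """
    if not ch.powered:
        return not energize_to_actuate
    return ch.value >= setpoint


def vote(channels, setpoint, required=2, energize_to_actuate=True):
    """Return (actuate, channels_voting, channels_actuated).

    Channels in test drop out of the vote; the required coincidence count
    stays the same, so 2-out-of-4 becomes 2-out-of-3 with one channel in test.
    """
    voting = [c for c in channels if not c.in_test]
    actuated = sum(bistable(c, setpoint, energize_to_actuate) for c in voting)
    return actuated >= required, len(voting), actuated


HI3_SETPOINT = 18.0  # constructed value, not the plant setpoint


def spray_demand(channels):
    """Containment spray: 2-out-of-n, energize to actuate."""
    return vote(channels, HI3_SETPOINT, required=2, energize_to_actuate=True)


if __name__ == "__main__":
    chans = [Channel("CP-1", 20.0), Channel("CP-2", 5.0, in_test=True),
             Channel("CP-3", 19.5), Channel("CP-4", 4.0)]
    print(spray_demand(chans))  # one channel in test, two above setpoint
```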

a. Steam generator water level protection channels*
b. Steam pressure protection channels
c. Containment pressure protection channels
d. Pressurizer pressure protection channels*
e. TAVG protection channels*
f. Containment purge air radiation protection channels
g. Control building inlet radiation protection channels
h. Emergency AC bus undervoltage relays

* Also a part of reactor trip system (see Section 7.2.2.2.3)

Except for containment spray channels, solid state logic testing is the same as that discussed in Section 7.2.2.2.3. During logic testing of one train, the other train can initiate the required engineered safety features function. For additional details, see WCAP-7488-L (1971).

Actuator Testing

At this point, testing of the initiation circuits through operation of the master relay and its contacts to the coils of the slave relays has been accomplished. The ESFAS logic slave relays in the SSPS output cabinets are subjected to coil continuity tests by the output relay tester in the SSPS cabinets. Slave relays (K601, K602, etc.) do not operate because of reduced voltage applied to their coils by the mode selector switch (TEST/OPERATE). A multiple position master relay selector switch chooses different master relays and corresponding slave relays to which the coil continuity is applied. The master relay selector switch is returned to OFF before the mode selector switch is placed back in the OPERATE mode. However, failure to do so will not result in defeat of the protective function. The ESFAS slave relays are activated during testing by the online test cabinet so that overlap testing is maintained.

The ESFAS final actuation device or actuated equipment testing is performed from the engineered safeguards test cabinets. These cabinets are located near the solid state logic protection system equipment. There is one test cabinet provided for each of the two protection Trains A and B. Each cabinet contains individual test switches necessary to actuate the slave relays. To prevent accidental actuation, test switches are of the type that must be rotated and then depressed to operate the slave relays. Assignments of contacts of the slave relays for actuation of various final devices or actuators have been made such that groups of devices or actuated equipment can be operated individually during plant operation without causing plant upset or equipment damage. In the unlikely event that an SIS is initiated during the test of the final device that is actuated by this test, the device will already be in its safeguards position.

During this last procedure, close communication between the main control room operator and the operator at the test panel is maintained. Prior to the energizing of a slave relay, the operator in the main control room assures that plant conditions will permit operation of the equipment that will be actuated by the relay. After the tester has energized the slave relay, the main control room operator observes that all equipment has operated as indicated by appropriate indicating lamps, monitor lamps and annunciators on the control board, and records all operations. He then resets the devices and prepares for operation of the next slave relay actuated equipment.

By means of the procedure outlined above, all ESF devices actuated by ESFAS initiation circuits, with the exceptions noted in Section 7.1.2.5 under a discussion of Regulatory Guide 1.22, are operated by the automatic circuitry.

Actuator Blocking and Continuity Test Circuits

Devices that cannot be actuated during plant operation (discussed in Section 7.1.2.5) fall into two categories. These devices either have been assigned to slave relays for which additional test

t operation but were later removed from the on-line testing program. For the latter case, these devices have been assigned slave relays without the special test circuitry. Therefore, during the performance of online slave relay testing, other measures are taken (i.e., jumpers, removal of motor overloads, etc.) to prevent selected equipment from actuating. For devices which have been assigned to slave relays with the additional test circuitry, operation of these slave relays, including contact operations, and continuity of the electrical circuits associated with the final devices control are checked in lieu of actual operation. The circuits provide for monitoring of the slave relay contacts, the devices control circuit cabling, control voltage, and the devices actuation solenoids. Interlocking prevents blocking the output from more than one output relay in a protection train at a time. Interlocking between trains is also provided to prevent continuity testing both trains simultaneously; therefore the redundant device associated with the protection train not under test will be available if event protection action is required. If an accident occurs during testing, the automatic actuation circuitry will override testing as noted above. One exception to this is that if the accident occurs while testing a slave relay whose output must be blocked, those final actuation devices associated with this slave relay will not be overridden; however, the redundant devices in the other train would be operational and would perform the required safety function. Actuation devices which cannot be tested at full power so as not to damage equipment or upset plant operation are identified in Section 7.1.2.5.
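The two blocking interlocks, and the reason they keep a protected function available while a relay is blocked, can be checked with a small state model. This is an added example, not code from the FSAR or the safeguards test cabinets; the relay numbers, train assignments and function names are constructed for illustration.

```python
"""Safeguards test cabinet blocking interlocks.

Added example, not from the FSAR. Models the two interlocks described in
the text: at most one output relay blocked per protection train, and no
continuity testing in both trains at once. It also reports which safety
functions an actuation signal would still complete while a relay is
blocked, so that the unprotected set can be checked to be empty.
Relay numbers and function names are constructed.
"""


class BlockingInterlock:
    """Tracks which slave relay, if any, has its output blocked in each train."""

    def __init__(self, assignments):
        # assignments: {train: {slave relay: [safety functions it actuates]}}
        self.assignments = assignments
        self.blocked = {train: None for train in assignments}

    def can_block(self, train, relay):
        """Return (allowed, reason) without changing state."""
        if relay not in self.assignments[train]:
            return False, f"{relay} is not assigned in train {train}"
        if self.blocked[train] is not None:
            return False, f"train {train} already has {self.blocked[train]} blocked"
        others = [t for t, b in self.blocked.items() if t != train and b is not None]
        if others:
            return False, f"continuity testing already in progress in train {others[0]}"
        return True, "ok"

    def block(self, train, relay):
        """Open the blocking contacts (K8* in the text) for one slave relay."""
        allowed, reason = self.can_block(train, relay)
        if not allowed:
            raise RuntimeError(reason)
        self.blocked[train] = relay

    def restore(self, train):
        """Close the blocking contacts again; the train is back in service."""
        self.blocked[train] = None

    def responding_functions(self):
        """Per train, the functions an actuation signal would still complete."""
        return {
            train: sorted(f for relay, funcs in relays.items()
                          if relay != self.blocked[train] for f in funcs)
            for train, relays in self.assignments.items()
        }

    def unprotected_functions(self):
        """Functions that neither train can actuate right now (should be empty)."""
        every = {f for relays in self.assignments.values()
                 for funcs in relays.values() for f in funcs}
        covered = set().union(*self.responding_functions().values())
        return sorted(every - covered)


# Constructed assignment: each train actuates the same functions through
# its own slave relays. Neither the relay numbers nor the grouping come
# from the plant design.
ASSIGNMENTS = {
    "A": {"K601": ["seal water return isolation"],
          "K602": ["component cooling return isolation", "aux feedwater start"]},
    "B": {"K601": ["seal water return isolation"],
          "K602": ["component cooling return isolation", "aux feedwater start"]},
}

if __name__ == "__main__":
    il = BlockingInterlock(ASSIGNMENTS)
    il.block("A", "K601")
    print(il.responding_functions(), il.unprotected_functions())
    print(il.can_block("A", "K602"))  # refused: one relay per train
    print(il.can_block("B", "K602"))  # refused: other train under test
```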

For those components which cannot be actuated online and have been assigned slave relays with the special test circuitry, the continuity test circuits are verified by test lights on the safeguards test cabinets.

Devices 9-13 identified within Section 7.1.2.5 are blocked by administrative controls. If an accident occurs while testing, the redundant equipment in the other train would be operational and would perform the required safety function.

The typical schemes for blocking operation of selected protection function actuator circuits are shown on Figure 7.3-4 as details A and B. The schemes operate as explained below and are duplicated for each safeguards train.

Detail A shows the circuit for contact closure for protection function actuation. Under normal plant operation and equipment not under test, the test lamps DS* for the various circuits will be energized. The typical circuit path will be through the normally closed test relay contact K8* and through test lamp connections 1 to 3. Coils X1 and X2 will be capable of being energized for protection function actuation upon closure of solid state logic output relay contacts K*. Coil X1 or X2 is typical for a breaker closing auxiliary coil, motor starter master coil, coil of a solenoid valve, auxiliary relay, etc. When the contacts K8* are opened to block energizing of coils X1 and X2, the white lamp is de-energized, and the slave relay K* may be energized to perform continuity testing. To verify operability of the blocking in both blocking and restoring normal service, open the blocking relay contact in series with the lamp connections - the test lamp should be de-energized; close the blocking relay contact in series with the lamp connections - the test lamp should now be energized, which verifies that the circuit is now in its normal, i.e., operable condition.

be energized, and the green test lamp DS* will be de-energized. The typical circuit path for the white lamp DS* will be through the normally closed solid state logic output relay contact K* and through test lamp connections 1 to 3. Coils Y1 and Y2 will be capable of being de-energized for protection function actuation upon opening of solid state logic output relay contacts K*. Coil Y2 is typical for a solenoid valve coil, auxiliary relay, etc. When the contacts K8* are closed to block de-energizing of coils Y1 and Y2, the green test lamp is energized and the slave relay K* may be energized to verify operation (opening of its contacts). To verify operability of the blocking relay in both blocking and restoring normal service, close the blocking relay contact to the green lamp - the green test lamp should now be energized also; open this blocking relay contact - the green test lamp should be de-energized, which verifies that the circuit is now in its normal, i.e., operable position.

Time Required for Testing

Analog testing can be performed at a rate of several channels per hour. Logic testing of Trains A and B can be performed in less than 30 minutes each. Testing of actuated components (including those which can only be partially tested) will be a function of control room operator availability. It requires several shifts to accomplish these tests. During this procedure, automatic actuation circuitry will override testing, except for those few devices associated with a single slave relay whose outputs must be blocked, and then only while blocked. Continuity testing associated with a blocked slave relay takes several minutes. During this time, the redundant devices in the other train would be functional.

Summary of Online Testing Capabilities

The procedures described provide capability for checking completely from the process signal to the logic cabinets and from there to the individual pump and fan circuit breakers or starters, valve contactors, pilot solenoid valves, etc., including all field cabling actually used in the circuitry relied upon to operate for an accident condition. For those few devices whose operation could adversely affect plant or equipment operation, the same procedure provides for checking from the process signal to the logic rack. To check the final actuation device, a continuity test of the individual control circuits is performed, or other measures are taken such as installation of jumpers, removal of thermal overloads, etc.

The procedures require testing at various locations:

1. Analog testing and verification of bistable set point are accomplished at process analog racks. Verification of bistable relay operation is done at the main control room status lights.
2. Logic testing through operation of the master relays and low voltage application to slave relays is done at the logic rack test panel.


4. Continuity testing for those circuits assigned that cannot be operated is done at the same test panel mentioned in 3 above.

The reactor coolant pump essential service isolation valves consist of the isolation valves for the component cooling water return and the seal water return header.

The main reason for not testing these valves periodically is that the reactor coolant pumps may be damaged. Although pump damage from this type of test would not result in a situation which endangers the health and safety of the public, it could result in unnecessary shutdown of the reactor for an extended period of time while the reactor coolant pump or certain of its parts could be replaced.

Testing During Shutdown

ECCS tests will be performed periodically in accordance with the Technical Specifications with the reactor coolant system isolated from the ECCS by closing the appropriate valve. A test SIS will then be applied to initiate operation of active components (pumps and valves) of the ECCS.

This is in compliance with Criterion 37 of the 1971 GDC.

Containment spray system tests will be performed periodically. The pump tests will be performed with the isolation valves in the spray supply lines at the containment blocked closed, and the valves will be tested periodically with the pumps shut down.

System Performance Monitoring

ESFAS performance is monitored to ensure that the reliability of the system remains within established performance criteria. Performance criteria are established for various aspects of ESFAS operation. A record is maintained of the functional failures which might cause one of the redundant channels or trains to be unable to perform its safety function. Appropriate corrective action is required if the system fails to meet its established performance criteria. System performance monitoring is performed for the following ESFAS equipment.

1. Process instrumentation and control system.
2. Solid state protection system.
3. Engineered safety features test cabinets.
4. Analog sensor and digital contact inputs.
5. Emergency generator load sequencer.
6. Control building inlet and containment area radiation monitors.

special attention in Section 7.5.

7.3.2.2.6 Manual Resets and Blocking Features

The manual reset feature associated with containment spray actuation is provided in the design of the solid state protection system for two basic purposes. First, the feature permits the operator to start an interruption procedure of automatic containment spray in the event of false initiation of an actuate signal. Second, although spray system performance is automatic, the reset feature enables the operator to start a manual takeover of the system to handle unexpected events which can be better dealt with by operator appraisal of changing conditions following an accident.

Manual control of the spray system does not occur, once actuation has begun, by just resetting the associated logic devices alone. Components will seal in (latch) so that removal of the actuate signal, in itself, will neither cancel nor prevent completion of protective action nor provide the operator with manual override of the automatic system by this single action. In order to take complete control of the system to interrupt its automatic performance, the operator must deliberately unlatch relays which have sealed in the initial actuate signals in the associated motor control center, in addition to tripping the pump motor circuit breakers, if stopping the pumps is desirable or necessary.

The manual reset feature associated with containment spray, therefore, does not perform a bypass function. It is merely the first of several manual operations required to take control from the automatic system or interrupt its completion should such an action be considered necessary.

In the event that the operator anticipates system actuation and erroneously concludes that it is undesirable or unnecessary and imposes a standing reset condition in one train (by operating and holding the corresponding reset switch at the time the initiate signal is transmitted), the other train will automatically carry the protective action to completion. In the event that the reset condition is imposed simultaneously in both trains at the time the initiate signals are generated, the automatic sequential completion of system action is interrupted and control has been taken by the operator.

Manual takeover will be maintained, even though the reset switches are released, if the original initiate signal exists. Should the initiate signal then clear and return again, automatic system actuation will repeat. No procedures or training direct the operator to manually interrupt automatic actuation of the containment spray system using the containment spray manual reset switch.

Note also that any time delays imposed on the system action are to be applied after the initiating signals are latched. Delays of actuate signals for fluid systems lineup, load sequencing, etc., do not provide the operator time to interrupt automatic completion with manual reset alone, as would be the case if the time delay was imposed prior to sealing of the initial actuate signal.

The manual block features associated with pressurizer and steam line SISs provide the operator with the means to block initiation of safety injection and steam line isolation during plant startup and shutdown. These block features meet the requirements of Paragraph 4.12 of IEEE Standard

7.3.2.2.7 Manual Initiation of Protective Actions (Regulatory Guide 1.62)

There are four individual main steam isolation trip valve momentary control switches (one per loop) mounted on the control board. Each switch, when actuated, isolates one of the main steam lines. In addition, there are two system level switches. Operating either switch actuates all four main steam line isolation and bypass valves at the system level.

Manual initiation of switchover to recirculation is in compliance with Section 4.17 of IEEE Standard 279-1971 with the following comment.

Manual initiation of either one of two redundant safety injection actuation main control board mounted switches provides for actuation of the components required for reactor protection and mitigation of adverse consequences of the postulated accident. Manual safety injection actuation will initiate delayed actuation of sequenced started emergency electrical loads if a LOP signal is present. The safety injection mode is completed when the residual heat removal (RHR) pumps automatically stop on receipt of a low-low RWST level signal. Refer to Section 6.3 for a discussion of the manual switchover from injection mode to cold leg recirculation mode. Manual operation of other components or manual verification of proper position as part of emergency procedures is not precluded nor otherwise in conflict with the above described compliance to Paragraph 4.17 of IEEE Standard 279-1971 of the semi-automatic switchover circuits.

An exception to the requirements of IEEE Standard 279-1971 has been taken in the manual actuation circuit of safety injection. Although Paragraph 4.17 of IEEE Standard 279-1971 requires that a single failure within common portions of the protective system shall not defeat the protective action by manual or automatic means, the standard does not specifically preclude the sharing of initiated circuitry logic between automatic and manual functions. It is true that the manual safety injection initiation functions associated with one actuation train (e.g., Train A) share portions of the automatic initiation circuitry logic of the same logic train; however, a single failure in shared functions does not defeat the protective action of the redundant actuation train (e.g., Train B). A single failure in shared functions does not defeat the protective action of the safety function. It is further noted that the sharing of the logic by manual and automatic initiation is consistent with the system level action requirements of IEEE Standard 279-1971, Paragraph 4.17, and consistent with the minimization of complexity.

7.3.2.3 Further Considerations

7.3.2.3.1 Instrument Air and Component Cooling

In addition to the considerations given above, a loss of instrument air or loss of component cooling water to vital equipment has been considered. Neither the loss of instrument air nor the loss of component cooling water (assuming no other accident conditions) can cause safety limits as given in the Technical Specifications to be exceeded. Likewise, loss of either one of the two will not adversely affect the core or the reactor coolant system nor will it prevent an orderly

For conservatism during the accident analysis (Chapter 15), credit is not taken for the instrument air systems nor for any control system benefit.

The design does not provide any circuitry which will directly trip the reactor coolant pumps on a loss of component cooling water. Normally, indication in the control room is provided whenever component cooling water is lost to the reactor coolant pumps. The reactor coolant pumps can run about 20 minutes after a loss of component cooling water. This provides adequate time for the operator to correct the problem or trip the plant if necessary.

7.3.2.4 Summary

The effectiveness of the ESFAS is evaluated in Chapter 15, based on the ability of the system to contain the effects of Condition II, III and IV faults, including loss-of-coolant and steam break accidents. The ESFAS parameters of time response, channel uncertainty and range are based upon the component performance specifications which are provided by the manufacturer and/or verified by test for each component. ESFAS setpoints are determined by the safety limits assumed in the accident analyses as documented in Chapter 15 as well as appropriate allowances to account for process measurement accuracy, drift, calibration, environmental effects and other uncertainties.

The ESFAS must detect Condition II, III and IV faults and generate signals which actuate the ESF. The system must sense the accident condition and generate the signal actuating the protection function reliably and within a time determined by, and consistent with, the accident analyses in Chapter 15.

Much longer times are typically associated with the actuation of the mechanical and fluid system equipment associated with engineered safety features than with the generation of actuation signals. This includes the time required for switching, bringing pumps and other equipment to speed and the time required for them to take load.

The Technical Specifications establish the requirements for ESFAS operability. However, the redundancy of system components is such that the system operability assumed for the safety analyses can still be met with certain instrumentation channels out of service. Channels that are out of service are to be placed in the tripped mode, or in the bypass mode in the case of HI-3 containment pressure.
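The effect of placing an out-of-service channel in the tripped mode versus the bypass mode is easiest to see on the coincidence vote itself. The following is an added illustration, not the plant's SSPS logic or any setpoint from the FSAR: a generic m-out-of-n vote in which a tripped channel always contributes a trip vote (so 2/3 effectively becomes 1-out-of-2 on the remaining channels) and a bypassed channel is dropped from the vote (so 2/3 becomes 2-out-of-2). The 2/3 low pressurizer pressure logic and the 1900 psia setpoint are assumptions chosen for the example; only the 1700 to 2500 psia instrument range comes from the instrumentation table in this section. The `single_failure_tolerant` check generalizes the criterion to any m/n.

```python
"""m-out-of-n coincidence logic with out-of-service channels.

Added illustration, constructed for this section; not the plant's SSPS logic.
The 2/3 coincidence and the setpoint below are assumptions of the example.
"""
from enum import Enum
from typing import List, Optional, Tuple


class ChannelState(Enum):
    NORMAL = "normal"      # bistable follows the process measurement
    TRIPPED = "tripped"    # out of service, placed in trip: always a trip vote
    BYPASSED = "bypassed"  # out of service, bypassed: removed from the vote


# Constructed example setpoint; the plant's actual ESFAS setpoints are not given here.
LOW_PZR_PRESSURE_SETPOINT_PSIA = 1900.0
# Pressurizer pressure instrument range from the ESFAS instrumentation table.
PZR_PRESSURE_RANGE_PSIA = (1700.0, 2500.0)


def bistable(value: float, setpoint: float, direction: str,
             valid_range: Optional[Tuple[float, float]] = None) -> bool:
    """One channel's comparator. 'low' trips at or below the setpoint, 'high' at or
    above it. A reading outside the instrument range (failed sensor, open loop) is
    treated as tripped, the fail-safe choice."""
    if valid_range is not None and not (valid_range[0] <= value <= valid_range[1]):
        return True
    if direction == "low":
        return value <= setpoint
    if direction == "high":
        return value >= setpoint
    raise ValueError("direction must be 'low' or 'high'")


def coincidence(m: int, channels: List[Tuple[float, ChannelState]], setpoint: float,
                direction: str,
                valid_range: Optional[Tuple[float, float]] = None) -> Tuple[bool, int, int]:
    """m-out-of-n vote over the channels. Returns (actuate, trip_votes, n_in_logic).

    TRIPPED channels count as trip votes, so the remaining channels need one fewer
    trip to actuate. BYPASSED channels leave the logic, so the same number of trips
    is needed from fewer channels and a second failure can now block actuation."""
    trips = 0
    n_in_logic = 0
    for value, state in channels:
        if state is ChannelState.BYPASSED:
            continue
        n_in_logic += 1
        if state is ChannelState.TRIPPED or bistable(value, setpoint, direction, valid_range):
            trips += 1
    return trips >= m, trips, n_in_logic


def single_failure_tolerant(m: int, n: int) -> bool:
    """True when one channel failing tripped cannot actuate by itself (m >= 2) and
    one channel failing untripped cannot block actuation (n - 1 >= m)."""
    return m >= 2 and n - 1 >= m


def low_pzr_pressure_si(channels: List[Tuple[float, ChannelState]]) -> Tuple[bool, int, int]:
    """Assumed 2/3 low pressurizer pressure vote using the example setpoint."""
    return coincidence(2, channels, LOW_PZR_PRESSURE_SETPOINT_PSIA, "low",
                       PZR_PRESSURE_RANGE_PSIA)


if __name__ == "__main__":
    N, T, B = ChannelState.NORMAL, ChannelState.TRIPPED, ChannelState.BYPASSED
    print("all in service, one low:", low_pzr_pressure_si([(2235.0, N), (1850.0, N), (2240.0, N)]))
    print("one tripped, one low   :", low_pzr_pressure_si([(2235.0, N), (1850.0, N), (0.0, T)]))
    print("one bypassed, one low  :", low_pzr_pressure_si([(2235.0, N), (1850.0, N), (0.0, B)]))
    print("sensor failed low      :", low_pzr_pressure_si([(2235.0, N), (1850.0, N), (1600.0, N)]))
    for m, n in ((2, 3), (2, 4), (3, 4), (2, 2), (1, 2)):
        print(f"{m}/{n} single-failure tolerant:", single_failure_tolerant(m, n))
```

The check shows why tripped mode is the default: with one channel tripped, a single further channel still actuates the function and a single stuck channel cannot prevent it, whereas with one channel bypassed the remaining 2/2 vote is no longer single-failure tolerant. Reserving bypass for HI-3 containment pressure, as the text does, accepts that loss of tolerance for a function whose spurious actuation is itself a significant transient.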

7.3.2.4.1 Loss-of-Coolant Protection

In the analysis of LOCAs and in system tests, it has been verified that except for very small coolant system breaks, which can be protected against by the charging pumps followed by an orderly shutdown, the effects of various LOCAs are reliably detected by the low pressurizer pressure signal which will ensure the ECCS is actuated in time to prevent or limit core damage.


ve ECCS phase and provides the high flow rate necessary to begin refilling the reactor vessel.

High containment pressure also actuates the ECCS. Therefore, emergency core cooling actuation can be brought about by sensing this other direct consequence of a primary system break; that is, the ESFAS detects the discharge and flashing of the coolant into the containment.

Containment spray provides emergency cooling and pressure control of containment and also limits fission product release upon sensing elevated containment pressure (hi-3) to mitigate the effects of a LOCA.

ESF response times are periodically confirmed, including the times associated with the generation of actuation signals by the ESFAS, sequencing time delays and the time for actuated equipment to operate. The response times confirmed are those specified in the Technical Requirements Manual.

In general, ESFAS actuation signal time delays are short compared to sequencing time delays and the time required for actuated equipment to operate.

The analyses in Chapter 15 show that the diverse methods of detecting the accident condition and the time for generation of the signals by the protection systems are adequate to provide reliable and timely protection against the effects of loss-of-coolant.

7.3.2.4.2 Steam Line Break Protection

The ECCS is also actuated in order to protect against a steam line break. The response time for sensing low steam line pressure and generation of the safety injection and steam line isolation actuation signals is short compared to sequencing time delays and the time required for actuated equipment to operate. Analysis of steam break accidents assuming this delay for signal generation shows that the ECCS is actuated for a steam line break in time to limit or prevent further core damage for steam line break cases. There is a reactor trip, but the core reactivity is further reduced by the highly borated water injected by the ECCS.

Additional protection against the effects of steam line break is provided by feedwater isolation, which occurs upon actuation of the emergency core cooling system. Feedwater line isolation is initiated in order to prevent excessive cooldown of the reactor vessel and thus protect the reactor coolant system boundary and reduce reactivity addition to the core to limit the potential for core damage. It also limits mass/energy release to the containment to reduce the pressure and temperature transients in containment.

Additional protection against a steam break accident is provided by closure of all steam line isolation valves in order to prevent uncontrolled blowdown of all steam generators. The ESF response time for steam line isolation, which includes closing of the fast acting steam line isolation valves, is less than or equal to 11.8 seconds. ESF response times are provided in the Technical Requirements Manual Table 3.3.2-1.


her reduced by the highly borated water injected by the ECCS.

The analyses in Chapter 15 show that the diverse methods of detecting the accident condition and the time for generation of the signals by the protection systems are adequate to provide reliable and timely protection against the effects of steam line break accidents.

7.3.3 REFERENCES FOR SECTION 7.3

1. IEEE Standard 279-1971, The Institute of Electrical and Electronics Engineers, Inc., IEEE Standard: Criteria for Protection Systems for Nuclear Power Generating Stations.

2. WCAP-7913, 1973, Reid, J. B., Process Instrumentation for Westinghouse Nuclear Steam Supply System (4 Loop Plant using WCID 7300 Series Process Instrumentation).

3. WCAP-7488-L (Proprietary) and WCAP-7672 (Non-proprietary), 1971.

4. WCAP-7705, Revision 2 (Information only; i.e., not a generic topical WCAP), 1976, Swogger, J. W., Testing of Engineered Safety Features Actuation System.


SYSTEM

Designation | Input | Function Performed
P-4 | Reactor trip | Actuates turbine trip. Closes main and bypass feedwater valves on Tavg below setpoint. Prevents opening of main and bypass feedwater valves which were closed by safety injection or High-High steam generator water level. Allows manual block of the automatic reactuation of safety injection. Transfers steam dump control from the load rejection controller to the plant trip controller.
P-4 | Reactor not tripped | Defeats the block preventing automatic reactuation of safety injection.
P-11 | 2/3 Pressurizer pressure below setpoint | Allows manual block of safety injection actuation on low pressurizer pressure signal. Allows manual block of safety injection actuation and steam line isolation on low compensated steam line pressure signal, and allows steam line isolation on high steam line negative pressure rate.
P-11 | 2/3 Pressurizer pressure above setpoint | Defeats manual block of safety injection actuation on low pressurizer pressure. Defeats manual block of safety injection and steam line isolation on low steam line pressure and defeats steam line isolation on high steam line negative pressure rate. Provides open signal to accumulator isolation valves.
P-12 | 2/4 Tavg below setpoint | Blocks steam dump. Allows manual bypass of steam dump block for the cooldown valves only.
P-12 | 3/4 Tavg above setpoint | Defeats the manual bypass of steam dump block.
P-14 | 2/4 Steam generator water level above setpoint on any steam generator | Closes all feedwater control valves and isolation valves. Trips all main feedwater pumps, which closes the pump discharge valves. Actuates turbine trip.
P-19 | 2/4 Pressurizer pressure below setpoint | Allows charging pump safety injection to RCS cold leg.

INSTRUMENTATION

ESF Actuation Signal | Process Measurement Range
Pressurizer low pressure | 1700 to 2500 psia
Reactor coolant average temperature | THOT 530 to 650 °F; TCOLD 510 to 630 °F; TAVG 530 to 630 °F
Steam line low pressure | 0 to 1300 psig
Steam line negative pressure rate | 0 to 1300 psig
Steam generator low-low water level | Span between narrow range level taps (approximately 128 inches)
Steam generator high-high water level | Span between narrow range level taps (approximately 128 inches)
Containment high pressure | 0 to 60 psia
Control building inlet radiation | 10^-6 to 10^-1 Ci/cc
Containment purge exhaust and supply valves radiation monitors | 10^-2 to 10^5 R/hr

  • Radiation monitors are not credited in Section 15.7.4 for post-accident mitigation of a fuel handling accident.


BOP/NSSS | Train A Equip Mark No. | Accident Condition | Function | Train B Equip Mark No. | Accident Condition
NSSS | 3CHS*LCV112B | Closed | VCT outlet isol | 3CHS*LCV112C | Closed
NSSS | 3CHS*LCV112D | Open | RWST to charging pump | 3CHS*LCV112E | Open
NSSS | 3CHS*MV8105 | Closed | Charging pump to reactor clnt sys isol | 3CHS*MV8106 | Closed
NSSS | 3CHS*MV8110 | Closed | Charging pump mini-flow isol | 3CHS*MV8111A, B, C | Closed
NSSS | 3CHS*MV8511A | Open | Charging pump alternate mini-flow control valve | 3CHS*MV8511B | Open
NSSS | 3SIH*MV8801A | Note 3 | Charging pump to reactor cold leg isol | 3SIH*MV8801B | Note 3
NSSS | 3SIL*MV8808C | Open | Accumulator isolation | 3SIL*MV8808D | Open
NSSS | 3SIL*MV8808A | Open | Accumulator isolation | 3SIL*MV8808B | Open
BOP | 3HVR*AOD85 | Closed | Electrical tunnel area EXH dampers | 3HVR*AOD86 | Closed
BOP | 3HVR*FN12A | On | SLCR exhaust fan | 3HVR*FN12B | On
BOP | 3GWS*AOD78A | Closed | Gaseous wastes to Unit 1 stack isolation vv | 3GWS*AOD78B | Closed
BOP | 3QSS*AOV27 | Closed | Refueling water recirc pump suct isol | 3QSS*AOV28 | Closed
BOP | 3RPS*PNLESCA | Note 1 | Emergency gen load sequencer | 3RPS*PNLESCB | Note 1
BOP | 3HVV*FN1D | Stopped | Main steam vlv bldg ventilation | 3HVV*FN1C | Stopped
 | 3HVV*AOD50A2 | Closed | | 3HVV*AOD50B2 | Closed
 | 3HVV*AOD50B1 | Closed | | 3HVV*AOD50A1 | Closed
 | 3HVV*MOD50D | Closed | | 3HVV*MOD50C | Closed
 | 3HVV*MOD51A | Closed | | 3HVV*MOD51B | Closed
 | 3HVV*MOD51D | Closed | | 3HVV*MOD51C | Closed
BOP | 3CCP*AOV179A | Closed | Component cooling water cross connect | 3CCP*AOV179B | Closed
BOP | 3CCP*AOV180A | Closed | Component cooling water cross connect | 3CCP*AOV180B | Closed
BOP | 3HVQ*AOD41A, 40A, 41C, 43A, 42A, 43C, 42C, 40C | Closed | ESF bldg ventilation | 3HVQ*AOD41B, 40B, 41D, 43B, 42B, 43D, 42D, 40D | Closed
 | 3HVQ-FN1 | Stopped | | 3HVQ-FN1 | Stopped
BOP | 3HVR*AOD33B | Closed | Aux bldg heating and ventilating | 3HVR*AOD35B | Closed
 | 3HVR*AOD33A | Closed | | 3HVR*AOD35A | Closed
 | 3HVR-HVU2A | Stopped | | 3HVR-HVU2A | Stopped
 | 3HVR-HVU2B | Stopped | | 3HVR-HVU2B | Stopped
BOP | 3HVR*AOD174A | Closed | Ctmt purge inlet dampers | 3HVR*AOD55A | Closed
 | 3HVR*AOD174B | | | 3HVR*AOD55B |
BOP | 3FWA*AOV23A | Closed | Aux feedwater alternate suction valve | 3FWA*AOV23B | Closed
BOP | 3FWA*AOV61A | Open | DWST to aux feed-pump suction valve | 3FWA*AOV61B | Open
BOP | 3FWA*AOV62A | Closed | Aux feed-pump discharge crossover valve | 3FWA*AOV62B | Closed
BOP

Note 2: An SI signal also initiates Feedwater Isolation (Table 7.3-6), Containment Isolation Phase A (Table 7.3-4) and, on a manual SI only, Control Building Isolation (Table 7.3-7). Refer to FSAR Figure 7.2-1, Sheets 8, 13 and 14 for interaction among these ES functions.

Note 3: 3SIH*MV8801A and B will open on SI coincident with a cold leg injection permissive (P-19).

The items listed in this table receive the specified ESFAS signal directly from SSPS slave relays. Equipment receiving a subsequent actuation signal (e.g., from auxiliary relays) as a result of the ESFAS signal is not included in the table.

  • The Main Turbine and Feedwater Pumps listed receive their trip signals from SSPS slave relay K620A(B) through isolation relay K620X.

BOP/NSSS | Train A Equip Mark No. | Accident Condition | Function | Train B Equip Mark No. | Accident Condition
NSSS | 3CHS*CV8160 | Closed | Letdown line isolation | 3CHS*CV8152 | Closed
NSSS | 3SIL*CV8968 | Closed | Accum nitrogen line isol | 3SIL*CV8880 | Closed
NSSS | 3SIL*CV8890A | Closed | RHR pp/cold leg test line | |
NSSS | 3SIL*CV8825 | Closed | SI pp/hot leg test line | |
NSSS | 3SIL*CV8890B | Closed | RHR pump cold leg test line | |
NSSS | 3SIH*CV8871 | Closed | Test line header isolation | 3SIH*CV8964 | Closed
NSSS | 3SIH*CV8881 | Closed | SI pp hot leg test line isol | |
NSSS | 3SIH*CV8823 | Closed | SI pp/cold leg test line isol | |
NSSS | | | Accum fill line isolation | 3SIH*CV8888 | Closed
NSSS | 3SIH*CV8824 | Closed | SI pp/hot leg test line isol | |
NSSS | 3SIH*CV8843 | Closed | Charging pp test line isolation | |
NSSS | 3CHS*MV8112 | Closed | RCP seal water isolation | 3CHS*MV8100 | Closed
NSSS | 3SSR*CV8026 | Closed | PZR rel tank gas space sample isolation | 3SSR*CV8025 | Closed
BOP | 3SSR*CTV20 | Closed | Pressurizer vapor space sample isolation | 3SSR*CTV21 | Closed
BOP | 3SSR*CTV26 | Closed | Reactor coolant hot leg sample isolation | 3SSR*CTV27 | Closed
BOP | 3SSR*CTV32 | Closed | Safety injection accumulator sample isol | 3SSR*CTV33 | Closed
BOP | 3SSR*CTV29 | Closed | Reactor coolant cold leg sample isolation | 3SSR*CTV30 | Closed
BOP | 3IAS*PV15 | Closed | Containment instrument air supply isolation | 3IAS*MOV72 | Closed
BOP | 3CCP*AOV10A | Closed | Reac plnt comp cooling nonsafety header sup and return isol | 3CCP*AOV10B | Closed
 | 3CCP*AOV19A | Closed | | 3CCP*AOV19B | Closed
BOP | 3CCP*MOV222 | Open | Reac plant comp cooling x-conn to chilled wtr | 3CCP*MOV226 | Open
 | 3CCP*MOV223 | Open | | 3CCP*MOV227 | Open
BOP | 3CCP*MOV224 | Open | Reac plant comp cooling x-conn to chilled wtr | 3CCP*MOV228 | Open
 | 3CCP*MOV225 | Open | | 3CCP*MOV229 | Open
BOP | 3CCP*AOV194B | Closed | React plant comp cooling nonsafety header sup and return isol | 3CCP*AOV194A | Closed
 | 3CCP*AOV197B | Closed | | 3CCP*AOV197A | Closed
BOP | 3CDS-AOV45C | Closed | Containment air recirc coil chill wtr isol | 3CDS-AOV45B | Closed
 | 3CDS-AOV46C | Closed | | 3CDS-AOV46B | Closed
BOP | 3CDS*CTV39B | Closed | Chilled water containment isolation | 3CDS*CTV40B | Closed
 | 3CDS*CTV38A | Closed | | 3CDS*CTV91A | Closed
BOP | 3CDS*CTV38B | Closed | Chilled water con closed containment isolation | 3CDS*CTV91B | Closed
 | 3CDS*CTV39A | Closed | | 3CDS*CTV40A | Closed
BOP | 3GSN*CTV105 | Closed | Pressurizer relief tank nitrogen sply isol | 3GSN*CV8033 | Closed
NSSS | 3PGS*CV8046 | Closed | Pressurizer relief tank water sply isol | 3PGS*CV8028 | Closed
BOP | 3DAS*CTV24 | Closed | Reactor plant aerated drains isol | 3DAS*CTV25 | Closed
BOP | 3CVS*CTV20A | Closed | Containment vacuum system isol | 3CVS*CTV21A | Closed
 | 3CVS*CTV20B | Closed | | 3CVS*CTV21B | Closed
BOP | 3CMS*CTV20 | Closed | Containment atmosphere monitoring sys isol | 3CMS*CTV21 | Closed
 | 3CMS*CTV23 | Closed | | 3CMS*MOV24 | Closed
BOP | 3VRS*CTV20 | Closed | Reactor plant gaseous vents isolation | 3VRS*CTV21 | Closed
BOP | 3DGS*CTV24 | Closed | Reactor plant gaseous drains isolation | DGS*CTV25 | Closed
BOP | 3FPW*CTV48 | Closed | Containment fire protection water isolation | 3FPW*CTV49 | Closed
BOP | 3SSP*CTV7 | Closed | Post-Accident Sample Valve | |
BOP | 3SSP*CTV8 | Closed | Post-Accident Sample Return | |

BOP/NSSS | Train A Equip Mark No. | Accident Condition | Function | Train B Equip Mark No. | Accident Condition
BOP | 3MSS*HV28A | Closed | Main steam isolation bypass | 3MSS*HV28A | Closed
BOP | 3MSS*HV28B | Closed | Main steam isolation bypass | 3MSS*HV28B | Closed
BOP | 3MSS*HV28C | Closed | Main steam isolation bypass | 3MSS*HV28C | Closed
BOP | 3MSS*HV28D | Closed | Main steam isolation bypass | 3MSS*HV28D | Closed
BOP | 3MSS*CTV27A | Closed | Main steam isolation | 3MSS*CTV27A | Closed
BOP | 3MSS*CTV27B | Closed | Main steam isolation | 3MSS*CTV27B | Closed
BOP | 3MSS*CTV27C | Closed | Main steam isolation | 3MSS*CTV27C | Closed
BOP | 3MSS*CTV27D | Closed | Main steam isolation | 3MSS*CTV27D | Closed
BOP | 3DTM*AOV29A | Closed | Main steam line drain valve | 3DTM*AOV61A | Closed
BOP | 3DTM*AOV29B | Closed | Main steam line drain valve | 3DTM*AOV61B | Closed
BOP | 3DTM*AOV29C | Closed | Main steam line drain valve | 3DTM*AOV61C | Closed
BOP | 3DTM*AOV29D | Closed | Main steam line drain valve | 3DTM*AOV61D | Closed
BOP | 3DTM*AOV63A | Closed | Main steam line drain valve | 3DTM*AOV64A | Closed
BOP | 3DTM*AOV63B | Closed | Main steam line drain valve | 3DTM*AOV64B | Closed
BOP | 3DTM*AOV63D | Closed | Main steam line drain valve | 3DTM*AOV64D | Closed
BOP | 3MSS*PV20B | Closed | Steam Generator atmospheric relief valve | 3MSS*PV20A | Closed
 | 3MSS*PV20D | Closed | | 3MSS*PV20C | Closed

The items listed in this table receive the specified ESFAS signal directly from SSPS slave relays. Equipment receiving a subsequent actuation signal (e.g., from auxiliary relays) as a result of the ESFAS signal is not included in the table.

BOP/NSSS | Train A Equip Mark No. | Accident Condition | Function | Train B Equip Mark No. | Accident Condition
BOP | 3FWS*FCV510 | Closed | Main fdwtr flow control vv loop 1 | |
BOP | 3FWS*FCV520 | Closed | Main fdwtr flow control vv loop 2 | |
BOP | 3FWS*FCV530 | Closed | Main fdwtr flow control vv loop 3 | |
BOP | 3FWS*FCV540 | Closed | Main fdwtr flow control vv loop 4 | |
BOP | | | Main fdwtr isolation vv loop 1 | 3FWS*CTV41A | Closed
BOP | | | Main fdwtr isolation vv loop 2 | 3FWS*CTV41B | Closed
BOP | | | Main fdwtr isolation vv loop 3 | 3FWS*CTV41C | Closed
BOP | | | Main fdwtr isolation vv loop 4 | 3FWS*CTV41D | Closed
BOP | 3FWS*LV550 | Closed | Fdwtr cont vv bypass loop 1 | |
BOP | 3FWS*LV560 | Closed | Fdwtr cont vv bypass loop 2 | |
BOP | 3FWS*LV570 | Closed | Fdwtr cont vv bypass loop 3 | |
BOP | 3FWS*LV580 | Closed | Fdwtr cont vv bypass loop 4 | |
BOP | 3SGF*AOV24A | Closed | Stm gen chem feed pp isol vv | 3SGF*AOV24B | Closed
BOP | 3SGF*AOV24C | Closed | Stm gen chem feed isol vv | 3SGF*AOV24D | Closed
BOP

Main Turbine and Feedwater Pumps are only tripped on Feedwater Isolation signals originating from Safety Injection or High-High steam generator level. The Main Turbine and Feedwater Pumps listed receive their trip signals from SSPS slave relay K620A(B) through isolation relay K620X.

The items listed in this table receive the specified ESFAS signal directly from SSPS slave relays. Equipment receiving a subsequent actuation signal (e.g., from auxiliary relays) as a result of the ESFAS signal is not included in the table.

BOP/NSSS | Train A Equip Mark No. | Accident Condition | Function | Train B Equip Mark No. | Accident Condition
BOP | 3HVC*AOD27A | Closed | Control bldg ventilation makeup air damper | 3HVC*AOD27B | Closed
BOP | 3HVC*AOV20 | Closed | Control room vent outlet air isol valve | 3HVC*AOV21 | Closed
BOP | 3HVC*AOV25 | Open | Control room vent inlet air isol valve | 3HVC*AOV26 | Open
BOP | 3HVC*AOV22 | Closed | Control room purge outlet air isol valve | 3HVC*AOV23 | Closed
BOP | 3HVK*P1A | 1 pump run and 1 pump standby (a) | Control bldg chilled water pump | 3HVK*P1B | 1 pump run and 1 standby (a)
BOP | 3HVC*MOD33A | Open | Control building emergency ventilation fan inlet damper | 3HVC*MOD33B | Open
BOP | 3HVC*AOD119A | Open | Control building emergency ventilation filter air return damper | 3HVC*AOD119B | Open
BOP | 3HWS-MOD29 (b) | Closed | TSC Vent. Exhst. Air Damper | 3HWS-MOD29 (b) | Closed
BOP | 3HWS-MOD31 (b) | Open | TSC Vent. Recirc. Damper | 3HWS-MOD31 (b) | Open
BOP | 3HWS-MOD30 (c) | Closed | TSC Vent. Outdoor Air Damper | 3HWS-MOD30 (c) | Closed
BOP | 3HWS-MOD33 (b) | Closed | TSC Vent. Outdoor Air Damper | 3HWS-MOD33 (b) | Closed

(a) Normal operation: one pump running, one pump in standby. Control Building Isolation signal prevents manual stop. In normal operation the chilled water pumps are not affected by a CBI signal.

(b) Damper is operated on both A and B Train signals.

(c) Damper is operated on both A and B Train signals. Loop also includes a time delay to open damper if there is sufficient flow.

The items listed in this table receive the specified ESFAS signal directly from SSPS slave relays. Equipment receiving a subsequent actuation signal (e.g., from auxiliary relays) as a result of the ESFAS signal is not included in the table.

BOP/NSSS | Train A Equip Mark No. | Accident Condition | Function | Train B Equip Mark No. | Accident Condition
BOP | 3SWP*MOV54A | Open | Containment recirc clr supply | 3SWP*MOV54B | Open
BOP | 3SWP*MOV54C | Open | Containment recirc clr supply | 3SWP*MOV54D | Open
BOP | 3RSS*MOV20A | Open | Containment recirc wtr spray hdr isol | 3RSS*MOV20B | Open
BOP | 3RSS*MOV20C | Open | Containment recirc wtr spray hdr isol | 3RSS*MOV20D | Open
BOP | 3SWP*MOV50A | Closed | Reactor plant comp clg hx supply valve | 3SWP*MOV50B | Closed
BOP | 3SWP*MOV71A | Closed | Turbine plant component clg hx inlet | 3SWP*MOV71B | Closed
BOP | 3RSS*MOV23A | Open | Containment recirc pump suct valve | 3RSS*MOV23B | Open
BOP | 3RSS*MOV23C | Open | Containment recirc pump suct valve | 3RSS*MOV23D | Open
BOP | 3QSS*MOV34A | Open | Quench spray header isol valve | 3QSS*MOV34B | Open
BOP | 3SWP*MOV115A | Closed | Circ wtr pp brg lube wtr supply valve | 3SWP*MOV115B | Closed
BOP | 3WTC*AOV25A | Closed | Service wtr feed to chlorination system | 3WTC*AOV25B | Closed
BOP | 3RPS*PNLESCA | | Emergency generator load sequencer | 3RPS*PNLESCB |
BOP | 3FWA*AOV23A | Closed | Aux feedwater alternate suction valve | 3FWA*AOV23B | Closed
BOP | 3FWA*AOV61A | Open | DWST to aux feedpump suction valve | 3FWA*AOV61B | Open
BOP | 3FWA*AOV62A | Closed | Aux feedpump discharge crossover valve | 3FWA*AOV62B | Closed

Note 1: Equipment receiving an actuation signal from the EGLS is not listed in this table. Refer to drawing LSK-24-9.4.

Note 2: A CDA signal also initiates Containment Isolation Phase B (Table 7.3-9). Refer to FSAR Figure 7.2-1, Sheet 8 for interaction among these ESFAS functions.

The items listed in this table receive the specified ESFAS signal directly from SSPS slave relays. Equipment receiving a subsequent actuation signal (e.g., from auxiliary relays) as a result of the ESFAS signal is not included in the table.

BOP/NSSS | Train A Equip Mark No. | Accident Condition | Function | Train B Equip Mark No. | Accident Condition
BOP | 3CCP*MOV45A | Closed | RPCCW Cont Isol valve | 3CCP*MOV45B | Closed
BOP | 3CCP*MOV48A | Closed | RPCCW Cont Isol valve | 3CCP*MOV49A | Closed
BOP | 3CCP*MOV49B | Closed | RPCCW Cont Isol valve | 3CCP*MOV48B | Closed

The items listed in this table receive the specified ESFAS signal directly from SSPS slave relays. Equipment receiving a subsequent actuation signal (e.g., from auxiliary relays) as a result of the ESFAS signal is not included in the table.

SAFETY FEATURES AND ESSENTIAL AUXILIARY SUPPORTING SYSTEMS

Engineered Safety Features Systems (FSAR Section Reference)

1. Emergency core cooling system (ECCS) 6.3
2. Containment depressurization system 6.2.2
a. Quench spray system
b. Containment recirculation system
3. Containment isolation system: 6.2.4
a. Main steam isolation 10.3
b. Feedwater isolation 10.4.7
4. Hydrogen recombiner system 6.2.5
5. Supplementary leak collection and release system 6.2.3
6. Auxiliary feedwater system 10.4.9
7. ESF filtration system
a. Control room emergency ventilation system 9.4.0
b. Charging pump, component cooling water pump and heat exchanger ventilation system (part of auxiliary building filter system) 9.4.4

Essential Auxiliary Support Systems (FSAR Section Reference)

1. Service water system (heat removal portion) 9.2.1
2. Reactor plant component cooling water system 9.2.2
3. Chilled water system (control building only) 9.4.0
4. Electrical system Chapter 8
5. Emergency generator fuel oil system 9.5.4
6. Emergency diesel engine cooling water system 9.5.5
7. Emergency generator starting air system 9.5.6
8. Emergency diesel engine lubrication system 9.5.7
9. Emergency generator combustion air intake and exhaust system 9.5.8
10. Air conditioning, heating, cooling, and ventilation systems
a. Diesel room ventilation 9.4.5
b. Battery room cooling 9.4.0

c. Switchgear area HVAC 9.4.0
d. ESF building ventilation 9.4.4
11. Charging and safety pumps cooling systems 9.2.2

COMPONENT IDENTIFIER | FTSK MB | COMPONENT AND FAILURE MODE | METHOD OF FAILURE DETECTION | EFFECT ON SYSTEM | OTHER REMARKS
MB OR ASP TRIP CIRCUIT 27-12-X Q0115DG3 1A-3QSSA01 PERIODIC TEST ESTABLISHED CONTACT 3 FAILS CLOSED
MB OR ASP TRIP CIRCUIT 27-12-X Q0125DG6 1A-3QSSA01 PERIODIC INSPECTION ESTABLISHED IN TRIP OPERATOR ERROR
ESCA-TRIP BLOCK 27-12-E Q0135DG3 ESCA - PERIODIC TEST CONTACT CLOSED TRIP BLOCK CONT FAILS CLOSED
ESCA-TRIP BLOCK 27-12-E Q0145DG3 ESCA - PERIODIC TEST ESCA-VITRO INTERFAC CONT CLOSED NO TRIP BLOCK SIGNAL
QUENCH SPRAY SYSTEM 27-12-D Q0155DG3 3QSS*P3A PERIODIC TEST ONE OF TWO REDUND TRAIN A FAILURE ACB CLOS MECH FAILURE
QUENCH SPRAY SYSTEM 27-12-D Q0165DG1 CKT 3QSSA01 ANNUNCIATED IN CONTROL ROOM ONE OF TWO REDUND TRAIN A FAILURE NO 4KV OPER PHR AVAILABLE
QUENCH SPRAY SYSTEM 27-12-D Q0175DG3 52HL-3QSSA01 PERIODIC TEST ONE OF TWO REDUND TRAIN A FAILURE CONTACT 6 FAILS OPEN
QUENCH SPRAY SYSTEM 27-12-D Q0185DG1 CKT 3QSSA01 ANNUNCIATED IN CONTROL ROOM ONE OF TWO REDUND TRAIN A FAILURE 35A (+) FUSE FAILS OPEN
QUENCH SPRAY SYSTEM 27-12-D Q0195DG1 CKT 3QSSA01 ANNUNCIATED IN CONTROL ROOM ONE OF TWO REDUND TRAIN A FAILURE 35A (-) FUSE FAILS OPEN
QUENCH SPRAY SYSTEM 27-12-D Q0205DG1 CKT 3QSSA01 ANNUNCIATED IN CONTROL ROOM ONE OF TWO REDUND TRAIN A FAILURE CONTROL PCHER SHORT CIRCUIT
QUENCH SPRAY SYSTEM 27-12-D Q0215DG1 CKT 3QSSA01 ANNUNCIATED IN CONTROL ROOM ONE OF TWO REDUND TRAIN A FAILURE 15A (+) FUSE FAILS OPEN
QUENCH SPRAY SYSTEM 27-12-D Q0225DG1 CKT 3QSSA01 ANNUNCIATED IN CONTROL ROOM ONE OF TWO REDUND TRAIN A FAILURE 15A (-) FUSE FAILS OPEN

The functions necessary for safe shutdown are available from instrumentation channels that are associated with the major systems in both the primary and secondary systems of the nuclear steam supply system (NSSS). These channels are normally aligned to serve a variety of operational functions, including startup and shutdown as well as protective functions.

However, prescribed procedures for securing and maintaining the plant in a safe condition can be instituted by appropriate alignment of selected systems in the NSSS. The discussion of these systems together with the applicable codes, criteria and guidelines is found in other sections of the Safety Analysis Report. In addition, the alignment of shutdown functions associated with the engineered safety features (ESF) which are invoked under postulated limiting fault situations is discussed in Chapter 6 and Section 7.3.

Two kinds of shutdown conditions, both capable of being achieved with or without offsite power, are addressed in this section: hot standby and cold shutdown. Hot standby is a stable condition of the reactor achieved shortly after a programmed or emergency shutdown of the plant. Cold shutdown is a stable condition of the plant achieved after the residual heat removal process has brought the primary coolant temperature below 200°F. The systems required to achieve and maintain cold shutdown are described in Section 5.4.7, Residual Heat Removal System.

In either case of safe shutdown, i.e., hot standby or cold shutdown, the reactivity control systems maintain a subcritical condition of the core. The plant technical specifications explicitly define both hot standby and cold shutdown conditions.

As a minimum, the electrically powered equipment necessary to be aligned for achieving and maintaining safety grade cold shutdown without offsite power, and with an event initiated by a single random failure, with limited operator action outside the control room, are:

1. Emergency Class 1E electrical power supply
3. Residual heat removal (and isolation) system
4. Borated water inventory supply to centrifugal charging pump suction via the gravity feed system
5. Redundant discharge system from and including centrifugal charging pump system supplying RCS and RCP seals
6. Pressure relief system for RCS
7. Accumulator isolation or venting.
8. Decay heat removal using steam generator PORVs and bypass
9. Reactor head vent letdown system
10. Reactor protection system instrumentation and functions which are required to be aligned for maintaining hot standby
1. Prevent the reactor from achieving criticality in violation of the technical specifications
2. Provide an adequate heat sink such that design and safety limits are not exceeded
3. Pressurizer pressure control
4. Reactor coolant system inventory control

7.4.1 DESCRIPTION

The hot standby systems are identified in the following lists together with the associated instrumentation and controls systems. The monitoring indicators (Section 7.4.1.1) and controls (Section 7.4.1.2) identified are those necessary for maintaining a hot standby.

The equipment and services for a cold shutdown are identified in Section 7.4.1.4. Instrumentation and controls provided outside the control room for safe shutdown are listed in Table 7.4-1. Loss of the auxiliary shutdown panel (ASP) and normal automatic systems are not assumed coincident with evacuation. For applicable drawings, see Section 1.7.

7.4.1.1 Monitoring Indicators

The characteristics of these indicators, which are provided outside as well as inside the control room, are described in Section 7.5. The necessary indicators are as follows:


2. Pressure indicator for each steam generator
3. Pressurizer water level indicator
4. Pressurizer pressure indicator
5. Reactor trip breaker indication
6. Auxiliary feedwater flow rate
7. Loop hot leg temperature
8. Loop cold leg temperature
9. DWST level
10. Emergency bus voltmeters
11. Boric acid tank level

7.4.1.2 Controls

7.4.1.2.1 General Considerations
1. The turbine is tripped. (Note that this can be accomplished at the turbine as well as in the control room.)
2. The reactor is tripped. (Note that this can be accomplished at the reactor trip switchgear as well as in the control room.)
3. Safety related manual controls for hot standby shutdown are located inside as well as outside the main control room. These controls are provided with REMOTE/LOCAL selector switches located outside the main control room. An annunciator is alarmed in the main control room and the indicator lights in the main control room are turned off when LOCAL CONTROL is selected.

7.4.1.2.2 Pumps and Fans

1. Auxiliary feedwater pumps In the event of a main feedwater pump stoppage due to a loss of electrical power, the auxiliary feedwater pumps start automatically or can be started manually.

START/STOP controls located outside as well as inside the control room are provided.


START/STOP motor controls for these pumps are located outside, as well as inside the control room.

3. Service water pumps These pumps start automatically following a loss of normal electrical power.

START/STOP motor controls are located outside as well as inside the control room.

4. Component cooling water pumps These pumps, energized from the emergency generator, start automatically following a loss of normal electrical power. START/STOP controls are located outside as well as inside the control room.
5. Control room ventilation units including the control room air inlet dampers.

The control room ventilation units are started and stopped by the associated control building chilled water pumps. The chilled water pumps have LOCAL/REMOTE switches. Normally, one air-conditioning train is operating with the other train on standby. Upon a loss of power, one train starts automatically with the second on standby. The control room ventilation isolation valves are automatically opened (if closed) on receipt of a control building isolation (CBI) signal. The isolation valves can also be operated manually from within the control room.

7.4.1.2.3 Emergency Generators

These units start automatically following a loss of normal AC power. However, manual controls for diesel startup are provided locally at the emergency generator (as well as within the control room). For a description of Class IE power supplies, refer to Section 8.3.

7.4.1.2.4 Valves and Heaters

1. Charging flow control Flow control valves fail open. Subsequent control can be maintained by the use of solenoid valves described in Section 5.4.7 controlled manually from both inside and outside the control room.
2. Letdown valves Letdown can be established through the RCS head vent, if normal letdown is unavailable, by manual control from both inside and outside the control room (Section 5.4.15).


Manual controls for these valves are located on the ASP. Transfer switches for these valves are located on the Transfer Switch Panel. These controls duplicate functions that are inside the control room.

4. Steam generator safety valves
5. Pressurizer heater control ON/OFF control selector switches are provided for two backup heater groups on the ASP. The heater groups are connected to separate buses, such that each can be connected to separate emergency generators in the event of loss of outside power.

The controls are grouped with the charging flow controls and duplicate functions available in the control room.

7.4.1.3 Control Room Evacuation

It is noted that the instrumentation and controls listed in Sections 7.4.1.1 and 7.4.1.2 which are used to achieve and maintain a safe shutdown are available in the event that an evacuation of the control room is required. These controls and instrumentation channels, together with the equipment identified in Section 7.4.1.4, identify the potential capability for cold shutdown of the reactor subsequent to a control room evacuation through the use of suitable procedures. The control room evacuation shall not occur simultaneously or coincident with an abnormal operating condition (ANS Condition II, III, or IV), except the loss of offsite power which would be coincident. The auxiliary shutdown panel and the equipment used to maintain remote shutdown fulfills the single failure criterion.

7.4.1.4 Equipment and Systems Necessary for Cold Shutdown

1. Auxiliary feedwater pumps (Section 10.4.9)
3. Charging pumps (Section 9.3.4)
4. Service water pumps (Section 9.2.1)
5. Control room ventilation (Section 9.4.0)
6. Component cooling pumps (Section 9.2.2.1)
7. Residual heat removal pumps (Section 5.4.7)
8. Certain motor control center and switchgear (Section 8.3.1)
9. Controlled steam release (Sections 7.7 and 10.4.4)
10. Nuclear instrumentation system (NIS) (source range or intermediate range) (Section 7.2). For a more complete description of the NIS, refer to WCAP 8255.

11. Reactor coolant inventory control (charging and letdown) (Section 9.3.4 and Section 5.4.15)
12. Pressurizer pressure control including opening control for pressurizer relief valves and heater control (Sections 5.4.10 and 7.6)
13. Accumulator piping and valving for isolation and venting (Section 6.3)

In addition, the pressurizer pressure and steam line pressure safety injection trip signals must be blocked and the accumulator isolation valves closed.

Controls are provided to block the steamline low pressure and pressurizer low pressure signals.

These controls prevent an SIS provided that the pressure within the pressurizer is less than a predetermined design level.

Instrumentation and controls provided outside the control room for cold shutdown are listed in Table 7.4-1.

7.4.1.5 Other Considerations

1. Additional shutdown air compressors are powered from Class IE buses and are provided to increase availability of normal controls and minimize operator actions.


a. Containment recirculation coolers
b. CRDM air cooling fans
3. Loss of instrument air does not prevent the operation of the minimum systems necessary for hot standby or cold shutdown described in Section 7.4.1.

7.4.2 ANALYSIS

Hot shutdown is a stable plant condition, automatically reached following a reactor trip from power. The plant design features also permit the achievement of cold shutdown as referred to in Section 7.4.1.2 and described in Section 5.4.7. In the unlikely event that access to the control room is restricted, the plant can be safely kept at a hot standby by the use of the monitoring indicators and the controls listed in Sections 7.4.1.1 and 7.4.1.2, and described in Section 7.4.1.3, until the control room can be re-entered.

Cold shutdown conditions can be achieved from outside the control room through the use of suitable procedures and by virtue of local control of the equipment listed in Section 7.4.1.2, in conjunction with the instrumentation and controls provided on the auxiliary shutdown panel (ASP) (Table 7.4-1). The layout of the ASP is provided in the ESK series drawings, listed in Section 1.7.

The design basis for the ASP is as follows:

1. The design of the system to provide redundant safety grade capability to achieve and maintain a safe shutdown condition from location(s) remote from the control room is as follows.

Panels and associated equipment used in control room evacuation are located at elevation 4 feet 6 inches in the control building. Also located at elevation 4 feet 6 inches is the emergency switchgear for each train, along with two transfer switch panels (TSP) and the ASP.

Controls which are located outside the control room are listed in Table 7.4-1. Most pumps have their controls located at their respective emergency switchgear.

Two rooms are provided to separate the redundant emergency switchgear and the transfer switch panels. The ASP is located in the purple switchgear room (Train B), and the two trains (A and B) of the ASP are separated by a non-train panel.

2. All controls and instrumentation required for the reactor hot and cold shutdown from the ASP are decoupled from those normally used in the main control room in

failure of equipment in the main control room.

3. The ASP is provided with a communication network to important plant locations which include locations of equipment required for reactor shutdown. The control room and cable spreading room can be isolated from the system by controls at the ASP.
4. The following design criteria are applicable to the instrumentation and control devices located on the ASP:

ANSI C37.90, 1978
IEEE 279, 1971
IEEE 308, 1974
IEEE 323, 1974
IEEE 344, 1975
IEEE 338, 1971
IEEE 379, 1972
IEEE 384, 1974
IEEE 420, 1974
NUREG-0588, Dec. 1979
RG 1.75, Feb. 1974

6. There are no cases in which transfer from the main control room to the auxiliary shutdown panel requires a jumper or equipment to be received.
7. The design is such that transfer of equipment from the main control room to the alternate shutdown area will not change the status of the equipment.
8. Loss of offsite power will not negate shutdown capability from the remote shutdown area.
9. The design is such that access to the remote shutdown stations at the ASP, the TSPs and the 4 kV switchgear requires keys for operation of equipment. Access to these areas is under administrative control.

Each cabinet located at the remote shutdown area (TSPs, ASP) has door limit switches mounted on the front and rear doors which annunciate in the main control room whenever personnel gain access to the equipment. Also, each transfer switch mounted on the TSPs is annunciated in the main control room whenever local control of assigned equipment has been taken over.

10. The ASP is located such that it can be safely occupied during a remote shutdown event. Ventilation temperature control is provided to allow continuous occupancy.
11. The design requirements for compliance with Appendix R, 10 CFR 50, are explained in the Millstone 3 Fire Protection Evaluation Report.
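The transfer behaviour described in design items 7 and 9 above and in Section 7.4.1.2.1 (LOCAL selection annunciates in the main control room, control room indicator lights go dark, equipment status is unchanged by the transfer, and cabinet door access is annunciated) can be written down as a small state model so that the invariants can be checked. The following Python is an added illustration, not plant software or part of the FSAR; the class and method names are hypothetical, and the sequence in `demo()` is constructed (only the equipment tag 3FWA*P1A is taken from Table 7.4-1).

```python
"""Model of REMOTE/LOCAL control transfer and its main-control-room (MCR) annunciation.
Hypothetical bookkeeping written to illustrate the design basis above; not plant software."""
from dataclasses import dataclass, field
from typing import Dict, List

REMOTE, LOCAL = "REMOTE", "LOCAL"


@dataclass
class TransferSwitch:
    """One transfer switch on a transfer switch panel (TSP) for one piece of assigned equipment."""
    equipment: str
    position: str = REMOTE


@dataclass
class Plant:
    switches: Dict[str, TransferSwitch] = field(default_factory=dict)
    equipment_state: Dict[str, str] = field(default_factory=dict)   # e.g. RUNNING / STOPPED
    mcr_indicator_lit: Dict[str, bool] = field(default_factory=dict)
    annunciators: List[str] = field(default_factory=list)           # alarms raised in the MCR

    def add_equipment(self, name: str, state: str) -> None:
        self.switches[name] = TransferSwitch(name)
        self.equipment_state[name] = state
        self.mcr_indicator_lit[name] = True

    def select_local(self, name: str) -> None:
        """LOCAL selected at the TSP: the MCR annunciates, the MCR indicator lights go dark,
        and (design item 7) the equipment status itself is left exactly as it was."""
        sw = self.switches[name]
        if sw.position == LOCAL:
            return
        sw.position = LOCAL
        self.mcr_indicator_lit[name] = False
        self.annunciators.append(f"LOCAL CONTROL SELECTED: {name}")

    def select_remote(self, name: str) -> None:
        self.switches[name].position = REMOTE
        self.mcr_indicator_lit[name] = True

    def cabinet_door_opened(self, cabinet: str) -> None:
        """Door limit switches on TSP/ASP cabinets annunciate every access in the MCR (item 9)."""
        self.annunciators.append(f"CABINET DOOR OPEN: {cabinet}")

    def command(self, name: str, new_state: str, source: str) -> bool:
        """Honour a control command only from the location that currently holds control."""
        holder = "ASP" if self.switches[name].position == LOCAL else "MCR"
        if source != holder:
            return False
        self.equipment_state[name] = new_state
        return True


def unannounced_transfers(plant: Plant) -> List[str]:
    """Invariant check: every switch in LOCAL must have a matching MCR annunciator."""
    return [n for n, sw in plant.switches.items()
            if sw.position == LOCAL and f"LOCAL CONTROL SELECTED: {n}" not in plant.annunciators]


def demo() -> Plant:
    """Constructed sequence: pump running, access to the TSP, transfer to LOCAL, MCR command refused."""
    plant = Plant()
    plant.add_equipment("3FWA*P1A", "RUNNING")  # motor-driven aux feedwater pump A (Table 7.4-1 tag)
    plant.cabinet_door_opened("TSP Train A")
    plant.select_local("3FWA*P1A")
    plant.command("3FWA*P1A", "STOPPED", source="MCR")  # refused: control now sits at the ASP
    return plant
```

The point of `unannounced_transfers` is the design property the text relies on: there is no path by which control leaves the main control room without the control room being told. Running `demo()` leaves the pump RUNNING (transfer changed no status), the control room indicator dark, two annunciators raised, and the MCR stop command rejected until control is returned with `select_remote`.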

The controls available on the ASP provide the capabilities of achieving and maintaining a safe shutdown when the main control room is inaccessible. The controls necessary for immediate operator action to establish a stable plant condition are available on the ASP or in adjacent emergency switchgear rooms. The controls provide a means of sustaining the capability for boration, letdown, residual heat removal, natural circulation, continuing reactor coolant pump seal injection and for thermal barrier cooling water flow, and depressurization. The instrumentation and control functions which are required to be aligned for maintaining safe shutdown of the reactor that are discussed above are the minimum number of instrumentation and control functions.

Proper operation of other nonsafety related systems allows a more normal shutdown to be made and maintained by preventing a transient (Section 7.7).

Considering more restrictive conditions than those discussed in Section 7.4, certain accidents and transients are postulated in the Chapter 15 safety analyses which take credit for safe shutdown when the protection systems reactor trip terminates the transients and the engineered safety features system mitigates the consequences of the accident. In these transients, in general, no credit is taken for the control system operation should such operation mitigate the consequences

control system, whose equipment failure was assumed to have initiated the transient. These analyses in Chapter 15 show that safety is not adversely affected when such transients include the following:

1. Inadvertent boron dilution
2. Loss of normal feedwater
3. Loss of external electrical load and/or turbine trip
4. Loss of AC power to the station auxiliaries

The results of the analysis which determined the applicability of the nuclear steam supply system safe shutdown systems to the NRC General Design Criteria, IEEE Standard 279-1971, applicable NRC Regulatory Guides and other industry standards are presented in Table 7.1-1. The functions considered and listed below include both safety-related and nonsafety-related equipment.
1. Reactor trip system
2. Engineered safety features actuation system
3. Safety related display instrumentation for post-accident monitoring
4. Main control board
5. Auxiliary shutdown station
6. Residual heat removal
7. Instrument power supply
8. Control systems

TABLE 7.4-1 INSTRUMENTS AND CONTROLS OUTSIDE CONTROL ROOM FOR COLD SHUTDOWN

Columns: Description | ASP Section 1, Electrical Train A (Orange) | ASP Section 3, Electrical Train B (Purple)

Safety-Related Instruments on ASP

RHR Heat Exchanger Outlet Cooling Flow (0-800 gpm x 10) | 3CCP*FI67A2 | 3CCP*FI67B2
Boric Acid Tank 5A Level (0-240 gal x 100) | 3CHS*LI102A | 3CHS*LI104A
Boric Acid Tank 5B Level (0-240 gal x 100) | 3CHS*LI105A | 3CHS*LI106A
Stm Gen 1 Level (0-100%) | 3FWS*LI501A | 3FWS*LI519A
Stm Gen 2 Level (0-100%) | 3FWS*LI529A | 3FWS*LI502A
Stm Gen 3 Level (0-100%) | 3FWS*LI503A | 3FWS*LI537A
Stm Gen 4 Level (0-100%) | 3FWS*LI548A | 3FWS*LI504A
RCS Pressure (0-300 psia x 10) | 3RCS*PI405B | 3RCS*PI403B
Demin Water Storage Tank Level (18,520-352,435 gal) | 3FWA*LI20A2 | 3FWA*LI20B2
Stm Gen 1 Aux Fdwtr Flow (0-350 gpm) | 3FWA*FI51A2 | Note 1
Stm Gen 2 Aux Fdwtr Flow (0-350 gpm) | Note 1 | 3FWA*FI33B2
Stm Gen 3 Aux Fdwtr Flow (0-350 gpm) | Note 1 | 3FWA*FI33C2
Stm Gen 4 Aux Fdwtr Flow (0-350 gpm) | 3FWA*FI51D2 | Note 1
Refueling Water Storage Tank Level (0-1.2 gal x 10⁶) | 3QSS*LI930A | 3QSS*LI931A
Loop 1 Hot Leg Temp (0-700°F) | 3RCS*TI413C | Note 2
Loop 2 Hot Leg Temp (0-700°F) | 3RCS*TI423C | Note 2
Loop 3 Hot Leg Temp (0-700°F) | 3RCS*TI433C | Note 2
Loop 4 Hot Leg Temp (0-700°F) | 3RCS*TI443C | Note 2
Loop 1 Cold Leg Temp (0-700°F) | Note 2 | 3RCS*TI413D
Loop 2 Cold Leg Temp (0-700°F) | Note 2 | 3RCS*TI423D
Loop 3 Cold Leg Temp (0-700°F) | Note 2 | 3RCS*TI433D
Loop 4 Cold Leg Temp (0-700°F) | Note 2 | 3RCS*TI443D
Pressurizer Level (0-100%) | 3RCS*LI459C | 3RCS*LI460C
Pressurizer Pressure (170-250 psia x 10) | 3RCS*PI455B | 3RCS*PI456B
Stm Gen 1 Pressure (0-1300 psig) | 3MSS*PI514B | 3MSS*PI515B
Stm Gen 2 Pressure (0-1300 psig) | 3MSS*PI524B | 3MSS*PI525B
Stm Gen 3 Pressure (0-1300 psig) | 3MSS*PI534B | 3MSS*PI535B
Stm Gen 4 Pressure (0-1300 psig) | 3MSS*PI544B | 3MSS*PI545B
Power 4.16 kV Bus 34C, Train A (0-5250V) | VM2-3ENS*SWG-A | Note 3
Power 4.16 kV Bus 34D, Train B (0-5250V) | Note 3 | VM2-3ENS*SWG-B
Containment Pressure (0-60 psia) | 3LMS*PI937A | 3LMS*PI936A

Safety-Related Equipment with Controls on ASP

Aux Fdwtr Control Valve (Throttling) | 3FWA*HV31A | 3FWA*HV31B
Aux Fdwtr Control Valve (Throttling) | 3FWA*HV31D | 3FWA*HV31C
Aux Fdwtr Control Valve (Throttling) | 3FWA*HV32A | 3FWA*HV32B
Aux Fdwtr Control Valve (Throttling) | 3FWA*HV32D | 3FWA*HV32C
Aux Fdwtr Control Valve (Throttling) | 3FWA*HV36B | 3FWA*HV36A
Aux Fdwtr Control Valve (Throttling) | 3FWA*HV36C | 3FWA*HV36D
Aux Fdwtr Isolation Valve | 3FWA*MOV35B | 3FWA*MOV35A
Aux Fdwtr Isolation Valve | 3FWA*MOV35C | 3FWA*MOV35D
Aux Fdwtr Pump Alt Suction Valve | 3FWA*AOV23A | 3FWA*AOV23B
Turbine Driven Aux Fdwtr Pump Stm Supply Valve | 3MSS*AOV31A | 3MSS*AOV31B
Turbine Driven Aux Fdwtr Pump Stm Supply Valve | Note 4 | 3MSS*AOV31D
Main Stm Pressure Relieving Valve Isol Valve | 3MSS*MOV18A | 3MSS*MOV18B
Main Stm Pressure Relieving Valve Isol Valve | 3MSS*MOV18C | 3MSS*MOV18D
Main Stm Pressure Relieving Valve Bypass Valve | 3MSS*MOV74B | 3MSS*MOV74A
Main Stm Pressure Relieving Valve Bypass Valve | 3MSS*MOV74D | 3MSS*MOV74C
Pressurizer Power Relief Valve | 3RCS*PCV455A | 3RCS*PCV456
Pressurizer Relief Isol Valve | 3RCS*MV8000A | 3RCS*MV8000B
Pressurizer Aux Spray Valve | 3RCS*AV8145 | Note 5
Reactor Vessel Head Vent Isol Valve | 3RCS*SV8095A | 3RCS*SV8095B
Reactor Vessel Head Vent Isol Valve | 3RCS*SV8096A | 3RCS*SV8096B
Reactor Vessel to Excess Letdown Valve | 3RCS*MV8098 | Note 6
Reactor Vessel to Pressurizer Relief Tank Letdown Valve | 3RCS*HCV442A | 3RCS*HCV442B
Pressurizer Level Control Valve | 3RCS*LCV459 | Note 7
Pressurizer Level Control Valve | 3RCS*LCV460 | Note 7
Letdown Orifice Isol Valve | 3CHS*AV8149A | Note 8
Letdown Orifice Isol Valve | 3CHS*AV8149B | Note 8
Letdown Orifice Isol Valve | 3CHS*AV8149C | Note 8
Letdown to VCT/GWS Divert Valve | 3CHS*LCV112A | Note 9
Vol Control Tank Outlet Isol Valve | 3CHS*LCV112B | 3CHS*LCV112C
RWST to Charging Pump Suction Valve | 3CHS*LCV112D | 3CHS*LCV112E
Charging System to RCS Isol Valve | 3CHS*AV8147 | 3CHS*AV8146
Boric Acid Gravity Feed Valve | 3CHS*MV8507A | 3CHS*MV8507B
Charging Header Isol Valve | 3CHS*MV8438A | 3CHS*MV8438B
Charging Header Isol Valve | 3CHS*MV8438C | Note 10
Charging Pump A Recirc Valve | Note 11 | 3CHS*MV8111A
Charging Pump B Recirc Valve | Note 11 | 3CHS*MV8111B
Charging Pump C Recirc Valve | Note 11 | 3CHS*MV8111C
SI to Charging Pumps Suction Valve | 3CHS*MV8468A | 3CHS*MV8468B
Charging Header Flow Control Valve | 3CHS*HCV190A | 3CHS*HCV190B
Charging Header Isol Bypass Valve | 3CHS*MV8116 | Note 12
Charging Pump to RCS Isol Valve | 3CHS*MV8105 | 3CHS*MV8106
Charging Pump Miniflow Control Valve | 3CHS*MV8511A | 3CHS*MV8511B
RHS Heat Exchanger Component Cooling Water Outlet Valve | 3CCP*FV66A | 3CCP*FV66B
RHS to Cold Leg Isol Valve | 3SIL*MV8809A | 3SIL*MV8809B
RWST to RHR Pump Suction Valve | 3SIL*MV8812A | 3SIL*MV8812B
Safety Injection Accumulator Tank Isol Valve | 3SIL*MV8808A | 3SIL*MV8808B
Safety Injection Accumulator Tank Isol Valve | 3SIL*MV8808C | 3SIL*MV8808D
Safety Injection Accumulator Tank 1 Nitrogen Supply | 3SIL*SV8875A | 3SIL*SV8875E
Safety Injection Accumulator Tank 2 Nitrogen Supply | 3SIL*SV8875B | 3SIL*SV8875F
Safety Injection Accumulator Tank 3 Nitrogen Supply | 3SIL*SV8875C | 3SIL*SV8875G
Safety Injection Accumulator Tank 4 Nitrogen Supply | 3SIL*SV8875D | 3SIL*SV8875H
Safety Injection Accumulator Vent Control | 3SIL*HCV943A | 3SIL*HCV943B
RHS Inlet Isol Valve | 3RHS*MV8701A (Note 13) | 3RHS*MV8701B
RHS Inlet Isol Valve | 3RHS*MV8701C | 3RHS*MV8702B
RHS Inlet Isol Valve | 3RHS*MV8702A | 3RHS*MV8702C
Charging Pump Cooling Pump | 3CCE*P1A | 3CCE*P1B
Pressurizer Heater Backup | 3RCS*H1A (Group A) | 3RCS*H1B (Group B)
Cold Shutdown Air Compressor | 3IAS-C2A | 3IAS-C2B
Air Conditioning Unit for SI, QS, and RHR Pump Area | 3HVQ*ACUS1A | 3HVQ*ACUS1B

Safety-Related Miscellaneous Controls

Main Stm Line Safety Injection Block/Reset | Train A | Train B
Pressurizer Pressure Safety Injection Block/Reset | Train A | Train B
Sequencer LOP Reset | Train A | Train B
Sequencer LOP Reset Light | Train A | Train B
Sequencer Manual Start Block Light | Train A | Train B
RCS Cold Overpressure Mitigating Arm/Block | Train A | Train B

Nonsafety-Related Instruments on ASP, Section 2/Non-Train

Reserve Instrument Air Header Pressure (0-150 psig) | 3IAS-PI73B
NIS-Source Range Count Rate (10⁰-10⁶ CPS) | 3NMS-NI31C
NIS-Source Range Count Rate (10⁰-10⁶ CPS) | 3NMS-NI32C
RHR Heat Exchanger Outlet Temp (50-400°F) | 3RHS-TI604
NIS-Intermediate Range Neutron Flux (10 10-3 AMPS) | 3NMI-NI35C
NIS-Intermediate Range Neutron Flux (10 10-3 AMPS) | 3NMI-NI36C
Condensate Storage Tank Level (0-300 x 10³ GAL) | 3CNS-LI15A
Volume Control Tank Level (0-100%) | 3CHS-LI112A
Letdown Flow (0-200 gpm) | 3CHS-FI132A
Regenerative Heat Exchanger Outlet Temp (100-600°F) | 3CHS-TI126A
RHR Heat Exchanger Outlet Temp (50-400°F) | 3RHS-TI605
RCP 1 Seal Water Flow (0-15 gpm) | 3CHS-FI145C
RCP 2 Seal Water Flow (0-15 gpm) | 3CHS-FI144C
RCP 3 Seal Water Flow (0-15 gpm) | 3CHS-FI143C
RCP 4 Seal Water Flow (0-15 gpm) | 3CHS-FI142C

TABLE 7.4-1 INSTRUMENTS AND CONTROLS OUTSIDE CONTROL ROOM FOR COLD SHUTDOWN (CONTINUED)

Columns: Description | Mark No.

Equipment with Nonsafety-Related Controls, ASP Section 2/Non-Train

Excess Letdown Flow Control Valve | 3CHS*HCV123
RHR Letdown Flow Control Valve | 3CHS*HCV128
Charging Flow Control Valve | 3CHS*FCV121
Low Pressure Letdown Control Valve | 3CHS*PCV131
RCP Seal Water Supply Control Valve | 3CHS*HCV182
RHR Heat Exchanger A Outlet Flow Control | 3RHS*HCV606
RHR Heat Exchanger A Bypass Control | 3RHS*FCV618
RHR Heat Exchanger A Component Cooling Flow Control | 3CCP*FV66A
RHR Heat Exchanger B Component Cooling Flow Control | 3CCP*FV66B
RHR Heat Exchanger B Outlet Flow Control | 3RHS*HCV607
RHR Heat Exchanger B Bypass Flow Control | 3RHS*FCV619
Main Stm Pressure Relieving Valve | 3MSS*PV20A
Main Stm Pressure Relieving Valve | 3MSS*PV20B
Main Stm Pressure Relieving Valve | 3MSS*PV20C
Main Stm Pressure Relieving Valve | 3MSS*PV20D

Miscellaneous Controls, ASP Section 2/Non-Train

White Indicator Light (Steam Line Safety Injection Blocked, Train A)
White Indicator Light (Steam Line Safety Injection Blocked, Train B)
White Indicator Light (Pressurizer Safety Injection Blocked, Train A)
White Indicator Light (Pressurizer Safety Injection Blocked, Train B)

Safety-Related Controls on 4160V Emergency Switchgear

Motor-Driven Aux Fdwtr Pumps | 3FWA*P1A, Train A; 3FWA*P1B, Train B
Charging Pumps | 3CHS*P3A, Train A; 3CHS*P3B, Train B; 3CHS*P3C, Swing Pump
Service Water Pumps | 3SWP*P1A, Train A; 3SWP*P1C, Train A; 3SWP*P1B, Train B; 3SWP*P1D, Train B
Reactor Plant Component Cooling Pumps | 3CCP*P1A, Train A; 3CCP*P1B, Train B; 3CCP*P1C, Swing Pump
Control Building Chilled Water Pumps | 3HVK*P1A, Train A; 3HVK*P1B, Train B
RHR Pumps | 3RHS*P1A, Train A; 3RHS*P1B, Train B

Local, Manual Valve Control

Adjustable travel limiters (to be used during safety grade cold shutdown with single failure loss of one train of RHS and loss of all instrument air) | 3RHS*FCV618, Train A; 3RHS*FCV619, Train B

NOTES:

1. There is one auxiliary feedwater flow indicator per steam generator on the ASP - two are Train A and two are Train B.

2. The RC loop hot leg temperature indicators are Train A; the cold leg temperature indicators are Train B.

3. There is one emergency bus voltmeter for each emergency bus (Trains A and B) on the ASP.

4. There are three steam supply valves for the turbine-driven auxiliary feedwater pump - one is Train A and two are Train B.

5. The pressurizer auxiliary spray valve is Train A only.

6. There is no Train B reactor vessel to excess letdown valve.

7. 3RCS*LCV459 and 460 are in series; both are Train A letdown valves.

8. The three letdown orifice isolation valves are all Train A.

9. 3CHS*LCV112A is Train A; 3CHS*AOV71 upstream of 3CHS*LCV112A is non-train and can be controlled from the main board or gaseous waste panel.

10. 3CHS*MV8438C is Train A only; it is the charging header cross connect valve.

11. 3CHS*MV8111A, B, and C - charging pump recirculation valves - are all Train B. 3CHS*MV8110 is the Train A common recirculation valve and can be operated from the main control board; it is normally OPEN.

12. The charging header isolation bypass valve is Train A only.

13. 3RHS*MV8701A is not interlocked with RCS pressure low from ASP control.

In the event of a loss of the Control Room and transfer of operations to the ASP, Local-Remote switches outside the Control Room are used to transfer certain control functions.

Control power to operate valves 3RHS*HCV 606 & 607 and 3RHS*FCV 618 & 619 (energize solenoid operated valves on pneumatic tubing) will be shifted via the local-remote switch that transfers control of valves 3SIL*MV8809 A & B to the ASP.


7.5.1 DESCRIPTION

An analysis was conducted to identify the appropriate variables and establish appropriate design ranges and qualification criterion for instrumentation employed by the operator for monitoring conditions in the reactor coolant system, the secondary heat removal system and the containment, including engineered safety functions and other systems normally employed for attaining a safe shutdown condition.

This instrumentation is used by the operators to monitor Millstone 3 throughout all operating conditions, including anticipated operational occurrences and accidents and post accident conditions. Table 7.5-1 provides a listing of the variables identified to meet the intent of Regulatory Guide 1.97 Revision 2. The table includes the following information for each variable identified:

1. Sensor and Main Board Instrument Component Identification Tag Numbers.
2. Recommended Range and Regulatory Guide 1.97 Design Category versus Actual Range and Design Category.
3. Designed Redundancy.
4. Type of Power Supply.
5. Display Methodology (Variable, Trend, and/or Safety Parameter Display System (SPDS) or Offsite Facilities Information System (OFIS) availability).
6. Regulatory Guide 1.97 Revision 2, Type and Category (as defined in Specification SP-M3-IC-022).
7. Environmental Qualification (as defined in Specification SP-M3-IC-022).
8. Seismic Qualification (as defined in Specification SP-M3-IC-022).
9. Quality Assurance Qualification (as defined in Specification SP-M3-IC-022).

To assist in understanding the process for identifying the variables in Table 7.5-1, Specification SP-M3-IC-022, The Millstone 3 Design Basis to Respond to Regulatory Guide 1.97, Revision 2, describes:

1. Plant conditions under which the instrumentation must be operable
2. Selection criteria (Type A, B, C, D, or E)
3. Qualification criteria (Category 1, 2, or 3)
5. Processing display criteria (accessibility, historical record, etc.)

The title of this section originates from Regulatory Guide 1.70. Although this section is titled Safety Related Display Instrumentation, not all the instruments discussed in this section are safety related.

7.5.1.1 Safety Parameter Display System

The purpose of the Safety Parameter Display System (SPDS) is to provide a concise display of critical plant variables to control room operators to aid them in rapidly and reliably determining the safety status of the plant. SPDS is designed to assist the operator in implementing the functional restoration guidelines in the Emergency Operations Procedures (EOPs) by providing computer-driven displays that show the current state of the plant's critical safety functions used by the guidelines. Details of the SPDS design are provided in Specification SP-EE-149A.

The means of displaying the variables identified in Table 7.5-1 as part of the Safety Parameter Display System and the Emergency Response Facilities (EOF/TSC) are discussed in Specification SP-M3-IC-022.

7.5.1.2 Emergency Response Facilities

The Emergency Response Facilities are discussed in Section 13.3 of the FSAR as part of the Millstone Nuclear Power Station Emergency Plan.

7.5.2 ANALYSIS

Analyses for compliance with the requirements of this section are addressed in Table 7.5-1.

Further information is provided in Specification SP-M3-IC-022, The Millstone 3 Design Basis to Respond to Regulatory Guide 1.97, Revision 2.

7.5.3 COMPLIANCE WITH OTHER REGULATORY REQUIREMENTS

1. Compliance with Regulatory Guide 1.47 for bypassed and inoperable status design philosophy is described below.
a. An indicator of bypass is provided for each protection system. Bypass includes any deliberate action which renders a protection system inoperable.
b. The indicator is at the system level, not the channel or component level. (Quench spray is a system. A quench spray pump is a component.) There is a separate indicator for each train.


  • The action is deliberate. (Component failure may be indicated by component failure indicators but should not operate the system bypass indicator. It is not the intent of the indicator to show operator errors or component failures.)
  • The action is expected to occur more often than once a year. This more often than once a year criterion should be interpreted liberally. If an accessible, permanently installed electrical control device will bypass a safety system, assume that it will be used more than once a year.

Devices within the containment are not accessible.

  • The action is expected when the protection system must be operable. (Bypass of source range flux trip during normal power operation should not, for example, be indicated on the system bypass indicator. It may be indicated on a channel or component status indicator.)
  • The action renders the system inoperable, not merely potentially inoperable. (If, for example, redundant, parallel, 100 percent valves are provided for the discharge line of a spray pump, the system bypass indicator should not be actuated by the closing of only one of those valves. Valve closing may be indicated on a component status indicator. If both valves have been deliberately moved from the Open position, the system bypass indicator should be operated. If, on the other hand, each valve carried only 50 percent flow, the system would be inoperable if either was not open. That inoperability should be indicated at the system level. Also, if a system is put in the Trip mode during test, there should be no operation of the system bypass indicator. Such a test may be indicated on a channel status indicator. If a channel is put into bypass mode for test and sufficient redundant channels remain capable of operating the protection system and not more than one channel at a time is expected to be tested, the channel bypass should not be indicated at the system level. If an actuation signal will override the bypass, the system bypass indicator should not be operated.)
  • Some deliberate action has taken place in the protection system or a necessary supporting system. (For example, if the cooling water inlet valve for a recirculation spray heat exchanger is deliberately
d. The bypass indicators are separate from other plant indicators and grouped in a logical fashion.
e. A capability is provided to operate each bypass indicator manually. This lets the operator provide bypass indication for an event that renders a safety system inoperable but does not automatically operate the system bypass indicator.
f. There is not any capability to defeat an automatic operation of a bypass indicator. (Audible alarms may be silenced.)
g. The bypass indicators are accompanied by audible alarm.
h. No immediate operator action is required as a result of any system bypass indication.
i. The indication system is mechanically and electrically isolated from the safety system to avoid degradation of the safety system. No fault in the indicator system can impair the ability of the safety system to perform its safety-related function. The bypass indicators are not considered safety-related; i.e., they need not be designed to safety system criteria such as IEEE-279.
j. In accordance with IEEE-279, Paragraph 4.20, the operator must be able to determine why a system level bypass is indicated. This information is provided by the plant computer.
k. Inoperative indicators are provided for the Service Water, Emergency Diesel Generator, Control Building Chilled Water, Reactor Plant Component Cooling Water, and Vital Battery systems. These support systems are unique. They are important enough to warrant bypass indicators, but these indicators are differentiated from non-support system bypass indicators by color.
l. System design meets the recommendations of Branch Technical Position ICSB-21 as follows:
  • Each safety system has a Train A (orange) and Train B (purple) bypass indicator. The indicators are grouped together by train on the main control board. Support systems have white bypass indicators and are arranged together with the associated train of bypass indicators.


  • Means by which the operator can cancel erroneous bypassed indications are not provided.
  • The bypass indication system does not perform functions essential to safety. No operator action is required based solely on the bypass indication.
  • The indication system has no effect on plant safety systems.
  • The bypass indicating and annunciating function can be tested during normal plant operation.
2. Compliance with Regulatory Guide 1.75 for separation criteria is described in Section 1.8 and Specification SP-M3-IC-022.
3. Compliance with Regulatory Guide 1.105 for instrument spans and setpoints is described in Section 1.8 and Specification SP-M3-IC-022 and referenced in Section 7.1.
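The Regulatory Guide 1.47 criteria in item 1 above are essentially a decision rule: the system-level indicator operates only for a deliberate action that actually renders the train inoperable, not for component failures, test-trip mode, a single channel bypassed for test while enough redundant channels remain, or a bypass that an actuation signal would override. The following Python encodes that rule and the design-time selection criteria (deliberate, more often than once a year, expected when the system must be operable) as functions, using the parallel 100 percent and 50 percent valve cases from the text as constructed scenarios. This is an added illustration, not part of the FSAR or of any plant system; all class, field and function names are hypothetical and the scenarios are constructed, not plant data.

```python
"""Model of the Regulatory Guide 1.47 system-level bypass indication rules (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Component:
    """One parallel element of a protection system, e.g. a spray pump discharge valve."""
    name: str
    capacity_pct: int                    # share of the system function this element carries alone
    deliberately_removed: bool = False   # deliberate action: valve closed, breaker opened, etc.
    failed: bool = False                 # random failure: shown on component indicators, never here


@dataclass
class SystemTrain:
    """State of one train (A or B) that matters to its system bypass indicator."""
    name: str
    components: List[Component] = field(default_factory=list)
    actuation_overrides_bypass: bool = False   # an actuation signal would override the bypass
    in_test_trip_mode: bool = False            # system placed in Trip mode for a test
    channels_total: int = 4                    # sensor channels feeding the actuation logic
    channels_required: int = 2                 # channels that must remain to actuate the system
    channels_bypassed_for_test: int = 0


def deliberate_capacity_pct(train: SystemTrain) -> int:
    """Capacity left when only deliberate removals are counted. Failures are ignored on purpose:
    the indicator is not meant to show component failures or operator errors."""
    return sum(c.capacity_pct for c in train.components if not c.deliberately_removed)


def channels_sufficient(train: SystemTrain) -> bool:
    return train.channels_total - train.channels_bypassed_for_test >= train.channels_required


def system_bypass_indicated(train: SystemTrain) -> bool:
    """True only when a deliberate action renders the train inoperable (not merely potentially),
    no actuation signal overrides the bypass, and the train is not simply in test-trip mode."""
    if train.actuation_overrides_bypass or train.in_test_trip_mode:
        return False
    return deliberate_capacity_pct(train) < 100 or not channels_sufficient(train)


@dataclass
class CandidateAction:
    """A deliberate action considered at design time for connection to the system indicator."""
    description: str
    deliberate: bool
    renders_system_inoperable: bool
    expected_when_system_must_be_operable: bool
    accessible_permanent_electrical_control: bool
    inside_containment: bool = False
    expected_more_than_once_a_year: Optional[bool] = None   # None: apply the liberal rule


def warrants_system_indicator(a: CandidateAction) -> bool:
    frequent = a.expected_more_than_once_a_year
    if frequent is None:
        # Liberal interpretation: an accessible, permanently installed electrical control device
        # is assumed to be used more than once a year; devices inside containment are not accessible.
        frequent = a.accessible_permanent_electrical_control and not a.inside_containment
    return (a.deliberate and a.renders_system_inoperable
            and a.expected_when_system_must_be_operable and frequent)


def worked_cases() -> dict:
    """Constructed scenarios mirroring the examples in the text (not plant data)."""
    two_full = lambda a, b: SystemTrain("A", [Component("V1", 100, a), Component("V2", 100, b)])
    two_half = lambda a, b: SystemTrain("A", [Component("V1", 50, a), Component("V2", 50, b)])
    return {
        "one_of_two_100pct_valves_closed": system_bypass_indicated(two_full(True, False)),
        "both_100pct_valves_closed": system_bypass_indicated(two_full(True, True)),
        "one_of_two_50pct_valves_closed": system_bypass_indicated(two_half(True, False)),
        "valve_failed_not_deliberate": system_bypass_indicated(
            SystemTrain("A", [Component("V1", 100, failed=True)])),
        "trip_mode_during_test": system_bypass_indicated(
            SystemTrain("A", [Component("V1", 100, True)], in_test_trip_mode=True)),
        "one_channel_in_test": system_bypass_indicated(
            SystemTrain("A", [Component("V1", 100)], channels_bypassed_for_test=1)),
        "three_channels_in_test": system_bypass_indicated(
            SystemTrain("A", [Component("V1", 100)], channels_bypassed_for_test=3)),
        "actuation_overrides": system_bypass_indicated(
            SystemTrain("A", [Component("V1", 100, True)], actuation_overrides_bypass=True)),
        "source_range_bypass_at_power": warrants_system_indicator(CandidateAction(
            "source range flux trip bypassed during power operation", True, True, False, True)),
        "recirc_spray_hx_inlet_closed": warrants_system_indicator(CandidateAction(
            "recirculation spray HX cooling water inlet valve closed", True, True, True, True)),
    }
```

Two design choices follow the text directly: `deliberate_capacity_pct` deliberately ignores the `failed` flag, because a failure must be shown on component indicators rather than on the system bypass indicator, and the channel rule compares the channels still in service against the number needed to actuate rather than simply counting bypassed channels, which is what lets one channel in test remain a channel-level indication only.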


APPENDIX 7.5A MILLSTONE UNIT 3 DEVIATIONS TO REGULATORY GUIDE 1.97 REVISION 2

Table of Contents (Deviation Number, Variable, Page)

Deviation Number 1: RCS Pressure (Wide Range) ..... 1
Deviation Number 2: RCS Wide Range T-Hot ..... 2
Deviation Number 3: RCS Wide Range T-Cold ..... 3
Deviation Number 4: Steam Generator Level (Wide Range) ..... 4
Deviation Number 5: Deleted ..... 5
Deviation Number 6: Steamline Pressure ..... 6
Deviation Number 7: RCS Subcooling ..... 7
Deviation Number 8: Containment Hydrogen Concentration ..... 8
Deviation Number 9: Reactor Coolant Level ..... 9
Deviation Number 10: Containment Isolation Valve Status ..... 10
Deviation Number 11: RHR-Heat Exchanger Discharge Temperature ..... 11
Deviation Number 12: Accumulator Tank Pressure ..... 12
Deviation Number 13: Accumulator Level ..... 13
Deviation Number 14: Pressurizer Heater Breaker Position ..... 14
Deviation Number 15: Containment Sump Water Temperature ..... 15
Deviation Number 16: Containment Sump Level (NR) ..... 16
Deviation Number 17: VCT Level ..... 17
Deviation Number 18: High Level Liquid Radwaste Tank Level ..... 18
Deviation Number 19: Condenser Air Ejector ..... 19
Deviation Number 20: Reactor Coolant System Soluble Boron Concentration ..... 20
Deviation Number 21: Heat removal by the Containment Fan Heat Removal System ..... 21
Deviation Number 22: Radioactive Gas Holdup Tank Pressure ..... 22
Deviation Number 23: Radiation Exposure Rate (inside building or areas which are in direct contact with primary containment where penetrations and hatches are located) ..... 23
Deviation Number 24: Radiation Exposure Rate (inside buildings or areas where access is required to service equipment important to safety) ..... 24
Deviation Number 25: Deleted by FSARCR 05-MP3-006 ..... 25
Deviation Number 26: Pressurizer Relief Tank Level, Pressure, and Temperature ..... 26
Deviation Number 27: Hydrogen Recombiner Cubicle Ventilation Monitor ..... 27
Deviation Number 28: This Deviation deleted per FSARCR 01-MP3-33 ..... 28
Deviation Number 29: Flow rate to Millstone Stack (SLCRS) ..... 29
Deviation Number 30: Flow out Ventilation Vent ..... 30
Deviation Number 31: Deleted ..... 31
Deviation Number 32: Valve Status ..... 32
Deviation Number 33: Main Steam Isolation and Bypass Valve Status ..... 34
Deviation Number 34: Steam Generator Safety Valve Status ..... 36

MILLSTONE UNIT 3 REGULATORY GUIDE 1.97 REV. 2 DEVIATIONS

Deviation Number 1
Variable Name: RCS Pressure (Wide Range)
AMI Table Item Number: A1, B5, B15, C5, D4, D18

Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
Actual range is 3000 PSIA, versus a recommended range of 3000 PSIG.

Justification
The actual range of 0-3000 PSIA, which is approximately -14.7 to 2985.3 PSIG, is adequate to monitor the Reactor Coolant System pressure. In addition, RCS pressure (Extended Range, 15-0 PSIA), which is also a Regulatory Guide 1.97 variable, envelops the recommended range as described above.

Deviation Number 2
Variable Name: RCS Wide Range T-Hot
AMI Table Item Number: A2, B2, B13

Deviation From Regulatory Guide 1.97 Rev. 2 Guidance

1. Actual range is 0-700°F, versus a recommended range of 50-750°F.
2. Main board indicators are not redundant as recommended for Category 1 variables.

Justification
Both the range and redundancy deviations have been accepted per SSER 4, Appendix L, 3.3.2.

Deviation Number 3
Variable Name: RCS Wide Range T-Cold
AMI Table Item Number: A3, B3, B14

Deviation From Regulatory Guide 1.97 Rev. 2 Guidance

1. Actual range is 0-700°F, versus a recommended range of 50-750°F.
2. Main board indicators are not redundant as recommended for Category 1 variables.

Justification
Both the range and redundancy deviations have been accepted per SSER 4, Appendix L, 3.3.2.

Deviation Number 4
Variable Name: Steam Generator Level (Wide Range)
AMI Table Item Number: A4, B7, B10, B18, D27

Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
Main board indicators are not redundant as recommended for Category 1 variables.

Justification
Wide Range Steam Generator Level and Auxiliary Feedwater Flow are considered diverse redundant instrumentation. Although loss of one division of power supply would result in loss of indication of both flow and wide range level for two of the four steam generators, the design has been determined acceptable in accordance with the intent of Regulatory Guide 1.97, since only one steam generator is required for safe shutdown and Narrow Range Steam Generator Level instruments provide adequate backup information. Refer to NRC Inspection Report 50-423/90-, August 14, 1990.

Deviation Number 5
Variable Name: Deleted
AMI Table Item Number: None

Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
Deleted

Justification
Deleted

Deviation Number 6
Variable Name: Steamline Pressure
AMI Table Item Number: A8, B19, D23

Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
Actual range is 0 to 1300 PSIG, versus a recommended range of from atmospheric pressure to above the lowest safety valve setting. The lowest safety valve setting is 1185 PSIG.

Justification
This range deviation has been accepted per SSER 4, Appendix L, 3.3.14.

Deviation Number 7
Variable Name: RCS Subcooling
AMI Table Item Number: A15, B16

Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
This variable is designed as a Category 2, versus a recommended Category 1 design.

Justification
The Inadequate Core Cooling Monitor (ICCM) is designed and installed as a Class 1E System. However, its primary means of display in the Main Control Room is the Safety Parameter Display System (SPDS), which is a Non-Class 1E system. This design satisfies the requirements of NUREG-0737, Item II.F.2. The design category deviation has been accepted per SSER 4, Appendix L, 3.3.4 and SSER 5, 4.4.8.

Deviation Number 8
Variable Name: Containment Hydrogen Concentration
AMI Table Item Number: C12

Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
Actual range is 0-10% (capable of operating from 11.76 PSIA to maximum design pressure), versus a recommended range of 0-10% (capable of operating from 10 PSIA to maximum design pressure).

Justification
This range deviation has been accepted per SSER 4, Appendix L, 3.3.7.

Deviation Number 9
Variable Name: Reactor Coolant Level
AMI Table Item Number: B11

Deviation From Regulatory Guide 1.97 Rev. 2 Guidance

1. Actual range of Plenum Level: 0 to 100% and Head Level: 63 to 100%, versus a recommended range of Bottom of Core to Top of Vessel.
2. This variable is designed as a Category 2, versus a recommended Category 1 design.

Justification

1. The actual range is consistent with the recommended range in Regulatory Guide 1.97 Rev. 3 of Top of Vessel to Top of Core. This range deviation has been accepted per SSER 4, Appendix L, 3.3.3.
2. The Inadequate Core Cooling Monitor (ICCM) processes the reactor coolant level information for display. The ICCM is designed and installed as a Class 1E System.

However, its primary means of display in the Main Control Room is the Safety Parameter Display System (SPDS), which is a Non-Class 1E system. This design satisfies the requirements of NUREG-0737, Item II.F.2. The design category deviation has been accepted per SSER 4, Appendix L, 3.3.3 and SSER 5, 4.4.8.


Deviation Number 10
Variable Name: Containment Isolation Valve Status
AMI Table Item Number: C16

Deviation From Regulatory Guide 1.97 Rev. 2 Guidance

1. Containment Isolation Valves are qualified to recommended Category 1 requirements with exception of redundancy of associated main board valve indicators. Therefore, this variable will be considered a Category 2 variable.
2. Containment Isolation Valve 3CVS*MOV25 is not supplied with highly reliable power as recommended for Category 2 variables.

Justification

1. Type C variables which indicate the actual breach of a fission product barrier have been designated as preferred backup information and are qualified to Category 2 criteria. The deviation regarding redundancy of main board indicators has been accepted per SSER 4, Appendix L, 3.3.5.
2. Containment Isolation Valve 3CVS*MOV25 is locked closed. This valve does not perform a containment isolation function during a Design Basis Accident and should not be considered a Regulatory Guide 1.97 variable.


Deviation Number 11
Variable Name: RHR-Heat Exchanger Discharge Temperature
AMI Table Item Number: D1

Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
Actual range is 50-400°F, versus a recommended range of 32-350°F.

Justification
This range deviation has been accepted per SSER 4, Appendix L, 3.3.8.

Deviation Number 12
Variable Name: Accumulator Tank Pressure
AMI Table Item Number: D10

Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
Actual range is 0-700 PSIA, versus a recommended range of 0-750 PSIG.

Justification
This range deviation has been accepted per SSER 4, Appendix L, 3.3.10. However, the acceptance was based on a designed range of 0-700 PSIG, while the actual range is 0-700 PSIA, which is approximately -14.7 to 685.3 PSIG. The existing range is adequate to monitor expected accumulator tank pressures.

Deviation Number 13
Variable Name: Accumulator Level
AMI Table Item Number: D13

Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
This variable is designed as a Category 3, versus a recommended Category 2 design.

Justification
The NRC has accepted the design category deviation per NRC letter to John F. Opeka, dated April 1992, Docket Number 50-423. Refer to SSER 4, Appendix L, 3.3.9.

Deviation Number 14
Variable Name: Pressurizer Heater Breaker Position
AMI Table Item Number: D16

Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
Pressurizer Heater Breaker Position is monitored, versus a recommended measurement of electric current.

Justification
This deviation was accepted per SSER 4, Appendix L, 3.3.13.

Deviation Number 15
Variable Name: Containment Sump Water Temperature
AMI Table Item Number: D37

Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
This variable is designed as a Category 3, versus a recommended Category 2 design.

Justification
Approval of the installation of containment sump temperature as a Category 3 variable was granted by the NRC with the issue of Amendment 42 to Operating License NPF-49 in response to the NNECO request of August 14, 1989, which deleted license condition 2.C (6).

Deviation Number 16
Variable Name: Containment Sump Level (NR)
AMI Table Item Number: D38

Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
This variable is designed as a Category 3, versus a recommended Category 2 design.

Justification
This deviation was explicitly described in the Response to NRC question 420.6. The NRC approved the response to question 420.6 as part of SSER 4. The response to 420.6 states that two Class 1E qualified wide range and one unqualified narrow range sump water level channels are used to monitor the Containment Water Level. The narrow and wide range channels overlap.

Deviation Number 17
Variable Name: VCT Level
AMI Table Item Number: D44

Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
Only the cylindrical portion of the tank is measured for level, versus a recommended measurement of Top to Bottom.

Justification
This deviation was accepted per SSER 4, Appendix L, 3.3.19.

Deviation Number 18
Variable Name: High Level Liquid Radwaste Tank Level
AMI Table Item Number: D63

Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
Indication via dial, digital, CRT, or stripchart recorder of tank level is not provided in the Main Control Room as recommended for Category 3 variables.

Justification
Only a common trouble alarm is available in the Main Control Room. Variable indication and high/low level alarms are provided locally. This deviation has been accepted per SSER 4, Appendix L, 3.3.21.

Deviation Number 19
Variable Name: Condenser Air Ejector
AMI Table Item Number: C9

Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
Actual range is 1.5 x 10^-5 to 10^0 Ci/cc, versus a recommended range of 10^-6 to 10^-2 Ci/cc.

Justification
The low range or sensitivity of this monitor depends on the radionuclide mix and on the monitor background radiation. Both of these parameters are variable and therefore so is the monitor's sensitivity. The ability to detect a certain size of RCS leakage into the steam generator secondary side is also highly dependent on the reactor coolant activity, which is also highly variable. Even with low coolant activity, these monitors meet the intent of Regulatory Guide 1.97 Rev. 2, in that any major RCS leakage, including a tube rupture, would be easily detected and alarmed by the Condenser Air Ejector Monitor.

Deviation Number 20
Variable Name: Reactor Coolant System Soluble Boron Concentration
AMI Table Item Number: Not Listed

Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
Regulatory Guide 1.97 Rev. 2 recommends Category 3 instrumentation with a range of 0 to 6000 parts per million for this variable.

Justification
Category 1 Neutron Flux monitoring will adequately perform this function. This is being addressed by the NRC as part of their review of NUREG-0737, Item II.B.3 as described in SSER Appendix L, 3.3.1.

Deviation Number 21
Variable Name: Heat removal by the Containment Fan Heat Removal System
AMI Table Item Number: Not Listed

Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
Regulatory Guide 1.97 Rev. 2 recommends plant specific instrumentation for this variable.

Justification
The containment air coolers are not used in an accident or post-accident condition, and, therefore, this is not considered a Regulatory Guide 1.97 variable. This has been accepted per SSER 4, Appendix L, 3.3.16.

Deviation Number 22
Variable Name: Radioactive Gas Holdup Tank Pressure
AMI Table Item Number: Not Listed

Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
Regulatory Guide 1.97 Rev. 2 recommends instrumentation for this variable.

Justification
Millstone 3 does not have radioactive gas holdup tanks and therefore will not provide instrumentation for this variable. This has been accepted per SSER 4, Appendix L, 3.3.22.

Deviation Number 23
Variable Name: Radiation Exposure Rate (inside building or areas which are in direct contact with primary containment where penetrations and hatches are located)
AMI Table Item Number: Not Listed

Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
Regulatory Guide 1.97 Rev. 2 recommends monitoring radiation exposure rates inside buildings or areas, e.g., auxiliary building, reactor shield building annulus, fuel handling building, which are in direct contact with primary containment where penetrations and hatches are located, for the purpose of monitoring the containment structure for an indication of breach. This variable is listed under type C variables.

Justification
The utility is providing area radiation monitors, some of which happen to satisfy this requirement. These monitors are listed in FSAR Table 12.3-2. The utility declines to list these monitors in any accident plans and does not consider them to be safety related, nor Regulatory Guide 1.97 variables, for the following reasons. Regulatory Guide 1.97 Rev. 2 requires the monitors for indication of breach of containment. Breach of containment is best indicated by the effluent monitors and field test results. The proposed area monitors would be essentially useless for this purpose. During a serious accident, typical streaming and shine dose rates from the containment would be approximately 100 R/hr in these areas. Add to this the direct dose rates from any piping sources (e.g., RHR piping could be reading 10^6 R/hr) and it is obvious that the accident levels in these areas would preclude any determination of airborne leakage. Even if containment breach could be detected, these monitors would not be used for a quantitative estimate of release rates.

Refer to response to NRC question 420.6, note 29.

Deviation Number 24
Variable Name: Radiation Exposure Rate (inside buildings or areas where access is required to service equipment important to safety)
AMI Table Item Number: Not Listed

Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
Regulatory Guide 1.97 Rev. 2 recommends monitoring radiation exposure rates inside buildings or areas where access is required to service equipment important to safety, for the purpose of detection of significant releases, release assessment, and long-term surveillance. This variable is listed under type E variables.

Justification
The utility is providing area radiation monitors, some of which happen to satisfy this requirement. These monitors are listed in FSAR Table 12.3-2. The utility declines to list these monitors in any accident plans and does not consider them safety related, nor Regulatory Guide 1.97 variables, for the following reason. Regulatory Guide 1.97 states that these areas should have monitors with a range of 10^-1 R/hr to 10^4 R/hr. This range is too high because dose rates above 10^2 R/hr will preclude personnel access to the area. At Millstone Unit 3, any radiation areas that need personnel access will be surveyed by radiation protection teams using portable survey instruments to obtain a more accurate radiation picture than would be obtained with a single permanently mounted high range area monitor. Also, the high range area monitors would not be used for any post-accident dose assessments nor corrective actions. Refer to response to NRC Question 420.6, Note 67.

Deviation Number 25
Variable Name: Deleted by FSARCR 05-MP3-006
AMI Table Item Number: Deleted

Deviation Number 26
Variable Name: Pressurizer Relief Tank Level, Pressure, and Temperature
AMI Table Item Number: Not Listed

Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
Regulatory Guide 1.97 Rev. 2 recommends instrumentation to monitor Quench Tank Level, Pressure, and Temperature. Millstone Unit 3 does not list these instruments as accident monitoring variables.

Justification
Instrumentation is provided for the above variables that meets the requirements of Regulatory Guide 1.97 Rev. 2. However, the utility does not consider these instruments as post-accident monitoring instrumentation. This deviation was accepted by the NRC as part of the response to NRC question 420.6.

Deviation Number 27
Variable Name: Hydrogen Recombiner Cubicle Ventilation Monitor
AMI Table Item Number: C10, E10

Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
Actual range is 10^-6 to 10^0 Ci/cc, versus a recommended range of 10^-6 to 10^2 Ci/cc.

Justification
This variable is not considered a release point, but is used to actuate closure of the hydrogen recombiner cubicle. Because this is not a release point, instrumentation in conformance to Regulatory Guide 1.97 Rev. 2 is not needed. This has been accepted per SSER 4, Appendix L, 3.3.24.

Deviation Number 28
This Deviation deleted per FSARCR 01-MP3-33.

Deviation Number 29
Variable Name: Flow rate to Millstone Stack (SLCRS)
AMI Table Item Number: E3

Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
SLCRS accident monitoring instrumentation flow rate range is 150 to 12,150 Standard Cubic Feet per Minute (SCFM), versus a recommended flow rate range of 0 to 110% vent design flow.

Justification
Regulatory Guide 1.97 recommends instrumentation for this variable with a range of 0 to 110 percent of design flow rate. The SLCRS design maximum flow rate is 10,800 SCFM. The flow rate corresponding to 110 percent of the SLCRS design flow is 11,880 SCFM. The flow rate at the low end of the indication range, 150 SCFM, corresponds to 1.4 percent of the SLCRS design flow. The actual SLCRS flow range is approximately 200 SCFM to 10,800 SCFM. Actual minimum flow during SLCRS accident operation is 7600 SCFM and maximum flow is 10,800 SCFM.

Therefore, the accident monitoring instrumentation flow range of 150 to 12,150 SCFM is conservative and bounding. This range exceeds the 110 percent requirement of the Regulatory Guide for flow rate to the Millstone Stack. The minimum flow rate indication of 150 SCFM bounds the minimum system flow rate of 200 SCFM, although it deviates slightly from the Regulatory Guide requirement of 0 percent flow rate. Based on the minor nature of the deviation, and the fact that the indication provided fully bounds the expected system flow rates, this deviation is considered insignificant.

Deviation Number 30
Variable Name: Flow out Ventilation Vent
AMI Table Item Number: E2

Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
Flow out Ventilation Vent instrumentation flow rate range is 30,000 to 280,000 Standard Cubic Feet per Minute (SCFM), versus a recommended flow rate range of 0 to 110% vent design flow.

Justification
Regulatory Guide 1.97 recommends instrumentation for this variable with a range of 0 to 110 percent of design flow rate. The Ventilation Vent maximum flow rate is 232,000 SCFM. The flow rate corresponding to 110 percent of the Ventilation Vent maximum flow is therefore 255,200 SCFM. The measurement flow rate at the low end of the indication range, 30,000 SCFM, corresponds to 13 percent of the Ventilation Vent maximum flow.

The actual SLCRS flow range is approximately 17,000 SCFM to 232,000 SCFM. Therefore, the Ventilation Vent flow instrument's measurement range is conservative and bounding at the high end but will not measure down to the minimum flow rate that is possible. This minimum flow rate would result when a loss of power (LOP) occurs during cold weather conditions, i.e., when the charging pump cubicle dampers have been manually throttled. This system alignment isolates all of the ventilation from the Charging Pump Cubicles and, with the dampers partially closed in their winter mode, will result in approximately 17,000 SCFM. Otherwise, the expected minimum system flow will be above the instrument's minimum flow value of 30,000 SCFM. The flow instrument provides input to the Ventilation Vent radiation monitor computer to support a calculation of the amount of radioactivity released from the Ventilation Vent for the purpose of offsite dose estimates. Should a LOCA occur during this condition of flow rates below the instrument's measurement capability, the flow instrument will default to its minimum signal value, which will result in a conservative (larger) estimate of activity release. While less than desirable, this will result in conservative decisions with respect to Emergency Plan actions resulting from the dose assessment calculations.

Based upon this conservative result the deviation is determined to be acceptable.

Deviation Number 31
Variable Name: Deleted
AMI Table Item Number: Deleted

Deviation Number 32
Variable Name / AMI Table Item Number:
Main Steam Isolation and Bypass Valve Status: B21
Steam Generator Atmospheric Valve Status: D20
Main Steam Isolation and Bypass Valve Status: D21
FW Control and Bypass Valve Status: D24
FW Isolation Valve Status: D25
Steam Generator Blowdown Isolation Valve Status: D29

Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
Limit switches providing valve position indication are not qualified for long term post accident monitoring following a Main Steam Line Break (MSLB) inside the Main Steam Valve Building (MSVB).

Justification
Under the worst case MSLB scenario in the MSVB, the NAMCo limit switches monitoring safety related valve position may fail to provide the Regulatory Guide 1.97 required position indication because the limit switch temperature can exceed their qualification temperature during long term post accident periods (Reference 2). The NAMCo limit switches for the subject components are listed in EQRs 109-0-7, 109-8-2 and 109-3-1. As described in Reference 3, the MSVB NAMCo limit switches subjected to the temperature rise for this bounding scenario perform one of the following functions:

1. Valve position indication via lights on the Main Control Board and/or local electrical distribution equipment, plant process computer valve position input, and valve position annunciation. Failure of these limit switches will simply result in loss, or ambiguity, of those position signals. Many of these are credited for Regulatory Guide 1.97 post accident monitoring, primarily for containment isolation verification. Because this environmental condition is from a MSLB in the MSVB, containment isolation is not a required function and loss of these indications will not be significant nor impact any safety function. For the other valve position indications which are related to feedwater and/or steam line isolation, the closure of the valve will be recorded in the plant process computer history file once the valve has reached its safety position, which will occur prior to reaching the NAMCo qualification temperature. Subsequent indirect indication of maintaining valve closure will be evident through monitoring of steam generator level indications. These are indications only and any environmental failure of these limit switches cannot result in a repositioning of these valves from their safety position.

2. Air Operated Valve (AOV) control seal-in circuits which hold the AOV's solenoid valve energized after the momentary push button opens the AOV. These limit switch contacts are normally open in their de-energized state, i.e., the limit switch internal spring opposes contact closure. Once the valves move to their fail safe position, closed, there is no credible failure mechanism on the part of these limit switches that could cause a re-actuation of the solenoid and subsequent opening of the AOV.
3. The Feedwater Isolation Valve (FWIV) limit switches perform no function in the FWIVs' safety action to close upon receipt of a Feedwater Isolation signal, nor can their failure prevent the FWIVs' safety action to close. Additionally, any failure of the limit switches will not cause the FWIVs to open once they have moved to their fail safe closed position.

Therefore, should any of the subject MSVB NAMCo limit switches fail as a result of being exposed to the bounding worst case MSLB postulated above, they will not prevent any safety functions from occurring, nor will their failure result in any unacceptable consequences.

References

1. Calculation 07-ENG-04255M3, Rev. 00, Impact of SPU on MSVH Temperature & Pressure Transient due to Steam Line Break.

2. 08-SPUP-04379M3, Rev. 0, Thermal Lag Analysis for NAMCO Limit Switches Exposed to a HELB in the MSVB under SPU conditions.
3. Letter to NRC Serial Number 08-0248A RAI response to Stretch Power Uprate LAR dated May 15, 2008.


Deviation Number 33
Variable Name: Main Steam Isolation and Bypass Valve Status
AMI Table Item Number: B21, D21

Deviation From Regulatory Guide 1.97 Rev. 2 Guidance
Position sensor coils of the main steam isolation valves (MSIVs) are not qualified for long term post accident monitoring following a Main Steam Line Break (MSLB) inside the Main Steam Valve Building (MSVB).

Justification
MSIV (3MSS*CTV27A-D) valve position status is provided via position sensor coils in the valve bodies. The position sensor coils provide confirmation of steam line isolation through valve position indication following a MSLB. The MSVB environment resulting from the worst case MSLB in the MSVB will result in the Sulzer position sensor coils exceeding their qualification temperature during this event, with possible loss of position indication. In a letter to the NRC (Reference 1), it was stated that, alternately, steam generator level indication, which does not see the MSVB harsh environment, can be used to establish that isolation has occurred. This is further reinforced by Supplement 5 of the Millstone 3 SER (Reference 2), which states:

"In addition, the licensee stated that all Millstone 3 equipment which is required to function to mitigate the consequences of a main steam line break accident is qualified to function at the maximum compartment temperature of 325°F at steam line isolation. The licensee also stated that the equipment will remain in its safe position regardless of the fact that it will be exposed to temperatures above the qualification temperature. The staff reviewed all information provided by the licensee and found it acceptable."

Therefore, position indication is not necessary following a Main Steam Line Break inside the Main Steam Valve Building, since alternate methods are available for monitoring.

References

1. Letter from J.F. Opeka (NU) to NRC, Millstone Nuclear Power Station, Unit Number 3, Evaluation of Environmental Effects of Main Steam Line Break (MSLB) Outside Containment, Docket Number 50-423, B11944, dated January 7, 1986.

28/18 7.5A-34 Rev. 31


2. NUREG-1031, Supplement Number 5, Safety Evaluation Report related to the Operation of Millstone Nuclear Power Station, Unit Number 3, Docket Number 50-423, January 1986.


Deviation Number: 34
Variable Name: Steam Generator Safety Valve Status
AMI Table Item Number: D22

Deviation From Regulatory Guide 1.97 Rev. 2 Guidance

The flow elements (3SVV-FE28A-D, 3SVV-FE29A-D, 3SVV-FE30A-D, 3SVV-FE31A-D, and 3SVV-32A-D) which sense flow through the main steam safety relief valves (3MSS*RV22A-D, *RV23A-D, *RV24A-D, *RV25A-D, *RV26A-D), are not qualified for long term monitoring of flow / no flow indication following a Main Steam Line Break (MSLB) inside the Main Steam Valve Building (MSVB).

Justification

R 191-1-2 currently states the function of the flow elements is to sense flow through the main steam safety relief valves (3MSS*RV22A-D, *RV23A-D, *RV24A-D, *RV25A-D, *RV26A-D) and to provide flow / no flow indication to the plant control room in order to verify whether the safety valves are open or closed. The safety function of the flow element is to provide information on the main steam safety valve position, but they are not required for long term post accident monitoring following an MSLB in the MSVB, since there are other means to detect the safety valve lift. A letter from J. F. Opeka (NU) to NRC, Millstone Nuclear Power Station, Unit No. 3, Evaluation of Environmental Effects of Main Steam Line Break (MSLB) Outside Containment, Docket Number 50-423, B11944, dated January 7, 1986, states that following a steam line break, the steam generator level indication, which is located inside containment, will be available to identify the faulted loop. The letter further states:

For the intact loops, indication that the steam generators are isolated and level is maintained and heat removal is being accomplished can be obtained from steam generator level, auxiliary feedwater flow and reactor coolant system temperature, none of which are affected by the MSLB environment. Safety valve lift can be detected using main steam flow indication located inside containment or visual indication from the yard, and successful heat removal can be monitored by observing steam generator level, auxiliary feedwater flow and reactor coolant system temperature, as stated above. Containment isolation indication in the main steam valve building for the MSIV position indication. Isolation can be established via the main steam line pressure transmitters, which will be operable at the time of MSIV closure. Alternatively, steam generator level indication, which does not see the harsh environment, can be used to establish that isolation has occurred.


This is further reinforced by Supplement 5 of the Millstone 3 SER, NUREG-1031, Supplement Number 5, Safety Evaluation Report related to the Operation of Millstone Nuclear Power Station, Unit Number 3, Docket Number 50-423, January 1986, which states:

In addition, the licensee stated that all Millstone 3 equipment which is required to function to mitigate the consequences of a main steam line break accident is qualified to function at the maximum compartment temperature of 325°F at steam line isolation. The licensee also stated the equipment will remain in its safe position regardless of the fact that it will be exposed to temperatures above the qualification temperature. The staff reviewed all the information provided by the licensee and found it acceptable.

Therefore, the Steam Generator safety valve flow elements will not be required to be qualified for long term post accident monitoring following a MSLB inside the MSVB. Alternately, safety valve lift can be detected using main steam flow indication located inside containment or visual indication from the yard, and successful heat removal can be monitored by observing steam generator level, auxiliary feedwater flow and reactor coolant system temperature. Deviation to the Regulatory Guide 1.97 Program, specific to MSLB in MSVB, has no adverse impact on any other structures, systems, or components important to safety.

References

1. Letter from J.F. Opeka (NU) to NRC, Millstone Nuclear Power Station, Unit Number 3, Evaluation of Environmental Effects of Main Steam Line Break (MSLB) Outside Containment, Docket Number 50-423, B11944, dated January 7, 1986.
2. NUREG-1031, Supplement No. 5, Safety Evaluation Report related to the Operation of Millstone Nuclear Power Station, Unit Number 3, Docket Number 50-423, January 1986.


MPS-3 FSAR TABLE 7.5-1 ACCIDENT MONITORING INSTRUMENTATION LIST DISPLAY MAIN BOARD R.G. 1.97 Millstone 3 Item R.G. 1.97 Recommended Design Actual Power Variable Trend TSC, EOF Design Number Variable/Sensor Range/Status Category Range/Status Redundancy Supply Indication Indication Computer Category EEQ Seismic QA Trending Remarks/Notes PLANT SPECIFIC TYPE A VARIABLES

  • SEE Deviation Number 1, IN A1 RCS PRESSURE (WR) 0-3000 PSIG 1 0-3000 PSIA
  • YES VITAL UPS 3RCS*PI403 3RCS-PR403 RCS-P403 1 YES YES YES DED_REC Appendix 7.5A.

3RCS*PT403 3RCS*PI405 RCS-P405 OFIS 3RCS*PT403A SPDS 3RCS*PT405 3RCS*PT405A

  • SEE Deviation Number 2, IN A2 RCS WIDE RANGE T-HOT 50-750°F 1 0-700°F
  • NO ** VITAL UPS 3RCS*TI413A 3RCS-TR413A RCS-T413A 1 YES YES YES DED_REC Appendix 7.5A.
    • CORE EXIT THERMOCOUPLES 3RCS*TE413C 3RCS*TI423A 3RCS*TR433A RCS-T423A OFIS (A13) PROVIDES DIVERSE MEASUREMENT.

3RCS*TE423C RCS-T433A SPDS 3RCS*TE433C RCS-T443A 3RCS*TE443C RCS WIDE RANGE T-

  • SEE Deviation Number 3, IN A3 50-750°F 1 0-700°F
  • NO ** VITAL UPS 3RCS*TI413B 3RCS-TR413B RCS-T413B 1 YES YES YES DED_REC COLD Appendix 7.5A.
    • STEAMLINE PRESSURE 3RCS*TE413B 3RCS*TI423B 3RCS*TR433B RCS-T423B OFIS PROVIDES DIVERSE MEASUREMENT.

3RCS*TE423B RCS-T433B SPDS 3RCS*TE433B RCS-T443B 3RCS*TE443B A4 S/G LEVEL (WR) 1 0-100% OF NO

  • SEE Deviation Number 4, IN 3FWS*LT501 SPAN FROM 3FWS*LI502 3FWS-LR503 FWS-L502 OFIS Appendix 7.5A.

FROM TUBE SHEETS TO 3FWS*LT502 TUBE 3FWS*LI503 FWS-L503 AUXILIARY FEEDWATER FLOW SEPARATORS 3FWS*LT503 SHEETS TO 3FWS*LI504 FWS-L504 (A11) PROVIDES DIVERSE 3FWS*LT504 SEPARATORS MEASUREMENT.



0-100% OF A5 S/G LEVEL (NR) NS 1 YES VITAL UPS 3FWS*LI517 3FWS-FR510 FWS-L517 1 YES YES YES DED_REC SPAN 3FWS*LT517 3FWS*LI518 3FWS-FR520 FWS-L518 OFIS 3FWS*LT518 3FWS*LI519 3FWS-FR530 FWS-L519 SPDS 3FWS*LT519 3FWS*LI527 3FWS-FR540 FWS-L551 3FWS*LT551 3FWS*LI528 FWS-L527 3FWS*LT527 3FWS*LI529 FWS-L528 3FWS*LT528 3FWS*LI537 FWS-L529

  • NON-QA LEVEL INDICATORS PROVIDE ADDITIONAL 3FWS*LT529 3FWS*LI538 FWS-L552 INFORMATION BUT ARE NOT 3FWS*LT552 3FWS*LI539 FWS-L537 CREDITED AS RG 1.97 CATEGORY 1 3FWS*LT537 3FWS*LI547 FWS-L538 CHANNELS.

3FWS*LT538 3FWS*LI548 FWS-L539 3FWS*LT539 3FWS*LI549 FWS-L553 3FWS*LT553 3FWS-LI551

  • FWS-L547 3FWS*LT547 3FWS-LI552 FWS-L548 3FWS*LT548 3FWS-LI553 FWS-L549 3FWS*LT549 3FWS-LI554 FWS-L554 3FWS*LT554 0 TO 100% 0F A6 PRESSURIZER LEVEL BOTTOM TO TOP 1 YES VITAL UPS 3RCS*LI459A 3RCS-LR459 RCS-L459 1 YES YES YES DED_REC SPAN 3RCS*LT459 3RCS*LI460A RCS-L460 OFIS 3RCS*LT460 3RCS*LI461 RCS-L461 SPDS 3RCS*LT461 CONTAINMENT A7 0 TO DESIGN PRESSURE 1 0 TO 60 PSIA YES VITAL UPS 3LMS*PI934 3LMS-PR934 LMS-P934 1 YES YES YES DED_REC PRESSURE (NR) 3LMS*PT934 3LMS*PI935 LMS-P935 OFIS 3LMS*PT935 3LMS*PI936 LMS-P936 SPDS 3LMS*PT936 3LMS*PI937 LMS-P937 3LMS*PT937 0 TO 1300
  • SEE Deviation Number 6, IN A8 STEAMLINE PRESSURE 1 YES VITAL UPS 3MSS*PI514A 3MSS-PR514 MSS-P514 1 YES ** YES YES DED_REC PSIG
  • Appendix 7.5A.

3MSS*PT514 3MSS*PI515A 3MSS-PR535 MSS-P515 OFIS 3MSS*PT515 3MSS*PI516A MSS-P516 SPDS 3MSS*PT516 3MSS*PI524A MSS-P524 3MSS*PT524 FROM ATMOS. 3MSS*PI525A MSS-P525 PRESSURE TO 20%

3MSS*PT525 3MSS*PI526A MSS-P526 ABOVE THE LOWEST 3MSS*PT526 3MSS*PI534A MSS-P534 SAFETY VALVE 3MSS*PT534 3MSS*PI535A MSS-P535 SETTING.

3MSS*PT535 3MSS*PI536A MSS-P536 3MSS*PT536 3MSS*PI544A MSS-P544 3MSS*PT544 3MSS*PI545A MSS-P545 3MSS*PT545 3MSS*PI546A MSS-P546 3MSS*PT546 0 TO 1,200,000 A9 RWST LEVEL TOP TO BOTTOM 1 YES VITAL UPS 3QSS*LI930 3QSS-LR930 QSS-L930 1 YES YES YES DED_REC GAL 3QSS*LT930 3QSS*LI931 QSS-L931 OFIS 3QSS*LT931 3QSS*LI932 QSS-L932 SPDS


3QSS*LT932 3QSS*LI933 3QSS*LT933 CONTAINMENT WATER 1 TO 17 FEET

  • EEQ EXCEPT FOR LITS WHICH A10 1 YES VITAL UPS 3RSS*LI22A 3RSS*LR22 RSS-L22A1 1 YES* YES YES DED_REC LEVEL (WR) ** ARE IN A MILD ENVIRONMENT.
    • EQUIVALENT TO A RANGE OF 3RSS*LE22A1 3RSS*LI22B RSS-L22B1 OFIS 5,000 TO 1,400,000 GALLONS.

3RSS*LE22A2 BOTTOM OF SPDS CONTAINMENT TO 3RSS*LE22A3 600,000 GAL 3RSS*LE22B1 EQUIVALENT 3RSS*LE22B2 3RSS*LE22B3 3RSS*LIT22A 3RSS*LIT22B 0 TO 110% OF DESIGN VITAL & FWA-F33A3,

  • SG LEVEL (A4 & A5) PROVIDE A11 AUX FEEDWATER FLOW 1 0 TO 350 GPM YES
  • 3FWA*FI33B1 1 YES YES YES OFIS FLOW VITAL UPS B3, C3, D3 DIVERSE MEASUREMENT.

FWA-F51A3, 3FWA*FT33A, B, C, D 3FWA*FI51A1 SPDS B3, C3, D3 3FWA*FI51A, B, C, D 3FWA*FI33C1 3FWA*FI51D1 CONTAINMENT STRUCT. 1R/hr TO 100 TO 108R/

A12 1 YES VITAL UPS 3RMS*RAK1A 3HVR*RR10A RMS-R04A 1 YES YES YES OFIS

  • DIGITAL DISPLAY ON RAK RAD. LEVEL (HR) 104R/hr hr 3RMS*RE04A 3RMS*RAK1B 3HVR*RR19A RMS-R05A SPDS DIGITAL 3RMS*RE05A DISPLAY *
  • ICC CABINETS ARE NOT IN CORE EXIT 200°F TO A13 200°F TO 2300°F 1 YES VITAL PS 3CTS*ICCA CVCTST1-50 1 YES YES YES OFIS MAIN CONTROL ROOM, PRIMARY TEMPERATURE 2300°F MEANS OF DISPLAY IS VIA SPDS.

3CTS*TE1 THROUGH 50 3CTS*ICCB CVCETMX SPDS

  • 3RPS*RAKNIS1
  • THIS INSTRUMENTATION LOOP 10-6% TO 100% FULL SR: 10-1 TO A14 NEUTRON FLUX 1 YES VITAL UPS 3NME*NR1 NME-DET1SR 1 YES YES YES REDN_REC IS PART OF THE GAMMAMETRICS POWER 105 CPS SYSTEM.

WR: 10-8% TO 3RPS*RAKNIS2 3NME*DET1 3NME*NR2 NME-DET2SR OFIS 100%

3NME*DET2 NME-DET1WR SPDS NME-DET2WR

  • SEE Deviation Number 7, IN A15 RCS SUBCOOLING 1* N/A VITAL UPS 3CTS*ICCA CVSUBCOOL 2* YES YES YES OFIS 200°F SUB- Appendix 7.5A.

200°F SUBCOOLING TO COOLING TO ** ICC CABINETS ARE NOT IN SEE A1 AND A13 FOR 35°F SUPERHEAT 35°F 3CTS*ICCB SPDS MAIN CONTROL ROOM, PRIMARY LIST OF SENSORS SUPERHEAT MEANS OF DISPLAY IS VIA SPDS.

SPDS **

A16 Deleted by FSARCR 05-MP3-010 A17 Deleted by FSARCR 05-MP3-006 TYPE B VARIABLES REACTIVITY CONTROL


B1 NEUTRON FLUX 10-6% TO 100% FULL 1 SEE A14 SEE A14 POWER 3NME*DET1 3MNE*DET2 B2 RCS WIDE RANGE T-HOT 50 - 750°F 1 SEE A2 SEE A2 RCS WIDE RANGE T-B3 50 - 750°F 1 SEE A3 SEE A3 COLD DIGITAL ROD 0 TO 228 FULL IN OR NOT FULL POSITION B4 CONTROL ROD POSITION 3 STEPS, FULL N/A N/A 3 N/A N/A N/A IN INDICATION IN LIGHT DISPLAY RCS PRESSURE CONTROL B5 RCS PRESSURE (WR) 0-3000 PSIG 1 SEE A1 SEE A1 CONTAINMENT B6 0 TO DESIGN PRESSURE 1 SEE A7 SEE A7 PRESSURE (NR)

FROM TUBE SHEETS TO B7 S/G LEVEL (WR) 1 SEE A4 SEE A4 SEPARATORS RCS INVENTORY CONTROL B8 PRESSURIZER LEVEL BOTTOM TO TOP 1 SEE A6 SEE A6 BOTTOM OF CONTAINMENT WATER CONTAINMENT TO B9 1 SEE A10 SEE A10 LEVEL (WR) 600,000 BAL EQUIVALENT FROM TUBE SHEETS TO B10 S/G LEVEL (WR) 1 SEE A4 SEE A4 SEPARATORS NOT PLENUM REACTOR COOLANT BOTTOM OF CORE TO REQUIRED

  • SEE Deviation Number 9, IN B11 1 LEVEL: *0 TO YES VITAL UPS 3CTS*ICCA CVHDLVL 2* YES YES YES OFIS LEVEL TOP OF VESSEL PER RG 1.97 Appendix 7.5A.

100%

REV. 2 HEAD ** ICC CABINETS ARE NOT IN 3CTS*HJTCA1 THRU A8 LEVEL: 3CTS*ICCB CVHDLVLA SPDS ** MAIN CONTROL ROOM, PRIMARY 63 TO 100% MEANS OF DISPLAY IS VIA SPDS.

3CTS*HJTCB1 THRU B8 SPDS ** CVHDLVLB CVUPLENLVL CVPLENLVLA CVPLENLVLB REACTOR CORE COOLING CORE EXIT B12 200°F TO 2300°F 1 SEE A13 SEE A13 TEMPERATURE B13 WIDE RANGE T-HOT 50-750°F 1 SEE A2 SEE A2 B14 WIDE RANGE T-COLD 50-750°F 1 SEE A3 SEE A3 B15 RCS PRESSURE (WR) 0-3000 PSIG 1 SEE A1 SEE A1 200°F SUB TO 35°F B16 RCS SUBCOOLING 1 SEE A15 SEE A15 SUPERHEAT HEAT SINK MAINTENANCE B17 S/G LEVEL (NR) NS NS SEE A5 SEE A5 FROM TUBE SHEETS TO B18 S/G LEVEL (WR) 1 SEE A4 SEE A4 SEPARATORS


FROM ATMOS.

PRESSURE TO 20%

B19 STEAMLINE PRESSURE ABOVE THE LOWEST 1 SEE A8 SEE A8 SAFETY VALVE SETTING.

CORE EXIT B20 200°F TO 2300°F 1 SEE A13 SEE A13 TEMPERATURE FULLY TWO PAIR OF OPENED, MAIN STEAMLINE RED/GREEN FULLY

  • VALVE LVDTS ARE USED AS B21 ISOLATION & BYPASS NS NS N/A VITAL UPS LIGHTS PER MSS-Z27A# 2 YES *** YES YES OFIS **

CLOSED, & SENSORS.

VALVE STATUS

  • ISOLATION INTERMEDIA VALVE TE
    • FOR ISOLATION VALVES NOT 3MSS*CTV27A MSS-Z27B#

BYPASS VALVES.

      • SEE DEVIATION NOS. 32 AND 3MSS*CTV27B MSS-Z27C#

ONE PAIR OF 33 IN Appendix 7.5A 3MSS*CTV27C RED/GREEN MSS-Z27D#

3MSS*CTV27D LIGHTS PER 3MSS*HV28A BYPASS VALVE 3MSS*HV28B 3MSS*HV28C 3MSS*HV28D PRIMARY REACTOR CONTAINMENT B22 0 TO DESIGN PRESSURE 1 SEE A7 SEE A7 PRESSURE (NR)

B23 Deleted by FSARCR 05-MP3-010 TYPE C VARIABLES IN-CORE FUEL CLAD CORE EXIT C1 200°F TO 2300°F 1 SEE A13 SEE A13 TEMPERATURE PRIMARY COOLANT 10 Ci/ml to

  • REFER TO SSER 4, APPENDIX L, C2 3 N/A N/A ** 3 N/A N/A N/A GAMMA SPECTRUM 10 Ci/ml 3.3.1, 3.3.6
    • NO EXISTING INSTRUMENTS 10 Ci/gm TO 10 Ci/gm MONITOR THIS VARIABLE.

OR CONTINGENCY PLANS TO OBTAIN TID-14844 SOURCE AND ANALYZE SAMPLES OF TERM IN COOLANT PRIMARY COOLANT ARE VOLUME CONTAINED WITHIN CHEMISTRY DEPARTMENT IMPLEMENTING PROCEDURES.

C3 Deleted by FSARCR 05-MP3-015 RCS BOUNDARY


VITAL &

  • ALTHOUGH THIS VARIABLE IS C4 RCS PRESSURE (ER) NS NS 15-3500 PSIA YES 3RCS*P149 RCS-P49 1* YES YES YES OFIS VITAL UPS DESIGNED TO CATEGORY 1 CRITERIA, IT IS NOT UTILIZED AS A KEY VARIABLE. THIS VARIABLE IS USED AS A PREFERRED BACKUP 3RCS*PT49 3RCS*P150 VARIABLE TO MONITOR AN ACTUAL BREACH OF RCS BOUNDARY. REFER TO SPECIFICATION SP-M3-IC-022.

3RCS*PT50 C5 RCS PRESSURE (WR) 0-3000 PSIG 1 SEE A1 SEE A1 CONTAINMENT C6 0 TO DESIGN PRESSURE 1 SEE A7 SEE A7 PRESSURE (NR)

BOTTOM OF 1 CONTAINMENT WATER CONTAINMENT TO C7 SEE A10 SEE A10 LEVEL (WR) 600,000 GAL EQUIVALENT CONTAINMENT 1R/hr TO C8 STRUCTURE RADIATION 1 SEE A12 SEE A12 INTERNAL 107R/hr 1.5x10-5 Ci/cc CONDENSER AIR 10-6Ci/cc TO

  • SEE Deviation Number 19, IN C9 3 TO 100Ci/cc N/A N/A 3ARC-RIY21 CVARC21 3 N/A N/A N/A OFIS EJECTOR MONITOR 10-2Ci/cc Appendix 7.5A.

3RMS-CNSL1 3ARC-RE21 Workstation Monitor CONTAINMENT BOUNDARY

  • RECOMMENDED RANGE IS HYDROGEN NOT SPECIFIED FOR TYPE C IN THE RECOMBINER CUBICLE 10-6 TO 10-6 TO VITAL & REGULATORY GUIDE. THIS RANGE C10 2 N/A 3HVZ*RIY09A 3HVR*RR10B CVHVZ09A 2 NO YES YES REDN_REC VENTILATION 102 Ci/cc
  • 100 Ci /cc ** VITAL UPS IS FROM ALL OTHER IDENTIFIED RADIATION RELEASE POINTS UNDER THE TYPE E CRITERIA IN RG 1.97 REV. 2
    • SEE Deviation Number 27, IN 3HVZ*RE09A 3HVZ*RIY09B 3HVR*RR19B CVHVZ09B OFIS Appendix 7.5A.

3HVZ*RE09B CONTAINMENT PRES. VITAL &

C11 1 0 TO 200 PSIA YES 3LMS*PI24A 3LMS*PR24 LMS-P24A 1 YES YES YES DED_REC (ER) 5 PSIA TO 3 TIMES VITAL UPS 3LMS*PT24A DESIGN PRESSURE 3LMS*PI24B LMS-P24B OFIS 3LMS*PT24B SPDS CONTAINMENT

  • SEE Deviation Number 8 IN C12 HYDROGEN 0 TO 10% 3 0-10% YES VITAL 3SSP*AI58A 3SSP*AR58A SSP-A58A 1 ** YES ** YES ** YES ** DED_REC Appendix 7.5A.

CONCENTRATION

    • ALTHOUGH REG. GUIDE 1.7 REV. 3 ALLOWS A DESIGN VITAL UPS 3SSP*AI58B SSP-A58B OFIS CATEGORY 3, THE MONITORS ARE INSTALLED AND MAINTAINED AS CATEGORY I.



SPDS

  • SUPPLY AND RETURN LINES 10-6 TO VITAL &

C13 VENTILATION VENT (ER) 2 -7 N/A 3HVR*RIY10A 3HVR*RIY10A CVHR10A1 2 NO YES

  • YES DED_REC ARE CONNECTED TO NON-SEISMIC 103 Ci/cc 5X10 TO VITAL UPS DUCT.

3HVR*RE10A (HR) 104 Ci/cc 3HVR*RIY10B 3HVR*RR10B CVHR10B OFIS 3HVR*RE10B (NMR) SPDS SUPPLEMENTARY LEAK 10-6 TO 5X10-7 TO VITAL &

C14 COLLECTION AND 2 N/A 3HVR*RIY19A 3HVR*RR19A CVHVR19A1 2 NO YES YES DED_REC 103 Ci/cc 104Ci/cc VITAL UPS RELEASE SYSTEM (ER) 3HVR*RE19A (HR) 3HVR*RIY19B 3HVR*RR19B CVHVR19B OFIS 3HVR*RE19B (NMR) SPDS CONTAINMENT RECIRCULATION 10-6 TO 10- VITAL &

C15 NS NS 1 N/A 3SWP*RIY60A 3SWP*RR60A CVSWP60A 2 NO YES YES DED_REC COOLER SERVICE WATER Ci/cc VITAL UPS OUTLET 3SWP*RE60A 3SWP*RIY60B 3SWP*RR60B CVSWP60B OFIS 3SWP*RE60B SPDS FULLY OPENED, FULLY YES

  • SEE Deviation Number 10, IN C16 CLOSED-NOT CLOSED 1 NO
  • CIA 2 YES YES OFIS CLOSED, & **** Appendix 7.5A.

INTERMEDIA CONTAINMENT **

TE ISOLATION VALVE

    • VALVE LIMIT SWITCHES ARE STATUS INCLUDES ALL VITAL & ONE PAIR OF CIB USED AS SENSORS.

VALVES FROM FSAR VITAL UPS RED/GREEN

      • 3CVS*MOV25 IS NOT SUPPLIED Table 6.2-65EXCEPT NON-VITAL LIGHTS PER *****

WITH HIGHLY RELIABLE POWER.

CHECK VALVES, RELIEF UPS *** VALVE

        • REFER TO EQML.

VALVES, & MANUALLY

          • THESE OFIS POINTS PROVIDE OPERATED VALVES.

STATUS OF CONTAINMENT ISOLATION SIGNALS. THEY DO NOT PROVIDE STATUS OF INDIVIDUAL CONTAINMENT ISOLATION VALVES.

CONTAINMENT C17 0 TO DESIGN PRESSURE 1 SEE A7 SEE A7 PRESSURE (NR)

TYPE D VARIABLES RHR HEAT EXCHANGER NON-VITAL

  • SEE Deviation Number 11, IN D1 DISCHARGE 32 TO 350°F 2 50 TO 400°F

TEMPERATURE 3RHS-TE604 3RHS-TR613 RHS-T605 OFIS 3RHS-TE605 0 TO 110% OF DESIGN 0 TO 6000 NON-VITAL

  • REFER TO SSER 4, APPENDIX L, D2 FLOW (LHSI)

3RHS-FT618 3RHS-FI619 RHS-F619 SPDS 3RHS-FT619


FULLY OPENED, ONE PAIR OF VALVE STATUS SEE FULLY SEE SEE Attachment 1 FOR

  • VALVE LIMITS SWITCHES ARE D3 NS NS N/A LIGHTS PER 2 Attachment 1 CLOSED, & Attachment 1 QUALIFICATIONS USED AS SENSORS.

VALVE INTERMEDIA TE D4 RCS PRESSURE (WR) 0-3000 PSIG 1 SEE A1 SEE A1 SAFETY INJECTION SYSTEMS D5 RWST LEVEL TOP TO BOTTOM 1 SEE A9 SEE A9 CHARGING PUMP FLOW 0 TO 110% DESIGN 0 TO 1000 NON-VITAL

  • SEE ITEM NUMBER D7 FOR SI 2 N/A 3SIH-FI917 CHSP3A 2 YES YES NO OFIS **

(HHSI)

  • FLOW GPM UPS PUMP FLOW.

D6 3SIH-FT917 CHSP3B

    • CHARGING PUMP BREAKER CHS3C/C POSITION IS MONITORED VIA OFIS CHS3C/D 0 TO 100% OF DESIGN 27 TO 800 NON-VITAL
  • SEE ITEM NUMBER D6 FOR D7 SI PUMP FLOW (HHSI)

FLOW GPM (FI918) UPS CHARGING PUMP FLOW.

32 TO 800 ** CHARGING PUMP BREAKER 3SIH-FT918 N/A 3SIH-FI922 SIHP1B GPM (FI922) POSITION IS MONITORED VIA OFIS 3SIH-FT922 BOTTOM OF CONTAINMENT WATER CONTAINMENT TO D8 1 SEE A10 SEE A10 LEVEL (WR) 600,000 GAL EQUIVALENT D9 CCI PUMP STATUS

  • NS NS BREAKER N/A VITAL 2 NO YES YES
  • ALTERNATE TYPE D VARIABLE ONE PAIR OF 32-4T(F2F), 3CCI*P1A POSITION TO CCW FLOW TO ESF LIGHTS PER OPEN/ COMPONENT (ITEM D54) REFER TO 32-3U(F2D), 3CCI*P1B PUMP CLOSED SSER 4, APPENDIX L, 3.3.20 ACCUMULATOR TANK 0 TO 700 PSIA NON-VITAL
  • UPS Appendix 7.5A.

3SIL-PT963 3SIL-PI963 3SIL-PT965 3SIL-PI965 3SIL-PT967 3SIL-PI967 FULLY OPENED, ACCUMULATOR ONE PAIR OF FULLY

  • VALVE LIMIT SWITCHES ARE D11 ISOLATION VALVE CLOSED/OPEN 2 N/A VITAL LIGHTS PER 2 YES YES YES CLOSED, & USED AS SENSORS.

STATUS

  • VALVE INTERMEDIA TE 3SIL*MV8808A, B, C, D

FULLY ACCUMULATOR OPENED, ONE PAIR OF NITROGEN VENT FULLY

  • VALVE LIMIT SWITCHES ARE D12 NS NS N/A VITAL UPS LIGHTS PER 2 YES YES YES ISOLATION VALVE CLOSED, & USED AS SENSORS.

VALVE STATUS

  • INTERMEDIA TE 3SIL*SV8875A THRU H, 3SIL*ZI943A 3SIL*HCV943A, B 3SIL*ZI943B


6560 TO 7340 NON-VITAL

3SIL-LT950 3SIL-LI951 3SIL-LT951 3SIL-LI952 3SIL-LT952 10% TO 90% OF 3SIL-LI953 3SIL-LT953 VOLUME 3SIL-LI954 3SIL-LT954 3SIL-LI955 3SIL-LT955 3SIL-LI956 3SIL-LT956 3SIL-LI957 3SIL-LT957 REACTOR COOLANT SYSTEM CLOSED/NOT D14 PORV STATUS CLOSED/NOT CLOSED 2 N/A VITAL UPS ONE PAIR OF RCS-Z455A# 2 YES YES YES OFIS CLOSED LIGHTS PER 3RCS*PCV455A RCS-Z456#

VALVE 3RCS*PCV456 ONE PAIR OF PRESSURIZER SAFETY CLOSED/NOT NON-VITAL D15 2 N/A LIGHTS PER 2 YES YES NO VALVE STATUS CLOSED/NOT CLOSED CLOSED (VIA UPS VALVE (VIA FLOW ELEMENT/ FLOW 3RCS-FE48A SWITCH) ELEMENT/

3RCS-FE48B SWITCH) 3RCS-FE48C BREAKERS

  • ONLY HEATER GROUP A & B PRESSURIZER HEATER **

D16 ELECTRIC CURRENT 2 N/A VITAL RCS-H1A 2 NO YES YES OFIS ARE CONSIDERED POST-ACCIDENT BREAKER POSITION

  • OPEN/ ONE PAIR OF VARIABLE (420.6-1, NOTE 43)

CLOSED LIGHTS PER BREAKER ** SEE Deviation Number 14, IN 32S5-2 (3RCS*H1A) RCS-H1B Appendix 7.5A.

32V4-2 (3RCS*H1B)

D17 PRESSURIZER LEVEL BOTTOM TO TOP 1 SEE A6 SEE A6 D18 RCS PRESSURE (WR) 0-3000 PSIG 1 SEE A1 SEE A1 REACTOR COOLANT 0 TO 800

  • REFER TO SSER 4, APPENDIX L.

D19 MOTOR CURRENT 3 N/A N/A MB5A0403 3 N/A N/A N/A PUMP STATUS

  • AMPS 3.3.12.

MB5A0403 MC5B0203 MC5B0203 MB5C0503 MB5C0503 MC5D0103 MC5D0103 SECONDARY SYSTEM


S/G ATMOSPHERIC

  • NON-VITAL POWER SIGNAL TO D20 CLOSED/NOT CLOSED 2 N/A 2 YES ** YES YES VALVE STATUS POSITIONER 3MSS*PV20S
    • SEE Deviation Number 32 IN 3MSS*MOV74A FULLY Appendix 7.5A 3MSS*MOV74B OPENED, VITAL & ONE PAIR OF FULLY 3MSS*MOV74C NON-VITAL LIGHTS PER CLOSED, &

3MSS*MOV74D UPS

  • VALVE INTERMEDIA 3MSS*PV20A TE 3MSS*PV20B 3MSS*PV20C 3MSS*PV20D MAIN STEAMLINE D21 ISOLATION AND BYPASS NS NS SEE B21 SEE B21 VALVE STATUS S/G SAFETY VALVE CLOSED/NOT NON-VITAL ONE PAIR OF SEE Deviation Number 34 IN Appendix D22 CLOSED/NOT CLOSED 2 N/A SVV-F28A 2 YES

PRESSURE TO 20%

D23 STEAMLINE PRESSURE ABOVE THE LOWEST 1 SEE A8 SEE A8 SAFETY VALVE SETTING.

FULLY OPENED, VITAL & ONE PAIR OF MFW CONTROL AND FULLY

  • VALVE LIMIT SWITCHES USED D24 NS NS N/A NON-VITAL LIGHTS PER 2 YES *** YES YES BYPASS VALVE STATUS CLOSED, & AS SENSOR.

UPS** VALVE INTERMEDIA TE



    • NON-VITAL POWER SIGNAL TO 3FWS*FCV510 VALVE POSITIONER.
      • SEE Deviation Number 32 IN 3FWS*FCV520 Appendix 7.5A 3FWS*FCV530 3FWS*FCV540 3FWS*LV550 3FWS*LV560 3FWS*LV570 3FWS*LV580 VITAL &

MFW ISOLATION VALVE

  • VALVE LIMIT SWITCHES USED D25 NS NS N/A NON-VITAL 2 YES *** YES YES STATUS FULLY AS SENSOR.

UPS**

OPENED, ONE PAIR OF ** NON-VITAL POWER SIGNAL TO 3FWS*CTV41A FULLY LIGHTS PER VALVE POSITIONER.

CLOSED, &

VALVE *** SEE Deviation Number 32 IN 3FWS*CTV41B INTERMEDIA Appendix 7.5A TE 3FWS*CTV41C 3FWS*CTV41D NON-VITAL D26 MFW FLOW 3 0 TO 5 MPPH N/A 3FWS-FI510A FWS-F510 2 NO NO NO OFIS UPS 3FWS-FT510 3FWS-FI511A FWS-F511 SPDS 3FWS-FT511 3FWS-FI520A FWS-F520 3FWS-FT520 0 TO 100% DESIGN 3FWS-FI521A FWS-F521 3FWS-FT521 FLOW 3FWS-FI530A FWS-F530 3FWS-FT530 3FWS-FI531A FWS-F531 3FWS-FT531 3FWS-FI540A FWS-F540 3FWS-FT540 3FWS-FI541A FWS-F541 3FWS-FT541 FROM TUBE SHEETS TO D27 S/G LEVEL (WR) 1 SEE A4 SEE A4 SEPARATORS D28 S/G LEVEL (NR) NS NS SEE A5 SEE A5 FULLY OPENED,

  • VALVE LIMIT SWITCHES ARE S/G BLOWDOWN ONE PAIR OF FULLY USED AS SENSORS. THESE VALVES D29 ISOLATION VALVE NS NS N/A VITAL UPS LIGHTS PER 2 YES ** YES YES CLOSED, & ARE ALSO PART OF CONTAINMENT STATUS
  • VALVE INTERMEDIA ISOLATION VALVES, C16.

TE


FULLY OPENED, AUXILIARY FEEDWATER ONE PAIR OF FULLY SEE SEE Attachment 1 FOR

  • VALVE LIMIT SWITCHES ARE D31 VALVE STATUS
  • SEE NS NS N/A LIGHTS PER 2 CLOSED, & Attachment 1 QUALIFICATIONS USED AS SENSORS.

Attachment 1 VALVE INTERMEDIA TE

  • BASED ON CALCULATION NSP-D32 DWST LEVEL PLANT SPECIFIC 1 18,520 TO YES 3FWA*LI20A1 3FWA*LR20 FWA-L20B1 1 YES YES YES DED_REC VITAL & 098-FWA REV. 2 352,435 3FWA*LT20A VITAL UPS 3FWA*LI20B1 FWA-L20B2 OFIS GALLONS
  • 3FWA*LT20B FWA-L20B3 CONTAINMENT COOLING SYSTEM CONTAINMENT VITAL &

D33 40 TO 400°F 2 0 TO 400°F N/A 3LMS*TI21A 3LMS*TR21 2 YES YES YES DED_REC TEMPERATURE VITAL UPS 3LMS*TE21A, B 3LMS*TI21B BOTTOM OF CONTAINMENT WATER CONTAINMENT TO D34 1 SEE A10 SEE A10 LEVEL (WR) 600,000 GAL EQUIVALENT SPRAY SYSTEM VALVE

  • VALVE LIMIT SWITCHES ARE D35 NS NS N/A VITAL 2 YES YES YES STATUS USED AS SENSORS.

FULLY 3QSS*MOV34A, B SPDS OPENED, 3RSS*MOV20A, B, C, ONE PAIR OF FULLY D LIGHTS PER CLOSED, &

3RSS*MOV23A, B, C, VALVE INTERMEDIA D

TE 3RSS*MV8837A, B 3RSS*MV8838A, B CONTAINMENT D36 0 TO DESIGN PRESSURE 1 SEE A7 SEE A7 PRESSURE (NR)

  • SEE Deviation Number 15, IN CONTAINMENT SUMP D37 50 TO 250 °F 2 0 TO 300 °F N/A N/A 3RSS-TI21A 3* N/A N/A N/A Appendix 7.5A. REFER TO SSER 4, WATER TEMPERATURE APPENDIX L, 3.3.17.

3RSS-TE21A, B 3RSS-TI21B

  • SUPPLEMENTS CONTAINMENT CONTAINMENT SUMP WR LEVEL (ITEM A10) TO D38 SUMP 2 0 TO 3 FEET N/A N/A 3RSS-LI49 3** N/A N/A N/A LEVEL (NR) MONITOR THE LOWER END OF THE SUMP LEVEL.
  • Appendix 7.5A.

RSS HEAT EXCHANGER NON-VITAL D39 NS NS 40 TO 350°F N/A 3RSS-TI28A 2 YES YES NO OUTLET TEMPERATURE UPS 3RSS-TE28A, B, C, D 3RSS-TI28B 3RSS-TI28C 3RSS-TI28D


CONTAINMENT RECIRC 0 TO 110% OF DESIGN 0 TO 3300 YES/

  • FT40C, D AND FIS ARE D40 2 N/A 3RSS-FI38A RSSP1A 2** YES YES OFIS SPRAY FLOW (RSS) FLOW GPM NO* NONSAFETY RELATED.
    • REFER TO SSER4, APPENDIX L, 3RSS*FT38A 3RSS-FI38B RSSP1B SPDS VITAL & 3.3.15.

VITAL UPS *** PUMP BREAKER STATUS IS 3RSS*FT38B NON-VITAL 3RRS-FI40C RSSP1C PROVIDED BY OFIS FOR ALL UPS PUMPS SPDS PROVIDES BREAKER STATUS 3RSS-FT40C 3RRS-FI40D RSSP1D FOR ALL THE A, B, C, & D PUMPS.

3RSS-FT40D ***

CONTAINMENT QUENCH 0 TO 5000 NON-VITAL

  • REFER TO DOCKETED D41 NS NS N/A 3QSS-FI32A 3* N/A N/A N/A SPRAY FLOW (QSS) GPM UPS CORRESPONDENCE DOCKET NO.

50-423 A04668. REFER TO SSER4, 3QSS-FT32A, B 3QSS-FI32B APPENDIX L, 3.3.15.

CVCS 0 TO 110% DESIGN NON-VITAL

  • REFER TO SSER4, APPENDIX L, D42 CHARGING FLOW 2 0 TO 200 GPM N/A 3CHS-FI121A CHS-F121 2 YES YES NO OFIS FLOW UPS 3.3.11 & 3.3.18.

3CHS-FT121

  • SPDS D43 LETDOWN FLOW 0 TO 110% DESIGN 2 0 TO 200 GPM N/A NON-VITAL 3CHS-FI132 CHS-F132 2 YES YES NO OFIS 3CHS-FT132 FLOW UPS 0 TO 100% NON-VITAL YES/ YES/

D44 VCT LEVEL TOP TO BOTTOM 2 N/A 3CHS-LI112 (CRT) CHS-L112 2 NO OFIS

  • LT112 IS EEQ, LT185 IS NOT.

(LI185) ** UPS NO* NO*

3CHS-LT185

  • REFER TO SSER 4, APPENDIX L, D45 SEAL INJECTION FLOW
  • 2 0 TO 15 GPM N/A 3CHS-FI142A 2* YES YES NO 3.3.11 & 3.3.18.

3CHS-FT142 0 TO 110% DESIGN NON-VITAL 3CHS-FI143A 3CHS-FT143 FLOW UPS 3CHS-FI144A 3CHS-FT144 3CHS-FI145A 3CHS-FT145 FULLY OPENED, ONE PAIR OF VALVE STATUS

  • FULLY SEE SEE Attachment 1 FOR
  • VALVE LIMIT SWITCHES ARE D46 NS NS N/A LIGHTS PER 2 SEE Attachment 1 CLOSED, & Attachment 1 QUALIFICATIONS USED AS SENSORS.

VALVE INTERMEDIA TE D47 CCE PUMP STATUS NS NS BREAKER N/A VITAL 2 NO YES YES ONE PAIR OF 32-1R(R2K) (3CCE*P1A) POSITION LIGHTS PER OPEN /

32-1W(R2K) (3CCE*P1B) VALVE CLOSED ONE PAIR OF FULLY

  • VALVE LIMIT SWITCHES ARE D48 CCE VALVE STATUS
  • NS NS N/A VITAL UPS LIGHTS PER 2 YES YES YES OPENED, USED AS SENSORS.

VALVE FULLY 3CCE*AOV26A CLOSED, &

3CCE*AOV26B INTERMEDIA 3CCE*AOV30A TE 3CCE*AOV30B


CCW

  • SOME VALVES ARE NOT OPENED, EXPOSED TO HARSH ONE PAIR OF FULLY VITAL & YES/ ENVIRONMENTS DURING D50 VALVE STATUS
  • NS NS N/A LIGHTS PER 2 YES YES CLOSED, & VITAL UPS NO* ACCIDENT CONDITIONS AND VALVE INTERMEDIA THEREFORE ARE NOT TE ENVIRONMENTALLY QUALIFIED.
    • VALVE LIMIT SWITCHES ARE 3CCP*AOV10A USED AS SENSORS 3CCP*AOV10B 3CCP*AOV19A 3CCP*AOV19B 3CCP*AOV179A 3CCP*AOV179B 3CCP*AOV180A 3CCP*AOV180B 3CCP*AOV194A 3CCP*AOV194B 3CCP*AOV197A 3CCP*AOV197B 3CCP*MOV45A 3CCP*MOV45B 3CCP*MOV48B 3CCP*MOV48B 3CCP*MOV49A 3CCP*MOV49B 3CCP*FV66A 3CCP*FV66B
  • FT67A,B IS SAFETY RELATED, FLOW TO ESF 0 TO 110% OF DESIGN 0-8000 GPM YES/ YES/ YES/

D51 2 N/A 3CCP-FI11A CCP-F11A* 2 OFIS EEQ, AND COMPONENTS COMPONENTS FLOW (FI11) NO* NO* NO*

SEISMICALLY QUALIFIED.

0-2000 GPM ** REFER TO SSER 4, APPENDIX L, 3CCP-FT11A VITAL & 3CCP-FI11B CCP-F11B*

(FI15) 3.3.20.

VITAL UPS 0-8000 GPM 3CCP-FT11B & NON- 3CCP-FI15A CCP-F15A*

(FI67)

VITAL UPS 3CCP-FT15A 3CCP-FI15B CCP-F15B*

3CCP-FT15B 3CCP*FI67A1 3CCP*FT67A 3CCP*FI67B1 3CCP*FT67B HVAC


FULLY

  • SOME DAMPERS ARE NOT OPENED, EXPOSED TO HARSH ONE PAIR OF DAMPER POSITIONS SEE FULLY SEE SEE Attachment 1 FOR ENVIRONMENTS DURING D52 OPEN/CLOSED 2 N/A LIGHTS PER 2 Attachment 1 CLOSED, & Attachment 1 QUALIFICATIONS
  • ACCIDENT CONDITIONS AND DAMPER INTERMEDIA THEREFORE ARE NOT TE ENVIRONMENTALLY QUALIFIED.

SERVICE WATER

D53  Service Water Valve Status**
     R.G. 1.97 range/status: NS; R.G. 1.97 category: NS
     Actual range/status: fully opened, fully closed & intermediate
     Redundancy: N/A; power supply: Vital & Vital UPS
     Display: one pair of lights per valve (main board)
     Sensors: 3SWP*MOV54A, B, C, D; 3SWP*MOV57A, B, C, D; 3SWP*MOV102A, B, C, D; 3SWP*MOV71A, B; 3SWP*MOV50A, B; 3SWP*MOV115A, B; 3SWP*AOV39A, B; 3SWP*TV35A, B; 3WTC*AOV25A, B; 3SWP*MOV24A, B, C, D
     MPS-3 design category: 2; EEQ: YES/NO*; Seismic: YES; QA: YES
     Remarks: * Some valves are not exposed to harsh environments during accident conditions and therefore are not environmentally qualified. ** Valve limit switches are used as sensors.

D54  Flow to RSS Heat Exchanger
     R.G. 1.97 range/status: NS; R.G. 1.97 category: NS
     Actual range/status: 0 to 8000 GPM
     Redundancy: N/A; power supply: Non-Vital UPS
     Display: main board 3SWP-FI59A, 3SWP-FI59B, 3SWP-FI59C, 3SWP-FI59D; trend SWP-F59A, SWP-F59B, SWP-F59C, SWP-F59D; computer/trending SPDS
     Sensors: 3SWP-FT59A, 3SWP-FT59B, 3SWP-FT59C, 3SWP-FT59D
     MPS-3 design category: 2; EEQ: YES; Seismic: YES; QA: NO

ELECTRIC POWER

D55  Emergency Bus(s) Voltages, Current
     R.G. 1.97 range/status: voltage of 4160 V, 480 V, 120 VAC and 125 VDC buses; emergency diesel generators volts, hertz, amps, volt-amps; R.G. 1.97 category: 2
     Actual range/status: 4160 bus 0 to 5250 VAC; 480V bus 0 to 600 VAC; 120V bus 0 to 150 VAC; 125V bus 0 to 150 VDC; diesel volts 0 to 5250 V; diesel hertz 55 to 65 Hz; diesel amps 0 to 1200 amps; diesel volt-amps +/- 0 to 4.36 MVAR
     Redundancy: N/A; power supply: Vital & Vital UPS & Non-Vital UPS
     Display (main board): 4160 bus MB4CM816, MC4DM817; 480V bus MB2R0103, MB2S0104, MB2T0104, MB2Y0104, MC2U0104, MC2V0104, MC2W0104, MC2X0104; 120V bus MBVA0106, MBVA0306, MCVA0206, MCVA0406; 125V bus MBBY0109, MBBY0309, MCBY0209, MCBY0409; A and B diesels AM-3EGS*EG-A, B; VM-3EGS*EG-A, B; FM-3EGS*EG-A, B; VAR-3EGS*EG-A, B
     Display (trend): 301A1BUS-V, 301A2BUS-V, 301A2BUS-V, 301B2BUS-V, 301C1BUS-V, 301D1BUS-V, 15G-14U-V, 15G-15U-V
     MPS-3 design category: 2; EEQ: NO; Seismic: YES; QA: YES; computer/trending: OFIS

VERIFICATION OF AUTOMATIC ACTUATION OF SAFETY SYSTEMS

D56  Reactor Trip Breaker Position
     R.G. 1.97 range/status: NS; R.G. 1.97 category: NS
     Actual range/status: open/closed
     Redundancy: N/A; power supply: Vital UPS
     Display: one pair of lights per breaker (main board); TMB-RX
     Sensors: 3RPS*ACB-RTA, B; 3RPS*ACB-BYA, B
     MPS-3 design category: 2; EEQ: NO; Seismic: YES; QA: YES; computer/trending: OFIS, SPDS

D57  AFW Pump Status
     R.G. 1.97 range/status: NS; R.G. 1.97 category: NS
     Actual range/status: breaker position open/closed; 0-6000 (SI40B)
     Redundancy: N/A; power supply: Vital UPS
     Display: one pair of lights per pump (main board); 3FWA-SI40B
     Sensors: 34C16-2 (3FWA*P1A), 34D15-2 (3FWA*P1B), 3FWA*SE40 (3FWA*P2)
     MPS-3 design category: 2; EEQ: NO; Seismic: YES; QA: YES

D58  SI Pump Status
     R.G. 1.97 range/status: NS; R.G. 1.97 category: NS
     Actual range/status: breaker position open/closed
     Redundancy: N/A; power supply: Vital UPS
     Display: one pair of lights per pump (main board)
     Sensors: 34C8-2 (3SIH*P1A), 34D7-2 (3SIH*P1B)
     MPS-3 design category: 2; EEQ: NO; Seismic: YES; QA: YES

D59  Service Water Pump Status
     R.G. 1.97 range/status: NS; R.G. 1.97 category: NS
     Actual range/status: breaker position open/closed
     Redundancy: N/A; power supply: Vital UPS
     Display: one pair of lights per pump (main board)
     Sensors: 34C17-2 (3SWP*P1A), 34D16-2 (3SWP*P1B), 34C18-2 (3SWP*P1C), 34D17-2 (3SWP*P1D)
     MPS-3 design category: 2; EEQ: NO; Seismic: YES; QA: YES

D60  CCW Pump Status
     R.G. 1.97 range/status: NS; R.G. 1.97 category: NS
     Actual range/status: breaker position open/closed
     Redundancy: N/A; power supply: Vital UPS
     Display: one pair of lights per pump (main board)
     Sensors: 34C9-2 (3CCP*P1A), 34D8-2 (3CCP*P1B), 34D9-2 (3CCP*P1C)
     MPS-3 design category: 2; EEQ: NO; Seismic: YES; QA: YES

D61  SI Valve Alignment
     R.G. 1.97 range/status: NS; R.G. 1.97 category: NS
     Actual range/status: fully opened, fully closed & intermediate
     Redundancy: N/A; power supply: See Attachment 1
     Display: one pair of lights per valve (main board)
     MPS-3 design category: 2; EEQ, Seismic, QA: See Attachment 1
     Remarks: See Attachment 1 for qualifications. Valve limit switches are used as sensors.

D62  Containment Spray System Pump Status
     R.G. 1.97 range/status: NS; R.G. 1.97 category: NS
     Actual range/status: breaker position open/closed
     Redundancy: N/A; power supply: Vital UPS
     Display: one pair of lights per pump (main board)
     Sensors: 34C6-2 (3QSS*P3A), 34D5-2 (3QSS*P3B), 34C19-2 (3RSS*P1A), 34D18-2 (3RSS*P1B), 34C20-2 (3RSS*P1C), 34D19-2 (3RSS*P1D)
     MPS-3 design category: 2; EEQ: NO; Seismic: YES; QA: YES

D63  High Level Liquid Radwaste Tank Level
     R.G. 1.97 range/status: top to bottom; R.G. 1.97 category: 3
     Actual range/status: high/low level alarms
     Redundancy: N/A; power supply: N/A
     Display: high/low level alarms
     MPS-3 design category: 2; EEQ: N/A; Seismic: N/A; QA: N/A
     Remarks: Only a common trouble alarm is available in the [ ]; level alarms are provided locally.

TYPE E VARIABLES

CONTAINMENT RADIATION

E1   Containment Struct. Rad. Level (HR)
     R.G. 1.97 range/status: 1 R/hr to 10^4 R/hr; R.G. 1.97 category: 1
     See A12.

AIRBORNE RADIOACTIVE MATERIALS RELEASED FROM PLANT

E2   Ventilation Vent Flow
     R.G. 1.97 range/status: 0 - 110% vent design flow; R.G. 1.97 category: 2
     Actual range/status: 30,000 - 280,000 SCFM
     Redundancy: N/A; power supply: Vital & Vital UPS
     Display: main board 3HVR*RIY10A; trend CVFE10; computer/trending OFIS
     Sensors: 3HVR-FE10, 3HVR-FT10
     MPS-3 design category: 2; EEQ: NO**; Seismic: NO**; QA: NO**
     Remarks: See Deviation Number 30 in Appendix 7.5A. ** Instruments are designated as non-safety related/quality (NSQ) to ensure that instrumentation is procured and maintained with the necessary EEQ capabilities for the installed environment.

E3   Flow Rate to Millstone Stack (SLCRS)
     R.G. 1.97 range/status: 0 - 110% vent design flow; R.G. 1.97 category: 2
     Actual range/status: 150-12,150 SCFM
     Redundancy: N/A; power supply: Vital & Vital UPS
     Display: main board 3HVR*RIY19A; trend CVFE19; computer/trending OFIS
     Sensors: 3HVR*FE19, 3HVR*FT19
     MPS-3 design category: 2; EEQ: NO; Seismic: YES; QA: YES
     Remarks: See Deviation Number 29 in Appendix 7.5A.

E4   Ventilation Vent (ER)
     R.G. 1.97 range/status: 10^-6 to 10^3 µCi/cc; R.G. 1.97 category: 2
     See C13.
     Remarks: Refer to SSER 4, Appendix L, 3.3.23.

E5   Supplementary Leak Collection and Release System (ER)
     R.G. 1.97 range/status: 10^-6 to 10^3 µCi/cc; R.G. 1.97 category: 2
     See C14.

E6   Containment Recirculation Cooler Service Water Outlet
     R.G. 1.97 range/status: NS; R.G. 1.97 category: NS
     See C15.

E7   Tur. Driven Aux. F/W Pump Discharge
     R.G. 1.97 range/status: NS; R.G. 1.97 category: NS
     Actual range/status: 10^-3 to 10^3 µCi/cc
     Redundancy: N/A; power supply: Non-Vital UPS
     Display: main board 3MSS-RIY79, 3RMS-CNSL1 workstation monitor; trend CVMSS79; computer/trending OFIS
     Sensor: 3MSS-RE79
     MPS-3 design category: 2; EEQ: NO; Seismic: YES; QA: NO
     Remarks: Refer to SSER 4, Appendix L, 3.3.24.

     Main Steam Relief: 10^-1 to; 10^-3 to; Non-Vital

E9   Condenser Air Ejector
     R.G. 1.97 range/status: 10^-6 to 10^5 µCi/cc; R.G. 1.97 category: 2
     See C9.

E10  Hydrogen Recombiner Cubicle Ventilation
     R.G. 1.97 range/status: 10^-6 to 10^-2 µCi/cc; R.G. 1.97 category: 2
     See C10.

ENVIRONS RADIATION AND RADIOACTIVITY

E11  Site Environmental Radiation Level
     R.G. 1.97 range/status: refer to RG 1.97 Rev 2 for complete list of recommended portable sampling with on site analysis capabilities and portable radiation monitoring instrumentation; R.G. 1.97 category: 3
     Actual range/status: *
     Redundancy: N/A; power supply: N/A
     Display: *
     MPS-3 design category: 3; EEQ: N/A; Seismic: N/A; QA: N/A
     Remarks: Sampling locations for site environmental radiation monitoring are listed on ODCM Table E-1 and shown in ODCM Appendix G of Radiation Effluent Monitoring and Off Site Dose Calculation Manual (REMODCM). * Portable sampling and monitoring equipment and on site laboratory analysis equipment are discussed in FSAR Section 12.5.2.

METEOROLOGY

E12  Meteorological Instrumentation: Wind Direction, Wind Speed, Delta Temp
     R.G. 1.97 range/status: wind direction 0 to 360°; wind speed 0 to 67 MPH; delta temp -9 °F to 18 °F; R.G. 1.97 category: 3
     Actual range/status: wind direction 0 to 360°; wind speed 0 to 100 MPH; delta temp -10 °F to 18 °F
     Redundancy: N/A; power supply: N/A
     Display: OFIS (variable indication, trend indication and TSC/EOF computer); trend points: wind direction CVWD033, CVWD142, CVWD374; wind speed CVWS033MPH, CVWS142MPH, CVWS374MPH; delta temp CVDT142F, CVDT374F
     MPS-3 design category: 3; EEQ: N/A; Seismic: N/A; QA: N/A
     Remarks: Component tags do not exist. This instrumentation is common to the Millstone site. See RG 1.97 for accuracy requirements.

Abbreviations:

EEQ   Electrical Environmental Qualification
EOF   Emergency Offsite Facility
EQML  Environmental Qualification Master List (Specification SP-EE-353)
ER    Extended Range
HR    High Range
ICC   Inadequate Core Cooling
MCR   Main Control Room
NMR   Normal Range
NR    Narrow Range
NS    Not Specified
OFIS  Off site Facilities Information System
SPDS  Safety Parameter Display System
TSC   Technical Support Center
UPS   Uninterruptible Power Supply
WR    Wide Range

Explanatory Notes:

A Under the Actual Range/Status column:

The calibrated range of the instrument is listed unless otherwise noted. Valve and Circuit Breaker position status information is provided for valves and pumps respectively.

B Under the Redundancy column:

Yes means redundant qualified (Class 1E) channels are available in the MCR. For design Category 2 and 3 instrumentation this column is marked N/A since there are no specific provisions for redundancy of Reg. Guide 1.97 Rev. 2 Category 2 or 3 instrumentation.

C Under the Power Supply column:

The type of power supply for the subject instrumentation channel(s) is listed. An instrumentation channel pertains to the signal from the sensor (listed under the Variable/Sensor column) to, at a minimum, the Main Board Instrument (listed under the Variable Indication column). Since there are no specific provisions for the power supply of design Category 3 instrumentation, N/A is marked in this column. The power supplies listed in this table are defined as follows:

VITAL: Consists of an Emergency Electrical Bus or Distribution Panel which is, at a minimum, backed by the Emergency Diesel Generators.

VITAL UPS: Consists of an Emergency Electrical Bus or Distribution Panel which is backed by the Emergency Diesel Generators and Class 1E Batteries.

NON-VITAL: Consists of a Normal Electrical Bus or Distribution Panel which is neither backed by the Emergency Diesel Generators nor Class 1E Batteries.

NON-VITAL UPS: Consists of a Normal Electrical Bus or Distribution Panel which is, at a minimum, backed by Non-Class 1E Batteries.

Note: VITAL, VITAL UPS, and NON-VITAL UPS power supplies as defined above, are considered highly reliable power sources.



D Under the Display column:

The tag number(s) of available MCR display instrumentation is listed. Under the TSC/EOF Computer column, display will be via CRTs driven by either OFIS or SPDS.

E Under the Millstone 3 Design Category column:

The plant-specific Regulatory Guide 1.97 Rev. 2 design category (1, 2, or 3) for this instrumentation as determined by Specification SP-M3-IC-022.

F Under the EEQ column:

Yes means the subject instrumentation loop sensor(s) is listed in the EEQ Program Specification SP-EE-353 Millstone Unit 3 Environmental Qualification Master List. The listed sensor and instrument loop up to and including an isolation device is considered environmentally qualified in accordance with Regulatory Guide 1.89. The appropriate environmental qualification requirements for each instrument are determined as part of the EEQ program. For design Category 3 instrumentation, N/A is entered since there are no specific provisions for environmental qualification.

G Under the Seismic column:

Yes means that the instrumentation has been seismically qualified in accordance with the criteria stated in section 3.0 of Specification SP-M3-IC-022 for Category 1 and 2 instrumentation. For design Category 3 instrumentation, N/A is entered since there are no specific provisions for seismic qualification.

H Under the QA column:

Yes means that the instrumentation meets the QA requirements detailed in section 3.0 of Specification SP-M3-IC-022 for Category 1 and 2 instrumentation. For design Category 3 instrumentation, N/A is entered since there are no specific provisions for design qualification.

I Under the Trending column:

DED_REC means continuously available dedicated recorders are provided. A dedicated recorder is defined as a recorder that has at least one channel dedicated to a specific instrument loop. The term dedicated does not imply or impose QA qualification. These recorders may be qualified either QA or NON-QA depending upon their use.

REDN_REC means continuously available, qualified (Class 1E), redundant dedicated recorders are provided.

OFIS means data measurement/trending is available via the Off site Facilities Information System. This data is continuously available, updated, stored in computer memory, and displayed on demand.

SPDS means data measurement/trending is available via the Safety Parameter Display System. This data is continuously available, updated, stored in computer memory, and displayed on demand.

J Under the Remarks/Notes column:

For each item number, any column entry with an asterisk is explained in the Remarks/Notes column.
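Explanatory Notes B through J state rules that every row of Table 7.5-1 should satisfy: Category 2 and 3 rows show N/A for redundancy, Category 3 rows show N/A for power supply, EEQ, Seismic and QA, power supplies are built from the four defined types, trending entries come from the four defined kinds, and any asterisked entry has a matching remark. The following Python check is an added example and not part of the FSAR; the Row fields and function names are this example's own, the three sample rows are transcribed from the table (D54, D50, E11), and X99 is a constructed row that deliberately violates the notes.

```python
"""Consistency checks for Table 7.5-1 rows against Explanatory Notes B-J.

Added example; not FSAR text.  It encodes the rules the notes state and
runs them over rows transcribed from the table plus one constructed
inconsistent row.  The Row class and function names are this example's own.
"""
import re
from dataclasses import dataclass, fields
from typing import Dict, List

POWER_TYPES = {"VITAL", "VITAL UPS", "NON-VITAL", "NON-VITAL UPS"}   # note C
HIGHLY_RELIABLE = {"VITAL", "VITAL UPS", "NON-VITAL UPS"}           # note C
TRENDING_TYPES = {"", "DED_REC", "REDN_REC", "OFIS", "SPDS"}         # note I


@dataclass
class Row:
    item: str
    category: int        # Millstone 3 design category (note E)
    redundancy: str
    power: str
    eeq: str
    seismic: str
    qa: str
    trending: str = ""
    remarks: str = ""


def _bare(value: str) -> str:
    """Strip asterisk markers so 'YES/NO*' compares as 'YES/NO'."""
    return value.replace("*", "").strip().upper()


def _yes_no_list(value: str) -> bool:
    return all(part in {"YES", "NO"} for part in _bare(value).split("/"))


def check_row(row: Row) -> List[str]:
    """Return one finding per violated note; an empty list means consistent."""
    findings: List[str] = []
    cat3 = row.category == 3

    # Note B: redundancy is only specified for Category 1.
    if row.category in (2, 3) and row.redundancy != "N/A":
        findings.append(f"{row.item}: note B, category {row.category} must show redundancy N/A")
    if row.category == 1 and _bare(row.redundancy) not in {"YES", "NO"}:
        findings.append(f"{row.item}: note B, category 1 redundancy must be Yes or No")

    # Note C: power supply vocabulary; N/A for Category 3.
    if cat3:
        if row.power != "N/A":
            findings.append(f"{row.item}: note C, category 3 must show power supply N/A")
    else:
        unknown = [p.strip() for p in row.power.split("&") if p.strip().upper() not in POWER_TYPES]
        if unknown:
            findings.append(f"{row.item}: note C, undefined power supply {unknown}")

    # Notes F, G, H: qualification columns; N/A for Category 3.
    for note, name, value in (("F", "EEQ", row.eeq), ("G", "Seismic", row.seismic), ("H", "QA", row.qa)):
        if cat3 and value != "N/A":
            findings.append(f"{row.item}: note {note}, category 3 must show {name} N/A")
        elif not cat3 and not _yes_no_list(value):
            findings.append(f"{row.item}: note {note}, {name} must be Yes/No")

    # Note I: trending vocabulary.
    if row.trending.upper() not in TRENDING_TYPES:
        findings.append(f"{row.item}: note I, unknown trending entry {row.trending!r}")

    # Note J: every asterisk marker in a column needs the same marker in Remarks.
    for f in fields(row):
        if f.name == "remarks":
            continue
        for mark in set(re.findall(r"\*+", str(getattr(row, f.name)))):
            if mark not in row.remarks:
                findings.append(f"{row.item}: note J, {mark!r} in {f.name} has no matching remark")
    return findings


def highly_reliable_power(row: Row) -> bool:
    """Note C: VITAL, VITAL UPS and NON-VITAL UPS count as highly reliable sources."""
    if row.power == "N/A":
        return False
    return all(p.strip().upper() in HIGHLY_RELIABLE for p in row.power.split("&"))


def check_table(rows: List[Row]) -> Dict[str, List[str]]:
    return {row.item: check_row(row) for row in rows}


# Rows transcribed from the table (D54, D50, E11) plus one constructed row, X99,
# that is not on the page and deliberately breaks notes B, C, F and J.
SAMPLE_ROWS = [
    Row("D54", 2, "N/A", "NON-VITAL UPS", "YES", "YES", "NO", "SPDS"),
    Row("D50", 2, "N/A", "VITAL & VITAL UPS", "YES/NO*", "YES", "YES", "",
        "* Some valves are not exposed to harsh environments during accident conditions."),
    Row("E11", 3, "N/A", "N/A", "N/A", "N/A", "N/A", "",
        "* Portable sampling and monitoring equipment are discussed in FSAR Section 12.5.2."),
    Row("X99", 3, "YES", "VITAL", "YES*", "N/A", "N/A", "OFIS"),
]

if __name__ == "__main__":
    for item, result in check_table(SAMPLE_ROWS).items():
        print(item, "OK" if not result else result)
```

Running the block reports the three transcribed rows as consistent and lists four findings for X99 (notes B, C, F and J). The check deliberately treats "YES/NO*" as a legal pair of values, since the table uses that form for loops whose sensors are only partly qualified, and only complains when the asterisk has no counterpart in Remarks.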

Table 7.5-1 Accident Monitoring Instrumentation List

Variable No./Name; Sensor ID; EEQ; Seismic; QA; Power Supply

D3/RHR Valve Status
  3RHS*FCV610       Yes   Yes   Yes   Vital
  3RHS*FCV611       Yes   Yes   Yes   Vital
  3RHS*HCV606       No    No    No    Non-Vital
  3RHS*HCV607       No    No    No    Non-Vital
  3RHS*MV8701A      Yes   Yes   Yes   Vital
  3RHS*MV8701B      Yes   Yes   Yes   Vital
  3RHS*MV8701C      Yes   Yes   Yes   Vital
  3RHS*MV8702A      Yes   Yes   Yes   Vital
  3RHS*MV8702B      Yes   Yes   Yes   Vital
  3RHS*MV8702C      Yes   Yes   Yes   Vital
  3RHS*MV8716A      Yes   Yes   Yes   Vital
  3RHS*MV8716B      Yes   Yes   Yes   Vital

D31/AFW Valve Status
  3FWA*HV31A        Yes   Yes   Yes   Vital UPS
  3FWA*HV31B        Yes   Yes   Yes   Vital UPS
  3FWA*HV31C        Yes   Yes   Yes   Vital UPS
  3FWA*HV31D        Yes   Yes   Yes   Vital UPS
  3FWA*HV32A        No    Yes   Yes   Vital UPS
  3FWA*HV32B        No    Yes   Yes   Vital UPS
  3FWA*HV32C        No    Yes   Yes   Vital UPS
  3FWA*HV32D        No    Yes   Yes   Vital UPS
  3FWA*HV36A        Yes   Yes   Yes   Vital UPS
  3FWA*HV36B        Yes   Yes   Yes   Vital UPS
  3FWA*HV36C        Yes   Yes   Yes   Vital UPS
  3FWA*HV36D        Yes   Yes   Yes   Vital UPS
  3FWA*AOV23A       Yes   Yes   Yes   Vital UPS
  3FWA*AOV23B       Yes   Yes   Yes   Vital UPS
  3FWA*AOV61A       Yes   Yes   Yes   Vital UPS
  3FWA*AOV61B       Yes   Yes   Yes   Vital UPS
  3FWA*AOV62A       No    Yes   Yes   Vital UPS
  3FWA*AOV62B       No    Yes   Yes   Vital UPS
  3FWA*MOV35A       Yes   Yes   Yes   Vital
  3FWA*MOV35B       Yes   Yes   Yes   Vital
  3FWA*MOV35C       Yes   Yes   Yes   Vital
  3FWA*MOV35D       Yes   Yes   Yes   Vital
  3MSS*MOV17A       No    Yes   Yes   Vital
  3MSS*MOV17B       No    Yes   Yes   Vital
  3MSS*MOV17D       No    Yes   Yes   Vital
  3MSS*MOV74A       Yes   Yes   Yes   Vital
  3MSS*MOV74B       Yes   Yes   Yes   Vital
  3MSS*MOV74C       Yes   Yes   Yes   Vital
  3MSS*MOV74D       Yes   Yes   Yes   Vital

D46/CVCS Valve Status
  3CHS*AOV64        No    No    No    Non-Vital
  3CHS*AOV68        No    No    No    Non-Vital
  3CHS*AOV71        No    No    No    Non-Vital
  3CHS*AV002A       No    No    No    Non-Vital
  3CHS*AV002B       No    No    No    Non-Vital
  3CHS*AV7010A      No    No    No    Non-Vital
  3CHS*AV7010B      No    No    No    Non-Vital
  3CHS*AV7010C      No    No    No    Non-Vital
  3CHS*AV7010D      No    No    No    Non-Vital
  3CHS*AV7010E      No    No    No    Non-Vital
  3CHS*AV7022       No    No    No    Non-Vital
  3CHS*AV7040       No    No    No    Non-Vital
  3CHS*AV7041       No    No    No    Non-Vital
  3CHS*AV7045       No    No    No    Non-Vital
  3CHS*AV7046       No    No    No    Non-Vital
  3CHS*AV7054       No    No    No    Non-Vital
  3CHS*AV7057       No    No    No    Non-Vital
  3CHS*AV8101       No    No    No    Non-Vital
  3CHS*AV8141A      No    No    No    Non-Vital
  3CHS*AV8141B      No    No    No    Non-Vital
  3CHS*AV8141C      No    No    No    Non-Vital
  3CHS*AV8141D      No    No    No    Non-Vital
  3CHS*AV8143       Yes   Yes   Yes   Vital UPS
  3CHS*AV8146       No    Yes   Yes   Vital UPS
  3CHS*AV8147       No    Yes   Yes   Vital UPS
  3CHS*AV8149A      No    Yes   Yes   Vital UPS
  3CHS*AV8149B      No    Yes   Yes   Vital UPS
  3CHS*AV8149C      No    Yes   Yes   Vital UPS
  3CHS*CV8152       Yes   Yes   Yes   Vital UPS
  3CHS*CV8160       Yes   Yes   Yes   Vital UPS
  3CHS*FCV110A      Yes   Yes   Yes   Vital UPS
  3CHS*FCV110B      Yes   Yes   Yes   Vital UPS
  3CHS*FCV111A      Yes   Yes   Yes   Vital UPS
  3CHS*FCV111B      Yes   Yes   Yes   Vital UPS
  3CHS*FCV110A      Yes   Yes   Yes   Vital UPS
  3CHS*FCV110B      Yes   Yes   Yes   Vital UPS
  3CHS*FCV111A      Yes   Yes   Yes   Vital UPS
  3CHS*FCV111B      Yes   Yes   Yes   Vital UPS
  3CHS*FCV121       No    No    No    Non-Vital
  3CHS*HCV128       No    No    No    Non-Vital
  3CHS*HCV182       No    No    No    Non-Vital
  3CHS*HCV190A      Yes   Yes   Yes   Vital UPS
  3CHS*HCV190B      Yes   Yes   Yes   Vital UPS
  3CHS*HCV387       No    No    No    Non-Vital
  3CHS*LCV112A      Yes   Yes   Yes   Vital UPS
  3CHS*LCV112B      Yes   Yes   Yes   Vital
  3CHS*LCV112C      Yes   Yes   Yes   Vital
  3CHS*LCV112D      Yes   Yes   Yes   Vital
  3CHS*LCV112E      Yes   Yes   Yes   Vital
  3CHS*MV8100       Yes   Yes   Yes   Vital
  3CHS*MV8104       Yes   Yes   Yes   Vital
  3CHS*MV8105       Yes   Yes   Yes   Vital
  3CHS*MV8106       Yes   Yes   Yes   Vital
  3CHS*MV8109A      Yes   Yes   Yes   Vital
  3CHS*MV8109B      Yes   Yes   Yes   Vital
  3CHS*MV8109C      Yes   Yes   Yes   Vital
  3CHS*MV8109D      Yes   Yes   Yes   Vital
  3CHS*MV8110       Yes   Yes   Yes   Vital
  3CHS*MV8111A      Yes   Yes   Yes   Vital
  3CHS*MV8111B      Yes   Yes   Yes   Vital
  3CHS*MV8111C      Yes   Yes   Yes   Vital
  3CHS*MV8112       Yes   Yes   Yes   Vital
  3CHS*MV8116       Yes   Yes   Yes   Vital
  3CHS*MV8438A      Yes   Yes   Yes   Vital
  3CHS*MV8438B      Yes   Yes   Yes   Vital
  3CHS*MV8438C      Yes   Yes   Yes   Vital
  3CHS*MV8468A      Yes   Yes   Yes   Vital
  3CHS*MV8468B      Yes   Yes   Yes   Vital
  3CHS*MV8507A      Yes   Yes   Yes   Vital
  3CHS*MV8507B      Yes   Yes   Yes   Vital
  3CHS*MV8511A      Yes   Yes   Yes   Vital
  3CHS*MV8511B      Yes   Yes   Yes   Vital
  3CHS*MV8512A      Yes   Yes   Yes   Vital
  3CHS*MV8512B      Yes   Yes   Yes   Vital
  3CHS*PCV131       No    No    No    Non-Vital
  3CHS*SOV390A      No    Yes   Yes   Non-Vital
  3CHS*SOV390B      No    Yes   Yes   Non-Vital
  3CHS*TCV129       Yes   Yes   Yes   Vital UPS
  3CHS*TCV381A      No    No    No    Non-Vital
  3CHS*TCV381B      No    No    No    Non-Vital
  3CHS*TCV386       No    No    No    Non-Vital
  3RCS*AV8036A      No    No    No    Non-Vital
  3RCS*AV8036B      No    No    No    Non-Vital
  3RCS*AV8036C      No    No    No    Non-Vital
  3RCS*AV8036D      No    No    No    Non-Vital
  3RCS*AV8037A      No    No    No    Non-Vital
  3RCS*AV8037B      No    No    No    Non-Vital
  3RCS*AV8037C      No    No    No    Non-Vital
  3RCS*AV8037D      No    No    No    Non-Vital
  3RCS*AV8153       Yes   Yes   Yes   Vital UPS
  3RCS*LCV459       No    Yes   Yes   Vital UPS
  3RCS*LCV460       Yes   Yes   Yes   Vital UPS
  3RCS*MV8098       No    Yes   Yes   Vital

D52/HVAC Damper Positions
  3HVC*AOV20        No    Yes   Yes   Vital UPS
  3HVC*AOV21        No    Yes   Yes   Vital UPS
  3HVC*AOV22        No    Yes   Yes   Vital UPS
  3HVC*AOV23        No    Yes   Yes   Vital UPS
  3HVC*AOV25        No    Yes   Yes   Vital UPS
  3HVC*AOV26        No    Yes   Yes   Vital UPS
  3HVC*AOD27A       No    Yes   Yes   Vital UPS
  3HVC*AOD27B       No    Yes   Yes   Vital UPS
  3HVC*MOD33A       No    Yes   Yes   Vital
  3HVC*MOD33B       No    Yes   Yes   Vital
  3HVC*AOD119B      No    Yes   Yes   Vital UPS
  3HVC*AOD119A      No    Yes   Yes   Vital UPS
  3HVP*MOD20A       No    Yes   Yes   Vital
  3HVP*MOD20B       No    Yes   Yes   Vital
  3HVP*MOD20C       No    Yes   Yes   Vital
  3HVP*MOD20D       No    Yes   Yes   Vital
  3HVP*MOD23A       No    Yes   Yes   Vital
  3HVP*MOD23B       No    Yes   Yes   Vital
  3HVP*MOD26A       No    Yes   Yes   Vital
  3HVP*MOD26B       No    Yes   Yes   Vital
  3HVQ*AOD40A       Yes   Yes   Yes   Vital UPS
  3HVQ*AOD40B       Yes   Yes   Yes   Vital UPS
  3HVQ*AOD40C       No    Yes   Yes   Vital UPS
  3HVQ*AOD40D       No    Yes   Yes   Vital UPS
  3HVQ*AOD41A       No    Yes   Yes   Vital UPS
  3HVQ*AOD41B       Yes   Yes   Yes   Vital UPS
  3HVQ*AOD41C       No    Yes   Yes   Vital UPS
  3HVQ*AOD41D       No    Yes   Yes   Vital UPS
  3HVQ*AOD42A       No    Yes   Yes   Vital UPS
  3HVQ*AOD42B       Yes   Yes   Yes   Vital UPS
  3HVQ*AOD42C       No    Yes   Yes   Vital UPS
  3HVQ*AOD42D       No    Yes   Yes   Vital UPS
  3HVQ*AOD43A       No    Yes   Yes   Vital UPS
  3HVQ*AOD43B       Yes   Yes   Yes   Vital UPS
  3HVQ*AOD43C       Yes   Yes   Yes   Vital UPS
  3HVQ*AOD43D       No    Yes   Yes   Vital UPS
  3HVQ*MOD26A1      No    Yes   Yes   Vital
  3HVQ*MOD26B1      No    Yes   Yes   Vital
  3HVQ*MOD26C1      No    Yes   Yes   Vital
  3HVQ*MOD26A2      No    Yes   Yes   Vital
  3HVQ*MOD26B2      No    Yes   Yes   Vital
  3HVQ*MOD26C2      No    Yes   Yes   Vital
  3HVR*AOD20A       Yes   Yes   Yes   Vital UPS
  3HVR*AOD20B       Yes   Yes   Yes   Vital UPS
  3HVR*AOD29A       Yes   Yes   Yes   Vital UPS
  3HVR*AOD29B       Yes   Yes   Yes   Vital UPS
  3HVR*AOD32A       Yes   Yes   Yes   Vital UPS
  3HVR*AOD32B       Yes   Yes   Yes   Vital UPS
  3HVR*AOD33A       Yes   Yes   Yes   Vital UPS
  3HVR*AOD33B       Yes   Yes   Yes   Vital UPS
  3HVR*AOD35A       Yes   Yes   Yes   Vital UPS
  3HVR*AOD35B       Yes   Yes   Yes   Vital UPS
  3HVR*AOD39A       Yes   Yes   Yes   Vital UPS
  3HVR*AOD39B       Yes   Yes   Yes   Vital UPS
  3HVR*AOD40A       Yes   Yes   Yes   Vital UPS
  3HVR*AOD40B       Yes   Yes   Yes   Vital UPS
  3HVR*AOD42A       Yes   Yes   Yes   Vital UPS
  3HVR*AOD42B       Yes   Yes   Yes   Vital UPS
  3HVR*AOD43A       Yes   Yes   Yes   Vital UPS
  3HVR*AOD43B       Yes   Yes   Yes   Vital UPS
  3HVR*AOD44A       Yes   Yes   Yes   Vital UPS
  3HVR*AOD44B       Yes   Yes   Yes   Vital UPS
  3HVR*AOD55A       Yes   Yes   Yes   Vital UPS
  3HVR*AOD55B       Yes   Yes   Yes   Vital UPS
  3HVR*AOD65A       Yes   Yes   Yes   Vital UPS
  3HVR*AOD65B       Yes   Yes   Yes   Vital UPS
  3HVR*AOD66A       Yes   Yes   Yes   Vital UPS
  3HVR*AOD66B       Yes   Yes   Yes   Vital UPS
  3HVR*AOD80A       Yes   Yes   Yes   Vital UPS
  3HVR*AOD80B       Yes   Yes   Yes   Vital UPS
  3HVR*AOD81A       Yes   Yes   Yes   Vital UPS
  3HVR*AOD81B       Yes   Yes   Yes   Vital UPS
  3HVR*AOD85        Yes   Yes   Yes   Vital UPS
  3HVR*AOD86        Yes   Yes   Yes   Vital UPS
  3HVR*AOD95A       Yes   Yes   Yes   Vital
  3HVR*AOD95B       Yes   Yes   Yes   Vital
  3HVR*AOD174A      Yes   Yes   Yes   Vital UPS
  3HVR*AOD174B      Yes   Yes   Yes   Vital UPS
  3HVR*AOD184       Yes   Yes   Yes   Vital UPS
  3HVR*MOD28A       Yes   Yes   Yes   Vital
  3HVR*MOD28B       Yes   Yes   Yes   Vital
  3HVR*MOD49A       Yes   Yes   Yes   Vital
  3HVR*MOD49B       Yes   Yes   Yes   Vital
  3HVR*MOD49C1      Yes   Yes   Yes   Vital
  3HVR*MOD49C2      Yes   Yes   Yes   Vital
  3HVR*MOD50A       Yes   Yes   Yes   Vital
  3HVR*MOD50B       Yes   Yes   Yes   Vital
  3HVR*MOD50C1      Yes   Yes   Yes   Vital
  3HVR*MOD50C2      Yes   Yes   Yes   Vital
  3HVR*MOD72A       Yes   Yes   Yes   Vital
  3HVR*MOD72B       Yes   Yes   Yes   Vital
  3HVV*MOD50C       No    Yes   Yes   Vital
  3HVV*MOD50D       No    Yes   Yes   Vital
  3HVV*AOD50A1      No    Yes   Yes   Vital UPS
  3HVV*AOD50B1      No    Yes   Yes   Vital UPS
  3HVV*AOD50A2      No    Yes   Yes   Vital UPS
  3HVV*AOD50B2      No    Yes   Yes   Vital UPS
  3HVV*MOD51A       Yes   Yes   Yes   Vital
  3HVV*MOD51B       Yes   Yes   Yes   Vital
  3HVV*MOD51C       Yes   Yes   Yes   Vital
  3HVV*MOD51D       Yes   Yes   Yes   Vital
  3HVY*AOD23A       No    Yes   Yes   Vital
  3HVY*AOD23B       No    Yes   Yes   Vital
  3HVZ*MOD20A       No    Yes   Yes   Vital
  3HVZ*MOD20B       Yes   Yes   Yes   Vital
  3HVZ*MOD21A       No    Yes   Yes   Vital
  3HVZ*MOD21B       No    Yes   Yes   Vital

D61/SI Valve Alignment
  3SIH*MV8801A      Yes   Yes   Yes   Vital
  3SIH*MV8801B      Yes   Yes   Yes   Vital
  3SIH*MV8802A      Yes   Yes   Yes   Vital
  3SIH*MV8802B      Yes   Yes   Yes   Vital
  3SIH*MV8806       Yes   Yes   Yes   Vital
  3SIH*MV8807A      Yes   Yes   Yes   Vital
  3SIH*MV8807B      Yes   Yes   Yes   Vital
  3SIH*MV8813       Yes   Yes   Yes   Vital
  3SIH*MV8814       Yes   Yes   Yes   Vital
  3SIH*MV8821A      Yes   Yes   Yes   Vital
  3SIH*MV8821B      Yes   Yes   Yes   Vital
  3SIH*MV8835       Yes   Yes   Yes   Vital
  3SIL*MV8840       Yes   Yes   Yes   Vital
  3SIH*MV8920       Yes   Yes   Yes   Vital
  3SIH*MV8923A      Yes   Yes   Yes   Vital
  3SIH*MV8923B      Yes   Yes   Yes   Vital
  3SIH*MV8924       Yes   Yes   Yes   Vital
  3SIH*CV8823       Yes   Yes   Yes   Vital
  3SIH*CV8824       Yes   Yes   Yes   Vital
  3SIH*CV8843       Yes   Yes   Yes   Vital
  3SIH*CV8871       Yes   Yes   Yes   Vital
  3SIH*CV8964       Yes   Yes   Yes   Vital
  3SIH*CV8881       Yes   Yes   Yes   Vital
  3SIH*CV8888       Yes   Yes   Yes   Vital
  3SIL*MV8804A      Yes   Yes   Yes   Vital
  3SIL*MV8804B      Yes   Yes   Yes   Vital
  3SIL*MV8809A      Yes   Yes   Yes   Vital
  3SIL*MV8809B      Yes   Yes   Yes   Vital
  3SIL*MV8812A      Yes   Yes   Yes   Vital
  3SIL*MV8812B      Yes   Yes   Yes   Vital
  3SIL*CV8825       Yes   Yes   Yes   Vital UPS
  3SIL*CV8890A      Yes   Yes   Yes   Vital UPS
  3SIL*CV8890B      Yes   Yes   Yes   Vital UPS
  3SIL*SV8875A      Yes   Yes   Yes   Vital UPS
  3SIL*SV8875B      Yes   Yes   Yes   Vital UPS
  3SIL*SV8875C      Yes   Yes   Yes   Vital UPS
  3SIL*SV8875D      Yes   Yes   Yes   Vital UPS
  3SIL*SV8875E      Yes   Yes   Yes   Vital UPS
  3SIL*SV8875F      Yes   Yes   Yes   Vital UPS
  3SIL*SV8875G      Yes   Yes   Yes   Vital UPS
  3SIL*SV8875H      Yes   Yes   Yes   Vital UPS
  3SIL*CV8880       Yes   Yes   Yes   Vital UPS
  3SIL*CV8968       Yes   Yes   Yes   Vital UPS
  3SIL*HCV943A      Yes   Yes   Yes   Vital UPS
  3SIL*HCV943B      Yes   Yes   Yes   Vital UPS
  3SIL*MV8808A      Yes   Yes   Yes   Vital
  3SIL*MV8808B      Yes   Yes   Yes   Vital
  3SIL*MV8808C      Yes   Yes   Yes   Vital
  3SIL*MV8808D      Yes   Yes   Yes   Vital

7.6.1 INSTRUMENTATION AND CONTROL POWER SUPPLY SYSTEM

The instrumentation and control power supply system is described in Section 8.3.

7.6.2 RESIDUAL HEAT REMOVAL ISOLATION VALVES

7.6.2.1 Description

The residual heat removal system (RHS) isolation valves are normally closed and are only opened for residual heat removal after system pressure is reduced to approximately 375 psig.

The RHS valves are provided with red (OPEN) and green (CLOSED) position indicating lights located at the keylock control switch for each valve. These lights are powered by valve control power and actuated by valve motor operator limit switches.

There are three motor-operated valves in series in each of the two RHS pump suction lines from the reactor coolant system (RCS) hot legs. Two valves in series located close to the containment walls, one inside containment and one outside containment, are provided with interlocks. The interlock features provided for the isolation valves are similar for both trains and are shown on Figure 7.6-1.

Each of the two valves is interlocked so that it cannot be opened unless the RCS pressure is below approximately 412.5 psia. This interlock prevents the valve from being opened when the RCS pressure plus the RHS pump pressure would be above the RHS system design pressure. The interlocks for each train are independent. If the valve remains open and RCS pressure increases to psig, an alarm will sound requiring operator action.

If the plant is in Mode 1, 2, or 3, the operator is required to close all three suction valves. If the plant is in Mode 4, 5, or 6, and the RCS pressure increases to 750 psig, the operator is required to close the motor-operated valve closest to the pump.

It should be noted that these valves can also be controlled from the Auxiliary Shutdown Panel (ASP). Valve 8701A is not interlocked with RCS pressure low to open, in order to provide one train of RHR cooling when the control room is inaccessible. Valve 8701B is interlocked with RCS low pressure to open from the ASP but can be manually opened if necessary, because it is located outside of containment.

The first valve in each train is located in the ESF building closest to the RHS pump and is closed and deenergized at the MCC during power operation. The alarm will function with the valve deenergized.

The third valve in each train is located inside the containment and is closed and deenergized at the MCC during power operation. No interlocks are provided.


Based on the scope definitions presented in IEEE Standard 279-1971 and 338-1971, these criteria do not apply to the RHS isolation valve interlocks; however, in order to meet NRC requirements and because of the possible severity of the consequences of loss of function, the requirements of IEEE Standard 279-1971 will be applied with the following comments:

1. For the purpose of applying IEEE Standard 279-1971 to this circuit, the protection system shall consist of the two valves in series in each line and all components of their interlocking and closure circuits.
2. IEEE Standard 279-1971, Paragraph 4.10: The above-mentioned pressure interlock signals and logic will be tested on line to the maximum extent possible without adversely affecting safety. This test will include the analog signal through to the train signal which activates the slave relay (the slave relay provides the final output signal to the valve control circuit). This is done in the best interests of safety since an actual actuation to permit opening the valve could potentially leave only one remaining valve to isolate the low-pressure RHS from the RCS.
3. IEEE Standard 279-1971, Paragraph 4.15: This requirement does not apply, as the setpoints are independent of mode of operation and are not changed.

Environmental qualification of the valves and wiring is discussed in Section 3.11.

7.6.3 REFUELING INTERLOCKS

Electrical interlocks (i.e., proximity/limit switches), as discussed in Section 9.1.4, are provided for minimizing the possibility of damage to the fuel during fuel handling operations.

7.6.4 ACCUMULATOR MOTOR-OPERATED VALVES

The design of the interconnection of these signals to the accumulator isolation valves meets the following criteria established in previous NRC positions on this matter:

1. Automatic opening of the accumulator valves when (a) the primary coolant system pressure exceeds a preselected value specified in the Technical Specifications or (b) a safety injection signal has been initiated. Both signals shall be provided to the valves.
2. Utilization of a safety injection signal (SIS) to automatically remove (override) and bypass features that are provided to allow an isolation valve to be closed for short periods of time when the reactor coolant system is at pressure in accordance with the provisions of the Technical Specifications. As a result of the confirmatory SIS, isolation of an accumulator with the reactor at pressure is acceptable.


The safety injection system accumulator discharge isolation valves are motor operated, normally open valves which are controlled from the main control board.

These valves are interlocked such that:

1. Signals from the ESFAS are provided to the valve(s) upon initiation of SIS. These signals would open the valves if they were closed and energized, but since the valves are locked open during normal operation with their power removed, the signals perform no actual function. (See Section 6.3.2.2.6).
2. Signals from the ESFAS are provided to the valve(s) upon receipt of high pressurizer pressure (pressure above the P-11 setpoint). These signals would open the valves if they were closed and energized, but since the valves are locked open during normal operation with their power removed, the signals perform no actual function. (See Section 6.3.2.2.6).
3. They cannot be closed as long as a SIS is present.

The four main control board position switches for these valves provide a spring return to auto from the OPEN position and a maintained closed position.

These normally open motor-operated valves have alarms indicating a malpositioning (with regard to their ECCS function during the injection phase). The alarms sound in the main control room.

An alarm sounds for any accumulator isolation valve under the following conditions when the RCS pressure is above the SI unblocking pressure:

1. Valve motor-operator limit switch indicates valve not open
2. Valve stem limit switch indicates valve not open. The alarm on this switch repeats itself at given intervals.

Bypass and inoperable alarms are in accordance with Regulatory Guide 1.47.

7.6.5 REACTOR COOLANT SYSTEM LOOP ISOLATION VALVE INTERLOCKS

Startup of an isolated reactor coolant loop is prevented by strict administrative controls until the plant is in Mode 5 or 6 with all conditions of Technical Specification 3/4.4.1.6 satisfied.

The interlocks allow opening of the cold leg loop stop valves (refer to Valve 2 on Figure 7.6-4) whenever:


2. The reactor coolant system temperature is less than a preset amount (170°F), and
3. The cold leg temperature is within 20°F of the highest cold leg temperature in other loops, and the hot leg temperature is within 20°F of the highest hot leg temperature in other loops.

For the logic functions of these interlocks, refer to Figure 7.2-1, Sheets 17, 18, and 19.
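The three interlocks described above (the RHS suction valve open permissive and the required operator response of Section 7.6.2, the accumulator isolation valve signals of Section 7.6.4, and the loop stop valve permissive of Section 7.6.5) can be written as executable logic and exercised against the stated setpoints. The following Python model is an added example, not FSAR text and not a transcription of the plant's logic drawings (Figures 7.6-1, 7.6-4 and 7.2-1). The function names, the Mode encoding, the assumption that the ASP bypass applies to valve 8701A only, the assumption that the RHS alarm and the 750 psig action point coincide, and the omission of the Technical Specification short-period closure bypass for accumulator valves are this example's own.

```python
"""Executable model of three interlocks described in FSAR Section 7.6.

Added example; not FSAR text and not the plant's logic drawings.  The
setpoints are the ones the text quotes (412.5 psia RHS open permissive,
750 psig operator-action point in Modes 4-6, 170 F and 20 F loop stop
valve limits).  Function names, the Mode encoding, the ASP treatment of
valve 8701A, the assumed alarm/action coincidence and the omitted
short-period accumulator closure bypass are modelling assumptions.
"""
from dataclasses import dataclass
from typing import List, Sequence

RHS_OPEN_PERMISSIVE_PSIA = 412.5   # Section 7.6.2
RHS_ACTION_PSIG = 750.0            # Section 7.6.2, Modes 4-6
LOOP_STOP_MAX_RCS_TEMP_F = 170.0   # Section 7.6.5
LOOP_STOP_BAND_F = 20.0            # Section 7.6.5

RHS_SUCTION_VALVES = ["valve nearest pump", "middle valve", "valve inside containment"]


def rhs_open_permitted(rcs_pressure_psia: float, valve: str = "8701B", from_asp: bool = False) -> bool:
    """Open permissive for an interlocked RHS suction valve (Section 7.6.2).

    The valve cannot be opened unless RCS pressure is below ~412.5 psia.
    Assumption: when operated from the Auxiliary Shutdown Panel, 8701A is
    not held by the low-pressure interlock (so one train of RHR can be
    established with the control room inaccessible); 8701B still is.
    """
    if from_asp and valve == "8701A":
        return True
    return rcs_pressure_psia < RHS_OPEN_PERMISSIVE_PSIA


def rhs_required_closures(mode: int, rcs_pressure_psig: float, suction_valves_open: bool) -> List[str]:
    """Suction valves the operator must close once the RHS alarm is in.

    Modes 1-3: all three suction valves.  Modes 4-6: at 750 psig, only
    the motor-operated valve closest to the pump.
    """
    if not suction_valves_open:
        return []
    if mode in (1, 2, 3):
        return list(RHS_SUCTION_VALVES)
    if rcs_pressure_psig >= RHS_ACTION_PSIG:
        return [RHS_SUCTION_VALVES[0]]
    return []


@dataclass
class AccumulatorMOV:
    """One accumulator discharge isolation valve (Section 7.6.4).

    Normally locked open with power removed, so the ESFAS open signals
    perform no actual function unless the valve is energized.
    """
    is_open: bool = True
    energized: bool = False

    def evaluate(self, sis: bool, above_p11: bool, operator_close: bool) -> bool:
        """Apply one scan of the interlock logic; return the new position."""
        # Item 3: a close request is honoured only when no SIS is present
        # (and only a powered valve can move at all).
        if operator_close and not sis and self.energized:
            self.is_open = False
        # Items 1 and 2: SIS or pressurizer pressure above P-11 commands
        # OPEN; the command only moves a valve that is closed and energized.
        if (sis or above_p11) and self.energized and not self.is_open:
            self.is_open = True
        return self.is_open


def accumulator_misposition_alarm(rcs_above_si_unblock: bool,
                                  motor_limit_switch_open: bool,
                                  stem_limit_switch_open: bool) -> bool:
    """Main control room alarm (Section 7.6.4): above the SI unblocking
    pressure, either limit switch indicating 'not open' is a malposition."""
    if not rcs_above_si_unblock:
        return False
    return not (motor_limit_switch_open and stem_limit_switch_open)


def loop_stop_valve_open_permitted(mode: int, rcs_temp_f: float, cold_leg_f: float, hot_leg_f: float,
                                   other_cold_legs_f: Sequence[float],
                                   other_hot_legs_f: Sequence[float]) -> bool:
    """Cold leg loop stop valve open permissive (Section 7.6.5).

    The first listed condition is not legible on the page; the Mode 5/6
    administrative requirement is modelled in its place (assumption).
    """
    if mode not in (5, 6):
        return False
    if rcs_temp_f >= LOOP_STOP_MAX_RCS_TEMP_F:
        return False
    cold_ok = abs(cold_leg_f - max(other_cold_legs_f)) <= LOOP_STOP_BAND_F
    hot_ok = abs(hot_leg_f - max(other_hot_legs_f)) <= LOOP_STOP_BAND_F
    return cold_ok and hot_ok
```

Stepping an energized AccumulatorMOV through a close request, then an SIS, then a close request with the SIS still present shows the three items of Section 7.6.4 in order: the valve closes, the SIS reopens it, and the second close request is refused. With the valve left in its normal de-energized state none of the signals move it, which is exactly the point the text makes about the open signals performing no actual function.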

7.6.6 FUEL POOL COOLING AND PURIFICATION SYSTEM

7.6.6.1 Description

The fuel pool cooling and purification system design is described in Section 9.1.3, and the flow diagram is shown on Figure 9.1-6.

Fuel pool cooling pump motor controls are located on the main control board and at the switchgear. REMOTE/LOCAL control selector switches are provided at the switchgear. An annunciator is alarmed on the main control board when local control is selected.

The following parameters are indicated on the fuel pool cooling panel:

1. Fuel pool water level
2. Fuel pool demineralizer total flow
3. Fuel pool water temperature
4. Fuel pool coolers outlet temperature
5. Fuel pool cooling return flow
6. Fuel pool cooling pumps discharge pressure
7. Fuel pool purification return flow
8. Fuel pool demineralizer flow

The following parameters are provided with first-out annunciators on the fuel pool panel:
1. Fuel pool water level low
2. Fuel pool water level high
3. Fuel pool water temperature high
5. Fuel pool cooling return flow low
6. Fuel pool purification flow low
7. Fuel pool prefilter 3A differential pressure high
8. Fuel pool prefilter 3B differential pressure high
9. Fuel pool demineralizer differential pressure high
10. Fuel pool post filter differential pressure high
11. Fuel pool coarse filter differential pressure high
12. Fuel pool cooler cooling water outlet flow low
13. Fuel pool purification pump 2A auto trip
14. Fuel pool purification pump 2B auto trip

A fuel pool cooling system trouble annunciator located on the main control board is alarmed whenever an alarm is received on the fuel pool panel.

Redundant pressure switches are utilized to energize low level indicator lights on the main control board. Temperature is indicated on the main control board by redundant temperature indicators.

Fuel pool level low, fuel pool level high, fuel pool cooling pumps auto trip, and fuel pool temperature high are alarmed on the main control board.

Continuous wide range level indication is provided from the top of the fuel racks to the normal operating level of the spent fuel pool by the Spent Fuel Pool Wide Range Level Displays within the Auxiliary Building.

To protect personnel from high radiation doses which could occur due to a fuel pool water level lower than normal, or during the refueling process, continuous radiation monitoring above the pool is provided. For a detailed description of the radiation monitor provided above the fuel pool, see Chapter 11, Section 11.5.2.

7.6.6.2 Analysis of Fuel Pool Cooling and Purification System

1. IEEE Standard 279-1971, Paragraph 4.2: For a discussion of system instrumentation redundancy and single failure criteria, refer to FSAR Sections 3.1 and 9.1.3.


3. Design Bases: For the fuel pool cooling and purification system design bases, refer to Section 9.1.3.1.
4. IEEE Standard 279-1971, Paragraph 4.6: Instrumentation for the fuel pool cooling and purification system has no multiple instrument channels. The instrument trains (A and B) for this system meet the requirements of General Design Criteria 44 (Section 3.1.2.44).
5. IEEE Standard 279-1971, Paragraphs 4.9 and 4.10: Calibration of the level switches, alarms, and indicators is verified periodically by removing the device in service and testing with test apparatus compatible with the specific equipment being tested and injecting simulated signals. Inspections and testing requirements are discussed in Section 9.1.3.4.
6. IEEE Standard 279-1971, Paragraph 4.13: Bypass and inoperable alarms are in accordance with Regulatory Guide 1.47.

7.6.7 CONTAINMENT LEAKAGE MONITORING SYSTEM (CONTAINMENT ATMOSPHERE PRESSURE AND TEMPERATURE MONITORING INSTRUMENTATION)

7.6.7.1 Description

The containment leakage monitoring system design is shown on Figure 6.2-53.

With the exceptions described below, components mounted between the containment structure and the outer containment isolation valves, including the valves themselves and the two containment air temperature detectors located inside the containment structure, are safety related.

The remainder of the containment leakage monitoring system components inside and outside the containment structure are not safety related.

Four safety related containment pressure transmitters (two extended range and two narrow range) are installed in two of the four containment penetration lines (PT935 and PT936). The extended range containment pressure transmitters transmit the containment pressure signal to the plant computer and to dual channel indicators in the control room, and one channel is recorded. The narrow range containment pressure transmitters transmit the containment pressure signal to dual channel indicators in the control room. The dual channel indicators and recorder in the control room are safety related.

Additional safety related containment atmosphere pressure transmitters are installed in each of the four containment penetration lines (PT-934 through 937). The transmitter output signals are used

channels of containment pressure indication in the control room and two channels on the auxiliary shutdown panels. Two channels are recorded in the control room. Each transmitter may be verified and calibrated by valving the transmitter out of service and applying a simulated signal.

A motor-operated valve is installed in each containment open pressure tap line between the containment and the transmitter connections. This valve is normally open and fails in the AS IS position on loss of power. An inadvertent closed position of these valves is alarmed, and a bypass annunciator is alarmed in the control room. The motor-operated valves are remote manually controlled from the control room. Two safety related temperature measuring channels are provided to monitor the containment atmosphere temperature. This temperature is indicated in the control room and one channel is recorded.

7.6.7.2 Analysis

1. IEEE Standard 279-1971, Paragraph 4.2: Redundant channels and trains for pressure and redundant trains of temperature indication supplied from separate power sources preclude a single random failure from preventing a protective action or indication at the system level.
2. IEEE Standard 279-1971, Paragraphs 4.9 and 4.10: Each pressure transmitter associated with Hi-1, Hi-2, and Hi-3 containment pressure may be tested and calibrated by valving the transmitter out of service and applying a simulated signal.

Temperature transmitters and indicators may be tested and calibrated periodically with a compatible test apparatus.

3. IEEE Standard 279-1971, Paragraph 4.13: Bypass and inoperable alarms are in accordance with Regulatory Guide 1.47.
4. Design Bases: For design bases information and a further discussion of compliance with IEEE-279-1971 for engineered safety features, refer to Sections 7.3.1.2 and 7.3.2.
5. IEEE Standard 279-1971, Paragraph 4.4: For a discussion of the type tests made to verify the performance requirements, refer to Section 3.11.
6. IEEE Standard 279-1971, Paragraph 4.5: For a discussion of channel independence applicable to Hi-1, Hi-2, and Hi-3 containment pressure, refer to Section 7.3.2.2.3.


7.6.8.1 Description

The basic function of the RCS pressure control during low-temperature operation is discussed in Section 5.2.2. As noted in Section 5.2.2, this pressure control includes automatic actuation logic for the two pressurizer power operated relief valves (PORVs). The function of this actuation logic is to continuously monitor RCS temperature and pressure conditions, with the actuation logic armed by operator action by means of an ARM/BLOCK main control board (MCB) switch which is placed in the BLOCK position when the plant is at operating pressure. The monitored system temperature signals are processed to generate the reference pressure limit, which is compared to the actual monitored RCS pressure. This comparison provides an actuation signal to an actuation device which, if manually armed, causes the PORV to automatically open if necessary to prevent pressure conditions from exceeding allowable limits. See Figure 7.2-1, Sheets 18 and 19, for the logic diagram showing the basic elements used to process the generating station variables for this low-temperature RCS overpressurization preventive interlock. These two sheets present the logic diagram for the pressurizer pressure relief system for Trains A and B that is part of the safety grade cold shutdown system.

The wide range temperature signals are used as input to generate the reference pressure limit program, considering the plant's allowable pressure and temperature limits. This reference pressure is then compared to the actual RCS pressure monitored by the wide range pressure channel. The error signal derived from the difference between the reference pressure and the measured pressure first annunciates a main board alarm whenever the measured pressure approaches, within a predetermined amount, the reference pressure. On a further increase in measured pressure, the error signal generates an annunciated actuation signal. Channel and train independence between protection sets and between Trains A and B is maintained from the sensors to the PORVs.

On receipt of the actuation signal, the actuation device automatically causes the PORV to open.

On sufficient RCS inventory letdown, the operating RCS pressure decreases, clearing the actuation signal. Removal of this signal from the actuation device causes the PORV to close.

7.6.8.2 Analysis of Interlock

The logic functions and actuation signals shown on Figure 7.2-1, Sheets 18 and 19, are implemented in NSSS protection equipment. For the criteria to which the protection system was designed, and which apply equally well to the interlocks, which are part of this protection system, see Sections 7.2 and 7.3. The primary purpose of these interlocks is automatic transient mitigation. These interlocks do not perform a primary protective function, but rather provide automatic overpressure protection at low temperature as backup to operator action. However, to ensure a well engineered design and improved operability, the instrumentation and control portions of the interlocks for RCS pressure control during low temperature operation will satisfy applicable sections of US NRC Branch Technical Position RSB 5-2 that addresses

1. For the purpose of applying IEEE Standard 279-1971 to this circuit, the following definitions will be used:
a. Safety Grade System: The block valve and the power operated relief valve (PORV) in series in each of the redundant lines and all components of the interlocks for RCS pressure control during low temperature operation. The I&C equipment for one redundant line is defined as the Train A system; the I&C equipment for the other redundant line is defined as the Train B system.
b. Protective Action: The automatic control of RCS pressure during low-temperature operation to prevent the actual pressure from exceeding the calculated reference pressure limit. This protective action can be satisfied by either train of the redundant system, the Train A system or the Train B system.
2. IEEE Standard 279-1971, Paragraph 4.2: Any single random failure within the Train A system or the Train B system will not prevent protective action at the system level when required.
3. (Deleted)
4. IEEE Standard 279-1971, Paragraph 4.12: The protective action is manually blocked by operator action of the MCB ARM/BLOCK switch, which places it in the BLOCK position when the plant is at temperatures greater than the range of concern for RCS low temperature operation.

The annunciator initiated by the low temperature auctioneered circuit will alarm to warn the operator that the ARM/BLOCK switch should be placed in the ARM position. The condition that the system should be armed but is not armed is therefore indicated to the operator whenever this annunciator is initiated while the switch is in the maintained BLOCK position. In addition, if the system is armed and the PORV block valve is not fully open, this condition is also annunciated.
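The following is an added example, not part of the FSAR, modelling one train of the low-temperature overpressure logic described in Sections 7.6.8.1 and 7.6.8.2: a reference pressure limit derived from wide range temperature, a main board pre-alarm as measured pressure approaches that limit, an actuation signal that opens the PORV only when the train is manually armed and clears again when pressure falls, and the two annunciators tied to the ARM/BLOCK switch and the block valve. The FSAR does not give the reference pressure program, the pre-alarm margin or the temperature below which arming is expected; the table and numbers prefixed ASSUMED_ below are placeholders for this example only, as are the function and field names.

```python
from dataclasses import dataclass

# Added example (not FSAR code). Placeholder P/T limit points assumed for this
# example: (RCS wide range temperature in degrees F, reference pressure in psig).
ASSUMED_PT_LIMIT_TABLE = [(50.0, 400.0), (200.0, 500.0), (300.0, 800.0), (350.0, 1200.0)]
ASSUMED_PREALARM_MARGIN_PSI = 50.0     # pre-alarm when within this much of the limit (assumed)
ASSUMED_ARM_REQUIRED_BELOW_F = 350.0   # low-temperature circuit expects ARM below this (assumed)


def reference_pressure_limit(temp_f: float) -> float:
    """Piecewise-linear reference pressure limit from the assumed table."""
    pts = ASSUMED_PT_LIMIT_TABLE
    if temp_f <= pts[0][0]:
        return pts[0][1]
    for (t0, p0), (t1, p1) in zip(pts, pts[1:]):
        if temp_f <= t1:
            return p0 + (p1 - p0) * (temp_f - t0) / (t1 - t0)
    return pts[-1][1]


@dataclass(frozen=True)
class LtopTrainStatus:
    reference_psig: float
    pre_alarm: bool                # main board alarm: pressure approaching the limit
    actuation: bool                # actuation signal present (limit reached)
    porv_open: bool                # PORV demanded open: actuation AND train armed
    arm_annunciator: bool          # switch in BLOCK while the temperature calls for ARM
    block_valve_annunciator: bool  # armed but PORV block valve not fully open


def evaluate_train(temp_f: float, press_psig: float, armed: bool,
                   block_valve_full_open: bool = True) -> LtopTrainStatus:
    """Evaluate one train for a single (temperature, pressure) sample."""
    ref = reference_pressure_limit(temp_f)
    actuation = press_psig >= ref
    pre_alarm = press_psig >= ref - ASSUMED_PREALARM_MARGIN_PSI
    should_be_armed = temp_f < ASSUMED_ARM_REQUIRED_BELOW_F
    return LtopTrainStatus(
        reference_psig=ref,
        pre_alarm=pre_alarm,
        actuation=actuation,
        porv_open=armed and actuation,          # BLOCK position defeats the action
        arm_annunciator=should_be_armed and not armed,
        block_valve_annunciator=armed and not block_valve_full_open,
    )


def run_sequence(samples, armed: bool) -> list:
    """Evaluate a constructed time series of (temp_f, press_psig) samples.

    The actuation device is stateless: once pressure falls back below the
    reference the signal clears and the PORV closes, as Section 7.6.8.1 states.
    """
    return [evaluate_train(t, p, armed).porv_open for t, p in samples]


if __name__ == "__main__":
    # Constructed heatup samples at 100 F; pressure rises past the limit and then drops.
    samples = [(100.0, 420.0), (100.0, 440.0), (100.0, 450.0), (100.0, 425.0)]
    print("reference at 100 F:", round(reference_pressure_limit(100.0), 1), "psig")
    print("PORV open per sample (armed):", run_sequence(samples, armed=True))
    print("PORV open per sample (blocked):", run_sequence(samples, armed=False))
```

The example keeps the BLOCK check separate from the comparator so that a blocked train still produces the pre-alarm and the actuation indication; only the PORV demand is suppressed, which is what lets the ARM/BLOCK annunciator tell the operator that protection is being called for and is not armed.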

7.6.8.3 Pressurizer Pressure Relief System

The pressurizer low pressure interlocks shown on Figure 7.2-1, Sheet 6, together with the pressurizer pressure control shown on Figure 7.2-1, Sheet 11, and the interlocks for the pressurizer block valves, 8000A and B, shown on Figure 7.2-1, Sheets 18 and 19, are referred to as the pressurizer pressure relief system.


1. Capability for RCS overpressure mitigation during cold shutdown, heatup, and cooldown operations to minimize the potential for impairing reactor vessel integrity when operating at or near the vessel ductility limits
2. Capability for RCS depressurization following Condition II, III, and IV events and for safety grade cold shutdown
3. An interlock that, with the RCS cold overpressure protection system armed and the PORV block valves in auto control, opens the PORV block valves
4. A safety related pressure relief function which opens the pressurizer PORVs when two out of four protection channels sense high pressurizer pressure. To avoid spurious PORV opening, the actuation bistables are energized to open the PORVs.

Coincidence logic and PORV actuation is performed by the Solid State Protection System (SSPS). One PORV is controlled by the A train of SSPS while the other PORV is controlled by the B train. The PORVs close after pressurizer pressure has been reduced by a predetermined value. Refer to FSAR Figure 7.2-1 sheets 6, 18 and 19 for additional details.

Interlocks from the PPR system control the opening and closing of the pressurizer PORVs and the PORV block valves. These interlocks provide the following functions:

1. Pressurizer pressure control
2. RCS pressure control during low-temperature operation
3. RCS pressure control to achieve and maintain safety grade cold shutdown and to heat up using equipment that is required for safety

The interlock functions that provide pressurizer pressure control are derived from process meters as shown on Figure 7.2-1, Sheets 6, 11, 18, and 19. The functions shown on Figure 7.2-1, Sheets 18 and 19, include those needed for the PORV block valves as well as the pressurizer PORVs to meet both interlock logic and manual operation requirements, where manual operation can be either at the main control board or on the local shutdown panel.

7.6.9 HEAT TRACING OF SAFETY-RELATED SYSTEMS

Safety-related systems requiring heat tracing are heated by circuits powered from two independent control panels, 3HTS-PNLF1 and 3HTS-PNLF2. The transformers for each panel are powered by the purple and orange safety trains, respectively. The power from the panels is not safety grade. The safety grade power is protected from the nonsafety service by the transformers, which are safety grade isolation transformers, or is isolated by two Class 1E breakers in series.


generated low ambient temperature signals. A temperature sensor on the piping provides an alarm at the primary panel, 3HTS-PNLF1, if it senses a temperature below its setpoint. This also causes an alarm to sound on the main control board identifying trouble at the primary panel. Should the temperature of the piping continue to drop, a second temperature sensor on the piping provides an alarm at the secondary panel, 3HTS-PNLF2, which in turn provides an additional alarm on the main control board.

7.6.10 SHUTDOWN MARGIN MONITOR

7.6.10.1 Description

The safety related shutdown margin monitor is an instrument that measures the count rate from the neutron monitoring instruments and identifies any statistically significant increase that would indicate a loss of reactor shutdown margin.

The monitor's input signal is obtained as a pulse output from the existing neutron-flux monitoring system. This design minimizes unwanted background counts from electromagnetic pickup or from alpha, beta, or gamma flux at the detector.

The shutdown margin monitors have been designed with bipolar discrete components and complementary metal oxide semiconductor (CMOS) microprocessors and integrated circuitry for high reliability and long life.

The shutdown margin monitors are designed with 20 memory registers that are updated every 30 counts (detected neutrons) or once a second, whichever is longer. These registers are used to provide an average count rate over a period of time in an effort to reduce noise spikes and unnecessary alarms. This averaging process causes a time delay in the instrument's response while monitoring the reactor core at very low count rates, such as following long shutdowns or refueling operations. The time delay of the monitor increases as the instrument's count rate decreases. Minimum count rates for operability have been established and proceduralized to account for this time delay.

The shutdown margin monitor will alarm when the monitored count rate increases above the baseline count rate by a pre-set factor (Alarm Ratio). The Alarm Ratio can range from 1.25 to 4 times the baseline count rate. The monitor continually lowers its baseline count rate as the count rate decays with time. This renormalization is required to properly monitor the core for statistically significant neutron flux increases.
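The following is an added example, not part of the FSAR, that models the register averaging, baseline renormalization and Alarm Ratio logic described in the two paragraphs above, and shows the response delay at low count rates that the text refers to. The 20 registers, the "30 counts or one second, whichever is longer" update rule and the 1.25 to 4 Alarm Ratio range come from the text. The rule that the baseline starts at the first register average and is only ever lowered, the deterministic one-second count streams, and the class and function names are assumptions made for this example.

```python
from collections import deque
from dataclasses import dataclass

# Added example (not FSAR code): a model of the shutdown margin monitor logic.


@dataclass(frozen=True)
class SmmStatus:
    average_cps: float   # average count rate over the registers filled so far
    baseline_cps: float  # renormalized baseline; assumed to be only ever lowered
    alarm: bool          # average >= Alarm Ratio x baseline


class ShutdownMarginMonitor:
    def __init__(self, alarm_ratio: float, registers: int = 20,
                 counts_per_update: int = 30, min_update_s: float = 1.0):
        if not 1.25 <= alarm_ratio <= 4.0:
            raise ValueError("Alarm Ratio must be between 1.25 and 4")
        self.alarm_ratio = alarm_ratio
        self.registers = deque(maxlen=registers)
        self.counts_per_update = counts_per_update
        self.min_update_s = min_update_s
        self.baseline = None
        self._pending_counts = 0
        self._window_start = 0.0   # assumed: first accumulation window opens at t = 0

    def feed(self, t_s: float, counts: int) -> SmmStatus:
        """Accumulate detected neutrons reported at time t_s and return the status.

        A register closes only when BOTH 30 counts have accumulated AND at least one
        second has elapsed, i.e. whichever of the two takes longer.
        """
        self._pending_counts += counts
        elapsed = t_s - self._window_start
        if self._pending_counts >= self.counts_per_update and elapsed >= self.min_update_s:
            self.registers.append(self._pending_counts / elapsed)   # count rate for the window
            self._pending_counts = 0
            self._window_start = t_s
        return self.status()

    def status(self) -> SmmStatus:
        if not self.registers:
            return SmmStatus(0.0, 0.0, False)
        avg = sum(self.registers) / len(self.registers)
        if self.baseline is None or avg < self.baseline:
            self.baseline = avg     # renormalize downward as the count rate decays
        return SmmStatus(avg, self.baseline, avg >= self.alarm_ratio * self.baseline)


def ticks_to_alarm(baseline_cps: int, stepped_cps: int, alarm_ratio: float = 2.0,
                   settle_ticks: int = 40, max_ticks: int = 300):
    """Feed constructed one-second ticks at baseline_cps, then step to stepped_cps.

    Returns the number of ticks after the step until the alarm, or None.
    """
    smm = ShutdownMarginMonitor(alarm_ratio)
    t = 0.0
    for _ in range(settle_ticks):
        t += 1.0
        smm.feed(t, baseline_cps)
    for n in range(1, max_ticks + 1):
        t += 1.0
        if smm.feed(t, stepped_cps).alarm:
            return n
    return None


def decay_false_alarm(start_cps: int, end_cps: int, alarm_ratio: float) -> bool:
    """Feed a count rate falling by one count per second; True if the monitor ever alarms."""
    smm = ShutdownMarginMonitor(alarm_ratio)
    t = 0.0
    for counts in range(start_cps, end_cps - 1, -1):
        t += 1.0
        if smm.feed(t, counts).alarm:
            return True
    return False


if __name__ == "__main__":
    print("ticks to alarm, 100 -> 300 cps:", ticks_to_alarm(100, 300))   # registers fill once a second
    print("ticks to alarm,   5 ->  15 cps:", ticks_to_alarm(5, 15))      # registers wait for 30 counts
    print("false alarm during decay:", decay_false_alarm(100, 50, 1.25))
```

With a threefold step the high count rate case alarms in 10 ticks while the low count rate case needs 15, because each register must wait for 30 counts before it closes; this is the delay that the minimum count rates for operability account for. The decay run shows why the baseline must follow the decaying count rate downward: the average never exceeds the baseline by the ratio, so no spurious alarm results.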

7.6.10.2 Function

The shutdown margin monitors provide the reactor operator adequate warning if an unintentional loss of shutdown margin occurs. The monitors monitor the count rate from the existing neutron flux at the reactor core for a statistically significant increase. The monitor will alarm once the monitored count rate has increased by a factor of 1.25 to 4, depending on the instrument's

Requirements Manual (TRM). The setpoint ensures that the operator will be provided with at least minutes of response time to mitigate the boron dilution event.

Section 15.4.6 of the FSAR describes the event of a possible unplanned moderator dilution that could result in an unwanted increase in reactivity and a decrease in shutdown margin. Such an event could be detected by measuring the boron concentration in the moderator. However, the shutdown margin is monitored directly by measuring the neutron flux at the reactor core. The operator will be alerted to any reduction in shutdown margin, whether from an unplanned boron dilution or from another cause.

An increase in reactivity or decrease in shutdown margin due to a boron dilution event results in an increase in neutron flux in the reactor core due to an increase in subcritical multiplication. By monitoring the neutron flux at the reactor core during a shutdown, a loss of shutdown margin will be identified. The shutdown margin monitors are required to be operable in MODES 3, 4 and 5. With both monitors inoperable, mode changes are allowed up to MODE 3 as long as the action statement in the technical specification is completed.

7.6.11 REFERENCES FOR SECTION 7.6

7.6-1 IEEE Standard 279-1971. IEEE Standard: Criteria for Protection Systems for Nuclear Power Generating Stations. The Institute of Electrical and Electronics Engineers, Inc.

7.6-2 IEEE Standard 338-1971. IEEE Trial-Use Criteria for the Periodic Testing of Nuclear Power Generating Station Protection Systems. The Institute of Electrical and Electronics Engineers, Inc.


FIGURE 7.6-1 LOGIC DIAGRAM FOR RHS ISOLATION VALVES

There are two normally closed motor-operated series isolation valves in each of the two RHS pump suction lines from the RCS hot legs. The electrical interlock features provided for isolation valves 8701B and 8702B are similar to those provided for isolation valves 8701A and 8702A.

Each valve is interlocked against opening unless the following conditions are met:

1. The RCS pressure, as measured by appropriate wide range pressure channels, is less than 412.5 psia. This assures the RHS system cannot be overpressurized by aligning it to the RCS when RCS pressure plus RHS pump head would exceed the RHS system design pressure.

It should be noted that when controlling valve 8701A from the ASP, the RCS low pressure interlock is not available. This design feature allows one train of RHR cooling when the control room is inaccessible.

2. The corresponding RHS pump/RWST suction isolation valve is closed. This assures positive isolation of the RWST and RHS/RWST suction piping before initiating a normal cooldown.
3. The corresponding recirculation line to the CHG/HHSI pumps isolation valve is closed.

This assures the suction of the HHSI and/or CHG pumps cannot be overpressurized by normal cooldown flow via an open recirculation line isolation valve.

4. "Closed" indication is present from both of the recirculation pump discharge isolation valves. (Note: Redundancy is provided by the check valves at the recirculation pump discharge.)

Each valve is also alarmed when open and RCS pressure is greater than 440 psig. When the plant is in Mode 1, 2, or 3, the operator is required to close all three suction valves. This assures that each of the interlocked valves in the pump suction line will be closed during a plant startup prior to reaching operating conditions, should one valve have been inadvertently left open by operator omission. These valves may be shut at any time that plant conditions warrant closure of the valves. When the plant is in Mode 4, 5, or 6, and the RCS pressure increases to 750 psig, the operator is required to close the motor-operated valve closest to the RHS pump.

The wide range RCS pressure interlock on the first set of isolation valves is independent and diverse from that provided to the second set of isolation valves. This is specifically required to meet NRC criteria which are applicable to the RHS system design.
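The following is an added example, not part of the FSAR, expressing the opening permissive and the open-valve alarm for one RHS pump suction isolation valve as described in the Figure 7.6-1 notes above. The 412.5 psia permissive, the 440 psig alarm, the four interlock conditions and the absence of the low pressure interlock when the valve is controlled from the ASP come from the text. The state fields, the function names, the psia-to-psig offset and the sample valve states are assumptions made for this example; in particular it assumes that the three non-pressure conditions still apply when the valve is controlled from the ASP, which the text does not state either way.

```python
from __future__ import annotations
from dataclasses import dataclass

# Added example (not FSAR code): RHS suction isolation valve opening permissive.
RHS_OPEN_PERMISSIVE_PSIA = 412.5   # wide range RCS pressure must be below this to open
RHS_OPEN_ALARM_PSIG = 440.0        # alarm when the valve is open above this RCS pressure
ATMOSPHERIC_PSI = 14.7             # assumed psia-to-psig offset for this example


@dataclass(frozen=True)
class RhsSuctionValveState:
    rcs_pressure_psia: float        # wide range RCS pressure channel
    rwst_suction_closed: bool       # corresponding RHS pump/RWST suction isolation valve closed
    recirc_line_closed: bool        # recirculation line to CHG/HHSI pumps isolation valve closed
    recirc_disch_a_closed: bool     # "closed" indication, recirculation pump discharge valve A
    recirc_disch_b_closed: bool     # "closed" indication, recirculation pump discharge valve B
    valve_open: bool                # position of the interlocked suction valve itself
    from_asp: bool = False          # valve being controlled from the auxiliary shutdown panel


def open_permissive(s: RhsSuctionValveState) -> tuple[bool, list[str]]:
    """Return (permitted, blocking_conditions) for an open demand on the valve.

    From the ASP the RCS low pressure interlock is not in the circuit (the text
    says this for 8701A); the other three conditions are assumed to still apply.
    """
    blocking = []
    if not s.from_asp and s.rcs_pressure_psia >= RHS_OPEN_PERMISSIVE_PSIA:
        blocking.append("RCS pressure not below 412.5 psia")
    if not s.rwst_suction_closed:
        blocking.append("RHS/RWST suction isolation valve not closed")
    if not s.recirc_line_closed:
        blocking.append("recirculation line isolation valve not closed")
    if not (s.recirc_disch_a_closed and s.recirc_disch_b_closed):
        blocking.append("closed indication missing on a recirculation pump discharge valve")
    return (not blocking, blocking)


def open_valve_alarm(s: RhsSuctionValveState) -> bool:
    """Alarm when the valve is open and RCS pressure exceeds 440 psig."""
    return s.valve_open and (s.rcs_pressure_psia - ATMOSPHERIC_PSI) > RHS_OPEN_ALARM_PSIG


# Constructed sample states (not plant data).
COOLDOWN_ALIGNED = RhsSuctionValveState(
    rcs_pressure_psia=350.0, rwst_suction_closed=True, recirc_line_closed=True,
    recirc_disch_a_closed=True, recirc_disch_b_closed=True, valve_open=False)
RWST_STILL_OPEN = RhsSuctionValveState(
    rcs_pressure_psia=350.0, rwst_suction_closed=False, recirc_line_closed=True,
    recirc_disch_a_closed=True, recirc_disch_b_closed=True, valve_open=False)
AT_PRESSURE_FROM_MCB = RhsSuctionValveState(
    rcs_pressure_psia=600.0, rwst_suction_closed=True, recirc_line_closed=True,
    recirc_disch_a_closed=True, recirc_disch_b_closed=True, valve_open=False)
AT_PRESSURE_FROM_ASP = RhsSuctionValveState(
    rcs_pressure_psia=600.0, rwst_suction_closed=True, recirc_line_closed=True,
    recirc_disch_a_closed=True, recirc_disch_b_closed=True, valve_open=False, from_asp=True)
OPEN_DURING_COOLDOWN = RhsSuctionValveState(
    rcs_pressure_psia=400.0, rwst_suction_closed=True, recirc_line_closed=True,
    recirc_disch_a_closed=True, recirc_disch_b_closed=True, valve_open=True)
LEFT_OPEN_AT_POWER = RhsSuctionValveState(
    rcs_pressure_psia=2250.0, rwst_suction_closed=True, recirc_line_closed=True,
    recirc_disch_a_closed=True, recirc_disch_b_closed=True, valve_open=True)

if __name__ == "__main__":
    for name, st in [("cooldown aligned", COOLDOWN_ALIGNED), ("RWST still open", RWST_STILL_OPEN),
                     ("at pressure from MCB", AT_PRESSURE_FROM_MCB),
                     ("at pressure from ASP", AT_PRESSURE_FROM_ASP)]:
        print(f"{name:22s} permissive={open_permissive(st)}")
    print("alarm, left open at power:", open_valve_alarm(LEFT_OPEN_AT_POWER))
```

The permissive returns every unsatisfied condition rather than the first one, which is what an operator or a reviewer of the logic actually needs; and the ASP case shows the design trade the text describes, namely that the pressure interlock is traded for the ability to establish one train of RHR cooling when the control room is inaccessible, so the 440 psig open-valve alarm and the procedural closure requirements are the remaining defences.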


FIGURE 7.6-2 FUNCTIONAL BLOCK DIAGRAM OF ACCUMULATOR ISOLATION VALVES

FIGURE 7.6-3 AUTOMATIC RHS AND QSS PUMP SHUTOFF (SHEET 1)

FIGURE 7.6-3 AUTOMATIC RHS AND QSS PUMP SHUTOFF (SHEET 2)

FIGURE 7.6-4 REACTOR COOLANT SYSTEM LOOP WITH LOOP STOP VALVES

The general design objectives of the plant control systems are:

1. To establish and maintain power equilibrium between primary and secondary system during steady state operation
2. To constrain operational transients so as to preclude unit trip and re-establish steady state unit operation
3. To provide the reactor operator with monitoring instrumentation that indicates all required input and output control parameters of the systems and provides the operator the capability of assuming manual control of the system

7.7.1 DESCRIPTION

The plant control systems described in this section perform the following functions:
1. Reactor Control System
a. Enables the nuclear plant to accept a step load decrease of 10 percent and a ramp decrease of 5 percent per minute within the load range of 15 percent to 100 percent without reactor trip, steam dump, or pressurizer relief actuation, subject to possible xenon limitations. The reactor control system will not withdraw control rods for step and ramp load increases. The operators will take the appropriate actions in response to alarms and maintain control of the plant.
b. Maintains reactor coolant average temperature Tavg within prescribed limits by creating the bank demand signals for moving groups of full length rod cluster control assemblies during normal operation and operational transients. The Tavg control also supplies a signal to pressurizer water level control and steam dump control.
2. Rod Control System Provides for reactor power modulation by manual and automatic control of full length control rod banks in a preselected sequence and for manual operation of individual banks.
3. Systems for Monitoring and Indicating
a. Provide alarms to alert the operator if the required core reactivity shutdown margin is not available, due to excessive control rod insertion.
b. Display control rod position.


4. Plant Control System Interlocks
a. Prevent further withdrawal of the control banks when signal limits are approached that predict the approach of a DNBR limit or kW/ft limit.
b. Inhibit automatic turbine load change as required by the nuclear steam supply system.
5. Pressurizer Pressure Control Maintains or restores the pressurizer pressure to a value which is well within reactor trip and relief and safety valve actuation setpoint limits following normal operational transients that induce pressure changes by control (manual or automatic) of the pressurizer heaters and spray valves.
6. Pressurizer Water Level Control Establishes, maintains, and restores pressurizer water level within specified limits as a function of the average coolant temperature. Changes in level are caused by coolant density changes induced by loading, operational, and unloading transients.

Level changes are produced by means of charging flow control (manual or automatic) as well as by manual selection of letdown orifices. Maintaining coolant level in the pressurizer within prescribed limits by actuating the charging and letdown system thus provides control of the reactor coolant water inventory.

7. Steam Generator Water Level Control
a. Establishes and maintains the steam generator water level to within predetermined physical limits during normal operating transients.
b. The steam generator water level control system also restores the steam generator water level to within predetermined limits at unit trip conditions.

It regulates the feedwater flow rate such that under operational transients the heat sink for the reactor coolant system does not decrease below a minimum. Steam generator water inventory control is manual or automatic through the use of feedwater control valves.

8. Steam Dump Control
a. Permits the nuclear plant to accept a sudden loss of load without incurring reactor trip. Steam is dumped to the condenser and/or the atmosphere as necessary to accommodate excess power generation in the reactor during turbine load reduction transients.


actuation of the steam generator safety valves.

c. Maintains the plant at no load conditions and permits a manually controlled cooldown of the plant.
9. Incore Instrumentation Provides information on the neutron flux distribution and on the core outlet temperatures at selected core locations.

7.7.1.1 Reactor Control System

The reactor control system enables the nuclear plant to follow load decreases automatically, including the acceptance of step load decreases of 10 percent and ramp decreases of 5 percent per minute within the load range of 15 percent to 100 percent without reactor trip, steam dump, or pressure relief (subject to possible xenon limitations). The system is also capable of restoring coolant average temperature to within the programmed temperature deadband following a change in load. Manual control rod operation is required for response to load increases and may be performed at any time.

The reactor control system controls the reactor coolant average temperature by regulation of control rod bank position. The reactor coolant loop average temperatures are determined from the hot and cold leg measurements in each reactor coolant loop. There is an average coolant temperature (Tavg) computed for each loop, where:

Tavg = (Thot + Tcold)/2 (7.7-1)

The error between the programmed reference temperature (based on turbine impulse chamber pressure) and the highest of the measured Tavg temperatures from each of the reactor coolant loops (which is processed through a lead-lag compensation unit) constitutes the primary control signal, as shown in general on Figure 7.7-1 and in more detail on the functional diagrams shown on Figure 7.2-1, Sheet 9. The system is capable of restoring coolant average temperature to the programmed value following a decrease in load. The programmed coolant temperature increases linearly with turbine load from zero power to the full power condition. The Tavg also supplies a signal to pressurizer level control, steam dump control, and rod insertion limit monitoring.

The temperature channels needed to derive the temperature input signals for the reactor control system are fed from protection channels via isolation amplifiers.

An additional control input signal is derived from the reactor power versus turbine load mismatch signal. This additional control input signal improves system performance by enhancing response and reducing transient peaks.
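The following is an added example, not part of the FSAR, that works Equation 7.7-1 and the Tavg error path of Section 7.7.1.1 through to a rod demand: per-loop Tavg, selection of the highest loop value, a reference temperature that rises linearly with turbine load, a deadband, and an automatic demand that only inserts rods (the text states that the automatic system will not withdraw rods for load increases, so a low-Tavg error is left to the operator). The 8 to 72 steps/minute speed range and the insert-only behaviour come from the text; the no-load and full-load reference temperatures, the deadband, the error at which full speed is reached, and the omission of the lead-lag unit and the power-mismatch term are assumptions for this example, as are all names.

```python
from dataclasses import dataclass

# Added example (not FSAR code): Tavg error to rod demand. Values prefixed
# ASSUMED_ are placeholders for this example, not plant setpoints.
ASSUMED_TREF_NO_LOAD_F = 557.0
ASSUMED_TREF_FULL_LOAD_F = 587.0
ASSUMED_DEADBAND_F = 1.5           # no rod motion while |error| is within this
ASSUMED_FULL_SPEED_ERROR_F = 5.0   # error at which the maximum auto speed is demanded
MIN_AUTO_SPEED_STEPS_PER_MIN = 8   # from the text: 8 to 72 steps/minute
MAX_AUTO_SPEED_STEPS_PER_MIN = 72


def loop_tavg(thot_f: float, tcold_f: float) -> float:
    """Equation 7.7-1: Tavg = (Thot + Tcold)/2 for one loop."""
    return (thot_f + tcold_f) / 2.0


def programmed_tref(turbine_load_fraction: float) -> float:
    """Reference temperature rising linearly with turbine load (load taken from impulse
    chamber pressure upstream of this function; clamped to 0..1 here)."""
    load = min(max(turbine_load_fraction, 0.0), 1.0)
    return ASSUMED_TREF_NO_LOAD_F + load * (ASSUMED_TREF_FULL_LOAD_F - ASSUMED_TREF_NO_LOAD_F)


@dataclass(frozen=True)
class RodDemand:
    auctioneered_tavg_f: float   # highest loop Tavg
    tref_f: float
    error_f: float               # Tavg - Tref; positive means the plant is hot, insert rods
    direction: str               # "insert", "none", or "withdraw-manual"
    speed_steps_per_min: int


def rod_demand(loops, turbine_load_fraction: float) -> RodDemand:
    """loops: iterable of (Thot, Tcold) pairs, one per reactor coolant loop, as supplied
    from the protection channels through isolation amplifiers."""
    tavg = max(loop_tavg(th, tc) for th, tc in loops)   # highest loop Tavg is used
    tref = programmed_tref(turbine_load_fraction)
    err = tavg - tref
    if abs(err) <= ASSUMED_DEADBAND_F:
        return RodDemand(tavg, tref, err, "none", 0)
    if err < 0:
        # Plant cooler than program: automatic control does not withdraw rods; the
        # operator responds to alarms and withdraws manually (Section 7.7.1.2.1).
        return RodDemand(tavg, tref, err, "withdraw-manual", 0)
    frac = min((err - ASSUMED_DEADBAND_F)
               / (ASSUMED_FULL_SPEED_ERROR_F - ASSUMED_DEADBAND_F), 1.0)
    speed = round(MIN_AUTO_SPEED_STEPS_PER_MIN
                  + frac * (MAX_AUTO_SPEED_STEPS_PER_MIN - MIN_AUTO_SPEED_STEPS_PER_MIN))
    return RodDemand(tavg, tref, err, "insert", int(speed))


if __name__ == "__main__":
    # Constructed four-loop sample at full load; loop 4 runs warmest.
    sample_loops = [(620.0, 560.0), (618.0, 558.0), (619.0, 559.0), (621.0, 561.0)]
    print(rod_demand(sample_loops, 1.0))
    print(rod_demand([(610.0, 550.0)], 1.0))   # cool plant: no automatic withdrawal
```

Taking the highest loop Tavg rather than the mean is conservative in the insert direction: a single loop reading high drives insertion, whereas a single loop reading low cannot cause automatic withdrawal, which matches the asymmetry the text describes for the automatic system.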


displays (Section 7.7.1.3.1) indicate the need for an adjustment in the axial power distribution.

Adding boron to the reactor coolant will reduce Tavg and require the rods to be moved toward the top of the core. This action will reduce power peaks in the bottom of the core. Likewise, removing boron from the reactor coolant will move the rods further into the core to control power peaks in the top of the core.

7.7.1.2 Rod Control System

7.7.1.2.1 Full Length Rod Control System

The full length rod control system, when operating in automatic, receives rod speed and direction signals to move into the core from the Tavg control system. The rod speed demand signal varies over the corresponding range of 5 to 45 inches per minute (8 to 72 steps/minute) depending on the magnitude of the input signal. Manual control is provided to move a control bank in or out at a prescribed fixed speed.

When the operator selects the AUTOMATIC mode, rod motion is then controlled by the reactor control system. In the AUTOMATIC mode, the rods are inserted in a predetermined programmed sequence with the control interlocks listed in Table 7.7-1. Rod withdrawal is manually controlled by the operator.

The shutdown banks are always in the fully withdrawn position during normal operation and are moved to this position at a constant speed by manual control prior to criticality. A reactor trip signal causes them to fall by gravity into the core. There are 5 shutdown banks.

The control banks are the only rods that can be manipulated under automatic control. Each control bank is divided into two groups to obtain smaller incremental reactivity changes per step.

All rod cluster control assemblies in a group are electrically paralleled to move simultaneously.

There is individual position indication for each rod cluster control assembly.

Power to the rod drive mechanisms is supplied by two motor generator sets operating from two separate 480V, three-phase buses. Each generator is the synchronous type and is driven by a 200 hp induction motor. The AC power is distributed to the rod control power cabinets through the series connected reactor trip breakers.

The Rod Control System can insert small amounts of reactivity to accomplish fine control of reactor coolant average temperature about a small temperature deadband. A summary of the rod cluster control assembly sequencing characteristics is given below:

1. Two groups within the same bank are stepped such that the relative position of the groups will not differ by more than one step.
2. The control banks are programmed such that withdrawal of the banks is sequenced in the following order: control bank A, control bank B, control bank C, and control

inserted.

3. The control bank withdrawals are programmed such that when the first bank reaches a preset position, the second bank begins to move out simultaneously with the first bank which continues to move toward its fully withdrawn position. When the second bank reaches a preset position, the third bank begins to move out, and so on. This withdrawal sequence continues until the unit reaches the desired power level. The control bank insertion sequence is the opposite.
4. Overlap between successive control banks is adjustable between 0 and 50 percent (0 and 115 steps), with an accuracy of 1 step.
5. Rod speeds for either the shutdown banks or manual operation of the control banks are capable of being controlled between a minimum of 6 steps per minute and a maximum of 68 steps per minute.

7.7.1.3 Plant Control Signals for Monitoring and Indicating

7.7.1.3.1 Monitoring Functions Provided by the Nuclear Instrumentation System

The power range channels are important because of their use in monitoring power distribution in the core within specified safe limits. They are used to measure power level, axial flux imbalance, and radial flux imbalance. These channels are capable of recording overpower excursions up to percent of full power. Suitable alarms are derived from these signals as described below.

The basic power range signals are:

1. Total current from a power range detector (four such signals from separate detectors); these detectors are vertical and have a total active length of 10 feet
2. Current from the upper half of each power range detector (four signals)
3. Current from the lower half of each power range detector (four signals)

Derived from these basic signals are the following (including standard signal processing for calibration):
1. Indicated nuclear power (four signals)
2. Indicated axial flux imbalance, derived from upper half flux minus lower half flux (four signals)

Alarm functions derived are as follows:


2. Upper radial tilt (maximum to average of four power range input signals) on upper-half detector currents
3. Lower radial tilt (maximum to average of four power range input signals) on lower-half detector currents

Provision is made to continuously record on strip charts on the control board the 8 ion chamber signals, i.e., the upper and lower currents for each detector. Nuclear power and axial imbalance are selectable for recording as well. Indicators are provided on the control board for nuclear power and for axial flux imbalance.

The plant computer monitors the excore detectors and actuates an alarm when the calculated Axial Flux Difference (AFD) exceeds the specified limits. The indicated AFD will be monitored and logged in accordance with the Technical Specifications when the AFD alarm is inoperable.

Additional background information on the Nuclear Instrumentation System can be found in WCAP-8255.

7.7.1.3.2 Rod Position Monitoring of Full Length Rods

Two separate systems are provided to sense and display control rod position as described below:

1. Digital Rod Position Indication System - The digital rod position indication system measures the actual position of each full length rod using a detector which consists of discrete coils mounted concentrically with the rod drive pressure housing. The coils are located axially along the pressure housing and magnetically sense the entry and presence of the rod drive shaft through its centerline. For each detector, the coils are interlaced into two data channels, and are connected to the containment electronics (Data A and B) by separate multi-conductor cables. By employing two separate channels of information, the digital rod position indication system can continue to function when one channel fails. Multiplexing is then used to transmit the digital position signals from the containment electronics to the control board display unit.

The control board display unit contains a column of light emitting diodes (LEDs) for each rod. At any given time, the one LED illuminated in each column shows the position for that particular rod. Since shutdown rods are always fully withdrawn with the plant at power, their position is displayed every 6 steps with 4 step accuracy only in the region from rod bottom to 18 steps and from 210 steps to 228 steps. All intermediate positions of the rod are represented by a single transition LED. Each rod of the control banks has its position displayed every 6 steps with 4 step accuracy throughout its range of travel.


...or control bank rod is at bottom.

2. Demand Position System - The demand position system counts pulses generated in the rod drive control system to provide a digital readout of the demanded group position.

The demand position and digital rod position indication systems are separate systems, but safety criteria were not involved in the separation, which was a result only of operational requirements.

Operating procedures require the reactor operator to compare the demand and indicated (actual) readings from the rod position indication system so as to verify operation of the rod control system.

7.7.1.3.3 Control Bank Rod Insertion Monitoring

When the reactor is critical, the normal indication of reactivity status in the core is the position of the control bank in relation to reactor power (as indicated by the reactor coolant system loop ΔT) and coolant average temperature. These parameters are used to calculate insertion limits for the control banks. Two alarms are provided for each control bank.

1. The low alarm alerts the operator of an approach to the rod insertion limits requiring boron addition by following normal procedures with the chemical and volume control system.
2. The low-low alarm alerts the operator to take immediate action to add boron to the reactor coolant system by any one of several alternate methods.

The purpose of the control bank rod insertion monitor is to give warning to the operator of excessive rod insertion. The insertion limit maintains sufficient core reactivity shutdown margin following reactor trip and provides a limit on the maximum inserted rod worth in the unlikely event of a hypothetical rod ejection, and limits rod insertion such that acceptable nuclear peaking factors are maintained. Since the amount of shutdown reactivity required for the design shutdown margin following a reactor trip increases with increasing power, the allowable rod insertion limits must be decreased (the rods must be withdrawn further) with increasing power. Two parameters which are proportional to power are used as inputs to the insertion monitor. These are the ΔT between the hot leg and the cold leg, which is a direct function of reactor power, and Tavg, which is programmed as a function of power. The rod insertion monitor uses parameters for each control bank as follows:

ZLL = A(ΔT)auct + B(Tavg)auct + C (7.7-2)

where:

ZLL = Maximum permissible insertion limit for a control bank

(Tavg)auct = Highest Tavg of all loops

A, B, C = Constants chosen to maintain ZLL ≥ actual limit based on physics calculations

The control rod bank demand position (Z) is compared to ZLL as follows:

If Z - ZLL ≤ D, a low alarm is actuated

If Z - ZLL ≤ E, a low-low alarm is actuated

Since the highest values of Tavg and ΔT are chosen by auctioneering, a conservatively high representation of power is used in the insertion limit calculation.

ZLL has an adjustable upper limit on insertion which is set to a value low enough to prevent nuisance alarms. When ZLL for a given control rod bank is limited, the low and low-low alarms will also be limited, possibly to a value below the insertion limit. However, ZLL is set high enough that the lead control bank and alarm will never be limited.

Actuation of the low alarm alerts the operator of an approach to a reduced shutdown reactivity situation. Administrative procedures require the operator to add boron through the chemical and volume control system. Actuation of the low-low alarm requires the operator to initiate boration procedures as required by Technical Specifications. The value for E is chosen such that the low-low alarm would normally (if not limited) be actuated before the insertion limit is reached.

The value for D is chosen to allow the operator to start boration procedures early, prior to reaching the E limit. Figure 7.7-2 shows a block diagram representation of the control rod bank insertion monitor. The monitor is shown in more detail on the functional diagrams shown on Figure 7.2-1, Sheet 9. In addition to the rod insertion monitor for the control banks, the plant computer, which monitors individual rod positions, provides an alarm that is associated with the rod deviation alarm discussed in Section 7.7.1.3.4. This warns the operator if any shutdown rod cluster control assembly leaves the fully withdrawn position.
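The insertion monitor of Equation 7.7-2 and its D and E alarm comparisons, worked as an added example that is not the plant's monitor or code from the FSAR: the coefficients A, B and C, the alarm setpoints D and E, the adjustable upper limit and the four-loop temperature data are constructed values chosen only so that the arithmetic is easy to follow.

```python
# Added example of the control bank rod insertion monitor logic of Equation 7.7-2
# (not plant code).  The coefficients A, B, C, the alarm setpoints D and E, the
# adjustable upper limit and the loop temperatures are constructed values.

from dataclasses import dataclass


@dataclass(frozen=True)
class InsertionMonitorConstants:
    bank: str
    a: float          # steps per degF of loop delta-T (constructed)
    b: float          # steps per degF of Tavg (constructed)
    c: float          # offset in steps (constructed)
    upper_limit: int  # adjustable upper limit on ZLL, set to avoid nuisance alarms
    d: int            # low alarm setpoint, steps above ZLL
    e: int            # low-low alarm setpoint, steps above ZLL (e < d)


def auctioneer(loop_values):
    """Auctioneered value: the highest of all loops, a conservatively high power indication."""
    return max(loop_values)


def insertion_limit(k, delta_t_loops, tavg_loops):
    """ZLL = A(dT)auct + B(Tavg)auct + C, limited to the adjustable upper limit."""
    zll = k.a * auctioneer(delta_t_loops) + k.b * auctioneer(tavg_loops) + k.c
    return min(zll, k.upper_limit)


def evaluate_bank(k, demand_z, delta_t_loops, tavg_loops):
    """Compare the bank demand position Z with ZLL and return the alarm states.

    Z - ZLL <= D actuates the low alarm (borate per normal procedure);
    Z - ZLL <= E actuates the low-low alarm (borate per Technical Specifications).
    """
    zll = insertion_limit(k, delta_t_loops, tavg_loops)
    margin = demand_z - zll
    return {
        "bank": k.bank,
        "zll": zll,
        "margin_steps": margin,
        "low": margin <= k.d,
        "low_low": margin <= k.e,
        "limited": zll == k.upper_limit,   # ZLL clamped: alarms may sit below the real limit
    }


# Constructed sample: four-loop data near full power, bank D with D = 20 and E = 10 steps.
BANK_D = InsertionMonitorConstants("D", a=1.5, b=3.0, c=-1680.0, upper_limit=200, d=20, e=10)
SAMPLE_DELTA_T = (58.0, 60.0, 59.5, 59.0)      # degF per loop, constructed
SAMPLE_TAVG = (586.0, 587.0, 586.5, 586.0)     # degF per loop, constructed

if __name__ == "__main__":
    for z in (220, 185, 178):
        print(evaluate_bank(BANK_D, z, SAMPLE_DELTA_T, SAMPLE_TAVG))
```

With the sample data the auctioneered inputs are 60.0 degF and 587.0 degF, giving ZLL = 171 steps; a demand of 185 steps trips only the low alarm, 178 steps trips both, and 220 steps trips neither. Lowering the upper limit to 160 steps shows the "limited" case from the text: ZLL is clamped and the same 185-step demand no longer alarms.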

The insertion limits are established by:

1. Establishing the allowed rod reactivity insertion at full power consistent with the purposes given above
2. Establishing the differential reactivity worth of the control rods when moved in normal sequence
3. Establishing the change in reactivity with power level by relating power level to rod position
4. Linearizing the resultant limit curve; all key nuclear parameters in this procedure are measured as part of the initial and periodic physics testing program

...the reactivity status of the reactor. In addition, samples are taken periodically of coolant boron concentration. Variations in concentration during core life provide an additional check on the reactivity status of the reactor, including core depletion.

7.7.1.3.4 Rod Deviation Alarm

The rod deviation function is performed as part of the digital rod position indication system where an alarm is generated if a preset limit is exceeded as a result of a comparison of any control rod against the other rods in a bank. The deviation alarm of a shutdown rod is based on a preset insertion limit being exceeded.

The demanded and measured rod position signals are also monitored by the plant computer which provides a visual printout and an audible alarm whenever an individual rod position signal deviates from the other rods in the bank or from the demand position by a preset limit. The alarm is set with appropriate allowance for instrument error and within sufficiently narrow limits to preclude exceeding core design hot channel factors.

Figure 7.7-3 is a block diagram of the rod deviation comparator and alarm system implemented in the plant computer. Additionally, the DRPI system contains rod deviation circuitry that detects and alarms the following conditions:

1. When any 2 rods within the same control bank are misaligned by a preset distance (12 steps), or

2. When any shutdown rod is below the full-out position by a preset distance (18 steps)

7.7.1.3.5 Rod Bottom Alarm

The rod bottom signal for the full length rods in the digital rod position system is used to operate control relays, which generate the rod bottom alarms.
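The deviation conditions of Section 7.7.1.3.4 and the rod bottom signal of Section 7.7.1.3.5, worked together as an added example that is not the DRPI circuitry or the plant computer program: the rod names and positions are constructed, the 228-step full-out position is taken from the DRPI description above, the plant computer's rod-to-demand limit is assumed equal to the 12-step bank limit, and the DRPI comparisons are assumed to be inclusive (12 steps or more).

```python
# Added example of the rod deviation and rod bottom checks described in the text
# (not the DRPI or plant computer implementation).  Rod names, positions and the
# demand-comparison limit are constructed/assumed.

from itertools import combinations

FULL_OUT = 228                 # steps, fully withdrawn (from the DRPI description)
ROD_BOTTOM = 0                 # steps
BANK_DEVIATION_STEPS = 12      # DRPI control bank rod-to-rod misalignment limit (text)
SHUTDOWN_ROD_STEPS = 18        # DRPI shutdown rod below full-out limit (text)
DEMAND_DEVIATION_STEPS = 12    # plant computer rod-to-demand limit (assumed equal to bank limit)


def control_bank_misalignment(positions):
    """DRPI check: any two rods in the same control bank misaligned by the preset distance.

    Returns (rod_a, rod_b, steps) for every offending pair; inclusive comparison assumed.
    """
    return [(a, b, abs(pa - pb))
            for (a, pa), (b, pb) in combinations(sorted(positions.items()), 2)
            if abs(pa - pb) >= BANK_DEVIATION_STEPS]


def shutdown_rods_below_full_out(positions):
    """DRPI check: shutdown rods at least the preset distance below the full-out position."""
    return [rod for rod, p in sorted(positions.items()) if FULL_OUT - p >= SHUTDOWN_ROD_STEPS]


def rods_deviating_from_demand(positions, demand, limit=DEMAND_DEVIATION_STEPS):
    """Plant computer check: rods more than `limit` steps from the bank demand position."""
    return [rod for rod, p in sorted(positions.items()) if abs(p - demand) > limit]


def rod_bottom(positions):
    """Rod bottom signal: rods indicated at the bottom of travel."""
    return [rod for rod, p in sorted(positions.items()) if p <= ROD_BOTTOM]


def deviation_alarm(control_banks, shutdown_banks, demands):
    """Combine the checks into one record for the annunciator and computer printout."""
    report = {"alarm": False, "bank_misalignment": {}, "demand_deviation": {},
              "shutdown_rods": [], "rod_bottom": []}
    for bank, pos in control_banks.items():
        pairs = control_bank_misalignment(pos)
        if pairs:
            report["bank_misalignment"][bank] = pairs
        deviating = rods_deviating_from_demand(pos, demands[bank])
        if deviating:
            report["demand_deviation"][bank] = deviating
        report["rod_bottom"].extend(rod_bottom(pos))
    for pos in shutdown_banks.values():
        report["shutdown_rods"].extend(shutdown_rods_below_full_out(pos))
    report["alarm"] = any((report["bank_misalignment"], report["demand_deviation"],
                           report["shutdown_rods"]))
    return report


# Constructed sample positions (steps): one control bank rod lagging, one shutdown rod low.
CONTROL_BANKS = {"D": {"D1": 150, "D2": 152, "D3": 137, "D4": 151}}
SHUTDOWN_BANKS = {"SA": {"SA1": 228, "SA2": 226, "SA3": 208}}
DEMANDS = {"D": 150}

if __name__ == "__main__":
    print(deviation_alarm(CONTROL_BANKS, SHUTDOWN_BANKS, DEMANDS))
```

In the sample, rod D3 is 13 steps below its bank and demand, so both the DRPI rod-to-rod comparison and the plant computer's comparison against demand flag it, while shutdown rod SA3 (20 steps below full out) is caught only by the shutdown rod check.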

7.7.1.4 Plant Control System Interlocks

A listing of the plant control system interlocks, along with the description of their derivations and functions, is presented in Table 7.7-1. It is noted that the designation numbers for these interlocks are preceded by C. The development of these logic functions is shown in the functional diagrams (Figure 7.2-1, Sheets 4, 5, 7, 9, 10 and 16).

7.7.1.4.1 Rod Stops

Rod stops are provided to prevent abnormal power conditions which could result from excessive control rod withdrawal initiated by operator violation of administrative procedures.


...derived from overtemperature ΔT, and the C4 rod stop, derived from overpower ΔT, are also used for turbine runback, which is discussed below.

7.7.1.4.2 Automatic Turbine Load Runback

Automatic turbine load runback is initiated by an approach to an overpower or overtemperature condition. This will prevent high power operation that might lead to an undesirable condition, which, if reached, will be protected by reactor trip.

Turbine load reference reduction is initiated by either an overtemperature or overpower ΔT signal.

Two out of four coincidence logic is used.

Rod stop and turbine runback are initiated when

ΔT > ΔT rod stop (7.7-3)

for both the overtemperature and the overpower condition. For either condition, in general

ΔT rod stop = ΔT setpoint - BP (7.7-4)

where:

BP = a setpoint bias

where ΔT setpoint refers to the overtemperature ΔT reactor trip value and the overpower ΔT reactor trip value for the two conditions. The turbine runback is continued until ΔT is equal to or less than ΔT rod stop. This function maintains an essentially constant margin to trip.
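Equations 7.7-3 and 7.7-4 together with the two-out-of-four coincidence, worked as an added example that is not the plant's runback circuitry or code from the FSAR: the trip setpoints, the bias BP, the per-channel ΔT-versus-load gains and the 2 percent per cycle runback rate are constructed values, and the proportional ΔT model is an illustration only.

```python
# Added example of the delta-T rod stop / turbine runback logic of Equations 7.7-3
# and 7.7-4 with two-out-of-four coincidence (not plant code).  Trip setpoints,
# bias, channel gains and the runback rate are constructed values.


def rod_stop_setpoint(trip_setpoint, bias):
    """Equation 7.7-4: delta-T rod stop = delta-T trip setpoint - BP."""
    return trip_setpoint - bias


def channel_flags(channel_delta_t, setpoint):
    """Equation 7.7-3 per channel: True where delta-T exceeds the rod stop value."""
    return [dt > setpoint for dt in channel_delta_t]


def two_out_of_four(flags):
    """Coincidence logic: at least two of the four channels must agree."""
    if len(flags) != 4:
        raise ValueError("expected four protection channels")
    return sum(flags) >= 2


def rod_stop_demand(channel_delta_t, ot_trip, op_trip, bias):
    """Return (rod_stop, overtemperature, overpower) for the current channel values."""
    ot = two_out_of_four(channel_flags(channel_delta_t, rod_stop_setpoint(ot_trip, bias)))
    op = two_out_of_four(channel_flags(channel_delta_t, rod_stop_setpoint(op_trip, bias)))
    return ot or op, ot, op


def simulate_runback(load_pct, gains, ot_trip, op_trip, bias, rate_pct=2, max_cycles=100):
    """Reduce the turbine load reference until delta-T is at or below the rod stop value.

    Each channel's delta-T is modelled as gains[i] * load / 100, a constructed
    proportional model of delta-T versus power.  Returns (final_load, cycles).
    """
    for cycle in range(max_cycles):
        delta_t = [g * load_pct / 100 for g in gains]
        if not rod_stop_demand(delta_t, ot_trip, op_trip, bias)[0]:
            return load_pct, cycle
        load_pct -= rate_pct
    raise RuntimeError("runback did not clear within max_cycles")


# Constructed sample: four channels with slightly different calibrations.
SAMPLE_GAINS = (60, 61, 59, 62)   # delta-T (degF) indicated at 100 percent load, per channel
OT_TRIP, OP_TRIP, BIAS = 62.0, 66.0, 3.0

if __name__ == "__main__":
    print(simulate_runback(100, SAMPLE_GAINS, OT_TRIP, OP_TRIP, BIAS))
```

With these values the overtemperature rod stop is 59 degF; at 100 percent load three channels exceed it, at 98 percent two still do (coincidence holds), and at 96 percent only one does, so the runback stops there with the margin to trip restored.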

7.7.1.4.3 Turbine Loading Stop

An interlock (C-16) is provided to limit turbine loading during a rapid return to power transient when a reduction in reactor coolant temperature is used to increase reactor power (through the negative moderator coefficient). This interlock limits the drop in coolant temperature within cooldown accident limits and preserves satisfactory steam generator operating conditions.

Subsequent manual turbine loading can begin after the interlock has been cleared by an increase in coolant temperature, which is accomplished by reducing the boron concentration in the coolant.

7.7.1.5 Pressurizer Pressure Control

The reactor coolant system pressure is controlled by using either the heaters (in the water region) or the spray (in the steam region) of the pressurizer. The electrical immersion heaters are located near the bottom of the pressurizer. A portion of the heater group is proportionally controlled to correct small pressure variations. These variations are due to heat losses, including those due to a

The spray nozzles are located on the top of the pressurizer. Spray is initiated when the pressure controller spray demand signal is above a given setpoint. The spray rate increases proportionally with increasing spray demand signal until it reaches a maximum value.

Steam condensed by the spray reduces the pressurizer pressure. A small continuous spray is normally maintained to reduce thermal stresses and thermal shock and to help maintain uniform water chemistry and temperature in the pressurizer.

Spray flow may be increased by energizing one or more backup heaters. This may be done to improve chemical mixing between the RCS loop and the pressurizer, or it may be done to force additional outflow from the pressurizer through the surge line to reduce the risk of thermal shock to the surge line nozzle during unexpected transients. Energizing the backup heaters can shift pressure control from the proportionally controlled heaters to the spray.

Note that power-operated relief valves limit system pressure for large positive pressure transients.

In the event of a large load reduction, not exceeding the design plant load rejection capability, the pressurizer power operated relief valves might be actuated for the most adverse conditions, e.g., the most negative Doppler coefficient and the maximum incremental rod worth. The relief capacity of the power operated relief valves is sized large enough to limit the system pressure to prevent actuation of high pressure reactor trip for the above condition. Power-operated relief valves are actuated by safety related circuitry and are, therefore, not part of the nonsafety related pressurizer pressure control system.

A block diagram of the pressurizer pressure control system is shown on Figure 7.7-4.

7.7.1.6 Pressurizer Water Level Control

The pressurizer operates by maintaining a steam cushion over the reactor coolant. As the density of the reactor coolant adjusts to the various temperatures, the steam water interface moves to absorb the variations with relatively small pressure disturbances.

The water inventory in the reactor coolant system is maintained by the chemical and volume control system. During normal plant operation, the charging flow varies to produce the flow demanded by the pressurizer water level controller. The pressurizer water level is programmed as a function of coolant average temperature, with the highest average temperature (auctioneered) being used. The pressurizer water level decreases as the load is reduced from full load. This is a result of coolant contraction following programmed coolant temperature reduction from full power to low power. The programmed level is designed to match the level changes resulting from the coolant temperature changes as nearly as possible.

To control pressurizer water level during startup and shutdown operations, the charging flow is manually regulated from the main control room. The letdown line isolation valves are closed on low pressurizer level.


7.7.1.7 Steam Generator Water Level Control

Each steam generator is equipped with a three-element feedwater flow controller which maintains a programmed water level which is a function of turbine load. The three-element feedwater controller regulates the feedwater valve by continuously comparing the feedwater flow signal, the water level signal, the programmed level and the pressure compensated steam flow signal. The feedwater pump speed is varied to maintain a programmed pressure differential between the steam header and the feed pump discharge header. The speed controller continuously compares the actual ΔP with a programmed ΔP ref which is a linear function of steam flow. Continued delivery of feedwater to the steam generators is required as a sink for the heat stored and generated in the reactor following a reactor trip and turbine trip. A feedwater isolation signal closes all feedwater valves when the average coolant temperature is below a given temperature and the reactor has tripped. Manual override of the feedwater control system is available at all times.

When the nuclear plant is operating at very low power levels (as during startup), the steam and feedwater flow signals will not be usable for control. Therefore, a secondary automatic control system is provided for operation at low power. This system uses the steam generator water level and nuclear power signals in a feed forward control scheme to position a bypass valve which is in parallel with the main feedwater regulating valve. Switchover from the bypass feedwater control system (low power) to the main feedwater control system is initiated by the operator at approximately 25 percent power.

Block diagrams of the steam generator water level control system and the main feedwater pump speed control system are shown on Figures 7.7-6 and 7.7-7.

7.7.1.8 Steam Dump Control

The steam dump system, in conjunction with the rod control system, is designed to accept a 50 percent loss of net load without tripping the reactor (Section 10.4.4).

The automatic steam dump system is able to accommodate this abnormal load rejection and to reduce the effects of the transient imposed upon the reactor coolant system. By bypassing main steam directly to the condenser and/or the atmosphere, an artificial load is thereby maintained on the primary system. The rod control system can then reduce the reactor temperature to a new equilibrium value without causing overtemperature and/or overpressure conditions. The steam dump steam flow capacity is 28.2 to 35.1 percent of full load steam flow at full load steam pressure.

If the difference between the reference Tavg (Tref), based on turbine impulse chamber pressure, and the lead/lag compensated auctioneered Tavg exceeds a predetermined amount, and the interlock mentioned below is satisfied, a demand signal will actuate the steam dump to maintain the reactor coolant system temperature within the control range until a new equilibrium condition is reached.


...the turbine impulse chamber pressure. It is provided to unblock the dump valves when the rate of load rejection exceeds a preset value corresponding to a 10 percent step load decrease or a sustained ramp load decrease of 5 percent/minute.

A block diagram of the steam dump control system is shown on Figure 7.7-8.

7.7.1.8.1 Load Rejection Steam Dump Controller

This circuit prevents large increases in reactor coolant temperature following a large, sudden load decrease. The error signal is the difference between the lead/lag compensated auctioneered Tavg and the reference Tavg, which is based on turbine impulse chamber pressure.

The Tavg signal is the same as that used in the reactor coolant system. The lead/lag compensation on the Tavg signal is to compensate for lags in the plant thermal response and in valve positioning.

Following a sudden load decrease, Tref is immediately decreased and Tavg tends to increase, thus generating an immediate demand signal for steam dump. Since control rods are available in this situation, steam dump terminates as the error comes within the maneuvering capability of the control rods.
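The load rejection demand path described in Section 7.7.1.8 and this subsection (Tref from impulse chamber pressure, lead/lag compensated auctioneered Tavg, the unblocking interlock, and a demand limited to dump capacity), worked as an added example that is not the plant's controller or code from the FSAR: the Tavg program endpoints, the lead/lag time constants, the deadband and gain, and the sample transient are constructed; the dump capacity uses the upper figure quoted in the text; the interlock thresholds are the 10 percent step and 5 percent/minute ramp from the text.

```python
# Added example of the load rejection steam dump demand logic (not the plant's
# controller).  Assumed/constructed: the Tavg program endpoints, the lead/lag
# time constants, the deadband, gain and dump capacity, and the sample transient.


class LeadLag:
    """Discrete (1 + tau_lead*s) / (1 + tau_lag*s) compensator, backward-Euler form.

    With tau_lead > tau_lag the output leads a rising input, which is what the
    text describes: compensation for plant thermal and valve-positioning lags.
    """

    def __init__(self, tau_lead, tau_lag, dt, initial=0.0):
        self.tau_lead, self.tau_lag, self.dt = tau_lead, tau_lag, dt
        self.x_prev = self.y_prev = initial

    def update(self, x):
        num = self.dt * x + self.tau_lead * (x - self.x_prev) + self.tau_lag * self.y_prev
        y = num / (self.dt + self.tau_lag)
        self.x_prev, self.y_prev = x, y
        return y


T_NO_LOAD, T_FULL_LOAD = 557.0, 587.0    # degF, constructed Tavg program endpoints


def tref_from_impulse_pressure(impulse_pct):
    """Reference Tavg (Tref) as a linear function of turbine impulse chamber pressure."""
    return T_NO_LOAD + (T_FULL_LOAD - T_NO_LOAD) * impulse_pct / 100.0


def load_rejection_armed(loads_pct, dt_s, step_pct=10.0, ramp_pct_per_min=5.0):
    """Unblocking interlock: a 10 percent step or a sustained 5 percent/minute ramp decrease."""
    if len(loads_pct) < 2:
        return False
    step = loads_pct[-2] - loads_pct[-1]
    span_min = (len(loads_pct) - 1) * dt_s / 60.0
    ramp = (loads_pct[0] - loads_pct[-1]) / span_min
    return step >= step_pct or ramp >= ramp_pct_per_min


def dump_demand(tavg_comp, tref, deadband=3.0, gain=8.0, capacity_pct=35.1):
    """Proportional dump demand above a deadband, limited to the dump capacity.

    Returns (demand in percent of full-load steam flow, error in degF).
    """
    error = tavg_comp - tref
    if error <= deadband:
        return 0.0, error
    return min(capacity_pct, gain * (error - deadband)), error


def run_load_rejection(loads_pct, tavg_meas, dt_s, tau_lead=30.0, tau_lag=5.0):
    """Step the controller through a transient; returns one record per sample."""
    comp = LeadLag(tau_lead, tau_lag, dt_s, initial=tavg_meas[0])
    records = []
    for i, (load, tavg) in enumerate(zip(loads_pct, tavg_meas)):
        tavg_comp = comp.update(tavg)          # lead/lag compensated auctioneered Tavg
        tref = tref_from_impulse_pressure(load)
        armed = load_rejection_armed(loads_pct[: i + 1], dt_s)
        demand, error = dump_demand(tavg_comp, tref) if armed else (0.0, tavg_comp - tref)
        records.append({"load_pct": load, "tref": tref, "tavg_comp": tavg_comp,
                        "error": error, "armed": armed, "demand_pct": demand})
    return records


# Constructed transient: 50 percent load rejection at the third sample, 6 s sampling.
SAMPLE_LOADS = (100, 100, 50, 50, 50)
SAMPLE_TAVG = (587.0, 587.0, 589.0, 588.0, 585.0)

if __name__ == "__main__":
    for rec in run_load_rejection(SAMPLE_LOADS, SAMPLE_TAVG, 6):
        print(rec)
```

At the load step Tref drops immediately from 587 to 572 degF while the compensated Tavg rises (the lead term amplifies the 2 degF measured rise), so the error jumps well past the deadband and the demand saturates at the dump capacity; in the earlier samples the interlock is not satisfied and the demand is held at zero.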

7.7.1.8.2 Plant Trip Steam Dump Controller

Following a reactor trip, the load rejection steam dump controller is defeated and the plant trip steam dump controller becomes active. Since control rods are not available in this situation, the demand signal is the error signal between the lead/lag compensated auctioneered Tavg and the reference Tavg. When the error signal exceeds a predetermined setpoint, the dump valves are tripped open in a prescribed sequence. As the error signal reduces in magnitude, indicating that the reactor coolant system Tavg is being reduced toward the reference no-load value, the dump valves are modulated by the plant trip controller to regulate the rate of removal of decay heat and thus gradually establish the equilibrium hot shutdown condition.

7.7.1.8.3 Steam Header Pressure Controller

Residual heat removal is maintained by the steam generator pressure controller (manually selected) which controls the amount of steam flow to the condensers. This controller operates a portion of the same steam dump valves to the condensers which are used during the initial transient following turbine reactor trip on load rejection.

7.7.1.9 Incore Instrumentation

The incore instrumentation system consists of chromel-alumel thermocouples at fixed core outlet positions and movable miniature neutron detectors which can be positioned to scan selected fuel assemblies, anywhere along the length of the fuel assembly vertical axis. The basic system for insertion of these detectors is shown on Figure 7.7-9.


Chromel-alumel Type K thermocouples are inserted into guide tubes that penetrate the reactor vessel head through seal assemblies, and terminate at the exit flow end of the fuel assemblies. The thermocouples are provided with two primary seals, a grayloc coupling and swage type seal from conduit to head. Thermocouple readings are monitored by the process computer and the adequate core cooling monitoring system, which is described in Section 4.4.6.5.

7.7.1.9.2 Movable Neutron Flux Detector Drive System

Miniature fission chamber detectors can be remotely positioned in retractable guide thimbles to provide flux mapping of the core. The stainless steel detector shell is welded to the leading end of a helical wrap drive cable and to stainless steel sheathed coaxial cable. The retractable thimbles, into which the miniature detectors are driven, are pushed into the reactor core through conduits which extend from the bottom of the reactor vessel down through the concrete shield area and then up to a thimble seal table. Their distribution over the core is nearly uniform with about the same number of thimbles located in each quadrant.

The thimbles are closed at the leading ends, are dry inside, and serve as the pressure barrier between the reactor water pressure and the atmosphere. Mechanical seals between the retractable thimbles and the conduits are provided at the seal table. During reactor operation, the retractable thimbles are stationary. They are extracted downward from the core during refueling to avoid interference within the core. A space above the seal table is provided for the retraction operation.

The drive system for the insertion of the miniature detectors consists basically of drive assemblies, six path transfer assemblies, and fifteen path transfer assemblies, as shown on Figure 7.7-9. The drive system pushes hollow helical wrap drive cables into the core with the miniature detectors attached to the leading ends of the cables and small diameter sheathed coaxial cables threaded through the hollow centers back to the ends of the drive cables. Each drive assembly consists of a motor which pushes a helical wrap drive cable and a detector through a selected thimble path by means of a special drive box, and includes a storage reel for the total drive cable length.

Each flux thimble is equipped with a passive magnetic ball check valve. These valves are installed in the non-QA position of the detector drive system between the fifteen path transfer assembly and the high pressure seal. These valves are free to open to allow passage of the incore fission chambers during a flux map. However, in the event of a throughwall leak in the flux thimble, RCS pressure will hold the check valve closed, thereby isolating the leak without the need for a containment entry. Flux thimble plugs are also provided for isolating a thimble in the event that nondestructive examination of the thimbles during a refueling reveals excessive wear. The detector/drive cable will have to be retracted above the seal table prior to installing any plugs.

7.7.1.9.3 Control and Readout Description

The control and readout system provides means for inserting the miniature neutron detectors into the reactor core and withdrawing the detectors while providing information on neutron flux

...device provide feedback of path selection operation. Each gear box drives an encoder for position feedback. One six path operation selector is provided for each drive unit to insert the detector in one of six functional modes of operation. A fifteen path transfer assembly is the transfer device which will be used to route a detector into any one of up to fifteen selectable paths. Access to a common path is provided to permit cross calibration of the detectors.

The control room contains the necessary equipment for control, position indication, and flux recording for each detector. Additionally, drive motor controls, core path selection, and system status displays are provided.

A flux-mapping consists briefly of selecting flux thimbles in given fuel assemblies at various core quadrant locations. The detectors are driven to the top of the core and stopped automatically.

Flux level, as a function of detector position, is to be obtained during the slow withdrawal of the detectors through the core from top to a point below the bottom. In a similar manner other core locations can be selected and plotted. Each detector provides axial flux distribution data along the center of a fuel assembly. Data from detectors in various radial positions are then combined to obtain a flux map of the core.

The thimbles are distributed nearly uniformly over the core with approximately the same number of thimbles in each quadrant. The number and location of these thimbles have been chosen to permit measurement of local to average peaking factors to an accuracy of 5 percent (95 percent confidence). Measured nuclear peaking factors will be increased by 5 percent to allow for this accuracy. If the measured power peaking is larger than acceptable, reduced power capability will be indicated.

Operating plant experience has demonstrated the adequacy of the In-Core Instrumentation in meeting the design bases stated.

7.7.2 ANALYSIS

The plant control systems are designed to assure high reliability in any anticipated operational occurrences. Equipment used in these systems is designed and constructed with a high level of reliability.

Proper positioning of the control rods is monitored in the control room by bank arrangements of the individual position columns for each rod cluster control assembly. A rod deviation alarm alerts the operator of a deviation of one rod cluster control assembly from the other rods in that bank or from the bank demand position. There are also insertion limit monitors with visual and audible annunciation. A rod bottom alarm signal is provided to the control room for each full length rod cluster control assembly. Four excore long ion chambers also detect asymmetrical flux distribution indicative of rod misalignment.

Overall reactivity control is achieved by the combination of soluble boron and rod cluster control assemblies. Long term regulation of core reactivity is accomplished by adjusting the

...assemblies for load reductions, and manual operator action for load increases. This system uses input signals including neutron flux, coolant temperature, and turbine load.

The axial core power distribution is controlled by moving the control rods through changes in reactor coolant system boron concentration. Adding boron requires the rods to be moved out, thereby reducing the amount of power in the bottom of the core and allowing power to redistribute toward the top of the core. Reducing the boron concentration causes the rods to move into the core, thereby reducing the power in the top of the core; the result redistributes power towards the bottom of the core.

The transient analysis performed for the plant control systems shows that they will prevent an undesirable condition in the operation of the plant that, if reached, will be protected by reactor trip (see Section 7.7.2.7). The description and analysis of the reactor trip protection is covered in Section 7.7.2.7. Worst case failure modes of the plant control systems are postulated in the analysis of off-design operational transients and accidents covered in Chapter 15, such as the following:

1. Uncontrolled rod cluster control assembly bank withdrawal from a subcritical or low power startup condition
2. Uncontrolled rod cluster control assembly bank withdrawal at power
3. Rod cluster control assembly misalignment
4. Loss of external electrical load and/or turbine trip
5. Loss of non-emergency AC power to the station auxiliaries
6. Excessive heat removal due to feedwater system malfunctions
7. Excessive load increase incident
8. Accidental depressurization of the reactor coolant system

These analyses will show that a reactor trip setpoint is reached in time to protect the health and safety of the public under those postulated incidents and that the resulting coolant temperatures produce a DNBR which is not less than the safety analysis limits (see Section 4.4). Thus, there will be no cladding damage and no release of fission products to the reactor coolant system under the assumption of these postulated worst case failure modes of the plant control system.

7.7.2.1 Separation of Protection and Control System

In some cases, it is advantageous to employ control signals derived from individual protection channels through isolation amplifiers contained in the protection channel. As such, a failure in the

...C on the isolated output portion of the circuit (non-protection side of the circuit) will not affect the input (protection) side of the circuit.

Where a single random failure can cause a control system action that results in a generating station condition requiring protective action and can also prevent proper action of a protection system channel designed to protect against the condition, the remaining redundant protection channels are capable of providing the protective action even when degraded by a second random failure. This meets the applicable requirements of Section 4.7 of IEEE Standard 279-1971.

The pressurizer pressure channels needed to derive the control signals are electrically isolated from control.

7.7.2.2 Response Considerations of Reactivity

Reactor shutdown with control rods is completely independent of the control functions since the trip breakers interrupt power to the full length rod drive mechanisms regardless of existing control signals. The design is such that the system can withstand accidental withdrawal of control groups or unplanned dilution of soluble boron without exceeding acceptable fuel design limits. The design meets the requirements of the 1971 General Design Criteria 25.

No single electrical or mechanical failure in the rod control system can cause the accidental withdrawal of a single rod cluster control assembly from the partially inserted bank at full power operation. The operator can deliberately withdraw a single rod cluster control assembly in the control bank; this feature is necessary in order to retrieve a rod should one be accidentally dropped. In the event of withdrawal of a single rod cluster control assembly by operator action, whether deliberate or by a combination of errors, rod deviation will be displayed on the plant annunciator, and the individual rod position readouts will indicate the relative positions of the rods in the bank.

Each bank of control and shutdown rods in the system is divided into two groups (groups 1 and 2) of 4 to 5 mechanisms each. The rods comprising a group operate in parallel through multiplexing thyristors. The two groups in a bank move sequentially such that the first group is always within one step of the second group in the bank. The group 1 and group 2 power circuits are installed in different cabinets as shown on Figure 7.7-14, which also shows that one group is always within one step (5/8 inch) of the other group. A definite schedule of actuation or deactuation of the stationary gripper, moveable gripper, and lift coils of a mechanism is required to withdraw the rod cluster control assembly attached to the mechanism, as shown in Figure 7.7-15. Since the four stationary gripper, moveable gripper, and lift coils associated with the rod cluster control assemblies of these rod groups are driven in parallel, any single failure which could cause rod withdrawal would affect a minimum of one group of rod cluster control assemblies. Mechanical failures are in the direction of insertion, or immobility.


...partially inserted bank at full power operation.

Figure 7.7-15 shows the typical parallel connections on the lift, movable and stationary coils for a group of rods. Since single failures in the stationary or movable circuits will result in dropping or preventing rod (or rods) motion, the discussion of single failure will be addressed to the lift coil circuits. (1) Due to the method of wiring the gate firing transformers which fire the lift coil multiplex thyristors, three of the four thyristors in a rod group could remain turned off when required to fire if, for example, the 120 VAC supply failed open at point X1. Upon up demand, one rod in group 1 and 4 rods in group 2 would withdraw. A second failure at point X2 in the group 2 circuit is required to withdraw one rod cluster control assembly; (2) Timing circuit failures will affect the four mechanisms of a group or the eight mechanisms of the bank and will not cause a single rod withdrawal; (3) More than two simultaneous component failures are required (other than the open wire failures) to allow withdrawal of a single rod.

The identified multiple failure involving the least number of components consists of open circuit failure of the proper two out of sixteen wires connected to the gate of the lift coil thyristors. The probability of open wire (or terminal) failure is 0.016 x 10^-6 per hour by MIL-HDBK-217A. These wire failures would have to be accompanied by failure, or disregard, of the indications mentioned above. The probability of this occurrence is, therefore, too low to have any significance.

cerning the human element, to erroneously withdraw a single rod cluster control assembly, the rator would have to improperly set the bank selector switch, the lift coil disconnect switches, the in hold out switch. In addition, the three indications would have to be disregarded or fective. Such series of errors would require a complete lack of understanding and inistrative control. A probability number cannot be assigned to a series of errors such as e.

rod position indication system provides direct visual displays of each control rod assembly ition. The plant computer alarms for deviation of rods from their banks. In addition, a rod rtion limit monitor provides an audible and visual alarm to warn the operator of an approach n abnormal condition due to dilution. The low-low insertion limit alarm alerts the operator to ow borating procedures as required by Technical Specifications. The facility reactivity control ems are such that acceptable fuel damage limits will not be exceeded even in the event of a le malfunction of either system.

important feature of the control rod system is that insertion is provided by gravity fall of the s.

ll analyses involving reactor trip, the single, highest worth rod cluster control assembly is tulated to remain untripped in its full out position.

means of detecting a stuck control rod assembly is available from the actual rod position rmation displayed on the control board. The control board position readouts, one for each full 28/18 7.7-18 Rev. 31

iation of one rod with respect to other rods in a bank. This serves as a means to identify rod iation.

plant computer monitors the actual position of all rods with an accuracy of +/-4 steps. Should a be misaligned from the other rods in that bank by more than 12 steps, the rod deviation alarm ctuated. Due to rod position measurement uncertainties, the actual rod misalignment may be as e as 20 steps (12.5 inches) at the alarm setpoint.

aligned rod cluster control assemblies are also detected and alarmed in the control room by power range deviation circuits which are independent of the plant computer.

ated signals derived from the nuclear instrumentation system are compared with one another etermine if a preset amount of deviation of average power level has occurred. Should such a iation occur, the comparator output will operate a bistable unit to actuate a control board unciator. This alarm will alert the operator to a power imbalance caused by a misaligned rod.

use of individual rod position readouts, the operator can determine the deviating control rod take corrective action. The design of the plant control systems meets the requirements of the 1 General Design Criteria 23. Refer to Section 4.3 for additional information on response siderations due to reactivity.

7.7.2.3 Step Load Changes without Steam Dump

The plant control system restores equilibrium conditions, without a trip, following a plus or minus 10 percent step change in load demand, over the 15 to 100 percent power range for automatic control. Steam dump is blocked for a load decrease less than or equal to 10 percent. A load demand greater than full power is prohibited by the turbine control load limit devices.

The plant control system minimizes the reactor coolant average temperature deviation during the decrease transient within a given value and restores average temperature to the programmed setpoint. Excessive pressurizer pressure variations are prevented by using spray and heaters.

Automatic rod withdrawal has been disabled; therefore, manual operator action is required to respond to any increases in load.

7.7.2.4 Loading and Unloading

Ramp unloading of 5 percent per minute can be accepted over the 15 to 100 percent power range under automatic control without tripping the plant. Ramp loading is performed manually. Coolant average temperature is maintained as a function of turbine generator load.

The coolant average temperature increases during loading and causes a continuous insurge to the pressurizer as a result of coolant expansion. The sprays limit the resulting pressure increase.

Conversely, as the coolant average temperature is decreasing during unloading, there is a continuous outsurge from the pressurizer resulting from coolant contraction. The pressurizer ...

... transients. The primary concern during loading is to limit the overshoot in nuclear power and to provide sufficient margin in the overtemperature ΔT setpoint.

During rapid loading transients, a drop in reactor coolant temperature could be used to increase power. This mode of operation could be applied when the control rods are not inserted deep enough into the core to supply all the reactivity requirements of the rapid load increase (the boron control system is relatively ineffective for rapid power changes). The reduction in temperature would be initiated by continued turbine loading past the point where the control rods are completely withdrawn from the core. The temperature drop would be recovered and nominal conditions restored by a boron dilution operation.

Excessive drops in coolant temperature are prevented by interlock C-16. This interlock circuit monitors the auctioneered low coolant Tavg and the programmed reference temperature, which is a function of turbine impulse pressure, and causes a turbine loading stop when Tavg reaches the low Tavg or Tavg below Tref setpoints.

The core axial power distribution would be controlled during the reduced temperature return to power because the control rods will be in the manual mode. Normally, power distribution control is not required during a rapid power increase and the rods may proceed to the top of the core. The rod position is reestablished at the end of the transient by decreasing the coolant boron concentration.

7.7.2.5 Load Rejection Furnished by Steam Dump System

When a load rejection occurs, if the difference between the required temperature setpoint of the reactor coolant system and the actual average temperature exceeds a predetermined amount, a signal will actuate the steam dump to maintain the reactor coolant system temperature within the control range until a new equilibrium condition is reached.

The reactor power is reduced at a rate consistent with the capability of the rod control system.

Reduction of the reactor power is automatic. The steam dump flow reduction is as fast as rod cluster control assemblies are capable of inserting negative reactivity.

The rod control system can then reduce the reactor temperature to a new equilibrium value without causing overtemperature and/or overpressure conditions. The steam dump steam flow capacity is 28.2 to 35.1 percent of full load steam flow at full load steam pressure.

The steam dump flow reduces proportionally as the control rods act to reduce the average coolant temperature. The artificial load is, therefore, removed as the coolant average temperature is restored to its programmed equilibrium value.

... on the magnitude of the temperature error signal resulting from loss of load.

7.7.2.6 Turbine-Generator Trip With Reactor Trip

Whenever the turbine generator unit trips at an operating power level above 51 percent power, the reactor also trips. The unit is operated with a programmed average temperature as a function of load, with the full load average temperature significantly greater than the equivalent saturation pressure of the steam generator safety valve setpoint. The thermal capacity of the reactor coolant system is greater than that of the secondary system, and because the full load average temperature is greater than the no load temperature, a heat sink is required to remove heat stored in the reactor coolant to prevent actuation of steam generator safety valves for a trip from full power. This heat sink is provided by the combination of controlled release of steam to the condenser and by makeup of feedwater to the steam generators.

The steam dump system is controlled from the reactor coolant average temperature signal whose setpoint values are programmed as a function of turbine load. Actuation of the steam dump is rapid to prevent actuation of the steam generator safety valves. With the dump valves open, the average coolant temperature starts to reduce quickly to the no load setpoint. A direct feedback of temperature acts to proportionally close the valves to minimize the total amount of steam which is bypassed.

The feedwater flow is cut off following a reactor trip when the average coolant temperature decreases below a given temperature or when the steam generator water level reaches a given high level.

Additional feedwater makeup is then controlled manually to restore and maintain steam generator water level while assuring that the reactor coolant temperature is at the desired value. Residual heat removal is maintained by the steam header pressure controller (manually selected), which controls the amount of steam flow to the condensers. This controller operates a portion of the same steam dump valves to the condensers which are used during the initial transient following turbine and reactor trip.

The pressurizer pressure and level fall rapidly during the transient because of coolant contraction.

The pressurizer water level is programmed so that the level following the turbine and reactor trip is above the heaters. However, if the level at which the heaters become uncovered is approached following the trip, the heaters are cut out, letdown is isolated, and the chemical and volume control system will provide additional charging flow to restore water level in the pressurizer. Heaters are turned on to restore pressurizer pressure to normal.

The steam dump and feedwater control systems are designed to prevent the average coolant temperature from falling below the programmed no load temperature following the trip to ensure adequate reactivity shutdown margin.

The operational transients were analyzed using the NSSS control system settings and setpoints to demonstrate that adequate margin exists to relevant reactor trip and ESF actuation setpoints over the Tavg normal operating range of 581.5 °F to 589.5 °F.

The analyses were performed using the multi-loop version of the Westinghouse LOFTRAN computer code. This computer model simulates the overall thermal-hydraulic and nuclear response of the NSSS as well as various control and protection systems. This methodology has been reviewed and approved by the NRC (Reference 7.7-2).

The following inputs are applicable for the transients analyzed:

• All applicable NSSS control systems were assumed to be functioning as designed and operating in the automatic mode of control. The automatic withdrawal feature is disabled.

• To address the Tavg coastdown maneuver, the limiting transients were analyzed with the rods in manual control.

• The pressurizer pressure and steam dump control systems were credited in the analyses.

• The steam generator and pressurizer level control systems were not explicitly modeled and not specifically addressed in the analysis.

• In accordance with Westinghouse methodology, two percent conservatism was applied to the initial power level in the analysis. The other plant parameters (RCS Tavg, pressurizer pressure, pressurizer level and steam generator mass at the nominal water level) were assumed to be at the nominal full power values.

• Best estimate reactor kinetics parameters were modeled (rod worth, moderator temperature coefficient (MTC), Doppler power defect, etc.) for the normal operating transient conditions. Since beginning-of-cycle (BOC) core physics parameters have lower differential rod worth and a less negative MTC, modeling BOC core characteristics yields more conservative results that bound the full cycle of operation. To address the Tavg coastdown maneuver, the limiting transients were analyzed at EOC fuel reactivity conditions.

• The initial conditions for each of the transients were chosen to maximize the transient responses.

• The analysis took into account two out-of-service steam dump valves.

• The load rejection transient was modeled as a ramp load change at a maximum rate of 200 percent per minute.

The following operational transients were addressed:

• 10 percent step load increase

• 10 percent step load decrease

• 50 percent load rejection (i.e., 50 percent loss of net load at 200 percent per minute)

• Turbine trip without reactor trip from the P-9 setpoint

The results show the following:

• The plant control system restores equilibrium conditions, without a trip, following a +/-10 percent step change in load demand over the 15 to 100 percent power range for automatic control.

• Ramp loading and unloading of 5 percent per minute can be accepted over the 15 to 100 percent power range under automatic control without tripping the plant.

• The results of the 50 percent load rejection transient analysis with the revised steam dump setpoints demonstrated that no reactor trip or engineered safety features were challenged.

• The analysis was performed with two steam dump valves out of service. The control systems response was smooth during the transient with no excessive oscillatory responses.

• The turbine trip without reactor trip transient from the P-9 setpoint satisfies the criteria of NUREG-0737, Item II.K.3.10, and is acceptable for the SPU conditions.

7.7.3 REFERENCES FOR SECTION 7.7

7.7-1 WCAP-8255, 1974 (for background information only), Lipchak, J.B. and Stokes, R.A., Nuclear Instrumentation System.

7.7-2 WCAP-7907-A, April 1984, LOFTRAN Code Description.

7.7-3 NUREG-0737, Clarification of TMI Action Plan Requirements, Item II.K.3.10, Proposed Anticipatory Trip Modification, October 1980.

Designation | Derivation | Function
1 | 1-out-of-2 Neutron flux (intermediate range) above setpoint | Blocks manual control rod withdrawal.
2 | 1-out-of-4 Neutron flux (power range) above setpoint | Blocks manual control rod withdrawal.
3 | 2-out-of-4 Overtemperature ΔT above setpoint | Blocks manual control rod withdrawal. Blocks turbine load reference increase and initiates a turbine runback.
4 | 2-out-of-4 Overpower ΔT above setpoint | Blocks manual control rod withdrawal. Blocks turbine load reference increase and initiates a turbine runback.
7 | 1-out-of-1 Time derivative (absolute value) of turbine impulse chamber pressure (decrease only) above setpoint | Makes steam dump valves available for either tripping or modulation.
(designation not legible) | Reactor trip and bypass breakers open | Blocks steam dump control via the load rejection controller and makes the plant trip controller available for steam dump control. Makes steam dump valves available for either tripping or modulation.
9 | Any condenser pressure above setpoint or both circulating water pumps in a condenser section not running | Blocks steam dump to condenser.
11 | 1-out-of-1 Control Bank D position above setpoint | Alarms Control Bank D above limit.
16 | 1-out-of-1 Auctioneered low Tavg below setpoint or below Tref | Stops automatic turbine loading until condition clears.
20 • | 2-out-of-2 Turbine impulse chamber pressure above setpoint | Arms AMSAC; below setpoint, blocks AMSAC (generated in AMSAC; see Section 7.8).

• Not part of control system (control grade)

FIGURE 7.7-1 SIMPLIFIED BLOCK DIAGRAM OF REACTOR CONTROL SYSTEM

FIGURE 7.7-2 CONTROL BANK ROD INSERTION MONITOR

FIGURE 7.7-3 ROD DEVIATION COMPARATOR

FIGURE 7.7-4 BLOCK DIAGRAM OF PRESSURIZER PRESSURE CONTROL SYSTEM

FIGURE 7.7-5 BLOCK DIAGRAM OF PRESSURIZER LEVEL CONTROL SYSTEM

FIGURE 7.7-6 BLOCK DIAGRAM OF STEAM GENERATOR WATER LEVEL CONTROL SYSTEM

FIGURE 7.7-7 BLOCK DIAGRAM OF MAIN FEEDWATER PUMP SPEED CONTROL SYSTEM

FIGURE 7.7-8 BLOCK DIAGRAM OF STEAM DUMP CONTROL SYSTEM

FIGURE 7.7-9 BASIC FLUX-MAPPING SYSTEM

FIGURE 7.7-10 NOT USED

FIGURE 7.7-11 NOT USED

FIGURE 7.7-12 NOT USED

FIGURE 7.7-13 NOT USED

FIGURE 7.7-14 SIMPLIFIED BLOCK DIAGRAM OF ROD CONTROL SYSTEM

FIGURE 7.7-15 CONTROL BANK B PARTIAL SIMPLIFIED SCHEMATIC DIAGRAM OF POWER CABINETS 1 BD A

7.8.1 DESCRIPTION

7.8.1.1 System Description

The Anticipated Transient Without Scram (ATWS) Mitigation System Actuation Circuitry (AMSAC) provides a backup to the Reactor Trip System (RTS) and Engineered Safety Features Actuation System (ESFAS) for initiating turbine trip and auxiliary feedwater flow in the event of an anticipated transient; e.g., in the complete loss of main feedwater. The AMSAC is independent of and diverse from the RTS and the ESFAS with the exception of the final actuation devices, and is classified as control grade equipment. It is a highly reliable, microprocessor based, single-train system powered by a non-Class 1E source.

The AMSAC continuously monitors level in the steam generators (SG), which is an anticipatory indication of a loss of heat sink, and initiates certain functions when the level drops below a predetermined set point for at least a preselected time and for three of the four SG levels. These initiated functions are the tripping of the turbine, the initiation of auxiliary feedwater, and isolation of the SG blowdown and sample lines.

The AMSAC is designed to be highly reliable, resistant to inadvertent actuation, and easily maintained. Reliability is assured through the use of internal redundancy and continual self-testing by the system. Inadvertent actuations are minimized through the use of internal redundancy and majority voting at the output stage of the system. The time delay on low steam generator level and the coincidence logic used also minimize inadvertent actuations.

The AMSAC automatically performs its actuations when above a preselected power level, determined using turbine impulse chamber pressure, and remains armed sufficiently long after the pressure drops below the set point to ensure that its function will be performed in the event of a turbine trip.

7.8.1.2 Equipment Description

The AMSAC consists of a single train of equipment located in a seismically qualified cabinet.

The design of the AMSAC is based on the industry standard Intel Multibus format, which permits the use of various readily available, widely used microprocessor cards on a common data bus for various functions.

The AMSAC consists of the following:

1. Steam Generator Level Sensing

AMSAC utilizes the SG level signals as measured with four differential pressure type level transmitters, measuring the level of each of the main steam generators as ...
2. Turbine Impulse Pressure AMSAC also utilizes the turbine impulse pressure signal for measuring Turbine Power, as shown in Figure 7.2-1, Sheet 16. Turbine impulse pressure is measured at the high pressure turbine.
3. System Hardware The system hardware consists of two primary systems: the Actuation Logic System (ALS) and the Test/Maintenance System (T/MS).

Actuation Logic System The ALS monitors the analog and digital inputs, performs the functional logic required, provides actuation outputs to trip the turbine and initiate auxiliary feedwater flow, and provides status information to the T/MS.

The ALS consists of three groups of input/output (I/O) modules, three actuation logic processors (ALPs), two majority voting modules, and two output relay panels. The I/O modules provide signal conditioning, isolation, and test features for interfacing the ALS and T/MS. Conditioned signals are sent to three identical ALPs for analog-to-digital conversion, set point comparison, and coincidence logic performance. Each of the ALPs performs identical logic calculations using the same inputs and derives component actuation demands which are then sent to the majority voting modules. The majority voting modules perform a two-out-of-three vote on the ALP demand signals. These modules drive the relays providing outputs to the existing turbine trip and auxiliary feedwater initiation circuits. A simplified block diagram of the AMSAC ALS architecture is presented in Figure 7.8-1.

Test/Maintenance System The T/MS provides the AMSAC with automated and manual testing as well as a maintenance mode. Automated testing is the continuously performed self-checking done by the system during normal operation. ALS status is monitored by the T/MS and sent to the plant computer and the main control board.

Manual testing of the system by the Instrumentation and Controls (I&C) staff can be performed on line to provide assurance that the ALS system is fully operational.

The maintenance mode permits the I&C staff, under administrative control, to modify channel set points, channel status and timer values, and initiate channel calibration.

The T/MS consists of a test/maintenance processor, a digital-to-analog conversion board, a memory board, expansion boards, a self-health board, digital output modules, a test/maintenance panel, and a portable terminal/printer.


The output relay panels provide component actuation signals through isolation relays which then drive the final actuation circuitry as shown in Figure 7.2-1, Sheets 15 and 16, for initiation of auxiliary feedwater and for turbine trip.

7.8.1.3 Functional Performance Requirements

Analyses have shown that the two most limiting ATWS events are a loss of external electrical load and a loss of feedwater event, both without a reactor trip. AMSAC performs the mitigative actions of automatically initiating auxiliary feedwater, tripping the turbine, and isolating SG blowdown and sampling lines. These are initiated in order to ensure a secondary heat sink following an anticipated transient (ANS Condition II) without a reactor trip, in order to limit core damage following an anticipated transient without a reactor trip, and to ensure that the energy generated in the core is compatible with the design limits to protect the reactor coolant pressure boundary by maintaining the reactor coolant pressure to within ASME Stress Level C.

7.8.1.4 AMSAC Interlocks

A single interlock, designated as C-20, is provided to allow for the automatic arming and blocking of the AMSAC (see Figure 7.2-1, Sheet 16). The system is blocked at sufficiently low reactor power levels when the actions taken by the AMSAC following an ATWS need not be automatically initiated. Turbine impulse chamber pressure in a two-out-of-two logic scheme is used for this permissive. Turbine impulse chamber pressure above the set point will automatically defeat any block; i.e., will arm the AMSAC. Dropping below this set point will automatically block the AMSAC. Removal of the C-20 permissive is automatically delayed for a predetermined time. The operating status of the AMSAC is displayed on the main control board.

7.8.1.5 Trip System

The SG level and turbine impulse chamber pressure inputs are used by AMSAC to determine trip demand. Signal conditioning is performed on the transmitter output and used by each of the ALPs to derive a component actuation demand. If three of the four steam generators have a low level at a power level greater than the C-20 permissive, then a trip demand signal is generated. This signal drives output relays for performing the necessary mitigative actions.

7.8.1.6 Isolation Devices

AMSAC is independent of the RTS and ESFAS. The AMSAC inputs for measuring turbine impulse chamber pressure and narrow-range SG water level are derived from transmitters and channels within the process protection system. Connections to these channels are made downstream of Class 1E isolation devices which are located within the process protection cabinets. These isolation devices ensure that the existing protection system continues to meet all applicable safety criteria by providing isolation. Buffering of the AMSAC outputs from the safety related final actuation device circuits is achieved through qualified relays. A credible fault ...

7.8.1.7 AMSAC Diversity From the Reactor Protection Systems

Equipment diverse from the RTS and ESFAS (excluding sensors and isolation devices) is used in the AMSAC to prevent common mode failures that might affect the AMSAC and the RTS or ESFAS. The AMSAC is a digital, microprocessor based system with the exception of the analog SG level and turbine impulse pressure transmitter inputs. The RTS and ESFAS utilize analog and diverse digital-based protection system components. Where similar components are utilized for the same function in both AMSAC and the RTS and ESFAS, the components used in AMSAC are provided from a different manufacturer.

A common mode failure of identical components in the analog portion of the RTS that results in the inability to generate a reactor trip signal will not impact the ability of the digital AMSAC to generate the necessary mitigative actuations. Similarly, a postulated common mode failure affecting analog components in ESFAS, affecting its ability to initiate auxiliary feedwater, will not impact the ability of the digital based AMSAC to automatically initiate auxiliary feedwater.

7.8.1.8 Power Supply

The AMSAC power supply is a dedicated uninterruptible power supply (UPS) which is independent from the RTS power supplies and is backed by batteries which are independent from the existing batteries which supply the RTS.

7.8.1.9 Environmental Variations

AMSAC equipment is not designed as safety-related equipment; therefore, it is not required to be qualified as safety related equipment. The AMSAC equipment is located in a controlled environment such that variations in the ambient conditions are minimized. No AMSAC equipment is located inside containment. The SG level transmitters (located inside containment) and the turbine impulse chamber pressure transmitters (located inside the turbine building) supply the input into AMSAC and are qualified for the environment in which they are located.

7.8.1.10 Set Points

The AMSAC makes use of two set points in the coincidence logic in order to determine if mitigative functions are required. Water level in each SG is sensed to determine if a loss of secondary heat sink is imminent. The low level set point is selected in such a manner that a true lowering of the level will be detected by the system. The normal small variations in SG level will not result in a spurious AMSAC signal.

The C-20 permissive set point is selected in order to be consistent with ATWS investigations showing that the mitigative actions performed by the AMSAC need not be automatically actuated below a certain power level. The maximum allowable value of the C-20 permissive set point is defined by these investigations.

... (RTS) will provide the first trip signal.

To ensure that the AMSAC remains armed sufficiently long to permit its function in the event of a turbine trip, the C-20 permissive is maintained for a preset time delay after the turbine impulse chamber pressure drops below the set point.

The set points and the capability for their modification in the AMSAC are under administrative control.

2 ANALYSIS 2.1 Safety Classification/Safety Related Interface AMSAC is not safety related and therefore need not meet the requirements of IEEE -1971. The AMSAC has been implemented such that the RTS and the ESFAS continue to t all applicable safety-related criteria. The AMSAC is independent of the RTS and ESFAS.

isolation provided between the RTS and the AMSAC and between the ESFAS and the SAC by the isolator modules and the isolation relays ensures that the applicable safety-related eria are met for the RTS and the ESFAS.

2.2 Redundancy tem redundancy has not been provided. Since AMSAC is a backup nonsafety-related system he redundant RTS, redundancy is not required. To ensure high system reliability, portions of AMSAC have been implemented as internally redundant, such that a single failure of an input nnel or ALP will neither actuate nor prevent actuation of the AMSAC.

2.3 Diversity From the Existing Trip System erse equipment has been selected in order that common cause failures affecting both the RTS the AMSAC or both the ESFAS and the AMSAC will not render these systems inoperable ultaneously. A more detailed discussion of the diversity between the RTS and the AMSAC between the ESFAS and the AMSAC is presented in Section 7.8.1.

2.4 Electrical Independence AMSAC is electrically independent of the RTS and ESFAS from the process protection inet signal output (into AMSAC) up to the final actuation devices. Isolation devices are vided to isolate the nonsafety AMSAC circuitry from the safety related actuation circuits of auxiliary feedwater system as discussed in Section 7.8.1.6.

28/18 7.8-5 Rev. 31

SAC needs to be and is physically separated from the existing protection system hardware.

AMSAC outputs are provided from separate relay panels within the cabinets. The two trains separated within the AMSAC cabinet by a combination of metal barriers, conduit, and ance.

2.6 Environmental Qualification ipment related to the AMSAC is qualified to operate under conditions resulting from cipated operational occurrences for the respective equipment location. The AMSAC ipment, with the exception of the isolation devices, is not designated as safety related ipment and therefore is not required to be qualified as safety related per the requirements of E Standard 279-1971, IEEE Standard for Criteria for Protection Systems for Nuclear Power erating Stations.

2.7 Seismic Qualification required that only the isolation devices comply with seismic qualification. The AMSAC put isolation device is qualified in accordance with a program that was developed to lement the requirements of IEEE Standard 344-1975, IEEE Standard for Seismic lification of Class 1E Electrical Equipment for Nuclear Power Generating Stations.

2.8 Test, Maintenance, and Surveillance Quality Assurance C Generic Letter 85-06, Quality Assurance Guidance for ATWS Equipment that is not Safety ated, requires quality assurance procedures commensurate with the non-safety related sification of the AMSAC. The quality controls for the AMSAC are, at a minimum, consistent h existing plant procedures or practices for non-safety related equipment.

ign of the AMSAC followed procedures relating to equipment procurement, document trol, and specification of system components, materials, and services. In addition, cifications also define quality assurance practices for inspections, examinations, storage, ping, and tests as appropriate to a specific item or service.

omputer software verification program and a firmware validation program have been lemented commensurate with the non-safety related classification of the AMSAC to ensure the system design requirements implemented with the use of software have been properly lemented and to ensure compliance with the system functional, performance, and interface uirements.

tem testing is completed prior to the installation and operation of the AMSAC as part of the mal factory acceptance testing and the validation program. Periodic testing is performed both matically through use of the system automatic self-checking capability and manually under inistrative control via the AMSAC test/maintenance panel.

28/18 7.8-6 Rev. 31

er to the AMSAC is from a battery backed, dedicated UPS independent of the power supplies the RTS and ESFAS. The station battery supplying power to the AMSAC is independent of e used for the RTS and ESFAS. The AMSAC is an energize-to-actuate system capable of orming its mitigative functions with a loss of off-site power.

2.10 Testability at Power AMSAC is testable at power. This testing is done via the system test/maintenance panel. The ability of the AMSAC to perform its mitigative actuations is bypassed at a system level while he test mode. Total system testing is performed as a set of three sequential, partial, overlapping

s. The first of the tests checks the analog input portions of the AMSAC in order to verify uracy. Each of the analog input modules is checked separately. The second test checks each of ALPs to verify that the appropriate coincidence logic is sent to the majority voter. Each ALP is ed separately. The last test exercises the majority voter and the integrity of the associated put relays. The majority voter and associated output relays are tested by exercising all possible ut combinations to the majority voter. The integrity of each of the output relays is checked by firming continuity of the relay coils without operating the relays. The capability to vidually operate the output relays, confirm integrity of the associated field wiring, and operate corresponding isolation relays and final actuation devices at plant shutdown is provided.

7.8.2.11 Inadvertent Actuation

The AMSAC has been designed such that the frequency of inadvertent actuations is minimized.

This high reliability is ensured through use of three redundant ALPs and a majority voting module. A single failure in any of these modules will not result in a spurious AMSAC actuation.
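The exhaustive voter test from the testability section and the single-failure claim just above, as an added worked example that is not from the FSAR or the AMSAC vendor; a two-out-of-three majority voter is assumed, and the function names are constructed for illustration:

```python
from itertools import product


def majority_vote(alp_demands):
    """Assumed 2-of-3 majority voter: actuate only when at least two of the
    three redundant ALPs demand actuation."""
    return sum(bool(d) for d in alp_demands) >= 2


def voter_truth_table():
    """Mirror the third partial test at power: drive all eight input
    combinations into the voter and record its output for each. In the plant
    the output relays are checked for coil continuity, not operated."""
    return {bits: majority_vote(bits) for bits in product((False, True), repeat=3)}


def single_failure_tolerant():
    """Check the single-failure claim for every ALP position: one ALP failed
    spuriously high with no real demand must not actuate, and one ALP failed
    low during a real demand must not block actuation."""
    for i in range(3):
        spurious = [False] * 3
        spurious[i] = True          # one ALP fails high, no real transient
        if majority_vote(spurious):
            return False
        stuck_low = [True] * 3
        stuck_low[i] = False        # one ALP fails low during a real demand
        if not majority_vote(stuck_low):
            return False
    return True
```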

In addition, a three-out-of-four low SG level coincidence logic and a time delay have been selected to further minimize the potential for inadvertent actuations.

7.8.2.12 Bypass

7.8.2.12.1 Maintenance Bypasses

The AMSAC is blocked at the system level during maintenance, repair, calibration, or test. While the system is blocked, the bypass condition is continuously indicated in the main control room.

7.8.2.12.2 Operating Bypasses

The AMSAC has been designed to allow for operational bypasses with the inclusion of the C-20 permissive. Above the C-20 set point, the AMSAC is automatically unblocked (i.e., armed); below the set point, the system is automatically blocked. The operating status of the AMSAC is continuously indicated in the main control room via an annunciator window.


Whenever the mitigative capabilities of the AMSAC are bypassed or deliberately rendered inoperable, this condition is continuously indicated in the main control room. In addition to the operating bypass, any manual maintenance bypass is indicated via the AMSAC general warning to the main control room.

7.8.2.12.4 Means for Bypassing

A permanently installed system bypass selector switch is provided to bypass the system. This is a two-position selector switch with NORMAL and BYPASS positions. At no time is it necessary to use any temporary means, such as installing jumpers or pulling fuses, to bypass the system.

7.8.2.13 Completion of Mitigative Actions Once Initiated

The AMSAC mitigative actions go to completion as long as the coincidence logic is satisfied and the time delay requirements are met. If the flow in the feedwater lines is reinitiated before the timer expires and the SG water level increases to above the low-low set point, then the coincidence logic will no longer be satisfied and the actuation signal disappears. If the coincidence logic conditions are maintained for the duration of the time delay, then the mitigative actions go to completion. The auxiliary feedwater initiation signal is latched in at the component actuating devices and the turbine trip is latched in at the turbine electrohydraulic control system.

Deliberate operator action is then necessary to terminate auxiliary feedwater flow, clear the turbine trip signal using the main control board turbine trip reset switch, and proceed with the reopening of the turbine stop valves.
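The C-20 permissive, the three-out-of-four low-low SG level coincidence, the time delay and the latching of mitigative outputs described in the sections above, as an added worked example in Python that is not part of the FSAR; the setpoint values, the scan-based timer and all class and function names are constructed assumptions, since the page gives no numeric values:

```python
from dataclasses import dataclass

# Constructed setpoints for illustration only; this page gives no numeric values.
LOW_LOW_SG_LEVEL_PCT = 20.0   # hypothetical low-low SG level setpoint
C20_SETPOINT_PCT = 40.0       # hypothetical C-20 permissive setpoint
TIME_DELAY_S = 30.0           # hypothetical actuation time delay


@dataclass
class AmsacLogic:
    """3-of-4 low-low SG level coincidence, gated by the C-20 operating
    permissive and the maintenance bypass switch, qualified by a time delay.
    Mitigative outputs latch until deliberate operator reset."""
    timer_s: float = 0.0
    auxfw_latched: bool = False
    turbine_trip_latched: bool = False

    def status(self, turbine_load, bypass_switch):
        """Control room indication: ARMED, BLOCKED (below C-20) or BYPASSED."""
        if bypass_switch:
            return "BYPASSED"
        return "ARMED" if turbine_load >= C20_SETPOINT_PCT else "BLOCKED"

    def step(self, dt_s, sg_levels, turbine_load, bypass_switch=False):
        """Advance one scan; returns True once mitigative actions are latched."""
        armed = self.status(turbine_load, bypass_switch) == "ARMED"
        coincidence = sum(lvl <= LOW_LOW_SG_LEVEL_PCT for lvl in sg_levels) >= 3
        if armed and coincidence:
            self.timer_s += dt_s
        else:
            # Level recovers (or permissive drops) before the timer expires:
            # the coincidence is gone and the actuation signal disappears.
            self.timer_s = 0.0
        if self.timer_s >= TIME_DELAY_S:
            self.auxfw_latched = True          # latched at the actuating devices
            self.turbine_trip_latched = True   # latched at the turbine EHC system
        return self.auxfw_latched and self.turbine_trip_latched

    def operator_reset(self):
        """Deliberate operator action is the only way to clear the latches."""
        self.auxfw_latched = self.turbine_trip_latched = False
        self.timer_s = 0.0


def run_scenario(samples, dt_s=1.0):
    """samples: per-scan (sg_levels, turbine_load) tuples. Returns the scan
    number at which actuation latched, or None if the signal never completed."""
    logic = AmsacLogic()
    for t, (levels, load) in enumerate(samples, start=1):
        if logic.step(dt_s, levels, load):
            return t
    return None
```

A transient in which feedwater is restored before the timer expires yields None, while three of four SGs held low-low at full load actuate exactly when the delay elapses.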

7.8.2.14 Manual Initiation

Manual initiation of the AMSAC is not provided. The capability to initiate the AMSAC mitigative functions manually (i.e., initiate auxiliary feedwater, trip the turbine, and isolate SG blowdown and sampling lines) exists at the main control board independent of AMSAC.

7.8.2.15 Information Readout

The AMSAC has been designed such that the operating and I&C staffs have accurate, complete, and timely information pertinent to the status of the AMSAC. A system level general warning alarm is indicated in the control room. Diagnostic capability exists from the test/maintenance panel to determine the cause of any unanticipated inoperability or deviation.

7.8.2.16 Compliance With Standards and Design Criteria

The AMSAC meets the applicable requirements of Part 50.62 of Title 10 of the Code of Federal Regulations and the quality assurance requirements of NRC Generic Letter 85-06. No other standards currently apply to the AMSAC.
